
Can't connect to the internet after Rootkit.ZeroAccess



So Combofix told me I had Rootkit.ZeroAccess. I think I've gotten it removed (TDSS Killer no longer reports any infection). But now I cannot connect to the internet (big surprise, right?). After some poking around, I determined that afd, netbt, and tcpip were all problematic. If I try to start DHCP, it tells me that the dependent service was marked for deletion (error 1075, I think). Even after replacing netbt.sys, afd.sys, and tcpip.sys with good versions of the files from another computer, I'm still having the same issue.

This is a desktop computer (no wireless), with Windows XP SP3. I have tried doing SFC /SCANNOW, but I can't get it to work, even though I'm using the same Windows CD that I installed the OS with. It keeps prompting me to insert my windows CD and click Retry. I have tried several other CDs as well, including an OEM CD from Dell with SP3 on it, (I thought maybe the problem with my original CD was that it doesn't have SP3). I also tried to do a Repair install with the Windows CD, but no matter which CD I use, I cannot get the repair option to appear. Very strange and frustrating. I've tried uninstalling/reinstalling TCP/IP. I've tried running several tools to repair Winsock, TCP/IP, etc. I'm stumped and pissed off at this point.

I also want to mention that I am a computer repair technician and don't usually encounter many problems I can't fix, although I'm not quite an expert at virus removal yet. What should I do next? I'd appreciate any suggestions. Merry Christmas. =)

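A read-only diagnostic for the error 1075 symptom described in the post above, added here as an example and not part of the original thread. It assumes PowerShell 2.0 has been installed on the XP SP3 machine (it is not there by default) and walks the DependOnService chain of the DHCP Client service (registry key name Dhcp) to show which dependency key or driver file is missing or flagged for deletion.

```powershell
# Read-only check of a service's dependency chain. Error 1075 ("The dependency
# service does not exist or has been marked for deletion") means a link in
# this chain is missing, so each link is reported with: registry key present,
# Start type, resolved ImagePath, whether that file exists on disk, and whether
# the Service Control Manager has flagged the key with DeleteFlag.
# Assumes PowerShell 2.0 on Windows XP SP3; nothing is modified.

param(
    [string]$ServiceName = 'Dhcp'   # DHCP Client, the service the poster could not start
)

$servicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Resolve-ImagePath {
    # Normalise the ImagePath forms found in XP service keys into a file path:
    #   \SystemRoot\System32\DRIVERS\afd.sys      system32\DRIVERS\tcpip.sys
    #   %SystemRoot%\system32\svchost.exe -k netsvcs   "C:\Program Files\x\y.exe" /arg
    param([string]$ImagePath)
    if (-not $ImagePath) { return $null }
    $p = $ImagePath.Trim()
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        if ($end -gt 1) { $p = $p.Substring(1, $end - 1) }
    } else {
        $idx = $p.IndexOf(' -')            # strip svchost-style " -k group" arguments
        if ($idx -gt 0) { $p = $p.Substring(0, $idx) }
    }
    $p = [Environment]::ExpandEnvironmentVariables($p)
    $p = $p -replace '^\\\?\?\\', ''                        # \??\C:\... prefix
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"  # \SystemRoot\... prefix
    if ($p -match '^system32\\') { $p = "$env:SystemRoot\$p" }  # relative driver path
    return $p
}

function Get-ServiceChainReport {
    # Emits one row per service reached through DependOnService, depth first,
    # visiting each service once even if several services depend on it.
    param([string]$Name, [hashtable]$Seen = @{})
    if ($Seen.ContainsKey($Name)) { return }
    $Seen[$Name] = $true

    $key = Join-Path $servicesRoot $Name
    $row = New-Object PSObject -Property @{
        Service    = $Name
        KeyExists  = (Test-Path $key)
        Start      = $null      # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
        ImagePath  = $null
        FileExists = $null
        DeleteFlag = $false
    }
    if (-not $row.KeyExists) { return $row }   # missing key: this link produces error 1075

    $props = Get-ItemProperty -Path $key
    $row.Start      = $props.Start
    $row.ImagePath  = Resolve-ImagePath $props.ImagePath
    $row.FileExists = if ($row.ImagePath) { Test-Path $row.ImagePath } else { $null }
    $row.DeleteFlag = ($props.DeleteFlag -eq 1)   # written by the SCM when "marked for deletion"
    $row
    foreach ($dep in @($props.DependOnService)) {
        if ($dep) { Get-ServiceChainReport -Name $dep -Seen $Seen }
    }
}

Get-ServiceChainReport -Name $ServiceName |
    Select-Object Service, KeyExists, Start, FileExists, DeleteFlag, ImagePath |
    Format-Table -AutoSize
```

A row with KeyExists False, FileExists False, or DeleteFlag True is the link to repair; a DeleteFlag that persists across a reboot is worth a closer look at the service key itself.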


Rootkit.ZeroAccess is also a BackDoor Trojan.

This is what we tell the users who have it.

Whether you wish to continue with cleaning or not, you should be aware that you may have been infected by a backdoor trojan. This type of program has the ability to steal passwords and other information from your system. If you are using your computer for sensitive purposes such as internet banking then I recommend you take the following steps immediately:
  • Use another, uninfected computer to change all your internet passwords, especially ones with financial implications such as banks, paypal, ebay, etc. You should also change the passwords for any other site you use.
  • Call your bank(s), credit card company or any other institution which may be affected and advise them that your login/password or credit card information may have been stolen and ask what steps to take with regard to your account.
  • Consider what other private information could possibly have been taken from your computer and take appropriate steps.
  • Removing this infection can also disable the ability to connect to the internet.

This infection can almost certainly be cleaned, but as the malware could be configured to run any program a remote attacker requires, it will be impossible to be 100% sure that the machine is clean. If this is unacceptable to you, then you should consider reformatting the system partition and reinstalling Windows, as this is the only 100% sure answer.

Since you have the OS CD, have you tried a Repair Install?

http://www.geekstogo.com/forum/topic/138-how-to-repair-windows-xp/


If need be, Download the tools needed to a flash drive or other USB device, and transfer them to the infected computer.

Please do not attach the scan results from ComboFix. Use copy/paste.

Vista and Windows 7 users:

1. These tools MUST be run from the executable (.exe) every time you run them.

2. With Admin Rights (right click, choose "Run as Administrator").

Download ComboFix from one of these locations:

Link 1

Link 2. If using this link, right click and select Save As.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs
  • Double click on ComboFix.exe & follow the prompts.
    Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
    Note: If you have XP SP3, use the XP SP2 package.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.

3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it at least 20-30 minutes to finish if needed.


Also please describe how your computer behaves at the moment.


Please don't use the Combofix you have now.

We need to get the latest version.

Ok, I ran the latest Combofix. Here's the log file. I still have no connection to the internet. If I try connecting to the internet it simply says "Acquiring network address" forever. If I try doing "ipconfig /renew" in cmd it says the RPC server is unavailable. If I go into Services, DHCP is not started. If I attempt to start it, I get Error 1075: The dependency service does not exist or has been marked for deletion. This is the same problem I had before. I'm just stating this to provide as much info as possible, please know that I haven't done anything else to try to fix it after running Combofix. Just trying to be helpful.

I have a Combofix log file from the previous time I ran it, also, if that would help.

Newest Combofix log file:

ComboFix 11-12-29.05 - Dan 12/29/2011 18:03:36.4.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2750 [GMT -7:00]

Running from: c:\documents and settings\Dan\Desktop\ComboFixDec29.exe


- 2008-10-06 03:44 . 2004-08-04 12:00 9728 c:\windows\system32\dllcache\query.exe

+ 2008-10-06 03:44 . 2008-04-14 12:00 6144 c:\windows\system32\dllcache\pmxgl.dll

- 2008-10-06 03:44 . 2004-08-04 12:00 6144 c:\windows\system32\dllcache\pmxgl.dll

+ 2008-10-06 03:44 . 2008-04-14 12:00 5632 c:\windows\system32\dllcache\kbdvntc.dll

- 2008-10-06 03:44 . 2004-08-04 12:00 5632 c:\windows\system32\dllcache\kbdvntc.dll

- 2008-10-06 03:44 . 2004-08-04 12:00 5632 c:\windows\system32\dllcache\kbdusa.dll

+ 2008-10-06 03:44 . 2008-04-14 12:00 5632 c:\windows\system32\dllcache\kbdusa.dll

+ 2008-10-06 03:44 . 2008-04-14 12:00 5632 c:\windows\system32\dllcache\kbdurdu.dll

- 2008-10-06 03:44 . 2004-08-04 12:00 5632 c:\windows\system32\dllcache\kbdurdu.dll

- 2008-10-06 03:44 . 2004-08-04 12:00 6144 c:\windows\system32\dllcache\kbdth3.dll

+ 2008-10-06 03:44 . 2001-08-23 11:00 6144 c:\windows\system32\dllcache\kbdth3.dll

+ 2008-10-06 03:44 . 2001-08-23 11:00 6144 c:\windows\system32\dllcache\kbdth2.dll

- 2008-10-06 03:44 . 2004-08-04 12:00 6144 c:\windows\system32\dllcache\kbdth2.dll

+ 2008-10-06 03:44 . 2001-08-23 11:00 5632 c:\windows\system32\dllcache\kbdth1.dll

- 2008-10-06 03:44 . 2004-08-04 12:00 5632 c:\windows\system32\dllcache\kbdth1.dll

- 2008-10-06 03:44 . 2004-08-04 12:00 5632 c:\windows\system32\dllcache\kbdth0.dll

+ 2008-10-06 03:44 . 2001-08-23 11:00 5632 c:\windows\system32\dllcache\kbdth0.dll

+ 2008-10-06 03:44 . 2001-08-23 11:00 5632 c:\windows\system32\dllcache\kbdsyr2.dll

- 2008-10-06 03:44 . 2004-08-04 12:00 5632 c:\windows\system32\dllcache\kbdsyr2.dll

- 2008-10-06 03:44 . 2004-08-04 12:00 5632 c:\windows\system32\dllcache\kbdsyr1.dll

+ 2008-10-06 03:44 . 2001-08-23 11:00 5632 c:\windows\system32\dllcache\kbdsyr1.dll

- 2008-10-06 03:44 . 2004-08-04 12:00 7680 c:\windows\system32\dllcache\kbdnecnt.dll

+ 2008-10-06 03:44 . 2001-08-23 11:00 7680 c:\windows\system32\dllcache\kbdnecnt.dll

- 2008-10-06 03:44 . 2004-08-04 12:00 9216 c:\windows\system32\dllcache\kbdnecat.dll

+ 2008-10-06 03:44 . 2001-08-23 11:00 9216 c:\windows\system32\dllcache\kbdnecat.dll

+ 2008-10-06 03:44 . 2001-08-23 11:00 7168 c:\windows\system32\dllcache\kbdnec95.dll

- 2008-10-06 03:44 . 2004-08-04 12:00 7168 c:\windows\system32\dllcache\kbdnec95.dll

+ 2008-10-06 03:44 . 2001-08-23 11:00 5632 c:\windows\system32\dllcache\kbdintel.dll

- 2008-10-06 03:44 . 2004-08-04 12:00 5632 c:\windows\system32\dllcache\kbdintel.dll

+ 2008-10-06 03:44 . 2001-08-23 11:00 5632 c:\windows\system32\dllcache\kbdintam.dll

- 2008-10-06 03:44 . 2004-08-04 12:00 5632 c:\windows\system32\dllcache\kbdintam.dll

+ 2008-10-06 03:44 . 2001-08-23 11:00 6144 c:\windows\system32\dllcache\kbdinpun.dll

- 2008-10-06 03:44 . 2004-08-04 12:00 6144 c:\windows\system32\dllcache\kbdinpun.dll

- 2008-10-06 03:44 . 2004-08-04 12:00 5632 c:\windows\system32\dllcache\kbdinmar.dll

+ 2008-10-06 03:44 . 2001-08-23 11:00 5632 c:\windows\system32\dllcache\kbdinmar.dll

- 2008-10-06 03:44 . 2004-08-04 12:00 5632 c:\windows\system32\dllcache\kbdinkan.dll

+ 2008-10-06 03:44 . 2001-08-23 11:00 5632 c:\windows\system32\dllcache\kbdinkan.dll

+ 2008-10-06 03:44 . 2001-08-23 11:00 5632 c:\windows\system32\dllcache\kbdinhin.dll

- 2008-10-06 03:44 . 2004-08-04 12:00 5632 c:\windows\system32\dllcache\kbdinhin.dll

- 2008-10-06 03:44 . 2004-08-04 12:00 5632 c:\windows\system32\dllcache\kbdinguj.dll

+ 2008-10-06 03:44 . 2001-08-23 11:00 5632 c:\windows\system32\dllcache\kbdinguj.dll

+ 2008-10-06 03:44 . 2001-08-23 11:00 5632 c:\windows\system32\dllcache\kbdindev.dll

- 2008-10-06 03:44 . 2004-08-04 12:00 5632 c:\windows\system32\dllcache\kbdindev.dll

- 2008-10-06 03:44 . 2004-08-04 12:00 5632 c:\windows\system32\dllcache\kbdheb.dll

+ 2008-10-06 03:44 . 2001-08-23 11:00 5632 c:\windows\system32\dllcache\kbdheb.dll

- 2008-10-06 03:44 . 2004-08-04 12:00 5120 c:\windows\system32\dllcache\kbdgeo.dll

+ 2008-10-06 03:44 . 2001-08-23 11:00 5120 c:\windows\system32\dllcache\kbdgeo.dll

- 2008-10-06 03:44 . 2004-08-04 12:00 5632 c:\windows\system32\dllcache\kbdfa.dll

+ 2008-10-06 03:44 . 2001-08-23 11:00 5632 c:\windows\system32\dllcache\kbdfa.dll

- 2008-10-06 03:44 . 2004-08-04 12:00 5632 c:\windows\system32\dllcache\kbddiv2.dll

+ 2008-10-06 03:44 . 2001-08-23 11:00 5632 c:\windows\system32\dllcache\kbddiv2.dll

- 2008-10-06 03:44 . 2004-08-04 12:00 5632 c:\windows\system32\dllcache\kbddiv1.dll

+ 2008-10-06 03:44 . 2001-08-23 11:00 5632 c:\windows\system32\dllcache\kbddiv1.dll

- 2008-10-06 03:44 . 2004-08-04 12:00 5120 c:\windows\system32\dllcache\kbdarmw.dll

+ 2008-10-06 03:44 . 2001-08-23 11:00 5120 c:\windows\system32\dllcache\kbdarmw.dll

+ 2008-10-06 03:44 . 2001-08-23 11:00 5120 c:\windows\system32\dllcache\kbdarme.dll

- 2008-10-06 03:44 . 2004-08-04 12:00 5120 c:\windows\system32\dllcache\kbdarme.dll

- 2008-10-06 03:44 . 2004-08-04 12:00 5632 c:\windows\system32\dllcache\kbda3.dll

+ 2008-10-06 03:44 . 2001-08-23 11:00 5632 c:\windows\system32\dllcache\kbda3.dll

- 2008-10-06 03:44 . 2004-08-04 12:00 5632 c:\windows\system32\dllcache\kbda2.dll

+ 2008-10-06 03:44 . 2001-08-23 11:00 5632 c:\windows\system32\dllcache\kbda2.dll

+ 2008-10-06 03:44 . 2001-08-23 11:00 5632 c:\windows\system32\dllcache\kbda1.dll

- 2008-10-06 03:44 . 2004-08-04 12:00 5632 c:\windows\system32\dllcache\kbda1.dll

+ 2008-10-06 03:44 . 2001-08-23 11:00 6144 c:\windows\system32\dllcache\kbd101a.dll

- 2008-10-06 03:44 . 2004-08-04 12:00 6144 c:\windows\system32\dllcache\kbd101a.dll

+ 2008-10-06 03:44 . 2001-08-23 11:00 9216 c:\windows\system32\dllcache\iwrps.dll

- 2008-10-06 03:44 . 2004-08-04 12:00 9216 c:\windows\system32\dllcache\iwrps.dll

+ 2008-10-06 03:44 . 2001-08-23 11:00 7168 c:\windows\system32\dllcache\isapips.dll

- 2008-10-06 03:44 . 2004-08-04 12:00 7168 c:\windows\system32\dllcache\isapips.dll

+ 2008-10-06 03:43 . 2001-08-23 11:00 8704 c:\windows\system32\dllcache\infoctrs.dll

- 2008-10-06 03:43 . 2004-08-04 12:00 8704 c:\windows\system32\dllcache\infoctrs.dll

+ 2008-10-06 03:43 . 2001-08-23 11:00 6656 c:\windows\system32\dllcache\iissync.exe

- 2008-10-06 03:43 . 2004-08-04 12:00 6656 c:\windows\system32\dllcache\iissync.exe

+ 2008-10-06 03:43 . 2001-08-23 11:00 3584 c:\windows\system32\dllcache\iismui.dll

- 2008-10-06 03:43 . 2004-08-04 12:00 3584 c:\windows\system32\dllcache\iismui.dll

- 2008-10-06 03:42 . 2008-04-14 12:00 6144 c:\windows\system32\dllcache\ftpsapi2.dll

+ 2008-10-06 03:42 . 2004-08-04 12:00 6144 c:\windows\system32\dllcache\ftpsapi2.dll

- 2008-10-06 03:43 . 2004-08-04 12:00 7680 c:\windows\system32\dllcache\ftpctrs2.dll

+ 2008-10-06 03:43 . 2001-08-23 11:00 7680 c:\windows\system32\dllcache\ftpctrs2.dll

+ 2008-10-06 03:43 . 2001-08-23 11:00 6144 c:\windows\system32\dllcache\ftlx041e.dll

- 2008-10-06 03:43 . 2004-08-04 12:00 6144 c:\windows\system32\dllcache\ftlx041e.dll

- 2008-10-06 03:43 . 2004-08-04 12:00 9728 c:\windows\system32\dllcache\change.exe

+ 2008-10-06 03:43 . 2001-08-23 11:00 9728 c:\windows\system32\dllcache\change.exe

- 2004-08-04 12:00 . 2011-12-19 07:12 516268 c:\windows\system32\perfh009.dat

+ 2004-08-04 12:00 . 2011-12-30 00:54 516268 c:\windows\system32\perfh009.dat

+ 2008-10-06 03:44 . 2008-04-14 12:00 185344 c:\windows\system32\dllcache\thawbrkr.dll

- 2008-10-06 03:44 . 2004-08-04 12:00 185344 c:\windows\system32\dllcache\thawbrkr.dll

- 2008-10-06 03:44 . 2004-08-04 12:00 101376 c:\windows\system32\dllcache\srusbusd.dll

+ 2008-10-06 03:44 . 2008-04-14 12:00 101376 c:\windows\system32\dllcache\srusbusd.dll

- 2008-10-06 03:44 . 2004-08-04 12:00 143422 c:\windows\system32\dllcache\softkey.dll

+ 2008-10-06 03:44 . 2008-04-14 12:00 143422 c:\windows\system32\dllcache\softkey.dll

- 2008-10-06 03:44 . 2004-08-04 12:00 753236 c:\windows\system32\dllcache\rvseres.dll

+ 2008-10-06 03:44 . 2008-04-14 12:00 753236 c:\windows\system32\dllcache\rvseres.dll

+ 2008-10-06 03:44 . 2008-04-14 12:00 131584 c:\windows\system32\dllcache\pmxviceo.dll

- 2008-10-06 03:44 . 2004-08-04 12:00 131584 c:\windows\system32\dllcache\pmxviceo.dll

+ 2008-10-06 03:44 . 2008-04-14 12:00 229439 c:\windows\system32\dllcache\multibox.dll

- 2008-10-06 03:44 . 2004-08-04 12:00 229439 c:\windows\system32\dllcache\multibox.dll

+ 2008-10-06 03:43 . 2001-08-23 11:00 471102 c:\windows\system32\dllcache\imskdic.dll

- 2008-10-06 03:43 . 2004-08-04 12:00 471102 c:\windows\system32\dllcache\imskdic.dll

+ 2008-10-06 03:43 . 2001-08-23 11:00 311359 c:\windows\system32\dllcache\imepadsv.exe

- 2008-10-06 03:43 . 2004-08-04 12:00 311359 c:\windows\system32\dllcache\imepadsv.exe

- 2008-10-06 03:43 . 2004-08-04 12:00 102463 c:\windows\system32\dllcache\imepadsm.dll

+ 2008-10-06 03:43 . 2001-08-23 11:00 102463 c:\windows\system32\dllcache\imepadsm.dll

+ 2008-10-06 03:43 . 2001-08-23 11:00 132608 c:\windows\system32\dllcache\fxsclntr.dll

- 2008-10-06 03:43 . 2004-08-04 12:00 132608 c:\windows\system32\dllcache\fxsclntr.dll

+ 2008-10-06 03:43 . 2001-08-23 11:00 111104 c:\windows\system32\dllcache\fxscfgwz.dll

- 2008-10-06 03:43 . 2004-08-04 12:00 111104 c:\windows\system32\dllcache\fxscfgwz.dll

+ 2008-10-06 03:43 . 2001-08-23 11:00 514587 c:\windows\system32\dllcache\edb500.dll

- 2008-10-06 03:43 . 2004-08-04 12:00 514587 c:\windows\system32\dllcache\edb500.dll

+ 2008-10-06 03:43 . 2001-08-23 11:00 217160 c:\windows\system32\dllcache\cmnclim.dll

- 2008-10-06 03:43 . 2004-08-04 12:00 217160 c:\windows\system32\dllcache\cmnclim.dll

+ 2008-10-06 03:43 . 2001-08-23 11:00 838144 c:\windows\system32\dllcache\chtbrkr.dll

- 2008-10-06 03:43 . 2004-08-04 12:00 838144 c:\windows\system32\dllcache\chtbrkr.dll

+ 2008-10-06 03:43 . 2001-08-23 11:00 780885 c:\windows\system32\dllcache\chkrres.dll

- 2008-10-06 03:43 . 2004-08-04 12:00 780885 c:\windows\system32\dllcache\chkrres.dll

+ 2011-12-30 00:46 . 2011-12-30 00:46 409600 c:\windows\ERDNT\AutoBackup\12-29-2011\Users\00000002\UsrClass.dat

+ 2011-12-30 00:46 . 2005-10-20 19:02 163328 c:\windows\ERDNT\AutoBackup\12-29-2011\ERDNT.EXE

+ 2011-12-27 14:42 . 2011-12-27 14:42 409600 c:\windows\ERDNT\AutoBackup\12-27-2011\Users\00000002\UsrClass.dat

+ 2011-12-27 14:42 . 2005-10-20 19:02 163328 c:\windows\ERDNT\AutoBackup\12-27-2011\ERDNT.EXE

+ 2011-12-24 00:30 . 2011-12-24 00:30 409600 c:\windows\ERDNT\AutoBackup\12-23-2011\Users\00000002\UsrClass.dat

+ 2011-12-24 00:30 . 2005-10-20 19:02 163328 c:\windows\ERDNT\AutoBackup\12-23-2011\ERDNT.EXE

+ 2011-12-24 00:24 . 2011-12-24 00:24 409600 c:\windows\ERDNT\12-23-2011\Users\00000002\UsrClass.dat

+ 2011-12-24 00:24 . 2005-10-20 19:02 163328 c:\windows\ERDNT\12-23-2011\ERDNT.EXE

- 2008-10-06 03:44 . 2004-08-04 12:00 2178131 c:\windows\system32\dllcache\shvlres.dll

+ 2008-10-06 03:44 . 2008-04-14 12:00 2178131 c:\windows\system32\dllcache\shvlres.dll

+ 2008-10-06 03:43 . 2001-08-23 11:00 1175635 c:\windows\system32\dllcache\hrtzres.dll

- 2008-10-06 03:43 . 2004-08-04 12:00 1175635 c:\windows\system32\dllcache\hrtzres.dll

- 2008-10-06 03:43 . 2004-08-04 12:00 1039955 c:\windows\system32\dllcache\cmnresm.dll

+ 2008-10-06 03:43 . 2001-08-23 11:00 1039955 c:\windows\system32\dllcache\cmnresm.dll

+ 2008-10-06 03:43 . 2001-08-23 11:00 1677824 c:\windows\system32\dllcache\chsbrkr.dll

- 2008-10-06 03:43 . 2004-08-04 12:00 1677824 c:\windows\system32\dllcache\chsbrkr.dll

- 2008-10-06 03:43 . 2004-08-04 12:00 1817687 c:\windows\system32\dllcache\bckgres.dll

+ 2008-10-06 03:43 . 2001-08-23 11:00 1817687 c:\windows\system32\dllcache\bckgres.dll

+ 2011-12-30 00:46 . 2011-12-30 00:46 7733248 c:\windows\ERDNT\AutoBackup\12-29-2011\Users\00000001\ntuser.dat

+ 2011-12-27 14:42 . 2011-12-27 14:42 7733248 c:\windows\ERDNT\AutoBackup\12-27-2011\Users\00000001\ntuser.dat

+ 2011-12-24 00:30 . 2011-12-24 00:30 7733248 c:\windows\ERDNT\AutoBackup\12-23-2011\Users\00000001\ntuser.dat

+ 2011-12-24 00:24 . 2011-12-24 00:24 7733248 c:\windows\ERDNT\12-23-2011\Users\00000001\ntuser.dat

- 2008-10-06 03:43 . 2004-08-04 12:00 10129408 c:\windows\system32\dllcache\hwxkor.dll

+ 2008-10-06 03:43 . 2001-08-23 11:00 10129408 c:\windows\system32\dllcache\hwxkor.dll

- 2008-10-06 03:43 . 2004-08-04 12:00 10096640 c:\windows\system32\dllcache\hwxcht.dll

+ 2008-10-06 03:43 . 2001-08-23 11:00 10096640 c:\windows\system32\dllcache\hwxcht.dll

.

-- Snapshot reset to current date --

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Dan\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Dan\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Dan\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]

@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Dan\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-12-09 4616064]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2011-11-03 273528]

.

c:\documents and settings\Dan\Start Menu\Programs\Startup\

ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableLinkedConnections"= 1 (0x1)

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]

2011-11-29 04:52 87424 ----a-w- c:\windows\system32\LMIinit.dll

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\IMFservice]

@="Service"

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ClientManager3.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ClientManager3.lnk

backup=c:\windows\pss\ClientManager3.lnkCommon Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]

2011-10-11 15:17 5389944 ----a-w- c:\program files\SlySoft\AnyDVD\AnyDVDtray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2008-04-14 11:42 15360 ----a-w- c:\windows\system32\ctfmon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]

c:\program files\LogMeIn\x86\LogMeInSystray.exe [bU]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]

2011-09-01 00:00 449608 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

2011-11-03 13:22 273528 ----a-w- c:\program files\Real\RealPlayer\Update\realsched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=

"c:\\Documents and Settings\\Dan\\Application Data\\Dropbox\\bin\\Dropbox.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Freemake\\Freemake Video Converter\\FreemakeVC.exe"=

"c:\\Program Files\\Synology\\Assistant\\DSAssistant.exe"=

"c:\\Program Files\\BUFFALO\\Client Manager3\\bwsvc.exe"=

"c:\\Program Files\\BUFFALO\\Client Manager3\\AOSSWPS.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

.

R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [8/28/2011 11:48 AM 232512]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 9:27 AM 12880]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 2:55 PM 67664]

R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 4:38 PM 116608]

R2 IMFservice;IMF Service;c:\program files\IObit\IObit Malware Fighter\IMFsrv.exe [10/24/2011 5:00 PM 820568]

R2 Intel® PROSet Monitoring Service;Intel® PROSet Monitoring Service;c:\windows\system32\IPROSetMonitor.exe [12/13/2011 6:31 PM 117920]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [4/27/2011 11:11 PM 366152]

R2 UsbClientService;UsbClientService;c:\program files\Synology\Assistant\UsbClientService.exe [2/17/2011 11:18 PM 245760]

R3 busenum;Synology Virtual USB Hub;c:\windows\system32\drivers\busenum.sys [2/17/2011 11:20 PM 46304]

R3 DKRtWrt;DKRtWrt;c:\windows\system32\drivers\DKRtWrt.sys [8/20/2010 11:14 AM 42144]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [4/27/2011 11:11 PM 22216]

R3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [12/9/2010 11:48 PM 47360]

S0 vhndu;vhndu;c:\windows\system32\drivers\lswo.sys --> c:\windows\system32\drivers\lswo.sys [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]

S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]

S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 9:58 AM 11336]

S3 FileMonitor;FileMonitor;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\FileMonitor.sys [10/24/2011 5:00 PM 239472]

S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [1/21/2010 4:51 PM 30963576]

S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 7:37 PM 4640000]

S3 RegFilter;RegFilter;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\RegFilter.sys [10/24/2011 5:00 PM 30368]

S3 UrlFilter;UrlFilter;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\UrlFilter.sys [10/24/2011 5:00 PM 16208]

S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/4/2004 5:00 AM 14336]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]

S4 LMIGuardianSvc;LMIGuardianSvc;"c:\program files\LogMeIn\x86\LMIGuardianSvc.exe" --> c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [?]

S4 MotoHelper;MotoHelper Service;c:\program files\Motorola\MotoHelper\MotoHelperService.exe [8/10/2011 12:35 PM 227184]

S4 NAUpdate;@c:\program files\Nero\Update\NASvc.exe,-200;c:\program files\Nero\Update\NASvc.exe [3/25/2010 1:39 PM 490280]

.

--- Other Services/Drivers In Memory ---

.

*Deregistered* - ppsio2

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

WINRM REG_MULTI_SZ WINRM

.

Contents of the 'Scheduled Tasks' folder

.

2011-12-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-746137067-1606980848-839522115-1003Core.job

- c:\documents and settings\Dan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-05-25 05:25]

.

2011-12-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-746137067-1606980848-839522115-1003UA.job

- c:\documents and settings\Dan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-05-25 05:25]

.

2011-12-24 c:\windows\Tasks\MotoHelper MUM.job

- c:\program files\Motorola\MotoHelper\MotoHelperUpdate.exe [2011-08-08 22:11]

.

2011-12-29 c:\windows\Tasks\MotoHelper Routing.job

- c:\program files\Motorola\MotoHelper\MotoHelperUpdate.exe [2011-08-08 22:11]

.

2011-12-24 c:\windows\Tasks\MotoHelper Update.job

- c:\program files\Motorola\MotoHelper\MotoHelperUpdate.exe [2011-08-08 22:11]

.

2011-12-13 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-18.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-09-27 19:40]

.

2011-12-13 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-746137067-1606980848-839522115-1003.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-09-27 19:40]

.

2011-12-27 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-18.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-09-27 19:40]

.

2011-12-25 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-746137067-1606980848-839522115-1003.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-09-27 19:40]

.

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyOverride = *.local;192.168.*.*

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - c:\progra~1\MICROS~3\Office14\ONBttnIE.dll/105

FF - ProfilePath - c:\documents and settings\Dan\Application Data\Mozilla\Firefox\Profiles\4x0jvxwd.default\

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-12-29 18:16

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,81,12,8e,ab,81,7c,c5,4c,83,6e,8d,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,81,12,8e,ab,81,7c,c5,4c,83,6e,8d,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(580)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\WININET.dll

c:\windows\system32\Ati2evxx.dll

c:\windows\system32\atiadlxx.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll

c:\windows\system32\LMIinit.dll

c:\program files\BUFFALO\Client Manager3\BwcProv.dll

c:\windows\system32\LMIRfsClientNP.dll

.

Completion time: 2011-12-29 18:19:57

ComboFix-quarantined-files.txt 2011-12-30 01:19

ComboFix2.txt 2011-12-19 08:56

ComboFix3.txt 2011-12-19 07:29

.

Pre-Run: 34,407,084,032 bytes free

Post-Run: 34,392,223,744 bytes free

.

- - End Of File - - 6284B9179F6EC7486942CFB94987F889


I know it's a pain going back and forth from one box to another.

Please download, open, and run the QueryServices.bat inside the attached zip file and post back the NetworkDetails.txt file (as an attachment) that it will create in the root of the system drive.

It's not that much of a pain going back and forth to the other computer. I'm just glad to have the help, and from a moderator, nonetheless. =)

Query Services version 2

...

[SC] GetServiceConfig SUCCESS

SERVICE_NAME: dhcp

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs

LOAD_ORDER_GROUP : TDI

TAG : 0

DISPLAY_NAME : DHCP Client

DEPENDENCIES : Tcpip

: Afd

: NetBT

SERVICE_START_NAME : LocalSystem

SERVICE_NAME: dhcp

TYPE : 20 WIN32_SHARE_PROCESS

STATE : 1 STOPPED

(NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)

WIN32_EXIT_CODE : 1075 (0x433)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

PID : 0

FLAGS :

[SC] GetServiceConfig SUCCESS

SERVICE_NAME: TCPIP

TYPE : 1 KERNEL_DRIVER

START_TYPE : 1 SYSTEM_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : system32\DRIVERS\tcpip.sys

LOAD_ORDER_GROUP : PNP_TDI

TAG : 13

DISPLAY_NAME : TCP/IP Protocol Driver

DEPENDENCIES : IPSec

SERVICE_START_NAME :

SERVICE_NAME: TCPIP

TYPE : 1 KERNEL_DRIVER

STATE : 4 RUNNING

(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

PID : 0

FLAGS :

[SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.

[SC] EnumQueryServicesStatus:OpenService FAILED 1060:

The specified service does not exist as an installed service.

[SC] GetServiceConfig SUCCESS

SERVICE_NAME: NetBT

TYPE : 1 KERNEL_DRIVER

START_TYPE : 1 SYSTEM_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : system32\DRIVERS\netbt.sys

LOAD_ORDER_GROUP : PNP_TDI

TAG : 15

DISPLAY_NAME : NetBios over Tcpip

DEPENDENCIES : Tcpip

SERVICE_START_NAME :

SERVICE_NAME: NetBT

TYPE : 1 KERNEL_DRIVER

STATE : 4 RUNNING

(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

PID : 0

FLAGS :

[SC] GetServiceConfig SUCCESS

SERVICE_NAME: NetBIOS

TYPE : 2 FILE_SYSTEM_DRIVER

START_TYPE : 1 SYSTEM_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : system32\DRIVERS\netbios.sys

LOAD_ORDER_GROUP : NetBIOSGroup

TAG : 1

DISPLAY_NAME : NetBIOS Interface

DEPENDENCIES :

SERVICE_START_NAME :

SERVICE_NAME: NetBIOS

TYPE : 2 FILE_SYSTEM_DRIVER

STATE : 4 RUNNING

(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

PID : 0

FLAGS :

[SC] GetServiceConfig SUCCESS

SERVICE_NAME: Lmhosts

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k LocalService

LOAD_ORDER_GROUP : TDI

TAG : 0

DISPLAY_NAME : TCP/IP NetBIOS Helper

DEPENDENCIES : NetBT

: Afd

SERVICE_START_NAME : NT AUTHORITY\LocalService

SERVICE_NAME: Lmhosts

TYPE : 20 WIN32_SHARE_PROCESS

STATE : 1 STOPPED

(NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)

WIN32_EXIT_CODE : 1075 (0x433)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

PID : 0

FLAGS :

[SC] GetServiceConfig SUCCESS

SERVICE_NAME: Dnscache

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k NetworkService

LOAD_ORDER_GROUP : TDI

TAG : 0

DISPLAY_NAME : DNS Client

DEPENDENCIES : Tcpip

SERVICE_START_NAME : NT AUTHORITY\NetworkService

SERVICE_NAME: Dnscache

TYPE : 20 WIN32_SHARE_PROCESS

STATE : 4 RUNNING

(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

PID : 1092

FLAGS :

[SC] GetServiceConfig SUCCESS

SERVICE_NAME: PolicyAgent

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\system32\lsass.exe

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : IPSEC Services

DEPENDENCIES : RPCSS

: Tcpip

: IPSec

SERVICE_START_NAME : LocalSystem

SERVICE_NAME: PolicyAgent

TYPE : 20 WIN32_SHARE_PROCESS

STATE : 1 STOPPED

(NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)

WIN32_EXIT_CODE : 10050 (0x2742)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

PID : 0

FLAGS :

[SC] GetServiceConfig SUCCESS

SERVICE_NAME: Nla

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 3 DEMAND_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Network Location Awareness (NLA)

DEPENDENCIES : Tcpip

: Afd

SERVICE_START_NAME : LocalSystem

SERVICE_NAME: Nla

TYPE : 20 WIN32_SHARE_PROCESS

STATE : 1 STOPPED

(NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)

WIN32_EXIT_CODE : 1075 (0x433)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

PID : 0

FLAGS :

[SC] GetServiceConfig SUCCESS

SERVICE_NAME: lanmanserver

TYPE : 20 WIN32_SHARE_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs

LOAD_ORDER_GROUP :

TAG : 0

DISPLAY_NAME : Server

DEPENDENCIES :

SERVICE_START_NAME : LocalSystem

SERVICE_NAME: lanmanserver

TYPE : 20 WIN32_SHARE_PROCESS

STATE : 4 RUNNING

(STOPPABLE,PAUSABLE,ACCEPTS_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

PID : 1000

FLAGS :

[SC] GetServiceConfig SUCCESS

SERVICE_NAME: IPSEC

TYPE : 1 KERNEL_DRIVER

START_TYPE : 1 SYSTEM_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : system32\DRIVERS\ipsec.sys

LOAD_ORDER_GROUP : PNP_TDI

TAG : 14

DISPLAY_NAME : IPSEC driver

DEPENDENCIES :

SERVICE_START_NAME :

SERVICE_NAME: IPSEC

TYPE : 1 KERNEL_DRIVER

STATE : 4 RUNNING

(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

PID : 0

FLAGS :

[SC] GetServiceConfig SUCCESS

SERVICE_NAME: RPCSS

TYPE : 10 WIN32_OWN_PROCESS

START_TYPE : 2 AUTO_START

ERROR_CONTROL : 1 NORMAL

BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k rpcss

LOAD_ORDER_GROUP : COM Infrastructure

TAG : 0

DISPLAY_NAME : Remote Procedure Call (RPC)

DEPENDENCIES :

SERVICE_START_NAME : NT Authority\NetworkService

SERVICE_NAME: RPCSS

TYPE : 10 WIN32_OWN_PROCESS

STATE : 4 RUNNING

(NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)

WIN32_EXIT_CODE : 0 (0x0)

SERVICE_EXIT_CODE : 0 (0x0)

CHECKPOINT : 0x0

WAIT_HINT : 0x0

PID : 952

FLAGS :


I don't see the Afd.sys driver / service loading

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    afd.sys


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt


SystemLook 30.07.11 by jpshortstuff

Log created at 15:20 on 30/12/2011 by Dan

Administrator - Elevation successful

========== filefind ==========

Searching for "afd.sys"

C:\WINDOWS\ServicePackFiles\i386\afd.sys ------- 138112 bytes [07:40 06/10/2008] [06:49 14/04/2008] 322D0E36693D6E24A2398BEE62A268CD

C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\afd.sys --a---- 138112 bytes [07:07 06/10/2008] [19:19 13/04/2008] 322D0E36693D6E24A2398BEE62A268CD

C:\WINDOWS\system32\dllcache\afd.sys --a--c- 138496 bytes [00:40 24/12/2011] [13:49 17/08/2011] 1E44BC1E83D8FD2305F8D452DB109CF9

C:\WINDOWS\system32\drivers\afd.sys --a---- 138496 bytes [00:40 24/12/2011] [13:49 17/08/2011] 1E44BC1E83D8FD2305F8D452DB109CF9

-= EOF =-


1. Click Start, click Run, type regedit in the Open box, and then click OK.

2. In Registry Editor, locate and then click the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp

3. Right-click the DependOnService entry.

4. In the Value data box, the only services that are in the DependOnService entry are the following services:

Tcpip

Afd

NetBt

Are there any others listed?


I'd also like you to do this.

Please go to http://www.virustotal.com/, click on Browse, and upload the following file for analysis:

C:\windows\system32\drivers\lswo.sys

Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.

If virustotal is too busy you can try these.

http://virusscan.jotti.org

http://www.kaspersky.com/scanforvirus.html


It's where it's supposed to be.

Do you know how long it hasn't been working?

Well I found what is posted below in the event viewer, stating a problem on Dec. 6, but I didn't experience any problems with the computer until several days later when I rebooted...it might have been up to a week later. Actually the file that is in the system32\drivers folder is not the original file from my computer. I copied afd.sys, netbt.sys, and tcpip.sys from another working computer with the same XP installation, and put those on the infected computer, because I thought that might be what was causing the DHCP 1075 error, (The dependency service does not exist or has been marked for deletion ). You can't see afd, netbt, or tcpip in Computer Management > Services, but if you go into the Device Manager > Show Hidden Devices > Non Plug and Play Drivers, they show up there, and they were all showing as Stopped and I was unable to get them to start, so I figured they were corrupted by the virus. Maybe that's still my problem. What can I do to fix this?

Event Viewer - System

Information 12/6/11 10:39:52pm Source-Windows File Protection Category-None Event 64002 User-N/A

File replacement was attempted on the protected system file c:\windows\system32\drivers\afd.sys. This file was

restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.6142


Is that correct? You only copied them in the drivers folder?

That is correct - I only replaced the files in the Drivers folder.

Ok, I looked up the DHCP registry key, and the 3 you mentioned are the only dependencies.

I cannot locate lswo.sys. It does not exist in C:\windows\system32\drivers. Just to clarify, that's LSWO.SYS, right?


S0 vhndu;vhndu;c:\windows\system32\drivers\lswo.sys --> c:\windows\system32\drivers\lswo.sys [?]

That's in your combofix scan and I can't find any info on it.

Let's give this a try.

I want you to delete these files:

C:\WINDOWS\system32\drivers\afd.sys

C:\WINDOWS\system32\drivers\Tcpip.sys

C:\WINDOWS\system32\drivers\NetBt.sys

C:\WINDOWS\system32\drivers\IPSec.sys

Now run a new combofix scan.

Post the results


Ok. 4 files deleted, Combofix ran. Here's the log. Should I have rebooted after deleting the files? (I didn't).

ComboFix 11-12-30.02 - Dan 12/30/2011 16:35:31.5.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2766 [GMT -7:00]

Running from: c:\documents and settings\Dan\Desktop\ComboFix.exe

.

.

((((((((((((((((((((((((( Files Created from 2011-11-28 to 2011-12-30 )))))))))))))))))))))))))))))))

.

.

2011-12-24 23:14 . 2001-08-17 20:28 130942 -c--a-w- c:\windows\system32\dllcache\OLDAED.tmp

2011-12-24 23:14 . 2001-08-17 20:28 112574 -c--a-w- c:\windows\system32\dllcache\OLDAE9.tmp

2011-12-24 23:14 . 2008-04-14 12:42 159232 -c--a-w- c:\windows\system32\dllcache\OLDAE1.tmp

2011-12-24 23:14 . 2001-08-17 20:28 128286 -c--a-w- c:\windows\system32\dllcache\OLDAE5.tmp

2011-12-24 23:14 . 2011-12-24 23:14 -------- d-----w- c:\windows\system32\CatRoot_bak

2011-12-24 01:10 . 2011-12-24 01:10 -------- d-----w- c:\program files\Magical Jelly Bean

2011-12-24 00:40 . 2011-08-17 13:49 138496 -c--a-w- c:\windows\system32\dllcache\afd.sys

2011-12-24 00:40 . 2011-08-17 13:49 138496 ----a-w- c:\windows\system32\drivers\afd.sys

2011-12-24 00:40 . 2008-06-20 11:51 361600 -c--a-w- c:\windows\system32\dllcache\tcpip.sys

2011-12-24 00:40 . 2008-06-20 11:51 361600 ----a-w- c:\windows\system32\drivers\tcpip.sys

2011-12-24 00:40 . 2008-04-14 07:51 162816 -c--a-w- c:\windows\system32\dllcache\netbt.sys

2011-12-24 00:40 . 2008-04-14 07:51 162816 ----a-w- c:\windows\system32\drivers\netbt.sys

2011-12-17 00:37 . 2008-04-14 12:42 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll

2011-12-17 00:37 . 2001-08-18 05:36 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll

2011-12-17 00:37 . 2008-04-14 12:42 18944 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll

2011-12-17 00:37 . 2001-08-18 05:37 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe

2011-12-17 00:37 . 2001-08-18 05:37 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe

2011-12-17 00:37 . 2001-08-18 05:37 99865 -c--a-w- c:\windows\system32\dllcache\xlog.exe

2011-12-17 00:37 . 2001-08-17 19:11 16970 -c--a-w- c:\windows\system32\dllcache\xem336n5.sys

2011-12-17 00:37 . 2008-04-14 05:04 19455 -c--a-w- c:\windows\system32\dllcache\wvchntxx.sys

2011-12-17 00:37 . 2008-04-14 07:16 19200 -c--a-w- c:\windows\system32\dllcache\wstcodec.sys

2011-12-17 00:37 . 2008-04-14 12:42 8192 -c--a-w- c:\windows\system32\dllcache\wshirda.dll

2011-12-17 00:37 . 2008-04-14 05:04 12063 -c--a-w- c:\windows\system32\dllcache\wsiintxx.sys

2011-12-17 00:35 . 2001-08-18 05:36 24660 -c--a-w- c:\windows\system32\dllcache\spxupchk.dll

2011-12-17 00:34 . 2001-08-17 20:28 130942 -c--a-w- c:\windows\system32\dllcache\ptserlv.sys

2011-12-17 00:33 . 2001-08-17 21:02 35200 -c--a-w- c:\windows\system32\dllcache\msgame.sys

2011-12-17 00:32 . 2001-08-18 05:36 372824 -c--a-w- c:\windows\system32\dllcache\iconf32.dll

2011-12-17 00:31 . 2001-08-17 20:28 347550 -c--a-w- c:\windows\system32\dllcache\es56tpi.sys

2011-12-17 00:30 . 2008-04-14 07:11 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys

2011-12-17 00:29 . 2001-08-17 19:48 36128 -c--a-w- c:\windows\system32\dllcache\banshee.sys

2011-12-14 03:40 . 2001-08-17 19:12 97354 -c--a-w- c:\windows\system32\dllcache\aspndis3.sys

2011-12-14 03:40 . 2001-08-17 20:52 22400 -c--a-w- c:\windows\system32\dllcache\asc3350p.sys

2011-12-14 03:40 . 2001-08-17 20:51 14848 -c--a-w- c:\windows\system32\dllcache\asc3550.sys

2011-12-14 03:40 . 2001-08-17 20:52 26496 -c--a-w- c:\windows\system32\dllcache\asc.sys

2011-12-14 03:39 . 2001-08-17 20:47 6272 -c--a-w- c:\windows\system32\dllcache\apmbatt.sys

2011-12-14 03:39 . 2008-04-14 05:05 36224 -c--a-w- c:\windows\system32\dllcache\an983.sys

2011-12-14 03:39 . 2001-08-17 20:52 12032 -c--a-w- c:\windows\system32\dllcache\amsint.sys

2011-12-14 03:39 . 2001-08-17 20:51 5248 -c--a-w- c:\windows\system32\dllcache\aliide.sys

2011-12-14 03:39 . 2001-08-17 20:49 26624 -c--a-w- c:\windows\system32\dllcache\alifir.sys

2011-12-14 03:39 . 2001-08-17 19:11 16969 -c--a-w- c:\windows\system32\dllcache\amb8002.sys

2011-12-14 03:39 . 2001-08-17 21:07 56960 -c--a-w- c:\windows\system32\dllcache\aic78xx.sys

2011-12-14 03:39 . 2001-08-17 21:07 55168 -c--a-w- c:\windows\system32\dllcache\aic78u2.sys

2011-12-14 03:39 . 2001-08-17 19:11 27678 -c--a-w- c:\windows\system32\dllcache\ali5261.sys

2011-12-14 03:39 . 2001-08-17 20:52 12800 -c--a-w- c:\windows\system32\dllcache\aha154x.sys

2011-12-14 03:39 . 2001-08-17 21:07 101888 -c--a-w- c:\windows\system32\dllcache\adpu160m.sys

2011-12-14 03:39 . 2001-08-17 19:11 46112 -c--a-w- c:\windows\system32\dllcache\adptsf50.sys

2011-12-14 03:35 . 2001-08-17 21:56 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll

2011-12-14 02:51 . 2011-12-14 02:51 -------- d-----w- c:\program files\ERUNT

2011-12-14 01:31 . 2011-09-27 00:15 117920 ----a-w- c:\windows\system32\IPROSetMonitor.exe

2011-12-13 00:27 . 2011-12-13 00:27 -------- d-----w- c:\windows\system32\wbem\Repository

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-12-06 23:48 . 2011-05-14 23:52 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-11-29 04:52 . 2011-11-29 04:51 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll

2011-11-29 04:52 . 2011-11-29 04:51 52096 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll

2011-11-29 04:52 . 2011-11-29 04:51 30592 ----a-w- c:\windows\system32\LMIport.dll

2011-11-29 04:52 . 2011-11-29 04:51 87424 ----a-w- c:\windows\system32\LMIinit.dll

2011-11-03 13:22 . 2011-01-11 18:16 499712 ----a-w- c:\windows\system32\msvcp71.dll

2011-11-03 13:22 . 2011-01-11 18:16 348160 ----a-w- c:\windows\system32\msvcr71.dll

2011-10-26 17:41 . 2011-10-26 17:41 667256 ----a-w- c:\windows\system32\ncs2dmix.dll

2011-10-26 17:41 . 2011-10-26 17:41 517752 ----a-w- c:\windows\system32\accesor.dll

2011-10-26 17:01 . 2011-10-26 17:01 142456 ----a-w- c:\windows\system32\ncs2instutility.dll

2011-10-26 16:31 . 2011-10-26 16:31 2208888 ----a-w- c:\windows\system32\ncscolib.dll

2011-10-25 18:04 . 2011-10-25 18:04 193536 ----a-w- c:\windows\system32\Ncs2Setp.dll

2011-10-14 17:40 . 2010-03-26 06:59 253656 ----a-w- c:\windows\system32\drivers\e1e5132.sys

2011-10-10 14:22 . 2008-10-06 03:39 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-10-05 07:28 . 2011-10-05 07:28 30368 ----a-w- c:\windows\system32\drivers\iqvw32.sys

2011-11-23 14:16 . 2011-05-03 06:21 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((( SnapShot_2011-12-30_01.16.38 )))))))))))))))))))))))))))))))))))))))))

.

+ 2011-12-30 01:51 . 2011-12-30 01:51 16384 c:\windows\Temp\Perflib_Perfdata_7e8.dat

+ 2011-12-30 01:51 . 2011-12-30 01:51 16384 c:\windows\Temp\Perflib_Perfdata_778.dat

+ 2004-08-04 12:00 . 2011-12-30 06:17 92390 c:\windows\system32\perfc009.dat

- 2004-08-04 12:00 . 2011-12-30 00:54 92390 c:\windows\system32\perfc009.dat

+ 2004-08-04 12:00 . 2011-12-30 06:17 516268 c:\windows\system32\perfh009.dat

- 2004-08-04 12:00 . 2011-12-30 00:54 516268 c:\windows\system32\perfh009.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Dan\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Dan\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Dan\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]

@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Dan\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-12-09 4616064]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2011-11-03 273528]

.

c:\documents and settings\Dan\Start Menu\Programs\Startup\

ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableLinkedConnections"= 1 (0x1)

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]

2011-11-29 04:52 87424 ----a-w- c:\windows\system32\LMIinit.dll

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\IMFservice]

@="Service"

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ClientManager3.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ClientManager3.lnk

backup=c:\windows\pss\ClientManager3.lnkCommon Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]

2011-10-11 15:17 5389944 ----a-w- c:\program files\SlySoft\AnyDVD\AnyDVDtray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2008-04-14 11:42 15360 ----a-w- c:\windows\system32\ctfmon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]

c:\program files\LogMeIn\x86\LogMeInSystray.exe [BU]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]

2011-09-01 00:00 449608 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

2011-11-03 13:22 273528 ----a-w- c:\program files\Real\RealPlayer\Update\realsched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=

"c:\\Documents and Settings\\Dan\\Application Data\\Dropbox\\bin\\Dropbox.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Freemake\\Freemake Video Converter\\FreemakeVC.exe"=

"c:\\Program Files\\Synology\\Assistant\\DSAssistant.exe"=

"c:\\Program Files\\BUFFALO\\Client Manager3\\bwsvc.exe"=

"c:\\Program Files\\BUFFALO\\Client Manager3\\AOSSWPS.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

.

R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [8/28/2011 11:48 AM 232512]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 9:27 AM 12880]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 2:55 PM 67664]

R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 4:38 PM 116608]

R2 IMFservice;IMF Service;c:\program files\IObit\IObit Malware Fighter\IMFsrv.exe [10/24/2011 5:00 PM 820568]

R2 Intel® PROSet Monitoring Service;Intel® PROSet Monitoring Service;c:\windows\system32\IPROSetMonitor.exe [12/13/2011 6:31 PM 117920]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [4/27/2011 11:11 PM 366152]

R2 UsbClientService;UsbClientService;c:\program files\Synology\Assistant\UsbClientService.exe [2/17/2011 11:18 PM 245760]

R3 busenum;Synology Virtual USB Hub;c:\windows\system32\drivers\busenum.sys [2/17/2011 11:20 PM 46304]

R3 DKRtWrt;DKRtWrt;c:\windows\system32\drivers\DKRtWrt.sys [8/20/2010 11:14 AM 42144]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [4/27/2011 11:11 PM 22216]

R3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [12/9/2010 11:48 PM 47360]

S0 vhndu;vhndu;c:\windows\system32\drivers\lswo.sys --> c:\windows\system32\drivers\lswo.sys [?]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]

S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]

S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 9:58 AM 11336]

S3 FileMonitor;FileMonitor;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\FileMonitor.sys [10/24/2011 5:00 PM 239472]

S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [1/21/2010 4:51 PM 30963576]

S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 7:37 PM 4640000]

S3 RegFilter;RegFilter;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\RegFilter.sys [10/24/2011 5:00 PM 30368]

S3 UrlFilter;UrlFilter;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\UrlFilter.sys [10/24/2011 5:00 PM 16208]

S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/4/2004 5:00 AM 14336]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]

S4 LMIGuardianSvc;LMIGuardianSvc;"c:\program files\LogMeIn\x86\LMIGuardianSvc.exe" --> c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [?]

S4 MotoHelper;MotoHelper Service;c:\program files\Motorola\MotoHelper\MotoHelperService.exe [8/10/2011 12:35 PM 227184]

S4 NAUpdate;@c:\program files\Nero\Update\NASvc.exe,-200;c:\program files\Nero\Update\NASvc.exe [3/25/2010 1:39 PM 490280]

.

--- Other Services/Drivers In Memory ---

.

*Deregistered* - ppsio2

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

WINRM REG_MULTI_SZ WINRM

.

Contents of the 'Scheduled Tasks' folder

.

2011-12-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-746137067-1606980848-839522115-1003Core.job

- c:\documents and settings\Dan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-05-25 05:25]

.

2011-12-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-746137067-1606980848-839522115-1003UA.job

- c:\documents and settings\Dan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-05-25 05:25]

.

2011-12-24 c:\windows\Tasks\MotoHelper MUM.job

- c:\program files\Motorola\MotoHelper\MotoHelperUpdate.exe [2011-08-08 22:11]

.

2011-12-29 c:\windows\Tasks\MotoHelper Routing.job

- c:\program files\Motorola\MotoHelper\MotoHelperUpdate.exe [2011-08-08 22:11]

.

2011-12-24 c:\windows\Tasks\MotoHelper Update.job

- c:\program files\Motorola\MotoHelper\MotoHelperUpdate.exe [2011-08-08 22:11]

.

2011-12-30 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-18.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-09-27 19:40]

.

2011-12-30 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-746137067-1606980848-839522115-1003.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-09-27 19:40]

.

2011-12-27 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-18.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-09-27 19:40]

.

2011-12-25 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-746137067-1606980848-839522115-1003.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-09-27 19:40]

.

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyOverride = *.local;192.168.*.*

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - c:\progra~1\MICROS~3\Office14\ONBttnIE.dll/105

FF - ProfilePath - c:\documents and settings\Dan\Application Data\Mozilla\Firefox\Profiles\4x0jvxwd.default\

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-12-30 16:39

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,81,12,8e,ab,81,7c,c5,4c,83,6e,8d,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,81,12,8e,ab,81,7c,c5,4c,83,6e,8d,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(604)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\WININET.dll

c:\windows\system32\Ati2evxx.dll

c:\windows\system32\atiadlxx.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll

c:\windows\system32\LMIinit.dll

c:\program files\BUFFALO\Client Manager3\BwcProv.dll

c:\windows\system32\LMIRfsClientNP.dll

.

- - - - - - - > 'explorer.exe'(3140)

c:\windows\system32\WININET.dll

c:\documents and settings\Dan\Application Data\Dropbox\bin\DropboxExt.14.dll

c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf

c:\progra~1\MICROS~3\Office14\1033\GrooveIntlResource.dll

c:\windows\system32\msi.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2011-12-30 16:40:10

ComboFix-quarantined-files.txt 2011-12-30 23:40

ComboFix2.txt 2011-12-30 01:19

ComboFix3.txt 2011-12-19 08:56

ComboFix4.txt 2011-12-19 07:29

.

Pre-Run: 34,401,882,112 bytes free

Post-Run: 34,385,084,416 bytes free

.

- - End Of File - - FF9FB78C98F260782856EE8E49FAE6D1


I was hoping to see combofix replacing those files.

Maybe it will after killing this one.

Copy/paste the text in the Codebox below into notepad:

Here's how to do that:

Click Start > Run type Notepad click OK.

This will open an empty notepad file:

Take your mouse, and place your cursor at the beginning of the text in the box below, then click and hold the left mouse button, while pulling your mouse over the text. This should highlight the text. Now release the left mouse button. Now, with the cursor over the highlighted text, right click the mouse for options, and select 'copy'. Now over the empty Notepad box, right click your mouse again, and select 'paste' and you will have copied and pasted the text.

KillAll::

File::
c:\windows\system32\drivers\lswo.sys

RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

Save this file to your desktop. Save it as "CFScript".

Here's how to do that:

1. Click File;

2. Click Save As... Change the directory to your desktop;

3. Change the Save as type to "All Files";

4. Type in the file name: CFScript

5. Click Save ...


Drag CFScript.txt into ComboFix.exe

Then post the results log using Copy / Paste

Also please describe how your computer behaves at the moment.


I need to go out for a few hrs.

If that didn't work, copy these files to the drivers folder:

C:\WINDOWS\ServicePackFiles\i386\afd.sys

C:\WINDOWS\ServicePackFiles\i386\Tcpip.sys

C:\WINDOWS\ServicePackFiles\i386\NetBt.sys

C:\WINDOWS\ServicePackFiles\i386\IPSec.sys

C:\WINDOWS\system32\drivers\

Reboot.

We still have other things to try.


Here's the combofix log. I also copied the 4 files you mentioned and rebooted. No difference. I wanted to mention that when I look in Device Manager > Show Hidden Devices > Non Plug and Play Drivers - NetBT, Tcpip, and IPSec all show up and are Started. AFD, on the other hand, is not there at all. I think this may indicate afd as the problem. It seems like something is preventing the service from starting. I checked in C:\Windows\system32\drivers and afd.sys is still there.

ComboFix 11-12-30.02 - Dan 12/30/2011 17:24:47.6.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2852 [GMT -7:00]

Running from: c:\documents and settings\Dan\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Dan\Desktop\cfscript

.

FILE ::

"c:\windows\system32\drivers\lswo.sys"

.

.

((((((((((((((((((((((((( Files Created from 2011-11-28 to 2011-12-31 )))))))))))))))))))))))))))))))

.

.

2011-12-24 23:14 . 2001-08-17 20:28 130942 -c--a-w- c:\windows\system32\dllcache\OLDAED.tmp

2011-12-24 23:14 . 2001-08-17 20:28 112574 -c--a-w- c:\windows\system32\dllcache\OLDAE9.tmp

2011-12-24 23:14 . 2008-04-14 12:42 159232 -c--a-w- c:\windows\system32\dllcache\OLDAE1.tmp

2011-12-24 23:14 . 2001-08-17 20:28 128286 -c--a-w- c:\windows\system32\dllcache\OLDAE5.tmp

2011-12-24 23:14 . 2011-12-24 23:14 -------- d-----w- c:\windows\system32\CatRoot_bak

2011-12-24 01:10 . 2011-12-24 01:10 -------- d-----w- c:\program files\Magical Jelly Bean

2011-12-24 00:40 . 2011-08-17 13:49 138496 -c--a-w- c:\windows\system32\dllcache\afd.sys

2011-12-24 00:40 . 2011-08-17 13:49 138496 ----a-w- c:\windows\system32\drivers\afd.sys

2011-12-24 00:40 . 2008-06-20 11:51 361600 -c--a-w- c:\windows\system32\dllcache\tcpip.sys

2011-12-24 00:40 . 2008-06-20 11:51 361600 ----a-w- c:\windows\system32\drivers\tcpip.sys

2011-12-24 00:40 . 2008-04-14 07:51 162816 -c--a-w- c:\windows\system32\dllcache\netbt.sys

2011-12-24 00:40 . 2008-04-14 07:51 162816 ----a-w- c:\windows\system32\drivers\netbt.sys

2011-12-17 00:37 . 2008-04-14 12:42 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll

2011-12-17 00:37 . 2001-08-18 05:36 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll

2011-12-17 00:37 . 2008-04-14 12:42 18944 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll

2011-12-17 00:37 . 2001-08-18 05:37 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe

2011-12-17 00:37 . 2001-08-18 05:37 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe

2011-12-17 00:37 . 2001-08-18 05:37 99865 -c--a-w- c:\windows\system32\dllcache\xlog.exe

2011-12-17 00:37 . 2001-08-17 19:11 16970 -c--a-w- c:\windows\system32\dllcache\xem336n5.sys

2011-12-17 00:37 . 2008-04-14 05:04 19455 -c--a-w- c:\windows\system32\dllcache\wvchntxx.sys

2011-12-17 00:37 . 2008-04-14 07:16 19200 -c--a-w- c:\windows\system32\dllcache\wstcodec.sys

2011-12-17 00:37 . 2008-04-14 12:42 8192 -c--a-w- c:\windows\system32\dllcache\wshirda.dll

2011-12-17 00:37 . 2008-04-14 05:04 12063 -c--a-w- c:\windows\system32\dllcache\wsiintxx.sys

2011-12-17 00:35 . 2001-08-18 05:36 24660 -c--a-w- c:\windows\system32\dllcache\spxupchk.dll

2011-12-17 00:34 . 2001-08-17 20:28 130942 -c--a-w- c:\windows\system32\dllcache\ptserlv.sys

2011-12-17 00:33 . 2001-08-17 21:02 35200 -c--a-w- c:\windows\system32\dllcache\msgame.sys

2011-12-17 00:32 . 2001-08-18 05:36 372824 -c--a-w- c:\windows\system32\dllcache\iconf32.dll

2011-12-17 00:31 . 2001-08-17 20:28 347550 -c--a-w- c:\windows\system32\dllcache\es56tpi.sys

2011-12-17 00:30 . 2008-04-14 07:11 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys

2011-12-17 00:29 . 2001-08-17 19:48 36128 -c--a-w- c:\windows\system32\dllcache\banshee.sys

2011-12-14 03:40 . 2001-08-17 19:12 97354 -c--a-w- c:\windows\system32\dllcache\aspndis3.sys

2011-12-14 03:40 . 2001-08-17 20:52 22400 -c--a-w- c:\windows\system32\dllcache\asc3350p.sys

2011-12-14 03:40 . 2001-08-17 20:51 14848 -c--a-w- c:\windows\system32\dllcache\asc3550.sys

2011-12-14 03:40 . 2001-08-17 20:52 26496 -c--a-w- c:\windows\system32\dllcache\asc.sys

2011-12-14 03:39 . 2001-08-17 20:47 6272 -c--a-w- c:\windows\system32\dllcache\apmbatt.sys

2011-12-14 03:39 . 2008-04-14 05:05 36224 -c--a-w- c:\windows\system32\dllcache\an983.sys

2011-12-14 03:39 . 2001-08-17 20:52 12032 -c--a-w- c:\windows\system32\dllcache\amsint.sys

2011-12-14 03:39 . 2001-08-17 20:51 5248 -c--a-w- c:\windows\system32\dllcache\aliide.sys

2011-12-14 03:39 . 2001-08-17 20:49 26624 -c--a-w- c:\windows\system32\dllcache\alifir.sys

2011-12-14 03:39 . 2001-08-17 19:11 16969 -c--a-w- c:\windows\system32\dllcache\amb8002.sys

2011-12-14 03:39 . 2001-08-17 21:07 56960 -c--a-w- c:\windows\system32\dllcache\aic78xx.sys

2011-12-14 03:39 . 2001-08-17 21:07 55168 -c--a-w- c:\windows\system32\dllcache\aic78u2.sys

2011-12-14 03:39 . 2001-08-17 19:11 27678 -c--a-w- c:\windows\system32\dllcache\ali5261.sys

2011-12-14 03:39 . 2001-08-17 20:52 12800 -c--a-w- c:\windows\system32\dllcache\aha154x.sys

2011-12-14 03:39 . 2001-08-17 21:07 101888 -c--a-w- c:\windows\system32\dllcache\adpu160m.sys

2011-12-14 03:39 . 2001-08-17 19:11 46112 -c--a-w- c:\windows\system32\dllcache\adptsf50.sys

2011-12-14 03:35 . 2001-08-17 21:56 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll

2011-12-14 02:51 . 2011-12-14 02:51 -------- d-----w- c:\program files\ERUNT

2011-12-14 01:31 . 2011-09-27 00:15 117920 ----a-w- c:\windows\system32\IPROSetMonitor.exe

2011-12-13 00:27 . 2011-12-13 00:27 -------- d-----w- c:\windows\system32\wbem\Repository

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-12-06 23:48 . 2011-05-14 23:52 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-11-29 04:52 . 2011-11-29 04:51 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll

2011-11-29 04:52 . 2011-11-29 04:51 52096 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll

2011-11-29 04:52 . 2011-11-29 04:51 30592 ----a-w- c:\windows\system32\LMIport.dll

2011-11-29 04:52 . 2011-11-29 04:51 87424 ----a-w- c:\windows\system32\LMIinit.dll

2011-11-03 13:22 . 2011-01-11 18:16 499712 ----a-w- c:\windows\system32\msvcp71.dll

2011-11-03 13:22 . 2011-01-11 18:16 348160 ----a-w- c:\windows\system32\msvcr71.dll

2011-10-26 17:41 . 2011-10-26 17:41 667256 ----a-w- c:\windows\system32\ncs2dmix.dll

2011-10-26 17:41 . 2011-10-26 17:41 517752 ----a-w- c:\windows\system32\accesor.dll

2011-10-26 17:01 . 2011-10-26 17:01 142456 ----a-w- c:\windows\system32\ncs2instutility.dll

2011-10-26 16:31 . 2011-10-26 16:31 2208888 ----a-w- c:\windows\system32\ncscolib.dll

2011-10-25 18:04 . 2011-10-25 18:04 193536 ----a-w- c:\windows\system32\Ncs2Setp.dll

2011-10-14 17:40 . 2010-03-26 06:59 253656 ----a-w- c:\windows\system32\drivers\e1e5132.sys

2011-10-10 14:22 . 2008-10-06 03:39 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-10-05 07:28 . 2011-10-05 07:28 30368 ----a-w- c:\windows\system32\drivers\iqvw32.sys

2011-11-23 14:16 . 2011-05-03 06:21 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

------- Sigcheck -------

Note: Unsigned files aren't necessarily malware.

.

Cryptography Services Error !!

.

((((((((((((((((((((((((((((( SnapShot_2011-12-30_01.16.38 )))))))))))))))))))))))))))))))))))))))))

.

- 2004-08-04 12:00 . 2011-12-30 00:54 92390 c:\windows\system32\perfc009.dat

+ 2004-08-04 12:00 . 2011-12-31 00:03 92390 c:\windows\system32\perfc009.dat

+ 2004-08-04 12:00 . 2011-12-31 00:03 516268 c:\windows\system32\perfh009.dat

- 2004-08-04 12:00 . 2011-12-30 00:54 516268 c:\windows\system32\perfh009.dat

+ 2011-12-30 23:55 . 2011-12-30 23:55 409600 c:\windows\ERDNT\AutoBackup\12-30-2011\Users\00000002\UsrClass.dat

+ 2011-12-30 23:55 . 2005-10-20 19:02 163328 c:\windows\ERDNT\AutoBackup\12-30-2011\ERDNT.EXE

+ 2011-12-30 23:55 . 2011-12-30 23:55 7733248 c:\windows\ERDNT\AutoBackup\12-30-2011\Users\00000001\ntuser.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Dan\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Dan\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Dan\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]

@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Dan\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-12-09 4616064]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2011-11-03 273528]

.

c:\documents and settings\Dan\Start Menu\Programs\Startup\

ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableLinkedConnections"= 1 (0x1)

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]

2011-11-29 04:52 87424 ----a-w- c:\windows\system32\LMIinit.dll

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\IMFservice]

@="Service"

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ClientManager3.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ClientManager3.lnk

backup=c:\windows\pss\ClientManager3.lnkCommon Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]

2011-10-11 15:17 5389944 ----a-w- c:\program files\SlySoft\AnyDVD\AnyDVDtray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2008-04-14 11:42 15360 ----a-w- c:\windows\system32\ctfmon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]

c:\program files\LogMeIn\x86\LogMeInSystray.exe [bU]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]

2011-09-01 00:00 449608 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

2011-11-03 13:22 273528 ----a-w- c:\program files\Real\RealPlayer\Update\realsched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=

"c:\\Documents and Settings\\Dan\\Application Data\\Dropbox\\bin\\Dropbox.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Freemake\\Freemake Video Converter\\FreemakeVC.exe"=

"c:\\Program Files\\Synology\\Assistant\\DSAssistant.exe"=

"c:\\Program Files\\BUFFALO\\Client Manager3\\bwsvc.exe"=

"c:\\Program Files\\BUFFALO\\Client Manager3\\AOSSWPS.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

.

R0 vhndu;vhndu;c:\windows\System32\drivers\lswo.sys [x]

R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2011-08-11 116608]

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]

R2 Intel® PROSet Monitoring Service;Intel® PROSet Monitoring Service;c:\windows\system32\IProsetMonitor.exe [2011-09-27 117920]

R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [x]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-09-01 366152]

R2 UsbClientService;UsbClientService;c:\program files\Synology\Assistant\UsbClientService.exe [2011-02-18 245760]

R3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [2009-12-18 11336]

R3 DKRtWrt;DKRtWrt;c:\windows\system32\DRIVERS\DKRtWrt.sys [2010-03-10 42144]

R3 FileMonitor;FileMonitor;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\FileMonitor.sys [2011-10-08 239472]

R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2010-01-21 30963576]

R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4640000]

R3 RegFilter;RegFilter;c:\program files\IObit\IObit Malware Fighter\drivers\wxp_x86\regfilter.sys [2011-09-20 30368]

R3 UrlFilter;UrlFilter;c:\program files\IObit\IObit Malware Fighter\drivers\wxp_x86\UrlFilter.sys [2011-09-20 16208]

R3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe [2008-04-14 14336]

R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]

R4 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [x]

R4 MotoHelper;MotoHelper Service;c:\program files\Motorola\MotoHelper\MotoHelperService.exe [2011-08-10 227184]

R4 NAUpdate;@c:\program files\Nero\Update\NASvc.exe,-200;c:\program files\Nero\Update\NASvc.exe [2010-03-25 490280]

S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2011-08-28 232512]

S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2011-07-22 12880]

S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2011-07-12 67664]

S2 IMFservice;IMF Service;c:\program files\IObit\IObit Malware Fighter\IMFsrv.exe [2011-10-08 820568]

S3 busenum;Synology Virtual USB Hub;c:\windows\system32\DRIVERS\busenum.sys [2011-02-18 46304]

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-09-01 22216]

S3 pcouffin;VSO Software pcouffin;c:\windows\system32\Drivers\pcouffin.sys [2010-12-10 47360]

.

.

--- Other Services/Drivers In Memory ---

.

*Deregistered* - ppsio2

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

WINRM REG_MULTI_SZ WINRM

.

Contents of the 'Scheduled Tasks' folder

.

2011-12-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-746137067-1606980848-839522115-1003Core.job

- c:\documents and settings\Dan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-05-25 05:25]

.

2011-12-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-746137067-1606980848-839522115-1003UA.job

- c:\documents and settings\Dan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-05-25 05:25]

.

2011-12-24 c:\windows\Tasks\MotoHelper MUM.job

- c:\program files\Motorola\MotoHelper\MotoHelperUpdate.exe [2011-08-08 22:11]

.

2011-12-30 c:\windows\Tasks\MotoHelper Routing.job

- c:\program files\Motorola\MotoHelper\MotoHelperUpdate.exe [2011-08-08 22:11]

.

2011-12-24 c:\windows\Tasks\MotoHelper Update.job

- c:\program files\Motorola\MotoHelper\MotoHelperUpdate.exe [2011-08-08 22:11]

.

2011-12-31 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-18.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-09-27 19:40]

.

2011-12-31 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-746137067-1606980848-839522115-1003.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-09-27 19:40]

.

2011-12-27 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-18.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-09-27 19:40]

.

2011-12-25 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-746137067-1606980848-839522115-1003.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-09-27 19:40]

.

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyOverride = *.local;192.168.*.*

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - c:\progra~1\MICROS~3\Office14\ONBttnIE.dll/105

FF - ProfilePath - c:\documents and settings\Dan\Application Data\Mozilla\Firefox\Profiles\4x0jvxwd.default\

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-12-30 17:37

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(840)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\WININET.dll

c:\windows\system32\Ati2evxx.dll

c:\windows\system32\atiadlxx.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll

c:\windows\system32\LMIinit.dll

c:\program files\BUFFALO\Client Manager3\BwcProv.dll

c:\windows\system32\LMIRfsClientNP.dll

.

- - - - - - - > 'explorer.exe'(1432)

c:\windows\system32\WININET.dll

c:\documents and settings\Dan\Application Data\Dropbox\bin\DropboxExt.14.dll

c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf

c:\progra~1\MICROS~3\Office14\1033\GrooveIntlResource.dll

c:\windows\system32\msi.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\program files\idt\intelxpv_v103\wdm\STacSV.exe

c:\windows\system32\Ati2evxx.exe

c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\imapi.exe

.

**************************************************************************

.

Completion time: 2011-12-30 17:37:55 - machine was rebooted

ComboFix-quarantined-files.txt 2011-12-31 00:37

ComboFix2.txt 2011-12-30 23:40

ComboFix3.txt 2011-12-30 01:19

ComboFix4.txt 2011-12-19 08:56

ComboFix5.txt 2011-12-31 00:24

.

Pre-Run: 34,341,183,488 bytes free

Post-Run: 34,326,249,472 bytes free

.

- - End Of File - - 44B63F39EF483D78D5ED7F409585821E


Yes, that one tool I had you run doesn't show it running or loading at all.

WARNING! This fix has been made specifically for this user! If you are not this user, DO NOT run this fix, as you could seriously harm your computer. Take a few seconds extra to make a new thread, and get a fix created for you, rather than having to possibly reinstall your whole system!


1. Launch Notepad (Start > All Programs > Accessories) and copy/paste all of the quoted REGEDIT text below into it. Don't forget to include REGEDIT4.

Save in: Desktop

File Name: fixme.reg

Save as Type: All files

Click: Save

2. Save this text as fixme.reg. Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop.

3. Double-click on fixme.reg. When it asks you to merge the information to the registry click Yes.

Reboot. Also, please describe how your computer behaves at the moment.

Progress!!

I now have "Connected" as my status for the network connection, and my IP address looks good, but I still can't get on a website in a browser (IE or Firefox). I can, however, get my Router utility to come up, so that tells me that the network card is at least working. So what next? Run Combofix again?

I should mention I got the following pop-up box when I tried running fixme.reg. Maybe it didn't get everything added that we wanted it to.

---------------------------

Registry Editor

---------------------------

Cannot import C:\Documents and Settings\Dan\Desktop\fixme.reg: Not all data was successfully written to the registry. Some keys are open by the system or other processes.

---------------------------

OK

---------------------------

This topic is now closed to further replies.