
Can't get rid of a9k (dot) bin



Hi

I have been trying to clean my partner's son's machine for over a day now and have got it down to just a9k.bin showing when MWB is used and the machine is not connected to the net; this goes up to approx 14 items when MWB is run and the machine is online.

I have Kaspersky Internet Suite 2009 but this little devil has killed it off and I am now unable to reload it.

Here are the latest logs:

MWB when connected to net:

Malwarebytes' Anti-Malware 1.36

Database version: 2162

Windows 5.1.2600 Service Pack 2

21/05/2009 21:03:38

mbam-log-2009-05-21 (21-03-38).txt

Scan type: Full Scan (C:\|D:\|E:\|)

Objects scanned: 184240

Time elapsed: 28 minute(s), 25 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 0

Registry Values Infected: 3

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 10

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\Temp\msb.dll (Spyware.Agent) -> Delete on reboot.

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Spyware.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\autochk.dll (Spyware.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\lmn_setup.exe (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\system32\config\systemprofile\protect.dll (Spyware.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\msb.dll (Spyware.Agent) -> Delete on reboot.

C:\Documents and Settings\HP_Owner\protect.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\LocalService\protect.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\ChkDisk.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\a9k.bin (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\ChkDisk.lnk (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\nsrbgxod.bak (Trojan.Agent) -> Delete on reboot.

MWB when run with machine offline:

Malwarebytes' Anti-Malware 1.36

Database version: 2162

Windows 5.1.2600 Service Pack 2

21/05/2009 20:29:49

mbam-log-2009-05-21 (20-29-49).txt

Scan type: Full Scan (C:\|D:\|E:\|)

Objects scanned: 184167

Time elapsed: 26 minute(s), 44 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\a9k.bin (Trojan.Agent) -> Quarantined and deleted successfully.

HJT:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 21:18:51, on 21/05/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\AGRSMMSG.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\ALCWZRD.EXE

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Messenger\Msmsgs.exe

C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Kontiki\KService.exe

C:\WINDOWS\runservice.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\msiexec.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Opera\opera.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: Yahoo!

Edited by AdvancedSetup
Removed unwanted CODE boxes
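As an added example (not code from the thread, the poster, or Malwarebytes), here is a small parser for the MBAM 1.x log layout shown above, used to diff the online and offline scans. It assumes exactly that layout ("Key: value" header lines, then "<Section> Infected:" blocks of "<item> (<classification>) -> <action>." entries); the two embedded logs are constructed excerpts of the posted ones, with summary counts adjusted to match the trimmed entry lists.

```python
"""Parse Malwarebytes' Anti-Malware 1.x scan logs and compare two scans.
Added example, not the forum's or Malwarebytes' code; assumes the log layout
of the posted MBAM 1.36 logs."""
import re
from collections import defaultdict

# One detection line, e.g.
# C:\WINDOWS\system32\a9k.bin (Trojan.Agent) -> Quarantined and deleted successfully.
ENTRY_RE = re.compile(r"^(?P<item>.+) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+) Infected:$")


def parse_mbam_log(text):
    """Return {"header": {...}, "counts": {...}, "detections": {section: [(item, family, action)]}}."""
    header, counts, detections = {}, {}, defaultdict(list)
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        if section is None:
            # Header region: "<Section> Infected: N" lines are summary counts, the rest metadata.
            key, sep, value = line.partition(": ")
            if sep and key.endswith(" Infected") and value.isdigit():
                counts[key[: -len(" Infected")]] = int(value)
            elif sep:
                header[key] = value
            continue
        m = ENTRY_RE.match(line)
        if m:  # "(No malicious items detected)" does not match and is skipped
            detections[section].append((m.group("item"), m.group("family"), m.group("action")))
    return {"header": header, "counts": counts, "detections": dict(detections)}


def count_mismatches(parsed):
    """Sections whose summary count disagrees with the entries listed (truncated or edited log)."""
    found = {s: len(v) for s, v in parsed["detections"].items()}
    return {s: (n, found.get(s, 0)) for s, n in parsed["counts"].items() if n != found.get(s, 0)}


def compare_scans(online_text, offline_text):
    """Diff two scans of one machine: what only one scan saw, and what is still pending."""
    on, off = parse_mbam_log(online_text), parse_mbam_log(offline_text)

    def items(parsed, only_pending=False):
        return {item for entries in parsed["detections"].values()
                for item, _, action in entries
                if not only_pending or action.startswith("Delete on reboot")}

    # "Delete on reboot" means the object was locked when MBAM ran; it is not gone
    # until the reboot completes, so the same name can show up again in the next scan.
    return {
        "only_online": sorted(items(on) - items(off)),
        "only_offline": sorted(items(off) - items(on)),
        "both": sorted(items(on) & items(off)),
        "pending_reboot": sorted(items(on, True) | items(off, True)),
    }


# Constructed excerpts modelled on the two logs posted in the thread (entries trimmed,
# summary counts adjusted to match the trimmed entry lists).
ONLINE_LOG = r"""
Malwarebytes' Anti-Malware 1.36
Database version: 2162
21/05/2009 21:03:38
Scan type: Full Scan (C:\|D:\|E:\|)
Memory Modules Infected: 1
Registry Values Infected: 1
Files Infected: 4
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\WINDOWS\Temp\msb.dll (Spyware.Agent) -> Delete on reboot.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Spyware.Agent) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\autochk.dll (Spyware.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lmn_setup.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\Temp\msb.dll (Spyware.Agent) -> Delete on reboot.
C:\WINDOWS\system32\a9k.bin (Trojan.Agent) -> Quarantined and deleted successfully.
"""

OFFLINE_LOG = r"""
Malwarebytes' Anti-Malware 1.36
Database version: 2162
21/05/2009 20:29:49
Scan type: Full Scan (C:\|D:\|E:\|)
Memory Modules Infected: 0
Files Infected: 1
Memory Modules Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\a9k.bin (Trojan.Agent) -> Quarantined and deleted successfully.
"""

if __name__ == "__main__":
    for key, vals in compare_scans(ONLINE_LOG, OFFLINE_LOG).items():
        print(key, vals)
```

The `pending_reboot` list is the set to re-check after the restart; `count_mismatches` flags a log whose summary counts no longer match its entries, which is what a log trimmed in a forum post looks like.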

  • Root Admin

Please visit this webpage for instructions for downloading ComboFix to your DESKTOP: how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.

Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program.

Additional links to download the tool:

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.


Hi Ron.

Thanks for the quick reply, here are the logs:

Combofix:

ComboFix 09-05-21.01 - HP_Owner 22/05/2009 8:28.1 - NTFSx86

Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\HP_Owner\protect.dll

c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\ChkDisk.dll

c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\ChkDisk.lnk

c:\documents and settings\LocalService\protect.dll

c:\documents and settings\NetworkService\protect.dll

C:\install.exe

c:\program files\ThunMail

c:\program files\ThunMail\testabd.dll

c:\program files\ThunMail\testabd.exe

c:\windows\cddddd.ini

c:\windows\fhijkj.ini

c:\windows\prtwyb.ini

c:\windows\system32\a9k.bin

c:\windows\system32\autochk.dll

c:\windows\system32\config\systemprofile\protect.dll

c:\windows\system32\drivers\mrxdavv.sys

c:\windows\system32\drivers\ovfsthfpylbetexfynqqjgoivrtrhohmuntwvq.sys

c:\windows\system32\hehoyoze.dll

c:\windows\system32\kawenola.dll

c:\windows\system32\kwave.sys

c:\windows\system32\nutowuko.exe

c:\windows\system32\ovfsthpbwhkwxhxbujrlrlyyeybejnfvoqtapr.dat

c:\windows\system32\ovfsthpspbrblvmwmpbwutqtvfxshmetsphnsd.dat

c:\windows\system32\ovfsthtwjpkmekchuycxptdyjkjokecvpesupi.dll

c:\windows\system32\ovfsthvvcniypvbvonptgtkxwdvnfrxcqsijmx.dll

c:\windows\system32\ovfsthxjorhpbdgqeneheeyuiqimsdkmyvibit.dll

c:\windows\system32\owimunos.ini

c:\windows\system32\pejejuwu.exe

c:\windows\system32\serv.exe

c:\windows\system32\uniq.tll

c:\windows\system32\yezamase.dll

c:\windows\yxwaay.ini

D:\Autorun.inf

D:\Desktop.ini

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_ovfsthcciomkosidwprptextpuyfqufdxrxvgb

-------\Legacy_ASHEVTSVC

-------\Legacy_MYWEBSEARCHSERVICE

((((((((((((((((((((((((( Files Created from 2009-04-22 to 2009-05-22 )))))))))))))))))))))))))))))))

.

2009-05-22 07:44 . 2009-05-22 07:47 0 ----a-w c:\windows\system32\a9k.bin

2009-05-21 20:18 . 2009-05-21 20:18 -------- d-----w c:\program files\Trend Micro

2009-05-21 20:01 . 2009-05-21 20:01 136 ----a-w c:\windows\system32\vp_setup.exe.bat

2009-05-21 20:01 . 2009-05-21 20:01 61440 ----a-w c:\windows\system32\vp_setup.exe

2009-05-21 12:42 . 2009-05-21 12:42 -------- d-----w c:\documents and settings\Administrator\Application Data\AdobeUM

2009-05-21 12:41 . 2009-05-21 12:41 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Adobe

2009-05-21 10:42 . 2009-05-21 10:42 -------- d-----w c:\program files\Sophos

2009-05-21 10:05 . 2009-05-21 10:05 -------- d-----w c:\documents and settings\HP_Owner\Local Settings\Application Data\Opera

2009-05-21 10:04 . 2009-05-21 10:05 -------- d-----w c:\program files\Opera

2009-05-20 21:16 . 2009-05-20 21:17 -------- d-----w C:\1c29a3c156629520db698789b9

2009-05-20 21:01 . 2009-05-21 08:15 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP

2009-05-20 20:53 . 2007-06-08 12:53 1753088 ----a-w c:\windows\system32\ExGrid.dll

2009-05-20 20:53 . 2007-06-05 09:20 602112 ----a-w c:\windows\system32\ExMenu.dll

2009-05-20 20:53 . 2007-04-03 15:51 614400 ----a-w c:\windows\system32\ExButton.dll

2009-05-20 20:53 . 2007-04-03 15:51 307200 ----a-w c:\windows\system32\ExPMenu.dll

2009-05-20 20:53 . 2009-05-20 20:53 -------- d-----w c:\program files\Common Files\eSellerate

2009-05-20 20:53 . 2007-06-05 09:19 516096 ----a-w c:\windows\system32\ExTab.dll

2009-05-20 20:53 . 2005-10-11 13:40 356352 ----a-w c:\windows\system32\eSellerateEngine.dll

2009-05-20 20:53 . 2005-10-04 07:11 118784 ----a-w c:\windows\system32\eWebControl.dll

2009-05-20 20:53 . 1998-04-24 00:00 368912 ----a-w c:\windows\system32\vbar332.dll

2009-05-20 20:53 . 2009-05-20 20:53 -------- d-----w c:\program files\AnswersThatWork

2009-05-20 17:39 . 2009-05-20 17:39 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-05-15 19:34 . 2009-05-15 19:34 119296 ----a-w c:\windows\system32\00setup.exe

2009-05-15 19:33 . 2009-05-15 19:34 77798 ----a-w c:\windows\system32\wdh.bin

2009-05-15 19:33 . 2009-05-15 19:33 24307 ----a-w c:\windows\system32\exodpt.dll

2009-05-14 18:28 . 2009-05-14 18:28 15939 ----a-w c:\windows\system32\drivers\AegisP.sys

2009-05-14 18:28 . 2009-05-14 18:28 -------- d-----w c:\windows\options

2009-05-14 18:28 . 2004-04-30 14:12 40960 ----a-w c:\windows\system32\B11gUSB.dll

2009-05-14 18:28 . 2004-03-30 11:51 1085440 ----a-w c:\windows\system32\AegisE5.dll

2009-05-14 18:28 . 2003-10-13 14:30 94208 ----a-w c:\windows\system32\GTW32N50.dll

2009-05-14 18:28 . 2003-09-25 21:15 15872 ----a-w c:\windows\system32\GTNDIS5.sys

2009-05-03 05:09 . 2009-05-03 05:09 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-04-30 22:29 . 2009-04-30 22:29 -------- d-----w c:\program files\Kontiki

2009-04-30 22:29 . 2009-04-30 22:29 -------- d-----w c:\program files\Channel4

2009-04-30 20:29 . 2009-04-30 20:29 31948 ---ha-w c:\windows\system32\mlfcache.dat

2009-04-30 20:28 . 2009-04-30 20:28 -------- d-----w c:\program files\Safari

2009-04-30 20:27 . 2009-04-30 20:27 -------- d-----w c:\program files\Bonjour

2009-04-30 20:27 . 2009-04-30 20:27 -------- d-----w c:\program files\Apple Software Update

2009-04-30 20:15 . 2009-04-30 20:15 -------- d-----w c:\program files\Unlocker

2009-04-30 20:15 . 2009-04-30 20:15 -------- d-----w c:\documents and settings\HP_Owner\Application Data\Desktopicon

2009-04-30 18:42 . 2009-05-03 05:08 -------- d-----w c:\program files\Spybot - Search & Destroy

2009-04-28 21:00 . 2009-04-28 21:00 -------- d-----w c:\documents and settings\HP_Owner\Application Data\Malwarebytes

2009-04-28 21:00 . 2009-04-06 14:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-04-28 21:00 . 2009-04-06 14:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-04-28 21:00 . 2009-04-28 21:00 -------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-04-28 21:00 . 2009-04-28 21:00 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes

2009-04-27 20:28 . 2009-04-27 20:28 226832 ----a-w c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP8\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav8exec\8.0.0.506\XP\klif.sys

2009-04-27 20:13 . 2009-05-20 20:57 -------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab

2009-04-27 20:13 . 2009-04-27 20:13 -------- d-----w c:\program files\Kaspersky Lab

2009-04-27 20:09 . 2009-04-27 20:09 -------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files

2009-04-27 20:03 . 2009-04-27 20:03 -------- d-----w c:\documents and settings\All Users\Application Data\Avg7

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-05-22 07:46 . 2008-03-04 15:48 -------- d-----w c:\documents and settings\All Users\Application Data\Kontiki

2009-05-22 07:44 . 2006-12-06 20:35 2241 --sha-w c:\windows\system32\mmf.sys

2009-05-15 19:33 . 2006-11-02 12:00 8656 ----a-w c:\windows\system32\drivers\sptd.sys

2009-04-30 20:28 . 2006-11-01 20:11 -------- d-----w c:\documents and settings\HP_Owner\Application Data\Apple Computer

2009-04-28 05:32 . 2007-10-10 22:20 -------- d-----w c:\program files\CCleaner

2009-04-27 23:12 . 2007-04-17 15:57 -------- d-----w c:\program files\VideoEgg

2009-04-27 20:02 . 2007-05-07 17:20 -------- d-----w c:\documents and settings\All Users\Application Data\Grisoft

2009-04-27 16:37 . 2007-07-28 06:24 -------- d-----w c:\program files\iWin

2009-04-26 04:17 . 2009-01-26 04:17 50688 --sha-w c:\windows\system32\nemarato.exe

2009-04-22 23:59 . 2009-01-09 07:20 -------- d-----w c:\documents and settings\HP_Owner\Application Data\Spotify

2009-03-16 06:54 . 2009-03-06 21:37 138944 ----a-w c:\windows\system32\drivers\PnkBstrK.sys

2009-03-16 06:54 . 2009-03-06 21:37 75064 ----a-w c:\windows\system32\PnkBstrA.exe

2009-03-16 06:53 . 2009-03-06 21:41 334912 ----a-w c:\documents and settings\HP_Owner\Application Data\id Software\quakelive\home\baseq3\cgamex86.dll

2009-03-16 06:53 . 2009-03-06 21:41 171072 ----a-w c:\documents and settings\HP_Owner\Application Data\id Software\quakelive\home\baseq3\uix86.dll

2009-03-16 06:53 . 2009-03-06 21:37 189784 ----a-w c:\windows\system32\PnkBstrB.exe

2009-03-16 06:53 . 2009-03-06 21:41 874660 ----a-w c:\documents and settings\HP_Owner\Application Data\id Software\quakelive\home\pb\pbcl.dll

2009-03-16 06:53 . 2009-03-06 21:41 57344 ----a-w c:\documents and settings\HP_Owner\Application Data\id Software\quakelive\home\pb\pbag.dll

2009-03-16 06:53 . 2009-03-06 21:41 479232 ----a-w c:\documents and settings\HP_Owner\Application Data\id Software\quakelive\home\pb\pbsv.dll

2009-03-16 06:53 . 2009-03-06 21:41 2669632 ----a-w c:\documents and settings\HP_Owner\Application Data\id Software\quakelive\home\baseq3\quakelive.dll

2009-03-12 22:33 . 2009-03-06 21:41 441408 ----a-w c:\documents and settings\HP_Owner\Application Data\id Software\quakelive\home\baseq3\qagamex86.dll

2009-03-12 22:23 . 2009-03-06 21:37 22328 ----a-w c:\documents and settings\HP_Owner\Application Data\PnkBstrK.sys

2009-03-12 22:23 . 2009-03-06 21:37 22328 ----a-w c:\documents and settings\HP_Owner\Application Data\PnkBstrK.sys

2009-03-12 22:22 . 2009-03-06 21:37 2246144 ----a-w c:\windows\system32\pbsvc.exe

2009-03-11 12:40 . 2009-03-11 12:40 625728 ----a-w c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll

2009-03-06 21:41 . 2009-03-06 21:41 57344 ----a-w c:\documents and settings\HP_Owner\Application Data\id Software\quakelive\home\pb\pbags.dll

2009-03-06 21:41 . 2009-03-06 21:41 866235 ----a-w c:\documents and settings\HP_Owner\Application Data\id Software\quakelive\home\pb\pbcls.dll

2009-03-06 14:44 . 2006-11-02 00:08 283648 ----a-w c:\windows\system32\pdh.dll

.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2006-11-01 18:46 . 2004-10-15 04:54 253952 c:\hp\drivers\hplsbwatcher\bak\lsburnwatcher.exe

2006-11-01 18:42 . 2003-02-12 02:02 61440 c:\hp\KBD\bak\KBD.EXE

2006-11-01 18:47 . 2004-06-16 06:03 81920 c:\program files\Common Files\InstallShield\UpdateService\bak\issch.exe

2006-11-01 18:47 . 2004-06-16 06:03 221184 c:\program files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe

2006-11-01 18:47 . 2004-11-05 00:26 106496 c:\program files\Common Files\InterVideo\SchSvr\bak\SchSvr.exe

2004-08-28 06:22 . 2004-08-28 06:22 58488 c:\program files\Common Files\Symantec Shared\bak\ccApp.exe

2006-09-14 20:09 . 2006-09-14 20:09 157592 c:\program files\DAEMON Tools\bak\daemon.exe

2007-09-18 14:16 . 2007-09-18 14:16 171464 c:\program files\DAEMON Tools\daemon.exe

2006-11-01 18:47 . 2004-11-05 01:44 192512 c:\program files\InterVideo\Common\Bin\bak\WinRemote.exe

2004-10-13 16:04 . 2004-10-13 16:04 278528 c:\program files\iTunes\bak\iTunesHelper.exe

2007-09-26 13:42 . 2007-09-26 13:42 267064 c:\program files\iTunes\iTunesHelper.exe

2006-11-01 18:24 . 2006-11-01 18:24 32881 c:\program files\Java\j2re1.4.2_03\bin\bak\jusched.exe

2004-08-04 14:06 . 2004-08-04 14:06 1667584 c:\program files\Messenger\bak\msmsgs.exe

2007-04-12 01:43 . 2007-04-12 01:43 1661304 c:\program files\Messenger\Msmsgs.exe

2006-12-06 09:31 . 2006-12-06 09:31 282624 c:\program files\QuickTime\bak\qttask.exe

2007-06-29 05:24 . 2007-06-29 05:24 286720 c:\program files\QuickTime\QTTask.exe

2004-04-15 03:43 . 2004-04-15 03:43 233472 c:\windows\SMINST\bak\RECGUARD.EXE

2006-11-01 18:27 . 1998-05-07 23:04 52736 c:\windows\system\bak\hpsysdrv.exe

2006-11-01 18:29 . 2004-11-02 22:59 126976 c:\windows\system32\bak\hkcmd.exe

2004-06-08 01:42 . 2004-06-08 01:42 659456 c:\windows\system32\bak\hphmon06.exe

2006-11-01 18:42 . 2004-10-26 04:17 90112 c:\windows\system32\bak\ps2.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\Msmsgs.exe" [2007-04-12 1661304]

"Google Update"="c:\documents and settings\HP_Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-05-20 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-02 136600]

"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" - c:\windows\system32\Hdaudpropshortcut.exe [2004-03-17 61952]

"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-06-30 88363]

"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2005-02-22 90112]

"AlcWzrd"="ALCWZRD.EXE" - c:\windows\ALCWZRD.EXE [2005-02-19 2754560]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"Diagnostic Manager"="c:\windows\TEMP\724505052.exe" [N/A]

"uidenhiufgsduiazghs"="c:\windows\TEMP\g3024ok.exe" [N/A]

"svc"="c:\program files\ThunMail\testabd.exe" [N/A]

"autochk"="c:\docume~1\LOCALS~1\protect.dll" [N/A]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSetActiveDesktop"= 1 (0x1)

"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\exodpt.sys]

@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PalTalk.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PalTalk.lnk

backup=c:\windows\pss\PalTalk.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^ChkDisk.lnk]

path=c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\ChkDisk.lnk

backup=c:\windows\pss\ChkDisk.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"usnjsvc"=3 (0x3)

"iPod Service"=3 (0x3)

"Apple Mobile Device"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Azureus\\Azureus.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\Program Files\\Paltalk Messenger\\paltalk.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Messenger\\Msmsgs.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"c:\\Program Files\\Kontiki\\KService.exe"=

"c:\\Program Files\\Kontiki\\KHost.exe"=

"c:\\Documents and Settings\\HP_Owner\\Application Data\\PowerChallenge\\PowerSoccer\\PowerSoccer.exe"=

"c:\\Program Files\\Spotify\\spotify.exe"=

"c:\\WINDOWS\\system32\\PnkBstrA.exe"=

"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

"c:\\Program Files\\Emote\\Launcher\\launcher.exe"=

"c:\\Program Files\\Zattoo\\zattood.exe"=

"c:\\Program Files\\Zattoo\\Zattoo2.exe"=

"c:\\Program Files\\Belkin\\Belkin Wireless Network Utility\\WLanCfgG.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"10093:TCP"= 10093:TCP:Football Manager 2008

"10093:UDP"= 10093:UDP:Football Manager 2008

"10094:TCP"= 10094:TCP:Football Manager

R3 bkn50USB;Belkin 54Mbps Wireless USB Network Adapter;c:\windows\system32\drivers\rt2500usb.sys [01/11/2006 21:32 140416]

R3 PhTVTune;ASUS WDM TV Tuner;c:\windows\system32\drivers\PhTVTune.sys [01/11/2006 19:30 24544]

S1 exodpt;TDIFilter Driver;c:\windows\system32\exodpt.sys []

--- Other Services/Drivers In Memory ---

*Deregistered* - ALG

*Deregistered* - AudioSrv

*Deregistered* - Belkin 54g Wireless USB Network Adapter Service

*Deregistered* - BITS

*Deregistered* - Bonjour Service

*Deregistered* - Browser

*Deregistered* - CryptSvc

*Deregistered* - DcomLaunch

*Deregistered* - Dhcp

*Deregistered* - Dnscache

*Deregistered* - ERSvc

*Deregistered* - EventSystem

*Deregistered* - FastUserSwitchingCompatibility

*Deregistered* - GTNDIS5

*Deregistered* - helpsvc

*Deregistered* - HidServ

*Deregistered* - HTTPFilter

*Deregistered* - JavaQuickStarterService

*Deregistered* - KService

*Deregistered* - lanmanserver

*Deregistered* - lanmanworkstation

*Deregistered* - LicCtrlService

*Deregistered* - LmHosts

*Deregistered* - Netman

*Deregistered* - Nla

*Deregistered* - PnkBstrA

*Deregistered* - PolicyAgent

*Deregistered* - ProtectedStorage

*Deregistered* - RasMan

*Deregistered* - RpcSs

*Deregistered* - SamSs

*Deregistered* - Schedule

*Deregistered* - Secdrv

*Deregistered* - seclogon

*Deregistered* - SENS

*Deregistered* - SharedAccess

*Deregistered* - ShellHWDetection

*Deregistered* - Spooler

*Deregistered* - sptd

*Deregistered* - sr

*Deregistered* - srservice

*Deregistered* - Srv

*Deregistered* - SSDPSRV

*Deregistered* - swenum

*Deregistered* - TapiSrv

*Deregistered* - Tcpip

*Deregistered* - TermDD

*Deregistered* - TermService

*Deregistered* - Themes

*Deregistered* - Update

*Deregistered* - VgaSave

*Deregistered* - VolSnap

*Deregistered* - W32Time

*Deregistered* - Wanarp

*Deregistered* - WebClient

*Deregistered* - winmgmt

*Deregistered* - WmiApSrv

*Deregistered* - WS2IFSL

*Deregistered* - wscsvc

*Deregistered* - wuauserv

*Deregistered* - WZCSVC

.

Contents of the 'Scheduled Tasks' folder

2009-05-09 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-05-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2550148391-1751980287-1883927685-1007.job

- c:\documents and settings\HP_Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-20 17:13]

2009-05-22 c:\windows\Tasks\RegCure Program Check.job

- c:\program files\RegCure\RegCure.exe [2007-03-09 21:15]

2009-04-30 c:\windows\Tasks\RegCure.job

- c:\program files\RegCure\RegCure.exe [2007-03-09 21:15]

.

.

------- Supplementary Scan -------

.

uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=Q105&bd=pavilion&pf=desktop

mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=Q105&bd=pavilion&pf=desktop

mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=Q105&bd=pavilion&pf=desktop

uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=Q105&bd=pavilion&pf=desktop

uInternet Settings,ProxyOverride = *.local

IE: &Search

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-05-22 08:45

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

c:\windows\system32\exodpt.sys 8656 bytes executable

c:\windows\system32\pllk.bin 7 bytes

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------


.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(784)

c:\windows\system32\exodpt.dll

- - - - - - - > 'explorer.exe'(704)

c:\windows\system32\exodpt.dll

c:\windows\system32\shdoclc.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Belkin\Belkin Wireless Network Utility\WLService.exe

c:\program files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\Runservice.exe

c:\windows\system32\PnkBstrA.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\wbem\wmiapsrv.exe

.

**************************************************************************

.

Completion time: 2009-05-22 9:08 - machine was rebooted

ComboFix-quarantined-files.txt 2009-05-22 08:07

Pre-Run: 118,566,371,328 bytes free

Post-Run: 118,485,762,048 bytes free

435 --- E O F --- 2009-05-20 23:19

Hijackthis:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 09:16:35, on 22/05/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\AGRSMMSG.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\ALCWZRD.EXE

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Messenger\Msmsgs.exe

C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe

C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\runservice.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wbem\wmiapsrv.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Opera\opera.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: Yahoo!


  • Root Admin

STEP 01

Download but do not yet run ComboFix

If you have a previous version of Combofix.exe, delete it and download a fresh copy.

Download it to your DESKTOP - it MUST run from the Desktop

download.bleepingcomputer.com/sUBs/ComboFix.exe

subs.geekstogo.com/ComboFix.exe

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines

KILLALL::

Rootkit::
exodpt.sys

File::
c:\windows\system32\exodpt.dll
c:\windows\system32\exodpt.sys
c:\windows\system32\pllk.bin
c:\windows\system32\a9k.bin
c:\windows\system32\vp_setup.exe
c:\windows\system32\vp_setup.exe.bat
c:\windows\system32\00setup.exe
c:\windows\system32\wdh.bin
c:\windows\TEMP\724505052.exe
c:\windows\TEMP\g3024ok.exe
c:\program files\ThunMail\testabd.exe
c:\docume~1\LOCALS~1\protect.dll

Folder::
C:\1c29a3c156629520db698789b9

Driver::
exodpt

Registry::
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Diagnostic Manager"=-
"uidenhiufgsduiazghs"=-
"svc"=-
"autochk"=-

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"=-
"NoActiveDesktopChanges"=-

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\exodpt.sys]

RegLock::
[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&y@^t! #^$ g9^$&pgb SDB36o \EC1A69D1C0948222]
[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&y@^t! #^$ g9^$&pgb SDB36o \EC1A69D1C0948222
[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&y@^t! #^$ g9^$&pgb SDB36o \EC1A69D1C0948222
[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&y@^t! #^$ g9^$&pgb SDB36o \F3F0046F119EFA4F]
[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&y@^t! #^$ g9^$&pgb SDB36o \F3F0046F119EFA4F

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:

(image: CFScript.gif)

  • Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • Disconnect from the Internet.
  • Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
  • A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
  • It may identify that Recovery Console is not installed. Please accept when asked if you wish it to be installed.
    When the scan completes, Notepad will open with your results log. Do a File, Exit.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post back the Combofix log on your next reply.

STEP 02

  • Download FixPolicies.exe by Bill Castner and save it to your desktop.
  • Double click on FixPolicies.exe to run it.
  • Click on Install. It will create a folder named FixPolicies on your desktop.
  • Open the FixPolicies folder.
  • Double click on Fix_policies.cmd to run it. Command Prompt will open and close quickly; this is normal.
    Download this INF repair file by MS-MVP Miekiemoes: http://users.telenet.be/bluepatchy/miekiemoes/tools/VArestorepolicies.zip
    Unzip the download. Open the folder VArestorepolicies and Right-click the file inside, VArestorepolicies.INF and choose Install

STEP 03

Update and Scan with Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to; you MUST run it in normal Windows mode.
    • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update

    • When the update is complete, select the Scanner tab
    • Select Perform quick scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then post back the MBAM log and a new Hijackthis log.

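As an added example (it is not part of this thread and not ComboFix's own code), the following Python script reconciles a CFScript's File::, Folder:: and Driver:: targets against the log ComboFix writes after the run: which targets were confirmed deleted, which were only disabled (ComboFix renames those to .vir before deleting them), which still appear in the post-run file listing, and which files ComboFix removed on its own initiative. The sample CFScript and log excerpts are constructed from the text posted in this thread; everything the parser assumes about the log layout (section headers wrapped in parentheses, the "disabled during the run" block, the dated file-listing line format, the Service_<name> lines) is inferred from those posted logs and nothing else.

```python
"""
Cross-check a ComboFix CFScript against the log ComboFix writes after the run.

Added example, not part of the thread or of ComboFix itself. The log-format
assumptions below were taken from the logs posted in this thread only.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the File::/Folder::/Driver:: blocks from the script above, shortened.
SAMPLE_CFSCRIPT = """\
KILLALL::

Rootkit::
exodpt.sys

File::
c:\\windows\\system32\\exodpt.dll
c:\\windows\\system32\\exodpt.sys
c:\\windows\\system32\\pllk.bin
c:\\windows\\system32\\a9k.bin
c:\\windows\\TEMP\\g3024ok.exe

Folder::
C:\\1c29a3c156629520db698789b9

Driver::
exodpt
"""

# Constructed sample: excerpts from the ComboFix log posted in reply (paths as logged).
SAMPLE_LOG = """\
The following files were disabled during the run:

c:\\windows\\system32\\exodpt.dll

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\\1c29a3c156629520db698789b9

c:\\windows\\system32\\a9k.bin

c:\\windows\\system32\\drivers\\mrxdavv.sys

c:\\windows\\system32\\exodpt.dll.vir

c:\\windows\\system32\\kwave.sys

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\\Legacy_EXODPT

-------\\Service_exodpt

((((((((((((((((((((((((( Files Created from 2009-04-23 to 2009-05-23 )))))))))))))))))))))))))))))))

.

2009-05-16 13:21 . 2009-05-20 17:14 7 ----a-w c:\\windows\\system32\\pllk.bin

2009-05-15 19:33 . 2009-05-15 19:33 8656 ----a-w c:\\windows\\system32\\exodpt.sys
"""

SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")          # "((( Other Deletions )))"
LISTING_RE = re.compile(                                 # "date . date size attrs path"
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (\S+) (\S+) (.+)$"
)
DISABLED_HDR = "the following files were disabled during the run:"


def norm(path):
    """Case-fold and strip a trailing backslash so logged and scripted paths compare."""
    return path.strip().lower().rstrip("\\")


def parse_cfscript(text):
    """Return {section: [entries]}; a section starts at a line ending in '::'."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_combofix_log(text):
    """Return {section: [content lines]}; the pre-run 'disabled' block is keyed 'disabled'."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line == ".":          # ComboFix pads sections with lone dots
            continue
        if line.lower() == DISABLED_HDR:
            current = "disabled"
            sections.setdefault(current, [])
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is not None:
            sections[current].append(line)
    return sections


def listed_paths(sections):
    """Paths that still appear in the dated listings ComboFix takes after the run."""
    paths = set()
    for name, lines in sections.items():
        if name.startswith(("Files Created", "Find3M")):
            for line in lines:
                m = LISTING_RE.match(line)
                if m:
                    paths.add(norm(m.group(5)))
    return paths


@dataclass
class Reconciliation:
    removed: set = field(default_factory=set)         # target seen under Other Deletions
    disabled: set = field(default_factory=set)        # target in the 'disabled' block
    still_present: set = field(default_factory=set)   # target still in post-run listing
    unaccounted: set = field(default_factory=set)     # target mentioned nowhere
    extra_deletions: set = field(default_factory=set) # deleted but never targeted
    drivers_removed: set = field(default_factory=set) # Driver:: names with a Service_ line


def reconcile(cfscript_text, log_text):
    script, log = parse_cfscript(cfscript_text), parse_combofix_log(log_text)
    targets = {norm(p) for p in script.get("File", []) + script.get("Folder", [])}
    deleted = {norm(p) for p in log.get("Other Deletions", [])}
    disabled = {norm(p) for p in log.get("disabled", [])}
    present = listed_paths(log)
    r = Reconciliation()
    for t in targets:
        if t in deleted or t + ".vir" in deleted:     # disabled files are renamed .vir first
            r.removed.add(t)
        if t in disabled:
            r.disabled.add(t)
        if t in present:
            r.still_present.add(t)
        if t not in r.removed and t not in r.disabled and t not in present:
            r.unaccounted.add(t)
    r.extra_deletions = {d for d in deleted
                         if d not in targets and d.removesuffix(".vir") not in targets}
    service_lines = [l.lower() for l in log.get("Drivers/Services", [])]
    r.drivers_removed = {d for d in script.get("Driver", [])
                         if any(l.endswith("service_" + d.lower()) for l in service_lines)}
    return r


if __name__ == "__main__":
    for label, paths in vars(reconcile(SAMPLE_CFSCRIPT, SAMPLE_LOG)).items():
        print(label + ":")
        for p in sorted(paths):
            print("   ", p)
```

Run as-is, the report shows a9k.bin and the 1c29... folder as removed, exodpt.dll as disabled-then-removed, g3024ok.exe as unaccounted for, and mrxdavv.sys and kwave.sys as deletions ComboFix made on its own; pllk.bin and exodpt.sys land in still_present because the same two paths are still listed under "Files Created" in the post-run log posted further down this thread, which is exactly the kind of leftover a helper wants surfaced before declaring the machine clean.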

Logs as requested:

Combofix:

ComboFix 09-05-22.05 - HP_Owner 23/05/2009 9:31.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.759.474 [GMT 1:00]

Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\HP_Owner\Desktop\CFscript.txt

FILE ::

c:\docume~1\LOCALS~1\protect.dll

c:\program files\ThunMail\testabd.exe

c:\windows\system32\00setup.exe

c:\windows\system32\a9k.bin

c:\windows\system32\exodpt.dll

c:\windows\system32\exodpt.sys

c:\windows\system32\pllk.bin

c:\windows\system32\vp_setup.exe

c:\windows\system32\vp_setup.exe.bat

c:\windows\system32\wdh.bin

c:\windows\TEMP\724505052.exe

c:\windows\TEMP\g3024ok.exe

.

The following files were disabled during the run:

c:\windows\system32\exodpt.dll

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\1c29a3c156629520db698789b9

c:\1c29a3c156629520db698789b9\mrt.exe

c:\1c29a3c156629520db698789b9\mrtstub.exe

c:\windows\system32\00setup.exe

c:\windows\system32\a9k.bin

c:\windows\system32\drivers\mrxdavv.sys

c:\windows\system32\exodpt.dll.vir

c:\windows\system32\kwave.sys

c:\windows\system32\nemarato.exe

c:\windows\system32\vp_setup.exe

c:\windows\system32\vp_setup.exe.bat

c:\windows\system32\wdh.bin

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_EXODPT

-------\Service_exodpt

((((((((((((((((((((((((( Files Created from 2009-04-23 to 2009-05-23 )))))))))))))))))))))))))))))))

.

2009-05-21 20:18 . 2009-05-21 20:18 -------- d-----w c:\program files\Trend Micro

2009-05-21 12:42 . 2009-05-21 12:42 -------- d-----w c:\documents and settings\Administrator\Application Data\AdobeUM

2009-05-21 12:41 . 2009-05-21 12:41 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Adobe

2009-05-21 10:42 . 2009-05-21 10:42 -------- d-----w c:\program files\Sophos

2009-05-21 10:05 . 2009-05-21 10:05 -------- d-----w c:\documents and settings\HP_Owner\Local Settings\Application Data\Opera

2009-05-21 10:04 . 2009-05-21 10:05 -------- d-----w c:\program files\Opera

2009-05-20 21:01 . 2009-05-21 08:15 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP

2009-05-20 20:53 . 2007-06-08 12:53 1753088 ----a-w c:\windows\system32\ExGrid.dll

2009-05-20 20:53 . 2007-06-05 09:20 602112 ----a-w c:\windows\system32\ExMenu.dll

2009-05-20 20:53 . 2007-04-03 15:51 614400 ----a-w c:\windows\system32\ExButton.dll

2009-05-20 20:53 . 2007-04-03 15:51 307200 ----a-w c:\windows\system32\ExPMenu.dll

2009-05-20 20:53 . 2009-05-20 20:53 -------- d-----w c:\program files\Common Files\eSellerate

2009-05-20 20:53 . 2007-06-05 09:19 516096 ----a-w c:\windows\system32\ExTab.dll

2009-05-20 20:53 . 2005-10-11 13:40 356352 ----a-w c:\windows\system32\eSellerateEngine.dll

2009-05-20 20:53 . 2005-10-04 07:11 118784 ----a-w c:\windows\system32\eWebControl.dll

2009-05-20 20:53 . 1998-04-24 00:00 368912 ----a-w c:\windows\system32\vbar332.dll

2009-05-20 20:53 . 2009-05-20 20:53 -------- d-----w c:\program files\AnswersThatWork

2009-05-20 17:39 . 2009-05-20 17:39 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-05-16 13:21 . 2009-05-20 17:14 7 ----a-w c:\windows\system32\pllk.bin

2009-05-15 19:33 . 2009-05-15 19:33 8656 ----a-w c:\windows\system32\exodpt.sys

2009-05-14 18:28 . 2009-05-14 18:28 15939 ----a-w c:\windows\system32\drivers\AegisP.sys

2009-05-14 18:28 . 2009-05-14 18:28 -------- d-----w c:\windows\options

2009-05-14 18:28 . 2004-04-30 14:12 40960 ----a-w c:\windows\system32\B11gUSB.dll

2009-05-14 18:28 . 2004-03-30 11:51 1085440 ----a-w c:\windows\system32\AegisE5.dll

2009-05-14 18:28 . 2003-10-13 14:30 94208 ----a-w c:\windows\system32\GTW32N50.dll

2009-05-14 18:28 . 2003-09-25 21:15 15872 ----a-w c:\windows\system32\GTNDIS5.sys

2009-05-03 05:09 . 2009-05-03 05:09 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-04-30 22:29 . 2009-04-30 22:29 -------- d-----w c:\program files\Kontiki

2009-04-30 22:29 . 2009-04-30 22:29 -------- d-----w c:\program files\Channel4

2009-04-30 20:29 . 2009-04-30 20:29 31948 ---ha-w c:\windows\system32\mlfcache.dat

2009-04-30 20:28 . 2009-04-30 20:28 -------- d-----w c:\program files\Safari

2009-04-30 20:27 . 2009-04-30 20:27 -------- d-----w c:\program files\Bonjour

2009-04-30 20:27 . 2009-04-30 20:27 -------- d-----w c:\program files\Apple Software Update

2009-04-30 20:15 . 2009-04-30 20:15 -------- d-----w c:\program files\Unlocker

2009-04-30 20:15 . 2009-04-30 20:15 -------- d-----w c:\documents and settings\HP_Owner\Application Data\Desktopicon

2009-04-30 18:42 . 2009-05-03 05:08 -------- d-----w c:\program files\Spybot - Search & Destroy

2009-04-28 21:00 . 2009-04-28 21:00 -------- d-----w c:\documents and settings\HP_Owner\Application Data\Malwarebytes

2009-04-28 21:00 . 2009-04-06 14:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-04-28 21:00 . 2009-04-06 14:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-04-28 21:00 . 2009-04-28 21:00 -------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-04-28 21:00 . 2009-04-28 21:00 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes

2009-04-27 20:28 . 2009-04-27 20:28 226832 ----a-w c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP8\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav8exec\8.0.0.506\XP\klif.sys

2009-04-27 20:13 . 2009-05-20 20:57 -------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab

2009-04-27 20:13 . 2009-04-27 20:13 -------- d-----w c:\program files\Kaspersky Lab

2009-04-27 20:09 . 2009-04-27 20:09 -------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files

2009-04-27 20:03 . 2009-04-27 20:03 -------- d-----w c:\documents and settings\All Users\Application Data\Avg7

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-05-23 08:39 . 2008-03-04 15:48 -------- d-----w c:\documents and settings\All Users\Application Data\Kontiki

2009-05-23 08:38 . 2006-12-06 20:35 2241 --sha-w c:\windows\system32\mmf.sys

2009-05-15 19:33 . 2006-11-02 12:00 8656 ----a-w c:\windows\system32\drivers\sptd.sys

2009-04-30 20:28 . 2006-11-01 20:11 -------- d-----w c:\documents and settings\HP_Owner\Application Data\Apple Computer

2009-04-28 05:32 . 2007-10-10 22:20 -------- d-----w c:\program files\CCleaner

2009-04-27 23:12 . 2007-04-17 15:57 -------- d-----w c:\program files\VideoEgg

2009-04-27 20:02 . 2007-05-07 17:20 -------- d-----w c:\documents and settings\All Users\Application Data\Grisoft

2009-04-27 16:37 . 2007-07-28 06:24 -------- d-----w c:\program files\iWin

2009-04-22 23:59 . 2009-01-09 07:20 -------- d-----w c:\documents and settings\HP_Owner\Application Data\Spotify

2009-03-16 06:54 . 2009-03-06 21:37 138944 ----a-w c:\windows\system32\drivers\PnkBstrK.sys

2009-03-16 06:54 . 2009-03-06 21:37 75064 ----a-w c:\windows\system32\PnkBstrA.exe

2009-03-16 06:53 . 2009-03-06 21:41 334912 ----a-w c:\documents and settings\HP_Owner\Application Data\id Software\quakelive\home\baseq3\cgamex86.dll

2009-03-16 06:53 . 2009-03-06 21:41 171072 ----a-w c:\documents and settings\HP_Owner\Application Data\id Software\quakelive\home\baseq3\uix86.dll

2009-03-16 06:53 . 2009-03-06 21:37 189784 ----a-w c:\windows\system32\PnkBstrB.exe

2009-03-16 06:53 . 2009-03-06 21:41 874660 ----a-w c:\documents and settings\HP_Owner\Application Data\id Software\quakelive\home\pb\pbcl.dll

2009-03-16 06:53 . 2009-03-06 21:41 57344 ----a-w c:\documents and settings\HP_Owner\Application Data\id Software\quakelive\home\pb\pbag.dll

2009-03-16 06:53 . 2009-03-06 21:41 479232 ----a-w c:\documents and settings\HP_Owner\Application Data\id Software\quakelive\home\pb\pbsv.dll

2009-03-16 06:53 . 2009-03-06 21:41 2669632 ----a-w c:\documents and settings\HP_Owner\Application Data\id Software\quakelive\home\baseq3\quakelive.dll

2009-03-12 22:33 . 2009-03-06 21:41 441408 ----a-w c:\documents and settings\HP_Owner\Application Data\id Software\quakelive\home\baseq3\qagamex86.dll

2009-03-12 22:23 . 2009-03-06 21:37 22328 ----a-w c:\documents and settings\HP_Owner\Application Data\PnkBstrK.sys

2009-03-12 22:23 . 2009-03-06 21:37 22328 ----a-w c:\documents and settings\HP_Owner\Application Data\PnkBstrK.sys

2009-03-12 22:22 . 2009-03-06 21:37 2246144 ----a-w c:\windows\system32\pbsvc.exe

2009-03-11 12:40 . 2009-03-11 12:40 625728 ----a-w c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll

2009-03-06 21:41 . 2009-03-06 21:41 57344 ----a-w c:\documents and settings\HP_Owner\Application Data\id Software\quakelive\home\pb\pbags.dll

2009-03-06 21:41 . 2009-03-06 21:41 866235 ----a-w c:\documents and settings\HP_Owner\Application Data\id Software\quakelive\home\pb\pbcls.dll

2009-03-06 14:44 . 2006-11-02 00:08 283648 ----a-w c:\windows\system32\pdh.dll

.

((((((((((((((((((((((((((((( SnapShot@2009-05-22_07.46.43 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-05-23 08:38 . 2009-05-23 08:38 16384 c:\windows\temp\Perflib_Perfdata_2c8.dat

+ 2009-05-23 08:38 . 2009-05-23 08:38 16384 c:\windows\temp\Perflib_Perfdata_180.dat

.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2006-11-01 18:46 . 2004-10-15 04:54 253952 c:\hp\drivers\hplsbwatcher\bak\lsburnwatcher.exe

2006-11-01 18:42 . 2003-02-12 02:02 61440 c:\hp\KBD\bak\KBD.EXE

2006-11-01 18:47 . 2004-06-16 06:03 81920 c:\program files\Common Files\InstallShield\UpdateService\bak\issch.exe

2006-11-01 18:47 . 2004-06-16 06:03 221184 c:\program files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe

2006-11-01 18:47 . 2004-11-05 00:26 106496 c:\program files\Common Files\InterVideo\SchSvr\bak\SchSvr.exe

2004-08-28 06:22 . 2004-08-28 06:22 58488 c:\program files\Common Files\Symantec Shared\bak\ccApp.exe

2006-09-14 20:09 . 2006-09-14 20:09 157592 c:\program files\DAEMON Tools\bak\daemon.exe

2007-09-18 14:16 . 2007-09-18 14:16 171464 c:\program files\DAEMON Tools\daemon.exe

2006-11-01 18:47 . 2004-11-05 01:44 192512 c:\program files\InterVideo\Common\Bin\bak\WinRemote.exe

2004-10-13 16:04 . 2004-10-13 16:04 278528 c:\program files\iTunes\bak\iTunesHelper.exe

2007-09-26 13:42 . 2007-09-26 13:42 267064 c:\program files\iTunes\iTunesHelper.exe

2006-11-01 18:24 . 2006-11-01 18:24 32881 c:\program files\Java\j2re1.4.2_03\bin\bak\jusched.exe

2004-08-04 14:06 . 2004-08-04 14:06 1667584 c:\program files\Messenger\bak\msmsgs.exe

2007-04-12 01:43 . 2007-04-12 01:43 1661304 c:\program files\Messenger\Msmsgs.exe

2006-12-06 09:31 . 2006-12-06 09:31 282624 c:\program files\QuickTime\bak\qttask.exe

2007-06-29 05:24 . 2007-06-29 05:24 286720 c:\program files\QuickTime\QTTask.exe

2004-04-15 03:43 . 2004-04-15 03:43 233472 c:\windows\SMINST\bak\RECGUARD.EXE

2006-11-01 18:27 . 1998-05-07 23:04 52736 c:\windows\system\bak\hpsysdrv.exe

2006-11-01 18:29 . 2004-11-02 22:59 126976 c:\windows\system32\bak\hkcmd.exe

2004-06-08 01:42 . 2004-06-08 01:42 659456 c:\windows\system32\bak\hphmon06.exe

2006-11-01 18:42 . 2004-10-26 04:17 90112 c:\windows\system32\bak\ps2.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\Msmsgs.exe" [2007-04-12 1661304]

"Google Update"="c:\documents and settings\HP_Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-05-20 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-02 136600]

"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" - c:\windows\system32\Hdaudpropshortcut.exe [2004-03-17 61952]

"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-06-30 88363]

"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2005-02-22 90112]

"AlcWzrd"="ALCWZRD.EXE" - c:\windows\ALCWZRD.EXE [2005-02-19 2754560]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PalTalk.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PalTalk.lnk

backup=c:\windows\pss\PalTalk.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^ChkDisk.lnk]

path=c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\ChkDisk.lnk

backup=c:\windows\pss\ChkDisk.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"usnjsvc"=3 (0x3)

"iPod Service"=3 (0x3)

"Apple Mobile Device"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Azureus\\Azureus.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\Program Files\\Paltalk Messenger\\paltalk.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Messenger\\Msmsgs.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"c:\\Program Files\\Kontiki\\KService.exe"=

"c:\\Program Files\\Kontiki\\KHost.exe"=

"c:\\Documents and Settings\\HP_Owner\\Application Data\\PowerChallenge\\PowerSoccer\\PowerSoccer.exe"=

"c:\\Program Files\\Spotify\\spotify.exe"=

"c:\\WINDOWS\\system32\\PnkBstrA.exe"=

"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

"c:\\Program Files\\Emote\\Launcher\\launcher.exe"=

"c:\\Program Files\\Zattoo\\zattood.exe"=

"c:\\Program Files\\Zattoo\\Zattoo2.exe"=

"c:\\Program Files\\Belkin\\Belkin Wireless Network Utility\\WLanCfgG.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"10093:TCP"= 10093:TCP:Football Manager 2008

"10093:UDP"= 10093:UDP:Football Manager 2008

"10094:TCP"= 10094:TCP:Football Manager

R2 Belkin 54g Wireless USB Network Adapter Service;Belkin 54g Wireless USB Network Adapter;c:\program files\Belkin\Belkin Wireless Network Utility\WLService.exe [14/05/2009 19:28 49152]

R2 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [06/12/2006 21:35 2560]

R3 PhTVTune;ASUS WDM TV Tuner;c:\windows\system32\drivers\PhTVTune.sys [01/11/2006 19:30 24544]

S3 bkn50USB;Belkin 54Mbps Wireless USB Network Adapter;c:\windows\system32\drivers\rt2500usb.sys [01/11/2006 21:32 140416]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - GTNDIS5

.

Contents of the 'Scheduled Tasks' folder

2009-05-09 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-05-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2550148391-1751980287-1883927685-1007.job

- c:\documents and settings\HP_Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-20 17:13]

2009-05-23 c:\windows\Tasks\RegCure Program Check.job

- c:\program files\RegCure\RegCure.exe [2007-03-09 21:15]

2009-04-30 c:\windows\Tasks\RegCure.job

- c:\program files\RegCure\RegCure.exe [2007-03-09 21:15]

.

- - - - ORPHANS REMOVED - - - -

Notify-exodpt - exodpt.dll

Notify-kbdt32 - kbdt32.dll

SafeBoot-AVG Anti-Spyware Driver

SafeBoot-procexp90.Sys

SafeBoot-AVG Anti-Spyware Guard

.

------- Supplementary Scan -------

.

uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=Q105&bd=pavilion&pf=desktop

mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=Q105&bd=pavilion&pf=desktop

mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=Q105&bd=pavilion&pf=desktop

uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=Q105&bd=pavilion&pf=desktop

uInternet Settings,ProxyOverride = *.local

IE: &Search

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-05-23 09:39

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&y@^t! #^$ g9^$&pgb SDB36o \EC1A69D1C0948222]

"1"=hex:b0,cd,e0,26,42,20,9e,7c,08,f1,c1,23,e7,41,66,ec,c9,e0,20,43,a1,23,f2,

e3

"2"=hex:d7,7a,ea,31,a0,f7,22,dd,b6,43,6f,32,07,8b,4a,0a,e2,6f,a8,1b,53,71,0d,

78,d5,ad,68,1b,c8,4a,9b,03

"3"=hex:b0,cd,e0,26,42,20,9e,7c,08,f1,c1,23,e7,41,66,ec,aa,6b,6f,c8,5d,d1,dd,

70,c8,0c,a2,71,14,a4,b5,05,7d,2c,84,8d,ff,2b,de,6d,f8,f2,70,94,19,43,ce,bd,\

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&y@^t! #^$ g9^$&pgb SDB36o \EC1A69D1C0948222\48236A7EED3B8895E98434D6DCE253AC]

"1"=hex:08,26,de,b9,bd,1e,cc,2a,55,96,fd,b8,7e,1b,23,82,71,bb,5a,5f,e0,12,25,

42,0c,3f,30,d4,d3,b8,cd,35,d5,a9,6f,e0,2c,05,4e,14

"2"=hex:58,92,5a,34,3f,c6,a5,c5

"3"=hex:ad,5a,fd,6a,39,d7,e0,10,47,e0,80,2a,b7,5e,91,04,0c,03,4d,22,bc,a3,5f,

99,0b,a3,ea,cf,f9,0a,c4,4d,9a,96,1d,fa,75,81,ec,9e,61,ed,d1,4e,a1,29,4a,ab,\

"4"=hex:2f,ad,a2,e7,8a,bf,05,5e

"5"=hex:bf,e5,23,7b,b0,66,d6,fc,b8,e8,6b,a0,96,52,f7,32,80,09,8f,24,b7,b3,55,

1a,98,d1,47,16,02,43,61,1c,b9,d5,8f,2a,7b,81,b1,fb,95,22,f8,b3,2c,53,9d,ae,\

"6"=hex:bf,e5,23,7b,b0,66,d6,fc,bc,64,22,fb,7e,d3,39,3e,a3,00,33,13,c0,21,f4,

51,6c,4e,0c,96,e2,dd,ad,8a,b6,c4,05,e8,5a,bd,9a,e9,d4,1a,3d,68,9d,00,32,20

"7"=hex:08,26,de,b9,bd,1e,cc,2a,55,96,fd,b8,7e,1b,23,82,71,bb,5a,5f,e0,12,25,

42,0c,3f,30,d4,d3,b8,cd,35,61,5a,c0,6c,22,7e,83,13,6e,44,91,28,69,cc,01,dd

"8"=hex:9d,9e,b2,b9,a7,a5,f4,ae,4d,29,c2,a3,c0,78,c4,c5,73,7e,45,c6,9f,9e,10,

63,a0,2f,06,c2,a3,e9,62,70,d1,3e,e6,57,b7,98,40,c9,e4,cc,88,e6,39,d6,95,f5,\

"9"=hex:81,20,8f,ab,28,6a,52,9c

"18"=hex:70,56,26,33,e3,20,f8,ab

"10"=hex:59,c8,db,4e,44,81,2c,dd

"11"=hex:7d,ba,74,77,fe,09,92,36

"12"=hex:81,20,8f,ab,28,6a,52,9c

"13"=hex:81,20,8f,ab,28,6a,52,9c

"14"=hex:81,20,8f,ab,28,6a,52,9c

"24"=hex:81,20,8f,ab,28,6a,52,9c

"26"=hex:81,20,8f,ab,28,6a,52,9c

"27"=hex:81,20,8f,ab,28,6a,52,9c

"19"=hex:81,20,8f,ab,28,6a,52,9c

"22"=hex:81,20,8f,ab,28,6a,52,9c

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&y@^t! #^$ g9^$&pgb SDB36o \EC1A69D1C0948222\B144CCE307E78EB6EE53CA2196E4D0A2]

"1"=hex:97,5e,49,d3,7c,a0,18,18,10,c9,e3,e3,c1,ae,57,ed,60,42,a5,db,24,eb,e2,

b0,36,d7,56,53,fe,9f,3d,f9

"2"=hex:8c,23,2d,03,75,bd,a0,cd

"3"=hex:25,76,f6,55,8d,1e,6a,c9,04,3b,67,d6,73,28,29,ef,9b,ac,56,1e,7b,56,45,

9d,1c,6f,80,6d,86,35,6a,dc,7e,45,58,21,69,29,63,0d,8e,98,9d,55,52,3f,f8,de,\

"4"=hex:2f,ad,a2,e7,8a,bf,05,5e

"5"=hex:bf,e5,23,7b,b0,66,d6,fc,b8,e8,6b,a0,96,52,f7,32,80,09,8f,24,b7,b3,55,

1a,98,d1,47,16,02,43,61,1c,b9,d5,8f,2a,7b,81,b1,fb,95,22,f8,b3,2c,53,9d,ae,\

"6"=hex:bf,e5,23,7b,b0,66,d6,fc,bc,64,22,fb,7e,d3,39,3e,a3,00,33,13,c0,21,f4,

51,6c,4e,0c,96,e2,dd,ad,8a,b6,c4,05,e8,5a,bd,9a,e9,d4,1a,3d,68,9d,00,32,20

"7"=hex:6b,96,68,24,0f,2f,9e,94,e8,ce,54,f3,3b,80,63,3a,1b,c3,e7,ed,44,3a,1d,

97,9f,f9,03,77,68,81,1b,0c,34,a2,88,30,12,be,09,a0

"8"=hex:9d,9e,b2,b9,a7,a5,f4,ae,4d,29,c2,a3,c0,78,c4,c5,73,7e,45,c6,9f,9e,10,

63,a0,2f,06,c2,a3,e9,62,70,90,4c,ec,d6,92,e1,28,ba,e5,5d,0d,25,ef,fb,b7,21,\

"9"=hex:81,20,8f,ab,28,6a,52,9c

"18"=hex:70,56,26,33,e3,20,f8,ab

"10"=hex:07,96,b3,35,9e,5a,1a,0b

"11"=hex:cf,4c,c7,26,f1,27,01,be

"12"=hex:81,20,8f,ab,28,6a,52,9c

"13"=hex:81,20,8f,ab,28,6a,52,9c

"14"=hex:81,20,8f,ab,28,6a,52,9c

"24"=hex:81,20,8f,ab,28,6a,52,9c

"26"=hex:81,20,8f,ab,28,6a,52,9c

"27"=hex:81,20,8f,ab,28,6a,52,9c

"19"=hex:81,20,8f,ab,28,6a,52,9c

"22"=hex:81,20,8f,ab,28,6a,52,9c

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&y@^t! #^$ g9^$&pgb SDB36o \F3F0046F119EFA4F]

"1"=hex:97,5e,49,d3,7c,a0,18,18,10,c9,e3,e3,c1,ae,57,ed,c2,97,86,6a,a5,82,f8,

d5,42,54,3b,7e,24,3e,19,f8

"2"=hex:f1,df,16,de,80,08,0e,2a,d1,38,b5,6f,94,ca,dc,d2,b3,e8,d2,40,6c,6f,61,

5e,d2,5e,7f,21,14,b5,b2,29

"3"=hex:97,5e,49,d3,7c,a0,18,18,10,c9,e3,e3,c1,ae,57,ed,c2,97,86,6a,a5,82,f8,

d5,f2,55,76,c8,bc,53,92,25,3f,d1,b6,bc,00,35,73,43,96,90,79,f6,5b,97,35,47,\

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&y@^t! #^$ g9^$&pgb SDB36o \F3F0046F119EFA4F\BB6E5071F4E6B2769BD4E4FACC553A99]

"1"=hex:09,d8,ec,22,15,54,e7,37,3d,5b,59,2d,b7,79,05,2e,dc,0a,71,44,dc,37,80,

ce,24,ad,19,19,d6,bf,9e,2f

"2"=hex:69,46,da,08,bb,5c,f4,0f

"3"=hex:9b,d3,62,7f,98,29,5b,a8,a3,6c,2d,ed,ba,59,f9,15,ac,2e,45,24,46,4d,d1,

30,c4,4c,de,d7,5b,1f,40,d5,4d,ce,f1,e7,44,ba,09,d9,55,3b,91,53,28,0d,7d,fa,\

"4"=hex:2f,ad,a2,e7,8a,bf,05,5e

"5"=hex:bf,e5,23,7b,b0,66,d6,fc,b8,e8,6b,a0,96,52,f7,32,80,09,8f,24,b7,b3,55,

1a,98,d1,47,16,02,43,61,1c,b9,d5,8f,2a,7b,81,b1,fb,95,22,f8,b3,2c,53,9d,ae,\

"6"=hex:bf,e5,23,7b,b0,66,d6,fc,bc,64,22,fb,7e,d3,39,3e,a3,00,33,13,c0,21,f4,

51,6c,4e,0c,96,e2,dd,ad,8a,b6,c4,05,e8,5a,bd,9a,e9,d4,1a,3d,68,9d,00,32,20

"7"=hex:85,bb,69,ad,52,49,47,61,50,80,55,ef,fa,b4,14,9a,04,b7,d6,59,f0,23,46,

cc,d3,ec,dd,49,40,98,41,b7,16,93,15,99,41,9a,8d,78,4a,2e,fb,89,b2,3d,70,79,\

"8"=hex:63,5a,d7,1b,b1,d4,18,46,f1,a8,be,52,77,05,97,0b,34,a0,71,a8,88,47,3c,

8d,75,16,d6,0c,2b,a7,16,a7,8a,ab,2c,39,23,dd,28,0f

"9"=hex:81,20,8f,ab,28,6a,52,9c

"18"=hex:70,56,26,33,e3,20,f8,ab

"10"=hex:ef,01,3f,48,b8,d3,ab,86

"11"=hex:7d,ba,74,77,fe,09,92,36

"12"=hex:81,20,8f,ab,28,6a,52,9c

"13"=hex:81,20,8f,ab,28,6a,52,9c

"14"=hex:81,20,8f,ab,28,6a,52,9c

"24"=hex:81,20,8f,ab,28,6a,52,9c

"26"=hex:81,20,8f,ab,28,6a,52,9c

"27"=hex:81,20,8f,ab,28,6a,52,9c

"19"=hex:81,20,8f,ab,28,6a,52,9c

"22"=hex:81,20,8f,ab,28,6a,52,9c

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2496)

c:\windows\system32\shdoclc.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Kontiki\KService.exe

c:\windows\system32\PnkBstrA.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2009-05-23 9:43 - machine was rebooted

ComboFix-quarantined-files.txt 2009-05-23 08:43

ComboFix2.txt 2009-05-22 08:09

Pre-Run: 118,475,845,632 bytes free

Post-Run: 118,488,862,720 bytes free

361 --- E O F --- 2009-05-20 23:19

Malwarebytes:

Malwarebytes' Anti-Malware 1.36

Database version: 2168

Windows 5.1.2600 Service Pack 2

23/05/2009 10:00:55

mbam-log-2009-05-23 (10-00-55).txt

Scan type: Quick Scan

Objects scanned: 82802

Time elapsed: 2 minute(s), 44 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\drivers\mrxdavv.sys (Rootkit.Agent.H) -> Delete on reboot.

C:\WINDOWS\system32\kwave.sys (Trojan.Agent) -> Delete on reboot.

HJT:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:05:07, on 23/05/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\AGRSMMSG.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\ALCWZRD.EXE

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Messenger\Msmsgs.exe

C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe

C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Kontiki\KService.exe

C:\WINDOWS\runservice.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Opera\opera.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: Yahoo!


  • Root Admin

This one will take a bit more work to dig out. It hides and renames on every reboot. Try not to use the computer much and don't use it for any sensitive information such as banking, etc.

Will try to get back to you as soon as I can, but this is a long 3-day weekend.


It won't be used until instructed by you.

It's wifi'd through the router but not on our home network, so hopefully the other machines are safe, although I did use a USB stick a couple of times to try and put a different AV on his machine before you started helping us. That stick is now destroyed just in case, and I'm keeping a real close eye on my machine for anything unusual.

Enjoy the weekend.


  • Root Admin

Okay, let's start by removing any temp and other unneeded files and then run the scanners.

STEP 01

  • Download and install CCleaner
  • Double-click on the downloaded file "ccsetup219.exe" and install the application.
  • Keep the default installation folder "C:\Program Files\CCleaner"
  • Uncheck "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser"
  • Click finish when done and close ALL PROGRAMS
  • Start the CCleaner program.
  • Click on Registry and Uncheck Registry Integrity so that it does not run (basically the very top, uncheck it)
  • Click on Options - Advanced and Uncheck "Only delete files in Windows Temp folders older than 48 hours"
  • Click back to Cleaner and under SYSTEM uncheck the Memory Dumps and Windows Log Files
  • Click on Run Cleaner button on the bottom right side of the program.
  • Click OK to any prompts

STEP 02

Delete C:\Windows\ntbtlog.txt. Then click on START - RUN, type in MSCONFIG and make sure the /BOOTLOG is still set to create one.

If not, set it and reboot the computer now.

STEP 03

Delete your current copy of Combofix.exe and download a NEW fresh copy. Rename the file to HONEY.EXE before running it though.

Additional links to download the tool:

ComboFix.exe

ComboFix.exe

ComboFix.exe

Run HONEY.EXE (renamed from Combofix.exe) as previously instructed. Disconnect from the Internet and disable your Anti-Virus.

STEP 04

DO NOT reboot the computer anymore unless one of the programs forces you to as this Malware will rename itself and we'll miss it.

STEP 05

RootRepeal - Rootkit Detector

  • Close ALL applications and as many items in the task tray as will stop and exit.
  • Please download the following tool: RootRepeal - Rootkit Detector
  • Direct download link is here: RootRepeal.rar
  • If you don't already have a program to open a .RAR compressed file you can download a trial version from here: WinRAR
  • Extract the program file to a new folder such as C:\RootRepeal
  • Run the program RootRepeal.exe, go to the REPORT tab and click on the Scan button
  • Select ALL of the checkboxes and then click OK and it will start scanning your system.
  • If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
  • When done, click on Save Report
  • Save it to the same location where you ran it from, such as C:\RootRepeal
  • Save it as your_name_rootrepeal.txt - where your_name is your forum name
  • This makes it easier to track who the log belongs to.
  • Then open that log and select all and copy/paste it back on your next reply please.
  • Quit the RootRepeal program.

STEP 06

Copy and ATTACH the C:\Windows\ntbtlog.txt file to your next reply along with:

Combofix log, Root Repeal log

If we miss it again, we'll run another program to help track it down, but hopefully this one will catch it.

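The boot-log step above works because a driver that renames itself on every reboot shows up under one name in one ntbtlog.txt session and under another in the next. As an added example that is not from this thread or from any tool named in it, the Python below parses an ntbtlog.txt into boot sessions, flags drivers loaded from outside the Windows system directories (a user's Temp folder, for instance) and diffs the first and last sessions; the sample log is constructed to mimic the two sessions posted below, and the trusted-path list is an assumption for a stock XP install.

```python
"""Triage helper for Windows XP ntbtlog.txt boot logs (added example).

Assumes the stock ntbtlog.txt layout: each boot session begins with a line
starting "Service Pack", followed by "Loaded driver <path>" and
"Did not load driver <path>" lines.
"""
import re

# Session header, e.g. "Service Pack 2 5 26 2009 12:03:11.500"
SESSION_RE = re.compile(r"^Service Pack \d+ (.+)$")
DRIVER_RE = re.compile(r"^(Loaded driver|Did not load driver) (.+)$")

# Assumed: where drivers normally load from on an XP box. A driver loading
# from a user's Temp folder or any other location deserves a closer look.
TRUSTED_PREFIXES = (
    "\\systemroot\\system32\\",
    "\\windows\\system32\\",
    "\\??\\c:\\windows\\system32\\",
)

# Constructed sample modelled on the two sessions posted in the thread
# (not the real log); the Temp-folder driver is the kind of entry to flag.
SAMPLE_LOG = r"""
Service Pack 2 5 26 2009 12:03:11.500
Loaded driver \WINDOWS\system32\ntkrnlpa.exe
Loaded driver ACPI.sys
Loaded driver \SystemRoot\system32\DRIVERS\tcpip.sys
Loaded driver \SystemRoot\system32\DRIVERS\mrxdav.sys
Did not load driver \SystemRoot\System32\Drivers\Sfloppy.SYS
Loaded driver \??\C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\catchme.sys
Loaded driver \SystemRoot\system32\drivers\kmixer.sys
Service Pack 2 5 26 2009 12:29:31.500
Loaded driver \WINDOWS\system32\ntkrnlpa.exe
Loaded driver ACPI.sys
Loaded driver Combo-Fix.sys
Loaded driver \SystemRoot\system32\DRIVERS\tcpip.sys
Loaded driver \SystemRoot\system32\DRIVERS\mrxdav.sys
Loaded driver \??\C:\WINDOWS\system32\drivers\rootrepeal.sys
Loaded driver \SystemRoot\system32\drivers\kmixer.sys
"""


def parse_boot_log(text):
    """Return {session_timestamp: [(status, path), ...]} in log order."""
    sessions = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SESSION_RE.match(line)
        if m:
            current = m.group(1)
            sessions[current] = []
            continue
        m = DRIVER_RE.match(line)
        if m and current is not None:
            sessions[current].append((m.group(1), m.group(2)))
    return sessions


def is_trusted_path(path):
    """Bare names (ACPI.sys) are boot-start drivers resolved under the
    system drivers folder; anything with a path must sit under a trusted prefix."""
    p = path.lower()
    if "\\" not in p:
        return True
    return any(p.startswith(prefix) for prefix in TRUSTED_PREFIXES)


def suspicious_drivers(sessions):
    """Per session, the sorted list of drivers loaded from an untrusted path."""
    return {
        ts: sorted({path for status, path in entries
                    if status == "Loaded driver" and not is_trusted_path(path)})
        for ts, entries in sessions.items()
    }


def session_diff(sessions):
    """(appeared, vanished): drivers loaded only in the last session and
    drivers loaded only in the first. A component that renames itself on
    every reboot lands in both sets under different names."""
    keys = list(sessions)
    if len(keys) < 2:
        return set(), set()

    def loaded(ts):
        return {path.lower() for status, path in sessions[ts]
                if status == "Loaded driver"}

    first, last = loaded(keys[0]), loaded(keys[-1])
    return last - first, first - last


if __name__ == "__main__":
    sessions = parse_boot_log(SAMPLE_LOG)
    for ts, flagged in suspicious_drivers(sessions).items():
        print(f"session {ts}: {len(sessions[ts])} entries, {len(flagged)} untrusted")
        for path in flagged:
            print("   !", path)
    appeared, vanished = session_diff(sessions)
    print("appeared since first boot:", sorted(appeared))
    print("vanished since first boot:", sorted(vanished))
```

Drivers that both appear in the "untrusted" list and churn between sessions are the ones to pass to the rootkit scanner; on a real log, feed the whole C:\Windows\ntbtlog.txt to parse_boot_log instead of SAMPLE_LOG.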

Hope you had a good weekend. Here's the next instalment:

ntbootlog.txt:

Service Pack 2 5 26 2009 12:03:11.500

Loaded driver \WINDOWS\system32\ntkrnlpa.exe

Loaded driver \WINDOWS\system32\hal.dll

Loaded driver \WINDOWS\system32\KDCOM.DLL

Loaded driver \WINDOWS\system32\BOOTVID.dll

Loaded driver ACPI.sys

Loaded driver \WINDOWS\system32\DRIVERS\WMILIB.SYS

Loaded driver pci.sys

Loaded driver isapnp.sys

Loaded driver ohci1394.sys

Loaded driver \WINDOWS\system32\DRIVERS\1394BUS.SYS

Loaded driver intelide.sys

Loaded driver \WINDOWS\system32\DRIVERS\PCIIDEX.SYS

Loaded driver MountMgr.sys

Loaded driver ftdisk.sys

Loaded driver PartMgr.sys

Loaded driver VolSnap.sys

Loaded driver atapi.sys

Loaded driver disk.sys

Loaded driver \WINDOWS\system32\DRIVERS\CLASSPNP.SYS

Loaded driver fltMgr.sys

Loaded driver sr.sys

Loaded driver PxHelp20.sys

Loaded driver KSecDD.sys

Loaded driver Ntfs.sys

Loaded driver NDIS.sys

Loaded driver Mup.sys

Loaded driver gagp30kx.sys

Loaded driver \SystemRoot\system32\DRIVERS\nic1394.sys

Loaded driver \SystemRoot\system32\DRIVERS\intelppm.sys

Loaded driver \SystemRoot\system32\DRIVERS\ialmnt5.sys

Loaded driver \SystemRoot\system32\DRIVERS\HDAudBus.sys

Loaded driver \SystemRoot\system32\DRIVERS\usbuhci.sys

Loaded driver \SystemRoot\system32\DRIVERS\usbehci.sys

Loaded driver \SystemRoot\system32\DRIVERS\R8139n51.SYS

Loaded driver \SystemRoot\system32\DRIVERS\Cap7134.sys

Loaded driver \SystemRoot\system32\DRIVERS\AGRSM.sys

Loaded driver \SystemRoot\System32\Drivers\Modem.SYS

Loaded driver \SystemRoot\system32\DRIVERS\parport.sys

Loaded driver \SystemRoot\system32\DRIVERS\i8042prt.sys

Loaded driver \SystemRoot\system32\DRIVERS\PS2.sys

Loaded driver \SystemRoot\system32\DRIVERS\kbdclass.sys

Loaded driver \SystemRoot\system32\DRIVERS\mouclass.sys

Loaded driver \SystemRoot\system32\DRIVERS\imapi.sys

Loaded driver \SystemRoot\system32\drivers\iviaspi.sys

Loaded driver \SystemRoot\system32\DRIVERS\cdrom.sys

Loaded driver \SystemRoot\system32\DRIVERS\redbook.sys

Loaded driver \SystemRoot\SYSTEM32\DRIVERS\GEARAspiWDM.sys

Loaded driver \SystemRoot\system32\DRIVERS\audstub.sys

Loaded driver \SystemRoot\system32\DRIVERS\rasl2tp.sys

Loaded driver \SystemRoot\system32\DRIVERS\ndistapi.sys

Loaded driver \SystemRoot\system32\DRIVERS\ndiswan.sys

Loaded driver \SystemRoot\system32\DRIVERS\raspppoe.sys

Loaded driver \SystemRoot\system32\DRIVERS\raspptp.sys

Loaded driver \SystemRoot\system32\DRIVERS\msgpc.sys

Loaded driver \SystemRoot\system32\DRIVERS\psched.sys

Loaded driver \SystemRoot\system32\DRIVERS\ptilink.sys

Loaded driver \SystemRoot\system32\DRIVERS\raspti.sys

Loaded driver \SystemRoot\system32\DRIVERS\hamachi.sys

Loaded driver \SystemRoot\system32\DRIVERS\termdd.sys

Loaded driver \SystemRoot\system32\DRIVERS\swenum.sys

Loaded driver \SystemRoot\system32\DRIVERS\update.sys

Loaded driver \SystemRoot\system32\DRIVERS\mssmbios.sys

Loaded driver \SystemRoot\System32\Drivers\NDProxy.SYS

Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS

Loaded driver \SystemRoot\system32\drivers\RtkHDAud.sys

Loaded driver \SystemRoot\system32\DRIVERS\usbhub.sys

Loaded driver \SystemRoot\system32\DRIVERS\PhTVTune.sys

Loaded driver \SystemRoot\System32\Drivers\sptd.sys

Did not load driver \SystemRoot\System32\Drivers\lbrtfdc.SYS

Did not load driver \SystemRoot\System32\Drivers\Sfloppy.SYS

Did not load driver \SystemRoot\System32\Drivers\i2omgmt.SYS

Did not load driver \SystemRoot\System32\Drivers\Changer.SYS

Did not load driver \SystemRoot\System32\Drivers\Cdaudio.SYS

Loaded driver \SystemRoot\System32\Drivers\Fs_Rec.SYS

Loaded driver \SystemRoot\System32\Drivers\Null.SYS

Loaded driver \SystemRoot\System32\Drivers\Beep.SYS

Did not load driver \SystemRoot\system32\DRIVERS\kbdhid.sys

Loaded driver \SystemRoot\System32\drivers\vga.sys

Loaded driver \SystemRoot\System32\Drivers\mnmdd.SYS

Loaded driver \SystemRoot\System32\DRIVERS\RDPCDD.sys

Loaded driver \SystemRoot\System32\Drivers\Msfs.SYS

Loaded driver \SystemRoot\System32\Drivers\Npfs.SYS

Loaded driver \SystemRoot\system32\DRIVERS\rasacd.sys

Loaded driver \SystemRoot\system32\DRIVERS\ipsec.sys

Loaded driver \SystemRoot\system32\DRIVERS\tcpip.sys

Loaded driver \SystemRoot\system32\DRIVERS\netbt.sys

Loaded driver \SystemRoot\System32\drivers\ws2ifsl.sys

Loaded driver \SystemRoot\System32\drivers\afd.sys

Loaded driver \SystemRoot\system32\DRIVERS\netbios.sys

Did not load driver \SystemRoot\system32\DRIVERS\serial.sys

Did not load driver \SystemRoot\system32\DRIVERS\processr.sys

Did not load driver \SystemRoot\System32\Drivers\PCIDump.SYS

Loaded driver \SystemRoot\system32\DRIVERS\rdbss.sys

Loaded driver \SystemRoot\system32\DRIVERS\mrxsmb.sys

Loaded driver \SystemRoot\system32\DRIVERS\ipnat.sys

Loaded driver \SystemRoot\system32\DRIVERS\wanarp.sys

Loaded driver \SystemRoot\system32\DRIVERS\arp1394.sys

Loaded driver \SystemRoot\System32\Drivers\Fips.SYS

Loaded driver \SystemRoot\System32\Drivers\Fastfat.SYS

Loaded driver \SystemRoot\system32\DRIVERS\hidusb.sys

Loaded driver \SystemRoot\System32\Drivers\Cdfs.SYS

Loaded driver \SystemRoot\system32\DRIVERS\rt2500usb.sys

Loaded driver \SystemRoot\system32\DRIVERS\mouhid.sys

Loaded driver \SystemRoot\system32\DRIVERS\AegisP.sys

Loaded driver \SystemRoot\system32\DRIVERS\ndisuio.sys

Did not load driver \SystemRoot\system32\DRIVERS\rdbss.sys

Did not load driver \SystemRoot\system32\DRIVERS\mrxsmb.sys

Loaded driver \SystemRoot\system32\drivers\wdmaud.sys

Loaded driver \SystemRoot\system32\drivers\sysaudio.sys

Loaded driver \SystemRoot\system32\drivers\splitter.sys

Loaded driver \SystemRoot\system32\drivers\aec.sys

Loaded driver \SystemRoot\system32\drivers\swmidi.sys

Loaded driver \SystemRoot\system32\drivers\DMusic.sys

Loaded driver \SystemRoot\system32\drivers\kmixer.sys

Loaded driver \SystemRoot\system32\drivers\drmkaud.sys

Loaded driver \SystemRoot\system32\DRIVERS\mrxdav.sys

Loaded driver \SystemRoot\system32\DRIVERS\srv.sys

Loaded driver \SystemRoot\system32\DRIVERS\secdrv.sys

Did not load driver \SystemRoot\system32\DRIVERS\ipnat.sys

Loaded driver \SystemRoot\System32\Drivers\HTTP.sys

Loaded driver \SystemRoot\system32\drivers\MSPQM.sys

Loaded driver \??\C:\WINDOWS\system32\GTNDIS5.SYS

Loaded driver \SystemRoot\system32\drivers\kmixer.sys

Loaded driver \SystemRoot\system32\drivers\kmixer.sys

Loaded driver \??\C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\catchme.sys

Loaded driver \??\C:\WINDOWS\system32\Drivers\PROCEXP90.SYS

Loaded driver \SystemRoot\system32\drivers\kmixer.sys

Loaded driver \SystemRoot\system32\drivers\kmixer.sys

Service Pack 2 5 26 2009 12:29:31.500

Loaded driver \WINDOWS\system32\ntkrnlpa.exe

Loaded driver \WINDOWS\system32\hal.dll

Loaded driver \WINDOWS\system32\KDCOM.DLL

Loaded driver \WINDOWS\system32\BOOTVID.dll

Loaded driver ACPI.sys

Loaded driver \WINDOWS\system32\DRIVERS\WMILIB.SYS

Loaded driver pci.sys

Loaded driver isapnp.sys

Loaded driver ohci1394.sys

Loaded driver \WINDOWS\system32\DRIVERS\1394BUS.SYS

Loaded driver intelide.sys

Loaded driver \WINDOWS\system32\DRIVERS\PCIIDEX.SYS

Loaded driver MountMgr.sys

Loaded driver ftdisk.sys

Loaded driver PartMgr.sys

Loaded driver VolSnap.sys

Loaded driver atapi.sys

Loaded driver disk.sys

Loaded driver \WINDOWS\system32\DRIVERS\CLASSPNP.SYS

Loaded driver fltMgr.sys

Loaded driver sr.sys

Loaded driver PxHelp20.sys

Loaded driver KSecDD.sys

Loaded driver Ntfs.sys

Loaded driver NDIS.sys

Loaded driver Combo-Fix.sys

Loaded driver Mup.sys

Loaded driver gagp30kx.sys

Loaded driver \SystemRoot\system32\DRIVERS\nic1394.sys

Loaded driver \SystemRoot\system32\DRIVERS\intelppm.sys

Loaded driver \SystemRoot\system32\DRIVERS\ialmnt5.sys

Loaded driver \SystemRoot\system32\DRIVERS\HDAudBus.sys

Loaded driver \SystemRoot\system32\DRIVERS\usbuhci.sys

Loaded driver \SystemRoot\system32\DRIVERS\usbehci.sys

Loaded driver \SystemRoot\system32\DRIVERS\R8139n51.SYS

Loaded driver \SystemRoot\system32\DRIVERS\Cap7134.sys

Loaded driver \SystemRoot\system32\DRIVERS\AGRSM.sys

Loaded driver \SystemRoot\System32\Drivers\Modem.SYS

Loaded driver \SystemRoot\system32\DRIVERS\parport.sys

Loaded driver \SystemRoot\system32\DRIVERS\i8042prt.sys

Loaded driver \SystemRoot\system32\DRIVERS\PS2.sys

Loaded driver \SystemRoot\system32\DRIVERS\kbdclass.sys

Loaded driver \SystemRoot\system32\DRIVERS\mouclass.sys

Loaded driver \SystemRoot\system32\DRIVERS\imapi.sys

Loaded driver \SystemRoot\system32\drivers\iviaspi.sys

Loaded driver \SystemRoot\system32\DRIVERS\cdrom.sys

Loaded driver \SystemRoot\system32\DRIVERS\redbook.sys

Loaded driver \SystemRoot\SYSTEM32\DRIVERS\GEARAspiWDM.sys

Loaded driver \SystemRoot\system32\DRIVERS\audstub.sys

Loaded driver \SystemRoot\system32\DRIVERS\rasl2tp.sys

Loaded driver \SystemRoot\system32\DRIVERS\ndistapi.sys

Loaded driver \SystemRoot\system32\DRIVERS\ndiswan.sys

Loaded driver \SystemRoot\system32\DRIVERS\raspppoe.sys

Loaded driver \SystemRoot\system32\DRIVERS\raspptp.sys

Loaded driver \SystemRoot\system32\DRIVERS\msgpc.sys

Loaded driver \SystemRoot\system32\DRIVERS\psched.sys

Loaded driver \SystemRoot\system32\DRIVERS\ptilink.sys

Loaded driver \SystemRoot\system32\DRIVERS\raspti.sys

Loaded driver \SystemRoot\system32\DRIVERS\hamachi.sys

Loaded driver \SystemRoot\system32\DRIVERS\termdd.sys

Loaded driver \SystemRoot\system32\DRIVERS\swenum.sys

Loaded driver \SystemRoot\system32\DRIVERS\update.sys

Loaded driver \SystemRoot\system32\DRIVERS\mssmbios.sys

Loaded driver \SystemRoot\System32\Drivers\NDProxy.SYS

Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS

Loaded driver \SystemRoot\system32\drivers\RtkHDAud.sys

Loaded driver \SystemRoot\system32\DRIVERS\usbhub.sys

Loaded driver \SystemRoot\system32\DRIVERS\PhTVTune.sys

Loaded driver \SystemRoot\System32\Drivers\sptd.sys

Did not load driver \SystemRoot\System32\Drivers\lbrtfdc.SYS

Did not load driver \SystemRoot\System32\Drivers\Sfloppy.SYS

Did not load driver \SystemRoot\System32\Drivers\i2omgmt.SYS

Did not load driver \SystemRoot\System32\Drivers\Changer.SYS

Did not load driver \SystemRoot\System32\Drivers\Cdaudio.SYS

Loaded driver \SystemRoot\System32\Drivers\Fs_Rec.SYS

Loaded driver \SystemRoot\System32\Drivers\Null.SYS

Loaded driver \SystemRoot\System32\Drivers\Beep.SYS

Did not load driver \SystemRoot\system32\DRIVERS\kbdhid.sys

Loaded driver \SystemRoot\System32\drivers\vga.sys

Loaded driver \SystemRoot\System32\Drivers\mnmdd.SYS

Loaded driver \SystemRoot\System32\DRIVERS\RDPCDD.sys

Loaded driver \SystemRoot\System32\Drivers\Msfs.SYS

Loaded driver \SystemRoot\System32\Drivers\Npfs.SYS

Loaded driver \SystemRoot\system32\DRIVERS\rasacd.sys

Loaded driver \SystemRoot\system32\DRIVERS\ipsec.sys

Loaded driver \SystemRoot\system32\DRIVERS\tcpip.sys

Loaded driver \SystemRoot\system32\DRIVERS\netbt.sys

Loaded driver \SystemRoot\System32\drivers\ws2ifsl.sys

Loaded driver \SystemRoot\System32\drivers\afd.sys

Loaded driver \SystemRoot\system32\DRIVERS\netbios.sys

Did not load driver \SystemRoot\system32\DRIVERS\serial.sys

Did not load driver \SystemRoot\system32\DRIVERS\processr.sys

Did not load driver \SystemRoot\System32\Drivers\PCIDump.SYS

Loaded driver \SystemRoot\system32\DRIVERS\rdbss.sys

Loaded driver \SystemRoot\system32\DRIVERS\mrxsmb.sys

Loaded driver \SystemRoot\system32\DRIVERS\ipnat.sys

Loaded driver \SystemRoot\system32\DRIVERS\wanarp.sys

Loaded driver \SystemRoot\system32\DRIVERS\arp1394.sys

Loaded driver \SystemRoot\System32\Drivers\Fips.SYS

Loaded driver \SystemRoot\System32\Drivers\Fastfat.SYS

Loaded driver \SystemRoot\system32\DRIVERS\hidusb.sys

Loaded driver \SystemRoot\System32\Drivers\Cdfs.SYS

Loaded driver \SystemRoot\system32\DRIVERS\rt2500usb.sys

Loaded driver \SystemRoot\system32\DRIVERS\mouhid.sys

Loaded driver \SystemRoot\system32\DRIVERS\AegisP.sys

Loaded driver \SystemRoot\system32\DRIVERS\ndisuio.sys

Did not load driver \SystemRoot\system32\DRIVERS\rdbss.sys

Did not load driver \SystemRoot\system32\DRIVERS\mrxsmb.sys

Loaded driver \SystemRoot\system32\drivers\wdmaud.sys

Loaded driver \SystemRoot\system32\drivers\sysaudio.sys

Loaded driver \SystemRoot\system32\drivers\splitter.sys

Loaded driver \SystemRoot\system32\drivers\aec.sys

Loaded driver \SystemRoot\system32\drivers\swmidi.sys

Loaded driver \SystemRoot\system32\drivers\DMusic.sys

Loaded driver \SystemRoot\system32\drivers\kmixer.sys

Loaded driver \SystemRoot\system32\drivers\drmkaud.sys

Loaded driver \SystemRoot\system32\DRIVERS\mrxdav.sys

Loaded driver \SystemRoot\system32\DRIVERS\srv.sys

Loaded driver \SystemRoot\system32\DRIVERS\secdrv.sys

Did not load driver \SystemRoot\system32\DRIVERS\ipnat.sys

Loaded driver \SystemRoot\System32\Drivers\HTTP.sys

Loaded driver \??\C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\catchme.sys

Loaded driver \SystemRoot\system32\drivers\MSPQM.sys

Loaded driver \??\C:\WINDOWS\system32\GTNDIS5.SYS

Loaded driver \SystemRoot\system32\drivers\kmixer.sys

Loaded driver \SystemRoot\system32\drivers\kmixer.sys

Loaded driver \??\C:\WINDOWS\system32\Drivers\PROCEXP90.SYS

Loaded driver \SystemRoot\system32\drivers\kmixer.sys

Loaded driver \??\C:\WINDOWS\system32\drivers\rootrepeal.sys

Loaded driver \??\C:\WINDOWS\system32\drivers\rootrepeal.sys

Loaded driver \SystemRoot\system32\DRIVERS\rt2500usb.sys

Loaded driver \SystemRoot\system32\drivers\kmixer.sys

Combofix log:

ComboFix 09-05-25.07 - HP_Owner 26/05/2009 12:26.3 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.759.462 [GMT 1:00]

Running from: c:\documents and settings\HP_Owner\Desktop\HONEY.exe

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\drivers\mrxdavv.sys

c:\windows\system32\kwave.sys

.

((((((((((((((((((((((((( Files Created from 2009-04-26 to 2009-05-26 )))))))))))))))))))))))))))))))

.

2009-05-21 20:18 . 2009-05-21 20:18 -------- d-----w c:\program files\Trend Micro

2009-05-21 12:42 . 2009-05-21 12:42 -------- d-----w c:\documents and settings\Administrator\Application Data\AdobeUM

2009-05-21 12:41 . 2009-05-21 12:41 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Adobe

2009-05-21 10:42 . 2009-05-21 10:42 -------- d-----w c:\program files\Sophos

2009-05-21 10:05 . 2009-05-21 10:05 -------- d-----w c:\documents and settings\HP_Owner\Local Settings\Application Data\Opera

2009-05-21 10:04 . 2009-05-21 10:05 -------- d-----w c:\program files\Opera

2009-05-20 21:01 . 2009-05-21 08:15 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP

2009-05-20 20:53 . 2007-06-08 12:53 1753088 ----a-w c:\windows\system32\ExGrid.dll

2009-05-20 20:53 . 2007-06-05 09:20 602112 ----a-w c:\windows\system32\ExMenu.dll

2009-05-20 20:53 . 2007-04-03 15:51 614400 ----a-w c:\windows\system32\ExButton.dll

2009-05-20 20:53 . 2007-04-03 15:51 307200 ----a-w c:\windows\system32\ExPMenu.dll

2009-05-20 20:53 . 2009-05-20 20:53 -------- d-----w c:\program files\Common Files\eSellerate

2009-05-20 20:53 . 2007-06-05 09:19 516096 ----a-w c:\windows\system32\ExTab.dll

2009-05-20 20:53 . 2005-10-11 13:40 356352 ----a-w c:\windows\system32\eSellerateEngine.dll

2009-05-20 20:53 . 2005-10-04 07:11 118784 ----a-w c:\windows\system32\eWebControl.dll

2009-05-20 20:53 . 1998-04-24 00:00 368912 ----a-w c:\windows\system32\vbar332.dll

2009-05-20 20:53 . 2009-05-20 20:53 -------- d-----w c:\program files\AnswersThatWork

2009-05-20 17:39 . 2009-05-20 17:39 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-05-16 13:21 . 2009-05-20 17:14 7 ----a-w c:\windows\system32\pllk.bin

2009-05-15 19:33 . 2009-05-15 19:33 8656 ----a-w c:\windows\system32\exodpt.sys

2009-05-14 18:28 . 2009-05-14 18:28 15939 ----a-w c:\windows\system32\drivers\AegisP.sys

2009-05-14 18:28 . 2009-05-14 18:28 -------- d-----w c:\windows\options

2009-05-14 18:28 . 2004-04-30 14:12 40960 ----a-w c:\windows\system32\B11gUSB.dll

2009-05-14 18:28 . 2004-03-30 11:51 1085440 ----a-w c:\windows\system32\AegisE5.dll

2009-05-14 18:28 . 2003-10-13 14:30 94208 ----a-w c:\windows\system32\GTW32N50.dll

2009-05-14 18:28 . 2003-09-25 21:15 15872 ----a-w c:\windows\system32\GTNDIS5.sys

2009-05-03 05:09 . 2009-05-03 05:09 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-04-30 22:29 . 2009-04-30 22:29 -------- d-----w c:\program files\Kontiki

2009-04-30 22:29 . 2009-04-30 22:29 -------- d-----w c:\program files\Channel4

2009-04-30 20:29 . 2009-04-30 20:29 31948 ---ha-w c:\windows\system32\mlfcache.dat

2009-04-30 20:28 . 2009-04-30 20:28 -------- d-----w c:\program files\Safari

2009-04-30 20:27 . 2009-04-30 20:27 -------- d-----w c:\program files\Bonjour

2009-04-30 20:27 . 2009-04-30 20:27 -------- d-----w c:\program files\Apple Software Update

2009-04-30 20:15 . 2009-04-30 20:15 -------- d-----w c:\program files\Unlocker

2009-04-30 20:15 . 2009-04-30 20:15 -------- d-----w c:\documents and settings\HP_Owner\Application Data\Desktopicon

2009-04-30 18:42 . 2009-05-03 05:08 -------- d-----w c:\program files\Spybot - Search & Destroy

2009-04-28 21:00 . 2009-04-28 21:00 -------- d-----w c:\documents and settings\HP_Owner\Application Data\Malwarebytes

2009-04-28 21:00 . 2009-04-06 14:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-04-28 21:00 . 2009-04-06 14:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-04-28 21:00 . 2009-04-28 21:00 -------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-04-28 21:00 . 2009-04-28 21:00 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes

2009-04-27 20:28 . 2009-04-27 20:28 226832 ----a-w c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP8\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav8exec\8.0.0.506\XP\klif.sys

2009-04-27 20:13 . 2009-05-20 20:57 -------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab

2009-04-27 20:13 . 2009-04-27 20:13 -------- d-----w c:\program files\Kaspersky Lab

2009-04-27 20:09 . 2009-04-27 20:09 -------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files

2009-04-27 20:03 . 2009-04-27 20:03 -------- d-----w c:\documents and settings\All Users\Application Data\Avg7

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-05-26 11:31 . 2008-03-04 15:48 -------- d-----w c:\documents and settings\All Users\Application Data\Kontiki

2009-05-26 11:30 . 2006-12-06 20:35 2241 --sha-w c:\windows\system32\mmf.sys

2009-05-15 19:33 . 2006-11-02 12:00 8656 ----a-w c:\windows\system32\drivers\sptd.sys

2009-04-30 20:28 . 2006-11-01 20:11 -------- d-----w c:\documents and settings\HP_Owner\Application Data\Apple Computer

2009-04-28 05:32 . 2007-10-10 22:20 -------- d-----w c:\program files\CCleaner

2009-04-27 23:12 . 2007-04-17 15:57 -------- d-----w c:\program files\VideoEgg

2009-04-27 20:02 . 2007-05-07 17:20 -------- d-----w c:\documents and settings\All Users\Application Data\Grisoft

2009-04-27 16:37 . 2007-07-28 06:24 -------- d-----w c:\program files\iWin

2009-04-22 23:59 . 2009-01-09 07:20 -------- d-----w c:\documents and settings\HP_Owner\Application Data\Spotify

2009-03-16 06:54 . 2009-03-06 21:37 138944 ----a-w c:\windows\system32\drivers\PnkBstrK.sys

2009-03-16 06:54 . 2009-03-06 21:37 75064 ----a-w c:\windows\system32\PnkBstrA.exe

2009-03-16 06:53 . 2009-03-06 21:41 334912 ----a-w c:\documents and settings\HP_Owner\Application Data\id Software\quakelive\home\baseq3\cgamex86.dll

2009-03-16 06:53 . 2009-03-06 21:41 171072 ----a-w c:\documents and settings\HP_Owner\Application Data\id Software\quakelive\home\baseq3\uix86.dll

2009-03-16 06:53 . 2009-03-06 21:37 189784 ----a-w c:\windows\system32\PnkBstrB.exe

2009-03-16 06:53 . 2009-03-06 21:41 874660 ----a-w c:\documents and settings\HP_Owner\Application Data\id Software\quakelive\home\pb\pbcl.dll

2009-03-16 06:53 . 2009-03-06 21:41 57344 ----a-w c:\documents and settings\HP_Owner\Application Data\id Software\quakelive\home\pb\pbag.dll

2009-03-16 06:53 . 2009-03-06 21:41 479232 ----a-w c:\documents and settings\HP_Owner\Application Data\id Software\quakelive\home\pb\pbsv.dll

2009-03-16 06:53 . 2009-03-06 21:41 2669632 ----a-w c:\documents and settings\HP_Owner\Application Data\id Software\quakelive\home\baseq3\quakelive.dll

2009-03-12 22:33 . 2009-03-06 21:41 441408 ----a-w c:\documents and settings\HP_Owner\Application Data\id Software\quakelive\home\baseq3\qagamex86.dll

2009-03-12 22:23 . 2009-03-06 21:37 22328 ----a-w c:\documents and settings\HP_Owner\Application Data\PnkBstrK.sys

2009-03-12 22:23 . 2009-03-06 21:37 22328 ----a-w c:\documents and settings\HP_Owner\Application Data\PnkBstrK.sys

2009-03-12 22:22 . 2009-03-06 21:37 2246144 ----a-w c:\windows\system32\pbsvc.exe

2009-03-11 12:40 . 2009-03-11 12:40 625728 ----a-w c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll

2009-03-06 21:41 . 2009-03-06 21:41 57344 ----a-w c:\documents and settings\HP_Owner\Application Data\id Software\quakelive\home\pb\pbags.dll

2009-03-06 21:41 . 2009-03-06 21:41 866235 ----a-w c:\documents and settings\HP_Owner\Application Data\id Software\quakelive\home\pb\pbcls.dll

2009-03-06 14:44 . 2006-11-02 00:08 283648 ----a-w c:\windows\system32\pdh.dll

.

((((((((((((((((((((((((((((( SnapShot@2009-05-22_07.46.43 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-05-26 11:30 . 2009-05-26 11:30 16384 c:\windows\temp\Perflib_Perfdata_75c.dat

+ 2009-05-26 11:30 . 2009-05-26 11:30 16384 c:\windows\temp\Perflib_Perfdata_714.dat

.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2006-11-01 18:46 . 2004-10-15 04:54 253952 c:\hp\drivers\hplsbwatcher\bak\lsburnwatcher.exe

2006-11-01 18:42 . 2003-02-12 02:02 61440 c:\hp\KBD\bak\KBD.EXE

2006-11-01 18:47 . 2004-06-16 06:03 81920 c:\program files\Common Files\InstallShield\UpdateService\bak\issch.exe

2006-11-01 18:47 . 2004-06-16 06:03 221184 c:\program files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe

2006-11-01 18:47 . 2004-11-05 00:26 106496 c:\program files\Common Files\InterVideo\SchSvr\bak\SchSvr.exe

2004-08-28 06:22 . 2004-08-28 06:22 58488 c:\program files\Common Files\Symantec Shared\bak\ccApp.exe

2006-09-14 20:09 . 2006-09-14 20:09 157592 c:\program files\DAEMON Tools\bak\daemon.exe

2007-09-18 14:16 . 2007-09-18 14:16 171464 c:\program files\DAEMON Tools\daemon.exe

2006-11-01 18:47 . 2004-11-05 01:44 192512 c:\program files\InterVideo\Common\Bin\bak\WinRemote.exe

2004-10-13 16:04 . 2004-10-13 16:04 278528 c:\program files\iTunes\bak\iTunesHelper.exe

2007-09-26 13:42 . 2007-09-26 13:42 267064 c:\program files\iTunes\iTunesHelper.exe

2006-11-01 18:24 . 2006-11-01 18:24 32881 c:\program files\Java\j2re1.4.2_03\bin\bak\jusched.exe

2004-08-04 14:06 . 2004-08-04 14:06 1667584 c:\program files\Messenger\bak\msmsgs.exe

2007-04-12 01:43 . 2007-04-12 01:43 1661304 c:\program files\Messenger\Msmsgs.exe

2006-12-06 09:31 . 2006-12-06 09:31 282624 c:\program files\QuickTime\bak\qttask.exe

2007-06-29 05:24 . 2007-06-29 05:24 286720 c:\program files\QuickTime\QTTask.exe

2004-04-15 03:43 . 2004-04-15 03:43 233472 c:\windows\SMINST\bak\RECGUARD.EXE

2006-11-01 18:27 . 1998-05-07 23:04 52736 c:\windows\system\bak\hpsysdrv.exe

2006-11-01 18:29 . 2004-11-02 22:59 126976 c:\windows\system32\bak\hkcmd.exe

2004-06-08 01:42 . 2004-06-08 01:42 659456 c:\windows\system32\bak\hphmon06.exe

2006-11-01 18:42 . 2004-10-26 04:17 90112 c:\windows\system32\bak\ps2.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\Msmsgs.exe" [2007-04-12 1661304]

"Google Update"="c:\documents and settings\HP_Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-05-20 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-02 136600]

"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2004-08-04 158208]

"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" - c:\windows\system32\Hdaudpropshortcut.exe [2004-03-17 61952]

"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-06-30 88363]

"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2005-02-22 90112]

"AlcWzrd"="ALCWZRD.EXE" - c:\windows\ALCWZRD.EXE [2005-02-19 2754560]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PalTalk.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PalTalk.lnk

backup=c:\windows\pss\PalTalk.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^ChkDisk.lnk]

path=c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\ChkDisk.lnk

backup=c:\windows\pss\ChkDisk.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"usnjsvc"=3 (0x3)

"iPod Service"=3 (0x3)

"Apple Mobile Device"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Azureus\\Azureus.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\Program Files\\Paltalk Messenger\\paltalk.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Messenger\\Msmsgs.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"c:\\Program Files\\Kontiki\\KService.exe"=

"c:\\Program Files\\Kontiki\\KHost.exe"=

"c:\\Documents and Settings\\HP_Owner\\Application Data\\PowerChallenge\\PowerSoccer\\PowerSoccer.exe"=

"c:\\Program Files\\Spotify\\spotify.exe"=

"c:\\WINDOWS\\system32\\PnkBstrA.exe"=

"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

"c:\\Program Files\\Emote\\Launcher\\launcher.exe"=

"c:\\Program Files\\Zattoo\\zattood.exe"=

"c:\\Program Files\\Zattoo\\Zattoo2.exe"=

"c:\\Program Files\\Belkin\\Belkin Wireless Network Utility\\WLanCfgG.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"10093:TCP"= 10093:TCP:Football Manager 2008

"10093:UDP"= 10093:UDP:Football Manager 2008

"10094:TCP"= 10094:TCP:Football Manager

R2 Belkin 54g Wireless USB Network Adapter Service;Belkin 54g Wireless USB Network Adapter;c:\program files\Belkin\Belkin Wireless Network Utility\WLService.exe [14/05/2009 19:28 49152]

R2 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [06/12/2006 21:35 2560]

R3 bkn50USB;Belkin 54Mbps Wireless USB Network Adapter;c:\windows\system32\drivers\rt2500usb.sys [01/11/2006 21:32 140416]

R3 PhTVTune;ASUS WDM TV Tuner;c:\windows\system32\drivers\PhTVTune.sys [01/11/2006 19:30 24544]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - GTNDIS5

.

Contents of the 'Scheduled Tasks' folder

2009-05-09 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-05-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2550148391-1751980287-1883927685-1007.job

- c:\documents and settings\HP_Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-20 17:13]

2009-05-26 c:\windows\Tasks\RegCure Program Check.job

- c:\program files\RegCure\RegCure.exe [2007-03-09 21:15]

2009-04-30 c:\windows\Tasks\RegCure.job

- c:\program files\RegCure\RegCure.exe [2007-03-09 21:15]

.

.

------- Supplementary Scan -------

.

uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=Q105&bd=pavilion&pf=desktop

mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=Q105&bd=pavilion&pf=desktop

mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=Q105&bd=pavilion&pf=desktop

uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=Q105&bd=pavilion&pf=desktop

uInternet Settings,ProxyOverride = *.local

IE: &Search

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-05-26 12:30

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&y@^t! #^$ g9^$&pgb SDB36o \EC1A69D1C0948222]

"1"=hex:b0,cd,e0,26,42,20,9e,7c,08,f1,c1,23,e7,41,66,ec,c9,e0,20,43,a1,23,f2,

e3

"2"=hex:d7,7a,ea,31,a0,f7,22,dd,b6,43,6f,32,07,8b,4a,0a,e2,6f,a8,1b,53,71,0d,

78,d5,ad,68,1b,c8,4a,9b,03

"3"=hex:b0,cd,e0,26,42,20,9e,7c,08,f1,c1,23,e7,41,66,ec,aa,6b,6f,c8,5d,d1,dd,

70,c8,0c,a2,71,14,a4,b5,05,7d,2c,84,8d,ff,2b,de,6d,f8,f2,70,94,19,43,ce,bd,\

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&y@^t! #^$ g9^$&pgb SDB36o \EC1A69D1C0948222\48236A7EED3B8895E98434D6DCE253AC]

"1"=hex:08,26,de,b9,bd,1e,cc,2a,55,96,fd,b8,7e,1b,23,82,71,bb,5a,5f,e0,12,25,

42,0c,3f,30,d4,d3,b8,cd,35,d5,a9,6f,e0,2c,05,4e,14

"2"=hex:58,92,5a,34,3f,c6,a5,c5

"3"=hex:ad,5a,fd,6a,39,d7,e0,10,47,e0,80,2a,b7,5e,91,04,0c,03,4d,22,bc,a3,5f,

99,0b,a3,ea,cf,f9,0a,c4,4d,9a,96,1d,fa,75,81,ec,9e,61,ed,d1,4e,a1,29,4a,ab,\

"4"=hex:2f,ad,a2,e7,8a,bf,05,5e

"5"=hex:bf,e5,23,7b,b0,66,d6,fc,b8,e8,6b,a0,96,52,f7,32,80,09,8f,24,b7,b3,55,

1a,98,d1,47,16,02,43,61,1c,b9,d5,8f,2a,7b,81,b1,fb,95,22,f8,b3,2c,53,9d,ae,\

"6"=hex:bf,e5,23,7b,b0,66,d6,fc,bc,64,22,fb,7e,d3,39,3e,a3,00,33,13,c0,21,f4,

51,6c,4e,0c,96,e2,dd,ad,8a,b6,c4,05,e8,5a,bd,9a,e9,d4,1a,3d,68,9d,00,32,20

"7"=hex:08,26,de,b9,bd,1e,cc,2a,55,96,fd,b8,7e,1b,23,82,71,bb,5a,5f,e0,12,25,

42,0c,3f,30,d4,d3,b8,cd,35,61,5a,c0,6c,22,7e,83,13,6e,44,91,28,69,cc,01,dd

"8"=hex:9d,9e,b2,b9,a7,a5,f4,ae,4d,29,c2,a3,c0,78,c4,c5,73,7e,45,c6,9f,9e,10,

63,a0,2f,06,c2,a3,e9,62,70,d1,3e,e6,57,b7,98,40,c9,e4,cc,88,e6,39,d6,95,f5,\

"9"=hex:81,20,8f,ab,28,6a,52,9c

"18"=hex:70,56,26,33,e3,20,f8,ab

"10"=hex:59,c8,db,4e,44,81,2c,dd

"11"=hex:7d,ba,74,77,fe,09,92,36

"12"=hex:81,20,8f,ab,28,6a,52,9c

"13"=hex:81,20,8f,ab,28,6a,52,9c

"14"=hex:81,20,8f,ab,28,6a,52,9c

"24"=hex:81,20,8f,ab,28,6a,52,9c

"26"=hex:81,20,8f,ab,28,6a,52,9c

"27"=hex:81,20,8f,ab,28,6a,52,9c

"19"=hex:81,20,8f,ab,28,6a,52,9c

"22"=hex:81,20,8f,ab,28,6a,52,9c

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&y@^t! #^$ g9^$&pgb SDB36o \EC1A69D1C0948222\B144CCE307E78EB6EE53CA2196E4D0A2]

"1"=hex:97,5e,49,d3,7c,a0,18,18,10,c9,e3,e3,c1,ae,57,ed,60,42,a5,db,24,eb,e2,

b0,36,d7,56,53,fe,9f,3d,f9

"2"=hex:8c,23,2d,03,75,bd,a0,cd

"3"=hex:25,76,f6,55,8d,1e,6a,c9,04,3b,67,d6,73,28,29,ef,9b,ac,56,1e,7b,56,45,

9d,1c,6f,80,6d,86,35,6a,dc,7e,45,58,21,69,29,63,0d,8e,98,9d,55,52,3f,f8,de,\

"4"=hex:2f,ad,a2,e7,8a,bf,05,5e

"5"=hex:bf,e5,23,7b,b0,66,d6,fc,b8,e8,6b,a0,96,52,f7,32,80,09,8f,24,b7,b3,55,

1a,98,d1,47,16,02,43,61,1c,b9,d5,8f,2a,7b,81,b1,fb,95,22,f8,b3,2c,53,9d,ae,\

"6"=hex:bf,e5,23,7b,b0,66,d6,fc,bc,64,22,fb,7e,d3,39,3e,a3,00,33,13,c0,21,f4,

51,6c,4e,0c,96,e2,dd,ad,8a,b6,c4,05,e8,5a,bd,9a,e9,d4,1a,3d,68,9d,00,32,20

"7"=hex:6b,96,68,24,0f,2f,9e,94,e8,ce,54,f3,3b,80,63,3a,1b,c3,e7,ed,44,3a,1d,

97,9f,f9,03,77,68,81,1b,0c,34,a2,88,30,12,be,09,a0

"8"=hex:9d,9e,b2,b9,a7,a5,f4,ae,4d,29,c2,a3,c0,78,c4,c5,73,7e,45,c6,9f,9e,10,

63,a0,2f,06,c2,a3,e9,62,70,90,4c,ec,d6,92,e1,28,ba,e5,5d,0d,25,ef,fb,b7,21,\

"9"=hex:81,20,8f,ab,28,6a,52,9c

"18"=hex:70,56,26,33,e3,20,f8,ab

"10"=hex:07,96,b3,35,9e,5a,1a,0b

"11"=hex:cf,4c,c7,26,f1,27,01,be

"12"=hex:81,20,8f,ab,28,6a,52,9c

"13"=hex:81,20,8f,ab,28,6a,52,9c

"14"=hex:81,20,8f,ab,28,6a,52,9c

"24"=hex:81,20,8f,ab,28,6a,52,9c

"26"=hex:81,20,8f,ab,28,6a,52,9c

"27"=hex:81,20,8f,ab,28,6a,52,9c

"19"=hex:81,20,8f,ab,28,6a,52,9c

"22"=hex:81,20,8f,ab,28,6a,52,9c

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&y@^t! #^$ g9^$&pgb SDB36o \F3F0046F119EFA4F]

"1"=hex:97,5e,49,d3,7c,a0,18,18,10,c9,e3,e3,c1,ae,57,ed,c2,97,86,6a,a5,82,f8,

d5,42,54,3b,7e,24,3e,19,f8

"2"=hex:f1,df,16,de,80,08,0e,2a,d1,38,b5,6f,94,ca,dc,d2,b3,e8,d2,40,6c,6f,61,

5e,d2,5e,7f,21,14,b5,b2,29

"3"=hex:97,5e,49,d3,7c,a0,18,18,10,c9,e3,e3,c1,ae,57,ed,c2,97,86,6a,a5,82,f8,

d5,f2,55,76,c8,bc,53,92,25,3f,d1,b6,bc,00,35,73,43,96,90,79,f6,5b,97,35,47,\

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&y@^t! #^$ g9^$&pgb SDB36o \F3F0046F119EFA4F\BB6E5071F4E6B2769BD4E4FACC553A99]

"1"=hex:09,d8,ec,22,15,54,e7,37,3d,5b,59,2d,b7,79,05,2e,dc,0a,71,44,dc,37,80,

ce,24,ad,19,19,d6,bf,9e,2f

"2"=hex:69,46,da,08,bb,5c,f4,0f

"3"=hex:9b,d3,62,7f,98,29,5b,a8,a3,6c,2d,ed,ba,59,f9,15,ac,2e,45,24,46,4d,d1,

30,c4,4c,de,d7,5b,1f,40,d5,4d,ce,f1,e7,44,ba,09,d9,55,3b,91,53,28,0d,7d,fa,\

"4"=hex:2f,ad,a2,e7,8a,bf,05,5e

"5"=hex:bf,e5,23,7b,b0,66,d6,fc,b8,e8,6b,a0,96,52,f7,32,80,09,8f,24,b7,b3,55,

1a,98,d1,47,16,02,43,61,1c,b9,d5,8f,2a,7b,81,b1,fb,95,22,f8,b3,2c,53,9d,ae,\

"6"=hex:bf,e5,23,7b,b0,66,d6,fc,bc,64,22,fb,7e,d3,39,3e,a3,00,33,13,c0,21,f4,

51,6c,4e,0c,96,e2,dd,ad,8a,b6,c4,05,e8,5a,bd,9a,e9,d4,1a,3d,68,9d,00,32,20

"7"=hex:85,bb,69,ad,52,49,47,61,50,80,55,ef,fa,b4,14,9a,04,b7,d6,59,f0,23,46,

cc,d3,ec,dd,49,40,98,41,b7,16,93,15,99,41,9a,8d,78,4a,2e,fb,89,b2,3d,70,79,\

"8"=hex:63,5a,d7,1b,b1,d4,18,46,f1,a8,be,52,77,05,97,0b,34,a0,71,a8,88,47,3c,

8d,75,16,d6,0c,2b,a7,16,a7,8a,ab,2c,39,23,dd,28,0f

"9"=hex:81,20,8f,ab,28,6a,52,9c

"18"=hex:70,56,26,33,e3,20,f8,ab

"10"=hex:ef,01,3f,48,b8,d3,ab,86

"11"=hex:7d,ba,74,77,fe,09,92,36

"12"=hex:81,20,8f,ab,28,6a,52,9c

"13"=hex:81,20,8f,ab,28,6a,52,9c

"14"=hex:81,20,8f,ab,28,6a,52,9c

"24"=hex:81,20,8f,ab,28,6a,52,9c

"26"=hex:81,20,8f,ab,28,6a,52,9c

"27"=hex:81,20,8f,ab,28,6a,52,9c

"19"=hex:81,20,8f,ab,28,6a,52,9c

"22"=hex:81,20,8f,ab,28,6a,52,9c

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2164)

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Kontiki\KService.exe

c:\windows\system32\PnkBstrA.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2009-05-26 12:34 - machine was rebooted

ComboFix-quarantined-files.txt 2009-05-26 11:34

ComboFix2.txt 2009-05-23 08:43

ComboFix3.txt 2009-05-22 08:09

Pre-Run: 118,700,093,440 bytes free

Post-Run: 118,687,502,336 bytes free

327 --- E O F --- 2009-05-20 23:19

Rootrepeal log, klidge_rootrepeal.txt

ROOTREPEAL © AD, 2007-2008

==================================================

Scan Time: 2009/05/26 12:42

Program Version: Version 1.2.3.0

Windows Version: Windows XP SP2

==================================================

Drivers

-------------------

Name: catchme.sys

Image Path: C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\catchme.sys

Address: 0xF7900000 Size: 31744 File Visible: No

Status: -

Name: Combo-Fix.sys

Image Path: Combo-Fix.sys

Address: 0xF7588000 Size: 60416 File Visible: No

Status: -

Name: dump_atapi.sys

Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys

Address: 0xAA231000 Size: 98304 File Visible: No

Status: -

Name: dump_WMILIB.SYS

Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS

Address: 0xF7A40000 Size: 8192 File Visible: No

Status: -

Name: PROCEXP90.SYS

Image Path: C:\WINDOWS\system32\Drivers\PROCEXP90.SYS

Address: 0xF7AC8000 Size: 6464 File Visible: No

Status: -

Name: rootrepeal.sys

Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys

Address: 0xA9A20000 Size: 45056 File Visible: No

Status: -

Hidden/Locked Files

-------------------

Path: C:\hiberfil.sys

Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\drivers\klif.sys

Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\59fc8f12b80caa991163249076d0bcca\avc.sys

Status: Locked to the Windows API!

Path: C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\KLIFX86\klif.sys

Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Messenger\imgonnagoaheadanddoakermitthefrog@hotmail.co.uk\SharingMetadata\a_aitchie@hotmail.com\DFSR\ConflictDelete\whitey - 03 - y.u.h.2.b.m.2-{F748E14E-3A91-48F6-A641-2F39903D9A80}-v24.mp3

Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Messenger\imgonnagoaheadanddoakermitthefrog@hotmail.co.uk\SharingMetadata\a_aitchie@hotmail.com\DFSR\ConflictDelete\whitey - 07 - ha ha ha-{F748E14E-3A91-48F6-A641-2F39903D9A80}-v26.mp3

Status: Locked to the Windows API!

Path: C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP8\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav8exec\8.0.0.506\XP\klif.sys

Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Messenger\imgonnagoaheadanddoakermitthefrog@hotmail.co.uk\SharingMetadata\a_aitchie@hotmail.com\DFSR\Staging\CS{9BC68BFA-D241-03D8-F600-9870A6224E10}\00\1385-{~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1

Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Messenger\imgonnagoaheadanddoakermitthefrog@hotmail.co.uk\SharingMetadata\a_aitchie@hotmail.com\DFSR\Staging\CS{9BC68BFA-D241-03D8-F600-9870A6224E10}\00\1385-{~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.2

Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Messenger\imgonnagoaheadanddoakermitthefrog@hotmail.co.uk\SharingMetadata\a_aitchie@hotmail.com\DFSR\Staging\CS{9BC68BFA-D241-03D8-F600-9870A6224E10}\00\1385-{~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS

Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Messenger\imgonnagoaheadanddoakermitthefrog@hotmail.co.uk\SharingMetadata\a_aitchie@hotmail.com\DFSR\Staging\CS{9BC68BFA-D241-03D8-F600-9870A6224E10}\01\12-{9BC68BFA-D241-03D8-F600-9870A6224E10}-v1-{F748E14E-3A91-48F6-A641-2F39903D9A80}-v12-Downloaded.frx

Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Messenger\imgonnagoaheadanddoakermitthefrog@hotmail.co.uk\SharingMetadata\a_aitchie@hotmail.com\DFSR\Staging\CS{9BC68BFA-D241-03D8-F600-9870A6224E10}\01\1384-{~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS

Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Messenger\imgonnagoaheadanddoakermitthefrog@hotmail.co.uk\SharingMetadata\a_aitchie@hotmail.com\DFSR\Staging\CS{9BC68BFA-D241-03D8-F600-9870A6224E10}\01\1384-{~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1

Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Messenger\imgonnagoaheadanddoakermitthefrog@hotmail.co.uk\SharingMetadata\a_aitchie@hotmail.com\DFSR\Staging\CS{9BC68BFA-D241-03D8-F600-9870A6224E10}\01\1384-{~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.2

Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Messenger\imgonnagoaheadanddoakermitthefrog@hotmail.co.uk\SharingMetadata\a_aitchie@hotmail.com\DFSR\Staging\CS{9BC68BFA-D241-03D8-F600-9870A6224E10}\02\1391-{~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1

Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Messenger\imgonnagoaheadanddoakermitthefrog@hotmail.co.uk\SharingMetadata\a_aitchie@hotmail.com\DFSR\Staging\CS{9BC68BFA-D241-03D8-F600-9870A6224E10}\02\1391-{~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.2

Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Messenger\imgonnagoaheadanddoakermitthefrog@hotmail.co.uk\SharingMetadata\a_aitchie@hotmail.com\DFSR\Staging\CS{9BC68BFA-D241-03D8-F600-9870A6224E10}\02\1391-{~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS

Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Messenger\imgonnagoaheadanddoakermitthefrog@hotmail.co.uk\SharingMetadata\a_aitchie@hotmail.com\DFSR\Staging\CS{9BC68BFA-D241-03D8-F600-9870A6224E10}\03\1386-{~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1

Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Messenger\imgonnagoaheadanddoakermitthefrog@hotmail.co.uk\SharingMetadata\a_aitchie@hotmail.com\DFSR\Staging\CS{9BC68BFA-D241-03D8-F600-9870A6224E10}\03\1386-{~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.2

Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Messenger\imgonnagoaheadanddoakermitthefrog@hotmail.co.uk\SharingMetadata\a_aitchie@hotmail.com\DFSR\Staging\CS{9BC68BFA-D241-03D8-F600-9870A6224E10}\03\1386-{~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS

Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Messenger\imgonnagoaheadanddoakermitthefrog@hotmail.co.uk\SharingMetadata\a_aitchie@hotmail.com\DFSR\Staging\CS{9BC68BFA-D241-03D8-F600-9870A6224E10}\04\1387-{~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1

Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Messenger\imgonnagoaheadanddoakermitthefrog@hotmail.co.uk\SharingMetadata\a_aitchie@hotmail.com\DFSR\Staging\CS{9BC68BFA-D241-03D8-F600-9870A6224E10}\04\1387-{~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.2

Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Messenger\imgonnagoaheadanddoakermitthefrog@hotmail.co.uk\SharingMetadata\a_aitchie@hotmail.com\DFSR\Staging\CS{9BC68BFA-D241-03D8-F600-9870A6224E10}\04\1387-{~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS

Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Messenger\imgonnagoaheadanddoakermitthefrog@hotmail.co.uk\SharingMetadata\a_aitchie@hotmail.com\DFSR\Staging\CS{9BC68BFA-D241-03D8-F600-9870A6224E10}\05\1388-{~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1

Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Messenger\imgonnagoaheadanddoakermitthefrog@hotmail.co.uk\SharingMetadata\a_aitchie@hotmail.com\DFSR\Staging\CS{9BC68BFA-D241-03D8-F600-9870A6224E10}\05\1388-{~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.2

Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Messenger\imgonnagoaheadanddoakermitthefrog@hotmail.co.uk\SharingMetadata\a_aitchie@hotmail.com\DFSR\Staging\CS{9BC68BFA-D241-03D8-F600-9870A6224E10}\05\1388-{~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS

Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Messenger\imgonnagoaheadanddoakermitthefrog@hotmail.co.uk\SharingMetadata\a_aitchie@hotmail.com\DFSR\Staging\CS{9BC68BFA-D241-03D8-F600-9870A6224E10}\06\1389-{~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1

Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Messenger\imgonnagoaheadanddoakermitthefrog@hotmail.co.uk\SharingMetadata\a_aitchie@hotmail.com\DFSR\Staging\CS{9BC68BFA-D241-03D8-F600-9870A6224E10}\06\1389-{~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.2

Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Messenger\imgonnagoaheadanddoakermitthefrog@hotmail.co.uk\SharingMetadata\a_aitchie@hotmail.com\DFSR\Staging\CS{9BC68BFA-D241-03D8-F600-9870A6224E10}\06\1389-{~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS

Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Messenger\imgonnagoaheadanddoakermitthefrog@hotmail.co.uk\SharingMetadata\a_aitchie@hotmail.com\DFSR\Staging\CS{9BC68BFA-D241-03D8-F600-9870A6224E10}\07\1383-{~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1

Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Messenger\imgonnagoaheadanddoakermitthefrog@hotmail.co.uk\SharingMetadata\a_aitchie@hotmail.com\DFSR\Staging\CS{9BC68BFA-D241-03D8-F600-9870A6224E10}\07\1383-{~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.2

Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Messenger\imgonnagoaheadanddoakermitthefrog@hotmail.co.uk\SharingMetadata\a_aitchie@hotmail.com\DFSR\Staging\CS{9BC68BFA-D241-03D8-F600-9870A6224E10}\07\1383-{~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS

Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Messenger\imgonnagoaheadanddoakermitthefrog@hotmail.co.uk\SharingMetadata\a_aitchie@hotmail.com\DFSR\Staging\CS{9BC68BFA-D241-03D8-F600-9870A6224E10}\33\2094-{BC85FFE9-D716-4CA5-A482-B5060458EC0A}-v1833-{BC85FFE9-D716-4CA5-A482-B5060458EC0A}-v2094-Downloaded.frx

Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Messenger\imgonnagoaheadanddoakermitthefrog@hotmail.co.uk\SharingMetadata\a_aitchie@hotmail.com\DFSR\Staging\CS{9BC68BFA-D241-03D8-F600-9870A6224E10}\34\34-{BC85FFE9-D716-4CA5-A482-B5060458EC0A}-v34-{BC85FFE9-D716-4CA5-A482-B5060458EC0A}-v34-Downloaded.frx

Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Messenger\imgonnagoaheadanddoakermitthefrog@hotmail.co.uk\SharingMetadata\a_aitchie@hotmail.com\DFSR\Staging\CS{9BC68BFA-D241-03D8-F600-9870A6224E10}\36\36-{BC85FFE9-D716-4CA5-A482-B5060458EC0A}-v36-{BC85FFE9-D716-4CA5-A482-B5060458EC0A}-v36-Downloaded.frx

Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Messenger\imgonnagoaheadanddoakermitthefrog@hotmail.co.uk\SharingMetadata\a_aitchie@hotmail.com\DFSR\Staging\CS{9BC68BFA-D241-03D8-F600-9870A6224E10}\62\1360-{~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1

Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Messenger\imgonnagoaheadanddoakermitthefrog@hotmail.co.uk\SharingMetadata\a_aitchie@hotmail.com\DFSR\Staging\CS{9BC68BFA-D241-03D8-F600-9870A6224E10}\62\1360-{~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.2

Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Messenger\imgonnagoaheadanddoakermitthefrog@hotmail.co.uk\SharingMetadata\a_aitchie@hotmail.com\DFSR\Staging\CS{9BC68BFA-D241-03D8-F600-9870A6224E10}\62\1360-{~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS

Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Messenger\imgonnagoaheadanddoakermitthefrog@hotmail.co.uk\SharingMetadata\a_aitchie@hotmail.com\DFSR\Staging\CS{9BC68BFA-D241-03D8-F600-9870A6224E10}\62\1360-{~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1

Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Messenger\imgonnagoaheadanddoakermitthefrog@hotmail.co.uk\SharingMetadata\a_aitchie@hotmail.com\DFSR\Staging\CS{9BC68BFA-D241-03D8-F600-9870A6224E10}\62\1360-{~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS

Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Messenger\imgonnagoaheadanddoakermitthefrog@hotmail.co.uk\SharingMetadata\a_aitchie@hotmail.com\DFSR\Staging\CS{9BC68BFA-D241-03D8-F600-9870A6224E10}\62\1360-{~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1

Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Messenger\imgonnagoaheadanddoakermitthefrog@hotmail.co.uk\SharingMetadata\a_aitchie@hotmail.com\DFSR\Staging\CS{9BC68BFA-D241-03D8-F600-9870A6224E10}\62\1360-{~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.2

Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Messenger\imgonnagoaheadanddoakermitthefrog@hotmail.co.uk\SharingMetadata\a_aitchie@hotmail.com\DFSR\Staging\CS{9BC68BFA-D241-03D8-F600-9870A6224E10}\65\965-{BC85FFE9-D716-4CA5-A482-B5060458EC0A}-v965-{BC85FFE9-D716-4CA5-A482-B5060458EC0A}-v965-Partial.frx

Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Messenger\imgonnagoaheadanddoakermitthefrog@hotmail.co.uk\SharingMetadata\a_aitchie@hotmail.com\DFSR\Staging\CS{9BC68BFA-D241-03D8-F600-9870A6224E10}\69\1364-{~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS

Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Messenger\imgonnagoaheadanddoakermitthefrog@hotmail.co.uk\SharingMetadata\a_aitchie@hotmail.com\DFSR\Staging\CS{9BC68BFA-D241-03D8-F600-9870A6224E10}\69\1364-{~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1

Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Messenger\imgonnagoaheadanddoakermitthefrog@hotmail.co.uk\SharingMetadata\a_aitchie@hotmail.com\DFSR\Staging\CS{9BC68BFA-D241-03D8-F600-9870A6224E10}\69\1364-{~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.2

Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Messenger\imgonnagoaheadanddoakermitthefrog@hotmail.co.uk\SharingMetadata\a_aitchie@hotmail.com\DFSR\Staging\CS{9BC68BFA-D241-03D8-F600-9870A6224E10}\76\41-{F748E14E-3A91-48F6-A641-2F39903D9A80}-v76-{D9E4BA94-EB3F-456C-BB74-0FF6156E9C7E}-v41-Downloaded.frx

Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Messenger\imgonnagoaheadanddoakermitthefrog@hotmail.co.uk\SharingMetadata\a_aitchie@hotmail.com\DFSR\Staging\CS{9BC68BFA-D241-03D8-F600-9870A6224E10}\77\1348-{~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1

Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Messenger\imgonnagoaheadanddoakermitthefrog@hotmail.co.uk\SharingMetadata\a_aitchie@hotmail.com\DFSR\Staging\CS{9BC68BFA-D241-03D8-F600-9870A6224E10}\77\1348-{~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.2

Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Messenger\imgonnagoaheadanddoakermitthefrog@hotmail.co.uk\SharingMetadata\a_aitchie@hotmail.com\DFSR\Staging\CS{9BC68BFA-D241-03D8-F600-9870A6224E10}\77\1348-{~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1

Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Messenger\imgonnagoaheadanddoakermitthefrog@hotmail.co.uk\SharingMetadata\a_aitchie@hotmail.com\DFSR\Staging\CS{9BC68BFA-D241-03D8-F600-9870A6224E10}\77\1348-{~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.2

Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Messenger\imgonnagoaheadanddoakermitthefrog@hotmail.co.uk\SharingMetadata\a_aitchie@hotmail.com\DFSR\Staging\CS{9BC68BFA-D241-03D8-F600-9870A6224E10}\77\1348-{~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS

Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Messenger\imgonnagoaheadanddoakermitthefrog@hotmail.co.uk\SharingMetadata\a_aitchie@hotmail.com\DFSR\Staging\CS{9BC68BFA-D241-03D8-F600-9870A6224E10}\77\37-{F748E14E-3A91-48F6-A641-2F39903D9A80}-v77-{D9E4BA94-EB3F-456C-BB74-0FF6156E9C7E}-v37-Downloaded.frx

Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Messenger\imgonnagoaheadanddoakermitthefrog@hotmail.co.uk\SharingMetadata\a_aitchie@hotmail.com\DFSR\Staging\CS{9BC68BFA-D241-03D8-F600-9870A6224E10}\78\1362-{~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1

Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Messenger\imgonnagoaheadanddoakermitthefrog@hotmail.co.uk\SharingMetadata\a_aitchie@hotmail.com\DFSR\Staging\CS{9BC68BFA-D241-03D8-F600-9870A6224E10}\78\1362-{~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.2

Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Messenger\imgonnagoaheadanddoakermitthefrog@hotmail.co.uk\SharingMetadata\a_aitchie@hotmail.com\DFSR\Staging\CS{9BC68BFA-D241-03D8-F600-9870A6224E10}\78\1362-{~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1

Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Messenger\imgonnagoaheadanddoakermitthefrog@hotmail.co.uk\SharingMetadata\a_aitchie@hotmail.com\DFSR\Staging\CS{9BC68BFA-D241-03D8-F600-9870A6224E10}\78\1362-{~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.2

Status: Invisible to the Windows API!


  • Root Admin

STEP 01

Download but do not yet run ComboFix

If you have a previous version of Combofix.exe, delete it and download a fresh copy.

Download it to your DESKTOP - it MUST run from the Desktop

download.bleepingcomputer.com/sUBs/ComboFix.exe

subs.geekstogo.com/ComboFix.exe

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines

KILLALL::

Driver::
exodpt.sys
exodpt
sptd.sys
sptd

File::
c:\windows\system32\exodpt.sys
c:\windows\system32\pllk.bin
c:\windows\system32\drivers\sptd.sys
C:\WINDOWS\SYSTEM32\exodpt.dll

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

Using your mouse, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown:

CFScript.gif

  • Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • Disconnect from the Internet.
  • Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
  • A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
  • It may identify that Recovery Console is not installed. Please accept when asked if you wish it to be installed.
  • When the scan completes Notepad will open with your results log open. Do a File, Exit.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post back the Combofix log on your next reply.

STEP 02

Update and Scan with Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
  • Update Malwarebytes' Anti-Malware:
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then post back the MBAM log and a new Hijackthis log.


Here are the latest logs.

ComboFix:

ComboFix 09-05-26.02 - HP_Owner 26/05/2009 23:29.4 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.759.456 [GMT 1:00]

Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\HP_Owner\Desktop\CFscript.txt

FILE ::

"c:\windows\system32\drivers\sptd.sys"

"c:\windows\SYSTEM32\exodpt.dll"

"c:\windows\system32\exodpt.sys"

"c:\windows\system32\pllk.bin"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\drivers\mrxdavv.sys

c:\windows\system32\drivers\sptd.sys

c:\windows\system32\exodpt.sys

c:\windows\system32\kwave.sys

c:\windows\system32\pllk.bin

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_SPTD

-------\Service_sptd

((((((((((((((((((((((((( Files Created from 2009-04-26 to 2009-05-26 )))))))))))))))))))))))))))))))

.

2009-05-26 11:40 . 2009-05-26 11:52 -------- d-----w C:\RootRepeal

2009-05-21 20:18 . 2009-05-21 20:18 -------- d-----w c:\program files\Trend Micro

2009-05-21 12:42 . 2009-05-21 12:42 -------- d-----w c:\documents and settings\Administrator\Application Data\AdobeUM

2009-05-21 12:41 . 2009-05-21 12:41 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Adobe

2009-05-21 10:42 . 2009-05-21 10:42 -------- d-----w c:\program files\Sophos

2009-05-21 10:05 . 2009-05-21 10:05 -------- d-----w c:\documents and settings\HP_Owner\Local Settings\Application Data\Opera

2009-05-21 10:04 . 2009-05-21 10:05 -------- d-----w c:\program files\Opera

2009-05-20 21:01 . 2009-05-21 08:15 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP

2009-05-20 20:53 . 2007-06-08 12:53 1753088 ----a-w c:\windows\system32\ExGrid.dll

2009-05-20 20:53 . 2007-06-05 09:20 602112 ----a-w c:\windows\system32\ExMenu.dll

2009-05-20 20:53 . 2007-04-03 15:51 614400 ----a-w c:\windows\system32\ExButton.dll

2009-05-20 20:53 . 2007-04-03 15:51 307200 ----a-w c:\windows\system32\ExPMenu.dll

2009-05-20 20:53 . 2009-05-20 20:53 -------- d-----w c:\program files\Common Files\eSellerate

2009-05-20 20:53 . 2007-06-05 09:19 516096 ----a-w c:\windows\system32\ExTab.dll

2009-05-20 20:53 . 2005-10-11 13:40 356352 ----a-w c:\windows\system32\eSellerateEngine.dll

2009-05-20 20:53 . 2005-10-04 07:11 118784 ----a-w c:\windows\system32\eWebControl.dll

2009-05-20 20:53 . 1998-04-24 00:00 368912 ----a-w c:\windows\system32\vbar332.dll

2009-05-20 20:53 . 2009-05-20 20:53 -------- d-----w c:\program files\AnswersThatWork

2009-05-20 17:39 . 2009-05-20 17:39 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-05-14 18:28 . 2009-05-14 18:28 15939 ----a-w c:\windows\system32\drivers\AegisP.sys

2009-05-14 18:28 . 2009-05-14 18:28 -------- d-----w c:\windows\options

2009-05-14 18:28 . 2004-04-30 14:12 40960 ----a-w c:\windows\system32\B11gUSB.dll

2009-05-14 18:28 . 2004-03-30 11:51 1085440 ----a-w c:\windows\system32\AegisE5.dll

2009-05-14 18:28 . 2003-10-13 14:30 94208 ----a-w c:\windows\system32\GTW32N50.dll

2009-05-14 18:28 . 2003-09-25 21:15 15872 ----a-w c:\windows\system32\GTNDIS5.sys

2009-05-03 05:09 . 2009-05-03 05:09 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-04-30 22:29 . 2009-04-30 22:29 -------- d-----w c:\program files\Kontiki

2009-04-30 22:29 . 2009-04-30 22:29 -------- d-----w c:\program files\Channel4

2009-04-30 20:29 . 2009-04-30 20:29 31948 ---ha-w c:\windows\system32\mlfcache.dat

2009-04-30 20:28 . 2009-04-30 20:28 -------- d-----w c:\program files\Safari

2009-04-30 20:27 . 2009-04-30 20:27 -------- d-----w c:\program files\Bonjour

2009-04-30 20:27 . 2009-04-30 20:27 -------- d-----w c:\program files\Apple Software Update

2009-04-30 20:15 . 2009-04-30 20:15 -------- d-----w c:\program files\Unlocker

2009-04-30 20:15 . 2009-04-30 20:15 -------- d-----w c:\documents and settings\HP_Owner\Application Data\Desktopicon

2009-04-30 18:42 . 2009-05-03 05:08 -------- d-----w c:\program files\Spybot - Search & Destroy

2009-04-28 21:00 . 2009-04-28 21:00 -------- d-----w c:\documents and settings\HP_Owner\Application Data\Malwarebytes

2009-04-28 21:00 . 2009-04-06 14:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-04-28 21:00 . 2009-04-06 14:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-04-28 21:00 . 2009-04-28 21:00 -------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-04-28 21:00 . 2009-04-28 21:00 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes

2009-04-27 20:28 . 2009-04-27 20:28 226832 ----a-w c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP8\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav8exec\8.0.0.506\XP\klif.sys

2009-04-27 20:13 . 2009-05-20 20:57 -------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab

2009-04-27 20:13 . 2009-04-27 20:13 -------- d-----w c:\program files\Kaspersky Lab

2009-04-27 20:09 . 2009-04-27 20:09 -------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files

2009-04-27 20:03 . 2009-04-27 20:03 -------- d-----w c:\documents and settings\All Users\Application Data\Avg7

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-05-26 22:33 . 2008-03-04 15:48 -------- d-----w c:\documents and settings\All Users\Application Data\Kontiki

2009-05-26 22:32 . 2006-12-06 20:35 2241 --sha-w c:\windows\system32\mmf.sys

2009-04-30 20:28 . 2006-11-01 20:11 -------- d-----w c:\documents and settings\HP_Owner\Application Data\Apple Computer

2009-04-28 05:32 . 2007-10-10 22:20 -------- d-----w c:\program files\CCleaner

2009-04-27 23:12 . 2007-04-17 15:57 -------- d-----w c:\program files\VideoEgg

2009-04-27 20:02 . 2007-05-07 17:20 -------- d-----w c:\documents and settings\All Users\Application Data\Grisoft

2009-04-27 16:37 . 2007-07-28 06:24 -------- d-----w c:\program files\iWin

2009-04-22 23:59 . 2009-01-09 07:20 -------- d-----w c:\documents and settings\HP_Owner\Application Data\Spotify

2009-03-16 06:54 . 2009-03-06 21:37 138944 ----a-w c:\windows\system32\drivers\PnkBstrK.sys

2009-03-16 06:54 . 2009-03-06 21:37 75064 ----a-w c:\windows\system32\PnkBstrA.exe

2009-03-16 06:53 . 2009-03-06 21:41 334912 ----a-w c:\documents and settings\HP_Owner\Application Data\id Software\quakelive\home\baseq3\cgamex86.dll

2009-03-16 06:53 . 2009-03-06 21:41 171072 ----a-w c:\documents and settings\HP_Owner\Application Data\id Software\quakelive\home\baseq3\uix86.dll

2009-03-16 06:53 . 2009-03-06 21:37 189784 ----a-w c:\windows\system32\PnkBstrB.exe

2009-03-16 06:53 . 2009-03-06 21:41 874660 ----a-w c:\documents and settings\HP_Owner\Application Data\id Software\quakelive\home\pb\pbcl.dll

2009-03-16 06:53 . 2009-03-06 21:41 57344 ----a-w c:\documents and settings\HP_Owner\Application Data\id Software\quakelive\home\pb\pbag.dll

2009-03-16 06:53 . 2009-03-06 21:41 479232 ----a-w c:\documents and settings\HP_Owner\Application Data\id Software\quakelive\home\pb\pbsv.dll

2009-03-16 06:53 . 2009-03-06 21:41 2669632 ----a-w c:\documents and settings\HP_Owner\Application Data\id Software\quakelive\home\baseq3\quakelive.dll

2009-03-12 22:33 . 2009-03-06 21:41 441408 ----a-w c:\documents and settings\HP_Owner\Application Data\id Software\quakelive\home\baseq3\qagamex86.dll

2009-03-12 22:23 . 2009-03-06 21:37 22328 ----a-w c:\documents and settings\HP_Owner\Application Data\PnkBstrK.sys

2009-03-12 22:23 . 2009-03-06 21:37 22328 ----a-w c:\documents and settings\HP_Owner\Application Data\PnkBstrK.sys

2009-03-12 22:22 . 2009-03-06 21:37 2246144 ----a-w c:\windows\system32\pbsvc.exe

2009-03-11 12:40 . 2009-03-11 12:40 625728 ----a-w c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll

2009-03-06 21:41 . 2009-03-06 21:41 57344 ----a-w c:\documents and settings\HP_Owner\Application Data\id Software\quakelive\home\pb\pbags.dll

2009-03-06 21:41 . 2009-03-06 21:41 866235 ----a-w c:\documents and settings\HP_Owner\Application Data\id Software\quakelive\home\pb\pbcls.dll

2009-03-06 14:44 . 2006-11-02 00:08 283648 ----a-w c:\windows\system32\pdh.dll

.

((((((((((((((((((((((((((((( SnapShot@2009-05-22_07.46.43 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-05-26 22:32 . 2009-05-26 22:32 16384 c:\windows\temp\Perflib_Perfdata_3a0.dat

+ 2009-05-26 22:32 . 2009-05-26 22:32 16384 c:\windows\temp\Perflib_Perfdata_2dc.dat

.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2006-11-01 18:46 . 2004-10-15 04:54 253952 c:\hp\drivers\hplsbwatcher\bak\lsburnwatcher.exe

2006-11-01 18:42 . 2003-02-12 02:02 61440 c:\hp\KBD\bak\KBD.EXE

2006-11-01 18:47 . 2004-06-16 06:03 81920 c:\program files\Common Files\InstallShield\UpdateService\bak\issch.exe

2006-11-01 18:47 . 2004-06-16 06:03 221184 c:\program files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe

2006-11-01 18:47 . 2004-11-05 00:26 106496 c:\program files\Common Files\InterVideo\SchSvr\bak\SchSvr.exe

2004-08-28 06:22 . 2004-08-28 06:22 58488 c:\program files\Common Files\Symantec Shared\bak\ccApp.exe

2006-09-14 20:09 . 2006-09-14 20:09 157592 c:\program files\DAEMON Tools\bak\daemon.exe

2007-09-18 14:16 . 2007-09-18 14:16 171464 c:\program files\DAEMON Tools\daemon.exe

2006-11-01 18:47 . 2004-11-05 01:44 192512 c:\program files\InterVideo\Common\Bin\bak\WinRemote.exe

2004-10-13 16:04 . 2004-10-13 16:04 278528 c:\program files\iTunes\bak\iTunesHelper.exe

2007-09-26 13:42 . 2007-09-26 13:42 267064 c:\program files\iTunes\iTunesHelper.exe

2006-11-01 18:24 . 2006-11-01 18:24 32881 c:\program files\Java\j2re1.4.2_03\bin\bak\jusched.exe

2004-08-04 14:06 . 2004-08-04 14:06 1667584 c:\program files\Messenger\bak\msmsgs.exe

2007-04-12 01:43 . 2007-04-12 01:43 1661304 c:\program files\Messenger\Msmsgs.exe

2006-12-06 09:31 . 2006-12-06 09:31 282624 c:\program files\QuickTime\bak\qttask.exe

2007-06-29 05:24 . 2007-06-29 05:24 286720 c:\program files\QuickTime\QTTask.exe

2004-04-15 03:43 . 2004-04-15 03:43 233472 c:\windows\SMINST\bak\RECGUARD.EXE

2006-11-01 18:27 . 1998-05-07 23:04 52736 c:\windows\system\bak\hpsysdrv.exe

2006-11-01 18:29 . 2004-11-02 22:59 126976 c:\windows\system32\bak\hkcmd.exe

2004-06-08 01:42 . 2004-06-08 01:42 659456 c:\windows\system32\bak\hphmon06.exe

2006-11-01 18:42 . 2004-10-26 04:17 90112 c:\windows\system32\bak\ps2.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\Msmsgs.exe" [2007-04-12 1661304]

"Google Update"="c:\documents and settings\HP_Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-05-20 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-02 136600]

"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2004-08-04 158208]

"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" - c:\windows\system32\Hdaudpropshortcut.exe [2004-03-17 61952]

"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-06-30 88363]

"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2005-02-22 90112]

"AlcWzrd"="ALCWZRD.EXE" - c:\windows\ALCWZRD.EXE [2005-02-19 2754560]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PalTalk.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PalTalk.lnk

backup=c:\windows\pss\PalTalk.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^ChkDisk.lnk]

path=c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\ChkDisk.lnk

backup=c:\windows\pss\ChkDisk.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"usnjsvc"=3 (0x3)

"iPod Service"=3 (0x3)

"Apple Mobile Device"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Azureus\\Azureus.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\Program Files\\Paltalk Messenger\\paltalk.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Messenger\\Msmsgs.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"c:\\Program Files\\Kontiki\\KService.exe"=

"c:\\Program Files\\Kontiki\\KHost.exe"=

"c:\\Documents and Settings\\HP_Owner\\Application Data\\PowerChallenge\\PowerSoccer\\PowerSoccer.exe"=

"c:\\Program Files\\Spotify\\spotify.exe"=

"c:\\WINDOWS\\system32\\PnkBstrA.exe"=

"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

"c:\\Program Files\\Emote\\Launcher\\launcher.exe"=

"c:\\Program Files\\Zattoo\\zattood.exe"=

"c:\\Program Files\\Zattoo\\Zattoo2.exe"=

"c:\\Program Files\\Belkin\\Belkin Wireless Network Utility\\WLanCfgG.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"10093:TCP"= 10093:TCP:Football Manager 2008

"10093:UDP"= 10093:UDP:Football Manager 2008

"10094:TCP"= 10094:TCP:Football Manager

R2 Belkin 54g Wireless USB Network Adapter Service;Belkin 54g Wireless USB Network Adapter;c:\program files\Belkin\Belkin Wireless Network Utility\WLService.exe [14/05/2009 19:28 49152]

R2 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [06/12/2006 21:35 2560]

R3 PhTVTune;ASUS WDM TV Tuner;c:\windows\system32\drivers\PhTVTune.sys [01/11/2006 19:30 24544]

S3 bkn50USB;Belkin 54Mbps Wireless USB Network Adapter;c:\windows\system32\drivers\rt2500usb.sys [01/11/2006 21:32 140416]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - GTNDIS5

.

Contents of the 'Scheduled Tasks' folder

2009-05-09 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-05-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2550148391-1751980287-1883927685-1007.job

- c:\documents and settings\HP_Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-20 17:13]

2009-05-26 c:\windows\Tasks\RegCure Program Check.job

- c:\program files\RegCure\RegCure.exe [2007-03-09 21:15]

2009-04-30 c:\windows\Tasks\RegCure.job

- c:\program files\RegCure\RegCure.exe [2007-03-09 21:15]

.

.

------- Supplementary Scan -------

.

uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=Q105&bd=pavilion&pf=desktop

mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=Q105&bd=pavilion&pf=desktop

mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=Q105&bd=pavilion&pf=desktop

uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=Q105&bd=pavilion&pf=desktop

uInternet Settings,ProxyOverride = *.local

IE: &Search

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-05-26 23:32

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------


.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3848)

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Kontiki\KService.exe

c:\windows\system32\PnkBstrA.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2009-05-26 23:36 - machine was rebooted

ComboFix-quarantined-files.txt 2009-05-26 22:36

ComboFix2.txt 2009-05-26 11:34

ComboFix3.txt 2009-05-23 08:43

ComboFix4.txt 2009-05-22 08:09

Pre-Run: 118,693,593,088 bytes free

Post-Run: 118,680,408,064 bytes free

338 --- E O F --- 2009-05-20 23:19

Malwarebytes:

Malwarebytes' Anti-Malware 1.37

Database version: 2182

Windows 5.1.2600 Service Pack 2

26/05/2009 23:46:55

mbam-log-2009-05-26 (23-46-55).txt

Scan type: Quick Scan

Objects scanned: 83272

Time elapsed: 2 minute(s), 43 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


Looks like the little devil is still there.

I managed to get Kaspersky loaded, which it wouldn't let me do before, and it let me get to MS, so the computer is now up to date with XP SP3 and IE8.

On reboot several popups appeared; they were (from 1st to last):

RUNDLL - - The specified module could not be found.

1) error loading C:\WINDOWS\system32\vojijaje.dll

2) error loading C:\PROGRA~1\MYWEBS~1\bar\1-bin\M3PLUGIN.DLL

3) error loading C:\PROGRA~1\MYWEBS~1\bar\1-bin\MWSBAR.DLL

4) error loading C:\WINDOWS\system32\najihate.dll

5) error loading C:\WINDOWS\system32\autochk.dll

6) error loading C:\WINDOWS\system32\jagepeyu.dll

The last popup was:

DAEMONTOOLS Initialization error 0. The program requires at least Windows 2000 with SPTD 1.43 or higher. Kernel debugger must be deactivated.

Kaspersky showed several trojans etc. deleted from Qoobox, so I'm assuming that was where ComboFix put them, but it's not picking up any current infection.

Malwarebytes showed 4 items infected:

Malwarebytes' Anti-Malware 1.37

Database version: 2185

Windows 5.1.2600 Service Pack 3

27/05/2009 17:11:06

mbam-log-2009-05-27 (17-11-06).txt

Scan type: Quick Scan

Objects scanned: 60366

Time elapsed: 4 minute(s), 16 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 4

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zinamalobu (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm4b8aabb9 (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\48b99825 (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

HJT run straight after:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 17:12:10, on 27/05/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Kontiki\KService.exe

C:\WINDOWS\runservice.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\AGRSMMSG.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\ALCWZRD.EXE

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Messenger\Msmsgs.exe

C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: Yahoo!


  • Root Admin

STEP 01

Disable the Spybot Tea Timer - DO NOT continue until you've disabled the Tea Timer

Disable Teatimer

First step:

  • Right-click the Spybot icon in the System Tray (it looks like a blue/white calendar with a padlock symbol).
  • If you have the new version 1.5, click once on Resident Protection, then right-click the Spybot icon again and make sure Resident Protection is now unchecked. The Spybot icon in the System Tray should now be colorless.
  • If you have version 1.4, click on Exit Spybot S&D Resident.

Second step, for either version:

  • Open Spybot S&D.
  • Click Mode, choose Advanced Mode.
  • Go to the bottom of the vertical panel on the left, click Tools.
  • Then, also in the left panel, click Resident (it shows a red/white shield).
  • If your firewall raises a question, say OK.
  • In the Resident protection status frame, uncheck the box labeled Resident "Tea-Timer" (Protection of over-all system settings) active.
  • OK any prompts.
  • Use File, Exit to terminate Spybot.
  • Reboot your machine for the changes to take effect.

STEP 02

From within IE go to Tools/Internet Options/Advanced and click on the RESET button.

Then restart IE, choose your default settings again and go to your home page.

Then quit IE again.

STEP 03

Go into Control Panel, Add/Remove and see if you can find and uninstall Daemon Tools.

If you do want this program then I suggest you download the latest version when we're done and install that one.

This current version had an infected file from a 3rd party add-on tool they use, and I suggest that we remove it.

STEP 04

Unless you really want them and installed them on purpose, I would uninstall all the Toolbars you don't use.

Yahoo, Live, Ask, Google, etc.

If it were my machine I'd remove ALL of them and then only install the latest version of the one I wanted.

STEP 05

With all other applications closed (Taskbar empty), open HijackThis again and run Do a system scan only, then place a check mark on the following items.

  • R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
  • O2 - BHO: Java
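The RUNDLL "The specified module could not be found" popups reported above are what you get when a cleaner deletes the DLL but leaves the Run value behind; STEP 05 deals with such leftovers by hand in HijackThis. As an added, read-only check (example code written for this thread, not part of the helper's procedure or of any tool named here), this PowerShell script walks the standard Run/RunOnce keys, including the HKEY_USERS\.DEFAULT one that appeared in the first MBAM log, and reports every entry whose target file no longer exists. The function names and the rundll32 parsing are my own; the script reports and does not delete anything.

```powershell
# Added example, not from the thread: report autostart Run entries whose
# target file is gone. These are the entries that produce the
# "RUNDLL - The specified module could not be found" popups, e.g. the
# leftover ...\Run\autochk value after autochk.dll was quarantined.
# Read-only: it lists, it does not remove anything.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'Registry::HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

function Split-CommandTokens {
    # Tokenise a Run value the way the shell does: quoted strings stay whole,
    # %SystemRoot%-style variables are expanded first.
    param([string]$Command)
    $expanded = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    $tokens = [regex]::Matches($expanded, '"([^"]*)"|(\S+)') | ForEach-Object {
        if ($_.Groups[1].Success) { $_.Groups[1].Value } else { $_.Groups[2].Value }
    }
    return @($tokens)
}

function Get-RunTarget {
    # The file a Run value actually loads: for rundll32 entries it is the DLL
    # named after rundll32 (up to the comma before the entry point), otherwise
    # it is the first token (the executable).
    param([string]$Command)
    $tokens = Split-CommandTokens $Command
    if ($tokens.Count -eq 0) { return $null }
    if ($tokens[0] -match '(?i)(^|\\)rundll32(\.exe)?$') {
        if ($tokens.Count -lt 2) { return $null }
        return ($tokens[1] -split ',')[0]
    }
    return $tokens[0]
}

function Resolve-RunTarget {
    # A rooted path is checked as given; a bare file name is searched in
    # system32, the Windows directory and the PATH, as the loader would.
    param([string]$Target)
    if (-not $Target) { return $null }
    if ([IO.Path]::IsPathRooted($Target)) {
        if (Test-Path -LiteralPath $Target) { return $Target } else { return $null }
    }
    $dirs = @("$env:SystemRoot\system32", $env:SystemRoot) + ($env:Path -split ';')
    foreach ($dir in $dirs) {
        if (-not $dir) { continue }
        $candidate = Join-Path $dir $Target
        if (Test-Path -LiteralPath $candidate) { return $candidate }
    }
    return $null
}

function Find-OrphanedRunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $regKey = Get-Item -Path $key
        foreach ($name in $regKey.GetValueNames()) {
            $command  = [string]$regKey.GetValue($name)
            $target   = Get-RunTarget $command
            $resolved = Resolve-RunTarget $target
            New-Object PSObject -Property @{
                Key      = $key
                Name     = $name
                Command  = $command
                Target   = $target
                Resolved = $resolved
                Missing  = ($resolved -eq $null)
            }
        }
    }
}

# Entries whose module is gone are the ones behind the RUNDLL popups; the
# unfiltered list is also worth a look, since random names such as
# "zinamalobu" or "48b99825" stand out among the legitimate autostarts.
$entries = Find-OrphanedRunEntries
$entries | Where-Object { $_.Missing } | Format-Table Key, Name, Target -AutoSize
```

Run it from an elevated PowerShell prompt so the HKLM and HKEY_USERS keys are readable; compare the Name column against the "Registry Values Infected" lines in the MBAM logs above.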

Logs as requested:

Dr.Web:

KillWind.exe;C:\hp\bin;Tool.ProcessKill;Moved.;

A0000140.exe/data002\32788R22FWJFW\FIND3M.bat;C:\System Volume Information\_restore{D8696F73-2D76-412A-A981-4300C43EF86F}\RP1\A0000140.exe/data002;Probably BATCH.Virus;;

data002;C:\System Volume Information\_restore{D8696F73-2D76-412A-A981-4300C43EF86F}\RP1;Archive contains infected objects;;

A0000140.exe;C:\System Volume Information\_restore{D8696F73-2D76-412A-A981-4300C43EF86F}\RP1;Container contains infected objects;Moved.;

A0000186.bat;C:\System Volume Information\_restore{D8696F73-2D76-412A-A981-4300C43EF86F}\RP1;Probably BATCH.Virus;;

A0000240.exe/data002\32788R22FWJFW\FIND3M.bat;C:\System Volume Information\_restore{D8696F73-2D76-412A-A981-4300C43EF86F}\RP1\A0000240.exe/data002;Probably BATCH.Virus;;

data002;C:\System Volume Information\_restore{D8696F73-2D76-412A-A981-4300C43EF86F}\RP1;Archive contains infected objects;;

A0000240.exe;C:\System Volume Information\_restore{D8696F73-2D76-412A-A981-4300C43EF86F}\RP1;Container contains infected objects;Moved.;

A0005142.exe/data002\32788R22FWJFW\FIND3M.bat;C:\System Volume Information\_restore{D8696F73-2D76-412A-A981-4300C43EF86F}\RP12\A0005142.exe/data002;Probably BATCH.Virus;;

data002;C:\System Volume Information\_restore{D8696F73-2D76-412A-A981-4300C43EF86F}\RP12;Archive contains infected objects;;

A0005142.exe;C:\System Volume Information\_restore{D8696F73-2D76-412A-A981-4300C43EF86F}\RP12;Container contains infected objects;Moved.;

A0005182.exe;C:\System Volume Information\_restore{D8696F73-2D76-412A-A981-4300C43EF86F}\RP12;Tool.ProcessKill;Moved.;

A0000272.exe/data002\32788R22FWJFW\FIND3M.bat;C:\System Volume Information\_restore{D8696F73-2D76-412A-A981-4300C43EF86F}\RP2\A0000272.exe/data002;Probably BATCH.Virus;;

data002;C:\System Volume Information\_restore{D8696F73-2D76-412A-A981-4300C43EF86F}\RP2;Archive contains infected objects;;

A0000272.exe;C:\System Volume Information\_restore{D8696F73-2D76-412A-A981-4300C43EF86F}\RP2;Container contains infected objects;Moved.;

A0000329.bat;C:\System Volume Information\_restore{D8696F73-2D76-412A-A981-4300C43EF86F}\RP2;Probably BATCH.Virus;;

A0000370.exe/data002\32788R22FWJFW\FIND3M.bat;C:\System Volume Information\_restore{D8696F73-2D76-412A-A981-4300C43EF86F}\RP2\A0000370.exe/data002;Probably BATCH.Virus;;

data002;C:\System Volume Information\_restore{D8696F73-2D76-412A-A981-4300C43EF86F}\RP2;Archive contains infected objects;;

A0000370.exe;C:\System Volume Information\_restore{D8696F73-2D76-412A-A981-4300C43EF86F}\RP2;Container contains infected objects;Moved.;

A0000430.bat;C:\System Volume Information\_restore{D8696F73-2D76-412A-A981-4300C43EF86F}\RP2;Probably BATCH.Virus;;

HijackThis:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 19:05:52, on 28/05/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe

C:\WINDOWS\runservice.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)

O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll

O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {1B9B97D0-C0F4-4045-9B42-50A4535C9041} (WCLoaderCtl Class) - http://download.paltalk.com/wcloader_prod/wcloader.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~1\adialhk.dll,C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe

O23 - Service: Belkin 54g Wireless USB Network Adapter (Belkin 54g Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--

End of file - 4620 bytes

I haven't got a clue where Spybot is coming from; it's not on the Start menu or in Program Files, and I can't find any toolbars. Am I being dumb or just looking in the wrong places?


  • Root Admin

Okay, disconnect any external USB drives from the system for now.

Make sure that Tea Timer is turned off as best as possible.

Try not to visit many sites if you can while we clean this up.

Run MBAM, UPDATE, Quick Scan and post log.

Then download NEW combofix and run it again and post back the log.


Malwarebytes' Anti-Malware 1.37

Database version: 2191

Windows 5.1.2600 Service Pack 3

29/05/2009 07:17:48

mbam-log-2009-05-29 (07-17-48).txt

Scan type: Quick Scan

Objects scanned: 84021

Time elapsed: 3 minute(s), 19 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

ComboFix log (very long, so I have had to split it over a few posts):

ComboFix 09-05-28.07 - HP_Owner 29/05/2009 7:22.5 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.759.389 [GMT 1:00]

Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe

AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}

FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

.

((((((((((((((((((((((((( Files Created from 2009-04-28 to 2009-05-29 )))))))))))))))))))))))))))))))

.

2009-05-28 07:53 . 2009-05-28 07:53 -------- d-----w c:\documents and settings\HP_Owner\DoctorWeb

2009-05-28 06:53 . 2009-05-28 06:53 -------- d-sh--w c:\documents and settings\HP_Owner\IECompatCache

2009-05-28 06:51 . 2009-05-28 06:51 -------- d-sh--w c:\documents and settings\HP_Owner\PrivacIE

2009-05-28 06:42 . 2009-05-28 06:42 -------- d-sh--w c:\documents and settings\LocalService\IETldCache

2009-05-27 16:04 . 2009-05-27 16:04 -------- d-sh--w c:\documents and settings\NetworkService\IETldCache

2009-05-27 11:25 . 2009-05-27 11:25 -------- d-----w c:\windows\ie8updates

2009-05-27 11:25 . 2009-05-12 05:11 102912 ------w c:\windows\system32\dllcache\iecompat.dll

2009-05-27 11:23 . 2009-05-27 11:24 -------- dc-h--w c:\windows\ie8

2009-05-27 10:09 . 2009-05-27 10:09 -------- d-----w c:\windows\system32\scripting

2009-05-27 10:09 . 2009-05-27 10:09 -------- d-----w c:\windows\l2schemas

2009-05-27 10:09 . 2009-05-27 10:09 -------- d-----w c:\windows\system32\bits

2009-05-27 10:05 . 2009-05-27 10:05 -------- d-----w c:\windows\ServicePackFiles

2009-05-27 09:54 . 2009-05-27 09:54 -------- d-----w c:\windows\EHome

2009-05-27 09:22 . 2004-08-03 22:41 180360 ------w c:\windows\system32\drivers\ntmtlfax.sys

2009-05-27 09:21 . 2008-04-14 00:12 20992 ------w c:\windows\system32\faxpatch.exe

2009-05-27 07:22 . 2009-05-27 07:22 33808 ----a-w c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP8\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav8exec\8.0.0.506\klbg.sys

2009-05-27 07:22 . 2009-05-27 07:22 206088 ----a-w c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP8\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav8exec\8.0.0.506\avp.exe

2009-05-27 07:09 . 2009-05-27 07:22 94643 ----a-w c:\windows\system32\drivers\klick.dat

2009-05-27 07:09 . 2009-05-27 07:22 105395 ----a-w c:\windows\system32\drivers\klin.dat

2009-05-27 07:08 . 2009-05-29 06:27 581664 --sha-w c:\windows\system32\drivers\fidbox2.dat

2009-05-27 07:08 . 2009-05-29 06:25 3408416 --sha-w c:\windows\system32\drivers\fidbox.dat

2009-05-26 22:42 . 2009-05-26 22:42 3371383 ----a-w c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2009-05-26 11:40 . 2009-05-26 11:52 -------- d-----w C:\RootRepeal

2009-05-21 20:18 . 2009-05-21 20:18 -------- d-----w c:\program files\Trend Micro

2009-05-21 12:42 . 2009-05-21 12:42 -------- d-----w c:\documents and settings\Administrator\Application Data\AdobeUM

2009-05-21 12:41 . 2009-05-21 12:41 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Adobe

2009-05-21 10:42 . 2009-05-21 10:42 -------- d-----w c:\program files\Sophos

2009-05-21 10:05 . 2009-05-21 10:05 -------- d-----w c:\documents and settings\HP_Owner\Local Settings\Application Data\Opera

2009-05-21 10:04 . 2009-05-21 10:05 -------- d-----w c:\program files\Opera

2009-05-20 21:01 . 2009-05-28 06:39 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP

2009-05-20 20:53 . 2007-06-08 12:53 1753088 ----a-w c:\windows\system32\ExGrid.dll

2009-05-20 20:53 . 2007-06-05 09:20 602112 ----a-w c:\windows\system32\ExMenu.dll

2009-05-20 20:53 . 2007-04-03 15:51 614400 ----a-w c:\windows\system32\ExButton.dll

2009-05-20 20:53 . 2007-04-03 15:51 307200 ----a-w c:\windows\system32\ExPMenu.dll

2009-05-20 20:53 . 2009-05-20 20:53 -------- d-----w c:\program files\Common Files\eSellerate

2009-05-20 20:53 . 2007-06-05 09:19 516096 ----a-w c:\windows\system32\ExTab.dll

2009-05-20 20:53 . 2005-10-11 13:40 356352 ----a-w c:\windows\system32\eSellerateEngine.dll

2009-05-20 20:53 . 2005-10-04 07:11 118784 ----a-w c:\windows\system32\eWebControl.dll

2009-05-20 20:53 . 1998-04-24 00:00 368912 ----a-w c:\windows\system32\vbar332.dll

2009-05-20 20:53 . 2009-05-20 20:53 -------- d-----w c:\program files\AnswersThatWork

2009-05-20 17:39 . 2009-05-20 17:39 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-05-14 18:28 . 2009-05-14 18:28 15939 ----a-w c:\windows\system32\drivers\AegisP.sys

2009-05-14 18:28 . 2009-05-14 18:28 -------- d-----w c:\windows\options

2009-05-14 18:28 . 2004-04-30 14:12 40960 ----a-w c:\windows\system32\B11gUSB.dll

2009-05-14 18:28 . 2004-03-30 11:51 1085440 ----a-w c:\windows\system32\AegisE5.dll

2009-05-14 18:28 . 2003-10-13 14:30 94208 ----a-w c:\windows\system32\GTW32N50.dll

2009-05-14 18:28 . 2003-09-25 21:15 15872 ----a-w c:\windows\system32\GTNDIS5.sys

2009-04-30 20:29 . 2009-04-30 20:29 31948 ---ha-w c:\windows\system32\mlfcache.dat

2009-04-30 20:28 . 2009-04-30 20:28 -------- d-----w c:\program files\Safari

2009-04-30 20:27 . 2009-04-30 20:27 -------- d-----w c:\program files\Bonjour

2009-04-30 20:27 . 2009-04-30 20:27 -------- d-----w c:\program files\Apple Software Update

2009-04-30 20:15 . 2009-04-30 20:15 -------- d-----w c:\program files\Unlocker

2009-04-30 20:15 . 2009-04-30 20:15 -------- d-----w c:\documents and settings\HP_Owner\Application Data\Desktopicon

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-05-29 06:27 . 2009-05-27 07:08 3068 --sha-w c:\windows\system32\drivers\fidbox2.idx

2009-05-29 06:27 . 2006-12-06 20:35 2241 --sha-w c:\windows\system32\mmf.sys

2009-05-29 06:25 . 2009-05-27 07:08 27708 --sha-w c:\windows\system32\drivers\fidbox.idx

2009-05-28 18:23 . 2009-04-27 20:13 -------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab

2009-05-28 07:08 . 2008-03-04 15:48 -------- d-----w c:\documents and settings\All Users\Application Data\Kontiki

2009-05-28 07:02 . 2007-04-17 20:39 -------- d-----w c:\program files\Yahoo!

2009-05-27 11:41 . 2007-05-29 08:37 37192 ----a-w c:\documents and settings\HP_Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-05-27 11:31 . 2009-05-27 11:31 -------- d-----w c:\program files\MSBuild

2009-05-27 11:30 . 2009-05-27 11:30 -------- d-----w c:\program files\Reference Assemblies

2009-05-27 10:13 . 2004-11-10 03:19 82439 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat

2009-05-27 10:13 . 2009-05-27 10:13 44032 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\LocalContent\Attachments\devcon.exe

2009-05-27 10:13 . 2009-05-27 10:13 307200 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\pchnotify.exe

2009-05-27 10:13 . 2009-05-27 10:13 3072 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\jsharpde\pchealthde.exe

2009-05-27 10:13 . 2009-05-27 10:13 159744 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\PCHButton.exe

2009-05-27 10:13 . 2009-05-27 10:13 77824 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\FDIWrapper.dll

2009-05-27 10:13 . 2009-05-27 10:13 26572 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\jsharpde\INV16.dll

2009-05-27 10:13 . 2009-05-27 10:13 69632 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\jsharpde\msxmlwrapper.dll

2009-05-27 10:13 . 2009-05-27 10:13 40960 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\ScDmi.dll

2009-05-27 10:13 . 2009-05-27 10:13 49152 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\PCHI18N.dll

2009-05-27 10:13 . 2009-05-27 10:13 139264 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\HPQ\XPXWWPP5\plugin\bin\ContentUpdater.exe

2009-05-27 07:22 . 2008-01-29 16:29 33808 ----a-w c:\windows\system32\drivers\klbg.sys

2009-05-27 07:22 . 2009-04-27 20:28 226832 ----a-w c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP8\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav8exec\8.0.0.506\XP\klif.sys

2009-05-26 22:42 . 2009-04-28 21:00 -------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-05-26 12:20 . 2009-04-28 21:00 40160 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-05-26 12:19 . 2009-04-28 21:00 19096 ----a-w c:\windows\system32\drivers\mbam.sys

2009-04-30 20:28 . 2006-11-01 20:11 -------- d-----w c:\documents and settings\HP_Owner\Application Data\Apple Computer

2009-04-28 21:00 . 2009-04-28 21:00 -------- d-----w c:\documents and settings\HP_Owner\Application Data\Malwarebytes

2009-04-28 21:00 . 2009-04-28 21:00 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes

2009-04-28 05:32 . 2007-10-10 22:20 -------- d-----w c:\program files\CCleaner

2009-04-27 23:12 . 2007-04-17 15:57 -------- d-----w c:\program files\VideoEgg

2009-04-27 20:13 . 2009-04-27 20:13 -------- d-----w c:\program files\Kaspersky Lab

2009-04-27 20:09 . 2009-04-27 20:09 -------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files

2009-04-27 20:03 . 2009-04-27 20:03 -------- d-----w c:\documents and settings\All Users\Application Data\Avg7

2009-04-27 20:02 . 2007-05-07 17:20 -------- d-----w c:\documents and settings\All Users\Application Data\Grisoft

2009-04-27 16:37 . 2007-07-28 06:24 -------- d-----w c:\program files\iWin

2009-04-22 23:59 . 2009-01-09 07:20 -------- d-----w c:\documents and settings\HP_Owner\Application Data\Spotify

2009-03-16 06:54 . 2009-03-06 21:37 138944 ----a-w c:\windows\system32\drivers\PnkBstrK.sys

2009-03-16 06:54 . 2009-03-06 21:37 75064 ----a-w c:\windows\system32\PnkBstrA.exe

2009-03-16 06:53 . 2009-03-06 21:41 334912 ----a-w c:\documents and settings\HP_Owner\Application Data\id Software\quakelive\home\baseq3\cgamex86.dll

2009-03-16 06:53 . 2009-03-06 21:41 171072 ----a-w c:\documents and settings\HP_Owner\Application Data\id Software\quakelive\home\baseq3\uix86.dll

2009-03-16 06:53 . 2009-03-06 21:37 189784 ----a-w c:\windows\system32\PnkBstrB.exe

2009-03-16 06:53 . 2009-03-06 21:41 874660 ----a-w c:\documents and settings\HP_Owner\Application Data\id Software\quakelive\home\pb\pbcl.dll

2009-03-16 06:53 . 2009-03-06 21:41 57344 ----a-w c:\documents and settings\HP_Owner\Application Data\id Software\quakelive\home\pb\pbag.dll

2009-03-16 06:53 . 2009-03-06 21:41 479232 ----a-w c:\documents and settings\HP_Owner\Application Data\id Software\quakelive\home\pb\pbsv.dll

2009-03-16 06:53 . 2009-03-06 21:41 2669632 ----a-w c:\documents and settings\HP_Owner\Application Data\id Software\quakelive\home\baseq3\quakelive.dll

2009-03-12 22:33 . 2009-03-06 21:41 441408 ----a-w c:\documents and settings\HP_Owner\Application Data\id Software\quakelive\home\baseq3\qagamex86.dll

2009-03-12 22:23 . 2009-03-06 21:37 22328 ----a-w c:\documents and settings\HP_Owner\Application Data\PnkBstrK.sys

2009-03-12 22:23 . 2009-03-06 21:37 22328 ----a-w c:\documents and settings\HP_Owner\Application Data\PnkBstrK.sys

2009-03-12 22:22 . 2009-03-06 21:37 2246144 ----a-w c:\windows\system32\pbsvc.exe

2009-03-11 12:40 . 2009-03-11 12:40 625728 ----a-w c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll

2009-03-09 04:19 . 2009-02-02 23:04 410984 ----a-w c:\windows\system32\deploytk.dll

2009-03-08 03:34 . 2006-11-02 00:10 914944 ----a-w c:\windows\system32\wininet.dll

2009-03-08 03:34 . 2006-11-02 00:07 43008 ----a-w c:\windows\system32\licmgr10.dll

2009-03-08 03:33 . 2006-11-02 00:06 18944 ----a-w c:\windows\system32\corpol.dll

2009-03-08 03:33 . 2006-11-02 00:10 420352 ----a-w c:\windows\system32\vbscript.dll

2009-03-08 03:32 . 2006-11-02 00:06 72704 ----a-w c:\windows\system32\admparse.dll

2009-03-08 03:32 . 2006-11-02 00:07 71680 ----a-w c:\windows\system32\iesetup.dll

2009-03-08 03:31 . 2006-11-02 00:07 34816 ----a-w c:\windows\system32\imgutil.dll

2009-03-08 03:31 . 2006-11-02 00:08 48128 ----a-w c:\windows\system32\mshtmler.dll

2009-03-08 03:31 . 2006-11-02 00:08 45568 ----a-w c:\windows\system32\mshta.exe

2009-03-08 03:22 . 2006-11-02 00:08 156160 ----a-w c:\windows\system32\msls31.dll

2009-03-06 21:41 . 2009-03-06 21:41 57344 ----a-w c:\documents and settings\HP_Owner\Application Data\id Software\quakelive\home\pb\pbags.dll

2009-03-06 21:41 . 2009-03-06 21:41 866235 ----a-w c:\documents and settings\HP_Owner\Application Data\id Software\quakelive\home\pb\pbcls.dll

2009-03-06 14:22 . 2006-11-02 00:08 284160 ----a-w c:\windows\system32\pdh.dll

.

((((((((((((((((((((((((((((( SnapShot@2009-05-22_07.46.43 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-05-27 09:21 . 2008-04-14 00:12 57344 c:\windows\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.5512_x-ww_3fd60d63\msvcirt.dll

- 2007-09-17 09:41 . 2007-01-19 20:15 74802 c:\windows\WinSxS\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.9792.0_x-ww_08a6620a\atl.dll

+ 2009-05-27 09:21 . 2008-04-14 00:12 74802 c:\windows\WinSxS\x86_Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_6.0.9792.0_x-ww_08a6620a\atl.dll

+ 2006-11-02 00:10 . 2008-04-14 00:12 50688 c:\windows\twain_32.dll

- 2006-11-02 00:10 . 2004-08-04 04:00 50688 c:\windows\twain_32.dll

- 2006-11-02 00:10 . 2006-03-01 19:42 11776 c:\windows\system32\xolehlp.dll

+ 2006-11-02 00:10 . 2008-04-14 00:12 11776 c:\windows\system32\xolehlp.dll

+ 2006-11-02 00:10 . 2008-04-14 00:12 50176 c:\windows\system32\xmlprovi.dll

- 2006-11-02 00:10 . 2004-08-04 04:00 50176 c:\windows\system32\xmlprovi.dll

- 2006-11-02 00:10 . 2004-08-04 04:00 30720 c:\windows\system32\xcopy.exe

+ 2006-11-02 00:10 . 2008-04-14 00:12 30720 c:\windows\system32\xcopy.exe

+ 2006-11-02 00:10 . 2008-04-14 00:12 91648 c:\windows\system32\xactsrv.dll

- 2006-11-02 00:10 . 2004-08-04 04:00 91648 c:\windows\system32\xactsrv.dll

+ 2004-08-05 01:00 . 2008-04-14 00:12 52736 c:\windows\system32\wzcsapi.dll

- 2006-11-02 00:10 . 2004-08-04 04:00 18432 c:\windows\system32\wtsapi32.dll

+ 2006-11-02 00:10 . 2008-04-14 00:12 18432 c:\windows\system32\wtsapi32.dll

+ 2006-11-02 00:10 . 2008-04-14 00:12 50688 c:\windows\system32\wstdecod.dll

- 2006-11-02 00:10 . 2004-08-04 04:00 50688 c:\windows\system32\wstdecod.dll

+ 2006-11-02 00:10 . 2008-04-14 00:12 22528 c:\windows\system32\wsock32.dll

- 2006-11-02 00:10 . 2004-08-04 04:00 22528 c:\windows\system32\wsock32.dll

+ 2006-11-02 00:10 . 2008-04-14 00:12 41984 c:\windows\system32\wsnmp32.dll

+ 2006-11-02 00:10 . 2008-04-14 00:12 19456 c:\windows\system32\wshtcpip.dll

+ 2006-11-02 00:10 . 2008-04-14 00:12 11264 c:\windows\system32\wshrm.dll

- 2006-11-02 00:10 . 2004-08-04 04:00 14336 c:\windows\system32\wship6.dll

+ 2006-11-02 00:10 . 2008-04-14 00:12 14336 c:\windows\system32\wship6.dll

+ 2006-11-02 00:10 . 2008-05-09 10:53 90112 c:\windows\system32\wshext.dll

+ 2006-11-02 00:10 . 2008-04-14 00:12 36864 c:\windows\system32\wshcon.dll

+ 2006-11-02 00:10 . 2008-04-14 00:12 80896 c:\windows\system32\wscsvc.dll

- 2006-11-02 00:10 . 2004-08-04 04:00 13824 c:\windows\system32\wscntfy.exe

+ 2006-11-02 00:10 . 2008-04-14 00:12 13824 c:\windows\system32\wscntfy.exe

- 2006-11-02 00:10 . 2004-08-04 04:00 19968 c:\windows\system32\ws2help.dll

+ 2006-11-02 00:10 . 2008-04-14 00:12 19968 c:\windows\system32\ws2help.dll

+ 2006-11-02 00:10 . 2008-04-14 00:12 82432 c:\windows\system32\ws2_32.dll

+ 2006-11-02 00:10 . 2008-04-14 00:12 11264 c:\windows\system32\wpnpinst.exe

+ 2006-11-02 00:10 . 2008-04-14 00:12 32256 c:\windows\system32\wpabaln.exe

- 2006-11-02 00:10 . 2004-08-04 04:00 32256 c:\windows\system32\wpabaln.exe

- 2006-11-02 00:10 . 2004-08-04 04:00 20480 c:\windows\system32\wmpui.dll

+ 2006-11-02 00:10 . 2008-04-14 00:12 20480 c:\windows\system32\wmpui.dll

- 2006-11-02 00:10 . 2004-08-04 04:00 20480 c:\windows\system32\wmpcore.dll

+ 2006-11-02 00:10 . 2008-04-14 00:12 20480 c:\windows\system32\wmpcore.dll

- 2006-11-02 00:10 . 2004-08-04 04:00 20480 c:\windows\system32\wmpcd.dll

+ 2006-11-02 00:10 . 2008-04-14 00:12 20480 c:\windows\system32\wmpcd.dll

- 2006-11-02 00:10 . 2004-08-04 04:00 92672 c:\windows\system32\wlnotify.dll

+ 2006-11-02 00:10 . 2008-04-14 00:12 92672 c:\windows\system32\wlnotify.dll

+ 2009-05-27 09:23 . 2008-04-14 00:12 69120 c:\windows\system32\wlanapi.dll

- 2006-11-02 00:10 . 2004-08-04 04:00 53760 c:\windows\system32\winsta.dll

+ 2006-11-02 00:10 . 2008-04-14 00:12 53760 c:\windows\system32\winsta.dll

+ 2006-11-02 00:10 . 2008-04-14 00:12 17408 c:\windows\system32\winshfhc.dll

- 2006-11-02 00:10 . 2004-08-04 04:00 17408 c:\windows\system32\winshfhc.dll

- 2006-11-02 00:10 . 2004-08-04 04:00 99328 c:\windows\system32\winscard.dll

+ 2006-11-02 00:10 . 2008-04-14 00:12 99328 c:\windows\system32\winscard.dll

- 2006-11-02 00:10 . 2004-08-04 04:00 16896 c:\windows\system32\winrnr.dll

+ 2006-11-02 00:10 . 2008-04-14 00:12 16896 c:\windows\system32\winrnr.dll

+ 2006-11-02 00:10 . 2008-04-14 00:12 32256 c:\windows\system32\winipsec.dll

- 2006-11-02 00:10 . 2004-08-04 04:00 75776 c:\windows\system32\wiascr.dll

+ 2006-11-02 00:10 . 2008-04-14 00:12 75776 c:\windows\system32\wiascr.dll

+ 2006-11-02 00:10 . 2008-04-14 00:12 65024 c:\windows\system32\wextract.exe

- 2006-11-02 00:10 . 2006-01-04 03:35 68096 c:\windows\system32\webclnt.dll

+ 2006-11-02 00:10 . 2008-04-14 00:12 68096 c:\windows\system32\webclnt.dll

- 2004-08-05 01:00 . 2004-08-05 01:00 23552 c:\windows\system32\wdmaud.drv

+ 2004-08-05 01:00 . 2008-04-14 00:12 23552 c:\windows\system32\wdmaud.drv

- 2006-11-02 00:10 . 2004-08-04 04:00 49152 c:\windows\system32\wdigest.dll

+ 2006-11-02 00:10 . 2008-04-14 00:12 49152 c:\windows\system32\wdigest.dll

- 2006-11-02 00:10 . 2004-08-04 04:00 95232 c:\windows\system32\wbem\wmiutils.dll

+ 2006-11-02 00:10 . 2008-04-14 00:12 95232 c:\windows\system32\wbem\wmiutils.dll

- 2006-11-02 00:10 . 2004-08-04 04:00 41472 c:\windows\system32\wbem\wmipsess.dll

+ 2006-11-02 00:10 . 2008-04-14 00:12 41472 c:\windows\system32\wbem\wmipsess.dll

+ 2006-11-02 00:10 . 2008-04-14 00:12 62464 c:\windows\system32\wbem\wmipjobj.dll

+ 2006-11-02 00:10 . 2008-04-14 00:12 61952 c:\windows\system32\wbem\wmipiprt.dll

- 2006-11-02 00:10 . 2004-08-04 04:00 60928 c:\windows\system32\wbem\wmicookr.dll

+ 2006-11-02 00:10 . 2008-04-14 00:12 60928 c:\windows\system32\wbem\wmicookr.dll

+ 2006-11-02 00:10 . 2008-04-14 00:12 88576 c:\windows\system32\wbem\wmiaprpl.dll

- 2006-11-02 00:10 . 2004-08-04 04:00 43520 c:\windows\system32\wbem\wbemsvc.dll

+ 2006-11-02 00:10 . 2008-04-14 00:12 43520 c:\windows\system32\wbem\wbemsvc.dll

- 2006-11-02 00:10 . 2004-08-04 04:00 18944 c:\windows\system32\wbem\wbemprox.dll

+ 2006-11-02 00:10 . 2008-04-14 00:12 18944 c:\windows\system32\wbem\wbemprox.dll

- 2006-11-02 00:10 . 2004-08-04 04:00 43008 c:\windows\system32\wbem\wbemperf.dll

+ 2006-11-02 00:10 . 2008-04-14 00:12 43008 c:\windows\system32\wbem\wbemperf.dll

+ 2006-11-02 00:10 . 2008-04-14 00:12 71680 c:\windows\system32\wbem\wbemcons.dll

- 2006-11-02 00:10 . 2004-08-04 04:00 71680 c:\windows\system32\wbem\wbemcons.dll

- 2006-11-02 00:09 . 2004-08-04 04:00 86528 c:\windows\system32\wbem\stdprov.dll

+ 2006-11-02 00:09 . 2008-04-14 00:12 86528 c:\windows\system32\wbem\stdprov.dll

+ 2006-11-02 00:08 . 2008-04-14 00:12 36352 c:\windows\system32\wbem\scrcons.exe

+ 2006-11-02 00:08 . 2008-04-14 00:12 47104 c:\windows\system32\wbem\ncprov.dll

- 2006-11-02 00:08 . 2004-08-04 04:00 47104 c:\windows\system32\wbem\ncprov.dll

- 2006-11-02 00:07 . 2004-08-04 04:00 16384 c:\windows\system32\wbem\mofcomp.exe

+ 2006-11-02 00:07 . 2008-04-14 00:12 16384 c:\windows\system32\wbem\mofcomp.exe

- 2006-11-02 00:07 . 2004-08-04 04:00 24576 c:\windows\system32\wbem\krnlprov.dll

+ 2006-11-02 00:07 . 2008-04-14 00:11 24576 c:\windows\system32\wbem\krnlprov.dll

+ 2006-11-02 00:07 . 2008-04-14 00:11 21504 c:\windows\system32\wbem\evntrprv.dll

- 2006-11-02 00:10 . 2004-08-04 04:00 17664 c:\windows\system32\watchdog.sys

+ 2006-11-02 00:10 . 2008-04-13 18:44 17664 c:\windows\system32\watchdog.sys

- 2006-11-02 00:10 . 2004-08-04 04:00 15872 c:\windows\system32\w3ssl.dll

+ 2006-11-02 00:10 . 2008-04-14 00:12 15872 c:\windows\system32\w3ssl.dll

+ 2006-11-01 18:30 . 2008-04-14 00:12 53760 c:\windows\system32\vfwwdm32.dll

- 2006-11-01 18:30 . 2004-08-04 00:56 53760 c:\windows\system32\vfwwdm32.dll

+ 2006-11-02 00:10 . 2008-04-14 00:12 18944 c:\windows\system32\version.dll

- 2006-11-02 00:10 . 2004-08-04 04:00 18944 c:\windows\system32\version.dll

+ 2006-11-02 00:10 . 2008-04-14 00:12 26624 c:\windows\system32\verifier.dll

+ 2006-03-17 00:38 . 2008-04-14 00:12 28672 c:\windows\system32\verclsid.exe

- 2006-03-17 00:38 . 2006-03-17 00:38 28672 c:\windows\system32\verclsid.exe

+ 2006-11-02 00:10 . 2008-04-14 00:12 51712 c:\windows\system32\vdmredir.dll

- 2006-11-02 00:10 . 2004-08-04 04:00 51712 c:\windows\system32\vdmredir.dll

- 2006-11-02 00:10 . 2004-08-04 04:00 26112 c:\windows\system32\vdmdbg.dll

+ 2006-11-02 00:10 . 2008-04-14 00:12 26112 c:\windows\system32\vdmdbg.dll

- 2006-11-02 00:10 . 2004-08-04 04:00 30749 c:\windows\system32\vbajet32.dll

+ 2006-11-02 00:10 . 2008-04-14 00:12 30749 c:\windows\system32\vbajet32.dll

- 2006-11-02 00:10 . 2004-08-04 04:00 50176 c:\windows\system32\utilman.exe

+ 2006-11-02 00:10 . 2008-04-14 00:12 50176 c:\windows\system32\utilman.exe

+ 2006-11-02 00:07 . 2008-04-14 00:11 19968 c:\windows\system32\usmt\log.dll

- 2006-11-02 00:07 . 2004-08-04 04:00 19968 c:\windows\system32\usmt\log.dll

+ 2009-05-27 09:21 . 2008-04-13 16:44 17920 c:\windows\system32\usmt\cobramsg.dll

+ 2006-11-02 00:10 . 2008-04-14 00:12 26112 c:\windows\system32\userinit.exe

- 2004-08-04 13:56 . 2004-08-04 13:56 74240 c:\windows\system32\usbui.dll

+ 2004-08-04 13:56 . 2008-04-14 00:12 74240 c:\windows\system32\usbui.dll

- 2006-11-02 00:10 . 2004-08-04 04:00 16896 c:\windows\system32\usbmon.dll

+ 2006-11-02 00:10 . 2008-04-14 00:12 16896 c:\windows\system32\usbmon.dll

- 2006-11-02 00:10 . 2004-08-04 04:00 18432 c:\windows\system32\ups.exe

+ 2006-11-02 00:10 . 2008-04-14 00:12 18432 c:\windows\system32\ups.exe

+ 2006-11-02 00:10 . 2008-04-14 00:12 16896 c:\windows\system32\upnpcont.exe

- 2006-11-02 00:10 . 2004-08-04 04:00 16896 c:\windows\system32\upnpcont.exe

+ 2006-11-02 00:10 . 2008-04-14 00:12 13824 c:\windows\system32\uniplat.dll

- 2006-11-02 00:10 . 2004-08-04 04:00 13824 c:\windows\system32\uniplat.dll

+ 2006-11-02 00:10 . 2008-04-14 00:12 74240 c:\windows\system32\unimdmat.dll

- 2006-11-02 00:10 . 2004-08-04 04:00 74240 c:\windows\system32\unimdmat.dll

- 2007-02-25 14:27 . 2004-08-04 04:00 76288 c:\windows\system32\uniime.dll

+ 2007-02-25 14:27 . 2008-04-14 00:11 76288 c:\windows\system32\uniime.dll

- 2006-11-02 00:10 . 2004-08-04 04:00 35840 c:\windows\system32\umandlg.dll

+ 2006-11-02 00:10 . 2008-04-14 00:12 35840 c:\windows\system32\umandlg.dll

+ 2006-11-02 00:10 . 2008-04-14 00:12 26624 c:\windows\system32\udhisapi.dll

+ 2007-07-18 12:42 . 2008-04-14 00:12 60416 c:\windows\system32\tzchange.exe

+ 2006-11-02 00:10 . 2008-04-14 00:12 57856 c:\windows\system32\twext.dll

+ 2008-07-29 20:10 . 2008-07-29 20:10 26112 c:\windows\system32\TsWpfWrp.exe

+ 2009-05-27 09:23 . 2008-04-14 00:12 50688 c:\windows\system32\tspkg.dll

+ 2009-05-27 09:23 . 2008-04-14 00:12 53248 c:\windows\system32\tsgqec.dll

+ 2006-11-02 00:10 . 2008-04-14 00:13 12168 c:\windows\system32\tsddd.dll

- 2006-11-02 00:10 . 2004-08-04 04:00 12168 c:\windows\system32\tsddd.dll

+ 2006-11-02 00:10 . 2008-04-14 00:12 93696 c:\windows\system32\tscfgwmi.dll

- 2006-11-02 00:10 . 2004-08-04 04:00 93696 c:\windows\system32\tscfgwmi.dll

+ 2006-11-02 00:10 . 2008-04-14 00:12 90112 c:\windows\system32\trkwks.dll

+ 2006-11-02 00:10 . 2008-04-14 00:12 12800 c:\windows\system32\tree.com

- 2006-11-02 00:10 . 2004-08-04 04:00 12288 c:\windows\system32\tracert.exe

+ 2006-11-02 00:10 . 2008-04-14 00:12 12288 c:\windows\system32\tracert.exe

- 2004-08-05 01:00 . 2005-05-10 23:45 75776 c:\windows\system32\telnet.exe

+ 2004-08-05 01:00 . 2008-04-14 00:12 75776 c:\windows\system32\telnet.exe

+ 2006-11-02 00:10 . 2008-04-14 00:12 45568 c:\windows\system32\tcpmonui.dll

- 2006-11-02 00:10 . 2004-08-04 04:00 45568 c:\windows\system32\tcpmonui.dll

- 2006-11-02 00:10 . 2004-08-04 04:00 45568 c:\windows\system32\tcpmon.dll

+ 2006-11-02 00:10 . 2008-04-14 00:12 45568 c:\windows\system32\tcpmon.dll

+ 2006-11-02 00:10 . 2008-04-14 00:12 14848 c:\windows\system32\tcpmib.dll

- 2006-11-02 00:10 . 2004-08-04 04:00 14848 c:\windows\system32\tcpmib.dll

- 2006-11-02 00:09 . 2004-08-04 04:00 57856 c:\windows\system32\synceng.dll

+ 2006-11-02 00:09 . 2008-04-14 00:12 57856 c:\windows\system32\synceng.dll

- 2006-11-02 00:09 . 2004-08-04 04:00 14336 c:\windows\system32\svchost.exe

+ 2006-11-02 00:09 . 2008-04-14 00:12 14336 c:\windows\system32\svchost.exe

- 2006-11-02 00:09 . 2004-08-04 04:00 75776 c:\windows\system32\strmfilt.dll

+ 2006-11-02 00:09 . 2008-04-14 00:12 75776 c:\windows\system32\strmfilt.dll

+ 2004-08-04 13:56 . 2008-04-14 00:12 74752 c:\windows\system32\storprop.dll

- 2004-08-04 13:56 . 2004-08-04 13:56 74752 c:\windows\system32\storprop.dll

- 2006-11-02 00:09 . 2004-08-04 04:00 14848 c:\windows\system32\stimon.exe

+ 2006-11-02 00:09 . 2008-04-14 00:12 14848 c:\windows\system32\stimon.exe

+ 2006-11-02 00:09 . 2008-04-14 00:12 68096 c:\windows\system32\sti.dll

+ 2006-11-02 00:09 . 2008-04-14 00:12 59392 c:\windows\system32\stclient.dll

+ 2006-11-02 00:09 . 2008-04-14 00:12 14336 c:\windows\system32\ssstars.scr

- 2006-11-02 00:09 . 2004-08-04 04:00 14336 c:\windows\system32\ssstars.scr

+ 2006-11-02 00:09 . 2008-04-14 00:12 18944 c:\windows\system32\ssmyst.scr

- 2006-11-02 00:09 . 2004-08-04 04:00 18944 c:\windows\system32\ssmyst.scr

- 2006-11-02 00:09 . 2004-08-04 04:00 47104 c:\windows\system32\ssmypics.scr

+ 2006-11-02 00:09 . 2008-04-14 00:12 47104 c:\windows\system32\ssmypics.scr

+ 2006-11-02 00:09 . 2008-04-14 00:12 20992 c:\windows\system32\ssmarque.scr

- 2006-11-02 00:09 . 2004-08-04 04:00 20992 c:\windows\system32\ssmarque.scr

+ 2006-11-02 00:09 . 2008-04-14 00:12 71680 c:\windows\system32\ssdpsrv.dll

- 2006-11-02 00:09 . 2004-08-04 04:00 71680 c:\windows\system32\ssdpsrv.dll

- 2006-11-02 00:09 . 2004-08-04 04:00 34816 c:\windows\system32\ssdpapi.dll

+ 2006-11-02 00:09 . 2008-04-14 00:12 34816 c:\windows\system32\ssdpapi.dll

- 2006-11-02 00:09 . 2004-08-04 04:00 19968 c:\windows\system32\ssbezier.scr

+ 2006-11-02 00:09 . 2008-04-14 00:12 19968 c:\windows\system32\ssbezier.scr

- 2006-11-02 00:09 . 2004-12-07 19:32 96768 c:\windows\system32\srvsvc.dll

+ 2006-11-02 00:09 . 2008-04-14 00:12 96768 c:\windows\system32\srvsvc.dll

+ 2006-11-02 00:09 . 2008-04-14 00:12 67584 c:\windows\system32\srclient.dll

- 2006-11-02 00:09 . 2004-08-04 04:00 67584 c:\windows\system32\srclient.dll

+ 2009-05-27 09:23 . 2008-04-14 00:12 20992 c:\windows\system32\spupdwxp.exe

+ 2007-04-17 17:04 . 2009-01-07 17:21 26144 c:\windows\system32\spupdsvc.exe

- 2006-11-02 00:09 . 2005-06-10 23:53 57856 c:\windows\system32\spoolsv.exe

+ 2006-11-02 00:09 . 2008-04-14 00:12 57856 c:\windows\system32\spoolsv.exe

+ 2006-11-02 00:09 . 2008-04-14 00:12 75264 c:\windows\system32\spoolss.dll

+ 2009-05-27 11:30 . 2008-07-06 12:06 89088 c:\windows\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll

+ 2006-11-01 18:32 . 2008-04-14 00:11 26624 c:\windows\system32\spool\drivers\w32x86\3\fxsdrv.dll

+ 2004-08-05 01:00 . 2008-04-14 05:42 11264 c:\windows\system32\spnpinst.exe

+ 2008-03-04 16:09 . 2009-01-07 17:20 16928 c:\windows\system32\spmsg.dll

+ 2006-11-02 00:08 . 2008-04-14 00:12 24576 c:\windows\system32\sort.exe

- 2006-11-02 00:08 . 2004-08-04 04:00 18944 c:\windows\system32\snmpapi.dll

+ 2006-11-02 00:08 . 2008-04-14 00:12 18944 c:\windows\system32\snmpapi.dll

+ 2006-11-02 00:08 . 2008-04-14 00:12 50688 c:\windows\system32\smss.exe

- 2006-11-02 00:08 . 2004-08-04 04:00 50688 c:\windows\system32\smss.exe

- 2006-11-02 00:08 . 2004-08-04 04:00 89600 c:\windows\system32\smlogsvc.exe

+ 2006-11-02 00:08 . 2008-04-14 00:12 89600 c:\windows\system32\smlogsvc.exe

+ 2009-05-27 09:23 . 2008-04-14 00:12 73796 c:\windows\system32\slserv.exe

+ 2009-05-27 09:23 . 2008-04-14 00:12 32866 c:\windows\system32\slrundll.exe

+ 2009-05-27 09:23 . 2008-04-14 00:12 73832 c:\windows\system32\slcoinst.dll

- 2006-11-02 00:08 . 2004-08-04 04:00 98304 c:\windows\system32\slbiop.dll

+ 2006-11-02 00:08 . 2008-04-14 00:12 98304 c:\windows\system32\slbiop.dll

- 2006-11-02 00:08 . 2004-08-04 04:00 25088 c:\windows\system32\slayerxp.dll

+ 2006-11-02 00:08 . 2008-04-14 00:12 25088 c:\windows\system32\slayerxp.dll

+ 2006-11-02 00:08 . 2008-04-14 00:12 26112 c:\windows\system32\skeys.exe

- 2006-11-02 00:08 . 2004-08-04 04:00 26112 c:\windows\system32\skeys.exe

- 2006-11-02 00:08 . 2004-08-04 04:00 70144 c:\windows\system32\sigverif.exe

+ 2006-11-02 00:08 . 2008-04-14 00:12 70144 c:\windows\system32\sigverif.exe

+ 2006-11-02 00:08 . 2008-04-14 00:12 13312 c:\windows\system32\sigtab.dll

- 2006-11-02 00:08 . 2004-08-04 04:00 13312 c:\windows\system32\sigtab.dll

- 2006-11-02 00:08 . 2004-08-04 04:00 19456 c:\windows\system32\shutdown.exe

+ 2006-11-02 00:08 . 2008-04-14 00:12 19456 c:\windows\system32\shutdown.exe

+ 2006-11-02 00:08 . 2008-04-14 00:12 27648 c:\windows\system32\shscrap.dll

- 2006-11-02 00:08 . 2004-08-04 04:00 27648 c:\windows\system32\shscrap.dll

- 2006-11-02 00:08 . 2004-08-04 04:00 77824 c:\windows\system32\shrpubw.exe

+ 2006-11-02 00:08 . 2008-04-14 00:12 77824 c:\windows\system32\shrpubw.exe

+ 2006-11-02 00:08 . 2008-04-14 00:12 45056 c:\windows\system32\shmgrate.exe

+ 2006-11-02 00:08 . 2008-04-14 00:12 65024 c:\windows\system32\shimeng.dll

+ 2006-11-02 00:08 . 2008-04-14 00:12 68096 c:\windows\system32\shgina.dll

- 2006-11-02 00:08 . 2004-08-04 04:00 68096 c:\windows\system32\shgina.dll

- 2006-11-02 00:08 . 2004-08-04 04:00 25088 c:\windows\system32\shfolder.dll

+ 2006-11-02 00:08 . 2008-04-14 00:12 25088 c:\windows\system32\shfolder.dll

+ 2009-05-27 09:23 . 2008-04-14 00:12 32768 c:\windows\system32\setupn.exe

+ 2006-11-02 00:09 . 2008-04-14 00:12 26624 c:\windows\system32\Setup\startoc.dll

- 2006-11-02 00:08 . 2004-08-04 04:00 17408 c:\windows\system32\Setup\ocmsn.dll

+ 2006-11-02 00:08 . 2008-04-14 00:12 17408 c:\windows\system32\Setup\ocmsn.dll

+ 2006-11-02 00:08 . 2008-04-14 00:12 15360 c:\windows\system32\Setup\ocgen.dll

+ 2006-11-02 00:08 . 2008-04-14 00:12 62976 c:\windows\system32\Setup\ntoc.dll

- 2006-11-02 00:08 . 2004-08-04 04:00 62976 c:\windows\system32\Setup\ntoc.dll

+ 2006-11-02 00:08 . 2008-04-14 00:12 77312 c:\windows\system32\Setup\netoc.dll

- 2006-11-02 00:08 . 2004-08-04 04:00 77312 c:\windows\system32\Setup\netoc.dll

+ 2006-11-02 00:08 . 2008-04-14 00:11 15360 c:\windows\system32\Setup\msgrocm.dll

- 2006-11-02 00:08 . 2004-08-04 04:00 15360 c:\windows\system32\Setup\msgrocm.dll

+ 2006-11-02 00:08 . 2008-04-14 00:11 90112 c:\windows\system32\Setup\msdtcstp.dll

- 2006-11-02 00:07 . 2004-08-04 04:00 32828 c:\windows\system32\Setup\fp40ext.dll

+ 2006-11-02 00:07 . 2008-04-14 00:11 32828 c:\windows\system32\Setup\fp40ext.dll

- 2006-11-02 00:08 . 2004-08-04 04:00 23040 c:\windows\system32\setup.exe

+ 2006-11-02 00:08 . 2008-04-14 00:12 23040 c:\windows\system32\setup.exe

- 2006-11-02 00:08 . 2004-08-04 04:00 31232 c:\windows\system32\sethc.exe

+ 2006-11-02 00:08 . 2008-04-14 00:12 31232 c:\windows\system32\sethc.exe

- 2006-11-02 00:08 . 2004-08-04 04:00 56320 c:\windows\system32\servdeps.dll

+ 2006-11-02 00:08 . 2008-04-14 00:12 56320 c:\windows\system32\servdeps.dll

+ 2006-11-02 00:08 . 2008-04-14 00:12 39424 c:\windows\system32\sens.dll

+ 2006-11-02 00:08 . 2008-04-14 00:12 54784 c:\windows\system32\sendmail.dll

+ 2006-11-02 00:08 . 2008-04-14 00:12 29184 c:\windows\system32\sendcmsg.dll

- 2006-11-02 00:08 . 2004-08-04 04:00 29184 c:\windows\system32\sendcmsg.dll

+ 2006-11-02 00:08 . 2009-02-03 19:59 56832 c:\windows\system32\secur32.dll

+ 2006-11-02 00:08 . 2008-04-14 00:12 18944 c:\windows\system32\seclogon.dll

- 2006-11-02 00:08 . 2004-08-04 04:00 18944 c:\windows\system32\seclogon.dll

- 2006-11-02 00:08 . 2004-08-04 04:00 29184 c:\windows\system32\sdhcinst.dll

+ 2006-11-02 00:08 . 2008-04-14 00:12 29184 c:\windows\system32\sdhcinst.dll

- 2006-11-02 00:08 . 2004-08-04 04:00 77312 c:\windows\system32\sdbinst.exe

+ 2006-11-02 00:08 . 2008-04-14 00:12 77312 c:\windows\system32\sdbinst.exe

+ 2006-11-02 00:08 . 2008-04-14 00:12 20480 c:\windows\system32\sclgntfy.dll

+ 2006-11-02 00:08 . 2008-04-14 00:12 95744 c:\windows\system32\scardsvr.exe

- 2006-11-02 00:08 . 2004-08-04 04:00 95744 c:\windows\system32\scardsvr.exe

+ 2006-11-02 00:08 . 2008-04-14 00:12 69632 c:\windows\system32\scarddlg.dll

- 2006-11-02 00:08 . 2004-08-04 04:00 69632 c:\windows\system32\scarddlg.dll

- 2006-11-02 00:08 . 2009-02-06 16:54 35328 c:\windows\system32\sc.exe

+ 2006-11-02 00:08 . 2009-02-06 10:39 35328 c:\windows\system32\sc.exe

+ 2006-11-02 00:08 . 2008-04-14 00:12 13312 c:\windows\system32\savedump.exe

- 2006-11-02 00:08 . 2004-08-04 04:00 13312 c:\windows\system32\savedump.exe

+ 2006-11-02 00:08 . 2008-04-14 00:12 64000 c:\windows\system32\samlib.dll

- 2006-11-02 00:08 . 2004-08-04 04:00 64000 c:\windows\system32\samlib.dll

+ 2006-11-02 00:08 . 2008-04-14 00:12 45568 c:\windows\system32\safrslv.dll

- 2006-11-02 00:08 . 2004-08-04 04:00 45568 c:\windows\system32\safrslv.dll

- 2006-11-02 00:08 . 2004-08-04 04:00 29696 c:\windows\system32\safrdm.dll

+ 2006-11-02 00:08 . 2008-04-14 00:12 29696 c:\windows\system32\safrdm.dll

+ 2006-11-02 00:08 . 2008-04-14 00:12 43520 c:\windows\system32\safrcdlg.dll

- 2006-11-02 00:08 . 2004-08-04 04:00 43520 c:\windows\system32\safrcdlg.dll

- 2006-11-02 00:08 . 2004-08-04 04:00 14336 c:\windows\system32\runonce.exe

+ 2006-11-02 00:08 . 2008-04-14 00:12 14336 c:\windows\system32\runonce.exe

+ 2006-11-02 00:08 . 2008-04-14 00:12 33280 c:\windows\system32\rundll32.exe

- 2006-11-02 00:08 . 2004-08-04 04:00 33280 c:\windows\system32\rundll32.exe

+ 2006-11-02 00:08 . 2008-04-14 00:12 44032 c:\windows\system32\rtutils.dll

- 2006-11-02 00:08 . 2004-08-04 04:00 44032 c:\windows\system32\rtutils.dll

- 2006-11-02 00:08 . 2004-08-04 04:00 31744 c:\windows\system32\rtipxmib.dll

+ 2006-11-02 00:08 . 2008-04-14 00:12 31744 c:\windows\system32\rtipxmib.dll

+ 2006-11-02 00:08 . 2008-04-14 00:12 77312 c:\windows\system32\rtcshare.exe

- 2006-11-02 00:08 . 2004-08-04 04:00 77312 c:\windows\system32\rtcshare.exe

+ 2006-11-02 00:08 . 2008-04-14 00:12 92672 c:\windows\system32\rsvpsp.dll

+ 2006-11-02 00:08 . 2008-04-14 00:12 18944 c:\windows\system32\rsmps.dll

- 2006-11-02 00:08 . 2004-08-04 04:00 18944 c:\windows\system32\rsmps.dll

- 2006-11-02 00:08 . 2004-08-04 04:00 39936 c:\windows\system32\rshx32.dll

+ 2006-11-02 00:08 . 2008-04-14 00:12 39936 c:\windows\system32\rshx32.dll

- 2006-11-02 00:08 . 2004-08-04 04:00 14848 c:\windows\system32\rsh.exe

+ 2006-11-02 00:08 . 2008-04-14 00:12 14848 c:\windows\system32\rsh.exe

+ 2006-11-02 00:08 . 2008-04-14 00:12 13824 c:\windows\system32\rexec.exe

- 2006-11-02 00:08 . 2004-08-04 04:00 13824 c:\windows\system32\rexec.exe

- 2006-11-02 00:08 . 2004-08-04 04:00 58880 c:\windows\system32\resutils.dll

+ 2006-11-02 00:08 . 2008-04-14 00:12 58880 c:\windows\system32\resutils.dll

- 2006-11-02 00:08 . 2004-08-04 04:00 60416 c:\windows\system32\remotepg.dll

+ 2006-11-02 00:08 . 2008-04-14 00:12 60416 c:\windows\system32\remotepg.dll

+ 2009-05-27 10:00 . 2004-08-04 04:00 68224 c:\windows\system32\ReinstallBackups\0008\DriverFiles\i386\pci.sys

+ 2009-05-27 10:00 . 2004-08-04 04:00 35840 c:\windows\system32\ReinstallBackups\0007\DriverFiles\i386\isapnp.sys

+ 2009-05-27 10:00 . 2004-08-03 22:59 36096 c:\windows\system32\ReinstallBackups\0005\DriverFiles\i386\intelppm.sys

+ 2006-11-02 00:08 . 2008-04-14 00:12 11776 c:\windows\system32\regsvr32.exe

- 2006-11-02 00:08 . 2004-08-04 04:00 11776 c:\windows\system32\regsvr32.exe

- 2006-11-02 00:08 . 2004-08-04 04:00 59904 c:\windows\system32\regsvc.dll

+ 2006-11-02 00:08 . 2008-04-14 00:12 59904 c:\windows\system32\regsvc.dll

- 2006-11-02 00:08 . 2004-08-04 04:00 49664 c:\windows\system32\regapi.dll

+ 2006-11-02 00:08 . 2008-04-14 00:12 49664 c:\windows\system32\regapi.dll

+ 2006-11-02 00:08 . 2008-04-14 00:12 50176 c:\windows\system32\reg.exe

- 2006-11-02 00:08 . 2004-08-04 04:00 50176 c:\windows\system32\reg.exe

- 2006-11-02 00:08 . 2004-08-04 04:00 67072 c:\windows\system32\rdshost.exe

+ 2006-11-02 00:08 . 2008-04-14 00:12 67072 c:\windows\system32\rdshost.exe

- 2006-11-02 00:08 . 2004-08-04 04:00 13824 c:\windows\system32\rdsaddin.exe

+ 2006-11-02 00:08 . 2008-04-14 00:12 13824 c:\windows\system32\rdsaddin.exe

- 2006-11-02 00:08 . 2004-08-04 04:00 87176 c:\windows\system32\rdpwsx.dll

+ 2006-11-02 00:08 . 2008-04-14 00:13 87176 c:\windows\system32\rdpwsx.dll

- 2006-11-02 00:08 . 2004-08-04 04:00 19968 c:\windows\system32\rdpsnd.dll

+ 2006-11-02 00:08 . 2008-04-14 00:12 19968 c:\windows\system32\rdpsnd.dll

+ 2006-11-02 00:08 . 2008-04-14 00:13 92424 c:\windows\system32\rdpdd.dll

+ 2006-11-02 00:08 . 2008-04-14 00:12 62976 c:\windows\system32\rdpclip.exe

+ 2006-11-02 00:08 . 2008-04-14 00:12 21504 c:\windows\system32\rcp.exe

- 2006-11-02 00:08 . 2004-08-04 04:00 21504 c:\windows\system32\rcp.exe

- 2006-11-02 00:08 . 2004-08-04 04:00 35840 c:\windows\system32\rcimlby.exe

+ 2006-11-02 00:08 . 2008-04-14 00:12 35840 c:\windows\system32\rcimlby.exe

+ 2006-11-02 00:08 . 2008-04-14 00:12 58368 c:\windows\system32\rastapi.dll

+ 2006-11-02 00:08 . 2008-04-14 00:12 16384 c:\windows\system32\rassapi.dll

+ 2009-05-27 09:23 . 2008-04-14 00:12 61952 c:\windows\system32\rasqec.dll

+ 2006-11-02 00:08 . 2008-04-14 00:12 56832 c:\windows\system32\rasphone.exe

- 2006-11-02 00:08 . 2004-08-04 04:00 56832 c:\windows\system32\rasphone.exe

+ 2006-11-02 00:08 . 2008-04-14 00:12 61440 c:\windows\system32\rasman.dll

- 2006-11-02 00:08 . 2004-08-04 04:00 61440 c:\windows\system32\rasman.dll

+ 2006-11-02 00:08 . 2008-04-14 00:12 79872 c:\windows\system32\raschap.dll

+ 2006-11-02 00:08 . 2008-04-14 00:12 88576 c:\windows\system32\rasauto.dll

- 2006-11-02 00:08 . 2004-08-04 04:00 43520 c:\windows\system32\racpldlg.dll

+ 2006-11-02 00:08 . 2008-04-14 00:12 43520 c:\windows\system32\racpldlg.dll

+ 2009-05-27 09:23 . 2008-04-14 00:12 76800 c:\windows\system32\qutil.dll

+ 2006-11-02 00:08 . 2008-04-14 00:12 19968 c:\windows\system32\qprocess.exe

- 2006-11-02 00:08 . 2004-08-04 04:00 18944 c:\windows\system32\qmgrprxy.dll

+ 2006-11-02 00:08 . 2008-04-14 00:12 18944 c:\windows\system32\qmgrprxy.dll

+ 2009-05-27 09:23 . 2008-04-14 00:12 62464 c:\windows\system32\qcliprov.dll

+ 2006-11-02 00:08 . 2008-04-14 00:12 34304 c:\windows\system32\pstorsvc.dll

- 2006-11-02 00:08 . 2004-08-04 04:00 34304 c:\windows\system32\pstorsvc.dll

+ 2006-11-02 00:08 . 2008-04-14 00:12 43520 c:\windows\system32\pstorec.dll

- 2006-11-02 00:08 . 2004-08-04 04:00 43520 c:\windows\system32\pstorec.dll

- 2006-11-02 00:08 . 2004-08-04 04:00 96768 c:\windows\system32\psbase.dll

+ 2006-11-02 00:08 . 2008-04-14 00:12 96768 c:\windows\system32\psbase.dll

- 2006-11-02 00:08 . 2004-08-04 04:00 23040 c:\windows\system32\psapi.dll

+ 2006-11-02 00:08 . 2008-04-14 00:12 23040 c:\windows\system32\psapi.dll

- 2006-11-02 00:08 . 2004-08-04 04:00 50176 c:\windows\system32\proquota.exe

+ 2006-11-02 00:08 . 2008-04-14 00:12 50176 c:\windows\system32\proquota.exe

- 2006-11-02 00:08 . 2004-08-04 04:00 27648 c:\windows\system32\profmap.dll

+ 2006-11-02 00:08 . 2008-04-14 00:12 27648 c:\windows\system32\profmap.dll

+ 2008-07-29 18:59 . 2008-07-29 18:59 43544 c:\windows\system32\PresentationHostProxy.dll

+ 2006-11-02 00:08 . 2008-04-14 00:12 17408 c:\windows\system32\powrprof.dll

- 2006-11-02 00:08 . 2004-08-04 04:00 17408 c:\windows\system32\powrprof.dll

+ 2006-11-02 00:08 . 2008-04-14 00:12 49152 c:\windows\system32\powercfg.exe

- 2006-11-02 00:08 . 2004-08-04 04:00 49152 c:\windows\system32\powercfg.exe

+ 2006-11-02 00:08 . 2008-04-14 00:12 58880 c:\windows\system32\pnrpnsp.dll

+ 2006-11-02 00:08 . 2009-03-08 03:31 46592 c:\windows\system32\pngfilt.dll

- 2004-08-05 01:00 . 2004-08-05 01:00 15360 c:\windows\system32\pjlmon.dll

+ 2004-08-05 01:00 . 2008-04-14 00:12 15360 c:\windows\system32\pjlmon.dll

- 2006-11-02 00:08 . 2004-08-04 04:00 17920 c:\windows\system32\ping.exe

+ 2006-11-02 00:08 . 2008-04-14 00:12 17920 c:\windows\system32\ping.exe

+ 2004-08-05 01:00 . 2008-04-13 18:35 24064 c:\windows\system32\pidgen.dll

- 2004-08-05 01:00 . 2004-08-05 01:00 24064 c:\windows\system32\pidgen.dll

- 2004-08-05 01:00 . 2004-08-05 01:00 35328 c:\windows\system32\pid.dll

+ 2004-08-05 01:00 . 2008-04-14 00:12 35328 c:\windows\system32\pid.dll

+ 2006-11-02 00:08 . 2008-04-14 00:12 34816 c:\windows\system32\perfproc.dll

- 2006-11-02 00:08 . 2004-08-04 04:00 34816 c:\windows\system32\perfproc.dll

- 2006-11-02 00:08 . 2004-08-04 04:00 25088 c:\windows\system32\perfos.dll

+ 2006-11-02 00:08 . 2008-04-14 00:12 25088 c:\windows\system32\perfos.dll

+ 2006-11-02 00:08 . 2008-04-14 00:12 17920 c:\windows\system32\perfnet.dll

- 2006-11-02 00:08 . 2004-08-04 04:00 15872 c:\windows\system32\perfmon.exe

+ 2006-11-02 00:08 . 2008-04-14 00:12 15872 c:\windows\system32\perfmon.exe

+ 2006-11-02 00:08 . 2008-04-14 00:12 26624 c:\windows\system32\perfdisk.dll

- 2006-11-02 00:08 . 2004-08-04 04:00 26624 c:\windows\system32\perfdisk.dll

- 2006-11-02 00:08 . 2004-08-04 04:00 39936 c:\windows\system32\perfctrs.dll

+ 2006-11-02 00:08 . 2008-04-14 00:12 39936 c:\windows\system32\perfctrs.dll

+ 2004-11-10 03:25 . 2009-05-27 11:35 71868 c:\windows\system32\perfc009.dat

+ 2006-11-02 00:08 . 2008-04-14 00:12 67584 c:\windows\system32\pautoenr.dll

- 2006-11-02 00:08 . 2004-08-04 04:00 58368 c:\windows\system32\packager.exe

+ 2006-11-02 00:08 . 2008-04-14 00:12 58368 c:\windows\system32\packager.exe

- 2006-11-02 00:08 . 2004-08-04 04:00 67584 c:\windows\system32\osuninst.dll

+ 2006-11-02 00:08 . 2008-04-14 00:12 67584 c:\windows\system32\osuninst.dll

+ 2006-11-02 00:08 . 2008-04-14 00:12 51200 c:\windows\system32\oobe\oobebaln.exe

- 2006-11-02 00:08 . 2004-08-04 04:00 51200 c:\windows\system32\oobe\oobebaln.exe


  • Root Admin

No, that was not what I meant by update. Okay...

Please see if you can do this or not.

  1. Uninstall Malwarebytes' Anti-Malware using Add/Remove programs in the control panel.
  2. Restart your computer (very important).
  3. Download and run this utility.
  4. It will ask to restart your computer (please allow it to).
  5. After the computer restarts, install the latest version from here
    Note: If you're using a PAID version of Malwarebytes, you will need to reactivate the program using the license you were sent via e-mail.

BEFORE registering and starting the Protection Module, locate the Exclusion List for your Anti-Virus. Probably under an advanced menu in the program.

Add the following folders, sub-folders, and files to the exclusion to be safe.

  • C:\Program Files\Malwarebytes' Anti-Malware
  • C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware
  • C:\WINDOWS\system32\drivers\mbam.sys
  • C:\WINDOWS\system32\drivers\mbamswissarmy.sys

Then UPDATE the MBAM program with the latest definitions and do a QUICK SCAN and post back that log along with a NEW HJT log.
