MBAM/HijackThis blocked

While browsing I noticed three fake alerts in my taskbar (I didn't catch which program it was) and as soon as I did my computer made a god-awful noise and rebooted. Everything seemed fine after the restart until I tried to run an MBAM scan. I updated to the latest version and began a quick scan, which lasted for 2-3 seconds before the window closed. When I tried to reopen MBAM, access was denied. I can reinstall MBAM, but the same thing always happens, and HijackThis is the same way (starts okay, shuts down, access blocked). I ran a system scan with Avira and tried again, but no luck. I also tried the four suggestions under the important topic section, but didn't find anything that looked suspicious there. I'd really like to throttle the bastards who write this malware, but I'm eternally grateful to the fine folks here who work to counter them. Any help would be appreciated. Thanks.


  • Staff

Hi,

Download and run Win32kDiag:


Hey, thanks a lot for responding. I know from reading some other posts that you're very busy, so I really appreciate your time. It seems that Avira updated automatically and was able to run a scan, but there's been no change to the way my computer's been operating. Here's the log you requested:

Log file is located at: C:\Documents and Settings\HP_Administrator\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\$hf_mig$\KB904706\KB904706

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB912812\KB912812

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB912945\KB912945

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB918899\KB918899

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB922760\KB922760

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB925454\KB925454

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB928090\KB928090

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB931768\KB931768

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB933566\KB933566

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB937143\KB937143

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB939653\KB939653

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB941568\KB941568

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB942615\KB942615

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB944533\KB944533

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB947864\KB947864

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Debug\Setup\Backup\Backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ERDNT\ERDNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ftpcache\ftpcache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Cbz\Cbz

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Lib\Lib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPRO\Wave\Wave

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\batch\batch

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\News\News

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\blurbs\blurbs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\css\css

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\errors\errors

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\HpProducts\HpProducts

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\Images\Images

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\Modem\Css\Css

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\Modem\Image\Image

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\Modem\script\script

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\Panels\SubPanels\SubPanels

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\Scripts\en-us\en-us

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\setup.pss\setupupd\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\1201b6f74bae1015eceeea43baed9814\backup\backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\7d49753b93ffa6844bcba39df0e9b771\7d49753b93ffa6844bcba39df0e9b771

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SxsCaPendDel\SxsCaPendDel

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1025\1025

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1028\1028

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1031\1031

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1037\1037

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1041\1041

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1042\1042

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1054\1054

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\2052\2052

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\3076\3076

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\appmgmt\MACHINE\MACHINE

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-3972624610-298468933-3445700536-1007\S-1-5-21-3972624610-298468933-3445700536-1007

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\CatRoot_bak\CatRoot_bak

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\Original\Original

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Identities\{D190EE07-1887-4595-8F62-6253114299D2}\{D190EE07-1887-4595-8F62-6253114299D2}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Intuit\Quicken\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Intuit\Quicken\Data\Data

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\Credentials

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Crypto\RSA\RSA

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\MMC\MMC

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Real\Msg\Msg

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Real\Rhapsody\Rhapsody

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD Burning

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\Credentials

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\ehome\ehome

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Money\15.0\Webcache\Webcache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\WINDOWS\system\system

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\dhcp\dhcp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\ENU\ENU

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-09 23:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2004-08-09 23:00:00 55808 C:\WINDOWS\system32\dllcache\eventlog.dll (Microsoft Corporation)

[2] 2004-08-09 23:00:00 55808 C:\WINDOWS\system32\eventlog(3).dll (Microsoft Corporation)

[1] 2004-08-09 23:00:00 62976 C:\WINDOWS\system32\eventlog.dll ()

[2] 2004-08-09 23:00:00 55808 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

Found mount point : C:\WINDOWS\system32\export\export

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\FxsTmp\FxsTmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\GroupPolicy\Machine\Machine

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\inetsrv\inetsrv

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\LogFiles\WUDF\WUDF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\sample\sample

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\mof\good\good

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wins\wins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\xircom\xircom

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Finished!

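Two things in the log above are what a responder looks for: dozens of directory mount points that all resolve to the same odd device name instead of a real volume, and an inaccessible eventlog.dll whose live copy is a different size (62976 vs 55808) and carries no company name, while the backup copies next to it are the expected Microsoft file. The script below is an added example, not part of this thread and not Win32kDiag's own code; it reads output in the line formats shown above and reports both patterns. The sample input is constructed: four entries copied from the log plus one made-up benign junction (C:\Example\Link) so the allow-list has something to pass, and the allow-list itself (a junction on a single-volume machine should resolve to \Device\HarddiskVolumeN\...) is an assumption made for the example.

```python
"""Flag the two patterns visible in the Win32kDiag output above.

Added example, not Win32kDiag's own code. It assumes the line formats shown in
the log: 'Found mount point : ...' followed by 'Mount point destination : ...',
and 'Cannot access: ...' followed by '[n] date time size path (vendor)' lines.
"""
import re

MOUNT_RE = re.compile(r"^Found mount point : (?P<path>.+)$")
DEST_RE = re.compile(r"^Mount point destination : (?P<dest>.+)$")
CANNOT_RE = re.compile(r"^Cannot access: (?P<path>.+)$")
FILE_RE = re.compile(
    r"^\[\d+\] (?P<date>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<size>\d+) "
    r"(?P<path>.+?) \((?P<vendor>[^)]*)\)$"
)
# Assumption for this example: a junction on an ordinary single-volume machine
# resolves to a real volume device; anything else is reported for review.
NORMAL_DEST = re.compile(r"^\\Device\\HarddiskVolume\d+\\", re.IGNORECASE)

# Constructed sample: entries copied from the log above plus one benign
# junction (C:\Example\Link) made up so the allow-list has something to pass.
SAMPLE_LOG = r"""
Found mount point : C:\WINDOWS\$hf_mig$\KB904706\KB904706
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\temp\temp
Mount point destination : \Device\__max++>\^
Found mount point : C:\Example\Link\Link
Mount point destination : \Device\HarddiskVolume1\Example\Target
Cannot access: C:\WINDOWS\system32\eventlog.dll
[1] 2004-08-09 23:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)
[1] 2004-08-09 23:00:00 55808 C:\WINDOWS\system32\dllcache\eventlog.dll (Microsoft Corporation)
[1] 2004-08-09 23:00:00 62976 C:\WINDOWS\system32\eventlog.dll ()
[2] 2004-08-09 23:00:00 55808 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)
Finished!
"""


def parse(text):
    """Return (mounts, blocked): mounts is a list of (path, destination);
    blocked maps each inaccessible file to the copies listed beneath it."""
    mounts, blocked = [], {}
    pending_mount = current_blocked = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := MOUNT_RE.match(line):
            pending_mount, current_blocked = m.group("path"), None
        elif (m := DEST_RE.match(line)) and pending_mount:
            mounts.append((pending_mount, m.group("dest")))
            pending_mount = None
        elif m := CANNOT_RE.match(line):
            current_blocked = m.group("path")
            blocked[current_blocked] = []
        elif (m := FILE_RE.match(line)) and current_blocked:
            blocked[current_blocked].append(
                {"size": int(m.group("size")),
                 "path": m.group("path"),
                 "vendor": m.group("vendor")})
        else:
            current_blocked = None  # any other line ends the copy list
    return mounts, blocked


def suspicious_mounts(mounts):
    """Directory reparse points whose target is not a normal volume path."""
    return [(path, dest) for path, dest in mounts if not NORMAL_DEST.match(dest)]


def suspicious_files(blocked):
    """Inaccessible files whose live copy disagrees with every backup copy
    in size, or carries no company name while the backups do."""
    findings = []
    for target, copies in blocked.items():
        live = [c for c in copies if c["path"].lower() == target.lower()]
        others = [c for c in copies if c["path"].lower() != target.lower()]
        if not live or not others:
            continue
        live = live[0]
        reasons = []
        if all(c["size"] != live["size"] for c in others):
            backup_sizes = sorted({c["size"] for c in others})
            reasons.append(f"size {live['size']} differs from backup copies {backup_sizes}")
        if not live["vendor"] and any(c["vendor"] for c in others):
            reasons.append("no company name in version info, backup copies have one")
        if reasons:
            findings.append((target, reasons))
    return findings


if __name__ == "__main__":
    mounts, blocked = parse(SAMPLE_LOG)
    for path, dest in suspicious_mounts(mounts):
        print(f"REVIEW mount point {path} -> {dest}")
    for target, reasons in suspicious_files(blocked):
        print(f"REVIEW {target}: " + "; ".join(reasons))
```

Run against the full log it reports every one of the mount points above (all share the same non-volume destination) and the single eventlog.dll entry, which is exactly what the staff member's next step targets. The size/vendor comparison only works because Win32kDiag lists the backup copies it found alongside the blocked file; on a machine without those copies the mount-point check still stands on its own.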

  • Staff

Hi,

1. Please download The Avenger2 by SwanDog46

2. Unzip avenger.exe to your desktop.

3. Copy the text in the following codebox by selecting all of it and pressing (<Control> + C), or by right clicking and selecting "Copy".

Files to move:
C:\WINDOWS\SYSTEM32\logevent.dll | C:\WINDOWS\SYSTEM32\eventlog.dll

4. Now start The Avenger2 by double clicking avenger.exe on your desktop.

5. Read the prompt that appears, and press OK.

6. Paste the script into the textbox that appears, using (<Control> + V) or by right clicking and choosing "Paste".

7. Press the "Execute" button.

8. You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.

Note: It is possible that Avenger will reboot your system TWICE.

9. Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.

Also,

Go to start > run and copy and paste the following command in the field:

"%userprofile%\desktop\win32kdiag.exe" -f -r

This should restore permissions on locked files and remove mountpoints.


Okay, done. I guess it's not a rootkit, although Avira's scan did indicate rootkit activity.

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

No rootkits found!

File move operation "C:\WINDOWS\SYSTEM32\logevent.dll|C:\WINDOWS\SYSTEM32\eventlog.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.


  • Staff

Hi,

Trust me, it is a rootkit... :)

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:


  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

-----------------------------------------------------------

  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

If you still cannot get this to run, try booting into Safe Mode, and run it there.

To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode."

If this doesn't work either, try the same method (above method), but name Combofix.exe to iexplore.exe instead, or winlogon.exe.

This is because it also happens in some cases that malware blocks EVERY process except for what is in its own whitelist, so this whitelist also includes system important processes such as iexplore.exe, explorer.exe, winlogon.exe...


If you say it's a rootkit, I certainly trust you. You've been much more help than any program I've run.

I had to uninstall Avira in order to disable it. For some reason the disable option was not available by right-clicking or in the menu. I think this might be the result of the infection, as I know I've disabled Avira in this way before. I will reinstall it when we're finished here. I'm posting the ComboFix log below, but was still unable to access HijackThis or MBAM. I'm getting a Windows can't access the specified device--don't have permission message box when I try to open them.

ComboFix 09-08-30.01 - HP_Administrator 08/30/2009 21:28.2.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1726 [GMT -5:00]

Running from: c:\documents and settings\HP_Administrator\Desktop\Combo-Fix.exe

FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\msa.exe

c:\windows\run.log

c:\windows\system32\drivers\kbiwkmktliltim.sys

c:\windows\system32\kbiwkmerftxqfj.dat

c:\windows\system32\kbiwkmivotuiho.dll

c:\windows\system32\kbiwkmolnsesvi.dat

c:\windows\system32\kbiwkmppawuxnb.dll

c:\windows\system32\kbiwkmswesismq.dll

c:\windows\system32\kbiwkmtfgnwkib.dat

c:\windows\system32\kbiwkmutowobpv.dll

c:\windows\system32\kbiwkmuxxoqyec.dll

c:\windows\system32\kbiwkmwxwmqpip.dll

c:\windows\system32\uacinit.dll

c:\windows\system32\ytasfwwiigsonv.dat

L:\autorun.inf

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}

-------\Service_kbiwkmylkdmtai

((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-31 )))))))))))))))))))))))))))))))

.

2009-08-27 18:16 . 2009-08-27 18:16 74240 ----a-w- c:\windows\system32\uacbbr.dll

2009-08-27 18:16 . 2009-08-27 18:16 26624 ----a-w- c:\windows\system32\UACwlotnapfuw.dll

2009-08-27 18:16 . 2009-08-27 18:16 54784 ----a-w- c:\windows\system32\drivers\UAChbgrqllvbu.sys

2009-08-02 21:13 . 2009-08-02 21:13 -------- d-sh--w- c:\documents and settings\HP_Administrator\PrivacIE

2009-08-02 21:10 . 2009-08-02 21:10 -------- d-sh--w- c:\documents and settings\HP_Administrator\IETldCache

2009-08-02 21:08 . 2009-08-02 21:08 -------- dc-h--w- c:\windows\ie8

2009-08-01 14:25 . 2009-08-01 14:25 1962544 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe

2009-08-01 14:25 . 2009-08-01 14:33 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2009-08-01 14:25 . 2009-08-01 14:33 -------- d-----w- c:\program files\NOS

2009-08-01 14:20 . 2009-08-01 14:20 -------- d-----w- c:\program files\Common Files\xing shared

2009-08-01 14:20 . 2009-08-01 14:20 -------- d-----w- c:\program files\QuickTime

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-08-29 01:01 . 2008-10-06 02:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-08-29 01:01 . 2008-12-03 19:24 3942048 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2009-08-27 18:05 . 2009-08-27 18:05 889604 ----a-w- c:\windows\system32\xa.tmp

2009-08-05 23:30 . 2009-07-28 22:54 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2009-08-03 18:36 . 2008-10-06 02:20 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-03 18:36 . 2008-10-06 02:20 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-08-01 14:38 . 2006-08-29 03:22 298 ----a-w- c:\documents and settings\HP_Administrator\Application Data\wklnhst.dat

2009-08-01 14:20 . 2006-07-21 06:47 -------- d-----w- c:\program files\Common Files\Real

2009-08-01 11:46 . 2009-07-04 19:53 -------- d-----w- c:\program files\Steam

2009-07-29 22:46 . 2004-08-10 04:00 577536 ----a-w- c:\windows\system32\user32.dll

2009-07-29 22:17 . 2009-07-25 03:59 117760 ----a-w- c:\documents and settings\HP_Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2009-07-28 21:54 . 2009-07-25 03:59 -------- d-----w- c:\program files\SUPERAntiSpyware

2009-07-25 16:25 . 2008-09-28 22:21 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-07-25 16:11 . 2008-10-02 03:12 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!

2009-07-25 15:51 . 2009-07-25 15:51 1688 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg

2009-07-25 15:51 . 2009-07-25 15:51 656 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg

2009-07-25 15:18 . 2009-07-25 15:18 528 ----a-w- c:\program files\ukwjckr.txt

2009-07-25 14:41 . 2009-07-25 04:46 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2009-07-25 13:53 . 2009-07-25 13:53 -------- d-----w- c:\program files\Enigma Software Group

2009-07-25 04:46 . 2009-07-25 04:46 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com

2009-07-25 04:33 . 2009-07-25 04:33 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-07-25 03:59 . 2009-07-25 03:59 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2009-07-25 03:59 . 2009-07-25 03:59 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\SUPERAntiSpyware.com

2009-07-25 03:58 . 2009-07-25 03:58 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2009-07-19 20:01 . 2008-06-04 00:35 1915520 -c--a-w- c:\documents and settings\HP_Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe

2009-07-19 19:08 . 2006-08-28 22:41 -------- d-----w- c:\program files\Google

2009-07-19 19:07 . 2009-07-19 19:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater

2009-07-04 20:43 . 2009-07-04 20:43 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\The Creative Assembly

2009-06-16 14:55 . 2004-08-10 04:00 82432 ----a-w- c:\windows\system32\fontsub.dll

2009-06-16 14:55 . 2004-08-10 04:00 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-03 19:24 . 2004-08-10 04:00 1291264 ----a-w- c:\windows\system32\quartz.dll

2009-06-02 20:47 . 2009-06-02 20:47 390664 ----a-w- c:\documents and settings\HP_Administrator\Application Data\Real\RealPlayer\Update\RealPlayer11.exe

2008-12-17 02:16 . 2008-12-17 02:16 7518240 ----a-w- c:\program files\Firefox Setup 3.0.5.exe

2008-11-12 00:16 . 2008-11-12 00:16 14622342 ----a-w- c:\program files\vlc-0.9.6-win32.exe

2008-11-06 23:38 . 2008-11-06 23:38 2078831 ----a-w- c:\program files\mplayerc_20081005.zip

2006-08-29 23:13 . 2006-08-29 23:13 599592 ----a-w- c:\program files\DMSetup.exe

2006-08-28 22:40 . 2006-08-28 22:40 13736064 ----a-w- c:\program files\GoogleEarthWin.exe

2006-08-28 19:43 . 2006-08-28 19:43 37518744 ----a-w- c:\program files\iTunesSetup.exe

2006-08-28 19:33 . 2006-08-28 19:33 5834344 ----a-w- c:\program files\winzip100.exe

2006-08-28 02:42 . 2008-09-26 21:25 410309 ----a-w- c:\program files\yproxy12.zip

2006-08-28 00:39 . 2006-08-28 00:39 198656 ----a-w- c:\program files\yproxywizard.exe

2006-10-31 01:40 . 2006-10-31 01:40 22 -csha-w- c:\windows\SMINST\HPCD.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-31 7634944]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-08-01 198160]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Updates From HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2006-7-21 36903]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 17:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"xmlprov"=3 (0x3)

"WZCSVC"=2 (0x2)

"wuauserv"=2 (0x2)

"LightScribeService"=2 (0x2)

"iPod Service"=3 (0x3)

"Fax"=3 (0x3)

"ERSvc"=2 (0x2)

"ehSched"=2 (0x2)

"ehRecvr"=2 (0x2)

"Bonjour Service"=2 (0x2)

"BITS"=2 (0x2)

"Apple Mobile Device"=3 (0x3)

"ALG"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\DISC\\DISCover.exe"=

"c:\\Program Files\\DISC\\myFTP.exe"=

"c:\\Program Files\\DISC\\DiscStreamHub.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\BitTornado\\btdownloadgui.exe"=

"c:\\Program Files\\Steam\\SteamApps\\common\\empire total war\\Empire.exe"=

R1 sasdifsv;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 72944]

R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [10/28/2008 4:42 PM 156968]

R3 WN5301;LIteon Wireless PCI Network Adapter Service;c:\windows\system32\drivers\wn5301.sys [7/21/2006 1:40 AM 468768]

S2 gupdate1ca08a443d5b73e;Google Update Service (gupdate1ca08a443d5b73e);c:\program files\Google\Update\GoogleUpdate.exe [7/19/2009 2:08 PM 133104]

S3 s916bus;Sony Ericsson Device 916 driver (WDM);c:\windows\system32\drivers\s916bus.sys [12/28/2008 10:51 PM 83496]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

Contents of the 'Scheduled Tasks' folder

2009-08-31 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-08-03 19:07]

2009-08-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-19 19:08]

2009-08-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-19 19:08]

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-net - c:\windows\system32\net.net

SafeBoot-AVG Anti-Spyware Driver

SafeBoot-AVG Anti-Spyware Guard

.

------- Supplementary Scan -------

.

uStart Page = www.yahoo.com/

uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop

mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop

uInternet Settings,ProxyOverride = *.local;<local>

Trusted Zone: trymedia.com

TCP: {0BA62877-8BEA-458E-9209-6F51E4CC697E} = 208.67.220.220,208.67.222.222

TCP: {49E71310-75FF-497D-BECD-E9C49FE7B764} = 208.67.220.220,208.67.222.222

TCP: {4B7B8D55-4C0A-480F-9C44-79656DC6EC28} = 208.67.220.220,208.67.222.222

TCP: {892900FC-9814-4488-99C0-81491C1EE93D} = 208.67.220.220,208.67.222.222

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\gs1t2cw0.default\

FF - prefs.js: browser.startup.homepage - hxxp://yahoo.com/

FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll

FF - plugin: c:\program files\Google\Google Updater\2.4.1636.7222\npCIDetect13.dll

FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll

.

.

------- File Associations -------

.

JSEFile=NOTEPAD.EXE %1

VBEFile=NOTEPAD.EXE %1

VBSFile=NOTEPAD.EXE %1

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-08-30 21:41

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\kbiwkmylkdmtai]

"imagepath"="\systemroot\system32\drivers\kbiwkmktliltim.sys"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]

@Denied: (A 2) (Everyone)

@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\kbiwkmylkdmtai]

@DACL=(02 0000)

"start"=dword:00000001

"type"=dword:00000001

"group"="file system"

"imagepath"=expand:"\\systemroot\\system32\\drivers\\kbiwkmktliltim.sys"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(868)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(3824)

c:\docume~1\HP_ADM~1\LOCALS~1\Temp\IadHide5.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe

c:\windows\system32\nvsvc32.exe

c:\windows\ehome\mcrdsvc.exe

c:\program files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\ELService.exe

.

**************************************************************************

.

Completion time: 2009-08-31 21:52 - machine was rebooted

ComboFix-quarantined-files.txt 2009-08-31 02:52

ComboFix2.txt 2009-07-29 23:32

Pre-Run: 178,401,415,168 bytes free

Post-Run: 179,295,682,560 bytes free

254 --- E O F --- 2009-07-28 03:44


  • Staff

Hi,

* Open Notepad - don't use any other text editor than Notepad or the script will fail.

Copy/paste the text in the quotebox below into notepad:

File::

c:\windows\system32\uacbbr.dll

c:\windows\system32\UACwlotnapfuw.dll

c:\windows\system32\drivers\UAChbgrqllvbu.sys

c:\program files\ukwjckr.txt

Collect::[8]

c:\windows\system32\xa.tmp

Driver::

REGLOCKDEL::

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\kbiwkmylkdmtai]

Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScript.gif]

This will start ComboFix again.

Then, please visit this site:

http://www.bleepingcomputer.com/submit-malware.php?channel=8

Where it says: "Browse to the file you want to submit", use the Browse button to navigate to the following file: C:\Qoobox\Quarantine\[8]-Submit_date_time.zip (date_time will be replaced with the date and time when this file was created)

Then click the "Send File" button below in order to upload it.

After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.


Okay, the file was accepted at the site. Here is the ComboFix log:

ComboFix 09-08-31.03 - HP_Administrator 08/31/2009 17:50.3.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1675 [GMT -5:00]

Running from: c:\documents and settings\HP_Administrator\Desktop\Combo-Fix.exe

Command switches used :: c:\documents and settings\HP_Administrator\Desktop\CFScript.txt

FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

FILE ::

"c:\program files\ukwjckr.txt"

"c:\windows\system32\drivers\UAChbgrqllvbu.sys"

"c:\windows\system32\uacbbr.dll"

"c:\windows\system32\UACwlotnapfuw.dll"

file zipped: c:\windows\system32\xa.tmp

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\docume~1\HP_ADM~1\LOCALS~1\Temp\IadHide5.dll

c:\documents and settings\HP_Administrator\Local Settings\temp\IadHide5.dll

c:\program files\ukwjckr.txt

c:\windows\system32\drivers\UAChbgrqllvbu.sys

c:\windows\system32\uacbbr.dll

c:\windows\system32\UACwlotnapfuw.dll

c:\windows\system32\xa.tmp

L:\Autorun.inf

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_kbiwkmylkdmtai

-------\Service_kbiwkmylkdmtai

((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-31 )))))))))))))))))))))))))))))))

.

2009-08-31 03:13 . 2009-08-31 03:13 -------- d-----w- c:\windows\ie8updates

2009-08-31 02:51 . 2009-07-03 17:09 594432 ------w- c:\windows\system32\dllcache\msfeeds.dll

2009-08-31 02:51 . 2009-07-03 17:09 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll

2009-08-31 02:51 . 2009-07-03 17:09 12800 ------w- c:\windows\system32\dllcache\xpshims.dll

2009-08-31 02:51 . 2009-07-03 17:09 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll

2009-08-31 02:51 . 2009-07-03 17:09 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll

2009-08-02 21:13 . 2009-08-02 21:13 -------- d-sh--w- c:\documents and settings\HP_Administrator\PrivacIE

2009-08-02 21:10 . 2009-08-02 21:10 -------- d-sh--w- c:\documents and settings\HP_Administrator\IETldCache

2009-08-02 21:08 . 2009-08-02 21:08 -------- dc-h--w- c:\windows\ie8

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-08-29 01:01 . 2008-10-06 02:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-08-29 01:01 . 2008-12-03 19:24 3942048 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2009-08-05 23:30 . 2009-07-28 22:54 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2009-08-05 09:11 . 2004-08-10 04:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-08-03 18:36 . 2008-10-06 02:20 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-03 18:36 . 2008-10-06 02:20 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-08-01 14:38 . 2006-08-29 03:22 298 ----a-w- c:\documents and settings\HP_Administrator\Application Data\wklnhst.dat

2009-08-01 14:33 . 2009-08-01 14:25 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2009-08-01 14:33 . 2009-08-01 14:25 -------- d-----w- c:\program files\NOS

2009-08-01 14:25 . 2009-08-01 14:25 1962544 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe

2009-08-01 14:20 . 2009-08-01 14:20 -------- d-----w- c:\program files\QuickTime

2009-08-01 14:20 . 2009-08-01 14:20 -------- d-----w- c:\program files\Common Files\xing shared

2009-08-01 14:20 . 2006-07-21 06:47 -------- d-----w- c:\program files\Common Files\Real

2009-08-01 11:46 . 2009-07-04 19:53 -------- d-----w- c:\program files\Steam

2009-07-29 22:46 . 2004-08-10 04:00 577536 ------w- c:\windows\system32\user32.dll

2009-07-29 22:17 . 2009-07-25 03:59 117760 ----a-w- c:\documents and settings\HP_Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2009-07-28 21:54 . 2009-07-25 03:59 -------- d-----w- c:\program files\SUPERAntiSpyware

2009-07-25 16:25 . 2008-09-28 22:21 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-07-25 16:11 . 2008-10-02 03:12 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!

2009-07-25 15:51 . 2009-07-25 15:51 1688 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg

2009-07-25 15:51 . 2009-07-25 15:51 656 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg

2009-07-25 14:41 . 2009-07-25 04:46 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2009-07-25 13:53 . 2009-07-25 13:53 -------- d-----w- c:\program files\Enigma Software Group

2009-07-25 04:46 . 2009-07-25 04:46 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com

2009-07-25 04:33 . 2009-07-25 04:33 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-07-25 03:59 . 2009-07-25 03:59 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2009-07-25 03:59 . 2009-07-25 03:59 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\SUPERAntiSpyware.com

2009-07-25 03:58 . 2009-07-25 03:58 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2009-07-19 20:01 . 2008-06-04 00:35 1915520 -c--a-w- c:\documents and settings\HP_Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe

2009-07-19 19:08 . 2006-08-28 22:41 -------- d-----w- c:\program files\Google

2009-07-19 19:07 . 2009-07-19 19:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater

2009-07-17 18:55 . 2004-08-10 04:00 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-14 04:43 . 2004-08-10 04:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll

2009-07-04 20:43 . 2009-07-04 20:43 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\The Creative Assembly

2009-07-03 17:09 . 2004-08-10 04:00 915456 ----a-w- c:\windows\system32\wininet.dll

2009-06-25 18:36 . 2004-08-10 04:00 95744 ----a-w- c:\windows\system32\mqsec.dll

2009-06-25 18:36 . 2004-08-10 04:00 661504 ----a-w- c:\windows\system32\mqqm.dll

2009-06-25 18:36 . 2004-08-10 04:00 517120 ----a-w- c:\windows\system32\mqsnap.dll

2009-06-25 18:36 . 2004-08-10 04:00 48640 ----a-w- c:\windows\system32\mqupgrd.dll

2009-06-25 18:36 . 2004-08-10 04:00 471552 ----a-w- c:\windows\system32\mqutil.dll

2009-06-25 18:36 . 2004-08-10 04:00 47104 ----a-w- c:\windows\system32\mqdscli.dll

2009-06-25 18:36 . 2004-08-10 04:00 225280 ----a-w- c:\windows\system32\mqoa.dll

2009-06-25 18:36 . 2004-08-10 04:00 186880 ----a-w- c:\windows\system32\mqtrig.dll

2009-06-25 18:36 . 2004-08-10 04:00 177152 ----a-w- c:\windows\system32\mqrt.dll

2009-06-25 18:36 . 2004-08-10 04:00 16896 ----a-w- c:\windows\system32\mqise.dll

2009-06-25 18:36 . 2004-08-10 04:00 138240 ----a-w- c:\windows\system32\mqad.dll

2009-06-25 18:36 . 2004-08-10 04:00 123392 ----a-w- c:\windows\system32\mqrtdep.dll

2009-06-22 11:49 . 2004-08-10 04:00 19968 ----a-w- c:\windows\system32\mqbkup.exe

2009-06-22 11:49 . 2004-08-10 04:00 117248 ----a-w- c:\windows\system32\mqtgsvc.exe

2009-06-22 11:49 . 2004-08-10 04:00 4608 ----a-w- c:\windows\system32\mqsvc.exe

2009-06-22 11:48 . 2004-08-10 04:00 91776 ----a-w- c:\windows\system32\drivers\mqac.sys

2009-06-16 14:55 . 2004-08-10 04:00 82432 ----a-w- c:\windows\system32\fontsub.dll

2009-06-16 14:55 . 2004-08-10 04:00 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-12 11:50 . 2004-08-10 04:00 80896 ----a-w- c:\windows\system32\tlntsess.exe

2009-06-12 11:50 . 2004-08-10 11:00 76288 ----a-w- c:\windows\system32\telnet.exe

2009-06-10 14:21 . 2004-08-10 04:00 84992 ----a-w- c:\windows\system32\avifil32.dll

2009-06-10 06:32 . 2004-08-10 04:00 132096 ----a-w- c:\windows\system32\wkssvc.dll

2009-06-05 07:42 . 2004-08-10 04:00 655872 ----a-w- c:\windows\system32\mstscax.dll

2009-06-03 19:24 . 2004-08-10 04:00 1291264 ----a-w- c:\windows\system32\quartz.dll

2008-12-17 02:16 . 2008-12-17 02:16 7518240 ----a-w- c:\program files\Firefox Setup 3.0.5.exe

2008-11-12 00:16 . 2008-11-12 00:16 14622342 ----a-w- c:\program files\vlc-0.9.6-win32.exe

2008-11-06 23:38 . 2008-11-06 23:38 2078831 ----a-w- c:\program files\mplayerc_20081005.zip

2006-08-29 23:13 . 2006-08-29 23:13 599592 ----a-w- c:\program files\DMSetup.exe

2006-08-28 22:40 . 2006-08-28 22:40 13736064 ----a-w- c:\program files\GoogleEarthWin.exe

2006-08-28 19:43 . 2006-08-28 19:43 37518744 ----a-w- c:\program files\iTunesSetup.exe

2006-08-28 19:33 . 2006-08-28 19:33 5834344 ----a-w- c:\program files\winzip100.exe

2006-08-28 02:42 . 2008-09-26 21:25 410309 ----a-w- c:\program files\yproxy12.zip

2006-08-28 00:39 . 2006-08-28 00:39 198656 ----a-w- c:\program files\yproxywizard.exe

2006-10-31 01:40 . 2006-10-31 01:40 22 -csha-w- c:\windows\SMINST\HPCD.sys

.

((((((((((((((((((((((((((((( SnapShot@2009-08-31_02.41.09 )))))))))))))))))))))))))))))))))))))))))

.


- 2009-05-01 22:23 . 2009-05-01 22:23 258048 c:\windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll

+ 2009-08-31 03:15 . 2009-08-31 03:15 258048 c:\windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll

+ 2009-08-31 03:15 . 2009-08-31 03:15 131072 c:\windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll

- 2009-05-01 22:23 . 2009-05-01 22:23 131072 c:\windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll

+ 2009-08-31 03:15 . 2009-08-31 03:15 303104 c:\windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll

- 2009-05-01 22:23 . 2009-05-01 22:23 303104 c:\windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll

- 2009-05-01 22:23 . 2009-05-01 22:23 258048 c:\windows\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll

+ 2009-08-31 03:15 . 2009-08-31 03:15 258048 c:\windows\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll

- 2009-05-01 22:23 . 2009-05-01 22:23 372736 c:\windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll

+ 2009-08-31 03:15 . 2009-08-31 03:15 372736 c:\windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll

+ 2009-08-31 03:15 . 2009-08-31 03:15 626688 c:\windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll

- 2009-05-01 22:23 . 2009-05-01 22:23 626688 c:\windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll

- 2009-05-01 22:23 . 2009-05-01 22:23 401408 c:\windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll

+ 2009-08-31 03:15 . 2009-08-31 03:15 401408 c:\windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll

+ 2009-08-31 03:15 . 2009-08-31 03:15 188416 c:\windows\assembly\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll

- 2009-05-01 22:23 . 2009-05-01 22:23 188416 c:\windows\assembly\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll

+ 2009-08-31 03:15 . 2009-08-31 03:15 970752 c:\windows\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll

- 2009-05-01 22:23 . 2009-05-01 22:23 970752 c:\windows\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll

+ 2009-08-31 03:15 . 2009-08-31 03:15 745472 c:\windows\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll

- 2009-05-01 22:23 . 2009-05-01 22:23 745472 c:\windows\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll

- 2009-05-01 22:25 . 2009-05-01 22:25 442368 c:\windows\assembly\GAC_MSIL\System.Data.Services\3.5.0.0__b77a5c561934e089\System.Data.Services.dll

+ 2009-08-31 03:15 . 2009-08-31 03:15 442368 c:\windows\assembly\GAC_MSIL\System.Data.Services\3.5.0.0__b77a5c561934e089\System.Data.Services.dll

- 2009-05-01 22:25 . 2009-05-01 22:25 294912 c:\windows\assembly\GAC_MSIL\System.Data.Services.Client\3.5.0.0__b77a5c561934e089\System.Data.Services.Client.dll

+ 2009-08-31 03:15 . 2009-08-31 03:15 294912 c:\windows\assembly\GAC_MSIL\System.Data.Services.Client\3.5.0.0__b77a5c561934e089\System.Data.Services.Client.dll

+ 2009-08-31 03:15 . 2009-08-31 03:15 425984 c:\windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll

- 2009-05-01 22:23 . 2009-05-01 22:23 425984 c:\windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll

- 2009-05-01 22:23 . 2009-05-01 22:23 110592 c:\windows\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll

+ 2009-08-31 03:15 . 2009-08-31 03:15 110592 c:\windows\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll

+ 2009-08-31 03:15 . 2009-08-31 03:15 659456 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll

- 2009-05-01 22:23 . 2009-05-01 22:23 659456 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll

- 2009-05-01 22:23 . 2009-05-01 22:23 372736 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll

+ 2009-08-31 03:15 . 2009-08-31 03:15 372736 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll

- 2009-05-01 22:23 . 2009-05-01 22:23 110592 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll

+ 2009-08-31 03:15 . 2009-08-31 03:15 110592 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll

- 2009-05-01 22:23 . 2009-05-01 22:23 749568 c:\windows\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll

+ 2009-08-31 03:15 . 2009-08-31 03:15 749568 c:\windows\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll

+ 2009-08-31 03:15 . 2009-08-31 03:15 655360 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll

- 2009-05-01 22:23 . 2009-05-01 22:23 655360 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll

- 2009-05-01 22:23 . 2009-05-01 22:23 348160 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll

+ 2009-08-31 03:15 . 2009-08-31 03:15 348160 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll

+ 2009-08-31 03:15 . 2009-08-31 03:15 507904 c:\windows\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll

- 2009-05-01 22:23 . 2009-05-01 22:23 507904 c:\windows\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll

- 2009-05-01 22:23 . 2009-05-01 22:23 261632 c:\windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll

+ 2009-08-31 03:15 . 2009-08-31 03:15 261632 c:\windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll

- 2009-05-01 22:23 . 2009-05-01 22:23 113664 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll

+ 2009-08-31 03:15 . 2009-08-31 03:15 113664 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll

+ 2009-08-31 03:15 . 2009-08-31 03:15 258048 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll

- 2009-05-01 22:23 . 2009-05-01 22:23 258048 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll

- 2009-05-01 22:23 . 2009-05-01 22:23 486400 c:\windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll

+ 2009-08-31 03:15 . 2009-08-31 03:15 486400 c:\windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll

+ 2004-08-10 04:00 . 2009-07-03 17:09 1208832 c:\windows\system32\urlmon.dll

- 2004-08-10 04:00 . 2009-03-08 09:41 5937152 c:\windows\system32\mshtml.dll

+ 2004-08-10 04:00 . 2009-07-19 13:18 5937152 c:\windows\system32\mshtml.dll

+ 2009-03-08 09:32 . 2009-07-03 17:09 1985536 c:\windows\system32\iertutil.dll

+ 2004-08-10 04:00 . 2009-07-03 17:09 1208832 c:\windows\system32\dllcache\urlmon.dll

+ 2004-08-10 04:00 . 2009-07-10 13:42 1315328 c:\windows\system32\dllcache\msoe.dll

+ 2004-08-10 04:00 . 2009-07-19 13:18 5937152 c:\windows\system32\dllcache\mshtml.dll

- 2004-08-10 04:00 . 2009-03-08 09:41 5937152 c:\windows\system32\dllcache\mshtml.dll

+ 2008-12-06 00:35 . 2008-12-06 00:35 1736528 c:\windows\Microsoft.NET\Framework\v3.0\WPF\wpfgfx_v0300.dll

+ 2008-12-06 01:12 . 2008-12-06 01:12 5931008 c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\System.ServiceModel.dll

- 2008-07-30 00:16 . 2008-07-30 00:16 5931008 c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\System.ServiceModel.dll

+ 2008-11-25 09:59 . 2008-11-25 09:59 2048000 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.XML.dll

- 2008-07-25 16:17 . 2008-07-25 16:17 2048000 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.XML.dll

+ 2008-11-25 09:59 . 2008-11-25 09:59 5242880 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Web.dll

+ 2008-11-25 09:59 . 2008-11-25 09:59 5813576 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll

- 2008-07-25 16:17 . 2008-07-25 16:17 4546560 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorlib.dll

+ 2008-11-25 09:59 . 2008-11-25 09:59 4546560 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorlib.dll

+ 2008-12-13 14:57 . 2008-12-13 14:57 8397824 c:\windows\Installer\210501.msp

+ 2009-08-31 03:13 . 2009-03-08 09:34 1206784 c:\windows\ie8updates\KB972260-IE8\urlmon.dll

+ 2009-08-31 03:13 . 2009-03-08 09:41 5937152 c:\windows\ie8updates\KB972260-IE8\mshtml.dll

+ 2009-08-31 03:13 . 2009-03-08 09:32 1985024 c:\windows\ie8updates\KB972260-IE8\iertutil.dll

+ 2009-08-31 22:39 . 2009-08-31 22:39 3313664 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsBase\14cd5f4b61d35f9b76327d6be9853755\WindowsBase.ni.dll

+ 2009-08-31 22:41 . 2009-08-31 22:41 1049600 c:\windows\assembly\NativeImages_v2.0.50727_32\UIAutomationClients#\f3c7957351aec85f526a3350c9718b1e\UIAutomationClientsideProviders.ni.dll

+ 2009-08-31 03:16 . 2009-08-31 03:16 7868416 c:\windows\assembly\NativeImages_v2.0.50727_32\System\80978a322d7dd39f0a71be1251ae395a\System.ni.dll

+ 2009-08-31 22:41 . 2009-08-31 22:41 5450752 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Xml\773a9786013451d3baaeff003dc4230f\System.Xml.ni.dll

+ 2009-08-31 22:41 . 2009-08-31 22:41 1917440 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Speech\63cf639b6e0a3c25c1643c85016e7422\System.Speech.ni.dll

+ 2009-08-31 22:41 . 2009-08-31 22:41 1035264 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Printing\646ab52eef343380aa002c220dc31e13\System.Printing.ni.dll

+ 2009-08-31 22:41 . 2009-08-31 22:41 1587200 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\3da96ee075bab9202626ae44c18d226c\System.Drawing.ni.dll

+ 2009-08-31 22:40 . 2009-08-31 22:40 6616576 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data\c70731047b0022638b3f9fb158948a03\System.Data.ni.dll

+ 2009-08-31 22:40 . 2009-08-31 22:40 2516480 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Linq\0bbec79460b1137df5313f9baf7b246f\System.Data.Linq.ni.dll

+ 2009-08-31 22:40 . 2009-08-31 22:40 2295296 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Core\47d87251e93256c635eb73403b8db33e\System.Core.ni.dll

+ 2009-08-31 22:40 . 2009-08-31 22:40 2128896 c:\windows\assembly\NativeImages_v2.0.50727_32\ReachFramework\4bfb3048bf200a6a8592d1b4ba861a7f\ReachFramework.ni.dll

+ 2009-08-31 22:40 . 2009-08-31 22:40 1657856 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationUI\6bafb1a2a73794ddb9761cb321c9e7e2\PresentationUI.ni.dll

+ 2009-08-31 03:16 . 2009-08-31 03:16 1451008 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationBuildTa#\e634bc4c4a00635a0a254febab0e2e2c\PresentationBuildTasks.ni.dll

- 2009-05-01 22:23 . 2009-05-01 22:23 3149824 c:\windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll

+ 2009-08-31 03:15 . 2009-08-31 03:15 3149824 c:\windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll

+ 2009-08-31 03:15 . 2009-08-31 03:15 2048000 c:\windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll

- 2009-05-01 22:23 . 2009-05-01 22:23 2048000 c:\windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll

- 2009-05-01 22:23 . 2009-05-01 22:23 5025792 c:\windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll

+ 2009-08-31 03:15 . 2009-08-31 03:15 5025792 c:\windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll

- 2009-05-01 22:25 . 2009-05-01 22:25 1277952 c:\windows\assembly\GAC_MSIL\System.Web.Extensions\3.5.0.0__31bf3856ad364e35\System.Web.Extensions.dll

+ 2009-08-31 03:15 . 2009-08-31 03:15 1277952 c:\windows\assembly\GAC_MSIL\System.Web.Extensions\3.5.0.0__31bf3856ad364e35\System.Web.Extensions.dll

+ 2009-08-31 03:15 . 2009-08-31 03:15 5931008 c:\windows\assembly\GAC_MSIL\System.ServiceModel\3.0.0.0__b77a5c561934e089\System.ServiceModel.dll

- 2009-05-01 22:24 . 2009-05-01 22:24 5931008 c:\windows\assembly\GAC_MSIL\System.ServiceModel\3.0.0.0__b77a5c561934e089\System.ServiceModel.dll

- 2009-05-01 22:23 . 2009-05-01 22:23 5062656 c:\windows\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll

+ 2009-08-31 03:15 . 2009-08-31 03:15 5062656 c:\windows\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll

+ 2009-08-31 03:15 . 2009-08-31 03:15 5283840 c:\windows\assembly\GAC_MSIL\PresentationFramework\3.0.0.0__31bf3856ad364e35\PresentationFramework.dll

- 2009-05-01 22:24 . 2009-05-01 22:25 5283840 c:\windows\assembly\GAC_MSIL\PresentationFramework\3.0.0.0__31bf3856ad364e35\PresentationFramework.dll

+ 2009-08-31 03:15 . 2009-08-31 03:15 5242880 c:\windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll

- 2009-05-01 22:23 . 2009-05-01 22:23 2933248 c:\windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll

+ 2009-08-31 03:15 . 2009-08-31 03:15 2933248 c:\windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll

+ 2009-08-31 03:15 . 2009-08-31 03:15 4546560 c:\windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll

- 2009-05-01 22:23 . 2009-05-01 22:23 4546560 c:\windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll

+ 2004-08-10 04:00 . 2009-07-14 04:43 10841088 c:\windows\system32\wmp.dll

+ 2006-08-28 17:33 . 2009-07-30 00:49 24281536 c:\windows\system32\MRT.exe

+ 2009-03-08 09:39 . 2009-07-19 23:48 11067392 c:\windows\system32\ieframe.dll

+ 2004-08-10 04:00 . 2009-07-14 04:43 10841088 c:\windows\system32\dllcache\wmp.dll

+ 2009-07-19 23:48 . 2009-07-19 23:48 11067392 c:\windows\system32\dllcache\ieframe.dll

+ 2008-12-13 15:21 . 2008-12-13 15:21 10473472 c:\windows\Installer\21050e.msp

+ 2009-08-31 03:13 . 2009-03-08 09:39 11063808 c:\windows\ie8updates\KB972260-IE8\ieframe.dll

+ 2009-08-31 22:41 . 2009-08-31 22:41 12430848 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\63406259e94d5c0ff5b79401dfe113ce\System.Windows.Forms.ni.dll

+ 2009-08-31 22:41 . 2009-08-31 22:41 10683392 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Design\8ee220bc3cce4f7bbd7818946519ed7f\System.Design.ni.dll

+ 2009-08-31 22:40 . 2009-08-31 22:40 14327808 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\96e710f47c601cba3f2348a8d11ddede\PresentationFramework.ni.dll

+ 2009-08-31 22:40 . 2009-08-31 22:40 12216320 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationCore\956375d487cbef36165b3250030e3574\PresentationCore.ni.dll

+ 2009-08-31 03:15 . 2009-08-31 03:15 11486720 c:\windows\assembly\NativeImages_v2.0.50727_32\mscorlib\6d667f19d687361886990f3ca0f49816\mscorlib.ni.dll

.

-- Snapshot reset to current date --

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-31 7634944]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-08-01 198160]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Updates From HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2006-7-21 36903]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 17:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"xmlprov"=3 (0x3)

"WZCSVC"=2 (0x2)

"wuauserv"=2 (0x2)

"LightScribeService"=2 (0x2)

"iPod Service"=3 (0x3)

"Fax"=3 (0x3)

"ERSvc"=2 (0x2)

"ehSched"=2 (0x2)

"ehRecvr"=2 (0x2)

"Bonjour Service"=2 (0x2)

"BITS"=2 (0x2)

"Apple Mobile Device"=3 (0x3)

"ALG"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\DISC\\DISCover.exe"=

"c:\\Program Files\\DISC\\myFTP.exe"=

"c:\\Program Files\\DISC\\DiscStreamHub.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\BitTornado\\btdownloadgui.exe"=

"c:\\Program Files\\Steam\\SteamApps\\common\\empire total war\\Empire.exe"=

R1 sasdifsv;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 72944]

R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [10/28/2008 4:42 PM 156968]

R3 WN5301;LIteon Wireless PCI Network Adapter Service;c:\windows\system32\drivers\wn5301.sys [7/21/2006 1:40 AM 468768]

S2 gupdate1ca08a443d5b73e;Google Update Service (gupdate1ca08a443d5b73e);c:\program files\Google\Update\GoogleUpdate.exe [7/19/2009 2:08 PM 133104]

S3 s916bus;Sony Ericsson Device 916 driver (WDM);c:\windows\system32\drivers\s916bus.sys [12/28/2008 10:51 PM 83496]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

Contents of the 'Scheduled Tasks' folder

2009-08-31 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-08-03 19:07]

2009-08-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-19 19:08]

2009-08-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-19 19:08]

.

.

------- Supplementary Scan -------

.

uStart Page = www.yahoo.com/

uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop

mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop

uInternet Settings,ProxyOverride = *.local;<local>

Trusted Zone: trymedia.com

TCP: {0BA62877-8BEA-458E-9209-6F51E4CC697E} = 208.67.220.220,208.67.222.222

TCP: {49E71310-75FF-497D-BECD-E9C49FE7B764} = 208.67.220.220,208.67.222.222

TCP: {4B7B8D55-4C0A-480F-9C44-79656DC6EC28} = 208.67.220.220,208.67.222.222

TCP: {892900FC-9814-4488-99C0-81491C1EE93D} = 208.67.220.220,208.67.222.222

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\gs1t2cw0.default\

FF - prefs.js: browser.startup.homepage - hxxp://yahoo.com/

FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll

FF - plugin: c:\program files\Google\Google Updater\2.4.1636.7222\npCIDetect13.dll

FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-08-31 18:00

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]

@Denied: (A 2) (Everyone)

@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(864)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3008)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe

c:\windows\system32\nvsvc32.exe

c:\windows\ehome\mcrdsvc.exe

c:\program files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\ELService.exe

.

**************************************************************************

.

Completion time: 2009-08-31 18:12 - machine was rebooted

ComboFix-quarantined-files.txt 2009-08-31 23:12

ComboFix2.txt 2009-08-31 02:52

ComboFix3.txt 2009-07-29 23:32

Pre-Run: 178,912,989,184 bytes free

Post-Run: 178,819,547,136 bytes free

531 --- E O F --- 2009-08-31 03:16


  • Staff

Hi,

This looks OK again.

* Go to start > run and copy and paste next command in the field:

Combo-Fix.exe /u

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.


I had to change the name of the file to CombFix instead of Combo-Fix (even though that's how it was renamed during the download), but the uninstall was successful. I was able to run a MBAM scan after reinstalling the program, and it found nothing. Everything seems normal, except that I still can't access HijackThis, but I'm not too concerned about that at this point. If you think we are finished, I will go ahead and download Avira again and get that running. Seeing as it didn't stop this infection to begin with, is there an anti-virus program that you would recommend that would offer better protection (Kaspersky or Bitdefender, perhaps)?

Again, I can't thank you enough for your help. I owe you big time, my friend. I feel like I should be paying you for your services, or at least donating to a charity of your choice or something.


  • Staff
I had to change the name of the file to CombFix instead of Combo-Fix (even though that's how it was renamed during the download)
Yes, that makes sense. I guess it's not updated in the app paths key in this case, which explains why renamed versions of ComboFix can't be found under start > run (except when you include the full path to the file, of course).

Good you figured that out already :)

Everything seems normal, except that I still can't access HijackThis, but I'm not too concerned about that at this point.
Must be because it's still locked/has denied permissions, so...

1) Please download this file

2) Place fr33.exe next to the exe file that doesn't want to run

3) Drag the exefile into fr33.exe. That shall free/unlock it.

Example of how to do this (this is an example with the Malwarebytes exe file, mbam.exe):

Fr33_mbam.gif

You can do that with every exe file that cannot run.

Or, in case you want to know how to do this manually and take ownership of locked files, then please see here (XP/Vista) for more info. Note: on XP Home, the "Security" tab is only visible in Safe Mode. In case there's no Security tab in XP Pro, then please see here (XP Pro).

But there's no need to do it manually if you use fr33.exe instead to "unlock" files. :)

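The manual route the helper points to (taking ownership of the locked executable and removing the Deny permissions that produce the "access denied") as an added PowerShell example; this is not from the thread or the fr33.exe tool, needs an elevated prompt on Vista or later, and the install path in the usage lines is an assumption.

```powershell
# Added example; not from the thread, the helper or the fr33.exe tool.
# Reports the explicit Deny ACEs on an executable (what the thread calls a locked
# file) and, with -Repair, takes ownership and removes them.

function Get-ExplicitDenyAces {
    param([Parameter(Mandatory = $true)][string]$Path)
    # Only explicit (non-inherited) Deny entries are reported: a per-file lock is
    # written on the file itself, while inherited entries come from the parent folder.
    (Get-Acl -LiteralPath $Path -ErrorAction Stop).Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and -not $_.IsInherited
    }
}

function Restore-ExecutableAccess {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [switch]$Repair   # without -Repair the function only reports and changes nothing
    )
    if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }

    if ($Repair) {
        # Take ownership first. The owner of a file always has READ_CONTROL and WRITE_DAC,
        # whatever the DACL says, so the steps below work even when Everyone is denied
        # Full Control. takeown.exe enables SeTakeOwnershipPrivilege itself; /A assigns
        # the file to BUILTIN\Administrators rather than to the current user.
        & takeown.exe /F $Path /A | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "takeown failed for $Path (prompt not elevated?)" }
    }

    try {
        $deny = @(Get-ExplicitDenyAces -Path $Path)
    } catch {
        # READ_CONTROL is denied as well: without ownership the ACL cannot even be listed.
        Write-Warning "Cannot read the ACL of ${Path}: $($_.Exception.Message). Rerun with -Repair."
        return $null
    }

    foreach ($ace in $deny) {
        Write-Host ("Deny  {0,-30} {1}" -f $ace.IdentityReference, $ace.FileSystemRights)
    }
    if ($deny.Count -eq 0) { Write-Host "No explicit Deny entries on $Path"; return $deny }
    if (-not $Repair) { return $deny }

    # Remove each explicit Deny ACE and write the cleaned DACL back.
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $deny) { [void]$acl.RemoveAccessRule($ace) }
    Set-Acl -LiteralPath $Path -AclObject $acl
    Write-Host "Removed $($deny.Count) Deny entries from $Path"
    return $deny
}

# Usage with an assumed install path: report first, then repair.
# Restore-ExecutableAccess -Path 'C:\Program Files\Malwarebytes'' Anti-Malware\mbam.exe'
# Restore-ExecutableAccess -Path 'C:\Program Files\Malwarebytes'' Anti-Malware\mbam.exe' -Repair
```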

That was easy enough, and everything seems to be fine. Unless there's something else I need to do, I suppose we can close the thread. I'm going to go ahead and download Avira again for some added protection.

Once again, thanks so much for your help, Mieke. I really appreciate it. As your title suggests, you really are a goddess.


  • Staff

Glad I could help. :)

Please read my Prevention page with lots of info and tips on how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!
