
MBAM.exe will not Run (Security Tool)



Hello, I am having one of those "MBAM-Setup.exe won't run" type errors. The cause of my aggravation is called Security Tool. It is described here:

http://www.bleepingcomputer.com/virus-remo...e-security-tool

I did the steps, but obviously, with me being here and all, it didn't work.

I have tried multiple things: SUPERAntiSpyware, some random free virus suites, Spybot, MalwareBytes. At one point I did run ComboFix, but cut it short because I figured all it would do was list my problems, not fix them. (I realize now that might have been a mistake.) None of these worked; Security Tool had me wherever I turned. MalwareBytes is my only hope now.

The problem lies after the installation of MalwareBytes. It'll install perfectly, but then when I load it up, a dialog box will appear (entitled "Setup"): Unable to execute file.. (directories) CreateProcess failed; code 2. The system cannot find the file specified (the file specified being "mbam.exe").

I have tried to rename the setup, no avail.

I am running off of Windows XP.

Please do help, the problem is getting so bad that I can no longer get on the internet with that computer, Security Tool will block IE from connecting and won't even let me open Chrome (because it's "virused").

I am hoping that the answer does not involve ComboFix, it's going to be a pain to download the Console for my other computer. I am hoping we can do what some other article said and attack the malware at its roots so I can then run MBAM and kill it off completely. :D

All help is welcome and gratefully accepted; though the fake BSoD's were funny at first, they are really starting to aggravate me.


Hi, I just wanted to post saying I am still here. I've been running the diag on the other computer, but it's been over one day. Should I let it keep running? The computer is giving me a busy light and it sounds like it's working, the console is still showing new things now and then. Should I be concerned that it keeps saying it can't access certain directories?

Should I keep this up or do you have something better in mind?


  • Staff

Hi,

Is there a report on the Desktop?

If it doesn't finish soon, please run a GMER Rootkit scan:

Download GMER's application from here:

http://www.gmer.net/gmer.zip

Unzip it and start the GMER.exe

Click the Rootkit tab and click the Scan button.

Once done, click the Copy button.

This will copy the results to your clipboard.

Paste the results in your next reply.

Warning ! Please, do not select the "Show all" checkbox during the scan.

-screen317


Thank you for taking the time to help with my problem, sorry about the PM, I guess I hadn't realized your employment status with MalwareBytes.

The scan has been running for 2+ days now, I called it quits and am just about to run the other program you recommended. I've attached what I got before I closed Win32kDiag.exe. I will post what I get with GMER, if you don't suggest something else before then. Thanks!

Win32kDiag.txt


This morning GMER finished, I clicked copy and pasted it into Wordpad, but then an error saying I had no more resources popped up. My mouse went dead, and even though I am pretty handy with just a keyboard, nothing I tried would allow me to paste. I was so close! I am going to run it again right now, then hopefully it will be done by the time I get back from my occupation.


It happened again. This time I was going to hit save and save it to my jumpdrive so I could bring it over on this computer, but again, no more system resources. This is driving me mad. I'm going to run GMER ONE more time, it'd better work this time. Are you sure you can't give me directions from my failed, shortened Win32kDiag log?


  • Staff

Unfortunately, your Win32kDiag log didn't make it far enough to tell me what I needed to see. If you'd like to take a chance, I can make an educated guess of what it was going to show.

Side note: copy the logs to Notepad, not Wordpad.

We need to execute an Avenger2 script.

Note to users reading this topic! This script was created specifically for the particular infection on this specific machine! If you are not this user, do NOT follow these directions as they could damage the workings of your system.

  1. Please download The Avenger2 by Swandog46.
  2. Unzip avenger.exe to your desktop.
  3. Copy the text in the following codebox by selecting all of it, and pressing (<Control> + C) or by right clicking and selecting "Copy"
    Files to move:
    C:\WINDOWS\system32\logevent.dll | C:\WINDOWS\system32\eventlog.dll


  4. Now start The Avenger2 by double clicking avenger.exe on your desktop.
  5. Read the prompt that appears, and press OK.
  6. Paste the script into the textbox that appears, using (<Control> + V) or by right clicking and choosing "Paste".
  7. Press the "Execute" button.
  8. You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.
    Note: It is possible that Avenger will reboot your system TWICE.
  9. Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.

Next, try running MBAM.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

-screen317


Thank you for trying to make an educated guess, but MBAM still won't work, they can't find it. Here's the log from the Avenger.exe, though:

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

No rootkits found!

Error: file "C:\WINDOWS\system32\logevent.dll" not found!

File move operation "C:\WINDOWS\system32\logevent.dll|C:\WINDOWS\system32\eventlog.dll" failed!

Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)

--> the object does not exist

Completed script processing.

*******************

Finished! Terminate.

I ran GMER again while I slept. This time, I managed to get the log because for some reason or another, the log is really short, didn't take up much memory at all. When I did it previously, it was probably at minimum 6 times longer so I am doubting its accuracy, or maybe Avenger affected it? Anyways, here's the GMER log:

GMER 1.0.15.15125 - http://www.gmer.net

Rootkit scan 2009-10-08 08:19:39

Windows 5.1.2600 Service Pack 2

Running: gmer.exe; Driver: C:\DOCUME~1\ISAAC~1.VAL\LOCALS~1\Temp\fgryyfog.sys

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs madudori.dll c:\windows\system32\lalolezi.dll

---- EOF - GMER 1.0.15 ----

I sincerely hope you can find something out of this, I really need my computer back. Thanks.

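The GMER and MBAM logs posted in this thread show three persistence and tampering artifacts that a helper would look at first: DLLs listed in the AppInit_DLLs value (which every process that loads user32.dll maps), a value under the Run key, and a Security Center notification switch turned off. The following Python script is an added example written for this page, not code from the thread or from any of the tools discussed. It parses the two log formats as they appear above (assuming GMER's "Reg key@value data" line layout and MBAM's "path (detection) -> action" layout) and lists the entries that warrant review; the sample input is constructed from the lines quoted in this thread.

```python
import re
from typing import Dict, List

# Constructed sample: registry lines copied from the GMER log posted above.
GMER_SAMPLE = """\
---- Registry - GMER 1.0.15 ----
Reg HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows@Spooler yes
Reg HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows@swapdisk
Reg HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows@LoadAppInit_DLLs 1
Reg HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows@AppInit_DLLs madudori.dll c:\\windows\\system32\\lalolezi.dll
---- EOF - GMER 1.0.15 ----
"""

# Constructed sample: the detection lines from the MBAM quick scan posted in this thread.
MBAM_SAMPLE = """\
Registry Values Infected:
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\lohaloheda (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Security Center\\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
"""

# GMER prints one registry value per line as "Reg <key>@<valuename> <data>"; data may be empty.
GMER_REG_RE = re.compile(r"^Reg (?P<key>.+?)@(?P<name>\S+)(?:\s+(?P<data>.*))?$")
# MBAM prints "<registry path> (<detection name>) -> <action>".
MBAM_HIT_RE = re.compile(r"^(?P<path>HK[A-Z_]+\\.+?) \((?P<detection>[^)]+)\) -> ")

WINDOWS_KEY = "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows"


def parse_gmer_registry(text: str) -> Dict[str, str]:
    """Map 'key@valuename' -> data for every Reg line in a GMER registry section."""
    values: Dict[str, str] = {}
    for line in text.splitlines():
        m = GMER_REG_RE.match(line.strip())
        if m:
            values[f"{m['key']}@{m['name']}"] = (m["data"] or "").strip()
    return values


def appinit_dlls(values: Dict[str, str]) -> List[str]:
    """DLLs that AppInit_DLLs would inject, or [] if the mechanism is explicitly disabled.

    Windows XP loads AppInit_DLLs unconditionally; Vista and later honour
    LoadAppInit_DLLs, so only an explicit 0 is treated as "off" here.
    """
    if values.get(f"{WINDOWS_KEY}@LoadAppInit_DLLs", "1") == "0":
        return []
    data = values.get(f"{WINDOWS_KEY}@AppInit_DLLs", "")
    # Entries are separated by spaces or commas; paths with spaces would need
    # quoting, which none of the logged values use.
    return [d for d in re.split(r"[\s,]+", data) if d]


def parse_mbam_hits(text: str) -> List[Dict[str, str]]:
    """Extract (path, detection) pairs from MBAM's registry detection lines."""
    hits: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = MBAM_HIT_RE.match(line.strip())
        if m:
            hits.append({"path": m["path"], "detection": m["detection"]})
    return hits


def triage(gmer_text: str, mbam_text: str) -> List[Dict[str, object]]:
    """Classify the persistence-relevant artifacts found in both logs."""
    findings: List[Dict[str, object]] = []
    dlls = appinit_dlls(parse_gmer_registry(gmer_text))
    if dlls:
        findings.append({"kind": "appinit_dlls", "detail": dlls})
    for hit in parse_mbam_hits(mbam_text):
        path = hit["path"]
        lowered = path.lower()
        name = path.rsplit("\\", 1)[1]
        if "\\currentversion\\run\\" in lowered:
            findings.append({"kind": "run_key", "detail": name})        # autostart entry
        elif "\\security center\\" in lowered:
            findings.append({"kind": "security_center", "detail": name})  # notification tampering
        else:
            findings.append({"kind": "other", "detail": path})
    return findings


if __name__ == "__main__":
    for finding in triage(GMER_SAMPLE, MBAM_SAMPLE):
        print(f"{finding['kind']:16} {finding['detail']}")
```

Running the script against the constructed samples prints one line per artifact: the two AppInit DLLs, the Run value name, and the Security Center value that was switched off. A reappearing Run value after each reboot, as reported later in this thread, is exactly the pattern this kind of listing makes visible across successive logs.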

I just had a computer at work need fixing because of Security Tool. When I tried to install Malwarebytes, the mbam.exe file would keep getting deleted, but all the rest would remain in the install folder. This also happened in Safe Mode.

I installed to flash drive using a different computer and ran mbam.exe from the flash drive on the infected computer. Malwarebytes ran fine from the flash drive, and Security Tool is no longer infecting that computer.

Hope this helps.


Hmmmm.. I did a full scan overnight, but then Security Tool came back in full. I then did a quick scan, and then now I am back to the point I was in yesterday. You think it's because I had my Ethernet cable plugged into it? Is it possible that Security Tool fixed itself? I unplugged my internet and am now running a full scan on it. I hope that finally does it in.


Now it's back again, in full. How do I kill this thing?! Here's the log from the most recent quick and full scans, respectively.

Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 2 (Safe Mode)

10/9/2009 11:07:25 AM
mbam-log-2009-10-09 (11-07-25).txt

Scan type: Quick Scan
Objects scanned: 154465
Time elapsed: 23 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lohaloheda (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 2

10/9/2009 7:27:27 PM
mbam-log-2009-10-09 (19-27-27).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 381401
Time elapsed: 5 hour(s), 49 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lohaloheda (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I think I will run a full scan tonight, then "remove selected" and then delete all the quarantined. I think it keeps coming because I don't delete the quarantined fast enough (before the next reboot).. Is this right?


  • Staff

Every post you make puts you at the bottom of my reply list.

You replied 9 times, and as such you were put below the 100 other people I'm helping 9 times.

If you had been patient earlier and just edited your post instead of posting so many times, we could have been done already.

Your MBAM database is out of date. Update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

-screen317


Oh, thanks for explaining it to me, I did not want to seem impatient or ungrateful. I could not have known that is how it works. Actually, I didn't edit my posts because I couldn't find a way to. I am very thankful for the service MalwareBytes provides, and free no less :) !

Here's my MalwareBytes log, I ran this first:

Malwarebytes' Anti-Malware 1.41

Database version: 2951

Windows 5.1.2600 Service Pack 2

10/13/2009 7:45:44 AM

mbam-log-2009-10-13 (07-45-44).txt

Scan type: Full Scan (C:\|D:\|)

Objects scanned: 388414

Time elapsed: 5 hour(s), 32 minute(s), 36 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lohaloheda (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\rahuguzi.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\Documents and Settings\Isaac.VALUED-A069BA8D\Start Menu\Programs\Security Tool.LNK (Rogue.SecurityTool) -> Quarantined and deleted successfully.

And here's the ComboFix I finished with recently:

ComboFix 09-10-13.01 - Isaac 10/13/2009 16:53.2.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.224.75 [GMT -7:00]

Running from: c:\documents and settings\Isaac.VALUED-A069BA8D\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Isaac.VALUED-A069BA8D\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Documents\ZbThumbnail.info

c:\documents and settings\ENOCH\Desktop\Download programs.url

c:\documents and settings\ENOCH\Desktop\Translator.url

c:\documents and settings\ENOCH\Desktop\Videos.url

c:\documents and settings\ENOCH\Favorites\Download programs.url

c:\documents and settings\ENOCH\Favorites\Games.url

c:\documents and settings\ENOCH\Favorites\Translator.url

c:\documents and settings\ENOCH\Favorites\Videos.url

c:\documents and settings\ENOCH\Start Menu\Programs\Download programs.url

c:\documents and settings\ENOCH\Start Menu\Programs\Games.url

c:\documents and settings\ENOCH\Start Menu\Programs\Translator.url

c:\documents and settings\ENOCH\Start Menu\Programs\Videos.url

c:\program files\delfin

c:\program files\delfin\PromulGate\delfinAD.ebd

c:\program files\delfin\PromulGate\delfinAF.edx

c:\program files\delfin\PromulGate\delfinBD.edx

c:\program files\delfin\PromulGate\delfinCO.edx

c:\program files\delfin\PromulGate\delfinDL.edx

c:\program files\delfin\PromulGate\delfinED.edx

c:\program files\delfin\PromulGate\delfinID.edx

c:\program files\delfin\PromulGate\delfinLD.edx

c:\program files\delfin\PromulGate\delfinLO.ebd

c:\program files\delfin\PromulGate\Description.txt

c:\program files\delfin\PromulGate\License.txt

c:\program files\delfin\PromulGate\PgMonitr.exe

c:\program files\delfin\PromulGate\PgSDK.DLL

c:\program files\delfin\PromulGate\preference.dat

c:\program files\delfin\PromulGate\uninstal.log

c:\recycler\S-1-5-21-334337264-1445258045-2852135485-1003

c:\recycler\S-1-5-21-4269483969-3350533337-2501954535-1003

c:\recycler\S-1-5-21-74049757-4025279379-689279713-1003

c:\windows\Installer\48cbe2.msi

c:\windows\system32\buyoyena.exe

c:\windows\system32\fibikavi.dll

c:\windows\system32\hodisuto.exe

c:\windows\system32\ripeyoji.exe

c:\windows\system32\vowikiho.exe

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_ZESOFT

((((((((((((((((((((((((( Files Created from 2009-09-14 to 2009-10-14 )))))))))))))))))))))))))))))))

.

2009-10-13 22:52 . 2009-10-13 22:52 -------- dc----w- c:\windows\system32\config\systemprofile\Application Data\Viewpoint

2009-10-11 06:25 . 2009-10-11 06:25 -------- d-----w- C:\found.001

2009-10-04 05:40 . 2009-10-08 08:30 237153 -c--a-w- c:\windows\system32\drivers\sfi.dat

2009-10-04 04:07 . 2009-10-04 04:07 -------- dc----w- c:\documents and settings\Isaac.VALUED-A069BA8D\Application Data\Malwarebytes

2009-10-04 04:07 . 2009-09-10 21:54 38224 -c--a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-10-04 04:07 . 2009-10-04 04:07 -------- dc----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-10-04 04:07 . 2009-09-10 21:53 19160 -c--a-w- c:\windows\system32\drivers\mbam.sys

2009-10-01 03:12 . 2004-05-10 20:14 118272 -c--a-w- c:\windows\system32\SX5363S.DLL

2009-10-01 03:12 . 2004-05-10 20:14 102400 -c--a-w- c:\windows\system32\RV32RTP.dll

2009-09-30 22:46 . 2009-09-30 22:52 -------- dc----w- c:\documents and settings\Isaac.VALUED-A069BA8D\Application Data\GetRightToGo

2009-09-30 03:45 . 2009-09-30 05:04 -------- dc----w- c:\documents and settings\Isaac.VALUED-A069BA8D\Local Settings\Application Data\PMB Files

2009-09-30 03:45 . 2009-09-30 03:50 -------- dc----w- c:\documents and settings\All Users\Application Data\PMB Files

2009-09-30 00:06 . 2009-09-30 00:06 -------- dc----w- c:\documents and settings\Isaac.VALUED-A069BA8D\Application Data\Unity

2009-09-29 23:59 . 2009-09-29 23:59 -------- dc----w- c:\documents and settings\Isaac.VALUED-A069BA8D\Local Settings\Application Data\Unity

2009-09-24 01:08 . 2009-02-09 10:20 399360 -c----w- c:\windows\system32\dllcache\rpcss.dll

2009-09-24 01:08 . 2009-02-09 10:20 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll

2009-09-24 01:08 . 2009-02-06 17:14 110592 -c----w- c:\windows\system32\dllcache\services.exe

2009-09-24 01:08 . 2009-02-06 16:39 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe

2009-09-24 01:08 . 2009-02-09 10:20 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll

2009-09-24 01:08 . 2009-02-09 10:20 616960 -c----w- c:\windows\system32\dllcache\advapi32.dll

2009-09-24 01:08 . 2009-02-09 10:20 473088 -c----w- c:\windows\system32\dllcache\fastprox.dll

2009-09-24 01:08 . 2005-07-26 04:39 60416 -c----w- c:\windows\system32\dllcache\colbact.dll

2009-09-19 02:32 . 2009-10-03 05:23 45 -c--a-w- c:\documents and settings\Isaac.VALUED-A069BA8D\jagex_runescape_preferences2.dat

2009-09-19 02:32 . 2009-10-03 06:09 38 -c--a-w- c:\documents and settings\Isaac.VALUED-A069BA8D\jagex_runescape_preferences.dat

2009-09-19 02:29 . 2009-09-19 02:28 411368 -c--a-w- c:\windows\system32\deploytk.dll

2009-09-18 23:36 . 2009-09-18 23:36 -------- dc----w- C:\.jagex_cache_32

2009-09-18 07:28 . 2009-10-09 06:33 -------- dc----w- c:\documents and settings\Isaac.VALUED-A069BA8D\Local Settings\Application Data\Temp

2009-09-18 07:28 . 2009-10-01 01:31 -------- dc----w- c:\documents and settings\Isaac.VALUED-A069BA8D\Local Settings\Application Data\Google

2009-09-18 04:37 . 2009-09-18 04:37 398 -c--a-w- c:\windows\DelUS.bat

2009-09-18 04:31 . 2009-09-18 04:31 -------- dc----w- c:\windows\Share-to-Web Upload Folder

2009-09-18 03:00 . 2009-09-18 23:35 -------- dc----w- c:\windows\.jagex_cache_32

2009-09-18 00:16 . 2009-09-18 00:16 -------- dc----w- c:\documents and settings\Isaac.VALUED-A069BA8D\Local Settings\Application Data\SupportSoft

2009-09-18 00:15 . 2009-09-18 00:15 -------- dc----w- c:\windows\DSL

2009-09-18 00:15 . 2009-09-18 00:15 -------- dc----w- c:\program files\Verizon

2009-09-18 00:15 . 2009-09-18 00:15 -------- dc----w- c:\program files\Common Files\SupportSoft

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-10-12 07:25 . 2007-10-07 22:22 -------- dc--a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-10-04 21:58 . 2008-12-21 00:41 -------- dc----w- c:\documents and settings\Isaac.VALUED-A069BA8D\Application Data\gtk-2.0

2009-10-04 05:18 . 2006-08-13 21:31 -------- dc----w- c:\program files\Common Files\Wise Installation Wizard

2009-10-03 23:35 . 2007-08-06 18:15 -------- dc----w- c:\program files\America Online 8.0

2009-09-30 05:20 . 2004-01-13 01:26 -------- dc----w- c:\program files\Common Files\AOL

2009-09-30 05:19 . 2007-07-23 16:18 -------- dc----w- c:\documents and settings\Isaac.VALUED-A069BA8D\Application Data\AOL

2009-09-30 05:19 . 2004-01-13 01:27 -------- dc----w- c:\documents and settings\All Users\Application Data\AOL

2009-09-30 03:13 . 2002-04-17 17:48 -------- dc-h--w- c:\program files\InstallShield Installation Information

2009-09-18 04:30 . 2002-10-13 16:57 -------- dc----w- c:\program files\Web Publish

2009-09-07 05:05 . 2007-07-23 16:17 138072 -c--a-w- c:\documents and settings\Isaac.VALUED-A069BA8D\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-29 22:46 . 2005-12-26 01:43 98304 -c--a-w- c:\windows\system32\CmdLineExt.dll

2009-08-05 09:11 . 2003-02-18 04:52 204800 -c--a-w- c:\windows\system32\mswebdvd.dll

2009-07-29 04:53 . 2002-04-16 10:59 119808 -c--a-w- c:\windows\system32\t2embed.dll

2009-07-29 04:53 . 2002-04-16 10:59 82432 -c--a-w- c:\windows\system32\fontsub.dll

2009-07-17 18:55 . 2003-02-18 03:28 58880 -c--a-w- c:\windows\system32\atl.dll

2009-07-09 11:21 . 2009-07-09 11:21 37888 -csha-w- c:\windows\system32\belazute.dll

2009-07-09 11:21 . 2009-07-09 11:21 50688 -csha-w- c:\windows\system32\kegezadu.dll

2009-07-09 11:22 . 2009-07-09 11:22 50688 -csha-w- c:\windows\system32\kiyajeru.dll

2004-08-04 07:56 . 2002-04-16 10:59 54784 -csha-w- c:\windows\system32\msvcirt.dll

2004-08-04 07:56 . 2003-02-18 04:51 413696 --sha-w- c:\windows\system32\msvcp60.dll

2009-07-13 04:42 . 2009-07-13 04:42 51712 -csha-w- c:\windows\system32\patafudi.dll

2004-08-04 07:56 . 2002-04-16 10:59 11776 -csh--w- c:\windows\system32\regsvr32.exe

2009-07-03 07:07 . 2009-07-03 07:07 26624 -csha-w- c:\windows\system32\tiwedihu.dll

2009-07-03 22:31 . 2009-07-03 22:31 50176 -csha-w- c:\windows\system32\tuduriro.dll

2009-07-03 07:07 . 2009-07-03 07:07 37888 -csha-w- c:\windows\system32\venijija.dll

1617-10-26 20:34 . 1617-10-26 20:34 92077 -csha-r- c:\windows\system32\Winkcu.exe

.

------- Sigcheck -------

[-] 2008-04-14 . A06CE3399D16DB864F55FAEB1F1927A9 . 77824 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\browser.dll

[-] 2004-08-04 . E3CFCCDDA4EDD1D0DC9168B2E18F27B8 . 77312 . . [5.1.2600.2180] . . c:\windows\ServicePackFiles\i386\browser.dll

[-] 2004-08-04 . E3CFCCDDA4EDD1D0DC9168B2E18F27B8 . 77312 . . [5.1.2600.2180] . . c:\windows\SoftwareDistribution\Download\66b1d8e81a20b4b541ab3e558f2fd638\backup\browser.dll

[-] 2004-08-04 . E3CFCCDDA4EDD1D0DC9168B2E18F27B8 . 77312 . . [5.1.2600.2180] . . c:\windows\system32\browser.dll

[-] 2002-08-29 10:40 . !HASH: COULD NOT OPEN FILE !!!!! . 49152 . . [------] . . c:\windows\$NtServicePackUninstall$\browser.dll

[-] 2008-04-14 . 3D4E199942E29207970E04315D02AD3B . 62464 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\cryptsvc.dll

[-] 2004-08-04 . 10654F9DDCEA9C46CFB77554231BE73B . 60416 . . [5.1.2600.2180] . . c:\windows\ServicePackFiles\i386\cryptsvc.dll

[-] 2004-08-04 . 10654F9DDCEA9C46CFB77554231BE73B . 60416 . . [5.1.2600.2180] . . c:\windows\SoftwareDistribution\Download\66b1d8e81a20b4b541ab3e558f2fd638\backup\cryptsvc.dll

[-] 2004-08-04 . 10654F9DDCEA9C46CFB77554231BE73B . 60416 . . [5.1.2600.2180] . . c:\windows\system32\cryptsvc.dll

[-] 2002-08-29 10:40 . !HASH: COULD NOT OPEN FILE !!!!! . 53248 . . [------] . . c:\windows\$NtServicePackUninstall$\cryptsvc.dll

[-] 2008-04-13 . B153AFFAC761E7F5FCFA822B9C4E97BC . 14336 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\asyncmac.sys

[-] 2004-08-04 . 02000ABF34AF4C218C35D257024807D6 . 14336 . . [5.1.2600.2180] . . c:\windows\ServicePackFiles\i386\asyncmac.sys

[-] 2004-08-04 . 02000ABF34AF4C218C35D257024807D6 . 14336 . . [5.1.2600.2180] . . c:\windows\SoftwareDistribution\Download\66b1d8e81a20b4b541ab3e558f2fd638\backup\asyncmac.sys

[-] 2004-08-04 . 02000ABF34AF4C218C35D257024807D6 . 14336 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\asyncmac.sys

[-] 2004-08-04 . 02000ABF34AF4C218C35D257024807D6 . 14336 . . [5.1.2600.2180] . . c:\windows\system32\drivers\asyncmac.sys

[-] 2001-08-18 12:00 . !HASH: COULD NOT OPEN FILE !!!!! . 13568 . . [------] . . c:\windows\$NtServicePackUninstall$\asyncmac.sys

[-] 2001-08-18 . DA1F27D85E0D1525F6621372E7B685E9 . 4224 . . [5.1.2600.0] . . c:\windows\system32\dllcache\beep.sys

[-] 2001-08-18 . DA1F27D85E0D1525F6621372E7B685E9 . 4224 . . [5.1.2600.0] . . c:\windows\system32\drivers\beep.sys

[-] 2008-04-13 . 463C1EC80CD17420A542B7F36A36F128 . 24576 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\kbdclass.sys

[-] 2004-08-04 . EBDEE8A2EE5393890A1ACEE971C4C246 . 24576 . . [5.1.2600.2180] . . c:\windows\ServicePackFiles\i386\kbdclass.sys

[-] 2004-08-04 . EBDEE8A2EE5393890A1ACEE971C4C246 . 24576 . . [5.1.2600.2180] . . c:\windows\SoftwareDistribution\Download\66b1d8e81a20b4b541ab3e558f2fd638\backup\kbdclass.sys

[-] 2004-08-04 . EBDEE8A2EE5393890A1ACEE971C4C246 . 24576 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\kbdclass.sys

[-] 2004-08-04 . EBDEE8A2EE5393890A1ACEE971C4C246 . 24576 . . [5.1.2600.2180] . . c:\windows\system32\drivers\kbdclass.sys

[-] 2002-08-29 08:27 . !HASH: COULD NOT OPEN FILE !!!!! . 23424 . . [------] . . c:\windows\$NtServicePackUninstall$\kbdclass.sys

[-] 2008-04-13 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\ndis.sys

[-] 2004-08-04 . 558635D3AF1C7546D26067D5D9B6959E . 182912 . . [5.1.2600.2180] . . c:\windows\ServicePackFiles\i386\ndis.sys

[-] 2004-08-04 . 558635D3AF1C7546D26067D5D9B6959E . 182912 . . [5.1.2600.2180] . . c:\windows\SoftwareDistribution\Download\66b1d8e81a20b4b541ab3e558f2fd638\backup\ndis.sys

[-] 2004-08-04 . 558635D3AF1C7546D26067D5D9B6959E . 182912 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\ndis.sys

[-] 2004-08-04 . 558635D3AF1C7546D26067D5D9B6959E . 182912 . . [5.1.2600.2180] . . c:\windows\system32\drivers\ndis.sys

[-] 2002-08-29 09:09 . !HASH: COULD NOT OPEN FILE !!!!! . 167552 . . [------] . . c:\windows\$NtServicePackUninstall$\ndis.sys

[-] 2001-08-18 . 73C1E1F395918BC2C6DD67AF7591A3AD . 2944 . . [5.1.2600.0] . . c:\windows\system32\dllcache\null.sys

[-] 2001-08-18 . 73C1E1F395918BC2C6DD67AF7591A3AD . 2944 . . [5.1.2600.0] . . c:\windows\system32\drivers\null.sys

[-] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys

[-] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys

[-] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . c:\windows\system32\dllcache\tcpip.sys

[-] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . c:\windows\system32\drivers\tcpip.sys

[-] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys

[-] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\tcpip.sys

[7] 2007-10-30 . 90CAFF4B094573449A0872A0F919B178 . 360064 . . [5.1.2600.3244] . . c:\windows\$NtUninstallKB951748$\tcpip.sys

[7] 2007-10-30 . 64798ECFA43D78C7178375FCDD16D8C8 . 360832 . . [5.1.2600.3244] . . c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys

[7] 2006-04-20 . B2220C618B42A2212A59D91EBD6FC4B4 . 360576 . . [5.1.2600.2892] . . c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys

[7] 2006-04-20 . 1DBF125862891817F374F407626967F4 . 359808 . . [5.1.2600.2892] . . c:\windows\$NtUninstallKB941644$\tcpip.sys

[7] 2006-04-20 . 1DBF125862891817F374F407626967F4 . 359808 . . [5.1.2600.2892] . . c:\windows\SoftwareDistribution\Download\66b1d8e81a20b4b541ab3e558f2fd638\backup\tcpip.sys

[7] 2006-01-13 . 5562CC0A47B2AEF06D3417B733F3C195 . 360448 . . [5.1.2600.2827] . . c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys

[7] 2006-01-13 . 583E063FDC888CA30D05C2724B0D7EF4 . 359808 . . [5.1.2600.2827] . . c:\windows\$NtUninstallKB917953$\tcpip.sys

[7] 2005-05-25 . 63FDFEA54EB53DE2D863EE454937CE1E . 359936 . . [5.1.2600.2685] . . c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys

[7] 2005-05-25 . 88763A98A4C26C409741B4AA162720C9 . 359808 . . [5.1.2600.2685] . . c:\windows\$NtUninstallKB913446$\tcpip.sys

[-] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB893066$\tcpip.sys

[-] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\ServicePackFiles\i386\tcpip.sys

[-] 2002-08-29 08:58 . !HASH: COULD NOT OPEN FILE !!!!! . 332928 . . [------] . . c:\windows\$NtServicePackUninstall$\tcpip.sys

[-] 2008-07-07 20:32 . 60D1A6342238378BFB7545C81EE3606C . 253952 . . [2001.12.4414.320] . . c:\windows\system32\es.dll

[-] 2008-07-07 20:32 . 60D1A6342238378BFB7545C81EE3606C . 253952 . . [2001.12.4414.320] . . c:\windows\system32\dllcache\es.dll

[-] 2008-07-07 20:26 . D4991D98F2DB73C60D042F1AEF79EFAE . 253952 . . [2001.12.4414.706] . . c:\windows\$hf_mig$\KB950974\SP3GDR\es.dll

[-] 2008-07-07 20:23 . F17F6226BDC0CD5F0BEF0DAF84D29BEC . 253952 . . [2001.12.4414.706] . . c:\windows\$hf_mig$\KB950974\SP3QFE\es.dll

[-] 2008-07-07 20:06 . A4AB3DCA4A383F0DF4988ABDEB84F9A4 . 253952 . . [2001.12.4414.320] . . c:\windows\$hf_mig$\KB950974\SP2QFE\es.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DA3D342F-FF20-4E31-9E82-22334155730C}]

2008-08-14 22:57 2484224 -c--a-w- d:\program files\AntToolbar\Ant.com Toolbar\ant.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{6CD56C02-CB4D-41B5-A0FE-B479061CCB41}"= "d:\program files\AntToolbar\Ant.com Toolbar\ant.dll" [2008-08-14 2484224]

[HKEY_CLASSES_ROOT\clsid\{6cd56c02-cb4d-41b5-a0fe-b479061ccb41}]

[HKEY_CLASSES_ROOT\TBSB00982.TBSB00982.3]

[HKEY_CLASSES_ROOT\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}]

[HKEY_CLASSES_ROOT\TBSB00982.TBSB00982]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{6CD56C02-CB4D-41B5-A0FE-B479061CCB41}"= "d:\program files\AntToolbar\Ant.com Toolbar\ant.dll" [2008-08-14 2484224]

[HKEY_CLASSES_ROOT\clsid\{6cd56c02-cb4d-41b5-a0fe-b479061ccb41}]

[HKEY_CLASSES_ROOT\TBSB00982.TBSB00982.3]

[HKEY_CLASSES_ROOT\TypeLib\{77AA25E8-6083-4949-A831-9CB11861DC10}]

[HKEY_CLASSES_ROOT\TBSB00982.TBSB00982]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AIM"="c:\program files\AIM95\aim.exe" [2004-12-08 67160]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]

"Obxgohk"="c:\program files\Owrttti\Oiqxhy.exe" [2005-05-12 37512]

"Google Update"="c:\documents and settings\Isaac.VALUED-A069BA8D\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-09-18 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]

"SiS KHooker"="c:\windows\System32\khooker.exe" [2002-01-25 290816]

"ZTgServerSwitch"="c:\program files\support.com\client\lserver\server.vbs" [2002-04-26 11406]

"QuickFinder Scheduler"="c:\program files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE" [2001-10-02 77887]

"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 57344]

"Obxgohk"="c:\program files\Owrttti\Oiqxhy.exe" [2005-05-12 37512]

"HostManager"="c:\program files\Common Files\AOL\1129172188\EE\AOLHostManager.exe" [2006-03-08 13416]

"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2005-04-18 71256]

"SunJavaUpdateSched"="d:\program files\Java\jre6\bin\jusched.exe" [2009-09-19 149280]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]

"Malwarebytes Anti-Malware (reboot)"="g:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

"LTSMMSG"="LTSMMSG.exe" - c:\windows\LTSMMSG.exe [2002-03-29 32768]

"SiSPower"="SiSPower.dll" - c:\windows\system32\SiSPower.dll [2006-03-09 49152]

c:\documents and settings\MERCY\Start Menu\Programs\Startup\

My Desktop Post Office.lnk - c:\documents and settings\MERCY\Application Data\Microsoft\Installer\{AD56E036-4580-4060-8ED5-57A3D3E93A36}\IconAD56E0365.exe [2006-8-13 10240]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2002-5-17 113664]

Adobe Reader Speed Launch.lnk - d:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

HPAiODevice(hp officejet d series) - 2.lnk - c:\program files\Hewlett-Packard\AiO\hp officejet d series\Bin\hpoojd07.exe [2002-9-26 491582]

HPAiODevice(hp officejet d series) - 3.lnk - c:\program files\Hewlett-Packard\AiO\hp officejet d series\Bin\hpoojd07.exe [2002-9-26 491582]

HPAiODevice(hp officejet d series) - 4.lnk - c:\program files\Hewlett-Packard\AiO\hp officejet d series\Bin\hpoojd07.exe [2002-9-26 491582]

HPAiODevice(hp officejet d series) - 5.lnk - c:\program files\Hewlett-Packard\AiO\hp officejet d series\Bin\hpoojd07.exe [2002-9-26 491582]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\support.com\\client\\bin\\tgcmd.exe"=

"c:\\Program Files\\AIM95\\aim.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=

"c:\\Program Files\\America Online 8.0\\waol.exe"=

"c:\\WINDOWS\\system32\\dpnsvr.exe"=

"d:\\Program Files\\DAP\\DAP.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"d:\\Program Files\\FlashGet\\FlashGet.exe"=

"d:\\Program Files\\Microsoft Games\\Zoo Tycoon 2\\zt.exe"=

"d:\\Games\\Jazz2\\Jazz2.exe"=

"c:\\Program Files\\Blender Foundation\\Blender\\blender.exe"=

"d:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Complete\\Civilization4.exe"=

"d:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Complete\\Warlords\\Civ4Warlords.exe"=

"d:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization 4 Complete\\Beyond the Sword\\Civ4BeyondSword.exe"=

"d:\\Program Files\\2K Games\\Firaxis Games\\Sid Meier's Civilization IV Colonization\\Colonization.exe"=

"d:\\vbaserver.exe"=

"d:\\Multiplayer VisuaBoy Advance\\VisualBoyAdvance.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"31703:TCP"= 31703:TCP:PORT_31703

"24905:TCP"= 24905:TCP:PORT_24905

"34011:TCP"= 34011:TCP:PORT_34011

"16944:TCP"= 16944:TCP:PORT_16944

"6800:TCP"= 6800:TCP:PORT_6800

"50275:TCP"= 50275:TCP:PORT_50275

"58632:TCP"= 58632:TCP:Pando Media Booster

"58632:UDP"= 58632:UDP:Pando Media Booster

R1 ATMhelpr;ATMhelpr;c:\windows\system32\drivers\ATMHELPR.SYS [8/15/2002 10:00 PM 4064]

R3 LucentSoftModem;Lucent Technologies Soft Modem;c:\windows\system32\drivers\LTSM.sys [4/16/2002 4:00 AM 807917]

R3 SiS7012;Service for AC'97 Sample Driver (WDM);c:\windows\system32\drivers\sis7012.sys [4/16/2002 4:00 AM 175232]

S3 NMUSB;NMUSB;c:\windows\system32\drivers\Nmusb.sys [10/21/2007 12:05 AM 40625]

.

Contents of the 'Scheduled Tasks' folder

2009-10-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-917563655-4024994690-2552189465-1021Core.job

- c:\documents and settings\Isaac.VALUED-A069BA8D\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-18 07:27]

2009-10-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-917563655-4024994690-2552189465-1021UA.job

- c:\documents and settings\Isaac.VALUED-A069BA8D\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-09-18 07:27]

2002-07-10 c:\windows\Tasks\Registration reminder 1.job

- c:\windows\System32\OOBE\oobebaln.exe [2003-02-18 07:56]

2002-07-10 c:\windows\Tasks\Registration reminder 2.job

- c:\windows\System32\OOBE\oobebaln.exe [2003-02-18 07:56]

.

.

------- Supplementary Scan -------

.

uInternet Connection Wizard,ShellNext = hxxp://www.sony.com/vaiopeople

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

.

- - - - ORPHANS REMOVED - - - -

BHO-{9f683065-4e02-4201-ad24-44aac2bdad37} - lawireyo.dll

HKCU-Run-MSMSGS - c:\program files\Messenger\msmsgs.exe

HKLM-Run-Pop3trap.exe - c:\program files\Trend Micro\PC-cillin 2000\Pop3trap.exe

HKLM-Run-WebTrapNT.exe - c:\program files\Trend Micro\PC-cillin 2000\WebTrapNT.exe

HKLM-Run-Media Access - c:\program files\Media Access\MediaAccK.exe

HKLM-Run-SiS Tray - (no file)

HKLM-Run-lohaloheda - sapoviri.dll

SharedTaskScheduler-{34bb1f7e-78e9-470e-9dd3-914dfb4ecbee} - c:\windows\system32\kumeweva.dll

SharedTaskScheduler-{7e75a524-e661-4150-b6dc-f4839944e00d} - c:\windows\system32\gebuhobo.dll

SSODL-vozakuhoh-{34bb1f7e-78e9-470e-9dd3-914dfb4ecbee} - c:\windows\system32\kumeweva.dll

SSODL-fijepadeg-{7e75a524-e661-4150-b6dc-f4839944e00d} - c:\windows\system32\gebuhobo.dll

AddRemove-AOL Spyware Protection - c:\progra~1\COMMON~1\AOL\AOLSPY~1\UNWISE.EXE

AddRemove-AOLCoach - c:\program files\Common Files\aolshare\Coach\AolCInUn.exe

AddRemove-Deep Paint - d:\ahearn\Software\DeepPaint\Deep Paint\unwise.exe

AddRemove-Port Magic - c:\progra~1\PURENE~1\PORTMA~1\PortAOL.exe

AddRemove-ShockwaveFlash - c:\windows\system32\Macromed\Flash\FlashUtil9b.exe

AddRemove-U-Storage Service - c:\docume~1\ENOCH\LOCALS~1\Temp\U-Storage.exe

AddRemove-UnityWebPlayer - c:\program files\Unity\WebPlayer\Uninstall.exe

AddRemove-{980A182F-E0A2-4A40-94C1-AE0C1235902E} - c:\program files\Pando Networks\Media Booster\uninst.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-10-13 17:45

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

c:\docume~1\ISAAC~1.VAL\LOCALS~1\Temp\BIT50.tmp

c:\docume~1\ISAAC~1.VAL\LOCALS~1\Temp\GUR3F.tmp 0 bytes

scan completed successfully

hidden files: 2

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2204)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\AOL\ACS\AOLacsd.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

d:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\UStorSrv.exe

c:\program files\Viewpoint\Common\ViewpointService.exe

c:\windows\wanmpsvc.exe

c:\program files\Canon\CAL\CALMAIN.exe

c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\wscript.exe

c:\progra~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe

c:\program files\Common Files\AOL\1129172188\EE\aolsoftware.exe

c:\windows\system32\sistray.exe

c:\program files\Sony\VAIO Action Setup\VAServ.exe

c:\progra~1\support.com\client\bin\tgcmd.exe

c:\program files\iPod\bin\iPodService.exe

c:\progra~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe

.

**************************************************************************

.

Completion time: 2009-10-14 18:00 - machine was rebooted

ComboFix-quarantined-files.txt 2009-10-14 01:00

Pre-Run: 874,315,776 bytes free

Post-Run: 1,460,559,872 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn


I've run the full MalwareBytes scan before and it effectively rids my computer of the rogue security tool, but if I have my internet on for a length of time, it comes back. You probably already guessed, so did ComboFix do it in for me? What's my next step?

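The log above ends with three sections that carry most of the triage value: the firewall GloballyOpenPorts list, the ORPHANS REMOVED block (autostart entries ComboFix deleted because their target was missing or unreferenced), and catchme's hidden-file results. The following helper is an added example, not code from ComboFix, Malwarebytes or anyone in this thread. It parses an excerpt built from lines copied out of the post above and pulls out the entries a reviewer would normally look at first. The two flags it raises (a firewall exception whose name is just PORT_<port> and therefore names no application, and an orphaned autostart whose target is a bare .dll with no directory) are heuristics assumed for the example; the log itself asserts neither.

```python
"""Triage helper for a ComboFix log excerpt (added example, not ComboFix's code).

Sections handled:
  * [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
  * - - - - ORPHANS REMOVED - - - -
  * catchme "scanning hidden files ..." output
The "generic name" and "pathless DLL" flags are this example's assumptions.
"""
import re

# Constructed sample: lines copied from the log format in the post above.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"31703:TCP"= 31703:TCP:PORT_31703
"6800:TCP"= 6800:TCP:PORT_6800
"58632:TCP"= 58632:TCP:Pando Media Booster
"58632:UDP"= 58632:UDP:Pando Media Booster

R1 ATMhelpr;ATMhelpr;c:\windows\system32\drivers\ATMHELPR.SYS [8/15/2002 10:00 PM 4064]

- - - - ORPHANS REMOVED - - - -
BHO-{9f683065-4e02-4201-ad24-44aac2bdad37} - lawireyo.dll
HKCU-Run-MSMSGS - c:\program files\Messenger\msmsgs.exe
HKLM-Run-SiS Tray - (no file)
HKLM-Run-lohaloheda - sapoviri.dll
SharedTaskScheduler-{34bb1f7e-78e9-470e-9dd3-914dfb4ecbee} - c:\windows\system32\kumeweva.dll
AddRemove-UnityWebPlayer - c:\program files\Unity\WebPlayer\Uninstall.exe

**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
scanning hidden files ...
c:\docume~1\ISAAC~1.VAL\LOCALS~1\Temp\BIT50.tmp
c:\docume~1\ISAAC~1.VAL\LOCALS~1\Temp\GUR3F.tmp 0 bytes
scan completed successfully
hidden files: 2
"""

# "31703:TCP"= 31703:TCP:PORT_31703  ->  port, protocol, rule name
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(.*)$')
# BHO-{clsid} - lawireyo.dll  ->  kind, key, target
ORPHAN_RE = re.compile(r'^([A-Za-z]+)-(.+?) - (.+)$')


def parse_sections(log_text):
    """Collect the lines of the three sections we care about, keyed by name."""
    sections = {"ports": [], "orphans": [], "hidden": []}
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[HKLM\\~\\services\\sharedaccess") and "GloballyOpenPorts" in line:
            current = "ports"
            continue
        if line.startswith("- - - - ORPHANS REMOVED"):
            current = "orphans"
            continue
        if line.startswith("scanning hidden files"):
            current = "hidden"
            continue
        # Any other block header (registry key, separator, other catchme phase,
        # or an R#/S# driver line) closes the section being collected.
        if (line.startswith("[") or line.startswith("*****")
                or line.startswith("scanning ") or line.startswith("scan completed")
                or re.match(r"^[RS]\d ", line)):
            current = None
            continue
        if current:
            sections[current].append(line)
    return sections


def firewall_exceptions(lines):
    """(port, proto, name, generic): generic is True when the name is just PORT_<port>."""
    out = []
    for line in lines:
        m = PORT_RE.match(line)
        if not m:
            continue
        port, proto, name = m.group(1), m.group(2), m.group(3).strip()
        out.append((int(port), proto, name, name.upper() == f"PORT_{port}"))
    return out


def orphaned_autostarts(lines):
    """(kind, key, target, pathless_dll): pathless_dll is True for a bare .dll name."""
    out = []
    for line in lines:
        m = ORPHAN_RE.match(line)
        if not m:
            continue
        kind, key, target = (g.strip() for g in m.groups())
        pathless = target.lower().endswith(".dll") and "\\" not in target
        out.append((kind, key, target, pathless))
    return out


def hidden_files(lines):
    """Paths catchme listed as hidden, with any trailing '<n> bytes' note removed."""
    return [re.sub(r"\s+\d+ bytes$", "", line) for line in lines]


def triage(log_text):
    """Summarise the excerpt: what a reviewer would want to look at first."""
    s = parse_sections(log_text)
    fw = firewall_exceptions(s["ports"])
    orphans = orphaned_autostarts(s["orphans"])
    return {
        "generic_ports": [(p, pr) for p, pr, _, g in fw if g],
        "named_ports": [(p, pr, n) for p, pr, n, g in fw if not g],
        "pathless_dlls": [t for _, _, t, pl in orphans if pl],
        "orphan_count": len(orphans),
        "hidden_files": hidden_files(s["hidden"]),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the sample, the helper separates the two PORT_-named TCP exceptions from the two Pando Media Booster rules, lists the two pathless DLL targets among the six orphans, and returns both catchme hidden-file paths. Feeding it the full log instead of the excerpt only requires pasting the log into SAMPLE_LOG; the parser keys on the section headers, not on line positions.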

  • Staff

Hi,

My apologies for the delay.

Please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.

  • Click Start Scanning.
  • You should get a notification bar (on top) to install the ActiveX control.
  • Click on it and select to install the ActiveX.
  • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  • In case you are having problems with installing the ActiveX/starting the scan, please read here.
  • Click the Full System Scan button.
  • It will start to download scanner components and databases. This can take a while.
  • The main scan will start.
  • Once the scan has finished, click the Automatic cleaning (recommended) button.
  • It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  • The cleaning can take a while, so please be patient.
  • Then click the Show report button and Copy/Paste what is present under results in your next reply.

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317


Okay, I got the BitDefender log and have attached it. That's a lot of infections!

Your Security Check was weird. The first time I ran it, the DOS window appeared, but after five or so seconds, it disappeared. I tried it again, but now I get an error message: "Windows cannot find 'SecurityCheck\SecurityCheck.bat'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search." Should I examine this further?

I seem to be able to access the internet for a length of time without Security Tool even showing up. I think it's finally dead! You think it's safe now? If you see anything else that needs pursuing, I'd be grateful. :lol:

BitDefender_Log.html


This topic is now closed to further replies.