pls help remove redirect virus


Hi and welcome to Malwarebytes.

Please use the ADDREPLY button to reply instead of the "REPLY" button.

Update MBAM, run a Quick Scan, and post its logs.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

-screen317


Hi,

I've been keeping the infected computer in safe mode, so I ran everything you asked for in safe mode, hope that's alright.

Updated MBAM, ran quick scan, see log below.

It found three infections, but I didn't remove them since you only said to attach the log (I remember reading somewhere on this site not to delete things unless instructed to, and I thought I could always run it again if you wanted me to).

Downloaded Combofix, read all the instructions, and tried to follow them (some of the screens were a little different, I assume because I'm running Windows 2000 on that machine).

When Combofix started, the window that I see when I try to do things like change the time came up, "Items to Synchronize", then an error window - Access to the specified device, path, or file is denied

32788R22FWJFW/n.pif

then there was a double beep from the system (never heard that before)

I did nothing throughout this and Combofix kept going

Combofix said "System file infected

Attempting to restore

C:\WINNT\system32\comres.dll"

started to go through the various stages

I stepped away for a few minutes and when I came back Combofix had rebooted (to normal mode). It never asked me for the Windows Recovery Console, but I notice in the logs I don't have one.

After it rebooted, Combofix continued to run (blue window), but gave an error window: "cannot import cregC.dat".

I waited 20 min to see if Combofix would continue anyway, but it didn't so I OK'd out of the error window.

Then Combofix continued.

My system loaded Superantispyware since it loads on booting. The window "Items to Synchronize" came up again. Combofix kept going and finally produced the log, see below.

Thanks for helping.

Malwarebytes' Anti-Malware 1.44

Database version: 3888

Windows 5.0.2195 Service Pack 4 (Safe Mode)

Internet Explorer 6.0.2800.1106

3/20/2010 6:51:07 PM

mbam-log-2010-03-20 (18-50-55).txt

Scan type: Quick Scan

Objects scanned: 129107

Time elapsed: 7 minute(s), 4 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{4e102658-f7ad-46e2-a63c-7d2be6654d3a} (Password.Stealer) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4e102658-f7ad-46e2-a63c-7d2be6654d3a} (Password.Stealer) -> No action taken.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINNT\system32\xrpijkpte.dll (Password.Stealer) -> No action taken.

_____________________________________________________________________________________

ComboFix 10-03-20.01 - photon 03/20/2010 19:20:31.1.1 - x86 NETWORK

Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.1023.788 [GMT -8:00]

Running from: c:\documents and settings\photon.MATT\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

c:\winnt\system32\atiptaxx .exe

c:\winnt\system32\ide.txt

c:\winnt\system32\qks.txt

c:\winnt\system32\rundll32 .exe

c:\winnt\Web\default.htt

----- BITS: Possible infected sites -----

hxxp://85.12.18.119

c:\winnt\system32\comres.dll . . . is infected!!

c:\winnt\system32\comres.dll . . . is infected!!

c:\winnt\system32\rundll32.exe . . . is infected!!

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_IPRIP

-------\Legacy_NWSAPAGENT

-------\Legacy__VOIDqylbdwpcbv

-------\Service__VOIDqylbdwpcbv

-------\Service_Iprip

-------\Service_Nwsapagent

((((((((((((((((((((((((( Files Created from 2010-02-21 to 2010-03-21 )))))))))))))))))))))))))))))))

.

2010-03-21 03:28 . 2010-03-21 03:28 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_25c.dat

2010-03-10 18:21 . 2010-03-10 18:21 -------- d-----w- c:\documents and settings\photon.MATT\Application Data\Malwarebytes

2010-03-10 18:21 . 2010-01-08 00:07 38224 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys

2010-03-10 18:21 . 2010-03-10 18:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-03-10 18:21 . 2010-03-10 18:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-03-10 18:21 . 2010-01-08 00:07 18520 ----a-w- c:\winnt\system32\drivers\mbam.sys

2010-03-10 16:04 . 2010-03-10 16:04 -------- d-----w- c:\program files\CCleaner

2010-03-10 16:03 . 2010-03-10 16:03 3396856 ----a-w- C:\ccsetup229.exe

2010-03-09 07:44 . 2009-06-30 17:37 28552 ----a-w- c:\winnt\system32\drivers\pavboot.sys

2010-03-09 07:44 . 2010-03-09 07:44 -------- d-----w- c:\program files\Panda Security

2010-03-08 06:41 . 2010-03-08 17:56 -------- d---a-w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-03-08 06:41 . 2010-03-08 06:45 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-03-05 04:27 . 2010-03-05 05:50 14792 ----a-w- c:\winnt\system32\drivers\hitmanpro35.sys

2010-03-05 04:27 . 2010-03-05 05:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro

2010-03-04 16:36 . 2010-03-04 16:36 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_29c.dat

2010-03-04 06:07 . 2010-03-04 06:07 -------- d-----w- c:\documents and settings\photon.MATT\Application Data\Arduino

2010-03-04 05:45 . 2010-03-04 05:45 -------- d-----w- C:\arduino stuff

2010-03-04 02:36 . 2010-03-04 02:36 52224 ----a-w- c:\documents and settings\photon.MATT\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

2010-03-04 02:33 . 2010-03-04 02:33 -------- d-----w- C:\ATI

2010-03-03 16:47 . 2010-03-03 16:47 47616 ----a-w- c:\winnt\system32\xrpijkpte.dll

2010-02-27 21:29 . 2010-02-27 21:29 177928 ----a-w- C:\TDSSKiller.exe

2010-02-23 03:20 . 2003-06-19 20:05 30768 ----a-w- c:\winnt\system32\drivers\disk.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-03-21 02:31 . 2008-07-09 17:01 -------- d-----w- c:\documents and settings\photon.MATT\Application Data\Azureus

2010-03-13 05:57 . 2004-12-01 20:28 70856 ----a-w- c:\documents and settings\photon.MATT\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-03-10 07:59 . 2009-04-22 13:45 117760 ----a-w- c:\documents and settings\photon.MATT\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2010-03-06 06:55 . 2008-07-16 23:15 -------- d-----w- c:\program files\SUPERAntiSpyware

2010-03-05 06:29 . 2001-05-08 12:00 111376 ----a-w- c:\winnt\system32\rundll32.exe

2010-03-05 05:31 . 2009-01-02 18:09 -------- d-----w- c:\program files\Aiseesoft Studio

2010-03-05 05:05 . 2010-01-15 03:38 -------- d-----w- c:\program files\QuickTime

2010-03-04 00:22 . 2003-01-14 16:37 -------- d---a-w- c:\program files\Intel

2010-03-02 20:16 . 2008-08-17 23:34 -------- d-----w- c:\documents and settings\photon.MATT\Application Data\dvdcss

2010-02-23 03:59 . 2008-09-09 18:09 -------- d-----w- c:\documents and settings\photon.MATT\Application Data\gtk-2.0

2010-02-15 23:16 . 2007-06-04 00:12 -------- d-----w- c:\program files\Lx_cats

2010-02-15 22:40 . 2003-01-14 16:37 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-02-15 22:39 . 2010-02-15 22:39 -------- d-----w- c:\program files\sony

2010-02-15 05:46 . 2010-02-15 05:46 -------- d-----w- c:\program files\Steinberg

2010-02-13 18:07 . 2010-02-13 18:07 -------- d-----w- c:\program files\Audacity

2010-02-10 18:23 . 2009-10-18 17:27 -------- d-----w- c:\program files\solveig avi cuttrimer

2010-02-04 00:44 . 2010-02-04 00:44 -------- d-----w- c:\documents and settings\photon.MATT\Application Data\NewSoft

2010-02-04 00:38 . 2007-06-04 00:16 -------- d-----w- c:\program files\Abbyy FineReader 6.0 Sprint

2010-01-31 20:24 . 2003-01-22 21:34 141 ----a-w- c:\winnt\C3DPREF6.DAT

2010-01-29 23:16 . 2010-01-29 23:16 61067 ----a-w- c:\winnt\system32\drivers\ftser2k.sys

2010-01-29 23:16 . 2010-01-29 23:16 47249 ----a-w- c:\winnt\system32\drivers\ftdibus.sys

2010-01-29 23:16 . 2010-01-29 23:16 33360 ----a-w- c:\winnt\system32\ftserui2.dll

2010-01-29 23:16 . 2010-01-29 23:16 188416 ----a-w- c:\winnt\system32\ftdiunin.exe

2010-01-29 23:16 . 2010-01-29 23:16 176128 ----a-w- c:\winnt\system32\ftd2xx.dll

2010-01-29 23:16 . 2010-01-29 23:16 106496 ----a-w- c:\winnt\system32\ftbusui.dll

2010-01-29 23:16 . 2010-01-29 23:16 102400 ----a-w- c:\winnt\system32\FTLang.dll

2010-01-22 15:27 . 2003-01-14 17:05 -------- d---a-w- c:\program files\Common Files\Adobe

2009-12-28 13:03 . 2003-01-13 08:49 319760 ------w- c:\winnt\system32\MSPAINT.EXE

2009-05-28 11:05 . 2009-05-28 11:05 9164 ----a-w- c:\program files\SweepGen.txt

2009-05-28 11:05 . 2009-05-28 11:05 716288 ----a-w- c:\program files\SweepGen.exe

2009-05-28 11:05 . 2009-05-28 11:05 43 ----a-w- c:\program files\ReadMe.txt

2009-05-28 11:05 . 2009-05-28 11:05 3204 ----a-w- c:\program files\History.txt

2009-05-23 14:44 . 2009-05-23 14:44 13736273 ----a-w- c:\program files\Discovery.exe

2003-10-17 19:51 . 2003-01-13 16:51 21952 ---h--w- c:\program files\folder.htt

2002-08-01 02:55 . 2006-07-24 04:56 141 --sh--w- c:\winnt\WSYS049.SYS

1601-01-01 00:03 . 1601-01-01 00:03 42496 --sha-w- c:\winnt\system32\nilejonu.exe

.

c:\program files\Adobe\Reader 9.0\Reader\reader_sl .exe
c:\program files\Aiseesoft Studio\ashdisp .exe
c:\program files\Alwil Software\Avast4\ashdisp .exe
c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\QuickTime\qttask .exe
c:\program files\SUPERAntiSpyware\superantispyware .exe
c:\program files\Western Digital\WD Drive Manager\wdbtnmgrui .exe

------- Sigcheck -------


.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-03-06 2012912]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-06 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LXCJCATS"="c:\winnt\system32\spool\DRIVERS\W32X86\3\LXCJtime.dll" [2005-09-08 73728]

"AtiPTA"="atiptaxx.exe" [2001-09-27 245760]

"Synchronization Manager"="mobsync.exe" [N/A]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [2003-06-19 186640]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-07 17:49 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"Tray Pilot Lite"="c:\program files\Invention Pilot\Tray Pilot Lite\TrayPlt.exe"

R0 SONYPVM1;Sony Memory Stick Driver(SONYPVM1);c:\winnt\system32\drivers\SonyPVM1.sys [2/15/2010 2:40 PM 28224]

R1 aswSP;avast! Self Protection;c:\winnt\system32\drivers\aswSP.sys [7/9/2008 9:10 AM 114768]

R1 cdudf;cdudf;c:\winnt\system32\drivers\Cdudf.sys [9/4/2001 2:38 PM 238176]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [5/28/2008 9:33 AM 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/28/2008 9:33 AM 66632]

R2 aswFsBlk;aswFsBlk;c:\winnt\system32\drivers\aswFsBlk.sys [7/9/2008 9:10 AM 20560]

R2 aswMon;avast! Standard Shield Support;c:\winnt\system32\drivers\aswmon.sys [7/9/2008 9:10 AM 93424]

R2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe [5/16/2008 5:12 PM 102400]

R2 WMP300NSvc;WMP300NSvc;c:\program files\Linksys\WMP300N\WLService.exe [10/27/2009 1:34 PM 53307]

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/28/2008 9:33 AM 12872]

R3 usbhub20;USB 2.0 Root Hub Support;c:\winnt\system32\drivers\usbhub20.sys [10/17/2003 12:41 PM 49776]

S0 phooks;phooks; [x]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - IPNAT

*NewlyCreated* - RASAUTO

*NewlyCreated* - SHAREDACCESS

.

Contents of the 'Scheduled Tasks' folder

2010-03-01 c:\winnt\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 23:42]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/advanced_search?hl=en&num=100

uInternet Settings,ProxyServer = http=90.0.0.25:4480;https=90.0.0.25:4480;ftp=90.0.0.25:4480;socks=90.0.0.25:1080

IE: freePat - c:\program files\freePat\freePat-script.html

IE: freePat Preview - c:\program files\freePat\freePatpreview-script.html

IE: Search Image on TinEye - file://c:\documents and settings\photon.MATT\My Documents\TinEye 1.0\TinEye.js

IE: {{4725A95C-0D36-4E3E-AC08-6657D522529C} - c:\program files\FreshDevices\FreshDownload\fd.exe

IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm

LSP: %SystemRoot%\system32\msafd.dll

DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\photon.MATT\Application Data\Mozilla\Firefox\Profiles\mu8t0x4j.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/advanced_search?&hl=en&lr=&num=100

FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

.

- - - - ORPHANS REMOVED - - - -

SSODL-hepitahuk-{2860f68d-a40c-4c08-8c0f-3e9323310c27} - (no file)

Notify-NavLogon - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-03-20 19:57

Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

LXCJCATS = rundll32 c:\winnt\system32\spool\DRIVERS\W32X86\3\LXCJtime.dll,_RunDLLEntry@16

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]

@DACL=(02 0000)

@=""

"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]

@DACL=(02 0000)

@=""

"Installed"="1"

"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]

@DACL=(02 0000)

@=""

"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Windows\AutorunsDisabled]

"Appinit_Dlls"="nodutike.dll c:\\winnt\\system32\\yozekute.dll,c:\\winnt\\system32\\jufuvowa.dll"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(196)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\winnt\system32\wzcdlg.dll

c:\winnt\system32\WZCSAPI.DLL

- - - - - - - > 'explorer.exe'(1280)

c:\winnt\system32\SHDOCVW.DLL

.

------------------------ Other Running Processes ------------------------

.

c:\winnt\System32\WLTRYSVC.EXE

c:\winnt\System32\bcmwltry.exe

c:\program files\Alwil Software\Avast4\aswUpdSv.exe

c:\program files\Alwil Software\Avast4\ashServ.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\winnt\system32\LxrJD31s.exe

c:\winnt\system32\regsvc.exe

c:\winnt\system32\MSTask.exe

c:\winnt\system32\stisvc.exe

c:\winnt\System32\WBEM\WinMgmt.exe

c:\program files\Linksys\WMP300N\WMP300N.exe

c:\program files\Alwil Software\Avast4\ashMaiSv.exe

c:\program files\Alwil Software\Avast4\ashWebSv.exe

c:\winnt\system32\rundll32.exe

c:\winnt\system32\atiptaxx.exe

.

**************************************************************************

.

Completion time: 2010-03-20 20:05:09 - machine was rebooted

ComboFix-quarantined-files.txt 2010-03-21 04:05

Pre-Run: 9,200,840,704 bytes free

Post-Run: 9,228,664,832 bytes free

Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4

- - End Of File - - 0E1DC2FF616BB8D0BCCF5BBFCA7A5A42


  • Staff

Hi,

I'm afraid I have bad news.

Your logs reveal that you had keylogging and backdoor trojans. A backdoor severely compromises system integrity.

A compromised system may allow illicit network connections, disabling of security software, modification of critical system files, and collection and transmission of personally identifiable information without your consent.

I recommend that you disconnect this PC from the Internet immediately, and only reconnect to download any tools that are required. If you do any banking or other financial transactions on the PC, or if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. If it were on my PC I would not hesitate for a moment to do so. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

Should you decide not to follow that advice, we will of course do our best to clean the computer of any infections that we can see but, as I already stated, we can in no way guarantee it to be trustworthy.

Should you have any questions, please feel free to ask.

Let me know what you decide.

-screen317


Well that is bad news.

Is there any way to tell if the backdoor trojan infected my computer at the same time as my recent problem?

What about files that were backed up before my recent problems. Could they be infected?

What type of files can carry this particular trojan, I assume .exe, but what about .doc, .jpg, .htm, etc.?

I will take your advice and first thing change all my passwords. I'm not sure what to do with the computer though.


  • Staff

Actually, this infection does not infect your legitimate files. Please feel free to back up images and documents, but programs and such I wouldn't waste time on. Those can always be reinstalled.

Is there any way to tell if the backdoor trojan infected my computer at the same time as my recent problem?
Well that depends. Which "recent problem" are you referring to, and when did it occur?

The "recent problem" is the one described in my first post (March 14, 2010) above. It started just a couple of days before that, and the first indication was Google redirecting to searchclick7 sites and system tools like "change time and date" redirecting to the "Items to Synchronize" window. I immediately switched to safe mode and started to run various anti-virus programs; since they were not completely effective, I came here.

If you can tell if the backdoor trojan infection started in March I could rest a little easier since I did make a few credit card purchases on this machine in February (I don't store credit card numbers on the machine, but a keylogger could have picked them up).

I have some older software that I no longer have original disks for, that I would hate to lose. I'm thinking I will remove all personal information, then with your help try to disinfect this machine, and keep it for non-business, non-financial use only.


I have been contacting banks etc.

I've spent hours cleaning up and backing up files. (one problem is that I can't select multiple files with control arrow, or any other method I can think of, so I have to do many things one file at a time). If you don't mind I will wait until tomorrow to start cleaning trojans. Unless you want to give me the next step and have me report back tomorrow.

Thanks


  • Staff

Hi,

My apologies for the delay. If in the future you experience extended delays, please PM me and I will take care of it.

Please delete your copy of ComboFix, grab a fresh copy, run it, and post its log.

Next, download DDS by sUBs and save it to your Desktop.

Double-click on the DDS icon and let the scan run. When it has run, two logs will be produced; please post the one that is not minimized.

Please run a GMER Rootkit scan:

Download GMER's application from here:

http://www.gmer.net/gmer.zip

Unzip it and start the GMER.exe

Click the Rootkit tab and click the Scan button.

Once done, click the Copy button.

This will copy the results to your clipboard.

Paste the results in your next reply.

Warning! Please do not select the "Show all" checkbox during the scan.


OK, I did everything. ComboFix log, DDS log (neither was minimized; I'm guessing you want this one), and GMER log below.

ComboFix 10-03-26.02 - photon 03/27/2010 13:45:20.2.1 - x86 NETWORK

Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.1023.852 [GMT -8:00]

Running from: c:\documents and settings\photon.MATT\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Favorites\_favdata.dat

.

---- Previous Run -------

.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

c:\winnt\system32\atiptaxx .exe

c:\winnt\system32\ide.txt

c:\winnt\system32\qks.txt

c:\winnt\system32\rundll32 .exe

c:\winnt\Web\default.htt

c:\winnt\system32\comres.dll . . . is infected!!

-- Previous Run --

c:\winnt\system32\comres.dll . . . is infected!!

c:\winnt\system32\comres.dll . . . is infected!!

c:\winnt\system32\comres.dll . . . is infected!!

c:\winnt\system32\comres.dll . . . is infected!!

c:\winnt\system32\rundll32.exe . . . is infected!!

--------

c:\winnt\system32\comres.dll . . . is infected!!

c:\winnt\system32\rundll32.exe . . . is infected!!

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_IPRIP

-------\Legacy_NWSAPAGENT

-------\Legacy__VOIDqylbdwpcbv

-------\Service__VOIDqylbdwpcbv

-------\Service_Iprip

-------\Service_Nwsapagent

((((((((((((((((((((((((( Files Created from 2010-02-27 to 2010-03-27 )))))))))))))))))))))))))))))))

.

2010-03-10 18:21 . 2010-03-10 18:21 -------- d-----w- c:\documents and settings\photon.MATT\Application Data\Malwarebytes

2010-03-10 18:21 . 2010-01-08 00:07 38224 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys

2010-03-10 18:21 . 2010-03-10 18:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-03-10 18:21 . 2010-03-10 18:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-03-10 18:21 . 2010-01-08 00:07 18520 ----a-w- c:\winnt\system32\drivers\mbam.sys

2010-03-10 16:04 . 2010-03-10 16:04 -------- d-----w- c:\program files\CCleaner

2010-03-10 16:03 . 2010-03-10 16:03 3396856 ----a-w- C:\ccsetup229.exe

2010-03-09 07:44 . 2009-06-30 17:37 28552 ----a-w- c:\winnt\system32\drivers\pavboot.sys

2010-03-09 07:44 . 2010-03-09 07:44 -------- d-----w- c:\program files\Panda Security

2010-03-08 06:41 . 2010-03-08 17:56 -------- d---a-w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-03-08 06:41 . 2010-03-08 06:45 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-03-05 04:27 . 2010-03-05 05:50 14792 ----a-w- c:\winnt\system32\drivers\hitmanpro35.sys

2010-03-05 04:27 . 2010-03-05 05:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro

2010-03-04 06:07 . 2010-03-04 06:07 -------- d-----w- c:\documents and settings\photon.MATT\Application Data\Arduino

2010-03-04 05:45 . 2010-03-04 05:45 -------- d-----w- C:\arduino stuff

2010-03-04 02:36 . 2010-03-04 02:36 52224 ----a-w- c:\documents and settings\photon.MATT\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

2010-03-04 02:33 . 2010-03-04 02:33 -------- d-----w- C:\ATI

2010-03-03 16:47 . 2010-03-03 16:47 47616 ----a-w- c:\winnt\system32\xrpijkpte.dll

2010-02-27 21:29 . 2010-02-27 21:29 177928 ----a-w- C:\TDSSKiller.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-03-21 02:31 . 2008-07-09 17:01 -------- d-----w- c:\documents and settings\photon.MATT\Application Data\Azureus

2010-03-13 05:57 . 2004-12-01 20:28 70856 ----a-w- c:\documents and settings\photon.MATT\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-03-10 07:59 . 2009-04-22 13:45 117760 ----a-w- c:\documents and settings\photon.MATT\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2010-03-06 06:55 . 2008-07-16 23:15 -------- d-----w- c:\program files\SUPERAntiSpyware

2010-03-05 06:29 . 2001-05-08 12:00 111376 ----a-w- c:\winnt\system32\rundll32.exe

2010-03-05 05:31 . 2009-01-02 18:09 -------- d-----w- c:\program files\Aiseesoft Studio

2010-03-05 05:05 . 2010-01-15 03:38 -------- d-----w- c:\program files\QuickTime

2010-03-04 00:22 . 2003-01-14 16:37 -------- d---a-w- c:\program files\Intel

2010-03-02 20:16 . 2008-08-17 23:34 -------- d-----w- c:\documents and settings\photon.MATT\Application Data\dvdcss

2010-02-23 03:59 . 2008-09-09 18:09 -------- d-----w- c:\documents and settings\photon.MATT\Application Data\gtk-2.0

2010-02-15 23:16 . 2007-06-04 00:12 -------- d-----w- c:\program files\Lx_cats

2010-02-15 22:40 . 2003-01-14 16:37 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-02-15 22:39 . 2010-02-15 22:39 -------- d-----w- c:\program files\sony

2010-02-15 05:46 . 2010-02-15 05:46 -------- d-----w- c:\program files\Steinberg

2010-02-10 18:23 . 2009-10-18 17:27 -------- d-----w- c:\program files\solveig avi cuttrimer

2010-02-04 00:44 . 2010-02-04 00:44 -------- d-----w- c:\documents and settings\photon.MATT\Application Data\NewSoft

2010-02-04 00:38 . 2007-06-04 00:16 -------- d-----w- c:\program files\Abbyy FineReader 6.0 Sprint

2010-01-31 20:24 . 2003-01-22 21:34 141 ----a-w- c:\winnt\C3DPREF6.DAT

2010-01-29 23:16 . 2010-01-29 23:16 61067 ----a-w- c:\winnt\system32\drivers\ftser2k.sys

2010-01-29 23:16 . 2010-01-29 23:16 47249 ----a-w- c:\winnt\system32\drivers\ftdibus.sys

2010-01-29 23:16 . 2010-01-29 23:16 33360 ----a-w- c:\winnt\system32\ftserui2.dll

2010-01-29 23:16 . 2010-01-29 23:16 188416 ----a-w- c:\winnt\system32\ftdiunin.exe

2010-01-29 23:16 . 2010-01-29 23:16 176128 ----a-w- c:\winnt\system32\ftd2xx.dll

2010-01-29 23:16 . 2010-01-29 23:16 106496 ----a-w- c:\winnt\system32\ftbusui.dll

2010-01-29 23:16 . 2010-01-29 23:16 102400 ----a-w- c:\winnt\system32\FTLang.dll

2009-12-28 13:03 . 2003-01-13 08:49 319760 ------w- c:\winnt\system32\MSPAINT.EXE

2009-05-28 11:05 . 2009-05-28 11:05 9164 ----a-w- c:\program files\SweepGen.txt

2009-05-28 11:05 . 2009-05-28 11:05 716288 ----a-w- c:\program files\SweepGen.exe

2009-05-28 11:05 . 2009-05-28 11:05 43 ----a-w- c:\program files\ReadMe.txt

2009-05-28 11:05 . 2009-05-28 11:05 3204 ----a-w- c:\program files\History.txt

2009-05-23 14:44 . 2009-05-23 14:44 13736273 ----a-w- c:\program files\Discovery.exe

2003-10-17 19:51 . 2003-01-13 16:51 21952 ---h--w- c:\program files\folder.htt

2001-01-09 22:08 . 2003-01-15 19:38 872927 ----a-w- c:\program files\cclean.exe

2002-08-01 02:55 . 2006-07-24 04:56 141 --sh--w- c:\winnt\WSYS049.SYS

1601-01-01 00:03 . 1601-01-01 00:03 42496 --sha-w- c:\winnt\system32\nilejonu.exe

.

c:\program files\Adobe\Reader 9.0\Reader\reader_sl .exe
c:\program files\Aiseesoft Studio\ashdisp .exe
c:\program files\Alwil Software\Avast4\ashdisp .exe
c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\QuickTime\qttask .exe
c:\program files\SUPERAntiSpyware\superantispyware .exe
c:\program files\Western Digital\WD Drive Manager\wdbtnmgrui .exe

------- Sigcheck -------


[-] 2003-06-19 19:05 . 11ED538DB87D8CF38017A63A82AA805D . 403216 . . [5.00.2195.6688] . . c:\winnt\$NtUninstallKB824141$\user32.dll

[-] 2003-06-19 19:05 . 11ED538DB87D8CF38017A63A82AA805D . 403216 . . [5.00.2195.6688] . . c:\winnt\ServicePackFiles\i386\user32.dll

[-] 2003-06-19 19:05 . BF179C5B8A722CC79AEF1CA90D6C7D48 . 17680 . . [5.00.2195.6612] . . c:\winnt\ServicePackFiles\i386\userinit.exe

[-] 2003-06-19 19:05 . BF179C5B8A722CC79AEF1CA90D6C7D48 . 17680 . . [5.00.2195.6612] . . c:\winnt\system32\USERINIT.EXE

[-] 2003-06-19 19:05 . 0190C62DE42396D78DB9BE771CF2403E . 69904 . . [5.00.2195.6601] . . c:\winnt\ServicePackFiles\i386\ws2_32.dll

[-] 2003-06-19 19:05 . 0190C62DE42396D78DB9BE771CF2403E . 69904 . . [5.00.2195.6601] . . c:\winnt\system32\ws2_32.dll

[-] 2003-06-19 19:05 . 59CF2B7DCED9111F48F51B4B570E672D . 243472 . . [5.00.3700.6690] . . c:\winnt\explorer.exe

[-] 2003-06-19 19:05 . 59CF2B7DCED9111F48F51B4B570E672D . 243472 . . [5.00.3700.6690] . . c:\winnt\ServicePackFiles\i386\explorer.exe

[-] 2005-04-08 11:54 . E7F03344AE103B02135C20112B557051 . 49424 . . [5.00.2195.7036] . . c:\winnt\system32\EVENTLOG.DLL

[-] 2005-04-08 11:54 . E7F03344AE103B02135C20112B557051 . 49424 . . [5.00.2195.7036] . . c:\winnt\system32\dllcache\EVENTLOG.DLL

[-] 2004-03-24 02:17 . CEB85BFA135CBDDA10C89E5D31D95F9B . 47888 . . [5.00.2195.6883] . . c:\winnt\$NtUpdateRollupPackUninstall$\eventlog.dll

[-] 2003-06-19 19:05 . 5738D5804F61A1D30D86FA24DEE56E0C . 47888 . . [5.00.2195.6716] . . c:\winnt\$NtUninstallKB835732$\eventlog.dll

[-] 2003-06-19 19:05 . 5738D5804F61A1D30D86FA24DEE56E0C . 47888 . . [5.00.2195.6716] . . c:\winnt\ServicePackFiles\i386\eventlog.dll

[-] 2005-04-08 10:34 . 7645645BB506C26B96B8F31893378C4B . 973072 . . [5.00.2195.7038] . . c:\winnt\system32\sfcfiles.dll

[-] 2005-04-08 10:34 . 7645645BB506C26B96B8F31893378C4B . 973072 . . [5.00.2195.7038] . . c:\winnt\system32\dllcache\sfcfiles.dll

[-] 2004-03-24 02:17 . 33D82938C20BA61E4EDB6DA85829BF23 . 971536 . . [5.00.2195.6894] . . c:\winnt\$NtUpdateRollupPackUninstall$\sfcfiles.dll

[-] 2003-06-19 19:05 . A871E77694E9146B3C655A734B1ECF46 . 971024 . . [5.00.2195.6717] . . c:\winnt\$NtUninstallKB835732$\sfcfiles.dll

[-] 2003-06-19 19:05 . A871E77694E9146B3C655A734B1ECF46 . 971024 . . [5.00.2195.6717] . . c:\winnt\ServicePackFiles\i386\sfcfiles.dll

[-] 2003-06-19 19:05 . 9C2A16951FD6A21AEF1C29F213A564B2 . 120592 . . [5.00.2195.6658] . . c:\winnt\ServicePackFiles\i386\appmgmts.dll

[-] 2003-06-19 19:05 . 9C2A16951FD6A21AEF1C29F213A564B2 . 120592 . . [5.00.2195.6658] . . c:\winnt\system32\appmgmts.dll

[-] 2003-06-19 19:05 . 4B10B4DB777EE2EF8E755E7F3D7C4FE8 . 11536 . . [5.00.2195.6655] . . c:\winnt\ServicePackFiles\i386\acpiec.sys

[-] 2003-06-19 19:05 . 4B10B4DB777EE2EF8E755E7F3D7C4FE8 . 11536 . . [5.00.2195.6655] . . c:\winnt\system32\drivers\acpiec.sys

[-] 2003-06-19 19:05 . CDDB71A90077C93BEA5C72507F0B1394 . 21008 . . [5.00.2195.6655] . . c:\winnt\ServicePackFiles\i386\agp440.sys

[-] 2003-06-19 19:05 . CDDB71A90077C93BEA5C72507F0B1394 . 21008 . . [5.00.2195.6655] . . c:\winnt\system32\drivers\agp440.sys

[-] 2006-11-02 17:31 . 6CE82AC80967541ED3787B62B2242271 . 927504 . . [4.1.0.61] . . c:\winnt\system32\MFC40U.DLL

[-] 2006-11-02 17:31 . 6CE82AC80967541ED3787B62B2242271 . 927504 . . [4.1.0.61] . . c:\winnt\system32\dllcache\mfc40u.dll

[-] 2001-05-08 12:00 . CDDD1A27861C406D1B3906A2B2C60CE3 . 924432 . . [4.1.6140] . . c:\winnt\$NtUninstallKB924667$\mfc40u.dll

[-] 2005-04-08 11:54 . 4B6E4C650721D2A51B8F51B7E5787552 . 35600 . . [5.00.2195.6861] . . c:\winnt\system32\MSGSVC.DLL

[-] 2005-04-08 11:54 . 4B6E4C650721D2A51B8F51B7E5787552 . 35600 . . [5.00.2195.6861] . . c:\winnt\system32\dllcache\msgsvc.dll

[-] 2003-10-02 21:17 . B6C0EECE00ACE0379C0F75274E89E47F . 34064 . . [5.00.2195.6861] . . c:\winnt\$NtUpdateRollupPackUninstall$\msgsvc.dll

[-] 2003-06-19 19:05 . C470CF2972A6DF2214764DA2FE8B768F . 35600 . . [5.00.2195.6656] . . c:\winnt\$NtUninstallKB828035$\msgsvc.dll

[-] 2003-06-19 19:05 . C470CF2972A6DF2214764DA2FE8B768F . 35600 . . [5.00.2195.6656] . . c:\winnt\ServicePackFiles\i386\msgsvc.dll

[-] 2003-06-19 19:05 . 56D893A01269008C28FBF2D025B2FA78 . 401168 . . [5.00.2195.6655] . . c:\winnt\ServicePackFiles\i386\ntmssvc.dll

[-] 2003-06-19 19:05 . 56D893A01269008C28FBF2D025B2FA78 . 401168 . . [5.00.2195.6655] . . c:\winnt\system32\ntmssvc.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-03-06 2012912]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-06 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LXCJCATS"="c:\winnt\system32\spool\DRIVERS\W32X86\3\LXCJtime.dll" [2005-09-08 73728]

"AtiPTA"="atiptaxx.exe" [2001-09-27 245760]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [2003-06-19 186640]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-07 17:49 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NavLogon]

[BU]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"Tray Pilot Lite"="c:\program files\Invention Pilot\Tray Pilot Lite\TrayPlt.exe"

R0 SONYPVM1;Sony Memory Stick Driver(SONYPVM1);c:\winnt\system32\drivers\SonyPVM1.sys [2/15/2010 2:40 PM 28224]

R3 usbhub20;USB 2.0 Root Hub Support;c:\winnt\system32\drivers\usbhub20.sys [10/17/2003 12:41 PM 49776]

S0 phooks;phooks; [x]

S1 aswSP;avast! Self Protection;c:\winnt\system32\drivers\aswSP.sys [7/9/2008 9:10 AM 114768]

S1 cdudf;cdudf;c:\winnt\system32\drivers\Cdudf.sys [9/4/2001 2:38 PM 238176]

S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [5/28/2008 9:33 AM 12872]

S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/28/2008 9:33 AM 66632]

S2 aswFsBlk;aswFsBlk;c:\winnt\system32\drivers\aswFsBlk.sys [7/9/2008 9:10 AM 20560]

S2 aswMon;avast! Standard Shield Support;c:\winnt\system32\drivers\aswmon.sys [7/9/2008 9:10 AM 93424]

S2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe [5/16/2008 5:12 PM 102400]

S2 WMP300NSvc;WMP300NSvc;c:\program files\Linksys\WMP300N\WLService.exe [10/27/2009 1:34 PM 53307]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/28/2008 9:33 AM 12872]

.

Contents of the 'Scheduled Tasks' folder

2010-03-01 c:\winnt\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 23:42]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/advanced_search?hl=en&num=100

uInternet Settings,ProxyServer = http=90.0.0.25:4480;https=90.0.0.25:4480;ftp=90.0.0.25:4480;socks=90.0.0.25:1080

IE: freePat - c:\program files\freePat\freePat-script.html

IE: freePat Preview - c:\program files\freePat\freePatpreview-script.html

IE: Search Image on TinEye - file://c:\documents and settings\photon.MATT\My Documents\TinEye 1.0\TinEye.js

IE: {{4725A95C-0D36-4E3E-AC08-6657D522529C} - c:\program files\FreshDevices\FreshDownload\fd.exe

IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm

LSP: %SystemRoot%\system32\msafd.dll

DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\photon.MATT\Application Data\Mozilla\Firefox\Profiles\mu8t0x4j.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/advanced_search?&hl=en&lr=&num=100

FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

.

- - - - ORPHANS REMOVED - - - -

SSODL-hepitahuk-{2860f68d-a40c-4c08-8c0f-3e9323310c27} - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-03-27 13:53

Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

LXCJCATS = rundll32 c:\winnt\system32\spool\DRIVERS\W32X86\3\LXCJtime.dll,_RunDLLEntry@16?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]

@DACL=(02 0000)

@=""

"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]

@DACL=(02 0000)

@=""

"Installed"="1"

"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]

@DACL=(02 0000)

@=""

"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Windows\AutorunsDisabled]

"Appinit_Dlls"="nodutike.dll c:\\winnt\\system32\\yozekute.dll,c:\\winnt\\system32\\jufuvowa.dll"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(188)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\winnt\system32\wzcdlg.dll

c:\winnt\system32\WZCSAPI.DLL

.

------------------------ Other Running Processes ------------------------

.

c:\winnt\System32\WBEM\WinMgmt.exe

c:\winnt\system32\RUNDLL32.EXE

.

**************************************************************************

.

Completion time: 2010-03-27 13:59:52 - machine was rebooted

ComboFix-quarantined-files.txt 2010-03-27 21:59

ComboFix2.txt 2010-03-21 04:05

Pre-Run: 24,519,016,448 bytes free

Post-Run: 24,515,518,464 bytes free

- - End Of File - - 03F5DC32B5F2C63061B8205DFF567D54

DDS (Ver_10-03-17.01) - NTFSx86 NETWORK

Run by photon at 14:18:58.90 on Sat 03/27/2010

Internet Explorer: 6.0.2800.1106 BrowserJavaVersion: 1.6.0_15

Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.1023.845 [GMT -8:00]

============== Running Processes ===============

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\RUNDLL32.EXE

C:\WINNT\explorer.exe

C:\Documents and Settings\photon.MATT\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/advanced_search?hl=en&num=100

uInternet Settings,ProxyServer = http=90.0.0.25:4480;https=90.0.0.25:4480;ftp=90.0.0.25:4480;socks=90.0.0.25:1080

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll

TB: {ED0E8CA5-42FB-4B18-997B-769E0408E79D} - No File

EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\system32\browseui.dll

uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe

uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

mRun: [LXCJCATS] rundll32 c:\winnt\system32\spool\drivers\w32x86\3\LXCJtime.dll,_RunDLLEntry@16

mRun: [AtiPTA] atiptaxx.exe

dRunOnce: [^SetupICWDesktop] c:\program files\internet explorer\connection wizard\icwconn1.exe /desktop

IE: freePat - c:\program files\freepat\freePat-script.html

IE: freePat Preview - c:\program files\freepat\freePatpreview-script.html

IE: Search Image on TinEye - file://c:\documents and settings\photon.matt\my documents\tineye 1.0\TinEye.js

IE: {4725A95C-0D36-4E3E-AC08-6657D522529C} - c:\program files\freshdevices\freshdownload\fd.exe

IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

DPF: DirectAnimation Java Classes - file://c:\winnt\java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\winnt\java\classes\xmldso.cab

DPF: {00000161-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/msaudio.cab

DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} - hxxp://www.kats-korner.com/wfplayer/tdserver.cab

DPF: {106E49CF-797A-11D2-81A2-00E02C015623} - hxxp://www.alternatiff.com/install/00/alttiff.cab

DPF: {31564D57-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmvax.cab

DPF: {32564D57-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv8ax.cab

DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - hxxp://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe

DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} - hxxp://www.espysoft.net/tsweb/msrdp.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37911.5699652778

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Filter: application/xhtml+xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - c:\program files\design science\mathplayer001\MathMLMimer.dll

Filter: application/xhtml+xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - c:\program files\design science\mathplayer001\MathMLMimer.dll

Filter: application/xhtml+xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - c:\program files\design science\mathplayer001\MathMLMimer.dll

Filter: text/xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - c:\program files\design science\mathplayer001\MathMLMimer.dll

Filter: text/xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - c:\program files\design science\mathplayer001\MathMLMimer.dll

Filter: text/xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - c:\program files\design science\mathplayer001\MathMLMimer.dll

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

SSODL: hepitahuk - {2860f68d-a40c-4c08-8c0f-3e9323310c27} - No File

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\photon~1.mat\applic~1\mozilla\firefox\profiles\mu8t0x4j.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/advanced_search?&hl=en&lr=&num=100

FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 SONYPVM1;Sony Memory Stick Driver(SONYPVM1);c:\winnt\system32\drivers\SonyPVM1.sys [2010-2-15 28224]

R3 usbhub20;USB 2.0 Root Hub Support;c:\winnt\system32\drivers\usbhub20.sys [2003-10-17 49776]

S0 phooks;phooks; [x]

S1 aswSP;avast! Self Protection;c:\winnt\system32\drivers\aswSP.sys [2008-7-9 114768]

S1 cdudf;cdudf;c:\winnt\system32\drivers\Cdudf.sys [2001-9-4 238176]

S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-5-28 12872]

S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-5-28 66632]

S2 aswFsBlk;aswFsBlk;c:\winnt\system32\drivers\aswFsBlk.sys [2008-7-9 20560]

S2 aswMon;avast! Standard Shield Support;c:\winnt\system32\drivers\aswmon.sys [2008-7-9 93424]

S2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-12-10 138680]

S2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\western digital\wd drive manager\WDBtnMgrSvc.exe [2008-5-16 102400]

S2 WMP300NSvc;WMP300NSvc;c:\program files\linksys\wmp300n\WLService.exe [2009-10-27 53307]

S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-12-10 254040]

S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-12-10 352920]

S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-5-28 12872]

=============== Created Last 30 ================

2010-03-27 22:18:59 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_1e4.dat

2010-03-27 21:43:22 0 d-----w- C:\ComboFix

2010-03-21 03:17:58 98816 ----a-w- c:\winnt\sed.exe

2010-03-21 03:17:58 77312 ----a-w- c:\winnt\MBR.exe

2010-03-21 03:17:58 261632 ----a-w- c:\winnt\PEV.exe

2010-03-21 03:17:58 161792 ----a-w- c:\winnt\SWREG.exe

2010-03-14 03:31:06 0 ----a-w- c:\documents and settings\photon.matt\defogger_reenable

2010-03-12 16:15:32 743884 ---h--w- c:\winnt\ShellIconCache

2010-03-10 18:21:49 0 d-----w- c:\docume~1\photon~1.mat\applic~1\Malwarebytes

2010-03-10 18:21:45 38224 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys

2010-03-10 18:21:41 18520 ----a-w- c:\winnt\system32\drivers\mbam.sys

2010-03-10 18:21:41 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-03-10 18:21:41 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-03-10 16:04:56 0 d-----w- c:\program files\CCleaner

2010-03-10 16:03:47 3396856 ----a-w- C:\ccsetup229.exe

2010-03-09 07:44:03 28552 ----a-w- c:\winnt\system32\drivers\pavboot.sys

2010-03-09 07:44:01 0 d-----w- c:\program files\Panda Security

2010-03-08 06:41:59 0 d---a-w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

2010-03-08 06:41:59 0 d-----w- c:\program files\Spybot - Search & Destroy

2010-03-05 05:05:58 8712 ----a-w- c:\winnt\system32\.crusader

2010-03-05 04:27:15 14792 ----a-w- c:\winnt\system32\drivers\hitmanpro35.sys

2010-03-05 04:27:00 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro

2010-03-04 06:07:34 0 d-----w- c:\docume~1\photon~1.mat\applic~1\Arduino

2010-03-04 05:45:25 0 d-----w- C:\arduino stuff

2010-03-04 02:33:01 0 d-----w- C:\ATI

2010-03-04 01:35:00 93 ----a-w- c:\winnt\WININIT.INI

2010-03-04 00:21:59 1904 ------w- c:\winnt\system32\SetupBD.din

2010-03-03 16:47:39 36192 ----a-w- c:\winnt\system32\ljyrm

2010-03-03 16:47:37 47616 ----a-w- c:\winnt\system32\xrpijkpte.dll

2010-02-27 21:29:40 177928 ----a-w- C:\TDSSKiller.exe

==================== Find3M ====================

2010-03-05 06:29:24 111376 ----a-w- c:\winnt\system32\rundll32.exe

2010-01-29 23:16:28 61067 ----a-w- c:\winnt\system32\drivers\ftser2k.sys

2010-01-29 23:16:28 47249 ----a-w- c:\winnt\system32\drivers\ftdibus.sys

2010-01-29 23:16:28 33360 ----a-w- c:\winnt\system32\ftserui2.dll

2010-01-29 23:16:28 188416 ----a-w- c:\winnt\system32\ftdiunin.exe

2010-01-29 23:16:28 176128 ----a-w- c:\winnt\system32\ftd2xx.dll

2010-01-29 23:16:28 106496 ----a-w- c:\winnt\system32\ftbusui.dll

2010-01-29 23:16:28 102400 ----a-w- c:\winnt\system32\FTLang.dll

2009-12-28 13:03:42 319760 ------w- c:\winnt\system32\MSPAINT.EXE

2009-05-28 11:05:02 9164 ----a-w- c:\program files\SweepGen.txt

2009-05-28 11:05:02 716288 ----a-w- c:\program files\SweepGen.exe

2009-05-28 11:05:02 43 ----a-w- c:\program files\ReadMe.txt

2009-05-28 11:05:02 3204 ----a-w- c:\program files\History.txt

2009-05-23 14:44:08 13736273 ----a-w- c:\program files\Discovery.exe

2003-10-17 19:51:23 271 ---h--w- c:\program files\desktop.ini

2003-10-17 19:51:23 21952 ---h--w- c:\program files\folder.htt

2001-05-08 12:00:00 32528 ----a-w- c:\winnt\inf\wbfirdma.sys

2001-01-09 22:08:06 872927 ----a-w- c:\program files\cclean.exe

2002-08-01 02:55:12 141 --sh--w- c:\winnt\WSYS049.SYS

1601-01-01 00:03:28 42496 --sha-w- c:\winnt\system32\nilejonu.exe

============= FINISH: 14:19:06.96 ===============

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-03-27 14:36:59

Windows 5.0.2195 Service Pack 4

Running: gmer.exe; Driver: C:\DOCUME~1\PHOTON~1.MAT\LOCALS~1\Temp\ugtdypoc.sys

---- Kernel code sections - GMER 1.0.15 ----

? Combo-Fix.sys The system cannot find the file specified. !

? C:\ComboFix\catchme.sys The system cannot find the file specified. !

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINNT\explorer.exe[564] @ C:\WINNT\explorer.exe [KERNEL32.DLL!CreateProcessW] [4AD84C9A] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)

IAT C:\WINNT\explorer.exe[564] @ C:\WINNT\explorer.exe [KERNEL32.DLL!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)

IAT C:\WINNT\explorer.exe[564] @ C:\WINNT\explorer.exe [KERNEL32.DLL!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)

IAT C:\WINNT\explorer.exe[564] @ C:\WINNT\explorer.exe [KERNEL32.DLL!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)

IAT C:\WINNT\explorer.exe[564] @ C:\WINNT\explorer.exe [KERNEL32.DLL!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)

IAT C:\WINNT\explorer.exe[564] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)

IAT C:\WINNT\explorer.exe[564] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!CreateProcessA] [4AD84AE3] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)

IAT C:\WINNT\explorer.exe[564] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!CreateProcessW] [4AD84C9A] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)

IAT C:\WINNT\explorer.exe[564] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)

IAT C:\WINNT\explorer.exe[564] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)

IAT C:\WINNT\explorer.exe[564] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)

IAT C:\WINNT\explorer.exe[564] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)

IAT C:\WINNT\explorer.exe[564] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)

IAT C:\WINNT\explorer.exe[564] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)

IAT C:\WINNT\explorer.exe[564] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)

IAT C:\WINNT\explorer.exe[564] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)

IAT C:\WINNT\explorer.exe[564] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)

IAT C:\WINNT\explorer.exe[564] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)

IAT C:\WINNT\explorer.exe[564] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)

IAT C:\WINNT\explorer.exe[564] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)

IAT C:\WINNT\explorer.exe[564] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)

IAT C:\WINNT\explorer.exe[564] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)

IAT C:\WINNT\explorer.exe[564] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!CreateProcessW] [4AD84C9A] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)

IAT C:\WINNT\explorer.exe[564] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)

IAT C:\WINNT\explorer.exe[564] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)

IAT C:\WINNT\explorer.exe[564] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)

IAT C:\WINNT\explorer.exe[564] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)

IAT C:\WINNT\explorer.exe[564] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!LoadLibraryExA] [732E78DE] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)

IAT C:\WINNT\explorer.exe[564] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)

IAT C:\WINNT\explorer.exe[564] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)

IAT C:\WINNT\explorer.exe[564] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!CreateProcessA] [4AD84AE3] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)

IAT C:\WINNT\explorer.exe[564] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!CreateProcessW] [4AD84C9A] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)

IAT C:\WINNT\explorer.exe[564] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)

IAT C:\WINNT\explorer.exe[564] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)

IAT C:\WINNT\explorer.exe[564] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)

IAT C:\WINNT\explorer.exe[564] @ C:\WINNT\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)

IAT C:\WINNT\explorer.exe[564] @ C:\WINNT\system32\msvcrt.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)

IAT C:\WINNT\explorer.exe[564] @ C:\WINNT\system32\msvcrt.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)

IAT C:\WINNT\explorer.exe[564] @ C:\WINNT\system32\msvcrt.dll [KERNEL32.dll!CreateProcessA] [4AD84AE3] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)

IAT C:\WINNT\explorer.exe[564] @ C:\WINNT\system32\msvcrt.dll [KERNEL32.dll!CreateProcessW] [4AD84C9A] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)

IAT C:\WINNT\explorer.exe[564] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)

IAT C:\WINNT\explorer.exe[564] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!CreateProcessW] [4AD84C9A] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)

IAT C:\WINNT\explorer.exe[564] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)

IAT C:\WINNT\explorer.exe[564] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)

IAT C:\WINNT\explorer.exe[564] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)

IAT C:\WINNT\explorer.exe[564] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)

IAT C:\WINNT\explorer.exe[564] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)

IAT C:\WINNT\explorer.exe[564] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)

IAT C:\WINNT\explorer.exe[564] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)

IAT C:\WINNT\explorer.exe[564] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)

IAT C:\WINNT\explorer.exe[564] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)

IAT C:\WINNT\explorer.exe[564] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!CreateProcessW] [4AD84C9A] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)

IAT C:\WINNT\explorer.exe[564] @ C:\WINNT\system32\NETAPI32.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)

IAT C:\WINNT\explorer.exe[564] @ C:\WINNT\system32\NETAPI32.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)

IAT C:\WINNT\explorer.exe[564] @ C:\WINNT\system32\NETAPI32.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)

IAT C:\WINNT\explorer.exe[564] @ C:\WINNT\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)

IAT C:\WINNT\explorer.exe[564] @ C:\WINNT\system32\Secur32.dll [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)

IAT C:\WINNT\explorer.exe[564] @ C:\WINNT\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)

IAT C:\WINNT\explorer.exe[564] @ C:\WINNT\system32\Secur32.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)

IAT C:\WINNT\explorer.exe[564] @ C:\WINNT\system32\WS2_32.DLL [KERNEL32.DLL!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)

IAT C:\WINNT\explorer.exe[564] @ C:\WINNT\system32\WS2_32.DLL [KERNEL32.DLL!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)

IAT C:\WINNT\explorer.exe[564] @ C:\WINNT\system32\WS2_32.DLL [KERNEL32.DLL!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)

IAT C:\WINNT\explorer.exe[564] @ C:\WINNT\system32\WS2HELP.DLL [KERNEL32.DLL!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)

IAT C:\WINNT\explorer.exe[564] @ C:\WINNT\system32\WS2HELP.DLL [KERNEL32.DLL!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)

IAT C:\WINNT\explorer.exe[564] @ C:\WINNT\system32\WS2HELP.DLL [KERNEL32.DLL!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)

IAT C:\WINNT\explorer.exe[564] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)

IAT C:\WINNT\explorer.exe[564] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)

IAT C:\WINNT\explorer.exe[564] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)

IAT C:\WINNT\explorer.exe[564] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)

IAT C:\WINNT\explorer.exe[564] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!CreateProcessW] [4AD84C9A] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)

IAT C:\WINNT\explorer.exe[564] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)

IAT C:\WINNT\explorer.exe[564] @ C:\WINNT\system32\WININET.dll [KERNEL32.dll!LoadLibraryW] [732E786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)

IAT C:\WINNT\explorer.exe[564] @ C:\WINNT\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)

IAT C:\WINNT\explorer.exe[564] @ C:\WINNT\system32\WININET.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)

IAT C:\WINNT\explorer.exe[564] @ C:\WINNT\system32\WININET.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)

IAT C:\WINNT\explorer.exe[564] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [732E771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)

IAT C:\WINNT\explorer.exe[564] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [732E7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)

IAT C:\WINNT\explorer.exe[564] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExW] [732E7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)

IAT C:\WINNT\explorer.exe[564] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExA] [732E78DE] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)

IAT C:\WINNT\explorer.exe[564] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!FreeLibrary] [732E7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- Services - GMER 1.0.15 ----

Service C:\WINNT\system32\MSTask.exe? (*** hidden *** ) [AUTO] Schedule <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL@

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL@Installed 1

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@Installed 1

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@NoChange 1

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS@

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS@Installed 1

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AutorunsDisabled

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AutorunsDisabled@Appinit_Dlls nodutike.dll c:\winnt\system32\yozekute.dll,c:\winnt\system32\jufuvowa.dll

---- EOF - GMER 1.0.15 ----


It says "File already Analyzed" and all the fields (MD5, date, etc.) are blank. I couldn't figure out how to get any other report out of it.

I tried virustotal on another computer with a random .exe file and got a report, so I see what they should look like.

Tried two other randomly chosen exe files on the infected computer and the same thing happened - the report fields were all blank.


I tried again, but there is no file to zip or send. The screen looks like:

MD5:

First received:

Date:

Results:

Permalink:

with nothing after the :

The "Show Last Report" and "Reanalyse file now"[sic] buttons are grayed out.

It's like something is blocking virustotal from reporting.


VirusTotal would not produce a report on the infected computer (see previous post).

I copied mstask.exe to a flash drive, renamed it mstask.copy, and analyzed it with virustotal on a different computer. (I assume that will not infect the other computer since I'm not running the exe file.)

File has already been analysed:

MD5: b00529eae5d0ce97010b69cc677128c8

First received: 2009.02.26 02:44:29 UTC

Date: 2010.01.24 21:30:19 UTC [>62D]

Results: 0/41

Permalink: analisis/79f8a8ff3ad298a053446b0ecd48df6e2f727675d7c5c1ce020371e634b37800-1264368619

the link is http://www.virustotal.com/analisis/79f8a8f...7800-1264368619

Here is a copy/paste of the report:

Antivirus Version Last Update Result

a-squared 4.5.0.50 2010.01.24 -

AhnLab-V3 5.0.0.2 2010.01.23 -

AntiVir 7.9.1.150 2010.01.24 -

Antiy-AVL 2.0.3.7 2010.01.22 -

Authentium 5.2.0.5 2010.01.24 -

Avast 4.8.1351.0 2010.01.24 -

AVG 9.0.0.730 2010.01.24 -

BitDefender 7.2 2010.01.24 -

CAT-QuickHeal 10.00 2010.01.22 -

ClamAV 0.94.1 2010.01.24 -

Comodo 3696 2010.01.24 -

DrWeb 5.0.1.12222 2010.01.24 -

eSafe 7.0.17.0 2010.01.24 -

eTrust-Vet 35.2.7255 2010.01.22 -

F-Prot 4.5.1.85 2010.01.24 -

F-Secure 9.0.15370.0 2010.01.24 -

Fortinet 4.0.14.0 2010.01.24 -

GData 19 2010.01.24 -

Ikarus T3.1.1.80.0 2010.01.24 -

Jiangmin 13.0.900 2010.01.24 -

K7AntiVirus 7.10.952 2010.01.22 -

Kaspersky 7.0.0.125 2010.01.24 -

McAfee 5871 2010.01.24 -

McAfee+Artemis 5871 2010.01.24 -

McAfee-GW-Edition 6.8.5 2010.01.24 -

Microsoft 1.5405 2010.01.24 -

NOD32 4802 2010.01.24 -

Norman 6.04.03 2010.01.24 -

nProtect 2009.1.8.0 2010.01.24 -

Panda 10.0.2.2 2010.01.24 -

PCTools 7.0.3.5 2010.01.24 -

Prevx 3.0 2010.01.24 -

Rising 22.31.06.04 2010.01.24 -

Sophos 4.50.0 2010.01.24 -

Sunbelt 3.2.1858.2 2010.01.24 -

Symantec 20091.2.0.41 2010.01.24 -

TheHacker 6.5.0.9.161 2010.01.24 -

TrendMicro 9.120.0.1004 2010.01.24 -

VBA32 3.12.12.1 2010.01.23 -

ViRobot 2010.1.23.2152 2010.01.23 -

VirusBuster 5.0.21.0 2010.01.24 -

Additional information

File size: 122128 bytes

MD5 : b00529eae5d0ce97010b69cc677128c8

SHA1 : c3f096504240f47fef9613bb4223ac43ed0bd526

SHA256: 79f8a8ff3ad298a053446b0ecd48df6e2f727675d7c5c1ce020371e634b37800

PEInfo: PE Structure information

( base data )

entrypointaddress.: 0x10037E0

timedatestamp.....: 0x413EA6AE (Wed Sep 8 08:29:02 2004)

machinetype.......: 0x14C (Intel I386)

( 3 sections )

name viradd virsiz rawdsiz ntrpy md5

.text 0x1000 0x19DEC 0x19E00 6.53 f398a9bbab257266841ebd7429d7a5e5

.data 0x1B000 0xB7C 0x800 3.01 4b3da68dc17b484ae759d0031f758cca

.rsrc 0x1C000 0x2E48 0x3000 3.34 4342171c1e939b1ac26e4fea46d7c2eb

( 0 imports )

( 0 exports )

TrID : File type identification

Win32 Executable MS Visual C++ (generic) (65.2%)

Win32 Executable Generic (14.7%)

Win32 Dynamic Link Library (generic) (13.1%)

Generic Win/DOS Executable (3.4%)

DOS Executable Generic (3.4%)

ssdeep: 3072:zQcZKTdaGb5zmYIUTh8E47IyLIMfGVuYpyoij:ccZKTdamzmtUP4MYfGfij

PEiD : InstallShield 2000

RDS : NSRL Reference Data Set

-


What did you find in mstask.exe?

Running in Safe Mode with Networking, deleted old combofix folders.

Downloaded new combofix from bleepingcomputers.

Ran combofix.

Don't know if this is important, but when combofix reboots the machine I get an error window titled "Registry Editor," that says, "Cannot import creg.dat: error accessing the registry."

I had to OK out of the window to continue.

Here's the log:

ComboFix 10-03-29.04 - photon 03/31/2010 6:33.3.1 - x86 NETWORK

Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.1023.851 [GMT -8:00]

Running from: c:\documents and settings\photon.MATT\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

---- Previous Run -------

.

c:\documents and settings\All Users\Favorites\_favdata.dat

c:\winnt\system32\comres.dll . . . is infected!!

-- Previous Run --

c:\winnt\system32\comres.dll . . . is infected!!

c:\winnt\system32\comres.dll . . . is infected!!

c:\winnt\system32\comres.dll . . . is infected!!

c:\winnt\system32\comres.dll . . . is infected!!

c:\winnt\system32\rundll32.exe . . . is infected!!

c:\winnt\system32\comres.dll . . . is infected!!

-- Previous Run --

c:\winnt\system32\comres.dll . . . is infected!!

c:\winnt\system32\comres.dll . . . is infected!!

c:\winnt\system32\comres.dll . . . is infected!!

c:\winnt\system32\comres.dll . . . is infected!!

c:\winnt\system32\rundll32.exe . . . is infected!!

--------

c:\winnt\system32\comres.dll . . . is infected!!

c:\winnt\system32\comres.dll . . . is infected!!

-- Previous Run --

c:\winnt\system32\comres.dll . . . is infected!!

c:\winnt\system32\comres.dll . . . is infected!!

c:\winnt\system32\comres.dll . . . is infected!!

c:\winnt\system32\comres.dll . . . is infected!!

c:\winnt\system32\rundll32.exe . . . is infected!!

--------

c:\winnt\system32\comres.dll . . . is infected!!

c:\winnt\system32\rundll32.exe . . . is infected!!

--------

c:\winnt\system32\comres.dll . . . is infected!!

c:\winnt\system32\rundll32.exe . . . is infected!!

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_IPRIP

-------\Legacy_NWSAPAGENT

-------\Legacy__VOIDqylbdwpcbv

-------\Service__VOIDqylbdwpcbv

-------\Service_Iprip

-------\Service_Nwsapagent

((((((((((((((((((((((((( Files Created from 2010-02-28 to 2010-03-31 )))))))))))))))))))))))))))))))

.

2010-03-31 14:40 . 2010-03-31 14:40 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_22c.dat

2010-03-31 14:40 . 2010-03-31 14:40 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_27c.dat

2010-03-28 20:31 . 2010-03-31 14:04 -------- d-----w- C:\D

2010-03-10 18:21 . 2010-03-10 18:21 -------- d-----w- c:\documents and settings\photon.MATT\Application Data\Malwarebytes

2010-03-10 18:21 . 2010-01-08 00:07 38224 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys

2010-03-10 18:21 . 2010-03-10 18:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-03-10 18:21 . 2010-03-10 18:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-03-10 18:21 . 2010-01-08 00:07 18520 ----a-w- c:\winnt\system32\drivers\mbam.sys

2010-03-10 16:04 . 2010-03-10 16:04 -------- d-----w- c:\program files\CCleaner

2010-03-10 16:03 . 2010-03-10 16:03 3396856 ----a-w- C:\ccsetup229.exe

2010-03-09 07:44 . 2009-06-30 17:37 28552 ----a-w- c:\winnt\system32\drivers\pavboot.sys

2010-03-09 07:44 . 2010-03-09 07:44 -------- d-----w- c:\program files\Panda Security

2010-03-08 06:41 . 2010-03-08 17:56 -------- d---a-w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-03-08 06:41 . 2010-03-08 06:45 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-03-05 04:27 . 2010-03-05 05:50 14792 ----a-w- c:\winnt\system32\drivers\hitmanpro35.sys

2010-03-05 04:27 . 2010-03-05 05:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro

2010-03-04 06:07 . 2010-03-04 06:07 -------- d-----w- c:\documents and settings\photon.MATT\Application Data\Arduino

2010-03-04 05:45 . 2010-03-04 05:45 -------- d-----w- C:\arduino stuff

2010-03-04 02:36 . 2010-03-04 02:36 52224 ----a-w- c:\documents and settings\photon.MATT\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

2010-03-04 02:33 . 2010-03-04 02:33 -------- d-----w- C:\ATI

2010-03-03 16:47 . 2010-03-03 16:47 47616 ----a-w- c:\winnt\system32\xrpijkpte.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-03-31 14:24 . 2008-07-09 17:01 -------- d-----w- c:\documents and settings\photon.MATT\Application Data\Azureus

2010-03-13 05:57 . 2004-12-01 20:28 70856 ----a-w- c:\documents and settings\photon.MATT\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-03-10 07:59 . 2009-04-22 13:45 117760 ----a-w- c:\documents and settings\photon.MATT\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2010-03-06 06:55 . 2008-07-16 23:15 -------- d-----w- c:\program files\SUPERAntiSpyware

2010-03-05 06:29 . 2001-05-08 12:00 111376 ----a-w- c:\winnt\system32\rundll32.exe

2010-03-05 05:31 . 2009-01-02 18:09 -------- d-----w- c:\program files\Aiseesoft Studio

2010-03-05 05:05 . 2010-01-15 03:38 -------- d-----w- c:\program files\QuickTime

2010-03-04 00:22 . 2003-01-14 16:37 -------- d---a-w- c:\program files\Intel

2010-03-02 20:16 . 2008-08-17 23:34 -------- d-----w- c:\documents and settings\photon.MATT\Application Data\dvdcss

2010-02-27 21:29 . 2010-02-27 21:29 177928 ----a-w- C:\TDSSKiller.exe

2010-02-23 03:59 . 2008-09-09 18:09 -------- d-----w- c:\documents and settings\photon.MATT\Application Data\gtk-2.0

2010-02-15 23:16 . 2007-06-04 00:12 -------- d-----w- c:\program files\Lx_cats

2010-02-15 22:40 . 2003-01-14 16:37 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-02-15 22:39 . 2010-02-15 22:39 -------- d-----w- c:\program files\sony

2010-02-15 05:46 . 2010-02-15 05:46 -------- d-----w- c:\program files\Steinberg

2010-02-10 18:23 . 2009-10-18 17:27 -------- d-----w- c:\program files\solveig avi cuttrimer

2010-02-04 00:44 . 2010-02-04 00:44 -------- d-----w- c:\documents and settings\photon.MATT\Application Data\NewSoft

2010-02-04 00:38 . 2007-06-04 00:16 -------- d-----w- c:\program files\Abbyy FineReader 6.0 Sprint

2010-01-31 20:24 . 2003-01-22 21:34 141 ----a-w- c:\winnt\C3DPREF6.DAT

2010-01-29 23:16 . 2010-01-29 23:16 61067 ----a-w- c:\winnt\system32\drivers\ftser2k.sys

2010-01-29 23:16 . 2010-01-29 23:16 47249 ----a-w- c:\winnt\system32\drivers\ftdibus.sys

2010-01-29 23:16 . 2010-01-29 23:16 33360 ----a-w- c:\winnt\system32\ftserui2.dll

2010-01-29 23:16 . 2010-01-29 23:16 188416 ----a-w- c:\winnt\system32\ftdiunin.exe

2010-01-29 23:16 . 2010-01-29 23:16 176128 ----a-w- c:\winnt\system32\ftd2xx.dll

2010-01-29 23:16 . 2010-01-29 23:16 106496 ----a-w- c:\winnt\system32\ftbusui.dll

2010-01-29 23:16 . 2010-01-29 23:16 102400 ----a-w- c:\winnt\system32\FTLang.dll

2009-05-28 11:05 . 2009-05-28 11:05 9164 ----a-w- c:\program files\SweepGen.txt

2009-05-28 11:05 . 2009-05-28 11:05 716288 ----a-w- c:\program files\SweepGen.exe

2009-05-28 11:05 . 2009-05-28 11:05 43 ----a-w- c:\program files\ReadMe.txt

2009-05-28 11:05 . 2009-05-28 11:05 3204 ----a-w- c:\program files\History.txt

2009-05-23 14:44 . 2009-05-23 14:44 13736273 ----a-w- c:\program files\Discovery.exe

2003-10-17 19:51 . 2003-01-13 16:51 21952 ---h--w- c:\program files\folder.htt

2001-01-09 22:08 . 2003-01-15 19:38 872927 ----a-w- c:\program files\cclean.exe

2002-08-01 02:55 . 2006-07-24 04:56 141 --sh--w- c:\winnt\WSYS049.SYS

1601-01-01 00:03 . 1601-01-01 00:03 42496 --sha-w- c:\winnt\system32\nilejonu.exe

.

<pre>
c:\program files\Adobe\Reader 9.0\Reader\reader_sl .exe
c:\program files\Aiseesoft Studio\ashdisp .exe
c:\program files\Alwil Software\Avast4\ashdisp .exe
c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\QuickTime\qttask .exe
c:\program files\SUPERAntiSpyware\superantispyware .exe
c:\program files\Western Digital\WD Drive Manager\wdbtnmgrui .exe
</pre>

------- Sigcheck -------

[-] 2003-06-19 19:05 . 8C718AA8C77041B3285D55A0CE980867 . 86672 . . [5.00.2195.6699] . . c:\winnt\ServicePackFiles\i386\atapi.sys

[-] 2003-06-19 19:05 . 8C718AA8C77041B3285D55A0CE980867 . 86672 . . [5.00.2195.6699] . . c:\winnt\system32\drivers\atapi.sys

[-] 2003-06-19 19:05 . 5D3D77C9EB3A8E6A14CC8E1252B6CC5C . 17840 . . [5.00.2195.6655] . . c:\winnt\ServicePackFiles\i386\asyncmac.sys

[-] 2003-06-19 19:05 . 5D3D77C9EB3A8E6A14CC8E1252B6CC5C . 17840 . . [5.00.2195.6655] . . c:\winnt\system32\drivers\asyncmac.sys

[-] 2001-05-08 12:00 . DF012C2853281CE2BF536E8DE871C8C1 . 4080 . . [5.00.2158.1] . . c:\winnt\system32\dllcache\beep.sys

[-] 2001-05-08 12:00 . DF012C2853281CE2BF536E8DE871C8C1 . 4080 . . [5.00.2158.1] . . c:\winnt\system32\drivers\beep.sys

[-] 2003-06-19 19:05 . 399055F5C4A98F39B47D26888A72145D . 24528 . . [5.00.2195.6666] . . c:\winnt\ServicePackFiles\i386\kbdclass.sys

[-] 2003-06-19 19:05 . 399055F5C4A98F39B47D26888A72145D . 24528 . . [5.00.2195.6666] . . c:\winnt\system32\drivers\kbdclass.sys

[-] 2003-06-19 19:05 . FB4F2D0595BD3546A4DD915E4A9B4809 . 170928 . . [5.00.2195.6655] . . c:\winnt\ServicePackFiles\i386\ndis.sys

[-] 2003-06-19 19:05 . FB4F2D0595BD3546A4DD915E4A9B4809 . 170928 . . [5.00.2195.6655] . . c:\winnt\system32\drivers\ndis.sys

[-] 2005-05-10 09:20 . 7DC1F0F9BF87CA5CEE9A46C9A63DC1D3 . 513424 . . [5.00.2195.7049] . . c:\winnt\system32\dllcache\ntfs.sys

[-] 2005-05-10 09:20 . 7DC1F0F9BF87CA5CEE9A46C9A63DC1D3 . 513424 . . [5.00.2195.7049] . . c:\winnt\system32\drivers\ntfs.sys

[-] 2003-06-19 19:05 . F6AB0E765D5B80443B93C52C42F2602A . 534192 . . [5.00.2195.6710] . . c:\winnt\$NtUpdateRollupPackUninstall$\ntfs.sys

[-] 2003-06-19 19:05 . F6AB0E765D5B80443B93C52C42F2602A . 534192 . . [5.00.2195.6710] . . c:\winnt\ServicePackFiles\i386\ntfs.sys

[-] 2001-05-08 12:00 . 280209CDE798720A24D232BF9CFDA8E9 . 2800 . . [5.00.2134.1] . . c:\winnt\system32\dllcache\null.sys

[-] 2001-05-08 12:00 . 280209CDE798720A24D232BF9CFDA8E9 . 2800 . . [5.00.2134.1] . . c:\winnt\system32\drivers\null.sys

[-] 2005-04-08 11:54 . B4F3ECAAEBC715EDBEA44A28FDEDA851 . 71440 . . [5.00.2195.6866] . . c:\winnt\system32\browser.dll

[-] 2005-04-08 11:54 . B4F3ECAAEBC715EDBEA44A28FDEDA851 . 71440 . . [5.00.2195.6866] . . c:\winnt\system32\dllcache\browser.dll

[-] 2004-03-24 02:17 . 1B19559C80946E1FABF21859DB42CD54 . 69904 . . [5.00.2195.6866] . . c:\winnt\$NtUpdateRollupPackUninstall$\browser.dll

[-] 2003-06-19 19:05 . 38A6BC551496C24118BD1524425AF2FE . 68880 . . [5.00.2195.6693] . . c:\winnt\$NtUninstallKB835732$\browser.dll

[-] 2003-06-19 19:05 . 38A6BC551496C24118BD1524425AF2FE . 68880 . . [5.00.2195.6693] . . c:\winnt\ServicePackFiles\i386\browser.dll

[-] 2004-12-19 22:30 . F19D0A319AB4BF5496F08807CB9B8651 . 33552 . . [5.00.2195.7011] . . c:\winnt\system32\LSASS.EXE

[-] 2004-12-19 22:30 . F19D0A319AB4BF5496F08807CB9B8651 . 33552 . . [5.00.2195.7011] . . c:\winnt\system32\dllcache\lsass.exe

[-] 2004-02-25 23:59 . 0C13D582EDAF90CBEA454A1AC535B913 . 33552 . . [5.00.2195.6902] . . c:\winnt\$NtUpdateRollupPackUninstall$\lsass.exe

[-] 2003-06-19 19:05 . 271229760CCED993E9E7CAB1C7274134 . 33552 . . [5.00.2195.6695] . . c:\winnt\$NtUninstallKB835732$\lsass.exe

[-] 2003-06-19 19:05 . 271229760CCED993E9E7CAB1C7274134 . 33552 . . [5.00.2195.6695] . . c:\winnt\ServicePackFiles\i386\lsass.exe

[-] 2005-08-16 08:35 . 600104D606AB3E9B9AB36076E6261A05 . 100112 . . [5.00.2195.7061] . . c:\winnt\system32\netman.dll

[-] 2005-08-16 08:35 . 600104D606AB3E9B9AB36076E6261A05 . 100112 . . [5.00.2195.7061] . . c:\winnt\system32\dllcache\netman.dll

[-] 2003-06-19 19:05 . 648A07AB73E49EF547A48D240CD36125 . 95504 . . [5.00.2195.6660] . . c:\winnt\$NtUninstallKB905414$\netman.dll

[-] 2003-06-19 19:05 . 648A07AB73E49EF547A48D240CD36125 . 95504 . . [5.00.2195.6660] . . c:\winnt\ServicePackFiles\i386\netman.dll

[-] 2004-10-05 . DCD38D8178BF1BEA585F2F003EE3460E . 362496 . . [6.6.2600.1596] . . c:\winnt\system32\qmgr.dll

[-] 2004-10-05 . DCD38D8178BF1BEA585F2F003EE3460E . 362496 . . [6.6.2600.1596] . . c:\winnt\system32\BITS\qmgr.dll

[-] 2004-10-05 . DCD38D8178BF1BEA585F2F003EE3460E . 362496 . . [6.6.2600.1596] . . c:\winnt\system32\dllcache\qmgr.dll

[-] 2003-06-19 19:05 . FE02334DB8598E2706A51A24DD33AB00 . 244224 . . [6.2.3630.2522 built by: lab04_n] . . c:\winnt\$NtUninstallKB842773$\qmgr.dll

[-] 2003-06-19 19:05 . FE02334DB8598E2706A51A24DD33AB00 . 244224 . . [6.2.3630.2522 built by: lab04_n] . . c:\winnt\ServicePackFiles\i386\qmgr.dll

[-] 2005-09-05 08:18 . 037EBCF93DF5F0C31CCD2FF7E31E3BA5 . 212240 . . [5.00.2195.7059] . . c:\winnt\system32\rpcss.dll

[-] 2005-09-05 08:18 . 037EBCF93DF5F0C31CCD2FF7E31E3BA5 . 212240 . . [5.00.2195.7059] . . c:\winnt\system32\dllcache\rpcss.dll

[-] 2005-04-08 11:54 . 391AFA6F7FE9AA667B2C54DFAE2D0FBD . 273680 . . [5.00.2195.7021] . . c:\winnt\$NtUninstallKB902400$\rpcss.dll

[-] 2005-01-14 01:27 . 10789155522BE499A232AD2773AC1DF0 . 212240 . . [5.00.2195.7021] . . c:\winnt\$NtUpdateRollupPackUninstall$\rpcss.dll

[-] 2004-03-11 21:29 . 4A72D5DD3AAD4B967ABE12D2A3044B98 . 211728 . . [5.00.2195.6906] . . c:\winnt\$NtUninstallKB873333$\rpcss.dll

[-] 2003-08-23 21:48 . EBF7D8A02D8A32926B19EA4C6AD4FE0E . 192272 . . [5.00.2195.6810] . . c:\winnt\$NtUninstallKB828741$\rpcss.dll

[-] 2003-06-19 19:05 . B49E4F60ED7E5918E44396768F9F02F2 . 239376 . . [5.00.2195.6702] . . c:\winnt\$NtUninstallKB824146$\rpcss.dll

[-] 2003-06-19 19:05 . B49E4F60ED7E5918E44396768F9F02F2 . 239376 . . [5.00.2195.6702] . . c:\winnt\ServicePackFiles\i386\rpcss.dll

[-] 2005-04-08 11:51 . B861B4E6E9637EB76A40C10C552E0229 . 92944 . . [5.00.2195.7035] . . c:\winnt\system32\SERVICES.EXE

[-] 2005-04-08 11:51 . B861B4E6E9637EB76A40C10C552E0229 . 92944 . . [5.00.2195.7035] . . c:\winnt\system32\dllcache\services.exe

[-] 2003-06-19 19:05 . CFED2D28F5B8A24127E9E06043070643 . 89360 . . [5.00.2195.6700] . . c:\winnt\$NtUpdateRollupPackUninstall$\services.exe

[-] 2003-06-19 19:05 . CFED2D28F5B8A24127E9E06043070643 . 89360 . . [5.00.2195.6700] . . c:\winnt\ServicePackFiles\i386\services.exe

[-] 2005-07-12 04:59 . FACFB75ECC070103619FA044E0B210D3 . 47376 . . [5.00.2195.7059] . . c:\winnt\system32\spoolsv.exe

[-] 2005-07-12 04:59 . FACFB75ECC070103619FA044E0B210D3 . 47376 . . [5.00.2195.7059] . . c:\winnt\system32\dllcache\spoolsv.exe

[-] 2003-06-19 19:05 . 987DAF317B917CFC973DE8364D62A76C . 45328 . . [5.00.2195.6659] . . c:\winnt\$NtUninstallKB896423$\spoolsv.exe

[-] 2003-06-19 19:05 . 987DAF317B917CFC973DE8364D62A76C . 45328 . . [5.00.2195.6659] . . c:\winnt\ServicePackFiles\i386\spoolsv.exe

[-] 2005-04-08 11:51 . BB1DAF6A5737652646D52665251A0265 . 186640 . . [5.00.2195.6997] . . c:\winnt\system32\WINLOGON.EXE

[-] 2005-04-08 11:51 . BB1DAF6A5737652646D52665251A0265 . 186640 . . [5.00.2195.6997] . . c:\winnt\system32\dllcache\WINLOGON.EXE

[-] 2004-08-24 22:59 . 5922E8055EB439A58EF29530D8567A40 . 182544 . . [5.00.2195.6970] . . c:\winnt\$NtUninstallKB841533$\winlogon.exe

[-] 2004-08-24 22:59 . 5922E8055EB439A58EF29530D8567A40 . 182544 . . [5.00.2195.6970] . . c:\winnt\$NtUpdateRollupPackUninstall$\winlogon.exe

[-] 2004-03-11 02:37 . 563B3DE5B6EE842CFFA8813F9EF4CB5C . 181520 . . [5.00.2195.6898] . . c:\winnt\$NtUninstallKB840987$\winlogon.exe

[-] 2003-07-17 17:20 . E3ACD1BC832E859B157D95D9907560D3 . 182032 . . [5.00.2195.6785] . . c:\winnt\$NtUninstallKB835732$\winlogon.exe

[-] 2003-06-19 19:05 . 3980C28D116D438BBB36FB38526FDE1A . 181008 . . [5.00.2195.6714] . . c:\winnt\$NtUninstallKB824141$\winlogon.exe

[-] 2003-06-19 19:05 . 3980C28D116D438BBB36FB38526FDE1A . 181008 . . [5.00.2195.6714] . . c:\winnt\ServicePackFiles\i386\winlogon.exe

[-] 2006-08-28 08:44 . F4230CAA2B9166E5114441F6B7B2DC3F . 530192 . . [5.81] . . c:\winnt\system32\comctl32.dll

[-] 2006-08-28 08:44 . F4230CAA2B9166E5114441F6B7B2DC3F . 530192 . . [5.81] . . c:\winnt\system32\dllcache\comctl32.dll

[-] 2003-06-19 19:05 . 7A0C4F7B3FAF67A8FE4FE3A24BB39927 . 550672 . . [5.81] . . c:\winnt\ServicePackFiles\i386\comctl32.dll

[-] 2002-08-29 14:14 . 9EDC93CC795DFF919C6CD953912838A9 . 529680 . . [5.81] . . c:\winnt\$NtUninstallKB923191$\comctl32.dll

[-] 2005-04-21 08:08 . 7D77D4AF905903AEDBEED9989857A9A5 . 78096 . . [5.00.2195.7039] . . c:\winnt\system32\cryptsvc.dll

[-] 2005-04-21 08:08 . 7D77D4AF905903AEDBEED9989857A9A5 . 78096 . . [5.00.2195.7039] . . c:\winnt\system32\dllcache\cryptsvc.dll

[-] 2004-03-24 02:17 . 644108E90CA7F628AA5650C31A2E74F5 . 76048 . . [5.00.2195.6868] . . c:\winnt\$NtUpdateRollupPackUninstall$\cryptsvc.dll

[-] 2003-06-19 19:05 . 385F52746FD8558D43999AEED250769A . 76048 . . [5.00.2195.6661] . . c:\winnt\$NtUninstallKB835732$\cryptsvc.dll

[-] 2003-06-19 19:05 . 385F52746FD8558D43999AEED250769A . 76048 . . [5.00.2195.6661] . . c:\winnt\ServicePackFiles\i386\cryptsvc.dll

[-] 2008-07-10 10:00 . 019BD72A117C13DF44D6CA3B96A345D6 . 251152 . . [2000.2.3550.0] . . c:\winnt\system32\es.dll

[-] 2008-07-10 10:00 . 019BD72A117C13DF44D6CA3B96A345D6 . 251152 . . [2000.2.3550.0] . . c:\winnt\system32\dllcache\es.dll

[-] 2005-09-05 08:18 . D8D44D8ED1B35285A83984ACF5D13CB3 . 242448 . . [2000.2.3529.0] . . c:\winnt\$NtUninstallKB950974$\es.dll

[-] 2004-03-11 21:29 . 0400F13BDEC0E1F04C1AD2002D5650A4 . 239888 . . [2000.2.3511.0] . . c:\winnt\$NtUninstallKB902400$\es.dll

[-] 2003-06-19 19:05 . FACD7422F6FBC7CD3AEA3AFCB8382ECF . 233232 . . [2000.2.3504.0] . . c:\winnt\$NtUninstallKB828741$\es.dll

[-] 2003-06-19 19:05 . FACD7422F6FBC7CD3AEA3AFCB8382ECF . 233232 . . [2000.2.3504.0] . . c:\winnt\ServicePackFiles\i386\es.dll

[-] 2003-06-19 19:05 . 873794CE17DD72420D9C4072D4D112E5 . 96528 . . [5.00.2195.6655] . . c:\winnt\ServicePackFiles\i386\imm32.dll

[-] 2003-06-19 19:05 . 873794CE17DD72420D9C4072D4D112E5 . 96528 . . [5.00.2195.6655] . . c:\winnt\system32\imm32.dll

[-] 2007-04-16 12:44 . 18D623471DE9DCC2CEA310B2F3FBA15A . 712976 . . [5.00.2195.7135] . . c:\winnt\Driver Cache\i386\kernel32.dll

[-] 2007-04-16 12:44 . 0AB23B46CCAEBA64D748A5CF79CB4BB6 . 712976 . . [5.00.2195.7135] . . c:\winnt\system32\KERNEL32.DLL

.

((((((((((((((((((((((((((((( SnapShot@2010-03-21_03.58.21 )))))))))))))))))))))))))))))))))))))))))

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-03-06 2012912]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-06 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LXCJCATS"="c:\winnt\system32\spool\DRIVERS\W32X86\3\LXCJtime.dll" [2005-09-08 73728]

"AtiPTA"="atiptaxx.exe" [2001-09-27 245760]

"Synchronization Manager"="mobsync.exe" [N/A]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [2003-06-19 186640]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-07 17:49 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NavLogon]

[bU]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"Tray Pilot Lite"="c:\program files\Invention Pilot\Tray Pilot Lite\TrayPlt.exe"

R0 SONYPVM1;Sony Memory Stick Driver(SONYPVM1);c:\winnt\system32\drivers\SonyPVM1.sys [2/15/2010 2:40 PM 28224]

R1 aswSP;avast! Self Protection;c:\winnt\system32\drivers\aswSP.sys [7/9/2008 9:10 AM 114768]

R1 cdudf;cdudf;c:\winnt\system32\drivers\Cdudf.sys [9/4/2001 2:38 PM 238176]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [5/28/2008 9:33 AM 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/28/2008 9:33 AM 66632]

R2 aswFsBlk;aswFsBlk;c:\winnt\system32\drivers\aswFsBlk.sys [7/9/2008 9:10 AM 20560]

R2 aswMon;avast! Standard Shield Support;c:\winnt\system32\drivers\aswmon.sys [7/9/2008 9:10 AM 93424]

R2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe [5/16/2008 5:12 PM 102400]

R2 WMP300NSvc;WMP300NSvc;c:\program files\Linksys\WMP300N\WLService.exe [10/27/2009 1:34 PM 53307]

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/28/2008 9:33 AM 12872]

R3 usbhub20;USB 2.0 Root Hub Support;c:\winnt\system32\drivers\usbhub20.sys [10/17/2003 12:41 PM 49776]

S0 phooks;phooks; [x]

.

Contents of the 'Scheduled Tasks' folder

2010-03-01 c:\winnt\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 23:42]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/advanced_search?hl=en&num=100

uInternet Settings,ProxyServer = http=90.0.0.25:4480;https=90.0.0.25:4480;ftp=90.0.0.25:4480;socks=90.0.0.25:1080

IE: freePat - c:\program files\freePat\freePat-script.html

IE: freePat Preview - c:\program files\freePat\freePatpreview-script.html

IE: Search Image on TinEye - file://c:\documents and settings\photon.MATT\My Documents\TinEye 1.0\TinEye.js

IE: {{4725A95C-0D36-4E3E-AC08-6657D522529C} - c:\program files\FreshDevices\FreshDownload\fd.exe

IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm

LSP: %SystemRoot%\system32\msafd.dll

DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\photon.MATT\Application Data\Mozilla\Firefox\Profiles\mu8t0x4j.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/advanced_search?&hl=en&lr=&num=100

FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

.

- - - - ORPHANS REMOVED - - - -

SSODL-hepitahuk-{2860f68d-a40c-4c08-8c0f-3e9323310c27} - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-03-31 07:00

Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

LXCJCATS = rundll32 c:\winnt\system32\spool\DRIVERS\W32X86\3\LXCJtime.dll,_RunDLLEntry@16

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]

@DACL=(02 0000)

@=""

"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]

@DACL=(02 0000)

@=""

"Installed"="1"

"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]

@DACL=(02 0000)

@=""

"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Windows\AutorunsDisabled]

"Appinit_Dlls"="nodutike.dll c:\\winnt\\system32\\yozekute.dll,c:\\winnt\\system32\\jufuvowa.dll"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(216)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\winnt\system32\wzcdlg.dll

c:\winnt\system32\WZCSAPI.DLL

- - - - - - - > 'explorer.exe'(1492)

c:\winnt\system32\SHDOCVW.DLL

.

------------------------ Other Running Processes ------------------------

.

c:\winnt\System32\WLTRYSVC.EXE

c:\winnt\System32\bcmwltry.exe

c:\program files\Alwil Software\Avast4\aswUpdSv.exe

c:\program files\Alwil Software\Avast4\ashServ.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\winnt\system32\LxrJD31s.exe

c:\winnt\system32\regsvc.exe

c:\winnt\system32\MSTask.exe

c:\winnt\system32\stisvc.exe

c:\winnt\System32\WBEM\WinMgmt.exe

c:\program files\Linksys\WMP300N\WMP300N.exe

c:\program files\Alwil Software\Avast4\ashMaiSv.exe

c:\program files\Alwil Software\Avast4\ashWebSv.exe

c:\winnt\system32\atiptaxx.exe

.

**************************************************************************

.

Completion time: 2010-03-31 07:07:45 - machine was rebooted

ComboFix-quarantined-files.txt 2010-03-31 15:07

ComboFix2.txt 2010-03-27 21:59

ComboFix3.txt 2010-03-21 04:05

Pre-Run: 24,526,483,456 bytes free

Post-Run: 24,492,814,336 bytes free

Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4

- - End Of File - - E2297D8BDE43B50B707C07B43D5AAB88


  • Staff

Hi,

Nothing suspicious was found in the file. Very odd.

Please go to VirusTotal, and upload the following files for analysis:

c:\winnt\system32\comres.dll

c:\winnt\system32\rundll32.exe

Post the results in your reply.

Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.

Next, please open Notepad - don't use any other text editor than notepad or the script will fail.

Copy/paste the text in the quotebox below into Notepad:

RenV::
c:\program files\Adobe\Reader 9.0\Reader\reader_sl .exe
c:\program files\Aiseesoft Studio\ashdisp .exe
c:\program files\Alwil Software\Avast4\ashdisp .exe
c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\QuickTime\qttask .exe
c:\program files\SUPERAntiSpyware\superantispyware .exe
c:\program files\Western Digital\WD Drive Manager\wdbtnmgrui .exe
KILLALL::
Driver::
phooks
RegLockDel::
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Windows\AutorunsDisabled]
Registry::
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Windows]
"Appinit_Dlls"=""

Save this as CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScriptB-4.gif]

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new DDS log.

Let me know if this version of ComboFix still produces the Creg error.

-screen317

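Reading the log and the script above as a triage exercise, here is an added Python script (my own example, not the forum's, the staff member's, or ComboFix's code) that scans ComboFix-style log lines for the indicators this thread turns on: the ProxyServer entry that explains the redirects, a non-empty Appinit_Dlls value, executables renamed with a space before the extension (the paths listed under RenV:: in the script), 1601-dated hidden files, "is infected!!" verdicts and drivers with no backing file. The sample log is constructed from lines in this thread; the regexes, category names and the avast "ashdisp .exe" Run entry are my own.

```python
import re
from collections import Counter

# Constructed sample in ComboFix log format.  The values are copied from the
# log posted in this thread (proxy address, Appinit_Dlls DLL names, the
# 1601-dated nilejonu.exe, the comres.dll verdict, the phooks driver); the
# avast "ashdisp .exe" Run entry is my own illustration of the renamed-file
# pattern that the RenV:: section of the staff's script lists.
SAMPLE_LOG = r"""
uInternet Settings,ProxyServer = http=90.0.0.25:4480;https=90.0.0.25:4480;ftp=90.0.0.25:4480;socks=90.0.0.25:1080
"Appinit_Dlls"="nodutike.dll c:\\winnt\\system32\\yozekute.dll,c:\\winnt\\system32\\jufuvowa.dll"
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-06 2260480]
"avast!"="c:\program files\Alwil Software\Avast4\ashdisp .exe" [2008-07-09 81000]
1601-01-01 00:03 . 1601-01-01 00:03 42496 --sha-w- c:\winnt\system32\nilejonu.exe
2010-03-05 06:29 . 2001-05-08 12:00 111376 ----a-w- c:\winnt\system32\rundll32.exe
c:\winnt\system32\comres.dll . . . is infected!!
S0 phooks;phooks; [x]
"""

# One regex per indicator; each captures the interesting value as "value".
# Category names are my own, not ComboFix terminology.
FINDINGS = {
    # WinINet proxy: a redirect-style infection commonly routes the browser
    # through a proxy it controls (the thread's log shows 90.0.0.25).
    "proxy": re.compile(r"ProxyServer\s*=\s*(?P<value>\S+)"),
    # Appinit_Dlls is loaded into every process that links user32.dll; a
    # non-empty value with random-looking names is a classic persistence spot.
    "appinit": re.compile(r'"Appinit_Dlls"\s*=\s*"(?P<value>[^"]+)"', re.IGNORECASE),
    # A space before the extension ("ashdisp .exe") means the real file was
    # renamed aside; these are the paths the RenV:: section enumerates.
    "renamed_exe": re.compile(r'(?P<value>[A-Za-z]:\\[^"\[\]]*? \.(?:exe|dll|sys))', re.IGNORECASE),
    # ComboFix's own verdict lines.
    "infected": re.compile(r"^(?P<value>\S.*?) \. \. \. is infected!!"),
    # FILETIME zero (1601-01-01) is a wiped timestamp, not a real date.
    "epoch_timestamp": re.compile(r"^1601-01-01 .*?\s(?P<value>[A-Za-z]:\\\S+)$"),
    # Driver/service entry with no backing file shown (the log marks it "[x]").
    "driver_no_file": re.compile(r"^[RS]\d (?P<value>[^;]+);[^;]*; \[x\]"),
}


def triage(log_text):
    """Scan ComboFix-style log text; return (category, value) pairs in log order."""
    findings = []
    for line in log_text.splitlines():
        for category, pattern in FINDINGS.items():
            match = pattern.search(line)
            if not match:
                continue
            value = match.group("value")
            if category == "appinit":
                # The value is a space- or comma-separated DLL list.
                findings.extend((category, dll) for dll in re.split(r"[ ,]+", value.strip()))
            else:
                findings.append((category, value))
    return findings


def proxy_hosts(proxy_value):
    """Distinct hosts in a WinINet ProxyServer string ('http=host:port;...')."""
    return sorted({host for host, _port in re.findall(r"(?:^|;)\w+=([^:;]+):(\d+)", proxy_value)})


def summarize(findings):
    """Count findings per category (plain dict, so callers can compare it)."""
    return dict(Counter(category for category, _ in findings))


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for category, value in results:
        print(f"{category:16} {value}")
    for category, value in results:
        if category == "proxy":
            print("proxy hosts:", ", ".join(proxy_hosts(value)))
    print(summarize(results))
```

Run it over a real ComboFix.txt by passing the file's contents to triage(); an empty Appinit_Dlls value (what the script's Registry:: section writes back) produces no finding.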

OK

As before virustotal would not run on the infected computer - this time it just hung up during upload.

There is no comres.dll file on the machine, anywhere (did search for comres).

Copied the rundll32 file onto flash drive and ran virustotal on another computer, log attached below.

Deleted combofix, re-upped from your link.

Copied script and ran it with combofix.

Still get cregC error window.

Combofix log attached below.

Noticed a file called xrpijkpte.dll when looking for comres.dll. It was created 3/3/2010. It gets 16 hits on virustotal. Should I delete it?

File rundll32.exe received on 2010.04.03 13:47:55 (UTC)

Current status: finished

Result: 1/42 (2.38%)


Antivirus Version Last Update Result

a-squared 4.5.0.50 2010.04.03 -

AhnLab-V3 5.0.0.2 2010.04.03 -

AntiVir 7.10.6.23 2010.04.02 -

Antiy-AVL 2.0.3.7 2010.04.02 -

Authentium 5.2.0.5 2010.04.03 -

Avast 4.8.1351.0 2010.04.03 -

Avast5 5.0.332.0 2010.04.03 -

AVG 9.0.0.787 2010.04.03 -

BitDefender 7.2 2010.04.03 -

CAT-QuickHeal 10.00 2010.04.03 -

ClamAV 0.96.0.0-git 2010.04.03 -

Comodo 4484 2010.04.03 -

DrWeb 5.0.2.03300 2010.04.03 -

eSafe 7.0.17.0 2010.04.01 -

eTrust-Vet 35.2.7405 2010.04.02 -

F-Prot 4.5.1.85 2010.04.03 -

F-Secure 9.0.15370.0 2010.04.02 -

Fortinet 4.0.14.0 2010.04.03 -

GData 19 2010.04.03 -

Ikarus T3.1.1.80.0 2010.04.03 -

Jiangmin 13.0.900 2010.04.03 -

K7AntiVirus 7.10.1004 2010.03.22 -

Kaspersky 7.0.0.125 2010.04.03 -

McAfee 5937 2010.03.31 -

McAfee+Artemis 5937 2010.03.31 -

McAfee-GW-Edition 6.8.5 2010.04.02 -

Microsoft 1.5605 2010.04.03 -

NOD32 4996 2010.04.03 -

Norman 6.04.10 2010.04.03 -

nProtect 2009.1.8.0 2010.04.03 -

Panda 10.0.2.2 2010.04.03 -

PCTools 7.0.3.5 2010.04.03 -

Prevx 3.0 2010.04.03 -

Rising 22.41.04.05 2010.04.02 -

Sophos 4.52.0 2010.04.03 -

Sunbelt 6133 2010.04.03 -

Symantec 20091.2.0.41 2010.04.03 Suspicious.Insight

TheHacker 6.5.2.0.251 2010.04.02 -

TrendMicro 9.120.0.1004 2010.04.03 -

VBA32 3.12.12.4 2010.04.02 -

ViRobot 2010.4.3.2259 2010.04.03 -

VirusBuster 5.0.27.0 2010.04.02 -

Additional information

File size: 111376 bytes

MD5 : 9931fc8e549cf67d981f4e101a56f418

SHA1 : 3372e26a3a2abf3e6fb9b9f36a020e2aea813f4a

SHA256: 8813a7fddf069cd28c72b21190c048994c3777560c4086131b52a9e19919ba06

PEInfo: PE Structure information

( base data )

entrypointaddress.: 0x12BF0

timedatestamp.....: 0x3E19F59A (Mon Jan 6 22:31:06 2003)

machinetype.......: 0x14C (Intel I386)

( 3 sections )

name viradd virsiz rawdsiz ntrpy md5

.text 0x1000 0x130DC 0x13200 6.40 adbfd4de13a7d42aaea88f594501d997

.data 0x15000 0x39C 0x200 1.87 e0c2dfce0a873a785411f3e10751356e

.rsrc 0x16000 0x77A0 0x7800 4.17 9ff87412a5744ce51c9431671406c5ce

( 8 imports )

> advapi32.dll: OpenProcessToken, OpenThreadToken, RegCloseKey, RegSetValueExA, RegSetValueExW, RegCreateKeyExA, RegCreateKeyExW, GetUserNameA, GetUserNameW, RegOpenKeyExA, RegOpenKeyExW, RegQueryValueExA, RegQueryValueExW, RegEnumKeyA, RegEnumKeyW

> comctl32.dll: InitCommonControlsEx, ImageList_ReplaceIcon, ImageList_Create, ImageList_LoadImageW, ImageList_Draw

> gdi32.dll: SetTextColor, SelectObject, GetObjectA, SetBkColor, CreateFontIndirectA, CreateFontIndirectW, GetTextExtentPointA, GetTextExtentPointW

> kernel32.dll: CreateEventA, CreateEventW, LocalReAlloc, GetDateFormatW, GetTimeFormatA, GetTimeFormatW, FormatMessageA, FormatMessageW, lstrcpynA, LoadLibraryW, LoadLibraryA, SetLastError, IsBadReadPtr, GetUserDefaultLCID, AreFileApisANSI, WideCharToMultiByte, LocalFree, LocalAlloc, GetModuleHandleA, GetStartupInfoA, DeleteCriticalSection, GetProcAddress, FreeLibrary, DuplicateHandle, lstrlenA, MultiByteToWideChar, InterlockedExchange, FileTimeToLocalFileTime, FileTimeToSystemTime, GetCurrentThread, GetCurrentProcess, SetEnvironmentVariableW, GetVersionExA, GetSystemDefaultLangID, InitializeCriticalSection, TerminateThread, GetTickCount, WaitForMultipleObjects, SetEvent, CreateThread, WaitForSingleObject, CloseHandle, GetLastError, EnterCriticalSection, LeaveCriticalSection, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, GetDateFormatA

> mobsync.dll: RegGetSyncItemSettings, MobsyncGetClassObject, DisplayOptions, RegSetProgressDetailsState, RegGetProgressDetailsState, RegGetSyncSettings, RegGetHandlerTopLevelKey, RegSchedHandlerItemsChecked, RegQueryLoadHandlerOnEvent, RegGetSchedConnectionName, RegGetSchedSyncSettings, RegSetUserDefaults, RegGetHandlerRegistrationInfo, RegRemoveManualSyncSettings, RegSetSyncItemSettings

> msvcrt.dll: _except_handler3, _XcptFilter, _ftol, __argv, __argc, toupper, _itow, _ltow, wcscmp, strncpy, _exit, exit, _acmdln, __getmainargs, _initterm, __setusermatherr, _adjust_fdiv, __p__commode, __p__fmode, __set_app_type, __dllonexit, _onexit, _controlfp

> ole32.dll: CoRevokeClassObject, CoRegisterClassObject, StringFromGUID2, CLSIDFromString, CoInitializeEx, CoInitialize, CoFreeUnusedLibraries, CoUninitialize, CoCreateInstance, CoTaskMemFree

> user32.dll: GetUserObjectInformationW, GetProcessWindowStation, RedrawWindow, WinHelpW, GetParent, ReleaseDC, GetSysColor, FillRect, SetCursor, SetRect, SetTimer, InvalidateRect, GetDC, BeginPaint, DrawFocusRect, EndPaint, DrawAnimatedRects, IsWindowVisible, GetWindowRect, MapWindowPoints, SetWindowPos, GetSystemMetrics, KillTimer, DrawIcon, SetForegroundWindow, UpdateWindow, GetClientRect, GetDlgItem, IsWindowEnabled, GetFocus, SetWindowTextW, SetWindowTextA, FindWindowW, FindWindowA, WinHelpA, DrawTextW, DrawTextA, SendMessageW, EnableWindow, SetFocus, SendMessageA, DefDlgProcW, DefDlgProcA, LoadIconA, LoadCursorA, GetWindowLongA, SetWindowLongA, PostQuitMessage, DestroyWindow, PostMessageA, MsgWaitForMultipleObjects, IsDialogMessageA, PeekMessageA, GetMessageA, TranslateMessage, DispatchMessageA, AttachThreadInput, MessageBoxW, MessageBoxA, DefWindowProcW, LoadStringA, RegisterClassW, RegisterClassA, CreateDialogParamW, CreateDialogParamA, CreateWindowExW, CreateWindowExA, RegisterWindowMessageW, RegisterWindowMessageA, FindWindowExW, FindWindowExA, SystemParametersInfoA, LoadStringW, ShowWindow, GetThreadDesktop, DefWindowProcA

( 0 exports )

TrID : File type identification

Win32 Executable MS Visual C++ (generic) (65.2%)

Win32 Executable Generic (14.7%)

Win32 Dynamic Link Library (generic) (13.1%)

Generic Win/DOS Executable (3.4%)

DOS Executable Generic (3.4%)

ssdeep: 1536:rZD+YQnMmmKIvVfS98n6DsFOmQAantYw3brtJ2XEZFMOus4Q3qyUDs5gP/Q:hNNfSSn6DOOmV8rJ2XEEOunJG5YQ

sigcheck: publisher....: Microsoft Corporation

copyright....: Copyright © Microsoft Corp. 1981-1999

product......: Microsoft Synchronization Manager

description..: Microsoft Synchronization Manager

original name: mobsync.exe

internal name: mobsync.exe

file version.: 5.00.2195.6627

comments.....: n/a

signers......: -

signing date.: -

verified.....: Unsigned

PEiD : -

RDS : NSRL Reference Data Set

-

===============================================================

ComboFix 10-04-02.01 - photon 04/03/2010 9:27.4.1 - x86 NETWORK

Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.1023.849 [GMT -8:00]

Running from: c:\documents and settings\photon.MATT\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\photon.MATT\Desktop\CFscript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\winnt\system32\comres.dll . . . is infected!!

-- Previous Run --

c:\winnt\system32\comres.dll . . . is infected!!

c:\winnt\system32\comres.dll . . . is infected!!

c:\winnt\system32\comres.dll . . . is infected!!

c:\winnt\system32\comres.dll . . . is infected!!

c:\winnt\system32\rundll32.exe . . . is infected!!

c:\winnt\system32\comres.dll . . . is infected!!

-- Previous Run --

c:\winnt\system32\comres.dll . . . is infected!!

c:\winnt\system32\comres.dll . . . is infected!!

c:\winnt\system32\comres.dll . . . is infected!!

c:\winnt\system32\comres.dll . . . is infected!!

c:\winnt\system32\rundll32.exe . . . is infected!!

--------

c:\winnt\system32\comres.dll . . . is infected!!

c:\winnt\system32\comres.dll . . . is infected!!

-- Previous Run --

c:\winnt\system32\comres.dll . . . is infected!!

c:\winnt\system32\comres.dll . . . is infected!!

c:\winnt\system32\comres.dll . . . is infected!!

c:\winnt\system32\comres.dll . . . is infected!!

c:\winnt\system32\rundll32.exe . . . is infected!!

--------

c:\winnt\system32\comres.dll . . . is infected!!

c:\winnt\system32\rundll32.exe . . . is infected!!

c:\winnt\system32\comres.dll . . . is infected!!

-- Previous Run --

c:\winnt\system32\comres.dll . . . is infected!!

c:\winnt\system32\comres.dll . . . is infected!!

c:\winnt\system32\comres.dll . . . is infected!!

c:\winnt\system32\comres.dll . . . is infected!!

c:\winnt\system32\rundll32.exe . . . is infected!!

c:\winnt\system32\comres.dll . . . is infected!!

-- Previous Run --

c:\winnt\system32\comres.dll . . . is infected!!

c:\winnt\system32\comres.dll . . . is infected!!

c:\winnt\system32\comres.dll . . . is infected!!

c:\winnt\system32\comres.dll . . . is infected!!

c:\winnt\system32\rundll32.exe . . . is infected!!

--------

c:\winnt\system32\comres.dll . . . is infected!!

c:\winnt\system32\comres.dll . . . is infected!!

-- Previous Run --

c:\winnt\system32\comres.dll . . . is infected!!

c:\winnt\system32\comres.dll . . . is infected!!

c:\winnt\system32\comres.dll . . . is infected!!

c:\winnt\system32\comres.dll . . . is infected!!

c:\winnt\system32\rundll32.exe . . . is infected!!

--------

c:\winnt\system32\comres.dll . . . is infected!!

c:\winnt\system32\rundll32.exe . . . is infected!!

--------

c:\winnt\system32\comres.dll . . . is infected!!

c:\winnt\system32\comres.dll . . . is infected!!

-- Previous Run --

c:\winnt\system32\comres.dll . . . is infected!!

c:\winnt\system32\comres.dll . . . is infected!!

c:\winnt\system32\comres.dll . . . is infected!!

c:\winnt\system32\comres.dll . . . is infected!!

c:\winnt\system32\rundll32.exe . . . is infected!!

c:\winnt\system32\comres.dll . . . is infected!!

-- Previous Run --

c:\winnt\system32\comres.dll . . . is infected!!

c:\winnt\system32\comres.dll . . . is infected!!

c:\winnt\system32\comres.dll . . . is infected!!

c:\winnt\system32\comres.dll . . . is infected!!

c:\winnt\system32\rundll32.exe . . . is infected!!

--------

c:\winnt\system32\comres.dll . . . is infected!!

c:\winnt\system32\comres.dll . . . is infected!!

-- Previous Run --

c:\winnt\system32\comres.dll . . . is infected!!

c:\winnt\system32\comres.dll . . . is infected!!

c:\winnt\system32\comres.dll . . . is infected!!

c:\winnt\system32\comres.dll . . . is infected!!

c:\winnt\system32\rundll32.exe . . . is infected!!

--------

c:\winnt\system32\comres.dll . . . is infected!!

c:\winnt\system32\rundll32.exe . . . is infected!!

--------

c:\winnt\system32\comres.dll . . . is infected!!

c:\winnt\system32\rundll32.exe . . . is infected!!

--------

c:\winnt\system32\comres.dll . . . is infected!!

c:\winnt\system32\rundll32.exe . . . is infected!!

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_IPRIP

-------\Legacy_NWSAPAGENT

-------\Legacy__VOIDqylbdwpcbv

-------\Service__VOIDqylbdwpcbv

-------\Service_Iprip

-------\Service_Nwsapagent

-------\Legacy_PHOOKS

-------\Service_phooks

((((((((((((((((((((((((( Files Created from 2010-03-03 to 2010-04-03 )))))))))))))))))))))))))))))))

.

2010-04-03 17:34 . 2010-04-03 17:34 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_254.dat

2010-04-03 17:34 . 2010-04-03 17:34 16384 ----atw- c:\winnt\system32\Perflib_Perfdata_294.dat

2010-03-28 20:31 . 2010-04-03 16:24 -------- d-----w- C:\D

2010-03-10 18:21 . 2010-03-10 18:21 -------- d-----w- c:\documents and settings\photon.MATT\Application Data\Malwarebytes

2010-03-10 18:21 . 2010-01-08 00:07 38224 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys

2010-03-10 18:21 . 2010-03-10 18:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-03-10 18:21 . 2010-03-10 18:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-03-10 18:21 . 2010-01-08 00:07 18520 ----a-w- c:\winnt\system32\drivers\mbam.sys

2010-03-10 16:04 . 2010-03-10 16:04 -------- d-----w- c:\program files\CCleaner

2010-03-10 16:03 . 2010-03-10 16:03 3396856 ----a-w- C:\ccsetup229.exe

2010-03-09 07:44 . 2009-06-30 17:37 28552 ----a-w- c:\winnt\system32\drivers\pavboot.sys

2010-03-09 07:44 . 2010-03-09 07:44 -------- d-----w- c:\program files\Panda Security

2010-03-08 06:41 . 2010-03-08 17:56 -------- d---a-w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-03-08 06:41 . 2010-03-08 06:45 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-03-05 04:27 . 2010-03-05 05:50 14792 ----a-w- c:\winnt\system32\drivers\hitmanpro35.sys

2010-03-05 04:27 . 2010-03-05 05:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-04-03 17:34 . 2009-01-02 18:09 -------- d-----w- c:\program files\Aiseesoft Studio

2010-04-03 17:27 . 2010-01-15 03:38 -------- d-----w- c:\program files\QuickTime

2010-04-03 17:27 . 2008-07-16 23:15 -------- d-----w- c:\program files\SUPERAntiSpyware

2010-04-03 16:15 . 2008-07-09 17:01 -------- d-----w- c:\documents and settings\photon.MATT\Application Data\Azureus

2010-03-13 05:57 . 2004-12-01 20:28 70856 ----a-w- c:\documents and settings\photon.MATT\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-03-10 07:59 . 2009-04-22 13:45 117760 ----a-w- c:\documents and settings\photon.MATT\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2010-03-05 06:29 . 2001-05-08 12:00 111376 ----a-w- c:\winnt\system32\rundll32.exe

2010-03-04 06:07 . 2010-03-04 06:07 -------- d-----w- c:\documents and settings\photon.MATT\Application Data\Arduino

2010-03-04 02:36 . 2010-03-04 02:36 52224 ----a-w- c:\documents and settings\photon.MATT\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

2010-03-04 00:22 . 2003-01-14 16:37 -------- d---a-w- c:\program files\Intel

2010-03-03 16:47 . 2010-03-03 16:47 47616 ----a-w- c:\winnt\system32\xrpijkpte.dll

2010-03-02 20:16 . 2008-08-17 23:34 -------- d-----w- c:\documents and settings\photon.MATT\Application Data\dvdcss

2010-02-27 21:29 . 2010-02-27 21:29 177928 ----a-w- C:\TDSSKiller.exe

2010-02-23 03:59 . 2008-09-09 18:09 -------- d-----w- c:\documents and settings\photon.MATT\Application Data\gtk-2.0

2010-02-15 23:16 . 2007-06-04 00:12 -------- d-----w- c:\program files\Lx_cats

2010-02-15 22:40 . 2003-01-14 16:37 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-02-15 22:39 . 2010-02-15 22:39 -------- d-----w- c:\program files\sony

2010-02-15 05:46 . 2010-02-15 05:46 -------- d-----w- c:\program files\Steinberg

2010-02-10 18:23 . 2009-10-18 17:27 -------- d-----w- c:\program files\solveig avi cuttrimer

2010-02-04 00:44 . 2010-02-04 00:44 -------- d-----w- c:\documents and settings\photon.MATT\Application Data\NewSoft

2010-02-04 00:38 . 2007-06-04 00:16 -------- d-----w- c:\program files\Abbyy FineReader 6.0 Sprint

2010-01-31 20:24 . 2003-01-22 21:34 141 ----a-w- c:\winnt\C3DPREF6.DAT

2010-01-29 23:16 . 2010-01-29 23:16 61067 ----a-w- c:\winnt\system32\drivers\ftser2k.sys

2010-01-29 23:16 . 2010-01-29 23:16 47249 ----a-w- c:\winnt\system32\drivers\ftdibus.sys

2010-01-29 23:16 . 2010-01-29 23:16 33360 ----a-w- c:\winnt\system32\ftserui2.dll

2010-01-29 23:16 . 2010-01-29 23:16 188416 ----a-w- c:\winnt\system32\ftdiunin.exe

2010-01-29 23:16 . 2010-01-29 23:16 176128 ----a-w- c:\winnt\system32\ftd2xx.dll

2010-01-29 23:16 . 2010-01-29 23:16 106496 ----a-w- c:\winnt\system32\ftbusui.dll

2010-01-29 23:16 . 2010-01-29 23:16 102400 ----a-w- c:\winnt\system32\FTLang.dll

2009-05-28 11:05 . 2009-05-28 11:05 9164 ----a-w- c:\program files\SweepGen.txt

2009-05-28 11:05 . 2009-05-28 11:05 716288 ----a-w- c:\program files\SweepGen.exe

2009-05-28 11:05 . 2009-05-28 11:05 43 ----a-w- c:\program files\ReadMe.txt

2009-05-28 11:05 . 2009-05-28 11:05 3204 ----a-w- c:\program files\History.txt

2009-05-23 14:44 . 2009-05-23 14:44 13736273 ----a-w- c:\program files\Discovery.exe

2003-10-17 19:51 . 2003-01-13 16:51 21952 ---h--w- c:\program files\folder.htt

2001-01-09 22:08 . 2003-01-15 19:38 872927 ----a-w- c:\program files\cclean.exe

2002-08-01 02:55 . 2006-07-24 04:56 141 --sh--w- c:\winnt\WSYS049.SYS

1601-01-01 00:03 . 1601-01-01 00:03 42496 --sha-w- c:\winnt\system32\nilejonu.exe

.

------- Sigcheck -------

[-] 2003-06-19 19:05 . 8C718AA8C77041B3285D55A0CE980867 . 86672 . . [5.00.2195.6699] . . c:\winnt\ServicePackFiles\i386\atapi.sys

[-] 2003-06-19 19:05 . 8C718AA8C77041B3285D55A0CE980867 . 86672 . . [5.00.2195.6699] . . c:\winnt\system32\drivers\atapi.sys

[-] 2003-06-19 19:05 . 5D3D77C9EB3A8E6A14CC8E1252B6CC5C . 17840 . . [5.00.2195.6655] . . c:\winnt\ServicePackFiles\i386\asyncmac.sys

[-] 2003-06-19 19:05 . 5D3D77C9EB3A8E6A14CC8E1252B6CC5C . 17840 . . [5.00.2195.6655] . . c:\winnt\system32\drivers\asyncmac.sys

[-] 2001-05-08 12:00 . DF012C2853281CE2BF536E8DE871C8C1 . 4080 . . [5.00.2158.1] . . c:\winnt\system32\dllcache\beep.sys

[-] 2001-05-08 12:00 . DF012C2853281CE2BF536E8DE871C8C1 . 4080 . . [5.00.2158.1] . . c:\winnt\system32\drivers\beep.sys

[-] 2003-06-19 19:05 . 399055F5C4A98F39B47D26888A72145D . 24528 . . [5.00.2195.6666] . . c:\winnt\ServicePackFiles\i386\kbdclass.sys

[-] 2003-06-19 19:05 . 399055F5C4A98F39B47D26888A72145D . 24528 . . [5.00.2195.6666] . . c:\winnt\system32\drivers\kbdclass.sys

[-] 2003-06-19 19:05 . FB4F2D0595BD3546A4DD915E4A9B4809 . 170928 . . [5.00.2195.6655] . . c:\winnt\ServicePackFiles\i386\ndis.sys

[-] 2003-06-19 19:05 . FB4F2D0595BD3546A4DD915E4A9B4809 . 170928 . . [5.00.2195.6655] . . c:\winnt\system32\drivers\ndis.sys

[-] 2005-05-10 09:20 . 7DC1F0F9BF87CA5CEE9A46C9A63DC1D3 . 513424 . . [5.00.2195.7049] . . c:\winnt\system32\dllcache\ntfs.sys

[-] 2005-05-10 09:20 . 7DC1F0F9BF87CA5CEE9A46C9A63DC1D3 . 513424 . . [5.00.2195.7049] . . c:\winnt\system32\drivers\ntfs.sys

[-] 2003-06-19 19:05 . F6AB0E765D5B80443B93C52C42F2602A . 534192 . . [5.00.2195.6710] . . c:\winnt\$NtUpdateRollupPackUninstall$\ntfs.sys

[-] 2003-06-19 19:05 . F6AB0E765D5B80443B93C52C42F2602A . 534192 . . [5.00.2195.6710] . . c:\winnt\ServicePackFiles\i386\ntfs.sys

[-] 2001-05-08 12:00 . 280209CDE798720A24D232BF9CFDA8E9 . 2800 . . [5.00.2134.1] . . c:\winnt\system32\dllcache\null.sys

[-] 2001-05-08 12:00 . 280209CDE798720A24D232BF9CFDA8E9 . 2800 . . [5.00.2134.1] . . c:\winnt\system32\drivers\null.sys

[-] 2005-04-08 11:54 . B4F3ECAAEBC715EDBEA44A28FDEDA851 . 71440 . . [5.00.2195.6866] . . c:\winnt\system32\browser.dll

[-] 2005-04-08 11:54 . B4F3ECAAEBC715EDBEA44A28FDEDA851 . 71440 . . [5.00.2195.6866] . . c:\winnt\system32\dllcache\browser.dll

[-] 2004-03-24 02:17 . 1B19559C80946E1FABF21859DB42CD54 . 69904 . . [5.00.2195.6866] . . c:\winnt\$NtUpdateRollupPackUninstall$\browser.dll

[-] 2003-06-19 19:05 . 38A6BC551496C24118BD1524425AF2FE . 68880 . . [5.00.2195.6693] . . c:\winnt\$NtUninstallKB835732$\browser.dll

[-] 2003-06-19 19:05 . 38A6BC551496C24118BD1524425AF2FE . 68880 . . [5.00.2195.6693] . . c:\winnt\ServicePackFiles\i386\browser.dll

[-] 2004-12-19 22:30 . F19D0A319AB4BF5496F08807CB9B8651 . 33552 . . [5.00.2195.7011] . . c:\winnt\system32\LSASS.EXE

[-] 2004-12-19 22:30 . F19D0A319AB4BF5496F08807CB9B8651 . 33552 . . [5.00.2195.7011] . . c:\winnt\system32\dllcache\lsass.exe

[-] 2004-02-25 23:59 . 0C13D582EDAF90CBEA454A1AC535B913 . 33552 . . [5.00.2195.6902] . . c:\winnt\$NtUpdateRollupPackUninstall$\lsass.exe

[-] 2003-06-19 19:05 . 271229760CCED993E9E7CAB1C7274134 . 33552 . . [5.00.2195.6695] . . c:\winnt\$NtUninstallKB835732$\lsass.exe

[-] 2003-06-19 19:05 . 271229760CCED993E9E7CAB1C7274134 . 33552 . . [5.00.2195.6695] . . c:\winnt\ServicePackFiles\i386\lsass.exe

[-] 2005-08-16 08:35 . 600104D606AB3E9B9AB36076E6261A05 . 100112 . . [5.00.2195.7061] . . c:\winnt\system32\netman.dll

[-] 2005-08-16 08:35 . 600104D606AB3E9B9AB36076E6261A05 . 100112 . . [5.00.2195.7061] . . c:\winnt\system32\dllcache\netman.dll

[-] 2003-06-19 19:05 . 648A07AB73E49EF547A48D240CD36125 . 95504 . . [5.00.2195.6660] . . c:\winnt\$NtUninstallKB905414$\netman.dll

[-] 2003-06-19 19:05 . 648A07AB73E49EF547A48D240CD36125 . 95504 . . [5.00.2195.6660] . . c:\winnt\ServicePackFiles\i386\netman.dll

[-] 2004-10-05 . DCD38D8178BF1BEA585F2F003EE3460E . 362496 . . [6.6.2600.1596] . . c:\winnt\system32\qmgr.dll

[-] 2004-10-05 . DCD38D8178BF1BEA585F2F003EE3460E . 362496 . . [6.6.2600.1596] . . c:\winnt\system32\BITS\qmgr.dll

[-] 2004-10-05 . DCD38D8178BF1BEA585F2F003EE3460E . 362496 . . [6.6.2600.1596] . . c:\winnt\system32\dllcache\qmgr.dll

[-] 2003-06-19 19:05 . FE02334DB8598E2706A51A24DD33AB00 . 244224 . . [6.2.3630.2522 built by: lab04_n] . . c:\winnt\$NtUninstallKB842773$\qmgr.dll

[-] 2003-06-19 19:05 . FE02334DB8598E2706A51A24DD33AB00 . 244224 . . [6.2.3630.2522 built by: lab04_n] . . c:\winnt\ServicePackFiles\i386\qmgr.dll

[-] 2005-09-05 08:18 . 037EBCF93DF5F0C31CCD2FF7E31E3BA5 . 212240 . . [5.00.2195.7059] . . c:\winnt\system32\rpcss.dll

[-] 2005-09-05 08:18 . 037EBCF93DF5F0C31CCD2FF7E31E3BA5 . 212240 . . [5.00.2195.7059] . . c:\winnt\system32\dllcache\rpcss.dll

[-] 2005-04-08 11:54 . 391AFA6F7FE9AA667B2C54DFAE2D0FBD . 273680 . . [5.00.2195.7021] . . c:\winnt\$NtUninstallKB902400$\rpcss.dll

[-] 2005-01-14 01:27 . 10789155522BE499A232AD2773AC1DF0 . 212240 . . [5.00.2195.7021] . . c:\winnt\$NtUpdateRollupPackUninstall$\rpcss.dll

[-] 2004-03-11 21:29 . 4A72D5DD3AAD4B967ABE12D2A3044B98 . 211728 . . [5.00.2195.6906] . . c:\winnt\$NtUninstallKB873333$\rpcss.dll

[-] 2003-08-23 21:48 . EBF7D8A02D8A32926B19EA4C6AD4FE0E . 192272 . . [5.00.2195.6810] . . c:\winnt\$NtUninstallKB828741$\rpcss.dll

[-] 2003-06-19 19:05 . B49E4F60ED7E5918E44396768F9F02F2 . 239376 . . [5.00.2195.6702] . . c:\winnt\$NtUninstallKB824146$\rpcss.dll

[-] 2003-06-19 19:05 . B49E4F60ED7E5918E44396768F9F02F2 . 239376 . . [5.00.2195.6702] . . c:\winnt\ServicePackFiles\i386\rpcss.dll

[-] 2005-04-08 11:51 . B861B4E6E9637EB76A40C10C552E0229 . 92944 . . [5.00.2195.7035] . . c:\winnt\system32\SERVICES.EXE

[-] 2005-04-08 11:51 . B861B4E6E9637EB76A40C10C552E0229 . 92944 . . [5.00.2195.7035] . . c:\winnt\system32\dllcache\services.exe

[-] 2003-06-19 19:05 . CFED2D28F5B8A24127E9E06043070643 . 89360 . . [5.00.2195.6700] . . c:\winnt\$NtUpdateRollupPackUninstall$\services.exe

[-] 2003-06-19 19:05 . CFED2D28F5B8A24127E9E06043070643 . 89360 . . [5.00.2195.6700] . . c:\winnt\ServicePackFiles\i386\services.exe

[-] 2005-07-12 04:59 . FACFB75ECC070103619FA044E0B210D3 . 47376 . . [5.00.2195.7059] . . c:\winnt\system32\spoolsv.exe

[-] 2005-07-12 04:59 . FACFB75ECC070103619FA044E0B210D3 . 47376 . . [5.00.2195.7059] . . c:\winnt\system32\dllcache\spoolsv.exe

[-] 2003-06-19 19:05 . 987DAF317B917CFC973DE8364D62A76C . 45328 . . [5.00.2195.6659] . . c:\winnt\$NtUninstallKB896423$\spoolsv.exe

[-] 2003-06-19 19:05 . 987DAF317B917CFC973DE8364D62A76C . 45328 . . [5.00.2195.6659] . . c:\winnt\ServicePackFiles\i386\spoolsv.exe

[-] 2005-04-08 11:51 . BB1DAF6A5737652646D52665251A0265 . 186640 . . [5.00.2195.6997] . . c:\winnt\system32\WINLOGON.EXE

[-] 2005-04-08 11:51 . BB1DAF6A5737652646D52665251A0265 . 186640 . . [5.00.2195.6997] . . c:\winnt\system32\dllcache\WINLOGON.EXE

[-] 2004-08-24 22:59 . 5922E8055EB439A58EF29530D8567A40 . 182544 . . [5.00.2195.6970] . . c:\winnt\$NtUninstallKB841533$\winlogon.exe

[-] 2004-08-24 22:59 . 5922E8055EB439A58EF29530D8567A40 . 182544 . . [5.00.2195.6970] . . c:\winnt\$NtUpdateRollupPackUninstall$\winlogon.exe

[-] 2004-03-11 02:37 . 563B3DE5B6EE842CFFA8813F9EF4CB5C . 181520 . . [5.00.2195.6898] . . c:\winnt\$NtUninstallKB840987$\winlogon.exe

[-] 2003-07-17 17:20 . E3ACD1BC832E859B157D95D9907560D3 . 182032 . . [5.00.2195.6785] . . c:\winnt\$NtUninstallKB835732$\winlogon.exe

[-] 2003-06-19 19:05 . 3980C28D116D438BBB36FB38526FDE1A . 181008 . . [5.00.2195.6714] . . c:\winnt\$NtUninstallKB824141$\winlogon.exe

[-] 2003-06-19 19:05 . 3980C28D116D438BBB36FB38526FDE1A . 181008 . . [5.00.2195.6714] . . c:\winnt\ServicePackFiles\i386\winlogon.exe

[-] 2006-08-28 08:44 . F4230CAA2B9166E5114441F6B7B2DC3F . 530192 . . [5.81] . . c:\winnt\system32\comctl32.dll

[-] 2006-08-28 08:44 . F4230CAA2B9166E5114441F6B7B2DC3F . 530192 . . [5.81] . . c:\winnt\system32\dllcache\comctl32.dll

[-] 2003-06-19 19:05 . 7A0C4F7B3FAF67A8FE4FE3A24BB39927 . 550672 . . [5.81] . . c:\winnt\ServicePackFiles\i386\comctl32.dll

[-] 2002-08-29 14:14 . 9EDC93CC795DFF919C6CD953912838A9 . 529680 . . [5.81] . . c:\winnt\$NtUninstallKB923191$\comctl32.dll

[-] 2005-04-21 08:08 . 7D77D4AF905903AEDBEED9989857A9A5 . 78096 . . [5.00.2195.7039] . . c:\winnt\system32\cryptsvc.dll

[-] 2005-04-21 08:08 . 7D77D4AF905903AEDBEED9989857A9A5 . 78096 . . [5.00.2195.7039] . . c:\winnt\system32\dllcache\cryptsvc.dll

[-] 2004-03-24 02:17 . 644108E90CA7F628AA5650C31A2E74F5 . 76048 . . [5.00.2195.6868] . . c:\winnt\$NtUpdateRollupPackUninstall$\cryptsvc.dll

[-] 2003-06-19 19:05 . 385F52746FD8558D43999AEED250769A . 76048 . . [5.00.2195.6661] . . c:\winnt\$NtUninstallKB835732$\cryptsvc.dll

[-] 2003-06-19 19:05 . 385F52746FD8558D43999AEED250769A . 76048 . . [5.00.2195.6661] . . c:\winnt\ServicePackFiles\i386\cryptsvc.dll

[-] 2008-07-10 10:00 . 019BD72A117C13DF44D6CA3B96A345D6 . 251152 . . [2000.2.3550.0] . . c:\winnt\system32\es.dll

[-] 2008-07-10 10:00 . 019BD72A117C13DF44D6CA3B96A345D6 . 251152 . . [2000.2.3550.0] . . c:\winnt\system32\dllcache\es.dll

[-] 2005-09-05 08:18 . D8D44D8ED1B35285A83984ACF5D13CB3 . 242448 . . [2000.2.3529.0] . . c:\winnt\$NtUninstallKB950974$\es.dll

[-] 2004-03-11 21:29 . 0400F13BDEC0E1F04C1AD2002D5650A4 . 239888 . . [2000.2.3511.0] . . c:\winnt\$NtUninstallKB902400$\es.dll

[-] 2003-06-19 19:05 . FACD7422F6FBC7CD3AEA3AFCB8382ECF . 233232 . . [2000.2.3504.0] . . c:\winnt\$NtUninstallKB828741$\es.dll

[-] 2003-06-19 19:05 . FACD7422F6FBC7CD3AEA3AFCB8382ECF . 233232 . . [2000.2.3504.0] . . c:\winnt\ServicePackFiles\i386\es.dll

[-] 2003-06-19 19:05 . 873794CE17DD72420D9C4072D4D112E5 . 96528 . . [5.00.2195.6655] . . c:\winnt\ServicePackFiles\i386\imm32.dll

[-] 2003-06-19 19:05 . 873794CE17DD72420D9C4072D4D112E5 . 96528 . . [5.00.2195.6655] . . c:\winnt\system32\imm32.dll

[-] 2007-04-16 12:44 . 18D623471DE9DCC2CEA310B2F3FBA15A . 712976 . . [5.00.2195.7135] . . c:\winnt\Driver Cache\i386\kernel32.dll

[-] 2007-04-16 12:44 . 0AB23B46CCAEBA64D748A5CF79CB4BB6 . 712976 . . [5.00.2195.7135] . . c:\winnt\system32\KERNEL32.DLL

[-] 2007-04-16 12:44 . 18D623471DE9DCC2CEA310B2F3FBA15A . 712976 . . [5.00.2195.7135] . . c:\winnt\system32\dllcache\kernel32.dll

[-] 2006-06-21 06:52 . 84AE59F949F127A3D8D4F4A09D0CE0BD . 712976 . . [5.00.2195.7099] . . c:\winnt\$NtUninstallKB935839$\kernel32.dll

[-] 2005-08-16 09:39 . 694E9BC2ADE4F30C99D8A59340307E1A . 712464 . . [5.00.2195.7006] . . c:\winnt\$NtUninstallKB917422$\kernel32.dll

[-] 2004-06-22 01:35 . CBFC72131FB475249DB3667239F3F4EA . 712464 . . [5.00.2195.6946] . . c:\winnt\$NtUninstallKB891711$\kernel32.dll

[-] 2004-06-17 23:05 . 276ABD5DD2053008C6C327C590DD806D . 712464 . . [5.00.2195.6946] . . c:\winnt\$NtUninstallKB841533$\kernel32.dll

[-] 2004-06-17 23:05 . 276ABD5DD2053008C6C327C590DD806D . 712464 . . [5.00.2195.6946] . . c:\winnt\$NtUpdateRollupPackUninstall$\kernel32.dll

[-] 2004-03-24 02:17 . 5E9BB22C56919870FC80444E655F8AF6 . 742160 . . [5.00.2195.6897] . . c:\winnt\$NtUninstallKB840987$\kernel32.dll

[-] 2003-08-05 22:14 . 5E478294B05FA91151B6599269815495 . 711440 . . [5.00.2195.6794] . . c:\winnt\$NtUninstallKB835732$\kernel32.dll

[-] 2003-06-19 19:05 . AFFDA6F602A8F0DBA615279C28B3BDF8 . 743184 . . [5.00.2195.6688] . . c:\winnt\$NtUninstallKB824141$\kernel32.dll

[-] 2003-06-19 19:05 . 1E93BDAAE187253D18711DA5C210474A . 743184 . . [5.00.2195.6688] . . c:\winnt\ServicePackFiles\i386\kernel32.dll

[-] 2005-09-23 11:03 . EB0EA3EF05D648455D691348C819E479 . 17680 . . [5.00.2195.7069] . . c:\winnt\system32\linkinfo.dll

[-] 2005-09-23 11:03 . EB0EA3EF05D648455D691348C819E479 . 17680 . . [5.00.2195.7069] . . c:\winnt\system32\dllcache\linkinfo.dll

[-] 2005-04-08 11:54 . 4EDE648460D79405487672EFF49805F6 . 17168 . . [5.00.2195.7009] . . c:\winnt\$NtUninstallKB900725$\linkinfo.dll

[-] 2004-09-02 20:03 . 814222ED1C5C31B135B6F97585FE6B41 . 17168 . . [5.00.2195.6958] . . c:\winnt\$NtUpdateRollupPackUninstall$\linkinfo.dll

[-] 2001-05-08 12:00 . A5977BF56A537AFDF2464F1314C315CF . 16144 . . [5.00.2134.1] . . c:\winnt\$NtUninstallKB841356$\linkinfo.dll

[-] 2003-06-19 19:05 . EF290209052ED43DDFDB8F0E74EC79EF . 20240 . . [5.00.2195.6692] . . c:\winnt\ServicePackFiles\i386\lpk.dll

[-] 2003-06-19 19:05 . EF290209052ED43DDFDB8F0E74EC79EF . 20240 . . [5.00.2195.6692] . . c:\winnt\system32\lpk.dll

[-] 2003-06-19 19:05 . BA7BE6F92680B28B9031170659FD222D . 286773 . . [6.10.9844.0] . . c:\winnt\ServicePackFiles\i386\msvcrt.dll

[-] 2003-06-19 19:05 . BA7BE6F92680B28B9031170659FD222D . 286773 . . [6.10.9844.0] . . c:\winnt\system32\msvcrt.dll

[-] 2005-04-08 11:54 . BE8FC3C74AB5212CD4067E8973764AD6 . 366864 . . [5.00.2195.7011] . . c:\winnt\system32\NETLOGON.DLL

[-] 2005-04-08 11:54 . BE8FC3C74AB5212CD4067E8973764AD6 . 366864 . . [5.00.2195.7011] . . c:\winnt\system32\dllcache\NETLOGON.DLL

[-] 2004-03-24 02:17 . 21537BC1F1AB7667A3828B2344E6D4BA . 371472 . . [5.00.2195.6891] . . c:\winnt\$NtUpdateRollupPackUninstall$\netlogon.dll

[-] 2003-06-19 19:05 . 11B91C26925F56F577089FF88AA0BEC0 . 371984 . . [5.00.2195.6695] . . c:\winnt\$NtUninstallKB835732$\netlogon.dll

[-] 2003-06-19 19:05 . 11B91C26925F56F577089FF88AA0BEC0 . 371984 . . [5.00.2195.6695] . . c:\winnt\ServicePackFiles\i386\netlogon.dll

[-] 2003-06-19 19:05 . 0A35F356726069B95F4BB2A99203FDD4 . 13584 . . [5.00.3502.6601] . . c:\winnt\ServicePackFiles\i386\powrprof.dll

[-] 2003-06-19 19:05 . 0A35F356726069B95F4BB2A99203FDD4 . 13584 . . [5.00.3502.6601] . . c:\winnt\system32\powrprof.dll

[-] 2005-01-12 19:39 . 6FCCE1622E75C7DC46509F7EC4B314A3 . 114448 . . [5.00.2195.7013] . . c:\winnt\system32\scecli.dll

[-] 2005-01-12 19:39 . 6FCCE1622E75C7DC46509F7EC4B314A3 . 114448 . . [5.00.2195.7013] . . c:\winnt\system32\dllcache\scecli.dll

[-] 2004-03-24 02:17 . 0B476C9305098B37BE70F0AC29E671E5 . 111376 . . [5.00.2195.6893] . . c:\winnt\$NtUpdateRollupPackUninstall$\scecli.dll

[-] 2003-06-19 19:05 . FF11B32A906D75CD96957B66E318DAD0 . 114448 . . [5.00.2195.6704] . . c:\winnt\$NtUninstallKB835732$\scecli.dll

[-] 2003-06-19 19:05 . FF11B32A906D75CD96957B66E318DAD0 . 114448 . . [5.00.2195.6704] . . c:\winnt\ServicePackFiles\i386\scecli.dll

[-] 2001-05-08 12:00 . 9E64AD53CFD9DA2D22E8A924F8C6E62C . 7952 . . [5.00.2134.1] . . c:\winnt\system32\svchost.exe

[-] 2001-05-08 12:00 . 9E64AD53CFD9DA2D22E8A924F8C6E62C . 7952 . . [5.00.2134.1] . . c:\winnt\system32\dllcache\svchost.exe

[-] 2005-07-02 11:30 . E1086008E7BCE8621F09E6F13B89CC31 . 175888 . . [5.00.2195.7057] . . c:\winnt\system32\tapisrv.dll

[-] 2005-07-02 11:30 . E1086008E7BCE8621F09E6F13B89CC31 . 175888 . . [5.00.2195.7057] . . c:\winnt\system32\dllcache\tapisrv.dll

[-] 2003-06-19 19:05 . 83C78929A8DB0AA545B5F90A4786783C . 173328 . . [5.00.2195.6666] . . c:\winnt\$NtUninstallKB893756$\tapisrv.dll

[-] 2003-06-19 19:05 . 83C78929A8DB0AA545B5F90A4786783C . 173328 . . [5.00.2195.6666] . . c:\winnt\ServicePackFiles\i386\tapisrv.dll

[-] 2007-03-06 11:17 . 40023A7103796B1AF6CA41A6DBC54775 . 381200 . . [5.00.2195.7133] . . c:\winnt\system32\USER32.DLL

[-] 2007-03-06 11:17 . 40023A7103796B1AF6CA41A6DBC54775 . 381200 . . [5.00.2195.7133] . . c:\winnt\system32\dllcache\USER32.DLL

[-] 2005-04-21 08:08 . 63A7731CF4BA8565B9F07908FAC05C3B . 419600 . . [5.00.2195.7032] . . c:\winnt\$NtUninstallKB925902$\user32.dll

[-] 2005-03-12 07:54 . 05CB047C49480A2157911B0A1C7E4C10 . 380688 . . [5.00.2195.7032] . . c:\winnt\$NtUpdateRollupPackUninstall$\user32.dll

[-] 2004-12-29 09:14 . 6CDD0DEAC5BBF7BA47D52E237FFDAE43 . 380688 . . [5.00.2195.7017] . . c:\winnt\$NtUninstallKB890859$\user32.dll

[-] 2004-03-24 02:17 . 6AE59F325971F7D151A50A4E00E04DC0 . 403216 . . [5.00.2195.6897] . . c:\winnt\$NtUninstallKB891711$\user32.dll

[-] 2003-08-05 22:14 . 15B1C7EA9659055280F71A3D83987DA3 . 380176 . . [5.00.2195.6799] . . c:\winnt\$NtUninstallKB835732$\user32.dll

[-] 2003-06-19 19:05 . 11ED538DB87D8CF38017A63A82AA805D . 403216 . . [5.00.2195.6688] . . c:\winnt\$NtUninstallKB824141$\user32.dll

[-] 2003-06-19 19:05 . 11ED538DB87D8CF38017A63A82AA805D . 403216 . . [5.00.2195.6688] . . c:\winnt\ServicePackFiles\i386\user32.dll

[-] 2003-06-19 19:05 . BF179C5B8A722CC79AEF1CA90D6C7D48 . 17680 . . [5.00.2195.6612] . . c:\winnt\ServicePackFiles\i386\userinit.exe

[-] 2003-06-19 19:05 . BF179C5B8A722CC79AEF1CA90D6C7D48 . 17680 . . [5.00.2195.6612] . . c:\winnt\system32\USERINIT.EXE

[-] 2003-06-19 19:05 . 0190C62DE42396D78DB9BE771CF2403E . 69904 . . [5.00.2195.6601] . . c:\winnt\ServicePackFiles\i386\ws2_32.dll

[-] 2003-06-19 19:05 . 0190C62DE42396D78DB9BE771CF2403E . 69904 . . [5.00.2195.6601] . . c:\winnt\system32\ws2_32.dll

[-] 2003-06-19 19:05 . 59CF2B7DCED9111F48F51B4B570E672D . 243472 . . [5.00.3700.6690] . . c:\winnt\explorer.exe

[-] 2003-06-19 19:05 . 59CF2B7DCED9111F48F51B4B570E672D . 243472 . . [5.00.3700.6690] . . c:\winnt\ServicePackFiles\i386\explorer.exe

[-] 2005-04-08 11:54 . E7F03344AE103B02135C20112B557051 . 49424 . . [5.00.2195.7036] . . c:\winnt\system32\EVENTLOG.DLL

[-] 2005-04-08 11:54 . E7F03344AE103B02135C20112B557051 . 49424 . . [5.00.2195.7036] . . c:\winnt\system32\dllcache\EVENTLOG.DLL

[-] 2004-03-24 02:17 . CEB85BFA135CBDDA10C89E5D31D95F9B . 47888 . . [5.00.2195.6883] . . c:\winnt\$NtUpdateRollupPackUninstall$\eventlog.dll

[-] 2003-06-19 19:05 . 5738D5804F61A1D30D86FA24DEE56E0C . 47888 . . [5.00.2195.6716] . . c:\winnt\$NtUninstallKB835732$\eventlog.dll

[-] 2003-06-19 19:05 . 5738D5804F61A1D30D86FA24DEE56E0C . 47888 . . [5.00.2195.6716] . . c:\winnt\ServicePackFiles\i386\eventlog.dll

[-] 2005-04-08 10:34 . 7645645BB506C26B96B8F31893378C4B . 973072 . . [5.00.2195.7038] . . c:\winnt\system32\sfcfiles.dll

[-] 2005-04-08 10:34 . 7645645BB506C26B96B8F31893378C4B . 973072 . . [5.00.2195.7038] . . c:\winnt\system32\dllcache\sfcfiles.dll

[-] 2004-03-24 02:17 . 33D82938C20BA61E4EDB6DA85829BF23 . 971536 . . [5.00.2195.6894] . . c:\winnt\$NtUpdateRollupPackUninstall$\sfcfiles.dll

[-] 2003-06-19 19:05 . A871E77694E9146B3C655A734B1ECF46 . 971024 . . [5.00.2195.6717] . . c:\winnt\$NtUninstallKB835732$\sfcfiles.dll

[-] 2003-06-19 19:05 . A871E77694E9146B3C655A734B1ECF46 . 971024 . . [5.00.2195.6717] . . c:\winnt\ServicePackFiles\i386\sfcfiles.dll

[-] 2003-06-19 19:05 . 9C2A16951FD6A21AEF1C29F213A564B2 . 120592 . . [5.00.2195.6658] . . c:\winnt\ServicePackFiles\i386\appmgmts.dll

[-] 2003-06-19 19:05 . 9C2A16951FD6A21AEF1C29F213A564B2 . 120592 . . [5.00.2195.6658] . . c:\winnt\system32\appmgmts.dll

[-] 2003-06-19 19:05 . 4B10B4DB777EE2EF8E755E7F3D7C4FE8 . 11536 . . [5.00.2195.6655] . . c:\winnt\ServicePackFiles\i386\acpiec.sys

[-] 2003-06-19 19:05 . 4B10B4DB777EE2EF8E755E7F3D7C4FE8 . 11536 . . [5.00.2195.6655] . . c:\winnt\system32\drivers\acpiec.sys

[-] 2003-06-19 19:05 . CDDB71A90077C93BEA5C72507F0B1394 . 21008 . . [5.00.2195.6655] . . c:\winnt\ServicePackFiles\i386\agp440.sys

[-] 2003-06-19 19:05 . CDDB71A90077C93BEA5C72507F0B1394 . 21008 . . [5.00.2195.6655] . . c:\winnt\system32\drivers\agp440.sys

[-] 2006-11-02 17:31 . 6CE82AC80967541ED3787B62B2242271 . 927504 . . [4.1.0.61] . . c:\winnt\system32\MFC40U.DLL

[-] 2006-11-02 17:31 . 6CE82AC80967541ED3787B62B2242271 . 927504 . . [4.1.0.61] . . c:\winnt\system32\dllcache\mfc40u.dll

[-] 2001-05-08 12:00 . CDDD1A27861C406D1B3906A2B2C60CE3 . 924432 . . [4.1.6140] . . c:\winnt\$NtUninstallKB924667$\mfc40u.dll

[-] 2005-04-08 11:54 . 4B6E4C650721D2A51B8F51B7E5787552 . 35600 . . [5.00.2195.6861] . . c:\winnt\system32\MSGSVC.DLL

[-] 2005-04-08 11:54 . 4B6E4C650721D2A51B8F51B7E5787552 . 35600 . . [5.00.2195.6861] . . c:\winnt\system32\dllcache\msgsvc.dll

[-] 2003-10-02 21:17 . B6C0EECE00ACE0379C0F75274E89E47F . 34064 . . [5.00.2195.6861] . . c:\winnt\$NtUpdateRollupPackUninstall$\msgsvc.dll

[-] 2003-06-19 19:05 . C470CF2972A6DF2214764DA2FE8B768F . 35600 . . [5.00.2195.6656] . . c:\winnt\$NtUninstallKB828035$\msgsvc.dll

[-] 2003-06-19 19:05 . C470CF2972A6DF2214764DA2FE8B768F . 35600 . . [5.00.2195.6656] . . c:\winnt\ServicePackFiles\i386\msgsvc.dll

[-] 2003-06-19 19:05 . 56D893A01269008C28FBF2D025B2FA78 . 401168 . . [5.00.2195.6655] . . c:\winnt\ServicePackFiles\i386\ntmssvc.dll

[-] 2003-06-19 19:05 . 56D893A01269008C28FBF2D025B2FA78 . 401168 . . [5.00.2195.6655] . . c:\winnt\system32\ntmssvc.dll

.

((((((((((((((((((((((((((((( SnapShot@2010-03-21_03.58.21 )))))))))))))))))))))))))))))))))))))))))

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-02-25 2012912]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-06 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LXCJCATS"="c:\winnt\system32\spool\DRIVERS\W32X86\3\LXCJtime.dll" [2005-09-08 73728]

"AtiPTA"="atiptaxx.exe" [2001-09-27 245760]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [2003-06-19 186640]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-07 17:49 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NavLogon]

[bU]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"Tray Pilot Lite"="c:\program files\Invention Pilot\Tray Pilot Lite\TrayPlt.exe"

R0 SONYPVM1;Sony Memory Stick Driver(SONYPVM1);c:\winnt\system32\drivers\SonyPVM1.sys [2/15/2010 2:40 PM 28224]

R1 aswSP;avast! Self Protection;c:\winnt\system32\drivers\aswSP.sys [7/9/2008 9:10 AM 114768]

R1 cdudf;cdudf;c:\winnt\system32\drivers\Cdudf.sys [9/4/2001 2:38 PM 238176]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [5/28/2008 9:33 AM 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/28/2008 9:33 AM 66632]

R2 aswFsBlk;aswFsBlk;c:\winnt\system32\drivers\aswFsBlk.sys [7/9/2008 9:10 AM 20560]

R2 aswMon;avast! Standard Shield Support;c:\winnt\system32\drivers\aswmon.sys [7/9/2008 9:10 AM 93424]

R2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe [5/16/2008 5:12 PM 102400]

R2 WMP300NSvc;WMP300NSvc;c:\program files\Linksys\WMP300N\WLService.exe [10/27/2009 1:34 PM 53307]

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/28/2008 9:33 AM 12872]

R3 usbhub20;USB 2.0 Root Hub Support;c:\winnt\system32\drivers\usbhub20.sys [10/17/2003 12:41 PM 49776]

.

Contents of the 'Scheduled Tasks' folder

2010-03-01 c:\winnt\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 23:42]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/advanced_search?hl=en&num=100

uInternet Settings,ProxyServer = http=90.0.0.25:4480;https=90.0.0.25:4480;ftp=90.0.0.25:4480;socks=90.0.0.25:1080

IE: freePat - c:\program files\freePat\freePat-script.html

IE: freePat Preview - c:\program files\freePat\freePatpreview-script.html

IE: Search Image on TinEye - file://c:\documents and settings\photon.MATT\My Documents\TinEye 1.0\TinEye.js

IE: {{4725A95C-0D36-4E3E-AC08-6657D522529C} - c:\program files\FreshDevices\FreshDownload\fd.exe

IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm

LSP: %SystemRoot%\system32\msafd.dll

DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\photon.MATT\Application Data\Mozilla\Firefox\Profiles\mu8t0x4j.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/advanced_search?&hl=en&lr=&num=100

FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-Synchronization Manager - mobsync.exe

SSODL-hepitahuk-{2860f68d-a40c-4c08-8c0f-3e9323310c27} - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-04-03 09:49

Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

LXCJCATS = rundll32 c:\winnt\system32\spool\DRIVERS\W32X86\3\LXCJtime.dll,_RunDLLEntry@16?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]

@DACL=(02 0000)

@=""

"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]

@DACL=(02 0000)

@=""

"Installed"="1"

"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]

@DACL=(02 0000)

@=""

"Installed"="1"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(196)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\winnt\system32\wzcdlg.dll

c:\winnt\system32\WZCSAPI.DLL

- - - - - - - > 'explorer.exe'(1284)

c:\winnt\system32\SHDOCVW.DLL

.

------------------------ Other Running Processes ------------------------

.

c:\winnt\System32\WLTRYSVC.EXE

c:\winnt\System32\bcmwltry.exe

c:\program files\Alwil Software\Avast4\aswUpdSv.exe

c:\program files\Alwil Software\Avast4\ashServ.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\winnt\system32\LxrJD31s.exe

c:\winnt\system32\regsvc.exe

c:\winnt\system32\MSTask.exe

c:\winnt\system32\stisvc.exe

c:\winnt\System32\WBEM\WinMgmt.exe

c:\program files\Linksys\WMP300N\WMP300N.exe

c:\program files\Alwil Software\Avast4\ashMaiSv.exe

c:\program files\Alwil Software\Avast4\ashWebSv.exe

c:\winnt\system32\atiptaxx.exe

.

**************************************************************************

.

Completion time: 2010-04-03 09:57:07 - machine was rebooted

ComboFix-quarantined-files.txt 2010-04-03 17:57

ComboFix2.txt 2010-03-31 15:07

ComboFix3.txt 2010-03-27 21:59

ComboFix4.txt 2010-03-21 04:05

Pre-Run: 24,509,796,352 bytes free

Post-Run: 24,495,173,632 bytes free

Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4

- - End Of File - - F4F24B96CC8F076B9BD835D4E8F980D0
