Cannot figure out what malware is causing problems

locknload68 · November 2, 2010

My computer has several problems. When I first log on I get an error saying that winlogon.exe had an application error. It says "The instruction at "0x00188f17" referenced memory at "0x00188f17". The memory could not be "read".

The only way i can keep from getting this error is to start in normal safe mode. Safe mode with networking causes it as well.

I can ignore the error and log on. After logging on I get random redirects with IE8, especially with security sites. My antivirus software seems to have disappeared. I cannot run MBAM unless in safe mode. Rkill does not find anything to stop. I ran McAfee Stinger in safe mode and it found a couple infections which it said it cleared. I also ran MBAM in safe mode and it cleared several infections.

I am out of ideas to try. This Malware doesn't give me any indication of what it is. Below is my Hijackthis log.

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 4:52:14 PM, on 11/2/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

C:\Program Files\Apoint\Apoint.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Dell\Media Experience\PCMService.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe

C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

C:\WINDOWS\mHotkey.exe

C:\Program Files\Common Files\AOL\1161703535\ee\AOLSoftware.exe

C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe

C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe

C:\Program Files\Track4Win Enterprise Monitor\STMonitor.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\palmOne\Hotsync.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\Dan.BOBB\Desktop\RootRepeal.exe

C:\WINDOWS\system32\msiexec.exe

C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [intelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [CHotkey] mHotkey.exe

O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1161703535\ee\AOLSoftware.exe

O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"

O4 - HKLM\..\Run: [iPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKLM\..\Run: [MailUsTraMon] C:\Program Files\Track4Win Enterprise Monitor\STMonitor.exe

O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup

O4 - HKCU\..\Run: [DellSupport-] "C:\Program Files\Dell Support\DSAgnt.exe" /startup

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1288715047921

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1288715037375

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = liteflex.local.com

O17 - HKLM\Software\..\Telephony: DomainName = liteflex.local.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = liteflex.local.com

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe

O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: WLANKEEPER - Intel

negster22 · November 2, 2010

Hi and Welcome to the Malwarebytes' Forum!!

Download DDS and save it to your desktop from here

Disable any antimalware and script blocking programs you may have installed (such as Norton script blocking), and then double-click dss.scr to run the tool.

When done, DDS will open two (2) logs:
- DDS.txt
- Attach.txt
[*]Save both reports to your desktop
[*]Please copy and paste dds.txt into your next reply.

Download Microsoft's Malicious Software Removal Tool (MSRT) to your desktop

Save and Rename it as You download it to iexplore.exe

Double-click iexplore.exe on your Desktop to run it

In the "Scan Type" window, select Full Scan

Perform a scan and the Click Finish when the scan is done.

Retrieve the MSRT log as follows, and post it in your next reply:

1) Click on Start => Run

2) Type or Copy/Paste the following command to the "Run Line" and Press Enter

notepad c:\windows\debug\mrt.log

====

Next, download this Antirootkit Program to a folder that you create such as C:\ARK.

Disable the active protection component of your antivirus by following the directions that apply here:

http://www.bleepingcomputer.com/forums/topic114351.html

Next, please perform a rootkit scan:

Double-click the randomly name EXE located in the C:\ARK folder that you just downloaded to run the program.
When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.
After the automatic "quick" scan is finished (a few seconds), save the scan log to the Windows clipboard
Open Notepad or a similar text editor
Paste the clipboard contents into a text file by clicking Edit | Paste or Ctl V
Exit the Program
Save the Scan log as ARK.txt and post it in your next reply.
Re-enable your antivirus and any antimalware programs you disabled before running the scan

Please copy/paste DDS.txt and ARK.txt (do NOT attach) into your next reply.

Please attach the MSRT log and attach .txt!

Thank You!!

locknload68 · November 2, 2010

Hi, I could not get the Microsoft tool to run. I named it iexplore.exe during the download and it starts to load but then gets closed. I watched it appear and dissappear in taskmgr. Below is the DDS log followed by the rootkit log.

DDS (Ver_10-11-01.01) - NTFSx86

Run by Dan at 18:22:37.21 on Tue 11/02/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.488 [GMT -4:00]

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

svchost.exe

C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe

C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe

C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

C:\Program Files\Apoint\Apoint.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Dell\Media Experience\PCMService.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\WINDOWS\mHotkey.exe

C:\Program Files\Common Files\AOL\1161703535\ee\AOLSoftware.exe

C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Track4Win Enterprise Monitor\STMonitor.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\Program Files\palmOne\Hotsync.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Apoint\Apntex.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Dan.BOBB\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.dell4me.com/mywaybiz

uDefault_Page_URL = hxxp://www.dell4me.com/mywaybiz

uSearch Bar = hxxp://bfc.myway.com/search/de_srchlft.html

mSearchAssistant = hxxp://www.google.com/ie

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll

uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup

uRun: [DellSupport-] "c:\program files\dell support\DSAgnt.exe" /startup

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [sunJavaUpdateSched] c:\program files\java\j2re1.4.2_03\bin\jusched.exe

mRun: [Apoint] c:\program files\apoint\Apoint.exe

mRun: [intelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless

mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe

mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"

mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe

mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [CHotkey] mHotkey.exe

mRun: [HostManager] c:\program files\common files\aol\1161703535\ee\AOLSoftware.exe

mRun: [AOLDialer] c:\program files\common files\aol\acs\AOLDial.exe

mRun: [AOL Spyware Protection] "c:\progra~1\common~1\aol\aolspy~1\AOLSP Scheduler.exe"

mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [DiskeeperSystray] "c:\program files\diskeeper corporation\diskeeper\DkIcon.exe"

mRun: [iPHSend] c:\program files\common files\aol\iphsend\IPHSend.exe

mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

mRun: [MailUsTraMon] c:\program files\track4win enterprise monitor\STMonitor.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palmone\Hotsync.exe

mPolicies-system: EnableLUA = 0 (0x0)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000

IE: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_04\bin\npjpi150_04.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1288715047921

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1288715037375

Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\pkmcdo.dll

Notify: AtiExtEvent - Ati2evxx.dll

Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll

============= SERVICES / DRIVERS ===============

S3 ADM851X;ADM851X USB To Fast Ethernet Adapter;c:\windows\system32\drivers\ADM851X.sys [2005-11-22 22144]

=============== Created Last 30 ================

2010-11-02 21:11:33 -------- d-----w- c:\docume~1\dan~1.bob\applic~1\Office Genuine Advantage

2010-11-02 20:51:47 388096 ----a-r- c:\docume~1\dan~1.bob\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe

2010-11-02 20:51:45 -------- d-----w- c:\program files\Trend Micro

2010-11-02 18:32:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-11-02 18:32:44 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-11-02 16:55:44 974848 ------w- c:\windows\system32\dllcache\mfc42.dll

2010-11-02 16:55:44 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll

2010-11-02 16:54:31 617472 ------w- c:\windows\system32\dllcache\comctl32.dll

2010-11-02 16:54:19 471552 ------w- c:\windows\system32\dllcache\aclayers.dll

2010-11-02 16:53:33 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe

2010-11-02 16:51:35 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll

2010-11-02 16:48:24 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe

2010-11-02 16:24:59 15064 ----a-w- c:\windows\system32\wuapi.dll.mui

2010-11-02 16:20:19 -------- d-----w- c:\docume~1\dan~1.bob\locals~1\applic~1\AOL

2010-11-02 16:20:16 -------- d-----w- c:\docume~1\dan~1.bob\applic~1\AOL

2010-11-02 14:37:43 -------- d-----w- c:\docume~1\dan~1.bob\applic~1\Malwarebytes

2010-11-02 14:33:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-11-02 14:33:41 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-11-02 14:12:20 -------- d-sh--w- c:\documents and settings\dan.bobb\IECompatCache

2010-11-02 14:11:05 -------- d-sh--w- c:\documents and settings\dan.bobb\PrivacIE

2010-11-01 22:35:23 -------- d-sh--w- c:\documents and settings\dan.bobb\IETldCache

2010-11-01 22:24:40 -------- d-----w- c:\windows\system32\wbem\repository\FS

2010-11-01 22:24:40 -------- d-----w- c:\windows\system32\wbem\Repository

==================== Find3M ====================

2010-09-18 16:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll

2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll

2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll

2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll

2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll

2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl

2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll

2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys

2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll

2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll

2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll

2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe

2010-08-16 08:45:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.1 by Gmer, http://www.gmer.net

Windows 5.1.2600 Disk: HTS726060M9AT00 rev.MH4OA6EA -> \Device\Ide\IdePort0

device: opened successfully

user: MBR read successfully

called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86A9DEC5]<<

_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x86344872; SUB DWORD [EBP-0x4], 0x8634412e; PUSH EDI; CALL 0xffffffffffffdf33; }

1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x87785AB8]

3 CLASSPNP[0xF786EFD7] -> nt!IofCallDriver[0x804E37D5] -> [0x87506930]

[0x86974CA8] -> IRP_MJ_CREATE -> 0x86A9DEC5

kernel: MBR read successfully

_asm { CLI ; MOV AX, 0x0; MOV SS, AX; MOV SP, 0x7c00; STI ; MOV DS, AX; CLD ; MOV CX, 0x80; MOV SI, SP; MOV DI, 0x600; MOV ES, AX; REP MOVSD ; JMP FAR 0x0:0x62f; }

detected hooks:

\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskHTS726060M9AT00_________________________MH4OA6EA#5&17ce0675&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

\Driver\atapi DriverStartIo -> 0x86A9DAEA

user & kernel MBR OK

sectors 117210238 (+255): user != kernel

Warning: possible TDL3 rootkit infection !

Filesystem trace:

called modules: ntoskrnl.exe hal.dll fltmgr.sys Ntfs.sys

1 nt!IofCallDriver[0x804E37D5] -> [0x8772C250]

3 fltmgr[0xF77435C8] -> nt!IofCallDriver[0x804E37D5] -> [0x8778F020]

5 nt[0x80567F6C] -> nt!IofCallDriver[0x804E37D5] -> [0x8772C250]

7 fltmgr[0xF7736FB5] -> nt!IofCallDriver[0x804E37D5] -> [0x8778F020]

Registry trace:

called modules: ntoskrnl.exe hal.dll

============= FINISH: 18:26:19.48 ===============

GMER 1.0.15.15477 - http://www.gmer.net

Rootkit quick scan 2010-11-02 18:31:52

Windows 5.1.2600 Service Pack 3

Running: bgz253nd.exe; Driver: C:\DOCUME~1\DAN~1.BOB\LOCALS~1\Temp\pxtdqpoc.sys

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sectors 117209984 (+254): rootkit-like behavior;

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 86A9DAEA

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 86A9DAEA

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-e 86A9DAEA

Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskHTS726060M9AT00_________________________MH4OA6EA#5&17ce0675&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Processes - GMER 1.0.15 ----

Process C:\Program Files\Track4Win Enterprise Monitor\STMonitor.exe (*** hidden *** ) 2244

---- EOF - GMER 1.0.15 ----

negster22 · November 2, 2010

The Master Boot Record of your hard drive is infected with the Alureon Bootkit trojan and it is self-protecting malware, so programs that can detect and remove it are blocked.

You can read more about it here:

http://secure-computer-solutions.com/blog/

Download a mbr.exe and save it to your C:\ (your root directory)

Open a command prompt (click Start -> Run, type cmd, and hit Enter)

Now I want you to make a copy of your MBR by executing (copy/pasting) the following command at the Command Prompt:

C:\mbr.exe -c 0 1 MBR_copy.bin

Hit Enter

Please verify that the file MBR_copy.bin with a size of 512 bytes exists in C:

Please zip that file up.

Then upload it for analysis as follows:

Go to the upload page here

http://www.bleepingcomputer.com/submit-mal....php?channel=75

Click Browse to this file

Find this file:

C:\MBR_copy.zip

Select the file, then click Open

Click Send File

If You have trouble zipping it then just upload:

MBR_copy.bin

Delete the iexplore.exe (MRST tool)on your desktop that I asked You to download in my previous reply.

Please Run ComboFix by following the steps provided in exactly this sequence:

Here is a tutorial that describes how to download, install and run Combofix. Please thoroughly review it beofre proceeding:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Very Important! Before downloading Combofix, temporarily disable your antivirus and antimalware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix and even remove onboard components so it is rendered ineffective:

http://www.bleepingcomputer.com/forums/topic114351.html

Note: The above tutorial does not tell you to rename Combofix as I am about to instruct you to do in the following instructions, so make sure you complete the renaming step before launching Combofix.

Using ComboFix ->

Please download Combofix from one of these locations:

HERE or HERE

I want you to rename Combofix.exe as you download it to iexplore.exe

Notes:

It is very important that save the newly renamed EXE file to your desktop.
You must rename Combofixe.exe as you download it and not after it is on your computer.
You may have to modify your browser settings if you use Firefox, so you can rename Combofix.exe as you download it. To do that:
- Open Firefox
- Click Tools -> Options -> Main
- Under the downloads section check the button that says "Always ask me where to save files".
- Click OK
[*]For Internet Explorer:
- Choose to save, not open the file
- When prompted - save the file to your desktop, and rename it iexplore.exe

Running Combofix

In the event you already have Combofix, please delete it as this is a new version.

Close any open browsers.
Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
When Combofix prompts to install the Recovery Console, please allow it to do so, if you're running Win XP.

1. To Launch Combofix

Click Start --> Run, and enter this command exactly as shown:

"%userprofile%\desktop\iexplore.exe" /killall

2. When finished, it will produce a logfile located at C:\ComboFix.txt

3. Post the contents of that log in your next reply.

Note: Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.

Please post C:\ComboFix.txt in your next reply.

Do you have your XP CD available?

locknload68 · November 3, 2010

I successfully copied the MBR and uploaded it. I followed your instructions and downloaded combofix. I ran into a problem after I put the command in run. The combofix loading "progress bar" filled up then an error came up saying that there was an application error with SVChost and the memory could not be read. Then it said OK to terminate or cancel to debug. I was going to ignore it and see if combo fix would run but I blue screen appeared. It says:

"STOP: c000021a {Fatal System Error}

The Windows Logon Process system process terminated unexpectedly with a status of 0xc0000005 (0x00000000 0x00000000).

The system has been shut down."

Should I try running combofix again after restarting or maybe in safe mode?

Also, yes I do have access to the windows XP disk.

Thank you for your help so far.

negster22 · November 3, 2010

You're welcome!

Try running Combofix in safe mode, and then post back Combofix.txt if works.

Also, try this program which is able to detect and repair the MBR:

Please also download MBRCheck to your root directory - C:\

http://download.bleepingcomputer.com/rootrepeal/MBRCheck.exe

Double click MBRCheck.exe to run it (Vista and Win 7 users should right-click and select Run as Administrator)
It will show a Black screen with some data on it
a report called MBRcheck will be on your desktop
Open this report
Right click on the screen and select > Select All
Press Control+C
Now please paste that report in your next reply

Thank You!

locknload68 · November 3, 2010

I was able to successfully run combofix in safe mode. There was a explorer.exe memory could not be read error while it was running but I just ignored it and combofix continued. The problem is that combofix rebooted the computer. When it did that I didn't realize it was going to continue running when windows came back up. After combofix started running I got the same error with Winlogon.exe that I had in my previous post. This caused a BSOD and stopped combofix from finishing. I don't want to try running combofix again unless you say it's ok. If I do it again from safe mode I will make sure it goes back to safe mode if it reboots.

I did run the MBRCheck and here is the log file.

Thanks.

MBRCheck, version 1.2.3

Command-line:

Windows Version: Windows XP Professional

Windows Information: Service Pack 3 (build 2600)

Logical Drives Mask: 0x0000000c

Kernel Drivers (total 123):

0x804D7000 \WINDOWS\system32\ntoskrnl.exe

0x806EE000 \WINDOWS\system32\hal.dll

0xF7D2E000 \WINDOWS\system32\KDCOM.DLL

0xF7C3E000 \WINDOWS\system32\BOOTVID.dll

0xF77DF000 ACPI.sys

0xF7D30000 \WINDOWS\system32\DRIVERS\WMILIB.SYS

0xF77CE000 pci.sys

0xF782E000 isapnp.sys

0xF7C42000 compbatt.sys

0xF7C46000 \WINDOWS\system32\DRIVERS\BATTC.SYS

0xF7DF6000 pciide.sys

0xF7AAE000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS

0xF7D32000 intelide.sys

0xF77B0000 pcmcia.sys

0xF783E000 MountMgr.sys

0xF7791000 ftdisk.sys

0xF776B000 dmio.sys

0xF7AB6000 PartMgr.sys

0xF784E000 VolSnap.sys

0xF7753000 atapi.sys

0xF785E000 disk.sys

0xF786E000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS

0xF7733000 fltmgr.sys

0xF7721000 sr.sys

0xF7ABE000 PxHelp20.sys

0xF770A000 KSecDD.sys

0xF767D000 Ntfs.sys

0xF7650000 NDIS.sys

0xF787E000 ohci1394.sys

0xF788E000 \WINDOWS\system32\DRIVERS\1394BUS.SYS

0xF7636000 Mup.sys

0xF7A1E000 \SystemRoot\system32\DRIVERS\intelppm.sys

0xF7CDE000 \SystemRoot\system32\DRIVERS\CmBatt.sys

0xF74FE000 \SystemRoot\system32\DRIVERS\ati2mtag.sys

0xF74EA000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS

0xF7B6E000 \SystemRoot\system32\DRIVERS\usbuhci.sys

0xF74C6000 \SystemRoot\system32\DRIVERS\USBPORT.SYS

0xF7B76000 \SystemRoot\system32\DRIVERS\usbehci.sys

0xF7A2E000 \SystemRoot\system32\DRIVERS\bcm4sbxp.sys

0xF74B2000 \SystemRoot\system32\DRIVERS\sdbus.sys

0xF7191000 \SystemRoot\system32\DRIVERS\w29n51.sys

0xF714E000 \SystemRoot\system32\drivers\STAC97.sys

0xF712A000 \SystemRoot\system32\drivers\portcls.sys

0xF7A3E000 \SystemRoot\system32\drivers\drmk.sys

0xF7107000 \SystemRoot\system32\drivers\ks.sys

0xF70D4000 \SystemRoot\system32\DRIVERS\HSFHWICH.sys

0xF6FD7000 \SystemRoot\system32\DRIVERS\HSF_DPV.SYS

0xF6F2A000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys

0xF7B7E000 \SystemRoot\System32\Drivers\Modem.SYS

0xF7A4E000 \SystemRoot\system32\DRIVERS\i8042prt.sys

0xF6F10000 \SystemRoot\system32\DRIVERS\Apfiltr.sys

0xF7B86000 \SystemRoot\system32\DRIVERS\mouclass.sys

0xF7B8E000 \SystemRoot\system32\DRIVERS\kbdclass.sys

0xF7A5E000 \SystemRoot\system32\DRIVERS\imapi.sys

0xF7A6E000 \SystemRoot\system32\DRIVERS\cdrom.sys

0xF7A7E000 \SystemRoot\system32\DRIVERS\redbook.sys

0xF6ED3000 \SystemRoot\system32\DRIVERS\iwca.sys

0xF7F09000 \SystemRoot\system32\DRIVERS\audstub.sys

0xF7A8E000 \SystemRoot\system32\DRIVERS\rasl2tp.sys

0xF7CEA000 \SystemRoot\system32\DRIVERS\ndistapi.sys

0xF6EBC000 \SystemRoot\system32\DRIVERS\ndiswan.sys

0xF7A9E000 \SystemRoot\system32\DRIVERS\raspppoe.sys

0xF78AE000 \SystemRoot\system32\DRIVERS\raspptp.sys

0xF7B96000 \SystemRoot\system32\DRIVERS\TDI.SYS

0xF6EAB000 \SystemRoot\system32\DRIVERS\psched.sys

0xF78BE000 \SystemRoot\system32\DRIVERS\msgpc.sys

0xF7B9E000 \SystemRoot\system32\DRIVERS\ptilink.sys

0xF7BA6000 \SystemRoot\system32\DRIVERS\raspti.sys

0xF7BAE000 \SystemRoot\system32\DRIVERS\wanatw4.sys

0xF6E0E000 \SystemRoot\system32\DRIVERS\rdpdr.sys

0xF78CE000 \SystemRoot\system32\DRIVERS\termdd.sys

0xF7D60000 \SystemRoot\system32\DRIVERS\swenum.sys

0xF6DB0000 \SystemRoot\system32\DRIVERS\update.sys

0xF7D06000 \SystemRoot\system32\DRIVERS\mssmbios.sys

0xF7BB6000 \SystemRoot\system32\DRIVERS\omci.sys

0xF78EE000 \SystemRoot\System32\Drivers\NDProxy.SYS

0xF793E000 \SystemRoot\system32\DRIVERS\usbhub.sys

0xF7D66000 \SystemRoot\system32\DRIVERS\USBD.SYS

0xF75E5000 \SystemRoot\System32\Drivers\i2omgmt.SYS

0xF7D6E000 \SystemRoot\System32\Drivers\Fs_Rec.SYS

0xF7EE1000 \SystemRoot\System32\Drivers\Null.SYS

0xF7D70000 \SystemRoot\System32\Drivers\Beep.SYS

0xF7BD6000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS

0xF7BDE000 \SystemRoot\System32\drivers\vga.sys

0xF7D72000 \SystemRoot\System32\Drivers\mnmdd.SYS

0xF7D74000 \SystemRoot\System32\DRIVERS\RDPCDD.sys

0xF7BE6000 \SystemRoot\System32\Drivers\Msfs.SYS

0xF7BEE000 \SystemRoot\System32\Drivers\Npfs.SYS

0xF75DD000 \SystemRoot\system32\DRIVERS\rasacd.sys

0xF2A5C000 \SystemRoot\system32\DRIVERS\ipsec.sys

0xF29E1000 \SystemRoot\system32\DRIVERS\tcpip.sys

0xF29B9000 \SystemRoot\system32\DRIVERS\netbt.sys

0xF7CCE000 \SystemRoot\System32\drivers\ws2ifsl.sys

0xF2997000 \SystemRoot\System32\drivers\afd.sys

0xF794E000 \SystemRoot\system32\DRIVERS\netbios.sys

0xF296C000 \SystemRoot\system32\DRIVERS\rdbss.sys

0xF28FC000 \SystemRoot\system32\DRIVERS\mrxsmb.sys

0xF796E000 \SystemRoot\System32\Drivers\Fips.SYS

0xF2491000 \SystemRoot\system32\DRIVERS\ipnat.sys

0xF79AE000 \SystemRoot\system32\DRIVERS\wanarp.sys

0xF6CE8000 \SystemRoot\SYSTEM32\DRIVERS\APPDRV.SYS

0xF6D20000 \SystemRoot\System32\Drivers\Cdfs.SYS

0xBF800000 \SystemRoot\System32\win32k.sys

0xF2AAB000 \SystemRoot\System32\drivers\Dxapi.sys

0xF7B16000 \SystemRoot\System32\watchdog.sys

0xBF000000 \SystemRoot\System32\drivers\dxg.sys

0xF7EE5000 \SystemRoot\System32\drivers\dxgthk.sys

0xBF012000 \SystemRoot\System32\ati2dvag.dll

0xBF04C000 \SystemRoot\System32\ati2cqag.dll

0xBF088000 \SystemRoot\System32\ati3duag.dll

0xBF2AF000 \SystemRoot\System32\ativvaxx.dll

0xF0FE9000 \SystemRoot\system32\DRIVERS\AegisP.sys

0xF0FE5000 \SystemRoot\system32\DRIVERS\s24trans.sys

0xF0FA9000 \SystemRoot\system32\DRIVERS\ndisuio.sys

0xF0BC0000 \SystemRoot\system32\drivers\wdmaud.sys

0xF0C9D000 \SystemRoot\system32\drivers\sysaudio.sys

0xF0895000 \SystemRoot\system32\DRIVERS\mrxdav.sys

0xF7DA0000 \SystemRoot\System32\Drivers\ASCTRM.SYS

0xF086D000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys

0xF051D000 \SystemRoot\system32\DRIVERS\srv.sys

0xEFF14000 \SystemRoot\System32\Drivers\HTTP.sys

0xEFBC9000 \SystemRoot\system32\drivers\kmixer.sys

0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 58):

0 System Idle Process

4 System

912 C:\WINDOWS\system32\smss.exe

960 csrss.exe

984 C:\WINDOWS\system32\winlogon.exe

1032 C:\WINDOWS\system32\services.exe

1044 C:\WINDOWS\system32\lsass.exe

1212 C:\WINDOWS\system32\ati2evxx.exe

1228 C:\WINDOWS\system32\svchost.exe

1308 svchost.exe

1384 C:\WINDOWS\system32\svchost.exe

1504 C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

1588 C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

1648 C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe

1688 svchost.exe

1804 svchost.exe

1996 C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe

156 C:\WINDOWS\system32\ati2evxx.exe

396 C:\WINDOWS\explorer.exe

592 C:\WINDOWS\system32\spoolsv.exe

884 C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe

1704 C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

1732 C:\Program Files\Apoint\Apoint.exe

1744 C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe

1752 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

1764 C:\Program Files\Dell\Media Experience\PCMService.exe

1772 C:\Program Files\Dell\QuickSet\quickset.exe

1780 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

1820 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

1868 C:\WINDOWS\mHotkey.exe

1924 C:\Program Files\Common Files\AOL\1161703535\EE\aolsoftware.exe

1964 C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

2024 C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

184 C:\Program Files\Real\RealPlayer\realplay.exe

248 C:\Program Files\QuickTime\qttask.exe

328 svchost.exe

388 C:\Program Files\Track4Win Enterprise Monitor\STMonitor.exe

724 C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe

948 C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe

1360 C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe

240 aoltpspd.exe

1724 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

816 C:\Program Files\Apoint\ApntEx.exe

1180 C:\Program Files\Dell\NicConfigSvc\NicConfigSvc.exe

1628 C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

2080 C:\Program Files\palmOne\Hotsync.exe

2584 C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

2676 C:\WINDOWS\system32\svchost.exe

2768 wdfmgr.exe

3020 wmiprvse.exe

3324 C:\WINDOWS\system32\wuauclt.exe

3248 alg.exe

3824 C:\WINDOWS\system32\svchost.exe

3768 C:\Program Files\Internet Explorer\iexplore.exe

1944 C:\WINDOWS\system32\ctfmon.exe

1600 C:\Program Files\Internet Explorer\iexplore.exe

1540 C:\Program Files\Internet Explorer\iexplore.exe

384 C:\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`036e8e00 (NTFS)

PhysicalDrive0 Model Number: HTS726060M9AT00, Rev: MH4OA6EA

Size Device Name MBR Status

--------------------------------------------

55 GB \\.\PhysicalDrive0 Unknown MBR code

SHA1: 79BCE648F143823706869D592F56B05B3E4D6E83

Found non-standard or infected MBR.

Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!

negster22 · November 3, 2010

We have to perform a more in depth anti-rootkit scan now:

Double-click the randomly name EXE located in the C:\ARK folder that you previously downloaded to run the program.
When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.
When the "Quick scan" is done, a few seconds, if you're notified of "Rootkit Activity and asked to perform a Full Scan say "No" so we can configure the scan options first.
In the right pane, UNCHECK the following options:
- IAT/EAT
- Drives/Partition other than Systemdrive, which is typically C:\
- Show All (This is important, so do not miss it.)
[*]Once, configured according to the above, select the Scan button.
[*]Leave your system completely idle while this longer scan is in progress.
[*]When the scan is done, save the scan log to the Windows clipboard
[*]Open Notepad or a similar text editor
[*]Paste the clipboard contents into a text file by clicking Edit | Paste or Ctl V
[*]Exit the Program
[*]Save the Scan log as ARKFullScan.txt and post it in your next reply. If the log is very long attach it please.

locknload68 · November 4, 2010

I've tried twice to run the deeper anti-rootkit scan. The first time was with Windows in normal startup. ARK got hung up on Winlogon.exe after leaving it run for over three hours. It didn't freeze. I could click stop and it seemed to stop trying to scan. When I tried to have it scan again it just showed an hourglass. I then tried to run it in safe mode. This time it got hung up on C:\Windows\system32\hal.dll. Again I was able to stop it but when I clicked scan again it just gives an hourglass.

negster22 · November 4, 2010

Sorry about that.

Reboot

Wait for about 5 minutes.

Make sure ALL windows and browsers are closed, and real-time protection is disabled.

Now, we'll do a more limited ARK scan in Normal Mode, which should show what I'm looking for:

Double-click the randomly name EXE located in the C:\ARK folder that you previously downloaded to run the program.
When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.
When the "Quick scan" is done, a few seconds, if you're notified of "Rootkit Activity and asked to perform a Full Scan say "No" so we can configure the scan options first.
In the right pane,CHECK these items ONLY:
- Sections
- Devices
- Modules
- Libraries
- Services
- Registry
- Your primary drive (C:\)
[*]Verify that "Show All" is UNCHECKED
[*]Once, configured according to the above, select the Scan button.
[*]Leave your system completely idle while this longer scan is in progress(about 10 minutes).
[*]When the scan is done, save the scan log to the Windows clipboard
[*]Open Notepad or a similar text editor
[*]Paste the clipboard contents into a text file by clicking Edit | Paste or Ctl V
[*]Save the file as "ARKSections.TXT"
[*]Exit the Program

Re-enable Active Protection

Please post ARKSections.TXT

locknload68 · November 4, 2010

ARK is still hanging when I try to scan and the PC's functions seem to be getting worse. I booted Windows normally and when I tried to open My Computer it froze so I restarted in safe mode and ran ARK using the settings you gave me.

It is currently hung on "Sections: C:\Windows\system32\winlogon.exe[240] C:\Windows\system32\SHLWAPI.dll"

The program isn't forzen. I can click to close it and it asks if I want to abort the scan.

I am starting to think it will be faster and easier to format and reinstall. Will that get rid of this though since it is in the MBR?

negster22 · November 4, 2010

No, please don't reformat yet. There are a few "standard" options that we can use to defeat this infection first. I think you have a TDL3 infection with an infected disk drive controller driver (SYS file). This program we're going to run next is able to detect and disinfect that.

Some background information on what we're planning to do next can be found HERE

Please read carefully and follow these steps.

Download TDSSKiller and save it to your Desktop.
Extract its contents to your desktop.
Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
If an infected file is detected, the default action will be Cure, click on Continue.
If a suspicious file is detected, the default action will be Skip, do NOT change this action Leave it on Skip and click on Continue.
However, there is one "Skip" exception: If a suspicious file is detected,and the name is vb*.sys (where the * stands for random numbers or letters the default action will be Skip, Change skip to delete instead.
It may ask you to reboot the computer to complete the process. Click on Reboot Now.
If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

____________________

Note:The following directions assume that Combofix.exe is located on your desktop and renamed iexplore.exe

If TDSSKiller was unsuccessful, let's run Combofix in Safe Mode using the /safeboot option as follows

Boot into safe mode using the /safeboot option:

Click on Start -> Run. Type "msconfig" and press Enter
Click on the Boot.ini tab
Reboot and your computer will automatically start in Safe Mode

We'll reverse this process to get it to boot back to Normal Mode, after Combofix is run in safe mode. This will enable Combofix to continue it's run in Safe Mode upon reboot, so it can complete disinfection and produce a log.

Once in Safe Mode:

1. Launch Combofix

Click Start --> Run, and enter this command exactly as shown:

"%userprofile%\desktop\iexplore.exe" /killall

2. When finished, it will produce a logfile located at C:\ComboFix.txt

3. Post the contents of that log in your next reply.

Note: Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.

Please post C:\ComboFix.txt in your next reply.

To reset your computer to boot into normal windows mode again:

Launch MSCONFIG and UNCHECK the /SAFEMODE box under Boot Options so that the computer will boot into normal Windows mode the next time you start it up.

locknload68 · November 4, 2010

I may be speaking too soon, but I think TDSSKiller got it. So far I haven't gotten the error with winlogon.exe and security sites aren't redirecting anymore. I was worried because the computer hung up when trying to restart but it looks like it worked.

Here is the TDSSKiller log file:

2010/11/04 12:19:22.0296 TDSS rootkit removing tool 2.4.6.0 Nov 3 2010 10:11:43

2010/11/04 12:19:22.0296 ================================================================================

2010/11/04 12:19:22.0296 SystemInfo:

2010/11/04 12:19:22.0296

2010/11/04 12:19:22.0296 OS Version: 5.1.2600 ServicePack: 3.0

2010/11/04 12:19:22.0296 Product type: Workstation

2010/11/04 12:19:22.0296 ComputerName: BOBB

2010/11/04 12:19:22.0296 UserName: Dan

2010/11/04 12:19:22.0296 Windows directory: C:\WINDOWS

2010/11/04 12:19:22.0296 System windows directory: C:\WINDOWS

2010/11/04 12:19:22.0296 Processor architecture: Intel x86

2010/11/04 12:19:22.0296 Number of processors: 1

2010/11/04 12:19:22.0296 Page size: 0x1000

2010/11/04 12:19:22.0296 Boot type: Normal boot

2010/11/04 12:19:22.0296 ================================================================================

2010/11/04 12:19:24.0203 Initialize success

2010/11/04 12:19:30.0109 ================================================================================

2010/11/04 12:19:30.0109 Scan started

2010/11/04 12:19:30.0109 Mode: Manual;

2010/11/04 12:19:30.0109 ================================================================================

2010/11/04 12:19:31.0984 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS

2010/11/04 12:19:32.0062 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys

2010/11/04 12:19:32.0125 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

2010/11/04 12:19:32.0203 ADM851X (18b9e3affff9a3e65c4bce114fca297c) C:\WINDOWS\system32\DRIVERS\ADM851X.SYS

2010/11/04 12:19:32.0250 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys

2010/11/04 12:19:32.0312 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

2010/11/04 12:19:32.0390 AegisP (076394a345ee5e9e3911fc0f058f4f38) C:\WINDOWS\system32\DRIVERS\AegisP.sys

2010/11/04 12:19:32.0453 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys

2010/11/04 12:19:32.0656 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys

2010/11/04 12:19:32.0687 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys

2010/11/04 12:19:32.0734 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys

2010/11/04 12:19:32.0781 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys

2010/11/04 12:19:32.0843 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys

2010/11/04 12:19:32.0906 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys

2010/11/04 12:19:32.0968 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys

2010/11/04 12:19:33.0000 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys

2010/11/04 12:19:33.0062 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys

2010/11/04 12:19:33.0156 ApfiltrService (aeb775a2bae0f392ba6adc0bb706233a) C:\WINDOWS\system32\DRIVERS\Apfiltr.sys

2010/11/04 12:19:33.0281 APPDRV (ec94e05b76d033b74394e7b2175103cf) C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS

2010/11/04 12:19:33.0421 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys

2010/11/04 12:19:33.0468 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys

2010/11/04 12:19:33.0531 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys

2010/11/04 12:19:33.0593 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys

2010/11/04 12:19:33.0656 ASCTRM (d880831279ed91f9a4190a2db9539ea9) C:\WINDOWS\system32\drivers\ASCTRM.sys

2010/11/04 12:19:33.0734 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

2010/11/04 12:19:33.0781 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys

2010/11/04 12:19:33.0921 ati2mtag (5b75176663f88e90f14a87e57b8562a4) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys

2010/11/04 12:19:34.0125 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

2010/11/04 12:19:34.0203 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

2010/11/04 12:19:34.0250 bcm4sbxp (78123f44be9e4768852a3a017e02d637) C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys

2010/11/04 12:19:34.0312 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

2010/11/04 12:19:34.0421 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys

2010/11/04 12:19:34.0453 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

2010/11/04 12:19:34.0484 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys

2010/11/04 12:19:34.0546 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

2010/11/04 12:19:34.0609 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys

2010/11/04 12:19:34.0656 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys

2010/11/04 12:19:34.0765 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys

2010/11/04 12:19:34.0812 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys

2010/11/04 12:19:34.0875 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys

2010/11/04 12:19:34.0937 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys

2010/11/04 12:19:35.0125 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys

2010/11/04 12:19:35.0156 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys

2010/11/04 12:19:35.0234 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys

2010/11/04 12:19:35.0328 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys

2010/11/04 12:19:35.0421 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys

2010/11/04 12:19:35.0578 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

2010/11/04 12:19:35.0640 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys

2010/11/04 12:19:35.0718 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys

2010/11/04 12:19:35.0765 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys

2010/11/04 12:19:35.0843 E100B (3fca03cbca11269f973b70fa483c88ef) C:\WINDOWS\system32\DRIVERS\e100b325.sys

2010/11/04 12:19:35.0968 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

2010/11/04 12:19:36.0031 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys

2010/11/04 12:19:36.0093 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys

2010/11/04 12:19:36.0140 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys

2010/11/04 12:19:36.0171 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys

2010/11/04 12:19:36.0218 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

2010/11/04 12:19:36.0312 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

2010/11/04 12:19:36.0359 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

2010/11/04 12:19:36.0703 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys

2010/11/04 12:19:37.0109 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys

2010/11/04 12:19:37.0171 HPZid412 (5faba4775d4c61e55ec669d643ffc71f) C:\WINDOWS\system32\DRIVERS\HPZid412.sys

2010/11/04 12:19:37.0218 HPZipr12 (a3c43980ee1f1beac778b44ea65dbdd4) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys

2010/11/04 12:19:37.0250 HPZius12 (2906949bd4e206f2bb0dd1896ce9f66f) C:\WINDOWS\system32\DRIVERS\HPZius12.sys

2010/11/04 12:19:37.0328 HSFHWICH (d1eecce82eaea46125e1ecbba10226ae) C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys

2010/11/04 12:19:37.0453 HSF_DP (b2dfc168d6f7512faea085253c5a37ad) C:\WINDOWS\system32\DRIVERS\HSF_DP.sys

2010/11/04 12:19:38.0015 HSF_DPV (cbf6831420a97e8fbb91e5f52b707ef7) C:\WINDOWS\system32\DRIVERS\HSF_DPV.SYS

2010/11/04 12:19:38.0281 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys

2010/11/04 12:19:38.0562 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys

2010/11/04 12:19:38.0609 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys

2010/11/04 12:19:38.0656 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

2010/11/04 12:19:38.0703 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys

2010/11/04 12:19:38.0781 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys

2010/11/04 12:19:38.0843 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys

2010/11/04 12:19:38.0937 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys

2010/11/04 12:19:39.0000 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys

2010/11/04 12:19:39.0046 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

2010/11/04 12:19:39.0093 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

2010/11/04 12:19:39.0312 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

2010/11/04 12:19:39.0359 IPSec (ff315d094ed74b086e205d70136ce460) C:\WINDOWS\system32\DRIVERS\ipsec.sys

2010/11/04 12:19:39.0359 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\ipsec.sys. Real md5: ff315d094ed74b086e205d70136ce460, Fake md5: 23c74d75e36e7158768dd63d92789a91

2010/11/04 12:19:39.0375 IPSec - detected Rootkit.Win32.TDSS.tdl3 (0)

2010/11/04 12:19:39.0406 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

2010/11/04 12:19:39.0468 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys

2010/11/04 12:19:39.0546 IWCA (872d090ca5c306f62d1982bce6302376) C:\WINDOWS\system32\DRIVERS\iwca.sys

2010/11/04 12:19:39.0609 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

2010/11/04 12:19:39.0656 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys

2010/11/04 12:19:39.0703 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

2010/11/04 12:19:39.0812 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys

2010/11/04 12:19:39.0984 mdmxsdk (3c318b9cd391371bed62126581ee9961) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys

2010/11/04 12:19:40.0078 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

2010/11/04 12:19:40.0140 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys

2010/11/04 12:19:40.0187 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys

2010/11/04 12:19:40.0234 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

2010/11/04 12:19:40.0281 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

2010/11/04 12:19:40.0343 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys

2010/11/04 12:19:40.0375 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

2010/11/04 12:19:40.0453 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

2010/11/04 12:19:40.0609 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

2010/11/04 12:19:40.0656 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

2010/11/04 12:19:40.0703 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

2010/11/04 12:19:40.0875 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

2010/11/04 12:19:40.0937 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

2010/11/04 12:19:40.0984 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys

2010/11/04 12:19:41.0062 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys

2010/11/04 12:19:41.0109 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

2010/11/04 12:19:41.0203 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

2010/11/04 12:19:41.0250 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

2010/11/04 12:19:41.0281 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys

2010/11/04 12:19:41.0312 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

2010/11/04 12:19:41.0359 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

2010/11/04 12:19:41.0468 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys

2010/11/04 12:19:41.0531 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

2010/11/04 12:19:41.0703 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

2010/11/04 12:19:41.0828 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

2010/11/04 12:19:42.0062 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys

2010/11/04 12:19:42.0171 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

2010/11/04 12:19:42.0296 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

2010/11/04 12:19:42.0375 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys

2010/11/04 12:19:42.0453 omci (b17228142cec9b3c222239fd935a37ca) C:\WINDOWS\system32\DRIVERS\omci.sys

2010/11/04 12:19:42.0531 PalmUSBD (240c0d4049a833b16b63b636acf01672) C:\WINDOWS\system32\drivers\PalmUSBD.sys

2010/11/04 12:19:42.0578 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys

2010/11/04 12:19:42.0703 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

2010/11/04 12:19:42.0765 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

2010/11/04 12:19:42.0796 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys

2010/11/04 12:19:42.0859 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

2010/11/04 12:19:42.0906 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys

2010/11/04 12:19:43.0250 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys

2010/11/04 12:19:43.0296 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys

2010/11/04 12:19:43.0437 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

2010/11/04 12:19:43.0484 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

2010/11/04 12:19:43.0531 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

2010/11/04 12:19:43.0578 PxHelp20 (183ef96bcc2ec3d5294cb2c2c0ecbcd1) C:\WINDOWS\system32\Drivers\PxHelp20.sys

2010/11/04 12:19:43.0625 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys

2010/11/04 12:19:43.0671 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys

2010/11/04 12:19:43.0734 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys

2010/11/04 12:19:43.0781 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys

2010/11/04 12:19:43.0828 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys

2010/11/04 12:19:43.0875 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

2010/11/04 12:19:44.0000 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

2010/11/04 12:19:44.0046 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

2010/11/04 12:19:44.0078 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

2010/11/04 12:19:44.0125 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

2010/11/04 12:19:44.0156 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

2010/11/04 12:19:44.0234 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

2010/11/04 12:19:44.0296 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys

2010/11/04 12:19:44.0421 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys

2010/11/04 12:19:44.0546 s24trans (81aa6f0d6a2be1c550f814b036215888) C:\WINDOWS\system32\DRIVERS\s24trans.sys

2010/11/04 12:19:44.0609 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys

2010/11/04 12:19:44.0687 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

2010/11/04 12:19:44.0765 Ser2pl (6ce397c482bede91a38e56a8c4a0dc6d) C:\WINDOWS\system32\DRIVERS\ser2pl.sys

2010/11/04 12:19:44.0906 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys

2010/11/04 12:19:44.0968 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys

2010/11/04 12:19:45.0015 sffdisk (0fa803c64df0914b41f807ea276bf2a6) C:\WINDOWS\system32\DRIVERS\sffdisk.sys

2010/11/04 12:19:45.0062 sffp_sd (c17c331e435ed8737525c86a7557b3ac) C:\WINDOWS\system32\DRIVERS\sffp_sd.sys

2010/11/04 12:19:45.0093 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\DRIVERS\sfloppy.sys

2010/11/04 12:19:45.0250 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys

2010/11/04 12:19:45.0328 SONYPVU1 (a1eceeaa5c5e74b2499eb51d38185b84) C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS

2010/11/04 12:19:45.0390 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys

2010/11/04 12:19:45.0437 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

2010/11/04 12:19:45.0500 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys

2010/11/04 12:19:45.0656 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys

2010/11/04 12:19:45.0843 STAC97 (305cc42945a713347f978d78566113f3) C:\WINDOWS\system32\drivers\STAC97.sys

2010/11/04 12:19:45.0921 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

2010/11/04 12:19:45.0968 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

2010/11/04 12:19:46.0031 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys

2010/11/04 12:19:46.0078 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys

2010/11/04 12:19:46.0203 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys

2010/11/04 12:19:46.0234 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys

2010/11/04 12:19:46.0296 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

2010/11/04 12:19:46.0406 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys

2010/11/04 12:19:46.0578 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

2010/11/04 12:19:46.0625 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

2010/11/04 12:19:46.0671 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

2010/11/04 12:19:46.0828 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys

2010/11/04 12:19:46.0937 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

2010/11/04 12:19:47.0000 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys

2010/11/04 12:19:47.0078 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

2010/11/04 12:19:47.0250 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

2010/11/04 12:19:47.0296 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

2010/11/04 12:19:47.0328 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

2010/11/04 12:19:47.0375 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys

2010/11/04 12:19:47.0437 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys

2010/11/04 12:19:47.0531 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

2010/11/04 12:19:47.0625 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

2010/11/04 12:19:47.0671 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

2010/11/04 12:19:47.0718 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys

2010/11/04 12:19:47.0875 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys

2010/11/04 12:19:47.0921 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

2010/11/04 12:19:48.0218 w29n51 (f0f902220910c4fbe42a51964bd33599) C:\WINDOWS\system32\DRIVERS\w29n51.sys

2010/11/04 12:19:48.0656 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

2010/11/04 12:19:48.0734 wanatw (0a716c08cb13c3a8f4f51e882dbf7416) C:\WINDOWS\system32\DRIVERS\wanatw4.sys

2010/11/04 12:19:48.0796 wceusbsh (dc7f91b2ed24a738c807ea07f298928c) C:\WINDOWS\system32\DRIVERS\wceusbsh.sys

2010/11/04 12:19:48.0890 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

2010/11/04 12:19:49.0015 winachsf (59d043485a6eda2ed2685c81489ae5bd) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys

2010/11/04 12:19:49.0375 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys

2010/11/04 12:19:49.0468 ================================================================================

2010/11/04 12:19:49.0468 Scan finished

2010/11/04 12:19:49.0468 ================================================================================

2010/11/04 12:19:49.0484 Detected object count: 1

2010/11/04 12:20:19.0453 IPSec (ff315d094ed74b086e205d70136ce460) C:\WINDOWS\system32\DRIVERS\ipsec.sys

2010/11/04 12:20:19.0453 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\ipsec.sys. Real md5: ff315d094ed74b086e205d70136ce460, Fake md5: 23c74d75e36e7158768dd63d92789a91

2010/11/04 12:20:21.0359 Backup copy not found, trying to cure infected file..

2010/11/04 12:20:21.0359 Cure success, using it..

2010/11/04 12:20:21.0375 C:\WINDOWS\system32\DRIVERS\ipsec.sys - will be cured after reboot

2010/11/04 12:20:21.0375 Rootkit.Win32.TDSS.tdl3(IPSec) - User select action: Cure

2010/11/04 12:20:42.0218 Deinitialize success

negster22 · November 4, 2010

Great News and this was the infected driver -ipsec.sys, and by curing it TDSSKiller restored it with a known good copy of that system file.

2010/11/04 12:20:21.0375 C:\WINDOWS\system32\DRIVERS\ipsec.sys - will be cured after reboot
2010/11/04 12:20:21.0375 Rootkit.Win32.TDSS.tdl3(IPSec) - User select action: Cure

Now, see if You can run MBAM and Combofix (renamed but in Normal mode) because the blocking should no longer exist.

locknload68 · November 4, 2010

I was able to successfully run MBAM and Combofix. While combofix was running MS DEP came up and said it closed Windows Explorer to protect the system. Combofix continued to run and didn't seem to have a problem. Below are the log files.

This computer used to have Symantec Antivirus installed but I'm not sure what happened to it. I installed MS Security Essentials because I've seen that recommended on here a few times.

Thanks again for your help!

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 5044

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

11/4/2010 3:23:20 PM

mbam-log-2010-11-04 (15-23-20).txt

Scan type: Quick scan

Objects scanned: 178464

Time elapsed: 19 minute(s), 18 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{4d25f926-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{4d25f926-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

ComboFix 10-11-03.04 - bob 11/04/2010 15:30:38.2.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.654 [GMT -4:00]

Running from: c:\documents and settings\bob\Desktop\ComboFix.exe

Command switches used :: /killall

AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

---- Previous Run -------

.

c:\documents and settings\bob\Local Settings\Temporary Internet Files\webex.ini

C:\setup.exe

.

((((((((((((((((((((((((( Files Created from 2010-10-04 to 2010-11-04 )))))))))))))))))))))))))))))))

.

2010-11-04 19:02 . 2010-11-04 19:02 -------- d-----w- c:\documents and settings\bob\Application Data\Malwarebytes

2010-11-04 19:01 . 2010-10-07 20:21 6146896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{51013566-9C9A-4EAA-8FF8-691BC59032E8}\mpengine.dll

2010-11-04 19:01 . 2010-10-19 20:51 222080 ------w- c:\windows\system32\MpSigStub.exe

2010-11-04 18:58 . 2010-11-04 18:59 -------- d-----w- c:\program files\Microsoft Security Essentials

2010-11-04 18:34 . 2010-11-04 18:34 -------- d-----w- c:\program files\Combined Community Codec Pack

2010-11-04 18:23 . 2010-11-04 18:22 73728 ----a-w- c:\windows\system32\javacpl.cpl

2010-11-04 18:23 . 2010-11-04 18:21 472808 ----a-w- c:\windows\system32\deployJava1.dll

2010-11-04 18:07 . 2010-11-04 18:07 -------- d-----w- C:\javara

2010-11-03 12:35 . 2010-11-03 12:35 80384 ----a-w- C:\MBRCheck.exe

2010-11-03 03:01 . 2010-11-03 03:01 88064 ----a-w- C:\mbr.exe

2010-11-02 22:23 . 2010-11-02 22:24 -------- d-----w- C:\ARK

2010-11-02 20:51 . 2010-11-02 20:51 -------- d-----w- c:\program files\Trend Micro

2010-11-02 18:32 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-11-02 18:32 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-11-02 16:55 . 2010-09-18 06:53 974848 ------w- c:\windows\system32\dllcache\mfc42.dll

2010-11-02 16:55 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll

2010-11-02 16:54 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll

2010-11-02 16:54 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll

2010-11-02 16:53 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe

2010-11-02 16:51 . 2010-09-10 05:58 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll

2010-11-02 16:48 . 2010-06-18 13:36 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe

2010-11-02 16:24 . 2009-08-06 23:24 15064 ----a-w- c:\windows\system32\wuapi.dll.mui

2010-11-02 14:33 . 2010-11-02 19:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-11-02 14:33 . 2010-11-02 14:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-11-01 22:24 . 2010-11-01 22:24 -------- d-----w- c:\windows\system32\wbem\Repository

2010-11-01 21:47 . 2010-11-01 22:23 -------- d-s---w- c:\documents and settings\Dan

2010-10-07 22:25 . 2010-10-07 22:25 -------- d-----w- c:\windows\system32\config\systemprofile\IETldCache

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-11-04 17:33 . 2004-08-11 22:00 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys

2010-11-03 03:05 . 2010-11-03 03:05 586 ----a-w- C:\MBR_copy.zip

2010-09-18 16:23 . 2004-08-11 22:00 974848 ----a-w- c:\windows\system32\mfc42u.dll

2010-09-18 06:53 . 2004-08-11 22:00 974848 ----a-w- c:\windows\system32\mfc42.dll

2010-09-18 06:53 . 2004-08-11 22:00 954368 ----a-w- c:\windows\system32\mfc40.dll

2010-09-18 06:53 . 2004-08-11 22:00 953856 ----a-w- c:\windows\system32\mfc40u.dll

2010-09-10 05:58 . 2004-08-11 22:00 916480 ----a-w- c:\windows\system32\wininet.dll

2010-09-10 05:58 . 2004-08-11 22:00 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-09-10 05:58 . 2004-08-11 22:00 1469440 ------w- c:\windows\system32\inetcpl.cpl

2010-09-01 11:51 . 2004-08-11 22:00 285824 ----a-w- c:\windows\system32\atmfd.dll

2010-08-31 13:42 . 2004-08-11 22:00 1852800 ----a-w- c:\windows\system32\win32k.sys

2010-08-27 08:02 . 2004-08-11 22:00 119808 ----a-w- c:\windows\system32\t2embed.dll

2010-08-27 05:57 . 2004-08-11 22:00 99840 ----a-w- c:\windows\system32\srvsvc.dll

2010-08-26 13:39 . 2005-07-07 18:16 357248 ----a-w- c:\windows\system32\drivers\srv.sys

2010-08-26 12:52 . 2009-04-16 17:34 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2010-08-23 16:12 . 2004-08-11 22:00 617472 ----a-w- c:\windows\system32\comctl32.dll

2010-08-17 13:17 . 2004-08-11 22:00 58880 ----a-w- c:\windows\system32\spoolsv.exe

2010-08-16 08:45 . 2004-08-11 22:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll

.

------- Sigcheck -------

[-] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys

[-] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\system32\drivers\atapi.sys

[-] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys

[-] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\ReinstallBackups\0004\DriverFiles\i386\atapi.sys

[-] 2008-04-13 . B153AFFAC761E7F5FCFA822B9C4E97BC . 14336 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\asyncmac.sys

[-] 2008-04-13 . B153AFFAC761E7F5FCFA822B9C4E97BC . 14336 . . [5.1.2600.5512] . . c:\windows\system32\drivers\asyncmac.sys

[-] 2004-08-04 . 02000ABF34AF4C218C35D257024807D6 . 14336 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\asyncmac.sys

[-] 2004-08-04 . DA1F27D85E0D1525F6621372E7B685E9 . 4224 . . [5.1.2600.0] . . c:\windows\system32\drivers\beep.sys

[-] 2008-04-13 . 463C1EC80CD17420A542B7F36A36F128 . 24576 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\kbdclass.sys

[-] 2008-04-13 . 463C1EC80CD17420A542B7F36A36F128 . 24576 . . [5.1.2600.5512] . . c:\windows\system32\drivers\kbdclass.sys

[-] 2004-08-04 . EBDEE8A2EE5393890A1ACEE971C4C246 . 24576 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\kbdclass.sys

[-] 2008-04-13 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ndis.sys

[-] 2008-04-13 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . c:\windows\system32\drivers\ndis.sys

[-] 2004-08-04 . 558635D3AF1C7546D26067D5D9B6959E . 182912 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ndis.sys

[-] 2008-04-13 . 78A08DD6A8D65E697C18E1DB01C5CDCA . 574976 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ntfs.sys

[-] 2008-04-13 . 78A08DD6A8D65E697C18E1DB01C5CDCA . 574976 . . [5.1.2600.5512] . . c:\windows\system32\drivers\ntfs.sys

[-] 2007-02-09 . 05AB81909514BFD69CBB1F2C147CF6B9 . 574976 . . [5.1.2600.3081] . . c:\windows\$hf_mig$\KB930916\SP2QFE\ntfs.sys

[-] 2007-02-09 . 19A811EF5F1ED5C926A028CE107FF1AF . 574464 . . [5.1.2600.3081] . . c:\windows\$NtServicePackUninstall$\ntfs.sys

[-] 2004-08-04 . B78BE402C3F63DD55521F73876951CDD . 574592 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB930916$\ntfs.sys

[-] 2004-08-04 . 73C1E1F395918BC2C6DD67AF7591A3AD . 2944 . . [5.1.2600.0] . . c:\windows\system32\drivers\null.sys

[-] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys

[-] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys

[-] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys

[-] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys

[-] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . c:\windows\$NtServicePackUninstall$\tcpip.sys

[-] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys

[-] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys

[-] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys

[-] 2007-10-30 . 90CAFF4B094573449A0872A0F919B178 . 360064 . . [5.1.2600.3244] . . c:\windows\$NtUninstallKB951748_0$\tcpip.sys

[-] 2007-10-30 . 64798ECFA43D78C7178375FCDD16D8C8 . 360832 . . [5.1.2600.3244] . . c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys

[-] 2006-04-20 . B2220C618B42A2212A59D91EBD6FC4B4 . 360576 . . [5.1.2600.2892] . . c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys

[-] 2006-04-20 . 1DBF125862891817F374F407626967F4 . 359808 . . [5.1.2600.2892] . . c:\windows\$NtUninstallKB941644$\tcpip.sys

[-] 2006-01-13 . 5562CC0A47B2AEF06D3417B733F3C195 . 360448 . . [5.1.2600.2827] . . c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys

[-] 2006-01-13 . 583E063FDC888CA30D05C2724B0D7EF4 . 359808 . . [5.1.2600.2827] . . c:\windows\$NtUninstallKB917953$\tcpip.sys

[-] 2005-05-25 . 63FDFEA54EB53DE2D863EE454937CE1E . 359936 . . [5.1.2600.2685] . . c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys

[-] 2005-05-25 . 88763A98A4C26C409741B4AA162720C9 . 359808 . . [5.1.2600.2685] . . c:\windows\$NtUninstallKB913446$\tcpip.sys

[-] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB893066$\tcpip.sys

[-] 2008-04-14 . A06CE3399D16DB864F55FAEB1F1927A9 . 77824 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\browser.dll

[-] 2008-04-14 . A06CE3399D16DB864F55FAEB1F1927A9 . 77824 . . [5.1.2600.5512] . . c:\windows\system32\browser.dll

[-] 2004-08-04 . E3CFCCDDA4EDD1D0DC9168B2E18F27B8 . 77312 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\browser.dll

[-] 2008-04-14 . BF2466B3E18E970D8A976FB95FC1CA85 . 13312 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\lsass.exe

[-] 2008-04-14 . BF2466B3E18E970D8A976FB95FC1CA85 . 13312 . . [5.1.2600.5512] . . c:\windows\system32\lsass.exe

[-] 2004-08-04 . 84885F9B82F4D55C6146EBF6065D75D2 . 13312 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\lsass.exe

[-] 2008-04-14 . 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE . 198144 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\netman.dll

[-] 2008-04-14 . 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE . 198144 . . [5.1.2600.5512] . . c:\windows\system32\netman.dll

[-] 2005-08-22 . 36739B39267914BA69AD0610A0299732 . 197632 . . [5.1.2600.2743] . . c:\windows\$NtServicePackUninstall$\netman.dll

[-] 2005-08-22 . 3516D8A18B36784B1005B950B84232E1 . 197632 . . [5.1.2600.2743] . . c:\windows\$hf_mig$\KB905414\SP2QFE\netman.dll

[-] 2004-08-04 . DAB9E6C7105D2EF49876FE92C524F565 . 198144 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB905414$\netman.dll

[-] 2008-04-14 . 574738F61FCA2935F5265DC4E5691314 . 409088 . . [6.7.2600.5512] . . c:\windows\ServicePackFiles\i386\qmgr.dll

[-] 2008-04-14 . 574738F61FCA2935F5265DC4E5691314 . 409088 . . [6.7.2600.5512] . . c:\windows\system32\qmgr.dll

[-] 2008-04-14 . 574738F61FCA2935F5265DC4E5691314 . 409088 . . [6.7.2600.5512] . . c:\windows\system32\bits\qmgr.dll

[-] 2004-08-04 . 2C69EC7E5A311334D10DD95F338FCCEA . 382464 . . [6.6.2600.2180] . . c:\windows\$NtServicePackUninstall$\qmgr.dll

[-] 2009-02-09 . 6B27A5C03DFB94B4245739065431322C . 401408 . . [5.1.2600.5755] . . c:\windows\system32\rpcss.dll

[-] 2009-02-09 . 6B27A5C03DFB94B4245739065431322C . 401408 . . [5.1.2600.5755] . . c:\windows\system32\dllcache\rpcss.dll

[-] 2009-02-09 . 9222562D44021B988B9F9F62207FB6F2 . 401408 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3QFE\rpcss.dll

[-] 2008-04-14 . 2589FE6015A316C0F5D5112B4DA7B509 . 399360 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB956572$\rpcss.dll

[-] 2008-04-14 . 2589FE6015A316C0F5D5112B4DA7B509 . 399360 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\rpcss.dll

[-] 2005-07-26 . CE94A2BD25E3E9F4D46A7373FF455C6D . 397824 . . [5.1.2600.2726] . . c:\windows\$NtServicePackUninstall$\rpcss.dll

[-] 2005-07-26 . C369DF215D352B6F3A0B8C3469AA34F8 . 398336 . . [5.1.2600.2726] . . c:\windows\$hf_mig$\KB902400\SP2QFE\rpcss.dll

[-] 2005-04-28 . DA383FB39A6F1C445F3AFC94B3EB1248 . 396288 . . [5.1.2600.2665] . . c:\windows\$hf_mig$\KB894391\SP2QFE\rpcss.dll

[-] 2005-04-28 . C8061F289E000703E7672916B7FE1571 . 395776 . . [5.1.2600.2665] . . c:\windows\$NtUninstallKB902400$\rpcss.dll

[-] 2005-01-14 . 419899803CA479B73B02390318C787C0 . 395776 . . [5.1.2600.2595] . . c:\windows\$NtUninstallKB894391$\rpcss.dll

[-] 2005-01-14 . 94456045BEB4545B5EBE1DCC85951AFA . 395776 . . [5.1.2600.2595] . . c:\windows\$hf_mig$\KB873333\SP2QFE\rpcss.dll

[-] 2004-08-04 . 5C83A4408604F737717AB96371201680 . 395776 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB873333$\rpcss.dll

[-] 2009-02-06 . 65DF52F5B8B6E9BBD183505225C37315 . 110592 . . [5.1.2600.5755] . . c:\windows\system32\services.exe

[-] 2009-02-06 . 65DF52F5B8B6E9BBD183505225C37315 . 110592 . . [5.1.2600.5755] . . c:\windows\system32\dllcache\services.exe

[-] 2009-02-06 . 020CEAAEDC8EB655B6506B8C70D53BB6 . 110592 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3QFE\services.exe

[-] 2008-04-14 . 0E776ED5F7CC9F94299E70461B7B8185 . 108544 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB956572$\services.exe

[-] 2008-04-14 . 0E776ED5F7CC9F94299E70461B7B8185 . 108544 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\services.exe

[-] 2004-08-04 . C6CE6EEC82F187615D1002BB3BB50ED4 . 108032 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\services.exe

[-] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\winlogon.exe

[-] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe

[-] 2004-08-04 . 01C3346C241652F43AED8E2149881BFE . 502272 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\winlogon.exe

[-] 2008-04-14 . 3D4E199942E29207970E04315D02AD3B . 62464 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\cryptsvc.dll

[-] 2008-04-14 . 3D4E199942E29207970E04315D02AD3B . 62464 . . [5.1.2600.5512] . . c:\windows\system32\cryptsvc.dll

[-] 2004-08-04 . 10654F9DDCEA9C46CFB77554231BE73B . 60416 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\cryptsvc.dll

[-] 2008-07-07 20:32 . 60D1A6342238378BFB7545C81EE3606C . 253952 . . [2001.12.4414.320] . . c:\windows\$NtServicePackUninstall$\es.dll

[-] 2008-07-07 20:26 . D4991D98F2DB73C60D042F1AEF79EFAE . 253952 . . [2001.12.4414.706] . . c:\windows\$hf_mig$\KB950974\SP3GDR\es.dll

[-] 2008-07-07 20:26 . D4991D98F2DB73C60D042F1AEF79EFAE . 253952 . . [2001.12.4414.706] . . c:\windows\system32\es.dll

[-] 2008-07-07 20:26 . D4991D98F2DB73C60D042F1AEF79EFAE . 253952 . . [2001.12.4414.706] . . c:\windows\system32\dllcache\es.dll

[-] 2008-07-07 20:23 . F17F6226BDC0CD5F0BEF0DAF84D29BEC . 253952 . . [2001.12.4414.706] . . c:\windows\$hf_mig$\KB950974\SP3QFE\es.dll

[-] 2008-07-07 20:06 . A4AB3DCA4A383F0DF4988ABDEB84F9A4 . 253952 . . [2001.12.4414.320] . . c:\windows\$hf_mig$\KB950974\SP2QFE\es.dll

[-] 2008-04-14 00:11 . 19A799805B24990867B00C120D300C3A . 246272 . . [2001.12.4414.701] . . c:\windows\$NtUninstallKB950974$\es.dll

[-] 2008-04-14 00:11 . 19A799805B24990867B00C120D300C3A . 246272 . . [2001.12.4414.701] . . c:\windows\ServicePackFiles\i386\es.dll

[-] 2005-07-26 04:39 . 34BBD9ACC1538818F2C878898C64E793 . 243200 . . [2001.12.4414.308] . . c:\windows\$NtUninstallKB950974_0$\es.dll

[-] 2005-07-26 04:20 . 95F5FEA4C6DE2C3F28784D0DCC8F0DD3 . 243200 . . [2001.12.4414.308] . . c:\windows\$hf_mig$\KB902400\SP2QFE\es.dll

[-] 2004-08-04 10:00 . ACD36A2DD7D1E9D8A060AA651DC07E63 . 243200 . . [2001.12.4414.258] . . c:\windows\$NtUninstallKB902400$\es.dll

[-] 2008-04-14 . 0DA85218E92526972A821587E6A8BF8F . 110080 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\imm32.dll

[-] 2008-04-14 . 0DA85218E92526972A821587E6A8BF8F . 110080 . . [5.1.2600.5512] . . c:\windows\system32\imm32.dll

[-] 2004-08-04 . 87CA7CE6469577F059297B9D6556D66D . 110080 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\imm32.dll

[-] 2009-03-21 . B921FB870C9AC0D509B2CCABBBBE95F3 . 989696 . . [5.1.2600.5781] . . c:\windows\system32\kernel32.dll

[-] 2009-03-21 . B921FB870C9AC0D509B2CCABBBBE95F3 . 989696 . . [5.1.2600.5781] . . c:\windows\system32\dllcache\kernel32.dll

[-] 2009-03-21 . DA11D9D6ECBDF0F93436A4B7C13F7BEC . 991744 . . [5.1.2600.5781] . . c:\windows\$hf_mig$\KB959426\SP3QFE\kernel32.dll

[-] 2008-04-14 . C24B983D211C34DA8FCC1AC38477971D . 989696 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB959426$\kernel32.dll

[-] 2008-04-14 . C24B983D211C34DA8FCC1AC38477971D . 989696 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\kernel32.dll

[-] 2007-04-16 . 09F7CB3687F86EDAA4CA081F7AB66C03 . 986112 . . [5.1.2600.3119] . . c:\windows\$hf_mig$\KB935839\SP2QFE\kernel32.dll

[-] 2007-04-16 . A01F9CA902A88F7CED06884174D6419D . 984576 . . [5.1.2600.3119] . . c:\windows\$NtServicePackUninstall$\kernel32.dll

[-] 2006-07-05 . 0FDD84928A5DDE2510761B7EC76CCEC9 . 985088 . . [5.1.2600.2945] . . c:\windows\$hf_mig$\KB917422\SP2QFE\kernel32.dll

[-] 2006-07-05 . D8DB5397DE07577C1CB50BA6D23B3AD4 . 984064 . . [5.1.2600.2945] . . c:\windows\$NtUninstallKB935839$\kernel32.dll

[-] 2004-08-04 . 888190E31455FAD793312F8D087146EB . 983552 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB917422$\kernel32.dll

[-] 2008-04-14 . 2DC5A8019E2387987905F77C664E4BE2 . 19968 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\linkinfo.dll

[-] 2008-04-14 . 2DC5A8019E2387987905F77C664E4BE2 . 19968 . . [5.1.2600.5512] . . c:\windows\system32\linkinfo.dll

[-] 2005-09-01 . 648BF0B4DDE4F7A1156DAE7174D36EFA . 19968 . . [5.1.2600.2751] . . c:\windows\$hf_mig$\KB900725\SP2QFE\linkinfo.dll

[-] 2005-09-01 . A1A688EE56CF3BBD24EDEB815D48E9BA . 19968 . . [5.1.2600.2751] . . c:\windows\$NtServicePackUninstall$\linkinfo.dll

[-] 2004-08-04 . C2BBD044C741EA4292016C36F718D2E4 . 18944 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB900725$\linkinfo.dll

[-] 2008-04-14 . 012DF358CEBAA23ACB26D82077820817 . 22016 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\lpk.dll

[-] 2008-04-14 . 012DF358CEBAA23ACB26D82077820817 . 22016 . . [5.1.2600.5512] . . c:\windows\system32\lpk.dll

[-] 2004-08-04 . 74D66B3DE265E8789153414E75175F26 . 22016 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\lpk.dll

[-] 2008-04-14 . D7075E95AA599EE77B7A89D39296BD3D . 343040 . . [7.0.2600.5512] . . c:\windows\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.5512_x-ww_3fd60d63\msvcrt.dll

[-] 2008-04-14 . 355EDBB4D412B01F1740C17E3F50FA00 . 343040 . . [7.0.2600.5512] . . c:\windows\ServicePackFiles\i386\msvcrt.dll

[-] 2008-04-14 . 355EDBB4D412B01F1740C17E3F50FA00 . 343040 . . [7.0.2600.5512] . . c:\windows\system32\msvcrt.dll

[-] 2004-08-04 . B0FEFA816D61EC66AA765DDF534EAB5E . 343040 . . [7.0.2600.2180] . . c:\windows\$NtServicePackUninstall$\msvcrt.dll

[-] 2004-08-04 . 4200BE3808F6406DBE45A7B88DAE5035 . 322560 . . [7.0.2600.0] . . c:\windows\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.0.0_x-ww_2726e76a\msvcrt.dll

[-] 2004-08-04 . 98EC447E00229AFD88D5161A25D065DA . 343040 . . [7.0.2600.2180] . . c:\windows\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9\msvcrt.dll

[-] 2008-06-20 . 832E4DD8964AB7ACC880B2837CB1ED20 . 245248 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\mswsock.dll

[-] 2008-06-20 . 832E4DD8964AB7ACC880B2837CB1ED20 . 245248 . . [5.1.2600.5625] . . c:\windows\system32\mswsock.dll

[-] 2008-06-20 . 832E4DD8964AB7ACC880B2837CB1ED20 . 245248 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\mswsock.dll

[-] 2008-06-20 . FCEE5FCB99F7C724593365C706D28388 . 245248 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\mswsock.dll

[-] 2008-06-20 . 097722F235A1FB698BF9234E01B52637 . 245248 . . [5.1.2600.3394] . . c:\windows\$NtServicePackUninstall$\mswsock.dll

[-] 2008-06-20 . 1DFCA7713EA5A70D5D93B436AEA0317A . 245248 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\mswsock.dll

[-] 2008-04-14 . B4138E99236F0F57D4CF49BAE98A0746 . 245248 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\mswsock.dll

[-] 2008-04-14 . B4138E99236F0F57D4CF49BAE98A0746 . 245248 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\mswsock.dll

[-] 2004-08-04 . 4E74AF063C3271FBEA20DD940CFD1184 . 245248 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB951748_0$\mswsock.dll

[-] 2008-04-14 . 1B7F071C51B77C272875C3A23E1E4550 . 407040 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\netlogon.dll

[-] 2008-04-14 . 1B7F071C51B77C272875C3A23E1E4550 . 407040 . . [5.1.2600.5512] . . c:\windows\system32\netlogon.dll

[-] 2004-08-04 . 96353FCECBA774BB8DA74A1C6507015A . 407040 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\netlogon.dll

[-] 2008-04-14 . 50A166237A0FA771261275A405646CC0 . 17408 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\powrprof.dll

[-] 2008-04-14 . 50A166237A0FA771261275A405646CC0 . 17408 . . [6.00.2900.5512] . . c:\windows\system32\powrprof.dll

[-] 2004-08-04 . 1B5F6923ABB450692E9FE0672C897AED . 17408 . . [6.00.2900.2180] . . c:\windows\$NtServicePackUninstall$\powrprof.dll

[-] 2008-04-14 . A86BB5E61BF3E39B62AB4C7E7085A084 . 181248 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\scecli.dll

[-] 2008-04-14 . A86BB5E61BF3E39B62AB4C7E7085A084 . 181248 . . [5.1.2600.5512] . . c:\windows\system32\scecli.dll

[-] 2004-08-04 . 0F78E27F563F2AAF74B91A49E2ABF19A . 180224 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\scecli.dll

[-] 2008-04-14 . 96E1C926F22EE1BFBAE82901A35F6BF3 . 5120 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\sfc.dll

[-] 2008-04-14 . 96E1C926F22EE1BFBAE82901A35F6BF3 . 5120 . . [5.1.2600.5512] . . c:\windows\system32\sfc.dll

[-] 2004-08-04 . E8A12A12EA9088B4327D49EDCA3ADD3E . 5120 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\sfc.dll

[-] 2008-04-14 . 27C6D03BCDB8CFEB96B716F3D8BE3E18 . 14336 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\svchost.exe

[-] 2008-04-14 . 27C6D03BCDB8CFEB96B716F3D8BE3E18 . 14336 . . [5.1.2600.5512] . . c:\windows\system32\svchost.exe

[-] 2004-08-04 . 8F078AE4ED187AAABC0A305146DE6716 . 14336 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\svchost.exe

[-] 2008-04-14 . 3CB78C17BB664637787C9A1C98F79C38 . 249856 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tapisrv.dll

[-] 2008-04-14 . 3CB78C17BB664637787C9A1C98F79C38 . 249856 . . [5.1.2600.5512] . . c:\windows\system32\tapisrv.dll

[-] 2005-07-08 . 1418A3A6E76E5A2E3F5E43866E793A8B . 249344 . . [5.1.2600.2716] . . c:\windows\$hf_mig$\KB893756\SP2QFE\tapisrv.dll

[-] 2005-07-08 . FB78839B36025AA286A51289ED28B73E . 249344 . . [5.1.2600.2716] . . c:\windows\$NtServicePackUninstall$\tapisrv.dll

[-] 2004-08-04 . EB4A4187D74A8EFDCBEA3EA2CB1BDFBD . 246272 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB893756$\tapisrv.dll

[-] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\user32.dll

[-] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.5512] . . c:\windows\system32\user32.dll

[-] 2007-03-08 . 7AA4F6C00405DFC4B70ED4214E7D687B . 578048 . . [5.1.2600.3099] . . c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll

[-] 2007-03-08 . B409909F6E2E8A7067076ED748ABF1E7 . 577536 . . [5.1.2600.3099] . . c:\windows\$NtServicePackUninstall$\user32.dll

[-] 2005-03-02 . 1800F293BCCC8EDE8A70E12B88D80036 . 577024 . . [5.1.2600.2622] . . c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll

[-] 2005-03-02 . DE2DB164BBB35DB061AF0997E4499054 . 577024 . . [5.1.2600.2622] . . c:\windows\$NtUninstallKB925902$\user32.dll

[-] 2004-08-04 . C72661F8552ACE7C5C85E16A3CF505C4 . 577024 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB890859$\user32.dll

[-] 2008-04-14 . A93AEE1928A9D7CE3E16D24EC7380F89 . 26112 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\userinit.exe

[-] 2008-04-14 . A93AEE1928A9D7CE3E16D24EC7380F89 . 26112 . . [5.1.2600.5512] . . c:\windows\system32\userinit.exe

[-] 2004-08-04 . 39B1FFB03C2296323832ACBAE50D2AFF . 24576 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\userinit.exe

[-] 2008-04-14 . 2CCC474EB85CEAA3E1FA1726580A3E5A . 82432 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ws2_32.dll

[-] 2008-04-14 . 2CCC474EB85CEAA3E1FA1726580A3E5A . 82432 . . [5.1.2600.5512] . . c:\windows\system32\ws2_32.dll

[-] 2004-08-04 . 2ED0B7F12A60F90092081C50FA0EC2B2 . 82944 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ws2_32.dll

[-] 2008-04-14 . 9789E95E1D88EEB4B922BF3EA7779C28 . 19968 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ws2help.dll

[-] 2008-04-14 . 9789E95E1D88EEB4B922BF3EA7779C28 . 19968 . . [5.1.2600.5512] . . c:\windows\system32\ws2help.dll

[-] 2004-08-04 . 9BEACB911CA61E5881102188AB7FB431 . 19968 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ws2help.dll

[-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\explorer.exe

[-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe

[-] 2007-06-13 . 7712DF0CDDE3A5AC89843E61CD5B3658 . 1033216 . . [6.00.2900.3156] . . c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe

[-] 2007-06-13 . 97BD6515465659FF8F3B7BE375B2EA87 . 1033216 . . [6.00.2900.3156] . . c:\windows\$NtServicePackUninstall$\explorer.exe

[-] 2004-08-04 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\$NtUninstallKB938828$\explorer.exe

[-] 2008-04-14 . 3805DF0AC4296A34BA4BF93B346CC378 . 171008 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\srsvc.dll

[-] 2008-04-14 . 3805DF0AC4296A34BA4BF93B346CC378 . 171008 . . [5.1.2600.5512] . . c:\windows\system32\srsvc.dll

[-] 2004-08-04 . 92BDF74F12D6CBEC43C94D4B7F804838 . 170496 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\srsvc.dll

[-] 2008-04-14 . F92E1076C42FCD6DB3D72D8CFE9816D5 . 13824 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\wscntfy.exe

[-] 2008-04-14 . F92E1076C42FCD6DB3D72D8CFE9816D5 . 13824 . . [5.1.2600.5512] . . c:\windows\system32\wscntfy.exe

[-] 2004-08-04 . 49911DD39E023BB6C45E4E436CFBD297 . 13824 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\wscntfy.exe

[-] 2008-04-14 . 295D21F14C335B53CB8154E5B1F892B9 . 129024 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\xmlprov.dll

[-] 2008-04-14 . 295D21F14C335B53CB8154E5B1F892B9 . 129024 . . [5.1.2600.5512] . . c:\windows\system32\xmlprov.dll

[-] 2004-08-04 . EEF46DAB68229A14DA3D8E73C99E2959 . 129536 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\xmlprov.dll

[-] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\eventlog.dll

[-] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows\system32\eventlog.dll

[-] 2004-08-04 . 82B24CB70E5944E6E34662205A2A5B78 . 55808 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\eventlog.dll

[-] 2008-04-14 . 9DD07AF82244867CA36681EA2D29CE79 . 1614848 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\sfcfiles.dll

[-] 2008-04-14 . 9DD07AF82244867CA36681EA2D29CE79 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll

[-] 2004-08-04 . 30A609E00BD1D4FFC49D6B5A432BE7F2 . 1580544 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\sfcfiles.dll

[-] 2008-04-14 . 5F1D5F88303D4A4DBC8E5F97BA967CC3 . 15360 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ctfmon.exe

[-] 2008-04-14 . 5F1D5F88303D4A4DBC8E5F97BA967CC3 . 15360 . . [5.1.2600.5512] . . c:\windows\system32\ctfmon.exe

[-] 2004-08-04 . 24232996A38C0B0CF151C2140AE29FC8 . 15360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ctfmon.exe

[-] 2008-04-14 . 1926899BF9FFE2602B63074971700412 . 135168 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\shsvcs.dll

[-] 2008-04-14 . 1926899BF9FFE2602B63074971700412 . 135168 . . [6.00.2900.5512] . . c:\windows\system32\shsvcs.dll

[-] 2006-12-19 . 6815DEF9B810AEFAC107EEAF72DA6F82 . 134656 . . [6.00.2900.3051] . . c:\windows\$NtServicePackUninstall$\shsvcs.dll

[-] 2006-12-19 . 53D9184A21C5CBF600D918E51EF3A7E5 . 135168 . . [6.00.2900.3051] . . c:\windows\$hf_mig$\KB928255\SP2QFE\shsvcs.dll

[-] 2004-08-04 . E7518DC542D3EBDCB80EDD98462C7821 . 134656 . . [6.00.2900.2180] . . c:\windows\$NtUninstallKB928255$\shsvcs.dll

[-] 2008-04-14 . 5B19B557B0C188210A56A6B699D90B8F . 59904 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\regsvc.dll

[-] 2008-04-14 . 5B19B557B0C188210A56A6B699D90B8F . 59904 . . [5.1.2600.5512] . . c:\windows\system32\regsvc.dll

[-] 2004-08-04 . 3151427DB7D87107D1C5BE58FAC53960 . 59904 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\regsvc.dll

[-] 2008-04-14 . 0A9A7365A1CA4319AA7C1D6CD8E4EAFA . 192512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\schedsvc.dll

[-] 2008-04-14 . 0A9A7365A1CA4319AA7C1D6CD8E4EAFA . 192512 . . [5.1.2600.5512] . . c:\windows\system32\schedsvc.dll

[-] 2004-08-04 . 92360854316611F6CC471612213C3D92 . 190976 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\schedsvc.dll

[-] 2008-04-14 . 0A5679B3714EDAB99E357057EE88FCA6 . 71680 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ssdpsrv.dll

[-] 2008-04-14 . 0A5679B3714EDAB99E357057EE88FCA6 . 71680 . . [5.1.2600.5512] . . c:\windows\system32\ssdpsrv.dll

[-] 2004-08-04 . 4B8D61792F7175BED48859CC18CE4E38 . 71680 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ssdpsrv.dll

[-] 2008-04-14 . FF3477C03BE7201C294C35F684B3479F . 295424 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\termsrv.dll

[-] 2008-04-14 . FF3477C03BE7201C294C35F684B3479F . 295424 . . [5.1.2600.5512] . . c:\windows\system32\termsrv.dll

[-] 2004-08-04 . B60C877D16D9C880B952FDA04ADF16E6 . 295424 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\termsrv.dll

[-] 2008-04-14 . D8849F77C0B66226335A59D26CB4EDC6 . 167936 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\appmgmts.dll

[-] 2008-04-14 . D8849F77C0B66226335A59D26CB4EDC6 . 167936 . . [5.1.2600.5512] . . c:\windows\system32\appmgmts.dll

[-] 2004-08-04 . 9C3C12975C97119412802B181FBEEFFE . 167936 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\appmgmts.dll

[-] 2004-08-04 . 9859C0F6936E723E4892D7141B1327D5 . 11648 . . [5.1.2600.0] . . c:\windows\system32\dllcache\acpiec.sys

[-] 2004-08-04 . 9859C0F6936E723E4892D7141B1327D5 . 11648 . . [5.1.2600.0] . . c:\windows\system32\drivers\acpiec.sys

[-] 2008-04-13 16:39 . 8BED39E3C35D6A489438B8141717A557 . 142592 . . [5.1.2601.3142] . . c:\windows\ServicePackFiles\i386\aec.sys

[-] 2008-04-13 16:39 . 8BED39E3C35D6A489438B8141717A557 . 142592 . . [5.1.2601.3142] . . c:\windows\system32\drivers\aec.sys

[-] 2006-02-15 00:30 . 1EE7B434BA961EF845DE136224C30FEC . 142464 . . [5.1.2601.2180] . . c:\windows\$hf_mig$\KB900485\SP2QFE\aec.sys

[-] 2006-02-15 00:22 . 1EE7B434BA961EF845DE136224C30FEC . 142464 . . [5.1.2601.2180] . . c:\windows\$NtServicePackUninstall$\aec.sys

[-] 2004-08-04 03:39 . 841F385C6CFAF66B58FBD898722BB4F0 . 142464 . . [5.1.2601.2078] . . c:\windows\$NtUninstallKB900485$\aec.sys

[-] 2008-04-13 . 08FD04AA961BDC77FB983F328334E3D7 . 42368 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\agp440.sys

[-] 2008-04-13 . 08FD04AA961BDC77FB983F328334E3D7 . 42368 . . [5.1.2600.5512] . . c:\windows\system32\drivers\agp440.sys

[-] 2004-08-04 . 2C428FA0C3E3A01ED93C9B2A27D8D4BB . 42368 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\agp440.sys

[-] 2008-04-13 . 3BB22519A194418D5FEC05D800A19AD0 . 36608 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ip6fw.sys

[-] 2008-04-13 . 3BB22519A194418D5FEC05D800A19AD0 . 36608 . . [5.1.2600.5512] . . c:\windows\system32\drivers\ip6fw.sys

[-] 2004-08-04 . 4448006B6BC60E6C027932CFC38D6855 . 29056 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ip6fw.sys

[-] 2008-04-14 . 986B1FF5814366D71E0AC5755C88F2D3 . 33792 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\msgsvc.dll

[-] 2008-04-14 . 986B1FF5814366D71E0AC5755C88F2D3 . 33792 . . [5.1.2600.5512] . . c:\windows\system32\msgsvc.dll

[-] 2004-08-04 . 95FD808E4AC22ABA025A7B3EAC0375D2 . 33792 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\msgsvc.dll

[-] 2004-08-11 06:45 . A477391B7A8B0A0DAABADB17CF533A4B . 25088 . . [10.0.3790.3646] . . c:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}\MsPMSNSv.dll

[-] 2004-08-11 06:45 . A477391B7A8B0A0DAABADB17CF533A4B . 25088 . . [10.0.3790.3646] . . c:\windows\system32\MsPMSNSv.dll

[-] 2004-08-11 06:45 . A477391B7A8B0A0DAABADB17CF533A4B . 25088 . . [10.0.3790.3646] . . c:\windows\system32\dllcache\mspmsnsv.dll

[-] 2004-08-04 10:00 . C086483E3DBA8C1C0A687EC8D5B3D4C1 . 52224 . . [9.0.1.56] . . c:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}$BACKUP$\System\MsPMSNSv.dll

[-] 2008-04-14 00:12 . 156F64A3345BD23C600655FB4D10BC08 . 435200 . . [5.1.2400.5512] . . c:\windows\ServicePackFiles\i386\ntmssvc.dll

[-] 2008-04-14 00:12 . 156F64A3345BD23C600655FB4D10BC08 . 435200 . . [5.1.2400.5512] . . c:\windows\system32\ntmssvc.dll

[-] 2004-08-04 10:00 . B62F29C00AC55A761B2E45877D85EA0F . 435200 . . [5.1.2400.2180] . . c:\windows\$NtServicePackUninstall$\ntmssvc.dll

[-] 2008-04-14 . 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 . 185856 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\upnphost.dll

[-] 2008-04-14 . 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 . 185856 . . [5.1.2600.5512] . . c:\windows\system32\upnphost.dll

[-] 2007-02-05 . 36ACA6CDC19C95FF468A1426EB7F32F0 . 185344 . . [5.1.2600.3077] . . c:\windows\$hf_mig$\KB931261\SP2QFE\upnphost.dll

[-] 2007-02-05 . ACA5D98663D879C6BAAFCEA7E2F1B710 . 185344 . . [5.1.2600.3077] . . c:\windows\$NtServicePackUninstall$\upnphost.dll

[-] 2004-08-04 . 0546477BDE979E33294FE97F6B3DE84A . 185344 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB931261$\upnphost.dll

[-] 2008-04-14 . 4D83ED8BDDEC431FC8AD907B47CFB6E3 . 367616 . . [5.3.2600.5512] . . c:\windows\ServicePackFiles\i386\dsound.dll

[-] 2008-04-14 . 4D83ED8BDDEC431FC8AD907B47CFB6E3 . 367616 . . [5.3.2600.5512] . . c:\windows\system32\dsound.dll

[-] 2004-08-04 . 55E148C01296696588EAFA425782C3E8 . 367616 . . [5.3.2600.2180] . . c:\windows\$NtServicePackUninstall$\dsound.dll

[-] 2008-04-14 . 0607CBC6FA20114CB491EFE4B2F9EFAD . 1689088 . . [5.03.2600.5512] . . c:\windows\ServicePackFiles\i386\d3d9.dll

[-] 2008-04-14 . 0607CBC6FA20114CB491EFE4B2F9EFAD . 1689088 . . [5.03.2600.5512] . . c:\windows\system32\d3d9.dll

[-] 2004-08-04 . D67BDBBDA86CC9AEEBBAF3217C1717D8 . 1689088 . . [5.03.2600.2180] . . c:\windows\$NtServicePackUninstall$\d3d9.dll

[-] 2008-04-14 . A340CD71EB535A3DD751B5F28723E50C . 279552 . . [5.03.2600.5512] . . c:\windows\ServicePackFiles\i386\ddraw.dll

[-] 2008-04-14 . A340CD71EB535A3DD751B5F28723E50C . 279552 . . [5.03.2600.5512] . . c:\windows\system32\ddraw.dll

[-] 2004-08-04 . 7ED462F353B3D915A418A689FA881F96 . 266240 . . [5.03.2600.2180] . . c:\windows\$NtServicePackUninstall$\ddraw.dll

[-] 2008-04-14 00:12 . 5652F6CE1D9E9D8068B9D29BC21B5409 . 84992 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\olepro32.dll

[-] 2008-04-14 00:12 . 5652F6CE1D9E9D8068B9D29BC21B5409 . 84992 . . [5.1.2600.5512] . . c:\windows\system32\olepro32.dll

[-] 2004-08-04 10:00 . B48D3193DD1474DCBCC32BF4779AC698 . 83456 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\olepro32.dll

[-] 2008-04-14 . DBE2B62353660ECCA0D75EA307A717E9 . 39936 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\perfctrs.dll

[-] 2008-04-14 . DBE2B62353660ECCA0D75EA307A717E9 . 39936 . . [5.1.2600.5512] . . c:\windows\system32\perfctrs.dll

[-] 2004-08-04 . 96492C721C6EA517E2BFD5381FEF55E3 . 39936 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\perfctrs.dll

[-] 2008-04-14 . C7CE131408739B0B3A318BE2D0032719 . 18944 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\version.dll

[-] 2008-04-14 . C7CE131408739B0B3A318BE2D0032719 . 18944 . . [5.1.2600.5512] . . c:\windows\system32\version.dll

[-] 2004-08-04 . D38408967BE738D0C1B47005BCE8CEEB . 18944 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\version.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-12-04 344064]

"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-12 290816]

"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-03-04 606208]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]

"CHotkey"="mHotkey.exe" [2004-09-21 550400]

"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-06-07 319488]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-09-15 1094224]

"MailUsTraMon"="c:\program files\Track4Win Enterprise Monitor\STMonitor.exe" [2008-11-02 598016]

c:\documents and settings\admin\Start Menu\Programs\Startup\

palmOne Registration.lnk - c:\program files\Docudesk\deskPDF\register.exe [2004-6-22 45056]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"ForceStartMenuLogOff"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]

2004-09-07 21:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]

@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HOTSYNCSHORTCUTNAME.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HOTSYNCSHORTCUTNAME.lnk

backup=c:\windows\pss\HOTSYNCSHORTCUTNAME.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Track4Win Enterprise Monitor\\STMonitor.exe"=

S3 ADM851X;ADM851X USB To Fast Ethernet Adapter;c:\windows\system32\drivers\ADM851X.sys [11/22/2005 2:01 PM 22144]

.

Contents of the 'Scheduled Tasks' folder

2010-11-03 c:\windows\Tasks\dan chien.job

- c:\windows\system32\ntbackup.exe [2004-08-11 00:12]

2010-11-04 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-26 01:40]

2010-11-04 c:\windows\Tasks\MpIdleTask.job

- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-26 01:40]

2010-11-04 c:\windows\Tasks\OGALogon.job

- c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]

.

------- Supplementary Scan -------

.

uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/mywaybiz

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-DellSupport - c:\program files\Dell Support\DSAgnt.exe

HKCU-Run-DellSupport- - c:\program files\Dell Support\DSAgnt.exe

Notify-NavLogon - (no file)

SafeBoot-klmdb.sys

MSConfigStartUp-AOL Fast Start - c:\program files\America Online 9.0\AOL.EXE

MSConfigStartUp-AOLDialer - c:\program files\Common Files\AOL\ACS\AOLDial.exe

MSConfigStartUp-HostManager - c:\program files\Common Files\AOL\1161703535\ee\AOLSoftware.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-11-04 15:45

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(980)

c:\windows\system32\Ati2evxx.dll

c:\program files\Intel\Wireless\Bin\LgNotify.dll

- - - - - - - > 'explorer.exe'(812)

c:\windows\system32\WININET.dll

c:\progra~1\WINDOW~2\wmpband.dll

c:\windows\system32\ieframe.dll

c:\program files\Track4Win Enterprise Monitor\STHLP.DLL

c:\windows\system32\webcheck.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\program files\Microsoft Security Essentials\MsMpEng.exe

c:\program files\Intel\Wireless\Bin\EvtEng.exe

c:\program files\Intel\Wireless\Bin\S24EvMon.exe

c:\program files\Intel\Wireless\Bin\WLKeeper.exe

c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\program files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

c:\program files\Intel\Wireless\Bin\RegSrvc.exe

c:\windows\system32\wdfmgr.exe

c:\program files\Intel\Wireless\Bin\ZcfgSvc.exe

c:\windows\system32\Ati2evxx.exe

c:\progra~1\Intel\Wireless\Bin\1XConfig.exe

c:\windows\mHotkey.exe

c:\program files\Apoint\Apntex.exe

.

**************************************************************************

.

Completion time: 2010-11-04 15:51:24 - machine was rebooted

ComboFix-quarantined-files.txt 2010-11-04 19:51

Pre-Run: 25,122,156,544 bytes free

Post-Run: 25,133,572,096 bytes free

- - End Of File - - 9152FF5D6232090E91256961CE7DF560

negster22 · November 4, 2010

Can you please do the following:

Click Start -> Run, type services.msc and hit Enter

After the Services Console opens, check to see if the following services are Started and set to Automatic Startup:

Cryptographic Services
Remote Procedure Call (RPC)

.

If not, please set them to that status (Started and Automatic Start-up), by double-clicking each one individually to open their respective "Properties" Dialogs.

locknload68 · November 4, 2010

Both services were started and set to automatic.

negster22 · November 4, 2010

Did you ever do a repair install or run System File Checker (sfc /scannow) because some system files are failing signature checking.

locknload68 · November 4, 2010

Neither a repair install or system file check has been performed on this machine to my knowledge.

negster22 · November 4, 2010

Please perform a scan with the ESET online virus scanner (You can expect some detections in Combofix's quarantine (Qoobox) and system volume information. They will not represent active malware so don't worry):

ESET recommends disabling your resident anti-virus's auto-protection feature before beginning the scan to avoid conflicts and system hangs
Use Internet Explorer to navigate to the scanner website because you must approve install an ActiveX add-on to complete the scan.
Check the "Yes, I accept the terms of use" box.
Click "Start"
Approve the installation of the ActiveX control that's required to enable scanning
Make sure the box to
- Remove found threats. is CHECKED!!
- Click "Start"
[*]Allow the definition data base to install
[*]Click "Scan"

When the scan is done, please post the scan report in your next reply. It can be found in this location:

C:\Program Files\EsetOnlineScanner\log.txt

Note to Windows 7 and Vista users, and anyone with restrictive IE security settings:

Depending on your security settings, you may have to allow cookies and put the ESET website, www.eset.com, into the trusted zone of Internet Explorer if the scan has problems starting (in Vista this is a necessity as IE runs in Protected mode).

To do that, on the Internet Explorer menu click Tools => Internet Options => Security => Trusted Sites => Sites. Then UNcheck "Require server verification for all sites in this zone" checkbox at the bottom of the dialog. Add the above www.eset.com url to the list of trusted sites, by inserting it in the blank box and clicking the Add button, then click Close. For cookies, choose the IE Privacy tab and add the above eset.com url to the exceptions list for cookie blocking.

locknload68 · November 5, 2010

Here is the ESET scan log.

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6211

# api_version=3.0.2

# EOSSerial=bcea00a29d8f124f86bbdda80b5fb9b5

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2010-11-05 01:20:52

# local_time=2010-11-05 09:20:52 (-0500, Eastern Daylight Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=512 16777215 100 0 143457 143457 0 0

# compatibility_mode=5891 16776869 100 100 0 18472340 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=64198

# found=0

# cleaned=0

# scan_time=2291

negster22 · November 6, 2010

Excellent job, LocknLoad68!

Your scans are all coming up clean now and the rootkit driver that was causing your problems, has been disinfected.

We have a few steps to finish up now!!

If I asked you to download and run an ARK (Antirootkit program) such as Gmer, Rootkit Unhooker, or Root Repeal, then please uninstall it by doing the following:

Delete the contents of the C:\ARK folder (or whatever folder you chose to install the antirootkit in)
Delete the C:\ARK folder(or whatever folder you chose to install the antirootkit in)

If I asked You to download TDSSKiller, MBRCheck or mbr.exe, please delete these programs from your Desktop (or their download location). If I asked you to make a back-up copy of your MBR, retain that on your hard drive and also burn it to CD for safekeeping, in the event You need to restore it.

To remove Combofix and it's quarantine folder:

Click Start -> Run, and copy/paste the following bolded text in the Open: box and select OK:

"%userprofile%\desktop\combofix.exe" /uninstall

This will do the following:

Uninstall Combofix and all its associated files and folders.
Flush your system restore points and create a new restore point.
Re-hide your system files and folders
Reset your system clock

---

Here are some additional measures you should take to keep your system in good working order and ensure your continued security.

1. Scan your system for outdated versions of commonly used software applications that may also cause your PC be vulnerable, using the Secunia Online Software Inspector (OSI) by clicking the Start Scanner button. This is very important because recent statistics confirm that an overwhelming majority of infections are aquired through application not Operating System flaws. Commonly used programs like Quicktime, Java, and Adobe Acrobat Reader, itunes, FlashPlayer and many others are frequently targeted today. You can make your computer much more secure if you update to the most current versions of these programs and any others that Secunia alerts you to.

Just click the "Start Scanner" button to get a listing of all outdated and possibly insecure resident programs.

Note: If your firewall prompts you about access, allow it.

2. Keep MBAM as an on demand scanner because I highly recommend it, and the quick scan will find most active malware in minutes.

3. You can reduce your startups by downloading Malwarebyte's StartUp Lite and saving it to a convenient location. Just double-click StartUpLite.exe. Then, check the options you would like based on the descriptions provided, then select continue. This will free up system resources because nonessential background programs will no longer be running when you start up your computer.

You should visit the Windows Updates website, and obtain the most current Operating System updates/patches, and Internet Explorer released versions.

The easiest and fastest way to obtain Windows Updates is by clicking Control Panel -> Windows Update.

However, setting your computer to download and install updates automatically will relieve you of the responsibility of doing this on a continual basis. It is important to periodically check that Windows Updates is functioning properly because many threats disable it as part of their strategy to compromise your system. Windows Updates are released on the second Tuesday of every month.

Finally, please review the additional suggestions offered by Tony Klein in How did I get infected in the first place. so you can maintain a safe and secure computing environment.

Happy Surfing!

locknload68 · November 8, 2010

Negster22, thank you so much for your help with this. I've updated the programs that OSI found to be out-of-date. Overall, the system seems to be running much better.

Thanks again!

negster22 · November 9, 2010

You're Welcome!

Cannot figure out what malware is causing problems

Recommended Posts

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Recently Browsing 0 members

Important Information