
I may be well past 'removal'


  • This topic is locked
34 replies to this topic

#1 nenadrew

nenadrew

    Member

  • Full Member
  • Pip
  • 56 posts

Posted 05 December 2009 - 09:37 AM

My computer picked up a trojan one night while I was trying to watch a tv show online. Don't know which site it was, I just remember getting a message repeatedly that said I needed to install a plug-in; normally I would be too cautious to allow a download like that, but I suspect that in the chaos of trying to do too many things at once, I must have accidentally clicked the Yes button. Never did get the tv show to play, but the very next morning I found that Spybot and MalwareBytes would not run.

That was at the end of August. Since then, a series of family crises and my own back trouble have kept me from spending great chunks of time at the computer to resolve this. I have, sporadically, done a lot of Googling and tried every tip, trick, and program I could find to fix things, but to no avail. Renaming .exe files did not work. Searching my computer for suspect files turned up nothing. Some programs would attempt to run, but promptly shut down (even in Safe Mode):

Spybot
MalwareBytes
Hijack This
SuperAntiSpyware
RootAlyzer
Microsoft's Malicious Software Removal Tool
Windows Live OneCare Safety Scanner

The programs that would run normally were not helpful:

Comodo found only a few tracking cookies.
Iobit Security 360 fixed a few small things but did not find the major problem.
VundoFix found no problems.
Norman Vundo Cleaner found no problems.

I have also read your FAQs and tried the programs suggested there.

Kaspersky could not be accessed; there was a message saying it was being updated.
BitDefender loaded and tried to run, but shut down immediately.
F-Secure would get to the point where it was about to begin scanning, then pop up an error message. (Error 65: Network Access Is Denied.)
Panda seemed to be working, but stalled at 18% every time I ran it.

The only reason I haven't already wiped the hdd and started over was because I was afraid that plugging in the external drive to back up files would also transfer the trojan. I was in the midst of writing a long posting to this forum to ask for help when the problem reached critical mass three days ago - I suddenly had no taskbar, could not get into Internet Explorer, and could not connect to the internet even through Netscape.

I managed to get the Start button back (though without the normal taskbar), and was alarmed enough to plug in the external drive and start trying to copy files. That's when I discovered that I can no longer drag & drop or copy/paste, either through keyboard commands or with mouse clicks. In Services, I can see where certain functions are disabled, but I cannot change the settings; when I click on Properties, nothing happens.

Since then I've discovered that my internet connection has disappeared, and Windows will not let me create a new one. (I am typing this on the slow, ancient computer that my husband kept to play Solitaire on.) System Restore does not work. ("System Restore is not able to protect your computer.") I tried to do a repair using the XP cd, but it demands an Admin password even though we never set one.

At this point my system is so messed up that it seems clear I just need some way to copy my files so I can start fresh. Years ago when my hdd crashed, we were able to salvage files using Damn Small Linux, so I dug out that cd and tried it. Wouldn't work; it kept freezing up at the 'checking for usb' point. I downloaded DSL again, hoping a newer version would work, but got the same results. Then I read that DSL can be run from inside Windows, so I downloaded the appropriate zip file and extracted it to my computer. That wouldn't run, either.

Is there some other program similar to this that might work better with Windows XP?

I know that I have installed Windows over itself before without reformatting, but a) that was Windows 98, and b) I didn't have a nasty trojan then to complicate things. I didn't want to try that without asking first... would this be a feasible way to get a temporary fix? Obviously the trojan would still be there, and I would still need to wipe the hdd and reinstall Windows again later; I'd just like to buy some time to save these months worth of photos, financial info, genealogy, e-mails, etc. Just don't really know how to do this without being able to download or copy.

Any help, advice, or suggestions would be received gratefully.

Thank you!

Nena

EDIT: Please try renaming HijackThis to something like Nenafix.com and running it... If you get a log, post it here... If that doesn't work, try it in Safe Mode with the altered name... You can also do the same thing with MalwareBytes Anti-Malware... There are some infections that are unrecoverable and reformatting and reinstalling may be the only remaining option, but we can't tell without some log info to work with...

Edited by Budfred, 05 December 2009 - 12:45 PM.


#2 nenadrew


Posted 05 December 2009 - 02:43 PM

EDIT: Please try renaming HijackThis to something like Nenafix.com and running it... If you get a log, post it here... If that doesn't work, try it in Safe Mode with the altered name... You can also do the same thing with MalwareBytes Anti-Malware... There are some infections that are unrecoverable and reformatting and reinstalling may be the only remaining option, but we can't tell without some log info to work with...


I have tried the renaming trick, both in Windows and in Safe Mode, with Hijack This, Spybot, and MalwareBytes; none of them worked. I would be happy to try it again, but I am unable to reinstall the programs without an internet connection. (Every time I've tried to run one of these programs, the trojan not only made it shut down at once, but also, apparently, disabled the program so it could not be opened again. Over and over, I've had to delete programs and reinstall them just to try again. At this moment, I do not have a fresh install of any of them; I'm sorry.) Nena

EDIT: If you can download HijackThis on another computer, you can rename it prior to trying to install it on your infected computer... It is a very small program, so it downloads very quickly... If you are not able to do that, please wait for a helper to post and give you other ideas...

Edited by Budfred, 05 December 2009 - 04:44 PM.


#3 TheJoker

TheJoker

    Forum Deity

  • Boot Camp Mod
  • PipPipPipPipPip
  • 13,555 posts

Posted 05 December 2009 - 07:05 PM

Hi nenadrew, and Welcome to SWI

I suggest printing out each set of instructions and reading the entire post before proceeding. It will make following them easier. Please follow the directions in the order listed.

IObit Security 360 is a rogue security program known to cause system problems and that has stolen material from other computer security companies to use in their own program.
IOBit Steals Malwarebytes’ Intellectual Property
IOBit’s Denial of Theft Unconvincing

Go to Start > Control Panel > Add or Remove Programs and remove the following program:
IObit Security 360
(or any program from IObit)

After uninstalling it, using Windows Explorer delete the following folder if still there:
C:\Program Files\IObit

Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click the Delete button.
  - For IE 7:
    • In the window that opens, click the Delete all button.
    • When prompted, place a check in: "Also delete files and settings stored by add-ons.", click Yes.
  - For IE8:
    • In the window that opens place a checkmark in all options.
    • Click the Delete and OK buttons.

Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options > Privacy.
  • Click "clear your recent history".
  • Go to the Advanced tab, and click the Clear Now button
  • Click OK to close the Options window

Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click OK.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.

Since you don't currently have an Internet connection, you will need to download the below tools on a clean, working system and burn them to CD/DVD to transfer to the infected system. Please do NOT use a flash drive so you do not transfer the infection back to your other system, see here:
USB/Flash Drive Safety

Please save this file to your Desktop.
Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK.
When it's finished, there will be a log called Win32kDiag.txt on your desktop.
Please open it with notepad and post the contents here.
"%userprofile%\desktop\win32kdiag.exe" -f -r

Now see if you can run MBAM. Please run Malwarebytes' Anti-Malware.
  • Click the Scanner tab.
  • Select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply along with a fresh HijackThis log.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Now see if you can run HijackThis.

If you were able, please post a HijackThis log, the log from Win32kDiag.exe (Win32kDiag.txt), the log from MBAM, and note any errors encountered.

Free Tools for Fighting Malware
Anti-Virus: avast! Free Antivirus / Avira Free AntiVirus
OnLine Anti-Virus: ESET / BitDefender / F-Secure
Anti-Malware: Malwarebytes' Anti-Malware / Dr.Web CureIt
Spyware/Adware Tools: MVPS HOSTS File / SpywareBlaster
Firewall: Comodo Firewall Free / Privatefirewall
Tutorials: How did I get Infected? / Internet Explorer Privacy & Security Settings
If we have helped, please help us continue the fight by using the Donate button, or see this topic for other ways to donate.

MS MVP 2009-20010 and ASAP Member since 2005


#4 nenadrew


Posted 06 December 2009 - 01:27 PM

Joker, thank you so much for taking the time to write all that. I have spent the morning working through your list.

I did not know that IObit was a rogue program; it was suggested by one of my husband's co-workers (a computer tech!) I have e-mailed the links you gave me to my husband's workplace so they will know not to use it. I did run IObit a couple of months ago but had already deleted it from my computer.

Cache and cookies have been cleaned from both IE8 and Netscape, temp files deleted, and the Recycle bin emptied.

Thanks for the reminder about flash drive safety. I did use a flash drive the other day in copying a .zip file from my husband's computer to extract to mine, but I ran MalwareBytes on his computer yesterday and it came up clean, thank goodness. I have used Flash Disinfecter on our flash drives and e-mailed the link about turning off Autoplay to myself for later use.

I didn't come out so great with the rest of your suggestions. I burned the Win32kdiag file to a cd from my husband's computer. Lacking the ability to copy to my computer, the best I could do was send a shortcut to the desktop and try running it from the cd. This is the error message it gave before returning me to the Run command box:

Windows cannot find 'c:\Documents and Settings\(username)\desktop\win32kdiag.exe'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.

(Note to comment here that I no longer have Search function, either.)

I still had the MalwareBytes installer file on my computer, so I tried reinstalling from that. I have successfully installed from it at least a dozen times before, but this time the installation was interrupted with the following error message:

Run-time error '372'. Failed to load control 'vbalGrid' from vbalsgrid6.ocx. Your version of vbalsgrid6.ocx may be outdated. Make sure you are using the version of the control that was provided with your application.

I then downloaded the newest version of MalwareBytes and burned it to cd; took it to my computer and sent a shortcut to the desktop and tried installing from there. Got the exact same error message.

I still have the HijackThis installer file on my computer but cannot use it because it installs from the internet. I burned the HijackThis.exe file to a cd and tried it from there, but it did the same as it did when trying to run it from my computer - started to run and then shut down abruptly.

At this point I am completely stymied. If there are other suggestions, I am willing to try anything. Is reinstalling Windows over itself starting to look like a better option, at least to temporarily restore the ability to copy?

It really sickens me to know that somewhere out there is a person who was gifted with the intellectual brilliance to do amazing things with computers, and this is what they chose to do with their talent - create misery. :(

Nena
bumfuzzled and frustrated

#5 TheJoker


Posted 06 December 2009 - 03:24 PM

I didn't come out so great with the rest of your suggestions. I burned the Win32kdiag file to a cd from my husband's computer. Lacking the ability to copy to my computer, the best I could do was send a shortcut to the desktop and try running it from the cd. This is the error message it gave before returning me to the Run command box:

Windows cannot find 'c:\Documents and Settings\(username)\desktop\win32kdiag.exe'.

You received that error message because you ran the program from CD with a command path that specified that the file was on your Desktop. You would need to change the path to the file to run it from CD. But I don't see why you can't copy. You didn't mention anything about that. You said that you don't have the Taskbar at the bottom, but do you have your normal Desktop present?

Download ComboFix© by sUBs from one of these locations:
http://download.blee...Bs/ComboFix.exe
http://www.forospywa...Bs/ComboFix.exe

Burn it to CD so you can copy it to your system (it must be on your Desktop to run properly).

Insert the CD that you copied win32kdiag.exe onto.
As the file is on CD, you need to run it with this command:
"D:\win32kdiag.exe" -f -r
If your CD drive is not drive D, you will need to change the drive letter for your CD drive, for instance, if your CD drive is drive E:
"E:\win32kdiag.exe" -f -r

Save the log that it produces so you can post that in your next reply. You may need to save that to floppy to transfer that file since you don't have internet connectivity from that system.

Insert the CD that you copied ComboFix to.
Now press CTRL-ALT-DEL to start the Task Manager
From the drop-down menu, click File > New Task (RUN)
In the box type the following and hit Enter:
Copy D:\Combofix.exe "%userprofile%\desktop\Combofix.exe"
Again, if D is not your CD drive, change D to your CD drive letter
That will copy the file to your Desktop
Now from the New Task (Run) window, enter the following and hit enter:
"%userprofile%\desktop\Combofix.exe"

- Follow the prompts to allow ComboFix to run and scan for malware. When finished, it will save a log. Please include the contents of the log at C:\ComboFix.txt in your next reply.

Now if you can, please post a HijackThis log, the log from Win32kDiag (Win32kDiag.txt), and in a second reply (so nothing is cut off by the maximum post length) the log from ComboFix and note any errors encountered



#6 nenadrew


Posted 07 December 2009 - 03:48 AM

You received that error message because you ran the program from CD with a command path that specified that the file was on your Desktop. You would need to change the path to the file to run it from CD. But I don't see why you can't copy. You didn't mention anything about that. You said that you don't have the Taskbar at the bottom, but do you have your normal Desktop present?


Joker, thanks for your patience; I should have realized I wasn't routing that command properly.

I mentioned the can't-copy issue about halfway through my initial posting, but the mention was brief and easy to miss. I said:

I managed to get the Start button back (though without the normal taskbar), and was alarmed enough to plug in the external drive and start trying to copy files. That's when I discovered that I can no longer drag & drop or copy/paste, either through keyboard commands or with mouse clicks. In Services, I can see where certain functions are disabled, but I cannot change the settings; when I click on Properties, nothing happens.

(I do have a taskbar, but for some reason it now contains IE bookmarks instead of the things I had on it before.)

After following your instructions regarding ComboFix, I hit Enter to copy it to my desktop and received the following error message:

Windows cannot find 'copy'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.

I tried running HiJack This directly from the cd, and once again it opened but shut down almost immediately.

I then tried compressing ComboFix and HiJack This into .zip files and burning them to cd, but the blasted computer will not let me unzip them. I even tried copying them to a flash drive, despite potential safety issues; that didn't work either. (After running Flash Disinfecter, the computer now sees my flash drives as read-only. Is that supposed to happen?)

However, I was finally able to get a Win32kdiag log (appended); I hope it proves helpful, because whatever evil entity has taken hold of my computer seems determined not to let me run ComboFix or HiJack This.

Thank you again for your help!

Nena


WIN32KDIAG LOG:

Running from: d:\Win32kDiag.exe Log file at : C:\Documents and Settings\Nena Drew Thrower.NENA\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Cannot access: C:\WINDOWS\system32\drivers\sfi.dat

Attempting to restore permissions of :

C:\WINDOWS\system32\drivers\sfi.dat [1] 2009-09-01 08:31:43 1474832

C:\WINDOWS\system32\drivers\sfi.dat ()

Found mount point : C:\WINDOWS\system32\DRVSTORE\GEARAspiWD_4F4AA3475F1B13A1E8212B6D40B351211BC358CE\x86\x86 Mount point destination : \Device\__max++>\^
Removing mount point: C:\WINDOWS\system32\DRVSTORE\GEARAspiWD_4F4AA3475F1B13A1E8212B6D40B351211BC358CE\x86\x86

Cannot access: C:\WINDOWS\system32\eventlog.dll

Attempting to restore permissions of :

C:\WINDOWS\system32\eventlog.dll [1] 2004-08-04 04:00:00 55808

C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation) [1] 2008-04-13 18:11:53 56320

C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation) [1] 2008-04-13 18:11:53 62976

C:\WINDOWS\system32\eventlog.dll () [2] 2008-04-13 18:11:53 56320

C:\WINDOWS\system32\logevent.dll (Microsoft Corporation) [2] 2004-08-04 05:00:00 55808

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP55\A0019995.dll (Microsoft Corporation) [2] 2004-08-04 05:00:00 55808

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP55\A0020940.dll (Microsoft Corporation) [1] 2004-08-04 05:00:00 55808

C:\i386\eventlog.dll (Microsoft Corporation)

Found mount point : C:\WINDOWS\system32\export\export Mount point destination : \Device\__max++>\^
Removing mount point: C:\WINDOWS\system32\export\export

Found mount point : C:\WINDOWS\system32\FxsTmp\FxsTmp Mount point destination : \Device\__max++>\^
Removing mount point: C:\WINDOWS\system32\FxsTmp\FxsTmp

Found mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT Mount point destination : \Device\__max++>\^
Removing mount point: C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT

Found mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT Mount point destination : \Device\__max++>\^
Removing mount point: C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT

Found mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT Mount point destination : \Device\__max++>\^
Removing mount point: C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT

Found mount point : C:\WINDOWS\system32\inetsrv\inetsrv Mount point destination : \Device\__max++>\^
Removing mount point: C:\WINDOWS\system32\inetsrv\inetsrv

Found mount point : C:\WINDOWS\system32\Microsoft\Crypto\RSA\MachineKeys\MachineKeys Mount point destination : \Device\__max++>\^
Removing mount point: C:\WINDOWS\system32\Microsoft\Crypto\RSA\MachineKeys\MachineKeys

Cannot access : C:\WINDOWS\system32\MRT.exe
Attempting to restore permissions of: C:\WINDOWS\system32\MRT.exe

Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec Mount point destination : \Device\__max++>\^
Removing mount point: C:\WINDOWS\system32\mui\dispspec\dispspec

Found mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup Mount point destination : \Device\__max++>\^
Removing mount point: C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Found mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust Mount point destination : \Device\__max++>\^
Removing mount point: C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Found mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw Mount point destination : \Device\__max++>\^
Removing mount point: C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Found mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg Mount point destination : \Device\__max++>\^
Removing mount point: C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Found mount point : C:\WINDOWS\system32\oobe\sample\sample Mount point destination : \Device\__max++>\^
Removing mount point: C:\WINDOWS\system32\oobe\sample\sample

Found mount point : C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\DriverFiles Mount point destination : \Device\__max++>\^
Removing mount point: C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\DriverFiles

Found mount point : C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\i386\i386 Mount point destination : \Device\__max++>\^
Removing mount point: C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\i386\i386

Found mount point : C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\i386\i386 Mount point destination : \Device\__max++>\^
Removing mount point: C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\i386\i386

Found mount point : C:\WINDOWS\system32\ReinstallBackups\0003\DriverFiles\i386\i386 Mount point destination : \Device\__max++>\^
Removing mount point: C:\WINDOWS\system32\ReinstallBackups\0003\DriverFiles\i386\i386

Found mount point : C:\WINDOWS\system32\ReinstallBackups\0004\DriverFiles\i386\i386 Mount point destination : \Device\__max++>\^
Removing mount point: C:\WINDOWS\system32\ReinstallBackups\0004\DriverFiles\i386\i386

Found mount point : C:\WINDOWS\system32\ReinstallBackups\0005\DriverFiles\i386\i386 Mount point destination : \Device\__max++>\^
Removing mount point: C:\WINDOWS\system32\ReinstallBackups\0005\DriverFiles\i386\i386

Found mount point : C:\WINDOWS\system32\ReinstallBackups\0006\DriverFiles\i386\i386 Mount point destination : \Device\__max++>\^
Removing mount point: C:\WINDOWS\system32\ReinstallBackups\0006\DriverFiles\i386\i386

Found mount point : C:\WINDOWS\system32\ReinstallBackups\0007\DriverFiles\i386\i386 Mount point destination : \Device\__max++>\^
Removing mount point: C:\WINDOWS\system32\ReinstallBackups\0007\DriverFiles\i386\i386

Found mount point : C:\WINDOWS\system32\ReinstallBackups\0008\DriverFiles\i386\i386 Mount point destination : \Device\__max++>\^
Removing mount point: C:\WINDOWS\system32\ReinstallBackups\0008\DriverFiles\i386\i386

Found mount point : C:\WINDOWS\system32\ReinstallBackups\0009\DriverFiles\i386\i386 Mount point destination : \Device\__max++>\^
Removing mount point: C:\WINDOWS\system32\ReinstallBackups\0009\DriverFiles\i386\i386

Found mount point : C:\WINDOWS\system32\ReinstallBackups\0010\DriverFiles\i386\i386 Mount point destination : \Device\__max++>\^
Removing mount point: C:\WINDOWS\system32\ReinstallBackups\0010\DriverFiles\i386\i386

Found mount point : C:\WINDOWS\system32\ReinstallBackups\0011\DriverFiles\i386\i386 Mount point destination : \Device\__max++>\^
Removing mount point: C:\WINDOWS\system32\ReinstallBackups\0011\DriverFiles\i386\i386

Found mount point : C:\WINDOWS\system32\ReinstallBackups\0012\DriverFiles\DriverFiles Mount point destination : \Device\__max++>\^
Removing mount point: C:\WINDOWS\system32\ReinstallBackups\0012\DriverFiles\DriverFiles

Found mount point : C:\WINDOWS\system32\ReinstallBackups\0013\DriverFiles\i386\i386 Mount point destination : \Device\__max++>\^
Removing mount point: C:\WINDOWS\system32\ReinstallBackups\0013\DriverFiles\i386\i386

Found mount point : C:\WINDOWS\system32\ReinstallBackups\0014\DriverFiles\i386\i386 Mount point destination : \Device\__max++>\^
Removing mount point: C:\WINDOWS\system32\ReinstallBackups\0014\DriverFiles\i386\i386

Found mount point : C:\WINDOWS\system32\ReinstallBackups\0015\DriverFiles\i386\i386 Mount point destination : \Device\__max++>\^
Removing mount point: C:\WINDOWS\system32\ReinstallBackups\0015\DriverFiles\i386\i386

Found mount point : C:\WINDOWS\system32\ReinstallBackups\0016\DriverFiles\DriverFiles Mount point destination : \Device\__max++>\^
Removing mount point: C:\WINDOWS\system32\ReinstallBackups\0016\DriverFiles\DriverFiles

Found mount point : C:\WINDOWS\system32\ShellExt\ShellExt Mount point destination : \Device\__max++>\^
Removing mount point: C:\WINDOWS\system32\ShellExt\ShellExt

Found mount point : C:\WINDOWS\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.0.6000.381\7.0.6000.381 Mount point destination : \Device\__max++>\^
Removing mount point: C:\WINDOWS\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.0.6000.381\7.0.6000.381

Found mount point : C:\WINDOWS\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.2.6001.784\7.2.6001.784 Mount point destination : \Device\__max++>\^
Removing mount point: C:\WINDOWS\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.2.6001.784\7.2.6001.784

Found mount point : C:\WINDOWS\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.2.6001.784\7.2.6001.784 Mount point destination : \Device\__max++>\^
Removing mount point: C:\WINDOWS\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.2.6001.784\7.2.6001.784

Found mount point : C:\WINDOWS\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.2.6001.788\7.2.6001.788 Mount point destination : \Device\__max++>\^
Removing mount point: C:\WINDOWS\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.2.6001.788\7.2.6001.788

Found mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS Mount point destination : \Device\__max++>\^
Removing mount point: C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Cannot access : C:\WINDOWS\system32\svchost.exe
Attempting to restore permissions of : C:\WINDOWS\system32\svchost.exe Note: Granted Everyone Full Access to svchost.exe

Found mount point : C:\WINDOWS\system32\URTTemp\URTTemp Mount point destination : \Device\__max++>\^
Removing mount point: C:\WINDOWS\system32\URTTemp\URTTemp

Found mount point : C:\WINDOWS\system32\VIEWERS\VIEWERS Mount point destination : \Device\__max++>\^
Removing mount point: C:\WINDOWS\system32\VIEWERS\VIEWERS

Found mount point : C:\WINDOWS\system32\wbem\Logs\Logs Mount point destination : \Device\__max++>\^
Removing mount point: C:\WINDOWS\system32\wbem\Logs\Logs

Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad Mount point destination : \Device\__max++>\^
Removing mount point: C:\WINDOWS\system32\wbem\mof\bad\bad

Found mount point : C:\WINDOWS\system32\wbem\mof\good\good Mount point destination : \Device\__max++>\^
Removing mount point: C:\WINDOWS\system32\wbem\mof\good\good

Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp Mount point destination : \Device\__max++>\^
Removing mount point: C:\WINDOWS\system32\wbem\snmp\snmp

Found mount point : C:\WINDOWS\system32\wins\wins Mount point destination : \Device\__max++>\^
Removing mount point: C:\WINDOWS\system32\wins\wins

Found mount point : C:\WINDOWS\system32\x64\x64 Mount point destination : \Device\__max++>\^
Removing mount point: C:\WINDOWS\system32\x64\x64

Found mount point : C:\WINDOWS\system32\xircom\xircom Mount point destination : \Device\__max++>\^
Removing mount point: C:\WINDOWS\system32\xircom\xircom

Found mount point : C:\WINDOWS\Template\Template Mount point destination : \Device\__max++>\^
Removing mount point: C:\WINDOWS\Template\Template

Found mount point : C:\WINDOWS\TWAIN\TWAIN Mount point destination : \Device\__max++>\^
Removing mount point: C:\WINDOWS\TWAIN\TWAIN

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp Mount point destination : \Device\__max++>\^
Removing mount point: C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.MSXML2R_6bd6b9abf345378f_4.1.0.0_x-ww_29c3ad6a\x86_Microsoft.MSXML2R_6bd6b9abf345378f_4.1.0.0_x-ww_29c3ad6a Mount point destination : \Device\__max++>\^
Removing mount point: C:\WINDOWS\WinSxS\x86_Microsoft.MSXML2R_6bd6b9abf345378f_4.1.0.0_x-ww_29c3ad6a\x86_Microsoft.MSXML2R_6bd6b9abf345378f_4.1.0.0_x-ww_29c3ad6a

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9818.0_x-ww_8ff50c5d\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9818.0_x-ww_8ff50c5d Mount point destination : \Device\__max++>\^
Removing mount point: C:\WINDOWS\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9818.0_x-ww_8ff50c5d\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9818.0_x-ww_8ff50c5d

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9848.0_x-ww_1b897e9a\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9848.0_x-ww_1b897e9a Mount point destination : \Device\__max++>\^
Removing mount point: C:\WINDOWS\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9848.0_x-ww_1b897e9a\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9848.0_x-ww_1b897e9a

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474 Mount point destination : \Device\__max++>\^
Removing mount point: C:\WINDOWS\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb Mount point destination : \Device\__max++>\^
Removing mount point: C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303 Mount point destination : \Device\__max++>\^
Removing mount point: C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05 Mount point destination : \Device\__max++>\^
Removing mount point: C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05

Found mount point : C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03 Mount point destination : \Device\__max++>\^
Removing mount point: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03

Finished!

#7 TheJoker


Posted 07 December 2009 - 06:15 AM

After running Flash Disinfecter, the computer now sees my flash drives as read-only. Is that supposed to happen?

No, it shouldn't.

Part of the problem is that there's a rootkit protecting whatever has infected your system.

I know that I have installed Windows over itself before without reformatting, but a) that was Windows 98, and b) I didn't have a nasty trojan then to complicate things. I didn't want to try that without asking first... would this be a feasible way to get a temporary fix? Obviously the trojan would still be there, and I would still need to wipe the hdd and reinstall Windows again later

That won't work, because as you pointed out, the infection would still be present, and likely still running at startup.

I'd just like to buy some time to save these months worth of photos, financial info, genealogy, e-mails, etc. Just don't really know how to do this without being able to download or copy.

After the scan below, there is another rescue disc from F-Secure that will let you copy files to a USB Flash drive, but I need to see the log from the Kaspersky scan below first, as if a particular virus is present, it will affect what file types you can safely copy.

The Kaspersky Rescue Disk is a bootable, CD-based version of Kaspersky Antivirus.
The download is in ISO format.
If you are not sure how to burn an image, please read How to write a CD/DVD image or ISO. If you need a FREE utility to burn the ISO image, download and use ImgBurn.

On the uninfected system, download the Kaspersky Rescue Disk:
http://devbuilds.kas...lds/RescueDisk/
  • Burn the Kaspersky Rescue Disk ISO image to CD.
  • Insert the Kaspersky Rescue Disk CD into your CD/DVD drive on the infected system and boot the computer (you may need to change the boot sequence in your system's BIOS to boot from the CD/DVD drive).
  • Follow the instructions in the initial text screen to press Enter to start Kaspersky AntiVirus.
  • Select your language (or wait a few seconds for the default English to load).
  • Your screen may go blank for several minutes while the program loads.
  • After the Kaspersky Rescue Disk loads, the database will be updated (if you have network connectivity).
    • Click the Update tab to view the update progress.
    • When the update has completed, click the Scan tab.
  • Place a checkmark in all the available drives to scan the entire system.
  • Click the "Security level" option, and select options.
    • Make sure "All Files" is selected
    • Under "Scan of compound files" ensure all options are selected and click the OK button.
  • Click the "On threat detection" option
    • Select "Do not prompt", "Disinfect", and "Delete if disinfection fails".
  • Click the "Start scan" button.
  • When the scan has completed, click the Reports button.
    • Click the Save button, and select your System drive (normally your C: drive)
    • In the "File name" box, name the file krd-log and click the Save button.
    • Click Close to close the Reports window.
  • Click the Exit button to close the Rescue Disk program and confirm.
  • In the lower left of the screen, left-click the red K button, select Logout, and confirm.
  • The computer will shut down.
  • Restart the computer and reboot normally.
  • Please post the log (krd-log.txt) in your next reply.
If you can't get the log, I'm particularly interested to see if you have any instances of the viruses virut or sality identified.


MS MVP 2009-20010 and ASAP Member since 2005
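
One way to run the check requested in the post above over a saved krd-log (an added example, not part of the original post and not Kaspersky's own tooling): it pairs each Detected line with its Deleted line, lists objects that were detected but never deleted, counts hits that sit inside System Restore snapshots, and flags Virut or Sality verdicts. The sample lines are constructed in the layout of the log posted in this thread; the function names, the sample paths and the Email-Worm verdict are this example's own assumptions.

```python
import re
from collections import Counter

# One report line: "<date> <time> <AM|PM> <Event>: <verdict> <path>".
# The verdict never contains a space; the path may.
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{2} \d{1,2}:\d{2} [AP]M) "
    r"(?P<event>[A-Za-z ]+?): (?P<verdict>\S+) (?P<path>.+)$"
)

# Constructed sample (not the real log): file names, GUID and mail path are placeholders.
SAMPLE_LOG = """\
12/7/09 1:58 PM Task started

12/7/09 3:23 PM Detected: not-a-virus:AdWare.Win32.Background /discs/D:/Program Files/Example/Quarantine/A0000001.EXE
12/7/09 3:23 PM Deleted: not-a-virus:AdWare.Win32.Background /discs/D:/Program Files/Example/Quarantine/A0000001.EXE

12/7/09 5:57 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{00000000-0000-0000-0000-000000000000}/RP001/A0000002.sys:1
12/7/09 5:57 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{00000000-0000-0000-0000-000000000000}/RP001/A0000002.sys:1

12/7/09 5:58 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{00000000-0000-0000-0000-000000000000}/RP002/A0000003.sys:1
12/7/09 5:58 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{00000000-0000-0000-0000-000000000000}/RP002/A0000003.sys:1

12/7/09 7:10 PM Detected: Email-Worm.Win32.Example.a /discs/D:/Mail/Example/Inbox.dbx
Scan: completed 12/9/09 4:18 AM (events: 7, objects: , time: 00:00:00)
"""


def parse_events(text):
    """Return (timestamp, event, verdict, path) for every per-object line.

    Header and status lines ("Task started", "Scan: completed ...") do not
    match the per-object layout and are skipped.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m["ts"], m["event"], m["verdict"], m["path"]))
    return events


def triage(text, watch=("virut", "sality")):
    """Summarise a report: what was found, what is still on disk, what to worry about."""
    detected = {}    # (verdict, path) -> timestamp of first detection
    deleted = set()  # (verdict, path) pairs the scanner reports as removed
    for ts, event, verdict, path in parse_events(text):
        key = (verdict, path)
        if event == "Detected":
            detected.setdefault(key, ts)
        elif event == "Deleted":
            deleted.add(key)

    # Objects reported as detected with no matching "Deleted" line need manual follow-up.
    unresolved = [key for key in detected if key not in deleted]

    # Copies under _restore{...}/RPnnn are System Restore snapshots, not live files.
    in_restore = sum(
        1 for _, path in detected if "/System Volume Information/_restore" in path
    )

    # File infectors the helper asked about: any hit changes what is safe to copy off.
    watch_hits = sorted(
        {verdict for verdict, _ in detected if any(w in verdict.lower() for w in watch)}
    )

    return {
        "by_verdict": Counter(verdict for verdict, _ in detected),
        "unresolved": unresolved,
        "in_restore_points": in_restore,
        "watch_hits": watch_hits,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for verdict, count in report["by_verdict"].most_common():
        print(f"{count:4d}  {verdict}")
    print("inside System Restore snapshots:", report["in_restore_points"])
    print("Virut/Sality verdicts:", report["watch_hits"] or "none")
    for verdict, path in report["unresolved"]:
        print("NOT DELETED:", verdict, path)
```
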


#8 nenadrew


Posted 08 December 2009 - 12:08 AM

Joker, just wanted to let you know that it will be tomorrow before I have an update. Got the Kaspersky .iso burned to CD and started the scan on my computer early this afternoon; it has been running for nine hours now and is at 57% complete. When it finishes, I'm going to try saving the log to my external drive (fingers crossed.) So far I've seen Rootkit mentioned in the details log, and something called Backdoor.

It's really exciting and hopeful to finally have a scan work!

Nena

#9 nenadrew


Posted 09 December 2009 - 07:00 AM

Woohoo! I am posting from my own computer! Internet is back and copy/paste works; so far that's all I've had a chance to check. But yea! That was 38+ hours well spent, for sure.

The Kaspersky Rescue Disk log is appended; there is some duplication because I had it scan the external drive as well. No mention of Virut or Sality (or Vundo, which is what I thought the problem was.) The email worm that Kaspersky couldn't delete... would deleting those emails manually solve that?

So what now.... can I consider it fixed, or is there something more I need to do? I can probably get a Hijack This log now, if it's still needed. Meanwhile, I think I will go reinstall and run Spybot and MalwareBytes just to be sure I can.

Joker, I cannot thank you enough for your help and patience!

Nena


krd-log

Scan: completed 12/9/09 4:18 AM (events: 382, objects: , time: 00:00:00)
12/7/09 1:58 PM Task started

12/7/09 3:23 PM Detected: not-a-virus:AdWare.Win32.Background /discs/D:/Program Files/COMODO/COMODO Internet Security/Quarantine/A0006563.EXE
12/7/09 3:23 PM Deleted: not-a-virus:AdWare.Win32.Background /discs/D:/Program Files/COMODO/COMODO Internet Security/Quarantine/A0006563.EXE

12/7/09 3:23 PM Detected: not-a-virus:AdWare.Win32.Background /discs/D:/Program Files/COMODO/COMODO Internet Security/Quarantine/A0022272.EXE
12/7/09 3:23 PM Deleted: not-a-virus:AdWare.Win32.Background /discs/D:/Program Files/COMODO/COMODO Internet Security/Quarantine/A0022272.EXE

12/7/09 5:57 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP148/A0020623.sys:1
12/7/09 5:57 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP148/A0020623.sys:1

12/7/09 5:57 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP152/A0020716.sys:1
12/7/09 5:57 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP152/A0020716.sys:1

12/7/09 5:58 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP155/A0020768.sys:1
12/7/09 5:58 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP155/A0020768.sys:1

12/7/09 6:00 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP157/A0021267.sys:1
12/7/09 6:00 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP157/A0021267.sys:1

12/7/09 6:00 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP157/A0021382.sys:1
12/7/09 6:00 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP157/A0021382.sys:1

12/7/09 6:04 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP160/A0022033.sys:1
12/7/09 6:04 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP160/A0022033.sys:1

12/7/09 6:07 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP168/A0022282.sys:1
12/7/09 6:07 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP168/A0022282.sys:1

12/7/09 6:08 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP168/A0022328.sys:1
12/7/09 6:08 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP168/A0022328.sys:1

12/7/09 6:08 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP169/A0022402.sys:1
12/7/09 6:09 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP169/A0022402.sys:1

12/7/09 6:09 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP169/A0022597.sys:1
12/7/09 6:09 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP169/A0022597.sys:1

12/7/09 6:10 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP169/A0022534.sys:1
12/7/09 6:10 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP169/A0022534.sys:1

12/7/09 6:10 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP169/A0022542.sys:1
12/7/09 6:10 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP169/A0022542.sys:1

12/7/09 6:10 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP170/A0022622.sys:1
12/7/09 6:10 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP170/A0022622.sys:1

12/7/09 6:11 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP171/A0022675.sys:1
12/7/09 6:11 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP171/A0022675.sys:1

12/7/09 6:12 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP177/A0022771.sys:1
12/7/09 6:12 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP177/A0022771.sys:1

12/7/09 6:12 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP177/A0022811.sys:1
12/7/09 6:12 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP177/A0022811.sys:1

12/7/09 6:12 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP178/A0022833.sys:1
12/7/09 6:12 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP178/A0022833.sys:1

12/7/09 6:13 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP184/A0023833.sys:1
12/7/09 6:13 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP184/A0023833.sys:1

12/7/09 6:13 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP185/A0023906.sys:1
12/7/09 6:13 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP185/A0023906.sys:1

12/7/09 6:14 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP186/A0023939.sys:1
12/7/09 6:14 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP186/A0023939.sys:1

12/7/09 6:14 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP186/A0023945.sys:1
12/7/09 6:14 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP186/A0023945.sys:1

12/7/09 6:15 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP190/A0024041.sys:1
12/7/09 6:15 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP190/A0024041.sys:1

12/7/09 6:15 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP193/A0024103.sys:1
12/7/09 6:15 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP193/A0024103.sys:1

12/7/09 6:16 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP194/A0024127.sys:1
12/7/09 6:16 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP194/A0024127.sys:1

12/7/09 6:16 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP195/A0024168.sys:1
12/7/09 6:16 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP195/A0024168.sys:1

12/7/09 6:16 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP195/A0024177.sys:1
12/7/09 6:16 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP195/A0024177.sys:1

12/7/09 6:16 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP195/A0024186.sys:1
12/7/09 6:16 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP195/A0024186.sys:1

12/7/09 6:16 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP195/A0024195.sys:1
12/7/09 6:16 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP195/A0024195.sys:1

12/7/09 6:16 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP195/A0024205.sys:1
12/7/09 6:16 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP195/A0024205.sys:1

12/7/09 6:16 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP196/A0024218.sys:1
12/7/09 6:16 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP196/A0024218.sys:1

12/7/09 6:16 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP197/A0024240.sys:1
12/7/09 6:16 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP197/A0024240.sys:1

12/7/09 6:17 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP198/A0024252.sys:1
12/7/09 6:17 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP198/A0024252.sys:1

12/7/09 6:17 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP199/A0024271.sys:1
12/7/09 6:17 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP199/A0024271.sys:1

12/7/09 6:17 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP201/A0024305.sys:1
12/7/09 6:17 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP201/A0024305.sys:1

12/7/09 6:17 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP202/A0024330.sys:1
12/7/09 6:17 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP202/A0024330.sys:1

12/7/09 6:18 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP204/A0025382.sys:1
12/7/09 6:18 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP204/A0025382.sys:1

12/7/09 6:18 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP204/A0025389.sys:1
12/7/09 6:18 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP204/A0025389.sys:1

12/7/09 6:18 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP205/A0025408.sys:1
12/7/09 6:18 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP205/A0025408.sys:1

12/7/09 6:18 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP205/A0025417.sys:1
12/7/09 6:18 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP205/A0025417.sys:1

12/7/09 6:18 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP205/A0025437.sys:1
12/7/09 6:18 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP205/A0025437.sys:1

12/7/09 6:18 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP206/A0025492.sys:1
12/7/09 6:18 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP206/A0025492.sys:1

12/7/09 6:19 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP207/A0025525.sys:1
12/7/09 6:19 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP207/A0025525.sys:1

12/7/09 6:19 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP207/A0025536.sys:1
12/7/09 6:19 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP207/A0025536.sys:1

12/7/09 6:19 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP207/A0025567.sys:1
12/7/09 6:19 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP207/A0025567.sys:1

12/7/09 6:19 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP166/A0022163.sys:1
12/7/09 6:19 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP166/A0022163.sys:1

12/7/09 6:19 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP166/A0022222.sys:1
12/7/09 6:19 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP166/A0022222.sys:1

12/7/09 6:19 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP166/A0022235.sys:1
12/7/09 6:19 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP166/A0022235.sys:1

12/7/09 6:19 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP187/A0023973.sys:1
12/7/09 6:19 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP187/A0023973.sys:1

12/7/09 6:20 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP208/A0025578.sys:1
12/7/09 6:20 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP208/A0025578.sys:1

12/7/09 6:20 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP209/A0025615.sys:1
12/7/09 6:20 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP209/A0025615.sys:1

12/7/09 6:20 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP210/A0025627.sys:1
12/7/09 6:20 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP210/A0025627.sys:1

12/7/09 6:20 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP211/A0025648.sys:1
12/7/09 6:20 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP211/A0025648.sys:1

12/7/09 6:20 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP212/A0025658.sys:1
12/7/09 6:20 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP212/A0025658.sys:1

12/7/09 6:20 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP213/A0025724.sys:1
12/7/09 6:21 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP213/A0025724.sys:1

12/7/09 6:21 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP213/A0025700.sys:1
12/7/09 6:21 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP213/A0025700.sys:1

12/7/09 6:21 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP213/A0025715.sys:1
12/7/09 6:21 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP213/A0025715.sys:1

12/7/09 6:21 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP215/A0025741.sys:1
12/7/09 6:21 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP215/A0025741.sys:1

12/7/09 6:21 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP216/A0025756.sys:1
12/7/09 6:21 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP216/A0025756.sys:1

12/7/09 6:21 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP216/A0025767.sys:1
12/7/09 6:21 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP216/A0025767.sys:1

12/7/09 6:22 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP219/A0025800.sys:1
12/7/09 6:22 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP219/A0025800.sys:1

12/7/09 6:22 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP220/A0025818.sys:1
12/7/09 6:22 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP220/A0025818.sys:1

12/7/09 6:22 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP221/A0025840.sys:1
12/7/09 6:22 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP221/A0025840.sys:1

12/7/09 6:23 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP222/A0025988.sys:1
12/7/09 6:23 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP222/A0025988.sys:1

12/7/09 6:23 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP224/A0026019.sys:1
12/7/09 6:23 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP224/A0026019.sys:1

12/7/09 6:24 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP227/A0026038.sys:1
12/7/09 6:24 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP227/A0026038.sys:1

12/7/09 6:24 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP230/A0026064.sys:1
12/7/09 6:24 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP230/A0026064.sys:1

12/7/09 6:25 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP232/A0026089.sys:1
12/7/09 6:25 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP232/A0026089.sys:1

12/7/09 6:25 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP233/A0026121.sys:1
12/7/09 6:25 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP233/A0026121.sys:1

12/7/09 6:25 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP233/A0026133.sys:1
12/7/09 6:25 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP233/A0026133.sys:1

12/7/09 6:25 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP234/A0026155.sys:1
12/7/09 6:25 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP234/A0026155.sys:1

12/7/09 6:26 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP236/A0026167.sys:1
12/7/09 6:26 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP236/A0026167.sys:1

12/7/09 6:26 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP236/A0026175.sys:1
12/7/09 6:26 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP236/A0026175.sys:1

12/7/09 6:26 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP236/A0026188.sys:1
12/7/09 6:26 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP236/A0026188.sys:1

12/7/09 6:26 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP237/A0026211.sys:1
12/7/09 6:26 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP237/A0026211.sys:1

12/7/09 6:26 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP238/A0026227.sys:1
12/7/09 6:26 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP238/A0026227.sys:1

12/7/09 6:26 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP238/A0026237.sys:1
12/7/09 6:26 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP238/A0026237.sys:1

12/7/09 6:26 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP238/A0026247.sys:1
12/7/09 6:26 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP238/A0026247.sys:1

12/7/09 6:26 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP239/A0026258.sys:1
12/7/09 6:26 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP239/A0026258.sys:1

12/7/09 6:26 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP239/A0026267.sys:1
12/7/09 6:26 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP239/A0026267.sys:1

12/7/09 6:27 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP239/A0027267.sys:1
12/7/09 6:27 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP239/A0027267.sys:1

12/7/09 6:27 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP239/A0028267.sys:1
12/7/09 6:27 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP239/A0028267.sys:1

12/7/09 6:27 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP239/A0029267.sys:1
12/7/09 6:27 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP239/A0029267.sys:1

12/7/09 6:27 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP239/A0029281.sys:1
12/7/09 6:27 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP239/A0029281.sys:1

12/7/09 6:28 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP241/A0029485.sys:1
12/7/09 6:28 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP241/A0029485.sys:1

12/7/09 6:28 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP241/A0029536.sys:1
12/7/09 6:28 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP241/A0029536.sys:1

12/7/09 6:28 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP241/A0030536.sys:1
12/7/09 6:28 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP241/A0030536.sys:1

12/7/09 6:28 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP241/A0035329.sys:1
12/7/09 6:28 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP241/A0035329.sys:1

12/7/09 6:28 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP241/A0035334.sys:1
12/7/09 6:28 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP241/A0035334.sys:1

12/7/09 6:28 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP241/A0035341.sys:1
12/7/09 6:28 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP241/A0035341.sys:1

12/7/09 6:28 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP241/A0035346.sys:1
12/7/09 6:28 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP241/A0035346.sys:1

12/7/09 6:28 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP241/A0035367.sys:1
12/7/09 6:28 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP241/A0035367.sys:1

12/7/09 6:28 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP241/A0035375.sys:1
12/7/09 6:28 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP241/A0035375.sys:1

12/7/09 6:28 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP241/A0036375.sys:1
12/7/09 6:28 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP241/A0036375.sys:1

12/7/09 6:28 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP241/A0036380.sys:1
12/7/09 6:28 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP241/A0036380.sys:1

12/7/09 6:41 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP241/A0039529.sys:1
12/7/09 6:41 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP241/A0039529.sys:1

12/7/09 6:41 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP241/A0039498.sys:1
12/7/09 6:41 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP241/A0039498.sys:1

12/7/09 6:41 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP241/A0039508.sys:1
12/7/09 6:41 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP241/A0039508.sys:1

12/7/09 6:41 PM Detected: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP241/A0039519.sys:1
12/7/09 6:41 PM Deleted: Rootkit.Win32.PMax.e /discs/D:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/RP241/A0039519.sys:1

12/7/09 7:07 PM Detected: Backdoor.Win32.Agent.akmn /discs/D:/WINDOWS/system32/eventlog.dll
12/7/09 7:07 PM Deleted: Backdoor.Win32.Agent.akmn /discs/D:/WINDOWS/system32/eventlog.dll

12/7/09 7:52 PM Detected: not-a-virus:AdWare.Win32.TimeSink /discs/D:/ZIP/TimeSinkPatch/timesinkpatch.EXE/TSUNINSTALLER.EXE
12/7/09 7:52 PM Deleted: not-a-virus:AdWare.Win32.TimeSink /discs/D:/ZIP/TimeSinkPatch/timesinkpatch.EXE

12/8/09 1:21 AM Detected: Email-Worm.VBS.KakWorm /discs/D:/Documents and Settings/Nena Drew Thrower/Application Data/Mozilla/Profiles/nenadrew/0bbmyzi6.slt/Mail/mail.cableone.net/Old Friends.sbd/Kim/[From "Kim" <removed@hevanet.com>][Date 15 May 2000 16:01:26][Subj Hi]/html
12/8/09 1:21 AM Untreated: Email-Worm.VBS.KakWorm /discs/D:/Documents and Settings/Nena Drew Thrower/Application Data/Mozilla/Profiles/nenadrew/0bbmyzi6.slt/Mail/mail.cableone.net/Old Friends.sbd/Kim/[From "Kim" <removed@hevanet.com>][Date 15 May 2000 16:01:26][Subj Hi]/html Write not supported

12/8/09 1:21 AM Detected: Email-Worm.VBS.KakWorm /discs/D:/Documents and Settings/Nena Drew Thrower/Application Data/Mozilla/Profiles/nenadrew/0bbmyzi6.slt/Mail/mail.cableone.net/Old Friends.sbd/Kim/[From "Kim" <removed@hevanet.com>][Date 18 May 2000 21:50:43][Subj Hi]/html
12/8/09 1:21 AM Untreated: Email-Worm.VBS.KakWorm /discs/D:/Documents and Settings/Nena Drew Thrower/Application Data/Mozilla/Profiles/nenadrew/0bbmyzi6.slt/Mail/mail.cableone.net/Old Friends.sbd/Kim/[From "Kim" <removed@hevanet.com>][Date 18 May 2000 21:50:43][Subj Hi]/html Write not supported

12/8/09 1:21 AM Detected: Email-Worm.VBS.KakWorm /discs/D:/Documents and Settings/Nena Drew Thrower/Application Data/Mozilla/Profiles/nenadrew/0bbmyzi6.slt/Mail/mail.cableone.net/Old Friends.sbd/Kim/[From "Kim" <removed@hevanet.com>][Date 22 May 2000 19:59:08][Subj Wants to help all of you]/html
12/8/09 1:21 AM Untreated: Email-Worm.VBS.KakWorm /discs/D:/Documents and Settings/Nena Drew Thrower/Application Data/Mozilla/Profiles/nenadrew/0bbmyzi6.slt/Mail/mail.cableone.net/Old Friends.sbd/Kim/[From "Kim" <removed@hevanet.com>][Date 22 May 2000 19:59:08][Subj Wants to help all of you]/html Write not supported

12/8/09 1:22 AM Detected: Email-Worm.VBS.KakWorm /discs/D:/Documents and Settings/Nena Drew Thrower/Application Data/Mozilla/Profiles/nenadrew/0bbmyzi6.slt/Mail/mail.cableone.net/Old Friends.sbd/Kim/[From "Kim" <removed@hevanet.com>][Date 24 May 2000 19:22:52][Subj Hi]/html
12/8/09 1:22 AM Untreated: Email-Worm.VBS.KakWorm /discs/D:/Documents and Settings/Nena Drew Thrower/Application Data/Mozilla/Profiles/nenadrew/0bbmyzi6.slt/Mail/mail.cableone.net/Old Friends.sbd/Kim/[From "Kim" <removed@hevanet.com>][Date 24 May 2000 19:22:52][Subj Hi]/html Write not supported

12/8/09 5:19 AM Detected: Email-Worm.VBS.KakWorm /discs/D:/Documents and Settings/Nena Drew Thrower.NENA/Application Data/Mozilla/Profiles/nenadrew/0bbmyzi6.slt/Mail/mail.cableone.net/Old Friends.sbd/Kim/[From "Kim" <removed@hevanet.com>][Date 15 May 2000 16:01:26][Subj Hi]/html
12/8/09 5:19 AM Untreated: Email-Worm.VBS.KakWorm /discs/D:/Documents and Settings/Nena Drew Thrower.NENA/Application Data/Mozilla/Profiles/nenadrew/0bbmyzi6.slt/Mail/mail.cableone.net/Old Friends.sbd/Kim/[From "Kim" <removed@hevanet.com>][Date 15 May 2000 16:01:26][Subj Hi]/html Write not supported

12/8/09 5:19 AM Detected: Email-Worm.VBS.KakWorm /discs/D:/Documents and Settings/Nena Drew Thrower.NENA/Application Data/Mozilla/Profiles/nenadrew/0bbmyzi6.slt/Mail/mail.cableone.net/Old Friends.sbd/Kim/[From "Kim" <removed@hevanet.com>][Date 18 May 2000 21:50:43][Subj Hi]/html
12/8/09 5:19 AM Untreated: Email-Worm.VBS.KakWorm /discs/D:/Documents and Settings/Nena Drew Thrower.NENA/Application Data/Mozilla/Profiles/nenadrew/0bbmyzi6.slt/Mail/mail.cableone.net/Old Friends.sbd/Kim/[From "Kim" <removed@hevanet.com>][Date 18 May 2000 21:50:43][Subj Hi]/html Write not supported

12/8/09 5:19 AM Detected: Email-Worm.VBS.KakWorm /discs/D:/Documents and Settings/Nena Drew Thrower.NENA/Application Data/Mozilla/Profiles/nenadrew/0bbmyzi6.slt/Mail/mail.cableone.net/Old Friends.sbd/Kim/[From "Kim" <removed@hevanet.com>][Date 22 May 2000 19:59:08][Subj Wants to help all of you]/html
12/8/09 5:19 AM Untreated: Email-Worm.VBS.KakWorm /discs/D:/Documents and Settings/Nena Drew Thrower.NENA/Application Data/Mozilla/Profiles/nenadrew/0bbmyzi6.slt/Mail/mail.cableone.net/Old Friends.sbd/Kim/[From "Kim" <removed@hevanet.com>][Date 22 May 2000 19:59:08][Subj Wants to help all of you]/html Write not supported

12/8/09 5:19 AM Detected: Email-Worm.VBS.KakWorm /discs/D:/Documents and Settings/Nena Drew Thrower.NENA/Application Data/Mozilla/Profiles/nenadrew/0bbmyzi6.slt/Mail/mail.cableone.net/Old Friends.sbd/Kim/[From "Kim" <removed@hevanet.com>][Date 24 May 2000 19:22:52][Subj Hi]/html
12/8/09 5:19 AM Untreated: Email-Worm.VBS.KakWorm /discs/D:/Documents and Settings/Nena Drew Thrower.NENA/Application Data/Mozilla/Profiles/nenadrew/0bbmyzi6.slt/Mail/mail.cableone.net/Old Friends.sbd/Kim/[From "Kim" <removed@hevanet.com>][Date 24 May 2000 19:22:52][Subj Hi]/html Write not supported

12/8/09 6:59 AM Detected: Trojan.Win32.Rabbit.af /discs/E:/System Volume Information/_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}/rp71/a0071059.exe
12/8/09 6:59 AM Deleted: Trojan.Win32.Rabbit.af /discs/E:/System Volume Information/_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}/rp71/a0071059.exe

12/8/09 8:03 AM Detected: not-a-virus:AdWare.Win32.TimeSink /discs/E:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/rp241/a0031551.exe/TSUNINSTALLER.EXE
12/8/09 8:03 AM Deleted: not-a-virus:AdWare.Win32.TimeSink /discs/E:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/rp241/a0031551.exe

12/8/09 8:44 AM Detected: Trojan-PSW.Win32.Papras.lr /discs/E:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/rp241/a0034737.exe
12/8/09 8:44 AM Deleted: Trojan-PSW.Win32.Papras.lr /discs/E:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/rp241/a0034737.exe

12/8/09 8:44 AM Detected: Rootkit.Win32.Agent.ex /discs/E:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/rp241/a0034769.sys
12/8/09 8:44 AM Deleted: Rootkit.Win32.Agent.ex /discs/E:/System Volume Information/_restore{B627D24E-CB41-42F9-B04F-8DB656A8ACDA}/rp241/a0034769.sys

12/8/09 11:45 AM Detected: Trojan.Win32.Rabbit.af /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Nena Drew Thrower.exe
12/8/09 11:45 AM Deleted: Trojan.Win32.Rabbit.af /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Nena Drew Thrower.exe

12/8/09 2:08 PM Detected: Email-Worm.VBS.KakWorm /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Application Data/Mozilla/Profiles/nenadrew/0bbmyzi6.slt/Mail/mail.cableone.net/Old Friends.sbd/Kim/[From "Kim" <removed@hevanet.com>][Date 15 May 2000 16:01:26][Subj Hi]/html
12/8/09 2:08 PM Untreated: Email-Worm.VBS.KakWorm /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Application Data/Mozilla/Profiles/nenadrew/0bbmyzi6.slt/Mail/mail.cableone.net/Old Friends.sbd/Kim/[From "Kim" <removed@hevanet.com>][Date 15 May 2000 16:01:26][Subj Hi]/html Write not supported

12/8/09 2:08 PM Detected: Email-Worm.VBS.KakWorm /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Application Data/Mozilla/Profiles/nenadrew/0bbmyzi6.slt/Mail/mail.cableone.net/Old Friends.sbd/Kim/[From "Kim" <removed@hevanet.com>][Date 18 May 2000 21:50:43][Subj Hi]/html
12/8/09 2:08 PM Untreated: Email-Worm.VBS.KakWorm /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Application Data/Mozilla/Profiles/nenadrew/0bbmyzi6.slt/Mail/mail.cableone.net/Old Friends.sbd/Kim/[From "Kim" <removed@hevanet.com>][Date 18 May 2000 21:50:43][Subj Hi]/html Write not supported

12/8/09 2:09 PM Detected: Email-Worm.VBS.KakWorm /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Application Data/Mozilla/Profiles/nenadrew/0bbmyzi6.slt/Mail/mail.cableone.net/Old Friends.sbd/Kim/[From "Kim" <removed@hevanet.com>][Date 22 May 2000 19:59:08][Subj Wants to help all of you]/html
12/8/09 2:09 PM Untreated: Email-Worm.VBS.KakWorm /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Application Data/Mozilla/Profiles/nenadrew/0bbmyzi6.slt/Mail/mail.cableone.net/Old Friends.sbd/Kim/[From "Kim" <removed@hevanet.com>][Date 22 May 2000 19:59:08][Subj Wants to help all of you]/html Write not supported

12/8/09 2:09 PM Detected: Email-Worm.VBS.KakWorm /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Application Data/Mozilla/Profiles/nenadrew/0bbmyzi6.slt/Mail/mail.cableone.net/Old Friends.sbd/Kim/[From "Kim" <removed@hevanet.com>][Date 24 May 2000 19:22:52][Subj Hi]/html
12/8/09 2:09 PM Untreated: Email-Worm.VBS.KakWorm /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Application Data/Mozilla/Profiles/nenadrew/0bbmyzi6.slt/Mail/mail.cableone.net/Old Friends.sbd/Kim/[From "Kim" <removed@hevanet.com>][Date 24 May 2000 19:22:52][Subj Hi]/html Write not supported

12/8/09 5:16 PM Detected: Backdoor.Win32.Zdoogu.bx /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temporary Internet Files/Content.IE5/vep3ia9r/load[1].exe
12/8/09 5:16 PM Deleted: Backdoor.Win32.Zdoogu.bx /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temporary Internet Files/Content.IE5/vep3ia9r/load[1].exe

12/8/09 5:17 PM Detected: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn1.tmp
12/8/09 5:17 PM Detected: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn10.tmp

12/8/09 5:17 PM Deleted: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn1.tmp
12/8/09 5:17 PM Detected: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn11.tmp

12/8/09 5:17 PM Detected: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn12.tmp
12/8/09 5:17 PM Deleted: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn10.tmp

12/8/09 5:17 PM Detected: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn13.tmp
12/8/09 5:17 PM Deleted: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn11.tmp

12/8/09 5:17 PM Detected: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn14.tmp
12/8/09 5:17 PM Deleted: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn12.tmp

12/8/09 5:17 PM Detected: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn15.tmp
12/8/09 5:17 PM Deleted: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn13.tmp

12/8/09 5:17 PM Detected: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn16.tmp
12/8/09 5:17 PM Deleted: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn15.tmp

12/8/09 5:17 PM Detected: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn17.tmp
12/8/09 5:17 PM Deleted: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn14.tmp

12/8/09 5:18 PM Detected: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn18.tmp
12/8/09 5:18 PM Deleted: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn16.tmp

12/8/09 5:18 PM Detected: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn19.tmp
12/8/09 5:18 PM Deleted: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn17.tmp

12/8/09 5:18 PM Detected: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn1a.tmp
12/8/09 5:18 PM Deleted: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn18.tmp

12/8/09 5:18 PM Detected: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn1b.tmp
12/8/09 5:18 PM Deleted: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn19.tmp

12/8/09 5:18 PM Detected: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn1c.tmp
12/8/09 5:18 PM Deleted: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn1a.tmp

12/8/09 5:18 PM Detected: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn1d.tmp
12/8/09 5:18 PM Deleted: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn1b.tmp

12/8/09 5:18 PM Detected: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn1e.tmp
12/8/09 5:18 PM Deleted: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn1c.tmp

12/8/09 5:18 PM Detected: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn1f.tmp
12/8/09 5:18 PM Deleted: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn1d.tmp

12/8/09 5:18 PM Detected: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn2.tmp
12/8/09 5:18 PM Deleted: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn1e.tmp

12/8/09 5:18 PM Detected: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn20.tmp
12/8/09 5:18 PM Deleted: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn1f.tmp

12/8/09 5:18 PM Detected: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn21.tmp
12/8/09 5:18 PM Deleted: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn2.tmp

12/8/09 5:18 PM Detected: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn22.tmp
12/8/09 5:18 PM Deleted: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn20.tmp

12/8/09 5:18 PM Detected: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn23.tmp
12/8/09 5:18 PM Deleted: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn21.tmp

12/8/09 5:18 PM Detected: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn24.tmp
12/8/09 5:18 PM Deleted: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn22.tmp

12/8/09 5:18 PM Detected: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn25.tmp
12/8/09 5:18 PM Deleted: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn23.tmp

12/8/09 5:18 PM Detected: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn26.tmp
12/8/09 5:18 PM Deleted: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn24.tmp

12/8/09 5:18 PM Detected: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn27.tmp
12/8/09 5:18 PM Deleted: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn25.tmp

12/8/09 5:18 PM Detected: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn28.tmp
12/8/09 5:18 PM Deleted: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn26.tmp

12/8/09 5:18 PM Detected: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn29.tmp
12/8/09 5:18 PM Deleted: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn27.tmp

12/8/09 5:18 PM Detected: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn2a.tmp
12/8/09 5:18 PM Deleted: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn28.tmp

12/8/09 5:18 PM Detected: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn2b.tmp
12/8/09 5:18 PM Deleted: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn29.tmp

12/8/09 5:18 PM Detected: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn2c.tmp
12/8/09 5:18 PM Deleted: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn2a.tmp

12/8/09 5:18 PM Detected: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn2d.tmp
12/8/09 5:18 PM Deleted: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn2b.tmp

12/8/09 5:18 PM Detected: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn2e.tmp
12/8/09 5:18 PM Deleted: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn2c.tmp

12/8/09 5:18 PM Detected: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn2f.tmp
12/8/09 5:18 PM Deleted: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn2d.tmp

12/8/09 5:18 PM Detected: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn3.tmp
12/8/09 5:19 PM Deleted: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn2e.tmp

12/8/09 5:19 PM Detected: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn30.tmp
12/8/09 5:19 PM Deleted: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn2f.tmp

12/8/09 5:19 PM Detected: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn31.tmp
12/8/09 5:19 PM Deleted: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn3.tmp

12/8/09 5:19 PM Detected: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn32.tmp
12/8/09 5:19 PM Deleted: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn30.tmp

12/8/09 5:19 PM Detected: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn33.tmp
12/8/09 5:19 PM Deleted: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn31.tmp

12/8/09 5:19 PM Detected: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn34.tmp
12/8/09 5:19 PM Deleted: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn32.tmp

12/8/09 5:19 PM Detected: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn35.tmp
12/8/09 5:19 PM Deleted: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn33.tmp

12/8/09 5:19 PM Detected: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn36.tmp
12/8/09 5:19 PM Deleted: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn34.tmp

12/8/09 5:19 PM Detected: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn37.tmp
12/8/09 5:19 PM Deleted: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn35.tmp

12/8/09 5:19 PM Detected: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn38.tmp
12/8/09 5:19 PM Deleted: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn36.tmp

12/8/09 5:19 PM Detected: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn39.tmp
12/8/09 5:19 PM Deleted: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn37.tmp

12/8/09 5:19 PM Detected: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn3a.tmp
12/8/09 5:19 PM Deleted: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn38.tmp

12/8/09 5:19 PM Detected: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn3b.tmp
12/8/09 5:19 PM Deleted: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn39.tmp

12/8/09 5:19 PM Detected: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn3c.tmp
12/8/09 5:19 PM Deleted: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn3a.tmp

12/8/09 5:19 PM Detected: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn3d.tmp
12/8/09 5:19 PM Deleted: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn3b.tmp

12/8/09 5:19 PM Detected: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn3e.tmp
12/8/09 5:19 PM Deleted: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn3c.tmp

12/8/09 5:19 PM Detected: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn3f.tmp
12/8/09 5:19 PM Deleted: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn3d.tmp

12/8/09 5:19 PM Detected: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn4.tmp
12/8/09 5:19 PM Deleted: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn3e.tmp

12/8/09 5:19 PM Detected: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn40.tmp
12/8/09 5:19 PM Deleted: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn3f.tmp

12/8/09 5:19 PM Detected: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn41.tmp
12/8/09 5:19 PM Deleted: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn4.tmp

12/8/09 5:19 PM Detected: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn42.tmp
12/8/09 5:19 PM Deleted: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn40.tmp

12/8/09 5:19 PM Detected: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn44.tmp
12/8/09 5:19 PM Deleted: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn41.tmp

12/8/09 5:19 PM Detected: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn5.tmp
12/8/09 5:19 PM Deleted: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn42.tmp

12/8/09 5:19 PM Detected: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn6.tmp
12/8/09 5:19 PM Deleted: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn44.tmp

12/8/09 5:19 PM Detected: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn7.tmp
12/8/09 5:19 PM Deleted: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn5.tmp

12/8/09 5:20 PM Detected: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn8.tmp
12/8/09 5:20 PM Deleted: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn6.tmp

12/8/09 5:20 PM Detected: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn83.tmp
12/8/09 5:20 PM Deleted: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn7.tmp

12/8/09 5:20 PM Detected: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Throwe

Edited by TheJoker, 09 December 2009 - 08:15 PM.
edited e-mail addresses to prevent harvesting by bots


#10 TheJoker


Posted 09 December 2009 - 08:08 PM

Woohoo! I am posting from my own computer! Internet is back and copy/paste works; so far that's all I've had a chance to check. But yea! That was 38+ hours well spent, for sure.

Excellent work! :D

So what now.... can I consider it fixed, or is there something more I need to do? I can probably get a Hijack This log now, if it's still needed.

There will be more to do, and I can't tell everything that was infected because the Kaspersky log was too long and was cut off.

Meanwhile, I think I will go reinstall and run Spybot and MalwareBytes just to be sure I can.

After you update MBAM and scan the system, please be sure to remove everything found and post the log.

Kaspersky was unable to delete the infected e-mails that it detected. Go to your e-mail program, and in the folder Old Friends/Kim, delete the following infected e-mails from Kim:

[Date 15 May 2000 16:01:26][Subj Hi]
[Date 18 May 2000 21:50:43][Subj Hi]
[Date 22 May 2000 19:59:08][Subj Wants to help all of you]
[Date 24 May 2000 19:22:52][Subj Hi]
[Date 15 May 2000 16:01:26][Subj Hi]
[Date 18 May 2000 21:50:43][Subj Hi]
[Date 22 May 2000 19:59:08][Subj Wants to help all of you]
[Date 24 May 2000 19:22:52][Subj Hi]
[Date 15 May 2000 16:01:26][Subj Hi]
[Date 18 May 2000 21:50:43][Subj Hi]
[Date 22 May 2000 19:59:08][Subj Wants to help all of you]
[Date 24 May 2000 19:22:52][Subj Hi]

After you do that, please empty the deleted items folder or they will still be in your e-mail program's database.

There may be more infected e-mails, but I'll need to see the rest of the log from the Kaspersky Rescue Disk. Since I can't tell how large the remainder of the log is, please attach it to your next reply. When you reply, use the 'Add Reply' button, click 'Choose..' and browse for file. Finally, click 'Attach This File'. Then add the rest of your text reply.

Download ComboFix© by sUBs from one of these locations:

http://download.blee...Bs/ComboFix.exe
http://www.forospywa...Bs/ComboFix.exe

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Familiarize yourself with ComboFix before running it:
http://www.bleepingc...to-use-combofix

  • Disable your AntiVirus and any AntiSpyware programs you may be running (usually via a right click on the System Tray icon) to prevent them from interfering.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware. There are some difficult to remove infections that will only be fixed if you have the Recovery Console installed.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware. When finished, it will save a log.
Please include the contents of the log at C:\ComboFix.txt in your next reply.

Download Security Check by screen317 from here or here and save it to your Desktop.
  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
Please post a new HijackThis log, the log from MBAM, the log from Security Check (checkup.txt), and in a second reply (due to length) the log from ComboFix (combofix.txt), and note any errors encountered. Please also remember to attach the Kaspersky log to one of the replies so I can review it to see what other infected e-mails may need to be manually deleted.



#11 nenadrew


Posted 10 December 2009 - 04:46 AM

Joker, thanks for editing out that email address; I saw it, but it just didn't register.

I apologize for not noticing that the last 20 lines of the krd-log had been cut off. I tried attaching the log file to this posting but that doesn't seem to be working; I'll paste in those missing lines here, with a little overlap so you can see where it cut off. Those were the only emails affected, and I have deleted them from the hdd and external drive.

krd-log (last 29 lines):

12/8/09 5:19 PM Detected: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn6.tmp
12/8/09 5:19 PM Deleted: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn44.tmp
12/8/09 5:19 PM Detected: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn7.tmp
12/8/09 5:19 PM Deleted: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn5.tmp
12/8/09 5:20 PM Detected: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn8.tmp
12/8/09 5:20 PM Deleted: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn6.tmp
12/8/09 5:20 PM Detected: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn83.tmp
12/8/09 5:20 PM Deleted: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn7.tmp
12/8/09 5:20 PM Detected: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn9.tmp
12/8/09 5:20 PM Deleted: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn8.tmp
12/8/09 5:20 PM Detected: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bna.tmp
12/8/09 5:20 PM Deleted: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn83.tmp
12/8/09 5:20 PM Detected: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bnb.tmp
12/8/09 5:20 PM Deleted: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bn9.tmp
12/8/09 5:20 PM Detected: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bnc.tmp
12/8/09 5:20 PM Deleted: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bnb.tmp
12/8/09 5:20 PM Detected: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bnd.tmp
12/8/09 5:20 PM Deleted: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bna.tmp
12/8/09 5:20 PM Detected: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bne.tmp
12/8/09 5:20 PM Deleted: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bnc.tmp
12/8/09 5:20 PM Detected: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bnf.tmp
12/8/09 5:20 PM Deleted: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bnd.tmp
12/8/09 5:20 PM Deleted: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bne.tmp
12/8/09 5:20 PM Deleted: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/bnf.tmp
12/8/09 5:21 PM Detected: Backdoor.Win32.Zdoogu.bx /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/pdfupd.exe
12/8/09 5:21 PM Deleted: Backdoor.Win32.Zdoogu.bx /discs/E:/Backup Files May 6 2009/Documents and Settings/Nena Drew Thrower/Local Settings/Temp/pdfupd.exe
12/8/09 10:25 PM Detected: not-a-virus:AdWare.Win32.TimeSink /discs/E:/Backup Files May 6 2009/zip/TimeSinkPatch/timesinkpatch.EXE/TSUNINSTALLER.EXE
12/8/09 10:25 PM Deleted: not-a-virus:AdWare.Win32.TimeSink /discs/E:/Backup Files May 6 2009/zip/TimeSinkPatch/timesinkpatch.EXE
12/9/09 4:18 AM Task completed


-----


Just to avoid confusion (mine!), I'm going to post these other logs one at a time. Here is the MBAM log:

Malwarebytes' Anti-Malware 1.42
Database version: 3331
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/9/2009 4:19:28 PM
mbam-log-2009-12-09 (16-19-28).txt

Scan type: Full Scan (C:\|)
Objects scanned: 297306
Time elapsed: 1 hour(s), 21 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by nenadrew, 10 December 2009 - 05:05 AM.
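
The review TheJoker asks for in post #10, checking the Kaspersky Rescue Disk log for objects that were detected but never deleted, can be scripted. The Python below is an added example, not part of the thread or of any Kaspersky tool; it assumes the line format visible in the krd-log excerpt above, and the sample log, its shortened paths and the Placeholder.Threat.Name entry are constructed.

```python
import re
from collections import Counter, namedtuple
from datetime import datetime

Event = namedtuple("Event", "when action threat path")

# Line shape taken from the krd-log excerpts in the thread:
#   <m/d/yy h:mm AM|PM> <Detected|Deleted>: <threat name> <object path>
# The threat name has no spaces; the object path may contain them.
LINE_RE = re.compile(
    r"^(\d{1,2}/\d{1,2}/\d{2} \d{1,2}:\d{2} [AP]M)\s+"
    r"(Detected|Deleted):\s+(\S+)\s+(.+)$"
)

# Constructed sample. Paths are shortened, and the mail-store entry with
# its threat name is a placeholder, not a value from the thread.
SAMPLE_LOG = """\
12/8/09 5:20 PM Detected: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup/Temp/bne.tmp
12/8/09 5:20 PM Deleted: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup/Temp/bnc.tmp
12/8/09 5:20 PM Detected: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup/Temp/bnf.tmp
12/8/09 5:20 PM Deleted: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup/Temp/bne.tmp
12/8/09 5:20 PM Deleted: Trojan-Downloader.Win32.Mutant.gbi /discs/E:/Backup/Temp/bnf.tmp
12/8/09 5:21 PM Detected: Backdoor.Win32.Zdoogu.bx /discs/E:/Backup/Temp/pdfupd.exe
12/8/09 5:21 PM Deleted: Backdoor.Win32.Zdoogu.bx /discs/E:/Backup/Temp/pdfupd.exe
12/8/09 6:02 PM Detected: Placeholder.Threat.Name /discs/C:/mail-store/Old Friends/Kim/message 1
12/8/09 10:25 PM Detected: not-a-virus:AdWare.Win32.TimeSink /discs/E:/Backup/zip/timesinkpatch.EXE/TSUNINSTALLER.EXE
12/8/09 10:25 PM Deleted: not-a-virus:AdWare.Win32.TimeSink /discs/E:/Backup/zip/timesinkpatch.EXE
12/9/09 4:18 AM Task completed
"""


def parse_events(text):
    """Parse Detected/Deleted lines; skip anything else (blank, truncated,
    'Task completed')."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        when = datetime.strptime(m.group(1), "%m/%d/%y %I:%M %p")
        events.append(Event(when, m.group(2), m.group(3), m.group(4)))
    return events


def reconcile(events):
    """Return (detections never deleted, deletions whose detection is not
    in the text, e.g. because the pasted log was cut off)."""
    pending = {}   # case-folded path -> Event still waiting for a deletion
    orphans = []
    for ev in events:
        key = ev.path.casefold()   # Windows paths are case-insensitive
        if ev.action == "Detected":
            pending[key] = ev
            continue
        # Deleting a container (archive, mailbox file) also clears the
        # objects that were detected inside it.
        cleared = [p for p in pending if p == key or p.startswith(key + "/")]
        for p in cleared:
            del pending[p]
        if not cleared:
            orphans.append(ev)
    return list(pending.values()), orphans


def summarize(events):
    """Count Detected and Deleted events per threat name."""
    counts = {}
    for ev in events:
        counts.setdefault(ev.threat, Counter())[ev.action] += 1
    return counts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    left, orphans = reconcile(evs)
    for threat, c in summarize(evs).items():
        print(f"{threat}: detected={c['Detected']} deleted={c['Deleted']}")
    for ev in left:
        print("NOT DELETED:", ev.threat, ev.path)
    for ev in orphans:
        print("deleted, detection not in this excerpt:", ev.path)
```

Entries reported as not deleted are the ones that need manual follow-up, such as the infected e-mails; a deletion with no matching detection usually means the pasted log starts or ends mid-run.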


#12 nenadrew


Posted 10 December 2009 - 04:49 AM

ComboFix log:

ComboFix 09-12-09.04 - Nena Drew Thrower 12/10/2009 2:40.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2037.1552 [GMT -6:00]
Running from: c:\documents and settings\Nena Drew Thrower.NENA\Desktop\ComboFix.exe
AV: COMODO Antivirus *On-access scanning disabled* (Updated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-2821085223-2637937949-4013441066-1006
c:\windows\winhelp.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-11-10 to 2009-12-10 )))))))))))))))))))))))))))))))
.

2009-12-10 00:11 . 2009-12-10 00:11 -------- d-sh--w- c:\documents and settings\Default User.WINDOWS\IETldCache
2009-12-09 22:33 . 2009-12-09 22:33 -------- d-sh--w- c:\documents and settings\NetworkService.NT AUTHORITY\IETldCache
2009-12-09 15:12 . 2009-12-03 22:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-09 15:12 . 2009-12-09 15:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-09 15:12 . 2009-12-03 22:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-09 13:32 . 2009-12-09 22:28 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-07 13:53 . 2009-12-07 13:53 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Kaspersky Lab
2009-12-03 20:04 . 2008-04-13 19:40 36352 ----a-w- c:\windows\system32\drivers\disk.sys
2009-12-03 08:03 . 2009-12-03 08:03 -------- d-----w- c:\documents and settings\Default User.WINDOWS\Local Settings\Application Data\Microsoft Help
2009-12-02 19:43 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-12-02 19:42 . 2009-07-31 04:35 1172480 -c----w- c:\windows\system32\dllcache\msxml3.dll
2009-12-02 19:42 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-12-02 19:41 . 2009-08-04 15:13 2145280 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-12-02 19:41 . 2009-08-04 14:20 2023936 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-12-02 19:41 . 2009-08-04 14:20 2066048 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-12-02 19:41 . 2009-06-22 06:44 726528 -c----w- c:\windows\system32\dllcache\jscript.dll
2009-12-02 19:33 . 2009-08-07 01:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-12-02 19:33 . 2009-08-07 01:23 215920 ----a-w- c:\windows\system32\muweb.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-10 00:17 . 2009-05-22 15:11 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft Help
2009-12-09 15:05 . 2009-05-08 03:09 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2009-11-30 23:31 . 2009-05-11 17:23 -------- d-----w- c:\documents and settings\Nena Drew Thrower.NENA\Application Data\uTorrent
2009-11-08 19:03 . 2009-11-08 19:03 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\F-Secure
2009-11-06 20:22 . 2009-11-06 20:22 -------- d-----w- c:\program files\Panda Security
2009-11-01 11:11 . 2009-11-01 11:11 -------- d-----w- c:\program files\HiddenFinder
2009-10-31 23:18 . 2009-10-30 21:00 -------- d-----w- c:\program files\Windows Live Safety Center
2009-10-31 19:06 . 2009-10-31 19:06 -------- d-----w- c:\program files\Trend Micro
2009-10-29 07:45 . 2006-03-04 03:33 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2004-08-04 10:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 10:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 10:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-20 07:32 . 2009-05-08 10:01 -------- d-----w- c:\program files\Soulseek
2009-10-16 12:33 . 2009-10-02 07:46 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-13 10:30 . 2004-08-04 10:00 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2004-08-04 10:00 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2004-08-04 10:00 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-06 08:29 . 2009-10-06 08:28 126970 ----a-w- c:\documents and settings\Nena Drew Thrower.NENA\Application Data\Move Networks\uninstall.exe
2009-10-06 08:29 . 2009-08-03 21:48 4187512 ----a-w- c:\documents and settings\Nena Drew Thrower.NENA\Application Data\Move Networks\plugins\npqmp071505000010.dll
2009-10-02 07:47 . 2009-10-02 07:47 117760 ----a-w- c:\documents and settings\Nena Drew Thrower.NENA\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-09-22 06:17 . 2009-08-30 22:40 179792 ----a-w- c:\windows\system32\guard32.dll
2009-09-22 06:17 . 2009-08-30 22:40 87104 ----a-w- c:\windows\system32\drivers\inspect.sys
2009-09-22 06:17 . 2009-08-30 22:40 25160 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2009-09-22 06:17 . 2009-08-30 22:40 132296 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2009-09-16 23:34 . 2009-05-08 20:56 50220 ---ha-w- c:\windows\system32\mlfcache.dat
2009-09-16 19:17 . 2009-09-16 19:17 79144 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Apple Computer\Installer Cache\iTunes 9.0.0.70\SetupAdmin.exe
2009-09-11 14:18 . 2004-08-04 10:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
.

------- Sigcheck -------

[7] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\eventlog.dll
[7] 2004-08-04 . 82B24CB70E5944E6E34662205A2A5B78 . 55808 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\eventlog.dll

c:\windows\System32\eventlog.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Freebie Notes"="c:\program files\Power Soft\Freebie Notes\FreebieNotes.exe" [2009-04-13 1051520]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup" [X]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe -start" [X]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe -atboottime" [X]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe -h" [X]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-14 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-14 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-14 138008]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 813912]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-26 16132608]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Microtek Scanner Finder.lnk - c:\program files\Microtek\ScanWizard 5\ScannerFinder.exe [2008-6-6 339968]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-05-06 08:40 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-09-09 02:09 305440 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2006-08-17 14:00 1116920 ----a-w- c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2009-09-15 16:42 1998576 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Soulseek\\slsk.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Alchemy Mindworks\\Graphic Workshop Professional 3\\alchuddl.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [11/6/2009 2:22 PM 28552]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [8/30/2009 4:40 PM 132296]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S3 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [5/19/2009 1:36 PM 12672]
S3 KProcWatch;KProcWatch;c:\windows\system32\drivers\KProcWatch.sys [11/1/2009 5:11 AM 8576]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
.
- - - - ORPHANS REMOVED - - - -

AddRemove-HijackThis - D:\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-10 02:46
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose, ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2025429265-688789844-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{D433C04C-54CB-4BB3-0F86-29103BADBBDF}*]
"iaipepepnkenhcmlom"=hex:6a,61,62,65,61,6a,6b,6c,66,61,66,63,69,66,66,6b,6f,63,
65,6a,00,02
"jaoggaejeknbedcpnfjm"=hex:6a,61,62,65,61,6a,6b,6c,66,61,66,63,69,66,66,6b,6f,
63,65,6a,00,02
"hakggfejjddpcnci"=hex:62,62,67,70,63,6f,6e,65,69,68,6e,66,6f,61,70,6d,6f,65,
61,69,6e,67,68,61,67,70,66,6b,63,6d,69,6a,61,66,65,68,00,00
"hakggfejedobofmi"=hex:70,62,70,64,68,70,68,61,6f,6d,69,6e,61,64,6f,66,69,69,
69,61,6d,61,62,67,64,62,65,6d,68,6d,6a,63,6e,6e,65,6c,62,6b,6f,6b,69,69,66,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(712)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll

- - - - - - - > 'explorer.exe'(2832)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\COMODO\COMODO Internet Security\cmdagent.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\RTHDCPL.EXE
c:\program files\Common Files\InstallShield\UpdateService\issch.exe
c:\program files\COMODO\COMODO Internet Security\cfp.exe
.
**************************************************************************
.
Completion time: 2009-12-10 02:53:00 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-10 08:52

Pre-Run: 52,194,361,344 bytes free
Post-Run: 52,871,520,256 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 171A2A8CA4DB89B38FECC9D596DECE23

#13 nenadrew


Posted 10 December 2009 - 04:56 AM

Hijack This log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:51:15 AM, on 12/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Nena Drew Thrower.NENA\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [Freebie Notes] "C:\Program Files\Power Soft\Freebie Notes\FreebieNotes.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {22492231-AEF0-49FC-9180-CE8969AB1273} (F-Secure Online Scanner Launcher) - http://download.sp.f.../fslauncher.cab
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 6202 bytes

#14 nenadrew

Posted 10 December 2009 - 05:03 AM

Last of all, the Security Check log:

Results of screen317's Security Check version 0.99.1
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
``````````````````````````````
Anti-malware/Other Utilities Check:

Spybot - Search & Destroy
HijackThis 2.0.2
CCleaner
Java™ 6 Update 15
Out of date Java installed!
Adobe Flash Player 10
Adobe Reader 9.1.3
``````````````````````````````
Process Check:
objlist.exe by Laurent

Comodo Firewall cmdagent.exe
Comodo Firewall cfp.exe
``````````````````````````````
DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````

#15 TheJoker

Posted 10 December 2009 - 05:27 PM

We need to make sure you have the most recent version of ComboFix.
Delete your current copy of ComboFix.exe.
Download ComboFix© by sUBs from one of these links:
http://download.blee...Bs/ComboFix.exe
http://www.forospywa...Bs/ComboFix.exe

Save the file to your Desktop.
Close any open browsers.
Close your AntiVirus and any anti-spyware programs you may be running.

For this next step, please ensure that ComboFix.exe is on your desktop:

Please open Notepad *Do Not Use Wordpad!* (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below:
Save this as "CFScript.txt" and change the "Save as type" to "All Files" and place it on your desktop.

Restore::
c:\windows\System32\eventlog.dll
RegNull::
[HKEY_USERS\S-1-5-21-2025429265-688789844-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{D433C04C-54CB-4BB3-0F86-29103BADBBDF}*]

Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt. Please post that log in your next reply.

In Internet Explorer, please run the BitDefender online scan at BitDefender.com
You will need to allow an ActiveX control to install for the scan to run.
Leave the scanning options at default and press "click here to scan"
When finished scanning, click on "click here to export the scan report"
Save it to your desktop, at "file name" type in "bdscan" then click save.
Please post the contents of the log in your next reply.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6.
  • Scroll down to where it says "Java SE Runtime Environment (JRE), JRE 6 Update 17".
  • Click the "Download" button to the right.
  • In the window that opens, select Windows, check the "agree" box and click "Continue".
    - Note: If you are running an x64 (64-bit) version of Windows, you need to install both the Windows (x32) and Windows x64 version.
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add or Remove Programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • Java™ 6 Update 15
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u17-windows-i586.exe that you downloaded to install the newest version (the x64 version is jre-6u17-windows-x64.exe).
    - Note: If you are running Vista, you may need to right-click on the installation file and select Run as Administrator.
Please post a new HijackThis log, the log from BitDefender's online scan, and in a second reply (due to length) the log from ComboFix (combofix.txt), and note any errors encountered.

MS MVP 2009-20010 and ASAP Member since 2005


#16 nenadrew

Posted 11 December 2009 - 12:16 AM

Joker, I followed your instructions re Combofix, and the resulting log follows. Also updated Java and installed the Autoplay fix (plus thirty other updates that were waiting in the wings.) Will be back shortly with the BitDefender and Hijack This logs. Thank you!

Nena

Combofix log:

ComboFix 09-12-10.01 - Nena Drew Thrower 12/10/2009 19:44:22.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2037.1486 [GMT -6:00]
Running from: c:\documents and settings\Nena Drew Thrower.NENA\Desktop\ComboFix.exe
AV: COMODO Antivirus *On-access scanning disabled* (Updated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
.

((((((((((((((((((((((((( Files Created from 2009-11-11 to 2009-12-11 )))))))))))))))))))))))))))))))
.

2009-12-10 23:45 . 2009-12-10 23:45 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\McAfee
2009-12-10 23:45 . 2009-12-10 23:45 152576 ----a-w- c:\documents and settings\Nena Drew Thrower.NENA\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-12-10 12:19 . 2009-07-27 23:17 135168 -c----w- c:\windows\system32\dllcache\shsvcs.dll
2009-12-10 12:19 . 2009-07-27 23:17 8461824 -c----w- c:\windows\system32\dllcache\shell32.dll
2009-12-10 10:27 . 2009-12-10 10:27 -------- d-----w- c:\windows\system32\XPSViewer
2009-12-10 10:27 . 2009-12-10 10:27 -------- d-----w- c:\program files\MSBuild
2009-12-10 10:26 . 2009-12-10 10:26 -------- d-----w- c:\program files\Reference Assemblies
2009-12-10 10:26 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-12-10 10:26 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-12-10 10:26 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-12-10 10:26 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-12-10 10:26 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-12-10 10:26 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-12-10 10:26 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-12-10 10:26 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2009-12-10 00:11 . 2009-12-10 00:11 -------- d-sh--w- c:\documents and settings\Default User.WINDOWS\IETldCache
2009-12-09 22:33 . 2009-12-09 22:33 -------- d-sh--w- c:\documents and settings\NetworkService.NT AUTHORITY\IETldCache
2009-12-09 15:12 . 2009-12-03 22:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-09 15:12 . 2009-12-09 15:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-09 15:12 . 2009-12-03 22:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-09 13:32 . 2009-12-09 22:28 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-07 13:53 . 2009-12-07 13:53 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Kaspersky Lab
2009-12-03 20:04 . 2008-04-13 19:40 36352 ----a-w- c:\windows\system32\drivers\disk.sys
2009-12-03 08:03 . 2009-12-03 08:03 -------- d-----w- c:\documents and settings\Default User.WINDOWS\Local Settings\Application Data\Microsoft Help
2009-12-02 19:43 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-12-02 19:42 . 2009-07-31 04:35 1172480 -c----w- c:\windows\system32\dllcache\msxml3.dll
2009-12-02 19:42 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-12-02 19:41 . 2009-08-04 15:13 2145280 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-12-02 19:41 . 2009-08-04 14:20 2023936 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-12-02 19:41 . 2009-08-04 14:20 2066048 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-12-02 19:41 . 2009-06-22 06:44 726528 -c----w- c:\windows\system32\dllcache\jscript.dll
2009-12-02 19:33 . 2009-08-07 01:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-12-02 19:33 . 2009-08-07 01:23 215920 ----a-w- c:\windows\system32\muweb.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-10 23:46 . 2009-05-09 06:29 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-10 12:36 . 2009-08-30 22:40 171552 ----a-w- c:\windows\system32\guard32.dll
2009-12-10 12:36 . 2009-08-30 22:40 87104 ----a-w- c:\windows\system32\drivers\inspect.sys
2009-12-10 12:36 . 2009-08-30 22:40 25160 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2009-12-10 12:36 . 2009-08-30 22:40 133064 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2009-12-10 00:17 . 2009-05-22 15:11 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft Help
2009-12-09 15:05 . 2009-05-08 03:09 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2009-11-30 23:31 . 2009-05-11 17:23 -------- d-----w- c:\documents and settings\Nena Drew Thrower.NENA\Application Data\uTorrent
2009-11-08 19:03 . 2009-11-08 19:03 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\F-Secure
2009-11-06 20:22 . 2009-11-06 20:22 -------- d-----w- c:\program files\Panda Security
2009-11-01 11:11 . 2009-11-01 11:11 -------- d-----w- c:\program files\HiddenFinder
2009-10-31 23:18 . 2009-10-30 21:00 -------- d-----w- c:\program files\Windows Live Safety Center
2009-10-31 19:06 . 2009-10-31 19:06 -------- d-----w- c:\program files\Trend Micro
2009-10-29 07:45 . 2006-03-04 03:33 916480 ------w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2004-08-04 10:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 10:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 10:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-20 07:32 . 2009-05-08 10:01 -------- d-----w- c:\program files\Soulseek
2009-10-16 12:33 . 2009-10-02 07:46 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-13 10:30 . 2004-08-04 10:00 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2004-08-04 10:00 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2004-08-04 10:00 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-06 08:29 . 2009-10-06 08:28 126970 ----a-w- c:\documents and settings\Nena Drew Thrower.NENA\Application Data\Move Networks\uninstall.exe
2009-10-06 08:29 . 2009-08-03 21:48 4187512 ----a-w- c:\documents and settings\Nena Drew Thrower.NENA\Application Data\Move Networks\plugins\npqmp071505000010.dll
2009-10-02 07:47 . 2009-10-02 07:47 117760 ----a-w- c:\documents and settings\Nena Drew Thrower.NENA\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-09-16 23:34 . 2009-05-08 20:56 50220 ---ha-w- c:\windows\system32\mlfcache.dat
2009-09-16 19:17 . 2009-09-16 19:17 79144 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Apple Computer\Installer Cache\iTunes 9.0.0.70\SetupAdmin.exe
.

------- Sigcheck -------

[7] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\eventlog.dll
[7] 2004-08-04 . 82B24CB70E5944E6E34662205A2A5B78 . 55808 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\eventlog.dll

c:\windows\System32\eventlog.dll ... is missing !!
.
((((((((((((((((((((((((((((( SnapShot@2009-12-10_08.46.16 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-12-10 23:49 . 2009-12-10 23:49 16384 c:\windows\Temp\Perflib_Perfdata_710.dat
+ 2008-07-30 03:10 . 2008-07-30 03:10 26112 c:\windows\system32\TsWpfWrp.exe
+ 2008-07-30 01:59 . 2008-07-30 01:59 43544 c:\windows\system32\PresentationHostProxy.dll
+ 2004-08-04 10:00 . 2009-12-10 10:33 67516 c:\windows\system32\perfc009.dat
+ 2008-07-25 17:17 . 2008-07-25 17:17 15360 c:\windows\system32\mui\0409\mscorees.dll
+ 2008-07-25 17:16 . 2008-07-25 17:16 83968 c:\windows\system32\mscories.dll
+ 2009-05-13 21:27 . 2009-12-10 10:16 84661 c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
- 2009-05-13 21:27 . 2009-05-13 21:27 84661 c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
+ 2008-07-30 01:24 . 2008-07-30 01:24 97800 c:\windows\system32\infocardapi.dll
+ 2008-07-30 01:24 . 2008-07-30 01:24 11264 c:\windows\system32\icardres.dll
+ 2008-07-30 03:10 . 2008-07-30 03:10 73720 c:\windows\system32\dxva2.dll
+ 2008-07-25 17:16 . 2008-07-25 17:16 96760 c:\windows\system32\dfshim.dll
+ 2008-07-30 05:40 . 2008-07-30 05:40 70648 c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
+ 2008-07-30 05:40 . 2008-07-30 05:40 91136 c:\windows\Microsoft.NET\Framework\v3.5\MSBuild.exe
+ 2008-07-30 05:40 . 2008-07-30 05:40 41984 c:\windows\Microsoft.NET\Framework\v3.5\Microsoft.VisualC.STLCLR.dll
+ 2008-07-30 05:40 . 2008-07-30 05:40 40960 c:\windows\Microsoft.NET\Framework\v3.5\Microsoft.Data.Entity.Build.Tasks.dll
+ 2008-07-30 00:47 . 2008-07-30 00:47 89080 c:\windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\WapRes.2052.dll
+ 2008-07-30 00:47 . 2008-07-30 00:47 92664 c:\windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\WapRes.1042.dll
+ 2008-07-30 00:47 . 2008-07-30 00:47 95224 c:\windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\WapRes.1041.dll
+ 2008-07-30 00:47 . 2008-07-30 00:47 89592 c:\windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\WapRes.1028.dll
+ 2008-07-30 00:47 . 2008-07-30 00:47 84480 c:\windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setupres.2052.dll
+ 2008-07-30 00:47 . 2008-07-30 00:47 94720 c:\windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setupres.1042.dll
+ 2008-07-30 00:47 . 2008-07-30 00:47 97792 c:\windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setupres.1041.dll
+ 2008-07-30 00:47 . 2008-07-30 00:47 84992 c:\windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setupres.1028.dll
+ 2008-07-30 00:47 . 2008-07-30 00:47 97280 c:\windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\DeleteTemp.exe
+ 2008-07-30 05:40 . 2008-07-30 05:40 95224 c:\windows\Microsoft.NET\Framework\v3.5\EdmGen.exe
+ 2008-07-30 05:40 . 2008-07-30 05:40 78856 c:\windows\Microsoft.NET\Framework\v3.5\DataSvcUtil.exe
+ 2008-07-30 05:40 . 2008-07-30 05:40 41984 c:\windows\Microsoft.NET\Framework\v3.5\AddInUtil.exe
+ 2008-07-30 05:40 . 2008-07-30 05:40 41992 c:\windows\Microsoft.NET\Framework\v3.5\AddInProcess32.exe
+ 2008-07-30 05:40 . 2008-07-30 05:40 41992 c:\windows\Microsoft.NET\Framework\v3.5\AddInProcess.exe
+ 2008-07-30 03:10 . 2008-07-30 03:10 46104 c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
+ 2008-07-30 01:59 . 2008-07-30 01:59 32768 c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationCFFRasterizer.dll
+ 2008-07-30 03:10 . 2008-07-30 03:10 71160 c:\windows\Microsoft.NET\Framework\v3.0\WPF\PenIMC.dll
+ 2008-07-30 01:32 . 2008-07-30 01:32 17448 c:\windows\Microsoft.NET\Framework\v3.0\Windows Workflow Foundation\PerformanceCounterInstaller.exe
+ 2008-07-30 01:16 . 2008-07-30 01:16 32768 c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\System.ServiceModel.WasHosting.dll
+ 2008-07-30 01:16 . 2008-07-30 01:16 73728 c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\System.ServiceModel.Install.dll
+ 2008-07-30 01:16 . 2008-07-30 01:16 20504 c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceMonikerSupport.dll
+ 2008-07-30 01:16 . 2008-07-30 01:16 11280 c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelEvents.dll
+ 2008-07-25 17:17 . 2008-07-25 17:17 37896 c:\windows\Microsoft.NET\Framework\v2.0.50727\WMINet_Utils.dll
+ 2008-07-25 17:17 . 2008-07-25 17:17 81400 c:\windows\Microsoft.NET\Framework\v2.0.50727\TLBREF.DLL
+ 2008-07-25 17:17 . 2008-07-25 17:17 77824 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Web.RegularExpressions.dll
+ 2008-07-25 17:17 . 2008-07-25 17:17 57392 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.EnterpriseServices.Thunk.dll
+ 2008-07-25 17:17 . 2008-07-25 17:17 81920 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Drawing.Design.dll
- 2005-09-23 12:28 . 2005-09-23 12:28 81920 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Drawing.Design.dll
+ 2008-07-25 17:17 . 2008-07-25 17:17 81920 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Configuration.Install.dll
- 2005-09-23 12:28 . 2005-09-23 12:28 81920 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Configuration.Install.dll
+ 2008-07-25 17:17 . 2008-07-25 17:17 95232 c:\windows\Microsoft.NET\Framework\v2.0.50727\ShFusRes.dll
+ 2008-07-25 17:17 . 2008-07-25 17:17 16896 c:\windows\Microsoft.NET\Framework\v2.0.50727\sbscmp20_mscorlib.dll
+ 2008-07-25 17:17 . 2008-07-25 17:17 61952 c:\windows\Microsoft.NET\Framework\v2.0.50727\regtlibv12.exe
- 2005-09-23 12:28 . 2005-09-23 12:28 32768 c:\windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
+ 2008-07-25 17:17 . 2008-07-25 17:17 32768 c:\windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
+ 2008-07-25 17:17 . 2008-07-25 17:17 53248 c:\windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
- 2005-09-23 12:28 . 2005-09-23 12:28 53248 c:\windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
+ 2008-07-25 17:17 . 2008-07-25 17:17 88584 c:\windows\Microsoft.NET\Framework\v2.0.50727\PerfCounter.dll
+ 2008-07-25 17:17 . 2008-07-25 17:17 24584 c:\windows\Microsoft.NET\Framework\v2.0.50727\normalization.dll
+ 2008-07-25 17:17 . 2008-07-25 17:17 31744 c:\windows\Microsoft.NET\Framework\v2.0.50727\MUI\0409\mscorsecr.dll
+ 2008-07-25 17:17 . 2008-07-25 17:17 19456 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscortim.dll
+ 2008-07-25 17:17 . 2008-07-25 17:17 69632 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
+ 2008-07-25 17:16 . 2008-07-25 17:16 18944 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsn.dll
+ 2008-07-25 17:17 . 2008-07-25 17:17 77312 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsec.dll
+ 2008-07-25 17:17 . 2008-07-25 17:17 94208 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorld.dll
+ 2008-07-25 17:17 . 2008-07-25 17:17 46592 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorie.dll
+ 2008-07-25 17:17 . 2008-07-25 17:17 83456 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscordbc.dll
+ 2008-07-25 17:16 . 2008-07-25 17:16 69632 c:\windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
- 2005-09-23 12:28 . 2005-09-23 12:28 69632 c:\windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
+ 2008-07-25 17:16 . 2008-07-25 17:16 97792 c:\windows\Microsoft.NET\Framework\v2.0.50727\MmcAspExt.dll
+ 2008-07-25 17:16 . 2008-07-25 17:16 12800 c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
- 2005-09-23 12:28 . 2005-09-23 12:28 12800 c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
+ 2008-07-25 17:16 . 2008-07-25 17:16 32768 c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft.Vsa.dll
- 2005-09-23 12:28 . 2005-09-23 12:28 32768 c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft.Vsa.dll
+ 2008-07-25 17:16 . 2008-07-25 17:16 28672 c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft.VisualBasic.Vsa.dll
- 2005-09-23 12:28 . 2005-09-23 12:28 28672 c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft.VisualBasic.Vsa.dll
+ 2008-07-25 17:16 . 2008-07-25 17:16 77824 c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft.Build.Utilities.dll
- 2005-09-23 12:28 . 2005-09-23 12:28 36864 c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft.Build.Framework.dll
+ 2008-07-25 17:16 . 2008-07-25 17:16 36864 c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft.Build.Framework.dll
+ 2008-07-25 17:16 . 2008-07-25 17:16 40960 c:\windows\Microsoft.NET\Framework\v2.0.50727\jsc.exe
- 2005-09-23 12:28 . 2005-09-23 12:28 40960 c:\windows\Microsoft.NET\Framework\v2.0.50727\jsc.exe
+ 2008-07-25 17:17 . 2008-07-25 17:17 72192 c:\windows\Microsoft.NET\Framework\v2.0.50727\ISymWrapper.dll
- 2005-09-23 12:28 . 2005-09-23 12:28 72192 c:\windows\Microsoft.NET\Framework\v2.0.50727\ISymWrapper.dll
+ 2008-07-25 17:17 . 2008-07-25 17:17 65032 c:\windows\Microsoft.NET\Framework\v2.0.50727\InstallUtilLib.dll
- 2005-09-23 12:28 . 2005-09-23 12:28 28672 c:\windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
+ 2008-07-25 17:17 . 2008-07-25 17:17 28672 c:\windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
+ 2008-07-25 17:17 . 2008-07-25 17:17 77824 c:\windows\Microsoft.NET\Framework\v2.0.50727\IEHost.dll
+ 2008-07-25 17:16 . 2008-07-25 17:16 18936 c:\windows\Microsoft.NET\Framework\v2.0.50727\fusion.dll
+ 2008-07-25 17:16 . 2008-07-25 17:16 62968 c:\windows\Microsoft.NET\Framework\v2.0.50727\dfdll.dll
+ 2008-07-25 17:16 . 2008-07-25 17:16 35320 c:\windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
+ 2008-07-25 17:17 . 2008-07-25 17:17 69120 c:\windows\Microsoft.NET\Framework\v2.0.50727\CustomMarshalers.dll
+ 2008-07-25 17:17 . 2008-07-25 17:17 27136 c:\windows\Microsoft.NET\Framework\v2.0.50727\Culture.dll
+ 2008-07-25 17:16 . 2008-07-25 17:16 13312 c:\windows\Microsoft.NET\Framework\v2.0.50727\cscompmgd.dll
- 2005-09-23 12:28 . 2005-09-23 12:28 13312 c:\windows\Microsoft.NET\Framework\v2.0.50727\cscompmgd.dll
+ 2008-07-25 17:16 . 2008-07-25 17:16 80376 c:\windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
+ 2008-07-25 17:17 . 2008-07-25 17:17 89608 c:\windows\Microsoft.NET\Framework\v2.0.50727\CORPerfMonExt.dll
+ 2008-11-25 10:59 . 2008-11-25 10:59 31560 c:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.exe
+ 2008-07-25 17:16 . 2008-07-25 17:16 34312 c:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
+ 2008-07-25 17:16 . 2008-07-25 17:16 33288 c:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe
+ 2008-07-25 17:16 . 2008-07-25 17:16 24576 c:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regbrowsers.exe
+ 2008-07-25 17:16 . 2008-07-25 17:16 84480 c:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_rc.dll
+ 2008-07-25 17:16 . 2008-07-25 17:16 33800 c:\windows\Microsoft.NET\Framework\v2.0.50727\Aspnet_perf.dll
+ 2008-07-25 17:16 . 2008-07-25 17:16 17416 c:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_isapi.dll
+ 2008-07-25 17:16 . 2008-07-25 17:16 22024 c:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_filter.dll
+ 2008-07-25 17:16 . 2008-07-25 17:16 36864 c:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
- 2005-09-23 12:28 . 2005-09-23 12:28 36864 c:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
+ 2008-07-25 17:17 . 2008-07-25 17:17 58880 c:\windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
+ 2008-07-25 17:16 . 2008-07-25 17:16 98808 c:\windows\Microsoft.NET\Framework\v2.0.50727\alink.dll
- 2005-09-23 12:28 . 2005-09-23 12:28 10752 c:\windows\Microsoft.NET\Framework\v2.0.50727\Accessibility.dll
+ 2008-07-25 17:17 . 2008-07-25 17:17 10752 c:\windows\Microsoft.NET\Framework\v2.0.50727\Accessibility.dll
+ 2008-07-25 17:16 . 2008-07-25 17:16 13824 c:\windows\Microsoft.NET\Framework\v2.0.50727\1033\CvtResUI.dll
+ 2008-07-25 17:16 . 2008-07-25 17:16 28672 c:\windows\Microsoft.NET\Framework\v2.0.50727\1033\alinkui.dll
+ 2008-07-25 17:16 . 2008-07-25 17:16 96768 c:\windows\Microsoft.NET\Framework\v1.0.3705\mscormmc.dll
+ 2008-07-25 17:17 . 2008-07-25 17:17 16896 c:\windows\Microsoft.NET\Framework\SharedReg12.dll
+ 2008-07-25 17:17 . 2008-07-25 17:17 16896 c:\windows\Microsoft.NET\Framework\sbscmp20_perfcounter.dll
+ 2008-07-25 17:17 . 2008-07-25 17:17 16896 c:\windows\Microsoft.NET\Framework\sbscmp20_mscorwks.dll
+ 2008-07-25 17:16 . 2008-07-25 17:16 16896 c:\windows\Microsoft.NET\Framework\sbscmp10.dll
+ 2008-07-25 17:16 . 2008-07-25 17:16 82944 c:\windows\Microsoft.NET\Framework\NETFXSBS10.exe
+ 2008-07-30 03:07 . 2008-07-30 03:07 23040 c:\windows\Installer\eaae2.msp
+ 2009-12-10 10:25 . 2009-12-10 10:25 88576 c:\windows\Installer\a0b05.msi
+ 2009-12-10 10:26 . 2008-07-06 12:06 89088 c:\windows\Driver Cache\i386\filterpipelineprintproc.dll
+ 2009-12-10 10:40 . 2009-12-10 10:40 60928 c:\windows\assembly\NativeImages_v2.0.50727_32\UIAutomationProvider\a715aa442ef87ae99b3ade185599249d\UIAutomationProvider.ni.dll
+ 2009-12-10 10:54 . 2009-12-10 10:54 37888 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Pres#\423f794d1f4ed6e120fbb02e436491cb\System.Windows.Presentation.ni.dll
+ 2009-12-10 10:54 . 2009-12-10 10:54 36864 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.DynamicD#\19ca1747c1ea18a3b639b302bca8df93\System.Web.DynamicData.Design.ni.dll
+ 2009-12-10 10:53 . 2009-12-10 10:53 94208 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ComponentMod#\532438e2acfcadc469a4d468c51f8451\System.ComponentModel.DataAnnotations.ni.dll
+ 2009-12-10 10:53 . 2009-12-10 10:53 82944 c:\windows\assembly\NativeImages_v2.0.50727_32\System.AddIn.Contra#\597b20e1b053d6a510cfe033c07a63e6\System.AddIn.Contract.ni.dll
+ 2009-12-10 10:34 . 2009-12-10 10:34 47104 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFontCac#\2d7408a0232f2e2efd0d7adf5dfa733a\PresentationFontCache.ni.exe
+ 2009-12-10 10:34 . 2009-12-10 10:34 39424 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationCFFRast#\c8fd2d9233f8ea3031fb16f697635231\PresentationCFFRasterizer.ni.dll
+ 2009-12-10 10:54 . 2009-12-10 10:54 55296 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Vsa\790cf1edb17ee41b59be62ecbd59613b\Microsoft.Vsa.ni.dll
+ 2009-12-10 10:52 . 2009-12-10 10:52 65024 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Fra#\e9aba2eab90d647356f65e66053da02b\Microsoft.Build.Framework.ni.dll
+ 2009-12-10 10:52 . 2009-12-10 10:52 74752 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Fra#\28343d470d992f169ca0e7cdb3cc3117\Microsoft.Build.Framework.ni.dll
+ 2009-12-10 10:52 . 2009-12-10 10:52 14336 c:\windows\assembly\NativeImages_v2.0.50727_32\dfsvc\f4e38208e88cb4cc314a1d6543b9fcc6\dfsvc.ni.exe
+ 2009-12-10 10:52 . 2009-12-10 10:52 25600 c:\windows\assembly\NativeImages_v2.0.50727_32\Accessibility\11eb4f6606ba01e5128805759121ea6c\Accessibility.ni.dll
+ 2009-12-10 10:27 . 2009-12-10 10:27 94208 c:\windows\assembly\GAC_MSIL\WindowsFormsIntegration\3.0.0.0__31bf3856ad364e35\WindowsFormsIntegration.dll
+ 2009-12-10 10:26 . 2009-12-10 10:26 98304 c:\windows\assembly\GAC_MSIL\UIAutomationTypes\3.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll
+ 2009-12-10 10:26 . 2009-12-10 10:26 40960 c:\windows\assembly\GAC_MSIL\UIAutomationProvider\3.0.0.0__31bf3856ad364e35\UIAutomationProvider.dll
+ 2009-12-10 10:30 . 2009-12-10 10:30 12288 c:\windows\assembly\GAC_MSIL\System.Windows.Presentation\3.5.0.0__b77a5c561934e089\System.Windows.Presentation.dll
+ 2009-12-10 10:30 . 2009-12-10 10:30 61440 c:\windows\assembly\GAC_MSIL\System.Web.Routing\3.5.0.0__31bf3856ad364e35\System.Web.Routing.dll
+ 2009-12-10 10:33 . 2009-12-10 10:33 77824 c:\windows\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
+ 2009-12-10 10:30 . 2009-12-10 10:30 32768 c:\windows\assembly\GAC_MSIL\System.Web.DynamicData.Design\3.5.0.0__31bf3856ad364e35\System.Web.DynamicData.Design.dll
+ 2009-12-10 10:30 . 2009-12-10 10:30 77824 c:\windows\assembly\GAC_MSIL\System.Web.Abstractions\3.5.0.0__31bf3856ad364e35\System.Web.Abstractions.dll
+ 2009-12-10 10:26 . 2009-12-10 10:26 32768 c:\windows\assembly\GAC_MSIL\System.ServiceModel.WasHosting\3.0.0.0__b77a5c561934e089\System.ServiceModel.WasHosting.dll
+ 2009-12-10 10:26 . 2009-12-10 10:26 73728 c:\windows\assembly\GAC_MSIL\System.ServiceModel.Install\3.0.0.0__b77a5c561934e089\System.ServiceModel.Install.dll
+ 2009-12-10 10:33 . 2009-12-10 10:33 81920 c:\windows\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
- 2009-07-20 04:24 . 2009-07-20 04:24 81920 c:\windows\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
+ 2009-12-10 10:30 . 2009-12-10 10:30 53248 c:\windows\assembly\GAC_MSIL\System.Data.DataSetExtensions\3.5.0.0__b77a5c561934e089\System.Data.DataSetExtensions.dll
- 2009-07-20 04:24 . 2009-07-20 04:24 81920 c:\windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
+ 2009-12-10 10:33 . 2009-12-10 10:33 81920 c:\windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
+ 2009-12-10 10:30 . 2009-12-10 10:30 57344 c:\windows\assembly\GAC_MSIL\System.ComponentModel.DataAnnotations\3.5.0.0__31bf3856ad364e35\System.ComponentModel.DataAnnotations.dll

#17 TheJoker

    Forum Deity

  • Boot Camp Mod
  • 13,555 posts

Posted 11 December 2009 - 12:52 AM

There was some sort of problem running ComboFix, it appears that the script didn't work for some reason.

I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with HijackThis fixes. So please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts

When everything is done and your log is clean again, you can enable it again.
If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
Please don't forget this step to disable TeaTimer and please leave it off for now.

Using Windows Explorer, please copy the file c:\windows\$NtServicePackUninstall$\eventlog.dll to the c:\windows\System32 folder.

We need to make sure you have the most recent version of ComboFix.
Delete your current copy of ComboFix.exe.
Download ComboFix© by sUBs from one of these links:
http://download.blee...Bs/ComboFix.exe
http://www.forospywa...Bs/ComboFix.exe

Save the file to your Desktop.

Close any open browsers.
Close your AntiVirus and any anti-spyware programs you may be running.

For this next step, please ensure that ComboFix.exe is on your desktop:

Please open Notepad *Do Not Use Wordpad!* (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the box below:
Save this as "CFScript.txt" and change the "Save as type" to "All Files" and place it on your desktop.

REGNULL::
[HKEY_USERS\S-1-5-21-2025429265-688789844-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{D433C04C-54CB-4BB3-0F86-29103BADBBDF}*]

Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt. Please post that log in your next reply along with the new HijackThis log and the log from the BitDefender scan.

MS MVP 2009-20010 and ASAP Member since 2005


#18 nenadrew

    Member

  • Full Member
  • 56 posts

Posted 11 December 2009 - 05:09 AM

There was some sort of problem running ComboFix, it appears that the script didn't work for some reason.

I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with HijackThis fixes. So please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts


Ah. Sorry about that; thought I had disabled TeaTimer from the taskbar. I did it through Spybot this time.


Using Windows Explorer, please copy the file c:\windows\$NtServicePackUninstall$\eventlog.dll to the c:\windows\System32 folder.


Done.


We need to make sure you have the most recent version of ComboFix.


Ok, I've started over from step 1 of your instructions. Earlier I downloaded from the first link you posted, so this time I've used the second link; don't know why it keeps seeming like I have an older version. The new CFScript file appeared to merge smoothly into the newly downloaded ComboFix, and here is the resulting log.


ComboFix log:


ComboFix 09-12-10.01 - Nena Drew Thrower 12/11/2009 3:47.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2037.1612 [GMT -6:00]
Running from: c:\documents and settings\Nena Drew Thrower.NENA\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Nena Drew Thrower.NENA\Desktop\CFScript.txt
AV: COMODO Antivirus *On-access scanning disabled* (Updated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
.

((((((((((((((((((((((((( Files Created from 2009-11-11 to 2009-12-11 )))))))))))))))))))))))))))))))
.

2009-12-11 09:46 . 2009-12-11 09:46 -------- d-----w- C:\32788R22FWJFW
2009-12-11 09:21 . 2004-08-04 10:00 55808 -c--a-w- c:\windows\system32\dllcache\eventlog.dll
2009-12-11 09:21 . 2004-08-04 10:00 55808 ----a-w- c:\windows\system32\eventlog.dll
2009-12-10 23:45 . 2009-12-10 23:45 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\McAfee
2009-12-10 12:19 . 2009-07-27 23:17 135168 -c----w- c:\windows\system32\dllcache\shsvcs.dll
2009-12-10 12:19 . 2009-07-27 23:17 8461824 -c----w- c:\windows\system32\dllcache\shell32.dll
2009-12-10 10:27 . 2009-12-10 10:27 -------- d-----w- c:\windows\system32\XPSViewer
2009-12-10 10:27 . 2009-12-10 10:27 -------- d-----w- c:\program files\MSBuild
2009-12-10 10:26 . 2009-12-10 10:26 -------- d-----w- c:\program files\Reference Assemblies
2009-12-10 10:26 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-12-10 10:26 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-12-10 10:26 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-12-10 10:26 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-12-10 10:26 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-12-10 10:26 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-12-10 10:26 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-12-10 10:26 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2009-12-10 00:11 . 2009-12-10 00:11 -------- d-sh--w- c:\documents and settings\Default User.WINDOWS\IETldCache
2009-12-09 22:33 . 2009-12-09 22:33 -------- d-sh--w- c:\documents and settings\NetworkService.NT AUTHORITY\IETldCache
2009-12-09 15:12 . 2009-12-03 22:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-09 15:12 . 2009-12-09 15:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-09 15:12 . 2009-12-03 22:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-09 13:32 . 2009-12-09 22:28 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-07 13:53 . 2009-12-07 13:53 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Kaspersky Lab
2009-12-03 20:04 . 2008-04-13 19:40 36352 ----a-w- c:\windows\system32\drivers\disk.sys
2009-12-03 08:03 . 2009-12-03 08:03 -------- d-----w- c:\documents and settings\Default User.WINDOWS\Local Settings\Application Data\Microsoft Help
2009-12-02 19:43 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-12-02 19:42 . 2009-07-31 04:35 1172480 -c----w- c:\windows\system32\dllcache\msxml3.dll
2009-12-02 19:42 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-12-02 19:41 . 2009-08-04 15:13 2145280 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-12-02 19:41 . 2009-08-04 14:20 2023936 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-12-02 19:41 . 2009-08-04 14:20 2066048 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-12-02 19:41 . 2009-06-22 06:44 726528 -c----w- c:\windows\system32\dllcache\jscript.dll
2009-12-02 19:33 . 2009-08-07 01:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-12-02 19:33 . 2009-08-07 01:23 215920 ----a-w- c:\windows\system32\muweb.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-11 08:03 . 2009-05-22 15:11 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft Help
2009-12-11 08:02 . 2008-02-26 16:55 -------- d-----w- c:\program files\Microsoft Works
2009-12-10 23:46 . 2009-05-09 06:29 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-10 23:45 . 2009-12-10 23:45 152576 ----a-w- c:\documents and settings\Nena Drew Thrower.NENA\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-12-10 12:36 . 2009-08-30 22:40 171552 ----a-w- c:\windows\system32\guard32.dll
2009-12-10 12:36 . 2009-08-30 22:40 87104 ----a-w- c:\windows\system32\drivers\inspect.sys
2009-12-10 12:36 . 2009-08-30 22:40 25160 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2009-12-10 12:36 . 2009-08-30 22:40 133064 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2009-12-09 15:05 . 2009-05-08 03:09 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2009-11-30 23:31 . 2009-05-11 17:23 -------- d-----w- c:\documents and settings\Nena Drew Thrower.NENA\Application Data\uTorrent
2009-11-08 19:03 . 2009-11-08 19:03 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\F-Secure
2009-11-06 20:22 . 2009-11-06 20:22 -------- d-----w- c:\program files\Panda Security
2009-11-01 11:11 . 2009-11-01 11:11 -------- d-----w- c:\program files\HiddenFinder
2009-10-31 23:18 . 2009-10-30 21:00 -------- d-----w- c:\program files\Windows Live Safety Center
2009-10-31 19:06 . 2009-10-31 19:06 -------- d-----w- c:\program files\Trend Micro
2009-10-29 07:45 . 2006-03-04 03:33 916480 ------w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2004-08-04 10:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 10:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 10:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-20 07:32 . 2009-05-08 10:01 -------- d-----w- c:\program files\Soulseek
2009-10-16 12:33 . 2009-10-02 07:46 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-13 10:30 . 2004-08-04 10:00 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2004-08-04 10:00 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2004-08-04 10:00 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-06 08:29 . 2009-10-06 08:28 126970 ----a-w- c:\documents and settings\Nena Drew Thrower.NENA\Application Data\Move Networks\uninstall.exe
2009-10-06 08:29 . 2009-08-03 21:48 4187512 ----a-w- c:\documents and settings\Nena Drew Thrower.NENA\Application Data\Move Networks\plugins\npqmp071505000010.dll
2009-10-02 07:47 . 2009-10-02 07:47 117760 ----a-w- c:\documents and settings\Nena Drew Thrower.NENA\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-09-16 23:34 . 2009-05-08 20:56 50220 ---ha-w- c:\windows\system32\mlfcache.dat
2009-09-16 19:17 . 2009-09-16 19:17 79144 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Apple Computer\Installer Cache\iTunes 9.0.0.70\SetupAdmin.exe
.

((((((((((((((((((((((((((((( SnapShot_2009-12-11_01.48.29 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-12-11 09:07 . 2009-12-11 09:07 16384 c:\windows\Temp\Perflib_Perfdata_6c0.dat
+ 2009-05-22 15:13 . 2008-11-10 17:41 67472 c:\windows\system32\spool\drivers\w32x86\msonpui.dll
+ 2009-05-22 15:13 . 2008-11-10 17:41 67472 c:\windows\system32\spool\drivers\w32x86\3\msonpui.dll
+ 2004-08-04 10:00 . 2009-12-11 08:09 67516 c:\windows\system32\perfc009.dat
- 2004-08-04 10:00 . 2009-12-10 10:33 67516 c:\windows\system32\perfc009.dat
+ 2009-05-22 15:13 . 2008-11-10 17:41 32656 c:\windows\system32\msonpmon.dll
+ 2009-08-07 15:44 . 2009-12-11 08:03 35088 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\oisicon.exe
- 2009-08-07 15:44 . 2009-12-10 00:17 35088 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\oisicon.exe
+ 2009-08-07 15:44 . 2009-12-11 08:03 18704 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\mspicons.exe
- 2009-08-07 15:44 . 2009-12-10 00:17 18704 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\mspicons.exe
- 2009-08-07 15:44 . 2009-12-10 00:17 20240 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\cagicon.exe
+ 2009-08-07 15:44 . 2009-12-11 08:03 20240 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\cagicon.exe
+ 2006-07-24 15:50 . 2006-07-24 15:50 47920 c:\windows\Installer\$PatchCache$\Managed\00002119F20000000000000000F01FEC\12.0.6425\VBAME.DLL
+ 2006-07-24 15:50 . 2006-07-24 15:50 92976 c:\windows\Installer\$PatchCache$\Managed\00002119F20000000000000000F01FEC\12.0.6425\MSADDNDR.DLL
+ 2006-10-27 00:59 . 2006-10-27 00:59 15672 c:\windows\Installer\$PatchCache$\Managed\00002119F20000000000000000F01FEC\12.0.4518\SMARTTAGINSTALL.EXE
+ 2006-10-27 00:49 . 2006-10-27 00:49 34104 c:\windows\Installer\$PatchCache$\Managed\00002119F20000000000000000F01FEC\12.0.4518\SETLANG.EXE
+ 2006-10-27 01:12 . 2006-10-27 01:12 40424 c:\windows\Installer\$PatchCache$\Managed\00002119F20000000000000000F01FEC\12.0.4518\REFIEBAR.DLL
+ 2006-10-27 00:59 . 2006-10-27 00:59 46936 c:\windows\Installer\$PatchCache$\Managed\00002119F20000000000000000F01FEC\12.0.4518\OSETUPPS.DLL
+ 2006-10-27 00:59 . 2006-10-27 00:59 18760 c:\windows\Installer\$PatchCache$\Managed\00002119F20000000000000000F01FEC\12.0.4518\OPHPROXY.DLL
+ 2006-10-27 00:59 . 2006-10-27 00:59 16728 c:\windows\Installer\$PatchCache$\Managed\00002119F20000000000000000F01FEC\12.0.4518\OMUOPTINPS.DLL
+ 2006-10-27 01:00 . 2006-10-27 01:00 23392 c:\windows\Installer\$PatchCache$\Managed\00002119F20000000000000000F01FEC\12.0.4518\OISCTRL.DLL
+ 2006-10-27 20:11 . 2006-10-27 20:11 54680 c:\windows\Installer\$PatchCache$\Managed\00002119F20000000000000000F01FEC\12.0.4518\OFFRHD.DLL
+ 2006-10-27 00:59 . 2006-10-27 00:59 43832 c:\windows\Installer\$PatchCache$\Managed\00002119F20000000000000000F01FEC\12.0.4518\MSSH.DLL
+ 2006-10-27 20:26 . 2006-10-27 20:26 35152 c:\windows\Installer\$PatchCache$\Managed\00002119F20000000000000000F01FEC\12.0.4518\MSOSTYLE.DLL
+ 2006-10-27 00:56 . 2006-10-27 00:56 67408 c:\windows\Installer\$PatchCache$\Managed\00002119F20000000000000000F01FEC\12.0.4518\MSONPUI.DLL
+ 2006-10-27 00:56 . 2006-10-27 00:56 32592 c:\windows\Installer\$PatchCache$\Managed\00002119F20000000000000000F01FEC\12.0.4518\MSONPMON.DLL
+ 2006-10-27 01:12 . 2006-10-27 01:12 67896 c:\windows\Installer\$PatchCache$\Managed\00002119F20000000000000000F01FEC\12.0.4518\MSOHTMED.EXE
+ 2006-10-27 20:01 . 2006-10-27 20:01 76088 c:\windows\Installer\$PatchCache$\Managed\00002119F20000000000000000F01FEC\12.0.4518\MSOHEV.DLL
+ 2006-10-27 00:59 . 2006-10-27 00:59 19768 c:\windows\Installer\$PatchCache$\Managed\00002119F20000000000000000F01FEC\12.0.4518\MSMH.DLL
+ 2006-10-27 01:12 . 2006-10-27 01:12 89400 c:\windows\Installer\$PatchCache$\Managed\00002119F20000000000000000F01FEC\12.0.4518\METCONV.DLL
+ 2006-10-27 01:12 . 2006-10-27 01:12 53576 c:\windows\Installer\$PatchCache$\Managed\00002119F20000000000000000F01FEC\12.0.4518\AUTHZAX.DLL
+ 2009-01-05 21:44 . 2009-01-05 21:44 53248 c:\windows\bdoscandel.exe
+ 2009-12-11 05:38 . 2009-12-11 05:38 86016 c:\windows\BDOSCAN8\librtvr.dll
+ 2009-12-11 05:38 . 2009-12-11 05:38 27136 c:\windows\BDOSCAN8\avxt.dll
+ 2009-12-11 05:38 . 2009-12-11 05:38 10240 c:\windows\BDOSCAN8\avxs.dll
+ 2009-12-11 05:38 . 2009-12-11 05:38 45056 c:\windows\BDOSCAN8\avxdisk.dll
+ 2009-12-11 08:12 . 2009-12-11 08:12 60928 c:\windows\assembly\NativeImages_v2.0.50727_32\UIAutomationProvider\b4a9e413d5cd6d6ec2d50aa05381e293\UIAutomationProvider.ni.dll
+ 2009-12-11 08:23 . 2009-12-11 08:23 37888 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Pres#\8acb476a0d4ee17a12881e17ae74a6af\System.Windows.Presentation.ni.dll
+ 2009-12-11 08:23 . 2009-12-11 08:23 36864 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.DynamicD#\4b87ca3482a3c0ee733e028ecee7de65\System.Web.DynamicData.Design.ni.dll
+ 2009-12-11 08:21 . 2009-12-11 08:21 94208 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ComponentMod#\a0c71055364bd356971791284c3fb910\System.ComponentModel.DataAnnotations.ni.dll
+ 2009-12-11 08:21 . 2009-12-11 08:21 82944 c:\windows\assembly\NativeImages_v2.0.50727_32\System.AddIn.Contra#\f9a75bbdc2ce7db578b5977766a09b99\System.AddIn.Contract.ni.dll
+ 2009-12-11 08:10 . 2009-12-11 08:10 47104 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFontCac#\3dd0f86c966c75755d62eab8ddf0634c\PresentationFontCache.ni.exe
+ 2009-12-11 08:10 . 2009-12-11 08:10 39424 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationCFFRast#\034d081fe294bab1ee1ecc98c1181424\PresentationCFFRasterizer.ni.dll
+ 2009-12-11 08:22 . 2009-12-11 08:22 55296 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Vsa\f2673aec397c52796aef05bb9d2668df\Microsoft.Vsa.ni.dll
+ 2009-12-11 08:21 . 2009-12-11 08:21 65024 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Fra#\d513fe1a81c441e7656a9b062cff4e9f\Microsoft.Build.Framework.ni.dll
+ 2009-12-11 08:21 . 2009-12-11 08:21 74752 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Fra#\c5d504724d7f351b1d034615dbb72a2a\Microsoft.Build.Framework.ni.dll
+ 2009-12-11 08:14 . 2009-12-11 08:14 14336 c:\windows\assembly\NativeImages_v2.0.50727_32\dfsvc\a664ccab020f93f1d533919f57131190\dfsvc.ni.exe
+ 2009-12-11 08:13 . 2009-12-11 08:13 25600 c:\windows\assembly\NativeImages_v2.0.50727_32\Accessibility\e63d6d26b8a664cfdfbd4ad75e03c14d\Accessibility.ni.dll
+ 2009-12-11 08:08 . 2009-12-11 08:08 77824 c:\windows\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
- 2009-12-10 10:33 . 2009-12-10 10:33 77824 c:\windows\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
+ 2009-12-11 08:08 . 2009-12-11 08:08 81920 c:\windows\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
- 2009-12-10 10:33 . 2009-12-10 10:33 81920 c:\windows\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
+ 2009-12-11 08:09 . 2009-12-11 08:09 81920 c:\windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
- 2009-12-10 10:33 . 2009-12-10 10:33 81920 c:\windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
+ 2009-12-11 08:08 . 2009-12-11 08:08 32768 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
- 2009-12-10 10:33 . 2009-12-10 10:33 32768 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
+ 2009-12-11 08:08 . 2009-12-11 08:08 12800 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
- 2009-12-10 10:33 . 2009-12-10 10:33 12800 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
- 2009-12-10 10:33 . 2009-12-10 10:33 28672 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
+ 2009-12-11 08:08 . 2009-12-11 08:08 28672 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
- 2009-12-10 10:33 . 2009-12-10 10:33 77824 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
+ 2009-12-11 08:09 . 2009-12-11 08:09 77824 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
+ 2009-12-11 08:09 . 2009-12-11 08:09 36864 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
- 2009-12-10 10:33 . 2009-12-10 10:33 36864 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
+ 2009-12-11 08:08 . 2009-12-11 08:08 77824 c:\windows\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
- 2009-12-10 10:33 . 2009-12-10 10:33 77824 c:\windows\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
+ 2009-12-11 08:08 . 2009-12-11 08:08 13312 c:\windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
- 2009-12-10 10:33 . 2009-12-10 10:33 13312 c:\windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
- 2009-12-10 10:33 . 2009-12-10 10:33 10752 c:\windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
+ 2009-12-11 08:08 . 2009-12-11 08:08 10752 c:\windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
+ 2009-12-11 08:08 . 2009-12-11 08:08 72192 c:\windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
- 2009-12-10 10:33 . 2009-12-10 10:33 72192 c:\windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
- 2009-12-10 10:33 . 2009-12-10 10:33 69120 c:\windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
+ 2009-12-11 08:08 . 2009-12-11 08:08 69120 c:\windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
- 2009-12-10 10:33 . 2009-12-10 10:33 8192 c:\windows\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e\IEExecRemote.dll
+ 2009-12-11 08:08 . 2009-12-11 08:08 8192 c:\windows\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e\IEExecRemote.dll
- 2009-12-10 10:33 . 2009-12-10 10:33 7168 c:\windows\assembly\GAC_MSIL\Microsoft_VsaVb\8.0.0.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll
+ 2009-12-11 08:08 . 2009-12-11 08:08 7168 c:\windows\assembly\GAC_MSIL\Microsoft_VsaVb\8.0.0.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll
+ 2009-12-11 08:09 . 2009-12-11 08:09 5632 c:\windows\assembly\GAC_MSIL\Microsoft.VisualC\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll
- 2009-12-10 10:33 . 2009-12-10 10:33 5632 c:\windows\assembly\GAC_MSIL\Microsoft.VisualC\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll
+ 2009-12-11 08:08 . 2009-12-11 08:08 6656 c:\windows\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll
- 2009-12-10 10:33 . 2009-12-10 10:33 6656 c:\windows\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll
+ 2009-12-11 08:08 . 2009-12-11 08:08 8192 c:\windows\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\IEExecRemote.dll
- 2009-12-10 10:33 . 2009-12-10 10:33 8192 c:\windows\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\IEExecRemote.dll
- 2009-12-10 10:33 . 2009-12-10 10:33 113664 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.Wrapper.dll
+ 2009-12-11 08:08 . 2009-12-11 08:08 113664 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.Wrapper.dll
- 2009-12-10 10:33 . 2009-12-10 10:33 258048 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll
+ 2009-12-11 08:08 . 2009-12-11 08:08 258048 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll
+ 2009-05-22 15:13 . 2008-11-10 17:41 864144 c:\windows\system32\spool\drivers\w32x86\msonpdrv.dll
+ 2009-05-22 15:13 . 2008-11-10 17:41 864144 c:\windows\system32\spool\drivers\w32x86\3\msonpdrv.dll
+ 2004-08-04 10:00 . 2009-12-11 08:09 432686 c:\windows\system32\perfh009.dat
- 2004-08-04 10:00 . 2009-12-10 10:33 432686 c:\windows\system32\perfh009.dat
- 2009-05-07 19:27 . 2009-12-10 10:37 211288 c:\windows\system32\FNTCACHE.DAT
+ 2009-05-07 19:27 . 2009-12-11 09:07 211288 c:\windows\system32\FNTCACHE.DAT
+ 2009-08-08 05:51 . 2009-08-08 05:51 989016 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscordacwks.dll
+ 2009-03-20 17:48 . 2009-03-20 17:48 183808 c:\windows\Installer\1c2c468.msp
- 2009-08-07 15:44 . 2009-12-10 00:17 888080 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\wordicon.exe
+ 2009-08-07 15:44 . 2009-12-11 08:03 888080 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\wordicon.exe
- 2009-08-07 15:44 . 2009-12-10 00:17 922384 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\pptico.exe
+ 2009-08-07 15:44 . 2009-12-11 08:03 922384 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\pptico.exe
+ 2009-08-07 15:44 . 2009-12-11 08:03 217864 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\misc.exe
- 2009-08-07 15:44 . 2009-12-10 00:17 217864 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\misc.exe
- 2009-08-07 15:44 . 2009-12-10 00:17 184080 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\joticon.exe
+ 2009-08-07 15:44 . 2009-12-11 08:03 184080 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\joticon.exe
- 2009-05-22 15:11 . 2009-12-03 08:04 217864 c:\windows\Installer\{90120000-006E-0409-0000-0000000FF1CE}\misc.exe
+ 2009-05-22 15:11 . 2009-12-11 08:01 217864 c:\windows\Installer\{90120000-006E-0409-0000-0000000FF1CE}\misc.exe
+ 2007-06-08 01:51 . 2007-06-08 01:51 465800 c:\windows\Installer\$PatchCache$\Managed\00002119F20000000000000000F01FEC\12.0.6425\OUTLFLTR.DLL
+ 2006-07-24 15:50 . 2006-07-24 15:50 125744 c:\windows\Installer\$PatchCache$\Managed\00002119F20000000000000000F01FEC\12.0.6425\MSSTDFMT.DLL
+ 2006-10-27 01:49 . 2006-10-27 01:49 509200 c:\windows\Installer\$PatchCache$\Managed\00002119F20000000000000000F01FEC\12.0.4518\WRD12CVR.DLL
+ 2006-10-27 02:07 . 2006-10-27 02:07 368968 c:\windows\Installer\$PatchCache$\Managed\00002119F20000000000000000F01FEC\12.0.4518\PPSLAX.DLL
+ 2006-10-20 13:37 . 2006-10-20 13:37 637744 c:\windows\Installer\$PatchCache$\Managed\00002119F20000000000000000F01FEC\12.0.4518\OGALEGIT.DLL
+ 2006-10-27 00:55 . 2006-10-27 00:55 145688 c:\windows\Installer\$PatchCache$\Managed\00002119F20000000000000000F01FEC\12.0.4518\MSTORE.EXE
+ 2006-10-26 19:47 . 2006-10-26 19:47 727840 c:\windows\Installer\$PatchCache$\Managed\00002119F20000000000000000F01FEC\12.0.4518\MSPROOF6.DLL
+ 2006-10-27 00:56 . 2006-10-27 00:56 864080 c:\windows\Installer\$PatchCache$\Managed\00002119F20000000000000000F01FEC\12.0.4518\MSONPDRV.DLL
+ 2006-10-27 01:00 . 2006-10-27 01:00 178488 c:\windows\Installer\$PatchCache$\Managed\00002119F20000000000000000F01FEC\12.0.4518\IETAG.DLL
+ 2006-10-27 01:12 . 2006-10-27 01:12 106824 c:\windows\Installer\$PatchCache$\Managed\00002119F20000000000000000F01FEC\12.0.4518\DSSM.EXE
+ 2009-01-05 21:44 . 2009-01-05 21:44 741376 c:\windows\Downloaded Program Files\CONFLICT.2\ipsupd.dll
+ 2009-01-05 21:44 . 2009-12-11 05:38 142848 c:\windows\BDOSCAN8\libfn.dll
+ 2009-01-05 21:44 . 2009-01-05 21:44 741376 c:\windows\BDOSCAN8\ipsupd.dll
+ 2009-01-05 21:44 . 2009-12-11 05:39 107800 c:\windows\BDOSCAN8\bdcore.dll
+ 2009-12-11 08:21 . 2009-12-11 08:21 321536 c:\windows\assembly\NativeImages_v2.0.50727_32\WsatConfig\e2098e43d115155d6ba91ba3a7e577cf\WsatConfig.ni.exe
+ 2009-12-11 08:12 . 2009-12-11 08:12 240128 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsFormsIntegra#\bf92bc207f927cbbd6dfc9dc0c3eae68\WindowsFormsIntegration.ni.dll
+ 2009-12-11 08:12 . 2009-12-11 08:12 187904 c:\windows\assembly\NativeImages_v2.0.50727_32\UIAutomationTypes\6f488b7644dc50a083868e91a4014466\UIAutomationTypes.ni.dll
+ 2009-12-11 08:12 . 2009-12-11 08:12 447488 c:\windows\assembly\NativeImages_v2.0.50727_32\UIAutomationClient\c2fbf25609b704061a93500efa6f241d\UIAutomationClient.ni.dll
+ 2009-12-11 08:23 . 2009-12-11 08:23 400896 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Xml.Linq\eb23b78564687badff1bd1f1d0a0ec97\System.Xml.Linq.ni.dll
+ 2009-12-11 08:23 . 2009-12-11 08:23 129536 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Routing\e7666364bf9f3ba5f4833c9efedd8218\System.Web.Routing.ni.dll
+ 2009-12-11 08:23 . 2009-12-11 08:23 202240 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.RegularE#\b5f1b8791e6c47e5bd5e7018c346c586\System.Web.RegularExpressions.ni.dll
+ 2009-12-11 08:23 . 2009-12-11 08:23 859648 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Extensio#\884eacddf339b8b342f66aedff5f8ef9\System.Web.Extensions.Design.ni.dll
+ 2009-12-11 08:23 . 2009-12-11 08:23 328704 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Entity\9e199645bd26f1afe58ebe185d1e7f0f\System.Web.Entity.ni.dll
+ 2009-12-11 08:23 . 2009-12-11 08:23 301056 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Entity.D#\652017ebe962ab2eb271c2524f31cd61\System.Web.Entity.Design.ni.dll
+ 2009-12-11 08:23 . 2009-12-11 08:23 547328 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.DynamicD#\d0070c1c1a642ae30394e00bc0d82336\System.Web.DynamicData.ni.dll
+ 2009-12-11 08:23 . 2009-12-11 08:23 141312 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Abstract#\1896753d02d146be1988d32241300f51\System.Web.Abstractions.ni.dll
+ 2009-12-11 08:23 . 2009-12-11 08:23 627200 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Transactions\408e637346ef628a3f54fb1b9b83ac9f\System.Transactions.ni.dll
+ 2009-12-11 08:23 . 2009-12-11 08:23 212992 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\1f61bccb700d687775cf778dd77752e9\System.ServiceProcess.ni.dll
+ 2009-12-11 08:21 . 2009-12-11 08:21 676352 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Security\a9e9b885a6601469c4058375cc74d856\System.Security.ni.dll
+ 2009-12-11 08:22 . 2009-12-11 08:22 311296 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Seri#\9bc34a79af9c3ed2cf17a0226c769b4c\System.Runtime.Serialization.Formatters.Soap.ni.dll
+ 2009-12-11 08:22 . 2009-12-11 08:22 621056 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Net\5f74a84e9d28c2332c51f6e30da0e125\System.Net.ni.dll
+ 2009-12-11 08:22 . 2009-12-11 08:22 998400 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Management\2c208e4c5521f31057ea7d6e93c6a567\System.Management.ni.dll
+ 2009-12-11 08:22 . 2009-12-11 08:22 330752 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Management.I#\818b20a7c6f3b2fe97bf008ca24080c1\System.Management.Instrumentation.ni.dll
+ 2009-12-11 08:13 . 2009-12-11 08:13 381440 c:\windows\assembly\NativeImages_v2.0.50727_32\System.IO.Log\6c273eb9d1ee8b66b5ecb073de4b785d\System.IO.Log.ni.dll
+ 2009-12-11 08:13 . 2009-12-11 08:13 212992 c:\windows\assembly\NativeImages_v2.0.50727_32\System.IdentityMode#\7222db518afb4eaaa138824278249bc7\System.IdentityModel.Selectors.ni.dll
+ 2009-12-11 08:22 . 2009-12-11 08:22 280064 c:\windows\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\8a7d0bd0057a8ed38291d5662248f7a1\System.EnterpriseServices.Wrapper.dll
+ 2009-12-11 08:22 . 2009-12-11 08:22 627712 c:\windows\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\8a7d0bd0057a8ed38291d5662248f7a1\System.EnterpriseServices.ni.dll
+ 2009-12-11 08:11 . 2009-12-11 08:11 208384 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Drawing.Desi#\ca6d7208c0fb72ff97429f2636ced321\System.Drawing.Design.ni.dll
+ 2009-12-11 08:22 . 2009-12-11 08:22 881152 c:\windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\c92fc19800e701c90f90ab7a2ab44c47\System.DirectoryServices.AccountManagement.ni.dll
+ 2009-12-11 08:22 . 2009-12-11 08:22 455680 c:\windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\a601f47a98ee67df424685c9a66ea449\System.DirectoryServices.Protocols.ni.dll
+ 2009-12-11 08:22 . 2009-12-11 08:22 939008 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Service#\b91b44015859163646f210d284f7166a\System.Data.Services.Client.ni.dll
+ 2009-12-11 08:22 . 2009-12-11 08:22 354816 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Service#\1b35297e07b85071daecdb06f96750a1\System.Data.Services.Design.ni.dll
+ 2009-12-11 08:22 . 2009-12-11 08:22 756736 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Entity.#\cf906bf9146d1f0013451ec63b58e064\System.Data.Entity.Design.ni.dll
+ 2009-12-11 08:21 . 2009-12-11 08:21 135680 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.DataSet#\4ff4134b0d490c090e03d74e104517c4\System.Data.DataSetExtensions.ni.dll
+ 2009-12-11 08:21 . 2009-12-11 08:21 971264 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\7c743462baccf29b3567b0e3ec9ac134\System.Configuration.ni.dll
+ 2009-12-11 08:22 . 2009-12-11 08:22 141312 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Configuratio#\443e3a85c491b2de4a2ac654cb957484\System.Configuration.Install.ni.dll
+ 2009-12-11 08:21 . 2009-12-11 08:21 633856 c:\windows\assembly\NativeImages_v2.0.50727_32\System.AddIn\cba35f47925431a54d0e6ae147a292f1\System.AddIn.ni.dll
+ 2009-12-11 08:21 . 2009-12-11 08:21 366080 c:\windows\assembly\NativeImages_v2.0.50727_32\SMSvcHost\6af32fe5cbec0aa54e2efa6910c73651\SMSvcHost.ni.exe
+ 2009-12-11 08:21 . 2009-12-11 08:21 256000 c:\windows\assembly\NativeImages_v2.0.50727_32\SMDiagnostics\7602d7687fb9bd21cd9ae60d2b187c99\SMDiagnostics.ni.dll
+ 2009-12-11 08:21 . 2009-12-11 08:21 320512 c:\windows\assembly\NativeImages_v2.0.50727_32\ServiceModelReg\a23dc25782df04533a13e348203e4dc5\ServiceModelReg.ni.exe
+ 2009-12-11 08:11 . 2009-12-11 08:11 258048 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\96f74da5fc40b92f09069230bc0df4f0\PresentationFramework.Royale.ni.dll
+ 2009-12-11 08:11 . 2009-12-11 08:11 539648 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\3bb4d16b042b72c2c85a0f8ac9d48f28\PresentationFramework.Luna.ni.dll
+ 2009-12-11 08:11 . 2009-12-11 08:11 368128 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\30c5c2682d3c5bdaa83bb9a36ee48afa\PresentationFramework.Aero.ni.dll
+ 2009-12-11 08:11 . 2009-12-11 08:11 224768 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\07e952efd70f5608e221a008e6231ace\PresentationFramework.Classic.ni.dll
+ 2009-12-11 08:21 . 2009-12-11 08:21 133632 c:\windows\assembly\NativeImages_v2.0.50727_32\MSBuild\eade8c1c9c1e8e5ffb50e6c9b9af0f6a\MSBuild.ni.exe
+ 2009-12-11 08:21 . 2009-12-11 08:21 386560 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Transacti#\fc4d66e0a92b3767006a84f2519d2457\Microsoft.Transactions.Bridge.Dtc.ni.dll
+ 2009-12-11 08:21 . 2009-12-11 08:21 144384 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Uti#\58ca3ecc52b7246b448c109817198a0b\Microsoft.Build.Utilities.ni.dll
+ 2009-12-11 08:21 . 2009-12-11 08:21 175104 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Uti#\4dd43724dd92026577c6f588270137a0\Microsoft.Build.Utilities.v3.5.ni.dll
+ 2009-12-11 08:21 . 2009-12-11 08:21 839680 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Eng#\8c651f75bb741330370986dcad8e9e5b\Microsoft.Build.Engine.ni.dll
+ 2009-12-11 08:21 . 2009-12-11 08:21 222720 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Con#\a6dcbae619ccd938bfe808c54d6d3ae0\Microsoft.Build.Conversion.v3.5.ni.dll
+ 2009-12-11 08:21 . 2009-12-11 08:21 220672 c:\windows\assembly\NativeImages_v2.0.50727_32\CustomMarshalers\77688ce14f221ed94a9f442ae4736123\CustomMarshalers.ni.dll
+ 2009-12-11 08:14 . 2009-12-11 08:14 410112 c:\windows\assembly\NativeImages_v2.0.50727_32\ComSvcConfig\a17c65f0cffaa4f792dd38d50df9d526\ComSvcConfig.ni.exe
+ 2009-12-11 08:13 . 2009-12-11 08:13 842240 c:\windows\assembly\NativeImages_v2.0.50727_32\AspNetMMCExt\85d7c111956b478766d90625b35d963f\AspNetMMCExt.ni.dll
+ 2009-12-11 08:08 . 2009-12-11 08:08 839680 c:\windows\assembly\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\System.Web.Services.dll
- 2009-12-10 10:33 . 2009-12-10 10:33 839680 c:\windows\assembly\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\System.Web.Services.dll
- 2009-12-10 10:33 . 2009-12-10 10:33 835584 c:\windows\assembly\GAC_MSIL\System.Web.Mobile\2.0.0.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
+ 2009-12-11 08:08 . 2009-12-11 08:08 835584 c:\windows\assembly\GAC_MSIL\System.Web.Mobile\2.0.0.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
+ 2009-12-11 08:08 . 2009-12-11 08:08 114688 c:\windows\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
- 2009-12-10 10:33 . 2009-12-10 10:33 114688 c:\windows\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
+ 2009-12-11 08:08 . 2009-12-11 08:08 258048 c:\windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll
- 2009-12-10 10:33 . 2009-12-10 10:33 258048 c:\windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll
- 2009-12-10 10:33 . 2009-12-10 10:33 131072 c:\windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
+ 2009-12-11 08:08 . 2009-12-11 08:08 131072 c:\windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
+ 2009-12-11 08:09 . 2009-12-11 08:09 303104 c:\windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
- 2009-12-10 10:33 . 2009-12-10 10:33 303104 c:\windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
- 2009-12-10 10:33 . 2009-12-10 10:33 258048 c:\windows\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll
+ 2009-12-11 08:09 . 2009-12-11 08:09 258048 c:\windows\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll
- 2009-12-10 10:33 . 2009-12-10 10:33 372736 c:\windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
+ 2009-12-11 08:09 . 2009-12-11 08:09 372736 c:\windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
- 2009-12-10 10:33 . 2009-12-10 10:33 626688 c:\windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
+ 2009-12-11 08:09 . 2009-12-11 08:09 626688 c:\windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
- 2009-12-10 10:33 . 2009-12-10 10:33 401408 c:\windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
+ 2009-12-11 08:08 . 2009-12-11 08:08 401408 c:\windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
+ 2009-12-11 08:08 . 2009-12-11 08:08 188416 c:\windows\assembly\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll
- 2009-12-10 10:33 . 2009-12-10 10:33 188416 c:\windows\assembly\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll
+ 2009-12-11 08:09 . 2009-12-11 08:09 970752 c:\windows\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
- 2009-12-10 10:33 . 2009-12-10 10:33 970752 c:\windows\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
+ 2009-12-11 08:09 . 2009-12-11 08:09 745472 c:\windows\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
- 2009-12-10 10:33 . 2009-12-10 10:33 745472 c:\windows\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
+ 2009-12-11 08:09 . 2009-12-11 08:09 425984 c:\windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll
- 2009-12-10 10:33 . 2009-12-10 10:33 425984 c:\windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll
- 2009-12-10 10:33 . 2009-12-10 10:33 110592 c:\windows\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll
+ 2009-12-11 08:09 . 2009-12-11 08:09 110592 c:\windows\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll
- 2009-12-10 10:33 . 2009-12-10 10:33 659456 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
+ 2009-12-11 08:08 . 2009-12-11 08:08 659456 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
- 2009-12-10 10:33 . 2009-12-10 10:33 372736 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll
+ 2009-12-11 08:08 . 2009-12-11 08:08 372736 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll
- 2009-12-10 10:33 . 2009-12-10 10:33 110592 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll
+ 2009-12-11 08:08 . 2009-12-11 08:08 110592 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll
- 2009-12-10 10:33 . 2009-12-10 10:33 749568 c:\windows\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
+ 2009-12-11 08:08 . 2009-12-11 08:08 749568 c:\windows\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
+ 2009-12-11 08:09 . 2009-12-11 08:09 655360 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll
- 2009-12-10 10:33 . 2009-12-10 10:33 655360 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll
+ 2009-12-11 08:08 . 2009-12-11 08:08 348160 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll
- 2009-12-10 10:33 . 2009-12-10 10:33 348160 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll
- 2009-12-10 10:33 . 2009-12-10 10:33 507904 c:\windows\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll
+ 2009-12-11 08:08 . 2009-12-11 08:08 507904 c:\windows\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll
+ 2009-12-11 08:08 . 2009-12-11 08:08 261632 c:\windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
- 2009-12-10 10:33 . 2009-12-10 10:33 261632 c:\windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
+ 2009-12-11 08:08 . 2009-12-11 08:08 113664 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll
- 2009-12-10 10:33 . 2009-12-10 10:33 113664 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll
- 2009-12-10 10:33 . 2009-12-10 10:33 258048 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
+ 2009-12-11 08:08 . 2009-12-11 08:08 258048 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
+ 2009-12-11 08:09 . 2009-12-11 08:09 486400 c:\windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll
- 2009-12-10 10:33 . 2009-12-10 10:33 486400 c:\windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll
+ 2009-08-08 05:51 . 2009-08-08 05:51 5812560 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
+ 2009-08-08 05:51 . 2009-08-08 05:51 4546560 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorlib.dll
- 2008-11-25 10:59 . 2008-11-25 10:59 4546560 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorlib.dll
+ 2009-04-04 23:10 . 2009-04-04 23:10 1282560 c:\windows\Installer\1c2c45d.msp
+ 2009-04-04 23:10 . 2009-04-04 23:10 7888384 c:\windows\Installer\1c2c455.msp
+ 2009-04-04 23:10 . 2009-04-04 23:10 9926144 c:\windows\Installer\1c2c44b.msp
- 2009-08-07 15:44 . 2009-12-10 00:17 1172240 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\xlicons.exe
+ 2009-08-07 15:44 . 2009-12-11 08:03 1172240 c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\xlicons.exe
+ 2006-10-26 19:47 . 2006-10-26 19:47 1512304 c:\windows\Installer\$PatchCache$\Managed\00002119F20000000000000000F01FEC\12.0.4518\NLSD0000.DLL
+ 2009-12-11 08:10 . 2009-12-11 08:10 3313664 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsBase\204d6e5b335134f23ca37638b9227ecf\WindowsBase.ni.dll
+ 2009-12-11 08:12 . 2009-12-11 08:12 1049600 c:\windows\assembly\NativeImages_v2.0.50727_32\UIAutomationClients#\0f2ed6a204eb13841e99b77025464afc\UIAutomationClientsideProviders.ni.dll
+ 2009-12-11 08:10 . 2009-12-11 08:10 7868416 c:\windows\assembly\NativeImages_v2.0.50727_32\System\3de5bd01124463d7862bd173af90bc83\System.ni.dll
+ 2009-12-11 08:12 . 2009-12-11 08:12 5450752 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Xml\5913d3f81e77194ec833991b1047a532\System.Xml.ni.dll
+ 2009-12-11 08:23 . 2009-12-11 08:23 1356288 c:\windows\assembly\NativeImages_v2.0.50727_32\System.WorkflowServ#\fa48917b13629d8effa80dd4a2f2973d\System.WorkflowServices.ni.dll
+ 2009-12-11 08:23 . 2009-12-11 08:23 1908224 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Run#\6fe66ee6f3c81996bc148f1ebe7ec030\System.Workflow.Runtime.ni.dll
+ 2009-12-11 08:23 . 2009-12-11 08:23 4514304 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Com#\9d0b61f2f1ebdc300bd970f594c422ef\System.Workflow.ComponentModel.ni.dll
+ 2009-12-11 08:23 . 2009-12-11 08:23 2992640 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Act#\65328898148a720d394f802f192fc2a0\System.Workflow.Activities.ni.dll
+ 2009-12-11 08:23 . 2009-12-11 08:23 1840640 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Services\ea07ac791bb5cb9f83679e3dd1a0c0cc\System.Web.Services.ni.dll
+ 2009-12-11 08:23 . 2009-12-11 08:23 2209280 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Mobile\29e2f8b1fb691ced973acf49fcee6ec1\System.Web.Mobile.ni.dll
+ 2009-12-11 08:23 . 2009-12-11 08:23 2403328 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Extensio#\981dea02bc63c0c083e335adf9018788\System.Web.Extensions.ni.dll
+ 2009-12-11 08:11 . 2009-12-11 08:11 1917440 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Speech\99594bae1d022502925f5b9dfcdaae9a\System.Speech.ni.dll
+ 2009-12-11 08:23 . 2009-12-11 08:23 1706496 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceModel#\e182695d05ea57257568bc5f3208aca7\System.ServiceModel.Web.ni.dll
+ 2009-12-11 08:13 . 2009-12-11 08:13 2338304 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Seri#\67ad55827f2542552b576170f0a7dc56\System.Runtime.Serialization.ni.dll
+ 2009-12-11 08:11 . 2009-12-11 08:11 1035264 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Printing\e5313735a40c0800f116e27fba4754db\System.Printing.ni.dll
+ 2009-12-11 08:13 . 2009-12-11 08:13 1056768 c:\windows\assembly\NativeImages_v2.0.50727_32\System.IdentityModel\c3b18fef5c6dc3bcdbe5df699fd21a55\System.IdentityModel.ni.dll
+ 2009-12-11 08:11 . 2009-12-11 08:11 1587200 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\abb2ac7e08bee026f857d8fa36f9fe6f\System.Drawing.ni.dll
+ 2009-12-11 08:22 . 2009-12-11 08:22 1116672 c:\windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\f47ebb9db460874b1bcbfc391dc970b1\System.DirectoryServices.ni.dll
+ 2009-12-11 08:22 . 2009-12-11 08:22 1801216 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Deployment\c94a427baa7683f4221b91f90c18461b\System.Deployment.ni.dll
+ 2009-12-11 08:11 . 2009-12-11 08:11 6616576 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data\694c07365e0fd6bba0bc304d4d2404a7\System.Data.ni.dll
+ 2009-12-11 08:21 . 2009-12-11 08:21 2510336 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.SqlXml\272152f0cc139490729e215611a4b244\System.Data.SqlXml.ni.dll
+ 2009-12-11 08:22 . 2009-12-11 08:22 1328128 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Services\112a48e34620a0210eb850040da8a31b\System.Data.Services.ni.dll
+ 2009-12-11 08:11 . 2009-12-11 08:11 2516480 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Linq\32788c58ff9f8324460604cf1fe7681b\System.Data.Linq.ni.dll
+ 2009-12-11 08:22 . 2009-12-11 08:22 9924096 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Entity\9012cac7819660f61f1c69cf8e4f2ccf\System.Data.Entity.ni.dll
+ 2009-12-11 08:11 . 2009-12-11 08:11 2295296 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Core\c0a42d2ad8a4078040b334f6770ea11f\System.Core.ni.dll
+ 2009-12-11 08:11 . 2009-12-11 08:11 2128896 c:\windows\assembly\NativeImages_v2.0.50727_32\ReachFramework\954685c29689d2a6126ceca1fd55e904\ReachFramework.ni.dll
+ 2009-12-11 08:11 . 2009-12-11 08:11 1657856 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationUI\a3a6f52ce1d09a7bdccc8e7fc664792d\PresentationUI.ni.dll
+ 2009-12-11 08:10 . 2009-12-11 08:10 1451008 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationBuildTa#\f906701365083c1473db31519147e263\PresentationBuildTasks.ni.dll
+ 2009-12-11 08:21 . 2009-12-11 08:21 1712128 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\6eee9b772b6d12d3dbd82f118c2ab2e5\Microsoft.VisualBasic.ni.dll
+ 2009-12-11 08:21 . 2009-12-11 08:21 1093120 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Transacti#\f19e9b439636d0744597fff1331cad04\Microsoft.Transactions.Bridge.ni.dll
+ 2009-12-11 08:22 . 2009-12-11 08:22 2332160 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.JScript\5b1af7b5be24c7ace065fe1c81c2b650\Microsoft.JScript.ni.dll
+ 2009-12-11 08:21 . 2009-12-11 08:21 1620992 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Tas#\9eec1cc7ac37e0c7f3205e8156149c5a\Microsoft.Build.Tasks.ni.dll
+ 2009-12-11 08:21 . 2009-12-11 08:21 1966080 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Tas#\28c0730288453d57d5dcd62903c4d31b\Microsoft.Build.Tasks.v3.5.ni.dll
+ 2009-12-11 08:21 . 2009-12-11 08:21 1888768 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Eng#\5dd4f58999eed37c12aee7ea9f9863ac\Microsoft.Build.Engine.ni.dll
+ 2009-12-11 08:09 . 2009-12-11 08:09 3149824 c:\windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
- 2009-12-10 10:33 . 2009-12-10 10:33 3149824 c:\windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
- 2009-12-10 10:33 . 2009-12-10 10:33 2048000 c:\windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
+ 2009-12-11 08:09 . 2009-12-11 08:09 2048000 c:\windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
- 2009-12-10 10:33 . 2009-12-10 10:33 5025792 c:\windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
+ 2009-12-11 08:08 . 2009-12-11 08:08 5025792 c:\windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
- 2009-12-10 10:33 . 2009-12-10 10:33 5062656 c:\windows\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll
+ 2009-12-11 08:08 . 2009-12-11 08:08 5062656 c:\windows\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll
+ 2009-12-11 08:08 . 2009-12-11 08:08 5242880 c:\windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
- 2009-12-10 10:33 . 2009-12-10 10:33 5242880 c:\windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
- 2009-12-10 10:33 . 2009-12-10 10:33 2933248 c:\windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
+ 2009-12-11 08:09 . 2009-12-11 08:09 2933248 c:\windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
- 2009-12-10 10:33 . 2009-12-10 10:33 4546560 c:\windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
+ 2009-12-11 08:09 . 2009-12-11 08:09 4546560 c:\windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
+ 2009-08-15 02:32 . 2009-08-15 02:32 11110912 c:\windows\Installer\1c2c472.msp
+ 2009-04-04 17:36 . 2009-04-04 17:36 21390848 c:\windows\Installer\1c2c308.msp
+ 2009-04-04 23:09 . 2009-04-04 23:09 15190016 c:\windows\Installer\1c2c2f4.msp
+ 2009-12-11 08:12 . 2009-12-11 08:12 12430848 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d2ea8d76f015817db1607075812b555f\System.Windows.Forms.ni.dll
+ 2009-12-11 08:23 . 2009-12-11 08:23 11796992 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web\5cea03cfb008f2eac1439a9905467f37\System.Web.ni.dll
+ 2009-12-11 08:14 . 2009-12-11 08:14 17317888 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceModel\06d6eab93282d2b136a377bd50b7c5a9\System.ServiceModel.ni.dll
+ 2009-12-11 08:11 . 2009-12-11 08:11 10683392 c:\windows\assembly\NativeImages_v2.0.50727_32\

#19 nenadrew

Posted 11 December 2009 - 05:19 AM

Here is the Hijack This log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:11:52 AM, on 12/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Nena Drew Thrower.NENA\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Freebie Notes] "C:\Program Files\Power Soft\Freebie Notes\FreebieNotes.exe"
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {22492231-AEF0-49FC-9180-CE8969AB1273} (F-Secure Online Scanner Launcher) - http://download.sp.f.../fslauncher.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 6297 bytes

#20 nenadrew

Posted 11 December 2009 - 05:27 AM

The BitDefender log is in .html, so I'll try attaching again (couldn't get that to work last night.) (Ah. Apparently this is one of those things that works in IE but not Netscape. Now I know, eh?)

I don't understand why those same emails showed up again, since they have been deleted from both drives.

Thanks!

Nena

Attached File  bdscan.html   26.85KB   48 downloads

Edited by nenadrew, 11 December 2009 - 05:33 AM.


#21 TheJoker

Posted 11 December 2009 - 06:00 AM

> I don't understand why those same emails showed up again, since they have been deleted from both drives.

These look like they were different e-mails; they are on a different drive, and some were from a different person than the other e-mails. Please check to see that the e-mails were actually deleted.

It looks like it failed to delete some of the infected files. Using Windows Explorer, delete the following files if still there:
C:\ZIP\FirstPage\1stpage2.zip
J:\Backup Files May 6 2009\ZIP\FirstPage\1stpage2.zip

The registry entry still was not deleted by ComboFix. I'll need to check on a different method to remove the locked registry entry.

Free Tools for Fighting Malware
Anti-Virus: avast! Free Antivirus / Avira Free AntiVirus
OnLine Anti-Virus: ESET / BitDefender / F-Secure
Anti-Malware: Malwarebytes' Anti-Malware / Dr.Web CureIt
Spyware/Adware Tools: MVPS HOSTS File / SpywareBlaster
Firewall: Comodo Firewall Free / Privatefirewall
Tutorials: How did I get Infected? / Internet Explorer Privacy & Security Settings
If we have helped, please help us continue the fight by using the Donate button, or see this topic for other ways to donate.

MS MVP 2009-20010 and ASAP Member since 2005


#22 nenadrew

Posted 11 December 2009 - 07:39 PM

> These look like they were different e-mails, they are on a different drive and some were from a different person than the other e-mails. Please check to see that the e-mails were actually deleted.


They're actually the same two drives - the C:\ drive and the external hdd (J:\). For some reason, Kaspersky read those drives as D and E instead of C and J; I figured it was because the Kaspersky disk was created on my husband's computer, where D:\ is the main drive.

Yes, some of the emails noted on the BitDefender log were from a different person (Danny), but it's also still showing the Kim emails that I know were deleted - I have triple-checked to be sure. I have emptied email trash, emptied the recycle bin, and deleted all temporary files, too.

On the Kim emails, there was nothing important there so I didn't mind deleting her whole subdirectory. But it's a different story with the Danny emails; I would really rather not delete every email received from my brother over the last umpteen years. Is there some way I can find which specific message BitDefender refers to as message 643 and just delete that?

I have read some discussion online about the Generic.Peed.Eml infection, and gather that this is something usually only found by BitDefender; I couldn't even find any description of what it does. Is it possible that this is a false positive and could safely be ignored?


> It looks like it failed to delete some of the infected files. Using Windows Explorer, delete the following files if still there:
> C:\ZIP\FirstPage\1stpage2.zip
> J:\Backup Files May 6 2009\ZIP\FirstPage\1stpage2.zip


Done. Deleted the whole First Page directory on both drives. I ran BitDefender again, and it no longer finds those entries. Still finds those emails, though, darn it. I'm attaching the new BitDefender log in case you wanted to see it.

Thanks!

Nena

Attached File  bdscan2.html   24.54KB   44 downloads

#23 TheJoker

Posted 11 December 2009 - 11:39 PM

> Is there some way I can find which specific message BitDefender refers to as message 643 and just delete that?

No way that I know of from that log as it didn't identify the date/time/subject.
One option would be to try another online scanner and see if it can detect and disinfect the e-mail.

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan
  • Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

Now let's see if we can get some more information on the registry key that couldn't be deleted.


Open Notepad and copy/paste the contents in the quote box below into Notepad.

@echo off
swreg null query "HKU\S-1-5-21-2025429265-688789844-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved" /s /f
Start Log.txt
DEL %0

Save this as look.bat and make sure the "Save as Type" field says "All Files".

Double click on look.bat & allow it to run. Then post the log which it produces.


Download GMER Rootkit Scanner from here.

Uninstall any CD emulation software before you run GMER, such as DAEMON Tools or Alcohol. These can be reinstalled later.
  • Extract the contents of the zipped file to your Desktop.
  • Double-click on GMER.exe to run it.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan, click NO, and then use the following settings.
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED:
    • Sections
    • IAT/EAT
    • Drives/Partition other than your Systemdrive (the drive you have Windows installed on)
    • Show All (don't miss unchecking this one)
  • Then click the Scan button & wait for it to finish.
  • When it's finished, click on the Save button, and in the File name area, type in "gmer.txt".
  • Save it to a convenient location such as your Desktop

Please post a new HijackThis log, the log from ESET's online scan, the log from running SWREG (Log.txt), the log from GMER (gmer.txt), and note any errors encountered.

MS MVP 2009-20010 and ASAP Member since 2005
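
On the question above of which message a scanner means by "message 643": Mozilla-family mail clients keep each mail folder as a single mbox file, so its messages can be listed by position with date, sender and subject. The following is an added example, not part of the original posts; the sample folder is constructed, the function names are hypothetical, and it is an assumption that a scanner's message number is a position in the mbox file (the numbering base is unknown, so both candidates are returned).

```python
import mailbox
import os
import tempfile

EXPUNGED = 0x0008  # X-Mozilla-Status bit: deleted in the client, not yet compacted

# Constructed sample folder (not data from the thread): three messages in mbox
# layout, the second flagged deleted, the third carrying scripted HTML.
SAMPLE_MBOX = b"\n".join([
    b"From - Mon Jan 03 10:00:00 2005",
    b"X-Mozilla-Status: 0001",
    b"From: Danny <danny@example.com>",
    b"Date: Mon, 03 Jan 2005 10:00:00 -0600",
    b"Subject: Holiday photos",
    b"Content-Type: text/plain",
    b"",
    b"See you soon.",
    b"",
    b"From - Tue Feb 08 09:30:00 2005",
    b"X-Mozilla-Status: 0009",
    b"From: Danny <danny@example.com>",
    b"Date: Tue, 08 Feb 2005 09:30:00 -0600",
    b"Subject: Re: lunch",
    b"Content-Type: text/plain",
    b"",
    b"Friday works.",
    b"",
    b"From - Wed Mar 09 18:45:00 2005",
    b"X-Mozilla-Status: 0001",
    b"From: Danny <danny@example.com>",
    b"Date: Wed, 09 Mar 2005 18:45:00 -0600",
    b"Subject: Fwd: funny",
    b"Content-Type: text/html",
    b"",
    b"<html><body>Hi<SCRIPT>/* constructed marker */</SCRIPT></body></html>",
    b"",
])


def has_scripted_html(msg):
    """Heuristic only: True if any text/html part contains a <script tag."""
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        body = part.get_payload(decode=True) or b""
        if b"<script" in body.lower():
            return True
    return False


def index_folder(path):
    """Return one row per message in the mbox file, in file order."""
    box = mailbox.mbox(path, create=False)
    try:
        rows = []
        for position, key in enumerate(box.keys(), start=1):
            msg = box[key]
            try:
                status = int(str(msg.get("X-Mozilla-Status", "0")).strip(), 16)
            except ValueError:
                status = 0
            rows.append({
                "position": position,  # 1-based position in the file
                "date": str(msg.get("Date", "")),
                "sender": str(msg.get("From", "")),
                "subject": str(msg.get("Subject", "")),
                "deleted_flag": bool(status & EXPUNGED),
                "scripted_html": has_scripted_html(msg),
            })
        return rows
    finally:
        box.close()


def candidates_for(rows, reported):
    """Rows a scanner could mean by `reported`, counting from 1 or from 0."""
    wanted = {reported, reported + 1}
    return [row for row in rows if row["position"] in wanted]


def demo_rows():
    """Write the constructed folder to a temp file, index it, clean up."""
    fd, path = tempfile.mkstemp(suffix=".mbox")
    try:
        with os.fdopen(fd, "wb") as handle:
            handle.write(SAMPLE_MBOX)
        return index_folder(path)
    finally:
        os.remove(path)


if __name__ == "__main__":
    for row in demo_rows():
        print(row)
```

A message whose deleted flag is set is still physically present in the folder file until the folder is compacted, so a file scanner can keep reporting it after it has been deleted in the mail client.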


#24 nenadrew

Posted 12 December 2009 - 02:21 PM

ESET log:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=2ffb2d1466a3fd4fa2e1830d68df83f4
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=false
# utc_time=2009-12-12 11:57:40
# local_time=2009-12-12 05:57:40 (-0600, Central Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 3504597 3504597 0 0
# compatibility_mode=3073 16777189 80 89 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=229807
# found=2
# cleaned=2
# scan_time=12051
C:\Documents and Settings\Nena Drew Thrower.NENA\Application Data\Mozilla\Profiles\nenadrew\0bbmyzi6.slt\Mail\mail.cableone.net\Old Friends.sbd\Kim JS/KakWorm.A worm (contained infected files) DBA0E2525062F9951FAC895A6DFF6B67 C
C:\ZIP\Unlocker\unlocker1.8.7.exe a variant of Win32/Adware.ADON application (deleted - quarantined) D1BA8373DF4F53E95CE984FE4CEC3D15 C

#25 nenadrew

Posted 12 December 2009 - 02:22 PM

Hijack This log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:03:59 PM, on 12/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Documents and Settings\Nena Drew Thrower.NENA\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Freebie Notes] "C:\Program Files\Power Soft\Freebie Notes\FreebieNotes.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {22492231-AEF0-49FC-9180-CE8969AB1273} (F-Secure Online Scanner Launcher) - http://download.sp.f.../fslauncher.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset...lineScanner.cab
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 6572 bytes

#26 nenadrew

Posted 12 December 2009 - 02:28 PM

Fwiw, the folks at Spybot had me try to run GMER back when all the problems first started, but it would scan for a couple of hours and just stop. This time it completed the scan without a hitch.

GMER log:

GMER 1.0.15.15279 - http://www.gmer.net
Rootkit scan 2009-12-12 13:00:12
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\NENADR~1.NEN\LOCALS~1\Temp\pxtdqpoc.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwAdjustPrivilegesToken [0xA7F85BCC]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwConnectPort [0xA7F851AA]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateFile [0xA7F85832]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateKey [0xA7F8634C]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreatePort [0xA7F8508C]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateSection [0xA7F8705C]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateSymbolicLinkObject [0xA7F872F4]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateThread [0xA7F84C52]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwDeleteKey [0xA7F85FB6]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwDeleteValueKey [0xA7F86166]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwDuplicateObject [0xA7F84A84]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwLoadDriver [0xA7F86CDE]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwMakeTemporaryObject [0xA7F8542E]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenFile [0xA7F85A0E]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenProcess [0xA7F847B4]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenSection [0xA7F856BE]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenThread [0xA7F8492C]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwRenameKey [0xA7F86712]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwRequestWaitReplyPort [0xA7F8763A]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSecureConnectPort [0xA7F86A7A]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSetSecurityObject [0xA7F85DB2]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSetSystemInformation [0xA7F86E8C]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSetValueKey [0xA7F86512]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwShutdownSystem [0xA7F853C8]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSystemDebugControl [0xA7F855B2]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwTerminateProcess [0xA7F84F56]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwTerminateThread [0xA7F84E24]

---- Devices - GMER 1.0.15 ----

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Roxio)

---- Registry - GMER 1.0.15 ----

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{D433C04C-54CB-4BB3-0F86-29103BADBBDF}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{D433C04C-54CB-4BB3-0F86-29103BADBBDF}@iaipepepnkenhcmlom 0x6A 0x61 0x62 0x65 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{D433C04C-54CB-4BB3-0F86-29103BADBBDF}@jaoggaejeknbedcpnfjm 0x6A 0x61 0x62 0x65 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{D433C04C-54CB-4BB3-0F86-29103BADBBDF}@hakggfejjddpcnci 0x62 0x62 0x67 0x70 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{D433C04C-54CB-4BB3-0F86-29103BADBBDF}@hakggfejedobofmi 0x70 0x62 0x70 0x64 ...

---- Files - GMER 1.0.15 ----

File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\A0006563.EXE.info 250 bytes
File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\A0022272.EXE.info 252 bytes
File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\A0023862.exe 1433864 bytes executable
File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\A0023862.exe.info 244 bytes
File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\SPEU.exe 1433864 bytes executable
File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\SPEU.exe.info 96 bytes
File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\SPEU.exe1 1433864 bytes executable
File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\SPEU.exe1.info 86 bytes

---- EOF - GMER 1.0.15 ----

#27 nenadrew

Posted 12 December 2009 - 03:08 PM

Double click on look.bat & allow it to run. Then post the log which it produces.


Joker, SWREG looked like it tried to run, but popped up an error message on top of the command screen, saying 'Windows cannot find log.txt.' I'm inserting a screenshot so you can see what it did.

Posted Image

Thanks!

Nena

Edited by nenadrew, 12 December 2009 - 04:03 PM.


#28 TheJoker

Posted 12 December 2009 - 07:03 PM

Let's try to get that log a different way.

Open a Command Prompt window:
Go to Start > All Programs > Accessories > Command Prompt
Copy the following line and paste it into the Command Prompt window and hit Enter.
SWReg null query HKU\S-1-5-21-2025429265-688789844-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved /s /f >> C:\exportnulls.txt

Please post the contents of the file at C:\exportnulls.txt

Free Tools for Fighting Malware
Anti-Virus: avast! Free Antivirus / Avira Free AntiVirus
OnLine Anti-Virus: ESET / BitDefender / F-Secure
Anti-Malware: Malwarebytes' Anti-Malware / Dr.Web CureIt
Spyware/Adware Tools: MVPS HOSTS File / SpywareBlaster
Firewall: Comodo Firewall Free / Privatefirewall
Tutorials: How did I get Infected? / Internet Explorer Privacy & Security Settings
If we have helped, please help us continue the fight by using the Donate button, or see this topic for other ways to donate.

MS MVP 2009-20010 and ASAP Member since 2005


#29 nenadrew

Posted 12 December 2009 - 08:15 PM

Contents of exportnulls.txt:


SteelWerX Registry Console Tool 2.0
Written by Bobbi Flekman 2006 ©

Error: Key: s-1-5-21-2025429265-688789844-682003330-1004\software\microsoft\windows\currentversion\shell does not exist!


Hmmn. Not what we needed, I suspect. If there is something else to try, I'm game. Do all my other logs look ok now?

Nena

#30 TheJoker

Posted 12 December 2009 - 11:45 PM

We need to make sure you have the most recent version of ComboFix.
Delete your current copy of ComboFix.exe.
Download ComboFix© by sUBs from one of these links:
http://download.blee...Bs/ComboFix.exe
http://www.forospywa...Bs/ComboFix.exe

Save the file to your Desktop.

Close any open browsers.
Close your AntiVirus and any anti-spyware programs you may be running.

For this next step, please ensure that ComboFix.exe is on your desktop:

Please open Notepad *Do Not Use Wordpad!* (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below:
Save this as "CFScript.txt" and change the "Save as type" to "All Files" and place it on your desktop.

File::
C:\Program Files\COMODO\COMODO Internet Security\Quarantine\A0006563.EXE.info
C:\Program Files\COMODO\COMODO Internet Security\Quarantine\A0022272.EXE.info
C:\Program Files\COMODO\COMODO Internet Security\Quarantine\A0023862.exe
C:\Program Files\COMODO\COMODO Internet Security\Quarantine\A0023862.exe.info
C:\Program Files\COMODO\COMODO Internet Security\Quarantine\SPEU.exe
C:\Program Files\COMODO\COMODO Internet Security\Quarantine\SPEU.exe.info
C:\Program Files\COMODO\COMODO Internet Security\Quarantine\SPEU.exe1
C:\Program Files\COMODO\COMODO Internet Security\Quarantine\SPEU.exe1.info

RegNull::
[HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{D433C04C-54CB-4BB3-0F86-29103BADBBDF}*]

Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it will produce a log for you at C:\ComboFix.txt. Please post that log in your next reply.

Please post a new HijackThis log and the log from ComboFix (combofix.txt), and note any errors encountered.


#31 nenadrew

Posted 13 December 2009 - 03:37 AM

ComboFix log:

ComboFix 09-12-11.05 - Nena Drew Thrower 12/13/2009 1:00.4.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2037.1567 [GMT -6:00]
Running from: c:\documents and settings\Nena Drew Thrower.NENA\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Nena Drew Thrower.NENA\Desktop\CFScript.txt
AV: COMODO Antivirus *On-access scanning disabled* (Updated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}

FILE ::
"c:\program files\COMODO\COMODO Internet Security\Quarantine\A0006563.EXE.info"
"c:\program files\COMODO\COMODO Internet Security\Quarantine\A0022272.EXE.info"
"c:\program files\COMODO\COMODO Internet Security\Quarantine\A0023862.exe"
"c:\program files\COMODO\COMODO Internet Security\Quarantine\A0023862.exe.info"
"c:\program files\COMODO\COMODO Internet Security\Quarantine\SPEU.exe"
"c:\program files\COMODO\COMODO Internet Security\Quarantine\SPEU.exe.info"
"c:\program files\COMODO\COMODO Internet Security\Quarantine\SPEU.exe1"
"c:\program files\COMODO\COMODO Internet Security\Quarantine\SPEU.exe1.info"
.

((((((((((((((((((((((((( Files Created from 2009-11-13 to 2009-12-13 )))))))))))))))))))))))))))))))
.

2009-12-12 19:38 . 1998-07-24 14:42 101376 ----a-w- c:\windows\system32\Ptsaab32.dll
2009-12-12 19:38 . 1998-07-24 14:42 96768 ----a-w- c:\windows\system32\Ptsacx40.dll
2009-12-12 19:38 . 1998-07-24 11:05 50048 ----a-w- c:\windows\system32\PTSAABDB.DLL
2009-12-12 19:38 . 1998-07-24 11:04 116640 ----a-w- c:\windows\system32\Ptsaci40.dll
2009-12-12 19:38 . 1997-10-01 14:20 30080 ----a-w- c:\windows\system32\Ptabimp3.exe
2009-12-12 19:38 . 1997-10-01 14:20 21840 ----a-w- c:\windows\system32\PTSAAB30.DLL
2009-12-12 19:38 . 1994-11-22 15:09 317116 ----a-w- c:\windows\system32\WBTR32.EXE
2009-12-12 19:38 . 1994-11-22 14:54 17704 ----a-w- c:\windows\system32\WBTRLOCL.DLL
2009-12-12 19:38 . 1994-11-22 14:52 4280 ----a-w- c:\windows\system32\WBT32RES.DLL
2009-12-12 19:38 . 1994-11-17 10:22 16496 ----a-w- c:\windows\system32\WBTRCALL.DLL
2009-12-12 19:38 . 1994-08-10 15:43 4128 ----a-w- c:\windows\system32\WBTRVRES.DLL
2009-12-12 08:32 . 2009-12-12 08:32 -------- d-----w- c:\program files\ESET
2009-12-11 09:21 . 2004-08-04 10:00 55808 -c--a-w- c:\windows\system32\dllcache\eventlog.dll
2009-12-11 09:21 . 2004-08-04 10:00 55808 ------w- c:\windows\system32\eventlog.dll
2009-12-10 23:45 . 2009-12-10 23:45 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\McAfee
2009-12-10 23:45 . 2009-12-10 23:45 152576 ----a-w- c:\documents and settings\Nena Drew Thrower.NENA\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-12-10 12:19 . 2009-07-27 23:17 135168 -c----w- c:\windows\system32\dllcache\shsvcs.dll
2009-12-10 12:19 . 2009-07-27 23:17 8461824 -c----w- c:\windows\system32\dllcache\shell32.dll
2009-12-10 10:27 . 2009-12-10 10:27 -------- d-----w- c:\windows\system32\XPSViewer
2009-12-10 10:27 . 2009-12-10 10:27 -------- d-----w- c:\program files\MSBuild
2009-12-10 10:26 . 2009-12-10 10:26 -------- d-----w- c:\program files\Reference Assemblies
2009-12-10 10:26 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-12-10 10:26 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-12-10 10:26 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-12-10 10:26 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-12-10 10:26 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-12-10 10:26 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-12-10 10:26 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-12-10 10:26 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2009-12-10 00:11 . 2009-12-10 00:11 -------- d-sh--w- c:\documents and settings\Default User.WINDOWS\IETldCache
2009-12-09 22:33 . 2009-12-09 22:33 -------- d-sh--w- c:\documents and settings\NetworkService.NT AUTHORITY\IETldCache
2009-12-09 15:12 . 2009-12-03 22:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-09 15:12 . 2009-12-09 15:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-09 15:12 . 2009-12-03 22:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-09 13:32 . 2009-12-09 22:28 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-07 13:53 . 2009-12-07 13:53 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Kaspersky Lab
2009-12-03 20:04 . 2008-04-13 19:40 36352 ----a-w- c:\windows\system32\drivers\disk.sys
2009-12-03 08:03 . 2009-12-03 08:03 -------- d-----w- c:\documents and settings\Default User.WINDOWS\Local Settings\Application Data\Microsoft Help
2009-12-02 19:43 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-12-02 19:42 . 2009-07-31 04:35 1172480 -c----w- c:\windows\system32\dllcache\msxml3.dll
2009-12-02 19:42 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-12-02 19:41 . 2009-08-04 15:13 2145280 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-12-02 19:41 . 2009-08-04 14:20 2023936 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-12-02 19:41 . 2009-08-04 14:20 2066048 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-12-02 19:41 . 2009-06-22 06:44 726528 -c----w- c:\windows\system32\dllcache\jscript.dll
2009-12-02 19:33 . 2009-08-07 01:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-12-02 19:33 . 2009-08-07 01:23 215920 ----a-w- c:\windows\system32\muweb.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-12 19:41 . 2008-06-14 00:58 -------- d-----w- c:\program files\Broderbund
2009-12-12 19:41 . 2008-06-14 01:03 -------- d-----w- c:\program files\Web Publish
2009-12-11 08:03 . 2009-05-22 15:11 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft Help
2009-12-11 08:02 . 2008-02-26 16:55 -------- d-----w- c:\program files\Microsoft Works
2009-12-10 23:46 . 2009-05-09 06:29 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-10 12:36 . 2009-08-30 22:40 171552 ----a-w- c:\windows\system32\guard32.dll
2009-12-10 12:36 . 2009-08-30 22:40 87104 ----a-w- c:\windows\system32\drivers\inspect.sys
2009-12-10 12:36 . 2009-08-30 22:40 25160 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2009-12-10 12:36 . 2009-08-30 22:40 133064 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2009-12-09 15:05 . 2009-05-08 03:09 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2009-11-30 23:31 . 2009-05-11 17:23 -------- d-----w- c:\documents and settings\Nena Drew Thrower.NENA\Application Data\uTorrent
2009-11-08 19:03 . 2009-11-08 19:03 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\F-Secure
2009-11-06 20:22 . 2009-11-06 20:22 -------- d-----w- c:\program files\Panda Security
2009-11-01 11:11 . 2009-11-01 11:11 -------- d-----w- c:\program files\HiddenFinder
2009-10-31 23:18 . 2009-10-30 21:00 -------- d-----w- c:\program files\Windows Live Safety Center
2009-10-31 19:06 . 2009-10-31 19:06 -------- d-----w- c:\program files\Trend Micro
2009-10-29 07:45 . 2006-03-04 03:33 916480 ------w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2004-08-04 10:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 10:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 10:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-20 07:32 . 2009-05-08 10:01 -------- d-----w- c:\program files\Soulseek
2009-10-16 12:33 . 2009-10-02 07:46 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-13 10:30 . 2004-08-04 10:00 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2004-08-04 10:00 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2004-08-04 10:00 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-06 08:29 . 2009-10-06 08:28 126970 ----a-w- c:\documents and settings\Nena Drew Thrower.NENA\Application Data\Move Networks\uninstall.exe
2009-10-06 08:29 . 2009-08-03 21:48 4187512 ----a-w- c:\documents and settings\Nena Drew Thrower.NENA\Application Data\Move Networks\plugins\npqmp071505000010.dll
2009-10-02 07:47 . 2009-10-02 07:47 117760 ----a-w- c:\documents and settings\Nena Drew Thrower.NENA\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-09-16 23:34 . 2009-05-08 20:56 50220 ---ha-w- c:\windows\system32\mlfcache.dat
2009-09-16 19:17 . 2009-09-16 19:17 79144 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Apple Computer\Installer Cache\iTunes 9.0.0.70\SetupAdmin.exe
.

((((((((((((((((((((((((((((( SnapShot_2009-12-11_09.53.58 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-12-13 01:17 . 2009-12-13 01:17 16384 c:\windows\Temp\Perflib_Perfdata_340.dat
- 1997-10-23 17:15 . 1997-10-23 17:15 97968 c:\windows\system32\POSTWPP.DLL
+ 1997-10-23 17:15 . 1997-10-23 18:15 97968 c:\windows\system32\POSTWPP.DLL
- 1997-10-23 17:15 . 1997-10-23 17:15 50288 c:\windows\system32\PIPARSE.DLL
+ 1997-10-23 17:15 . 1997-10-23 18:15 50288 c:\windows\system32\PIPARSE.DLL
+ 1997-10-23 17:15 . 1997-10-23 18:15 98432 c:\windows\system32\FTPWPP.DLL
- 1997-10-23 17:15 . 1997-10-23 17:15 98432 c:\windows\system32\FTPWPP.DLL
- 1997-10-22 21:33 . 1997-10-22 21:33 95744 c:\windows\system32\FPWPP.DLL
+ 1997-10-22 21:33 . 1997-10-22 22:33 95744 c:\windows\system32\FPWPP.DLL
+ 2009-05-08 22:31 . 1997-04-09 02:08 299520 c:\windows\uninst.exe
- 2009-05-08 22:31 . 1997-04-09 01:08 299520 c:\windows\uninst.exe
+ 1997-10-23 17:15 . 1997-10-23 18:15 108976 c:\windows\system32\WPWIZDLL.DLL
- 1997-10-23 17:15 . 1997-10-23 17:15 108976 c:\windows\system32\WPWIZDLL.DLL
- 1997-10-23 17:15 . 1997-10-23 17:15 143312 c:\windows\system32\WEBPOST.DLL
+ 1997-10-23 17:15 . 1997-10-23 18:15 143312 c:\windows\system32\WEBPOST.DLL
+ 2009-05-07 19:27 . 2009-12-12 19:43 211288 c:\windows\system32\FNTCACHE.DAT
- 2009-05-07 19:27 . 2009-12-11 09:07 211288 c:\windows\system32\FNTCACHE.DAT
+ 1997-10-23 17:15 . 1997-10-23 18:15 120432 c:\windows\system32\CRSWPP.DLL
- 1997-10-23 17:15 . 1997-10-23 17:15 120432 c:\windows\system32\CRSWPP.DLL
+ 2009-12-12 19:38 . 1998-11-24 13:21 546304 c:\windows\BBStore\DSS\DSSAGENT.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Freebie Notes"="c:\program files\Power Soft\Freebie Notes\FreebieNotes.exe" [2009-04-13 1051520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-14 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-14 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-14 138008]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 813912]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-26 16132608]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2009-12-10 1800464]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-10 149280]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Microtek Scanner Finder.lnk - c:\program files\Microtek\ScanWizard 5\ScannerFinder.exe [2008-6-6 339968]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-05-06 08:40 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-09-09 02:09 305440 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2006-08-17 14:00 1116920 ----a-w- c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2009-09-15 16:42 1998576 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Soulseek\\slsk.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Alchemy Mindworks\\Graphic Workshop Professional 3\\alchuddl.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [11/6/2009 2:22 PM 28552]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [8/30/2009 4:40 PM 133064]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S3 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [5/19/2009 1:36 PM 12672]
S3 KProcWatch;KProcWatch;c:\windows\system32\drivers\KProcWatch.sys [11/1/2009 5:11 AM 8576]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(708)
c:\windows\system32\guard32.dll
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll

- - - - - - - > 'lsass.exe'(764)
c:\windows\system32\guard32.dll

- - - - - - - > 'explorer.exe'(1088)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2009-12-13 01:06:36
ComboFix-quarantined-files.txt 2009-12-13 07:06
ComboFix2.txt 2009-12-11 01:51
ComboFix3.txt 2009-12-10 08:53

Pre-Run: 51,153,039,360 bytes free
Post-Run: 51,113,865,216 bytes free

- - End Of File - - 1865D44791BC1CEE79654FFC52A29EBE

#32 nenadrew

Posted 13 December 2009 - 03:48 AM

Hijack This log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:37:58 AM, on 12/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Nena Drew Thrower.NENA\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Freebie Notes] "C:\Program Files\Power Soft\Freebie Notes\FreebieNotes.exe"
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {22492231-AEF0-49FC-9180-CE8969AB1273} (F-Secure Online Scanner Launcher) - http://download.sp.f.../fslauncher.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset...lineScanner.cab
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 6429 bytes

#33 TheJoker

Posted 13 December 2009 - 10:41 AM

The entries are gone. I would also delete any other items in your Comodo quarantine. In Comodo go to AntiVirus, Common Tasks, Quarantined Items, and click the Clear button. This will delete all the quarantined items.

I see that you have P2P (Peer-to-Peer) file sharing programs installed (Soulseek, uTorrent.exe). Your infection may have come from a downloaded program from one of those P2P networks. I highly recommend that you consider uninstalling them. P2P programs represent a security threat to the information on your system as they allow others to access your system. Just look at the number of high profile compromises in the news as a result of P2P software:
Data about Obama's helicopter breached via P2P?
Leak of congressional ethics document prompts calls for cybersecurity probe
Walter Reed suffers peer-to-peer data breach
Update: Seattle man arrested for p-to-p ID theft

More listed here:
Data Security Threats And Breaches
You should read the link at the bottom of that page:
Why File Sharing Networks Are Dangerous (Dartmouth study, .pdf file)

In many cases P2P programs also represent a risk of infection from the program itself, as some have installed adware/spyware, or other programs without consent. Even if the program itself is clean, many P2P networks are riddled with malware, and it's often the newest, most difficult to remove malware. There are many risks associated with P2P programs; none are worth the risks. If you don't uninstall the P2P software, we will continue to clean your system, but realize that it's likely only a matter of time before you are infected again if you continue to download from P2P networks.

Go to start > run and copy and paste the next command in the field:
ComboFix /uninstall

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, implement some cleanup procedures, and reset System Restore points.

Run Disk Cleanup
  • Go to Start > Run and type the below line:
    cleanmgr
  • Click OK
    • If you have more than one drive, select the drive Windows is installed on
    • Click OK
  • When Disk Cleanup opens, select the More Options tab
  • In the System Restore section (bottom of window), click Cleanup
    • In the confirmation window that opens, click Yes
  • Now click on the Disk Cleanup tab and select the following items:
    • Downloaded Program Files
    • Temporary Internet Files
    • Recycle Bin
    • Temporary Files
  • Click OK
  • In the confirmation window, select Yes (Disk Cleanup will close).

To help keep malware off your system:
  • Keep Windows updated at Windows Update or Microsoft Update.
  • Keep your other applications updated; there are vulnerabilities that rely on exploits through other programs like Java, Microsoft Office, Adobe Reader, Flash, and others.
  • Run a program like Secunia Software Inspector Scan to see what programs need to be updated.
  • Be careful with flash drives, as they can spread infections. See this post on USB/flash drive safety.
  • Stay away from P2P software; even with a clean P2P program, their networks are often riddled with malware.
  • Don't click on attachments or links in e-mail, and read your e-mail in text-only mode for the highest safety.
  • Don't click on links received in instant message programs.
  • In place of Internet Explorer, browse with Firefox with the NoScript and AdBlock Plus add-ons.
  • A HOSTS file will prevent Internet Explorer from communicating with sites known to be associated with adware or spyware. A good regularly updated HOSTS file is MVPS HOSTS File, available at http://www.mvps.org/...2002/hosts.htm.
  • A free non-resident utility to prevent the installation of ActiveX-based malware is JavaCool's SpywareBlaster. For real-time protection, there is SpywareGuard. Both are available at http://www.javacools.../products.html.
  • I recommend reading Tony Klein's article So How did I get Infected in the First Place? at http://www.spywarein...showtopic=60955

Does your problem appear resolved?

Free Tools for Fighting Malware
Anti-Virus: avast! Free Antivirus / Avira Free AntiVirus
OnLine Anti-Virus: ESET / BitDefender / F-Secure
Anti-Malware: Malwarebytes' Anti-Malware / Dr.Web CureIt
Spyware/Adware Tools: MVPS HOSTS File / SpywareBlaster
Firewall: Comodo Firewall Free / Privatefirewall
Tutorials: How did I get Infected? / Internet Explorer Privacy & Security Settings
If we have helped, please help us continue the fight by using the Donate button, or see this topic for other ways to donate.

MS MVP 2009-20010 and ASAP Member since 2005


#34 nenadrew

Posted 14 December 2009 - 06:06 AM

Joker, my computer seems to be working smoothly once more, and I cannot thank you enough for your patient help in getting it back - I truly thought my data files were toast. I have finished the tidying-up actions you recommended, including running Secunia and updating the few programs it noted. The tips on how to be more vigilant are much appreciated, and I will consider what you've said about P2P.

Thank you! Merry Christmas!

Nena

#35 TheJoker

Posted 14 December 2009 - 05:00 PM

Glad we could help. :)

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
