Need to get rid of rootkit.


Need to get rid of rootkit.

Post by Uthanak on Thu 01 Sep 2011, 3:56 pm

Hello, I came here as a last resort, because I have done a good portion of the disinfection so far, but a rootkit remains and I cannot find it. I ran OTL and will post the log below. AswMBR.exe closes down after running for a short while, and I cannot reopen it afterwards because it says Windows does not have access to it. But I saw before it closed down that it had found Orajeon.rootkit or something like that, which other disinfection tools had not found so far. I also have a Security Check log that I will post below. Basically, as of right now the virus opens a new tab as I click on a link while web surfing, which says in the new tab: congratulations, you have won something.

OTL log:

OTL logfile created on: 10/2/2011 12:23:12 AM - Run 3
OTL by OldTimer - Version 3.2.26.7 Folder = C:\Documents and Settings\Maxim\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.25 Gb Total Physical Memory | 2.74 Gb Available Physical Memory | 84.21% Memory free
5.09 Gb Paging File | 4.69 Gb Available in Paging File | 92.21% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 298.09 Gb Total Space | 118.71 Gb Free Space | 39.82% Space Free | Partition Type: NTFS
Drive D: | 1.13 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF
Drive E: | 245.23 Mb Total Space | 110.27 Mb Free Space | 44.97% Space Free | Partition Type: FAT
Drive F: | 1.29 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: MAXIM-9C1E76C15 | User Name: Maxim | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/10/02 00:22:28 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Maxim\Desktop\OTL.com
PRC - [2011/06/10 13:04:22 | 000,142,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Desktop Manager\dwm.exe
PRC - [2009/12/10 03:39:04 | 000,065,536 | ---- | M] (PostgreSQL Global Development Group) -- C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe
PRC - [2009/12/10 03:37:16 | 003,690,496 | ---- | M] (PostgreSQL Global Development Group) -- C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/11/13 19:51:24 | 002,510,848 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 2.3\program\soffice.bin
PRC - [2007/11/13 19:49:22 | 002,359,296 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
PRC - [2007/05/28 12:57:54 | 000,275,968 | ---- | M] (Rocket Division Software) -- C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
PRC - [2004/10/28 09:29:48 | 000,581,632 | ---- | M] (Logitech Inc.) -- C:\Program Files\Logitech\SetPoint\KEM.exe
PRC - [2004/10/21 13:28:40 | 000,029,696 | ---- | M] (Logitech Inc.) -- C:\Program Files\Logitech\SetPoint\KHALMNPR.exe


========== Modules (No Company Name) ==========

MOD - [2010/02/05 14:27:45 | 001,291,776 | ---- | M] () -- C:\WINDOWS\system32\quartz.dll
MOD - [2008/04/13 20:11:59 | 000,014,336 | ---- | M] () -- C:\WINDOWS\system32\msdmo.dll
MOD - [2008/04/13 20:11:51 | 000,059,904 | ---- | M] () -- C:\WINDOWS\system32\devenum.dll
MOD - [2007/08/08 19:15:02 | 000,828,416 | ---- | M] () -- C:\Program Files\OpenOffice.org 2.3\program\libxml2.dll
MOD - [2004/10/28 09:27:18 | 000,086,016 | ---- | M] () -- C:\Program Files\Logitech\SetPoint\lgscroll.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (NMIndexingService)
SRV - File not found [On_Demand | Stopped] -- -- (McComponentHostService)
SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - [2011/06/10 13:04:22 | 000,142,336 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\Desktop Manager\dwm.exe -- (USmsServ)
SRV - [2010/09/17 12:13:10 | 000,185,640 | ---- | M] () [On_Demand | Stopped] -- C:\Documents and Settings\Maxim\Application Data\Mikogo\B-Service.exe -- (B-Service)
SRV - [2009/12/10 03:39:04 | 000,065,536 | ---- | M] (PostgreSQL Global Development Group) [Auto | Running] -- C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe -- (pgsql-8.3)
SRV - [2009/08/09 18:35:32 | 000,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Stopped] -- C:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd)
SRV - [2007/05/28 12:57:54 | 000,275,968 | ---- | M] (Rocket Division Software) [Auto | Running] -- C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe -- (StarWindServiceAE)
SRV - [2002/12/17 17:26:22 | 007,520,337 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe -- (MSSQL$SONY_MEDIAMGR)
SRV - [2002/12/17 17:23:30 | 000,311,872 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE -- (SQLAgent$SONY_MEDIAMGR)


========== Driver Services (SafeList) ==========

DRV - [2011/07/06 19:52:42 | 000,041,272 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - [2010/04/28 07:44:02 | 000,054,760 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\fssfltr_tdi.sys -- (fssfltr)
DRV - [2009/08/21 16:24:10 | 000,057,248 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvhda32.sys -- (NVHDA)
DRV - [2009/08/17 09:38:37 | 000,722,416 | ---- | M] (Duplex Secure Ltd.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\sptd.sys -- (sptd)
DRV - [2009/06/05 13:23:27 | 000,102,664 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\tmcomm.sys -- (tmcomm)
DRV - [2009/02/24 18:42:14 | 000,116,736 | ---- | M] (MagicISO, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mcdbus.sys -- (mcdbus)
DRV - [2006/09/11 07:45:38 | 000,019,968 | R--- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)
DRV - [2006/09/11 07:45:36 | 000,057,856 | R--- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)
DRV - [2006/08/21 06:24:28 | 000,105,344 | R--- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\nvata.sys -- (nvata)
DRV - [2006/06/18 23:37:34 | 000,036,864 | ---- | M] (Advanced Micro Devices) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AmdK8.sys -- (AmdK8)
DRV - [2006/03/17 06:18:58 | 000,392,960 | R--- | M] (Sensaura) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (SenFiltService)
DRV - [2004/10/21 13:31:14 | 000,038,691 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LHidUsbK.sys -- (LHidUsbK)
DRV - [2004/10/21 13:31:06 | 000,054,851 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\L8042mou.Sys -- (L8042mou)
DRV - [2004/10/21 13:30:56 | 000,071,535 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LMouKE.Sys -- (LMouKE)
DRV - [2004/10/21 13:30:38 | 000,024,671 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LHidKE.Sys -- (LHidKe)
DRV - [2004/08/12 22:56:20 | 000,005,810 | R--- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ASACPI.sys -- (MTsensor)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = localhost

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Bing"
FF - prefs.js..browser.search.defaultthis.engineName: "Veoh Web Player Customized Web Search"
FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT2653012&SearchSource=3&q={searchTerms}"
FF - prefs.js..browser.search.param.yahoo-fr: "chrf-ytbm"
FF - prefs.js..browser.search.param.yahoo-fr-cjkt: "chrf-ytbm"
FF - prefs.js..browser.search.param.yahoo-type: "${8}"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.google.ca/"
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:1.0
FF - prefs.js..extensions.enabledItems: {ABDE892B-13A8-4d1b-88E6-365A6E755758}:1.0
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:2
FF - prefs.js..extensions.enabledItems: 4
FF - prefs.js..extensions.enabledItems: 9
FF - prefs.js..extensions.enabledItems: 1
FF - prefs.js..extensions.enabledItems: {AB2CE124-6272-4b12-94A9-7303C7397BD1}:5.0.0.6906
FF - prefs.js..extensions.enabledItems: {73a6fe31-595d-460b-a920-fcc0f8843232}:2.1.0.2
FF - prefs.js..extensions.enabledItems: {cd90bf73-20f6-44ef-993d-bb920303bd2e}:3.3.3.2
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:3.3.3.2
FF - prefs.js..keyword.URL: "http://www.bing.com/search?FORM=IEFM1&q="
FF - prefs.js..network.proxy.type: 0


FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Web Player\npdivx32.dll (DivX,Inc.)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Player Plugin,version=1.0.0: C:\Program Files\DivX\DivX Player\npDivxPlayerPlugin.dll (DivX, Inc)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8117.0416: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@pack.google.com/Google Updater;version=14: C:\Program Files\Google\Google Updater\2.4.1908.5032\npCIDetect14.dll (Google)
FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll File not found
FF - HKLM\Software\MozillaPlugins\@veetle.com/vbp;version=0.9.17: C:\Program Files\Veetle\VLCBroadcast\npvbp.dll (Veetle Inc)
FF - HKLM\Software\MozillaPlugins\@veetle.com/veetleCorePlugin,version=0.9.17: C:\Program Files\Veetle\plugins\npVeetle.dll (Veetle Inc)
FF - HKLM\Software\MozillaPlugins\@veetle.com/veetlePlayerPlugin,version=0.9.17: C:\Program Files\Veetle\Player\npvlc.dll (Veetle Inc)
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=0.9.8a: C:\Program Files\VideoLAN\VLC\npvlc.dll (the VideoLAN Team)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=8: C:\Documents and Settings\Maxim\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@unity3d.com/UnityPlayer,version=1.0: C:\Documents and Settings\Maxim\Local Settings\Application Data\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 6.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/08/16 23:56:54 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 6.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/07/01 14:18:21 | 000,000,000 | ---D | M]

[2008/08/26 16:23:40 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Maxim\Application Data\Mozilla\Extensions
[2011/09/30 12:44:30 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Maxim\Application Data\Mozilla\Firefox\Profiles\pu9jai39.default\extensions
[2010/05/14 17:23:56 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Maxim\Application Data\Mozilla\Firefox\Profiles\pu9jai39.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/06/10 12:47:07 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Documents and Settings\Maxim\Application Data\Mozilla\Firefox\Profiles\pu9jai39.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2011/08/16 23:56:57 | 000,000,000 | ---D | M] (Veoh Web Player Community Toolbar) -- C:\Documents and Settings\Maxim\Application Data\Mozilla\Firefox\Profiles\pu9jai39.default\extensions\{cd90bf73-20f6-44ef-993d-bb920303bd2e}
[2011/04/25 12:38:59 | 000,000,000 | ---D | M] (Conduit Engine) -- C:\Documents and Settings\Maxim\Application Data\Mozilla\Firefox\Profiles\pu9jai39.default\extensions\engine@conduit.com
[2010/01/03 00:17:37 | 000,000,000 | ---D | M] (TVU Web Player) -- C:\Documents and Settings\Maxim\Application Data\Mozilla\Firefox\Profiles\pu9jai39.default\extensions\firefox@tvunetworks.com
[2010/05/09 21:48:45 | 000,001,490 | ---- | M] () -- C:\Documents and Settings\Maxim\Application Data\Mozilla\Firefox\Profiles\pu9jai39.default\searchplugins\AOL Search.xml
[2010/07/25 02:57:04 | 000,001,819 | ---- | M] () -- C:\Documents and Settings\Maxim\Application Data\Mozilla\Firefox\Profiles\pu9jai39.default\searchplugins\bing.xml
[2010/06/29 18:22:34 | 000,000,933 | ---- | M] () -- C:\Documents and Settings\Maxim\Application Data\Mozilla\Firefox\Profiles\pu9jai39.default\searchplugins\conduit.xml
[2011/05/14 01:49:54 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2007/06/22 16:38:17 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Program Files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2011/06/10 13:23:12 | 000,000,000 | ---D | M] (Skype extension) -- C:\Program Files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
[2007/12/13 21:50:58 | 000,000,000 | ---D | M] (AdVantage) -- C:\Program Files\Mozilla Firefox\extensions\{A89AED22-9133-424c-88E7-C8235C5FF302}
() (No name found) -- C:\DOCUMENTS AND SETTINGS\MAXIM\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\PU9JAI39.DEFAULT\EXTENSIONS\{73A6FE31-595D-460B-A920-FCC0F8843232}.XPI
() (No name found) -- C:\DOCUMENTS AND SETTINGS\MAXIM\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\PU9JAI39.DEFAULT\EXTENSIONS\{D10D0BF8-F5B5-C8B4-A8B2-2B9879E08C5D}.XPI
[2009/04/29 15:51:34 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2011/08/16 23:56:54 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2008/11/11 02:54:07 | 000,221,184 | ---- | M] (CNN) -- C:\Program Files\mozilla firefox\plugins\NPTURNMED.dll
[2010/05/09 21:48:45 | 000,001,490 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\AOL Search.xml
[2011/05/07 21:44:41 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml

O1 HOSTS File: ([2011/10/01 14:18:08 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll (Google Inc.)
O4 - HKLM..\Run: [Adobe ARM] File not found
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] File not found
O4 - HKLM..\Run: [Google Updater] File not found
O4 - HKLM..\Run: [iTunesHelper] File not found
O4 - HKLM..\Run: [Logitech Hardware Abstraction Layer] C:\WINDOWS\KHALMNPR.Exe (Logitech Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [OfficeKB] File not found
O4 - HKLM..\Run: [QuickTime Task] File not found
O4 - HKLM..\Run: [SoundMAXPnP] File not found
O4 - HKCU..\Run: [AlcoholAutomount] File not found
O4 - HKCU..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] File not found
O4 - HKCU..\Run: [LDM] File not found
O4 - HKCU..\Run: [swg] File not found
O4 - HKCU..\Run: [UU9W7W0EWIWEVHXDLTEVZ] File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe (Logitech)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe (Logitech Inc.)
O4 - Startup: C:\Documents and Settings\Maxim\Start Menu\Programs\Startup\OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe (PokerStars)
O9 - Extra Button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra Button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - File not found
O9 - Extra 'Tools' menuitem : PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - File not found
O15 - HKCU\..Trusted Domains: clonewarsadventures.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: freerealms.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: soe.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: sony.com ([]* in Trusted sites)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} [You must be registered and logged in to see this link.] (MSN Photo Upload Tool)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} [You must be registered and logged in to see this link.] (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_18)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} [You must be registered and logged in to see this link.] (Shockwave Flash Object)
O16 - DPF: Garmin Communicator Plug-In [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Maxim\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Maxim\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/06/21 00:56:20 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2008/04/30 06:03:45 | 000,000,045 | R--- | M] () - F:\AUTORUN.INF -- [ CDFS ]
O32 - AutoRun File - [2008/06/25 02:50:03 | 000,152,848 | R--- | M] (KOEI Co., Ltd.) - F:\AutoRun.exe -- [ CDFS ]
O32 - AutoRun File - [2008/07/01 06:35:52 | 000,914,704 | R--- | M] (KOEI Co., Ltd.) - F:\AutoRunInstall.exe -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: AppMgmt - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found


SafeBootMin: AppMgmt - File not found
SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vds - Service
SafeBootMin: vga.sys - Driver
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

SafeBootNet: AppMgmt - File not found
SafeBootNet: Base - Driver Group
SafeBootNet: Boot Bus Extender - Driver Group
SafeBootNet: Boot file system - Driver Group
SafeBootNet: File system - Driver Group
SafeBootNet: Filter - Driver Group
SafeBootNet: NDIS Wrapper - Driver Group
SafeBootNet: NetBIOSGroup - Driver Group
SafeBootNet: NetDDEGroup - Driver Group
SafeBootNet: Network - Driver Group
SafeBootNet: NetworkProvider - Driver Group
SafeBootNet: PCI Configuration - Driver Group
SafeBootNet: PNP Filter - Driver Group
SafeBootNet: PNP_TDI - Driver Group
SafeBootNet: Primary disk - Driver Group
SafeBootNet: SCSI Class - Driver Group
SafeBootNet: sermouse.sys - Driver
SafeBootNet: Streams Drivers - Driver Group
SafeBootNet: System Bus Extender - Driver Group
SafeBootNet: TDI - Driver Group
SafeBootNet: vga.sys - Driver
SafeBootNet: {1a3e09be-1e45-494b-9174-d7385b45bbf5} -
SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net
SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient
SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService
SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans
SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2A3320D6-C805-4280-B423-B665BDE33D8F} - Microsoft .NET Framework 1.1 Security Update (KB979906)
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {2F6EFCE6-10DF-49F9-9E64-9AE3775B2588} - Microsoft .NET Framework 1.1 Security Update (KB2416447)
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {411EDCF7-755D-414E-A74B-3DCD6583F589} - Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.7
ActiveX: {5056b317-8d4c-43ee-8543-b9d1e234b8f4} - Security Update for Windows XP (KB923789)
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7131646D-CD3C-40F4-97B9-CD9E4E6262EF} - .NET Framework
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\WINDOWS\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - c:\WINDOWS\system32\Rundll32.exe c:\WINDOWS\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {B508B3F1-A24A-32C0-B310-85786919EF28} - .NET Framework
ActiveX: {C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F} - .NET Framework
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} - .NET Framework
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Adobe Flash Player
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: {EF289A85-8E57-408d-BE47-73B55609861A} - RootsUpdate
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\WINDOWS\system32\ieudinit.exe
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
ActiveX: Microsoft Base Smart Card Crypto Provider Package -

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.lhacm - C:\WINDOWS\System32\lhacm.acm (Microsoft Corporation)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.DIVX - C:\WINDOWS\System32\DivX.dll (DivX, Inc.)
Drivers32: VIDC.FPS1 - C:\WINDOWS\System32\frapsvid.dll (Beepa P/L)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: vidc.tscc - C:\WINDOWS\system32\tsccvid.dll (TechSmith Corporation)
Drivers32: vidc.yv12 - C:\WINDOWS\System32\DivX.dll (DivX, Inc.)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2011/10/01 13:36:29 | 004,191,448 | R--- | C] (Swearware) -- C:\Documents and Settings\Maxim\Desktop\Commy.exe
[2011/10/01 13:10:33 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/10/01 13:10:33 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/10/01 13:10:33 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/10/01 13:10:33 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/10/01 13:06:57 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Maxim\Start Menu\Programs\Administrative Tools
[2011/09/30 01:51:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2011/09/28 14:35:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Sun
[2011/09/28 13:10:02 | 002,322,184 | ---- | C] (ESET) -- C:\Documents and Settings\Maxim\Desktop\esetsmartinstaller_enu.exe
[8 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/10/02 00:22:28 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Maxim\Desktop\OTL.com
[2011/10/02 00:20:54 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/10/02 00:20:53 | 000,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2011/10/02 00:20:41 | 000,249,230 | ---- | M] () -- C:\WINDOWS\System32\NvApps.xml
[2011/10/02 00:20:33 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/10/02 00:08:38 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/10/01 15:51:51 | 000,000,402 | -H-- | M] () -- C:\WINDOWS\tasks\Norton Security Scan for Maxim.job
[2011/10/01 14:18:08 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/10/01 13:35:49 | 004,191,448 | R--- | M] (Swearware) -- C:\Documents and Settings\Maxim\Desktop\Commy.exe
[2011/09/28 14:38:26 | 000,001,200 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\04c43552oyhi36rm1b1my06173a47xha7xadku6ggt56
[2011/09/28 13:09:32 | 000,000,112 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\xLp3TL.dat
[2011/09/28 13:09:19 | 002,322,184 | ---- | M] (ESET) -- C:\Documents and Settings\Maxim\Desktop\esetsmartinstaller_enu.exe
[2011/09/28 06:20:40 | 000,000,844 | -HS- | M] () -- C:\Documents and Settings\Maxim\Local Settings\Application Data\tr6fsajl1433id65s1m04rqrtw5pt462o58343y618vh
[2011/09/28 06:20:40 | 000,000,844 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\tr6fsajl1433id65s1m04rqrtw5pt462o58343y618vh
[8 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

Uthanak

Rookie Surfer

Posts : 66
Joined : 2009-08-10
Operating System : windows xp

Re: Need to get rid of rootkit.

Post by Uthanak on Thu 01 Sep 2011, 4:17 pm

[2011/10/01 13:10:33 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/10/01 13:10:33 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/10/01 13:10:33 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/10/01 13:10:33 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/10/01 13:10:33 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/09/30 12:56:10 | 001,008,092 | ---- | C] () -- C:\Documents and Settings\Maxim\Desktop\rkill.scr
[2011/09/28 14:38:26 | 000,001,200 | -HS- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\04c43552oyhi36rm1b1my06173a47xha7xadku6ggt56
[2011/09/28 14:38:26 | 000,001,200 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\04c43552oyhi36rm1b1my06173a47xha7xadku6ggt56
[2011/09/28 06:20:40 | 000,000,844 | -HS- | C] () -- C:\Documents and Settings\Maxim\Local Settings\Application Data\tr6fsajl1433id65s1m04rqrtw5pt462o58343y618vh
[2011/09/28 06:20:40 | 000,000,844 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\tr6fsajl1433id65s1m04rqrtw5pt462o58343y618vh
[2011/08/27 20:21:15 | 000,000,112 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\xLp3TL.dat
[2011/08/27 20:06:58 | 000,001,312 | -HS- | C] () -- C:\Documents and Settings\Maxim\Local Settings\Application Data\84i83072ueun14wi5d5vk15770d37sjc7mgaaq1ntg83
[2011/08/27 20:06:58 | 000,001,312 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\84i83072ueun14wi5d5vk15770d37sjc7mgaaq1ntg83
[2011/08/27 20:06:58 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\sodv.exe
[2011/08/27 20:06:58 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\pndo.exe
[2011/08/27 20:06:58 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\ntxu.exe
[2011/08/27 20:06:57 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\jlub.exe
[2011/05/24 02:56:38 | 000,013,822 | -HS- | C] () -- C:\Documents and Settings\Maxim\Local Settings\Application Data\s3y6i48l744h4x280ce123866cp324d301uytp1006
[2011/05/24 02:56:38 | 000,013,822 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\s3y6i48l744h4x280ce123866cp324d301uytp1006
[2011/04/18 00:25:25 | 000,016,742 | -HS- | C] () -- C:\Documents and Settings\Maxim\Local Settings\Application Data\d60olj4151841n3gtp048337hy7eoh
[2011/04/18 00:25:25 | 000,016,742 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\d60olj4151841n3gtp048337hy7eoh
[2011/04/09 18:55:28 | 000,179,261 | ---- | C] () -- C:\WINDOWS\System32\xlive.dll.cat
[2011/03/04 05:27:52 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/11/14 21:30:55 | 000,000,075 | ---- | C] () -- C:\WINDOWS\System32\nvUnsupRes.dat
[2010/09/16 03:17:58 | 001,628,304 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/07/13 11:44:37 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2010/06/22 19:45:00 | 000,005,077 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\bltofzsb.qlf
[2010/04/21 00:05:49 | 000,000,056 | ---- | C] () -- C:\WINDOWS\kgt2k.INI
[2009/11/03 18:00:33 | 001,604,482 | ---- | C] () -- C:\WINDOWS\System32\nvdata.bin
[2009/10/28 15:03:02 | 000,015,144 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2009/08/24 18:00:27 | 000,021,840 | ---- | C] () -- C:\WINDOWS\System32\SIntfNT.dll
[2009/08/24 18:00:27 | 000,017,212 | ---- | C] () -- C:\WINDOWS\System32\SIntf32.dll
[2009/08/24 18:00:27 | 000,012,067 | ---- | C] () -- C:\WINDOWS\System32\SIntf16.dll
[2009/08/09 16:36:22 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2009/07/03 14:31:54 | 000,003,972 | ---- | C] () -- C:\WINDOWS\System32\drivers\PciBus.sys
[2009/06/06 02:32:36 | 000,002,119 | ---- | C] () -- C:\Documents and Settings\Maxim\Application Data\waQ1P0bNat.gif
[2009/06/06 02:32:36 | 000,000,607 | ---- | C] () -- C:\Documents and Settings\Maxim\Application Data\waQ1P0bNzn.gif
[2009/06/06 02:32:36 | 000,000,598 | ---- | C] () -- C:\Documents and Settings\Maxim\Application Data\waQ1P0bNby.gif
[2009/04/16 03:01:55 | 000,000,118 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2008/10/07 09:13:22 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelTraditionalChinese.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSwedish.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSpanish.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSimplifiedChinese.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelPortugese.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelKorean.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelJapanese.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelGerman.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelFrench.dll
[2008/02/02 18:59:03 | 000,043,520 | ---- | C] () -- C:\WINDOWS\System32\CmdLineExt03.dll
[2007/10/21 17:41:15 | 000,211,089 | ---- | C] () -- C:\WINDOWS\War3Unin.dat
[2007/09/11 14:58:00 | 000,002,908 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2007/07/15 19:04:34 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2007/07/06 03:03:38 | 000,160,768 | ---- | C] () -- C:\Documents and Settings\Maxim\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/07/03 02:05:51 | 000,008,272 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2007/06/26 01:43:53 | 000,001,340 | ---- | C] () -- C:\WINDOWS\mozver.dat
[2007/06/23 19:48:21 | 000,000,000 | ---- | C] () -- C:\WINDOWS\SetSel.INI
[2007/06/23 02:49:14 | 000,000,008 | ---- | C] () -- C:\WINDOWS\System32\nvModes.dat
[2007/06/22 16:38:18 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2007/06/21 20:48:59 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2007/06/21 20:46:22 | 000,107,008 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2007/06/21 01:02:06 | 000,001,428 | R--- | C] () -- C:\WINDOWS\System32\drivers\nvphy.bin
[2007/06/21 01:01:47 | 000,000,396 | R--- | C] () -- C:\WINDOWS\System32\raidmgmt.ini
[2007/06/21 01:01:46 | 000,000,804 | R--- | C] () -- C:\WINDOWS\System32\AsusSetup.ini
[2007/06/21 01:01:35 | 000,024,816 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2007/06/21 01:01:35 | 000,005,810 | R--- | C] () -- C:\WINDOWS\System32\drivers\ASACPI.sys
[2007/06/21 01:01:25 | 000,010,288 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2007/06/21 00:57:45 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2007/06/21 00:54:20 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2007/03/13 14:43:04 | 001,018,748 | ---- | C] () -- C:\WINDOWS\System32\nvucode.bin
[2007/03/13 14:43:02 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2006/02/28 08:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2006/02/28 08:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2006/02/28 08:00:00 | 000,459,732 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2006/02/28 08:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2006/02/28 08:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2006/02/28 08:00:00 | 000,079,538 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2006/02/28 08:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2006/02/28 08:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2006/02/28 08:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2006/02/28 08:00:00 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2006/02/28 08:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2006/02/28 08:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2000/04/27 15:14:02 | 000,004,500 | ---- | C] () -- C:\WINDOWS\System32\FILTRCOI.DLL

========== Custom Scans ==========


< %APPDATA%\Microsoft\*.* >

< %systemroot%\system32\config\systemprofile\*.dat /x >

< %USERPROFILE%\Desktop\*.exe >
[2009/08/09 20:44:14 | 000,812,344 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\Maxim\Desktop\1234.exe
[2011/08/20 21:56:56 | 007,952,623 | ---- | M] () -- C:\Documents and Settings\Maxim\Desktop\cockatrice_win32_20110309.exe
[2011/10/01 13:35:49 | 004,191,448 | R--- | M] (Swearware) -- C:\Documents and Settings\Maxim\Desktop\Commy.exe
[2011/09/28 13:09:19 | 002,322,184 | ---- | M] (ESET) -- C:\Documents and Settings\Maxim\Desktop\esetsmartinstaller_enu.exe
[2011/05/14 04:41:28 | 000,642,712 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Maxim\Desktop\gfwlivesetup.exe
[2010/02/27 13:25:00 | 001,498,968 | ---- | M] () -- C:\Documents and Settings\Maxim\Desktop\LoLInstaller.exe
[2011/06/04 02:44:53 | 009,690,219 | ---- | M] () -- C:\Documents and Settings\Maxim\Desktop\mws094f.exe
[2008/03/02 22:19:06 | 125,892,318 | ---- | M] () -- C:\Documents and Settings\Maxim\Desktop\OOo_2.3.1_Win32Intel_install_wJRE_en-US.exe
[2010/05/05 08:21:22 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Maxim\Desktop\OTL.exe
[2009/08/10 22:26:58 | 000,408,064 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Maxim\Desktop\OTM.exe
[2011/04/22 22:45:32 | 013,732,286 | ---- | M] () -- C:\Documents and Settings\Maxim\Desktop\PT-Install-v3.10.exe
[2010/04/16 16:07:40 | 002,178,224 | ---- | M] () -- C:\Documents and Settings\Maxim\Desktop\TestRealmInstallerDownloader.04_05_2010.exe
[2010/05/11 22:33:25 | 003,249,480 | ---- | M] (Unity Technologies ApS) -- C:\Documents and Settings\Maxim\Desktop\UnityWebPlayer.exe
[2011/04/11 01:20:07 | 000,399,736 | ---- | M] (BitTorrent, Inc.) -- C:\Documents and Settings\Maxim\Desktop\utorrent.exe
[2010/04/10 15:11:12 | 011,048,840 | ---- | M] () -- C:\Documents and Settings\Maxim\Desktop\veetle-0.9.17.exe
[2011/05/14 04:43:03 | 000,823,152 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Maxim\Desktop\WindowsXP-KB938759-x86-ENU.exe

< %PROGRAMFILES%\Common Files\*.* >

< %systemroot%\winn32\*.* >

< %USERPROFILE%\My Documents\*.exe >

< %USERPROFILE%\*.exe >

< %PROGRAMFILES%\Mozilla Firefox\*.exe >
[2011/08/16 23:56:54 | 000,125,912 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\crashreporter.exe
[2011/08/16 23:56:54 | 000,924,632 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
[2011/08/16 23:56:52 | 000,016,856 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\plugin-container.exe
[2011/08/16 23:56:52 | 000,269,272 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\updater.exe
[2007/10/13 18:59:13 | 140,202,521 | ---- | M] () -- C:\Program Files\Mozilla Firefox\WoW-2.2.3.7359-to-0.3.0.7382-enUS-patch.exe
[2008/02/11 23:41:51 | 141,909,560 | ---- | M] () -- C:\Program Files\Mozilla Firefox\WoW-2.3.3.7799-to-0.4.0.7897-enUS-patch.exe

< %ProgramFiles%\TinyProxy. >

< %systemroot%\system32\*.* /lockedfiles >
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.* /lockedfiles >

< %PROGRAMFILES%\*. >
[2010/05/05 15:54:09 | 000,000,000 | ---D | M] -- C:\Program Files\Absolute Poker
[2011/01/09 19:01:08 | 000,000,000 | ---D | M] -- C:\Program Files\Adobe
[2010/06/25 15:52:41 | 000,000,000 | ---D | M] -- C:\Program Files\AGEIA Technologies
[2009/08/23 23:51:56 | 000,000,000 | ---D | M] -- C:\Program Files\Alcohol Soft
[2011/04/24 14:59:45 | 000,000,000 | ---D | M] -- C:\Program Files\ALL IN Expert
[2007/06/21 01:05:06 | 000,000,000 | ---D | M] -- C:\Program Files\Analog Devices
[2009/08/09 19:02:59 | 000,000,000 | ---D | M] -- C:\Program Files\Apprentice
[2010/12/24 23:44:54 | 000,000,000 | ---D | M] -- C:\Program Files\Armagetron Advanced
[2009/08/09 19:18:13 | 000,000,000 | ---D | M] -- C:\Program Files\Atari
[2011/02/23 14:46:23 | 000,000,000 | ---D | M] -- C:\Program Files\ATMA V
[2011/01/08 03:45:54 | 000,000,000 | ---D | M] -- C:\Program Files\AVG
[2010/02/20 22:17:48 | 000,000,000 | ---D | M] -- C:\Program Files\Belkin
[2011/01/14 20:16:28 | 000,000,000 | ---D | M] -- C:\Program Files\BitTorrent
[2011/08/20 22:01:51 | 000,000,000 | ---D | M] -- C:\Program Files\Cockatrice
[2011/10/01 13:57:26 | 000,000,000 | ---D | M] -- C:\Program Files\Common Files
[2007/06/21 00:54:14 | 000,000,000 | ---D | M] -- C:\Program Files\ComPlus Applications
[2011/04/24 15:00:37 | 000,000,000 | ---D | M] -- C:\Program Files\CyberLink
[2009/08/17 10:00:09 | 000,000,000 | ---D | M] -- C:\Program Files\DAEMON Tools Pro
[2009/03/18 04:58:17 | 000,000,000 | ---D | M] -- C:\Program Files\Dawn of War 2
[2010/02/20 22:17:36 | 000,000,000 | ---D | M] -- C:\Program Files\Diablo II
[2007/06/21 01:03:33 | 000,000,000 | ---D | M] -- C:\Program Files\DIFX
[2009/07/09 10:12:02 | 000,000,000 | ---D | M] -- C:\Program Files\DivX
[2010/05/05 16:04:22 | 000,000,000 | ---D | M] -- C:\Program Files\Electronic Arts
[2011/01/09 20:54:35 | 000,000,000 | ---D | M] -- C:\Program Files\ESET
[2010/05/05 15:56:26 | 000,000,000 | ---D | M] -- C:\Program Files\Eusing Free Registry Cleaner
[2010/11/22 15:58:44 | 000,000,000 | ---D | M] -- C:\Program Files\Full Tilt Poker
[2009/07/03 14:30:52 | 000,000,000 | ---D | M] -- C:\Program Files\Futuremark
[2010/01/03 19:34:26 | 000,000,000 | ---D | M] -- C:\Program Files\GIMP-2.0
[2007/07/03 02:04:26 | 000,000,000 | ---D | M] -- C:\Program Files\Google
[2007/09/05 00:52:49 | 000,000,000 | ---D | M] -- C:\Program Files\Google Video
[2011/04/24 15:00:37 | 000,000,000 | -H-D | M] -- C:\Program Files\InstallShield Installation Information
[2011/04/16 03:05:06 | 000,000,000 | ---D | M] -- C:\Program Files\Internet Explorer
[2008/06/19 22:00:21 | 000,000,000 | ---D | M] -- C:\Program Files\iPod
[2011/09/28 15:02:22 | 000,000,000 | ---D | M] -- C:\Program Files\iTunes
[2010/01/27 06:57:58 | 000,000,000 | ---D | M] -- C:\Program Files\Java
[2011/04/24 15:05:34 | 000,000,000 | ---D | M] -- C:\Program Files\Koei
[2010/05/05 15:59:14 | 000,000,000 | ---D | M] -- C:\Program Files\LimeWire
[2007/06/23 02:20:11 | 000,000,000 | ---D | M] -- C:\Program Files\Logitech
[2011/06/04 14:35:55 | 000,000,000 | ---D | M] -- C:\Program Files\Magic Workstation
[2009/08/17 10:01:47 | 000,000,000 | ---D | M] -- C:\Program Files\MagicDisc
[2009/08/09 18:16:39 | 000,000,000 | ---D | M] -- C:\Program Files\Malwarebytes' Anti-Malware
[2008/09/04 00:18:57 | 000,000,000 | ---D | M] -- C:\Program Files\Messenger
[2009/11/10 12:25:09 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft
[2007/06/21 00:56:36 | 000,000,000 | ---D | M] -- C:\Program Files\microsoft frontpage
[2011/05/14 04:42:08 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Games for Windows - LIVE
[2009/08/14 17:06:34 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft SDKs
[2009/08/14 17:09:51 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft SQL Server
[2010/07/25 02:40:06 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft SQL Server Compact Edition
[2010/07/25 02:40:38 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Sync Framework
[2009/08/14 17:08:53 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Visual Studio 9.0
[2009/08/14 17:07:34 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft.NET
[2011/04/25 12:40:54 | 000,000,000 | ---D | M] -- C:\Program Files\mIRC
[2010/08/13 03:00:25 | 000,000,000 | ---D | M] -- C:\Program Files\Movie Maker
[2011/08/16 23:57:28 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox
[2007/06/21 01:50:07 | 000,000,000 | ---D | M] -- C:\Program Files\MSBuild
[2007/06/21 00:53:16 | 000,000,000 | ---D | M] -- C:\Program Files\MSN
[2007/06/21 00:53:44 | 000,000,000 | ---D | M] -- C:\Program Files\MSN Gaming Zone
[2007/08/16 03:00:19 | 000,000,000 | ---D | M] -- C:\Program Files\MSXML 4.0
[2007/06/21 02:00:05 | 000,000,000 | ---D | M] -- C:\Program Files\MSXML 6.0
[2010/02/20 22:18:49 | 000,000,000 | ---D | M] -- C:\Program Files\MUSICMATCH
[2007/06/21 01:20:48 | 000,000,000 | ---D | M] -- C:\Program Files\Nero
[2008/09/04 00:13:50 | 000,000,000 | ---D | M] -- C:\Program Files\NetMeeting
[2011/06/09 02:47:09 | 000,000,000 | ---D | M] -- C:\Program Files\Norton Security Scan
[2011/06/09 02:47:08 | 000,000,000 | ---D | M] -- C:\Program Files\NortonInstaller
[2010/06/25 15:52:41 | 000,000,000 | ---D | M] -- C:\Program Files\NVIDIA Corporation
[2007/12/17 14:11:29 | 000,000,000 | ---D | M] -- C:\Program Files\Ocean Technology
[2011/09/28 15:09:34 | 000,000,000 | ---D | M] -- C:\Program Files\OfficeKB
[2007/06/21 00:53:51 | 000,000,000 | ---D | M] -- C:\Program Files\Online Services
[2008/03/02 22:21:39 | 000,000,000 | ---D | M] -- C:\Program Files\OpenOffice.org 2.3
[2010/12/16 04:01:12 | 000,000,000 | ---D | M] -- C:\Program Files\Outlook Express
[2010/04/16 16:07:53 | 000,000,000 | ---D | M] -- C:\Program Files\Pando Networks
[2010/11/23 09:59:42 | 000,000,000 | ---D | M] -- C:\Program Files\PartyGaming
[2011/07/31 18:55:39 | 000,000,000 | ---D | M] -- C:\Program Files\PokerStars
[2010/10/05 11:11:14 | 000,000,000 | ---D | M] -- C:\Program Files\PokerStove
[2010/12/15 21:23:06 | 000,000,000 | ---D | M] -- C:\Program Files\PokerTracker 3
[2010/06/22 19:56:05 | 000,000,000 | ---D | M] -- C:\Program Files\PostgreSQL
[2011/09/28 15:13:32 | 000,000,000 | ---D | M] -- C:\Program Files\QuickTime
[2009/11/21 02:30:15 | 000,000,000 | ---D | M] -- C:\Program Files\Real
[2007/06/21 01:48:03 | 000,000,000 | ---D | M] -- C:\Program Files\Reference Assemblies
[2011/07/09 00:10:07 | 000,000,000 | R--D | M] -- C:\Program Files\Skype
[2010/05/05 16:04:00 | 000,000,000 | ---D | M] -- C:\Program Files\Sony
[2011/02/05 16:20:09 | 000,000,000 | ---D | M] -- C:\Program Files\Sony Online Entertainment
[2007/08/12 23:39:28 | 000,000,000 | ---D | M] -- C:\Program Files\Sony Setup
[2010/05/21 23:26:48 | 000,000,000 | ---D | M] -- C:\Program Files\SopCast
[2011/07/05 02:01:15 | 000,000,000 | ---D | M] -- C:\Program Files\Steam
[2009/03/18 04:32:35 | 000,000,000 | ---D | M] -- C:\Program Files\SystemRequirementsLab
[2010/12/19 23:15:18 | 000,000,000 | ---D | M] -- C:\Program Files\TeamViewer
[2007/12/13 21:54:45 | 000,000,000 | ---D | M] -- C:\Program Files\THQ
[2009/08/09 20:44:22 | 000,000,000 | ---D | M] -- C:\Program Files\Trend Micro
[2007/08/12 23:41:14 | 000,000,000 | -H-D | M] -- C:\Program Files\Uninstall Information
[2011/04/11 01:20:37 | 000,000,000 | ---D | M] -- C:\Program Files\uTorrent
[2010/01/03 20:57:07 | 000,000,000 | ---D | M] -- C:\Program Files\Vector Magic
[2010/04/10 15:11:26 | 000,000,000 | ---D | M] -- C:\Program Files\Veetle
[2007/11/14 17:47:00 | 000,000,000 | ---D | M] -- C:\Program Files\Ventrilo
[2010/11/07 02:11:40 | 000,000,000 | ---D | M] -- C:\Program Files\Veoh Networks
[2008/08/08 13:55:45 | 000,000,000 | ---D | M] -- C:\Program Files\VideoLAN
[2010/05/05 16:03:14 | 000,000,000 | ---D | M] -- C:\Program Files\VS Revo Group
[2011/01/29 23:02:16 | 000,000,000 | ---D | M] -- C:\Program Files\Warcraft III
[2010/05/05 15:55:53 | 000,000,000 | ---D | M] -- C:\Program Files\Wesnoth
[2010/07/25 02:41:00 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Live
[2009/06/05 13:14:51 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Live SkyDrive
[2007/06/21 01:47:26 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Media Connect 2
[2008/09/04 00:13:48 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Media Player
[2008/09/04 00:13:48 | 000,000,000 | ---D | M] -- C:\Program Files\Windows NT
[2007/07/01 00:28:39 | 000,000,000 | ---D | M] -- C:\Program Files\WinRAR
[2011/04/24 15:06:59 | 000,000,000 | ---D | M] -- C:\Program Files\World of Warcraft
[2007/06/21 00:56:36 | 000,000,000 | ---D | M] -- C:\Program Files\xerox
[2010/09/21 03:35:39 | 000,000,000 | ---D | M] -- C:\Program Files\Yahoo!
[2009/11/12 20:50:12 | 000,000,000 | ---D | M] -- C:\Program Files\_uninstallation_info


< MD5 for: AGP440.SYS >
[2006/02/28 08:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2008/09/04 00:10:58 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2008/09/04 00:10:58 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ERDNT\cache\agp440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >
[2006/02/28 08:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008/09/04 00:10:58 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008/09/04 00:10:58 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2006/02/28 08:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2006/02/28 08:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\i386\atapi.sys

< MD5 for: DISK.SYS >
[2006/02/28 08:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:disk.sys
[2008/09/04 00:10:58 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:disk.sys
[2008/09/04 00:10:58 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:disk.sys
[2006/02/28 08:00:00 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=00CA44E4534865F8A3B64F7C0984BFF0 -- C:\WINDOWS\$NtServicePackUninstall$\disk.sys
[2008/04/13 14:40:47 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=044452051F3E02E7963599FC8F4F3E25 -- C:\WINDOWS\ServicePackFiles\i386\disk.sys
[2008/04/13 14:40:47 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=044452051F3E02E7963599FC8F4F3E25 -- C:\WINDOWS\system32\drivers\disk.sys

< MD5 for: NETLOGON.DLL >
[2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ERDNT\cache\netlogon.dll
[2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2006/02/28 08:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2011-10-01 17:22:48

< hklm\software\clients\startmenuinternet|command /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\chrome.exe\InstallInfo\\ShowIconsCommand: "C:\Documents and Settings\Maxim\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" --show-icons [2010/04/26 13:13:25 | 000,531,440 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\chrome.exe\InstallInfo\\HideIconsCommand: "C:\Documents and Settings\Maxim\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" --hide-icons [2010/04/26 13:13:25 | 000,531,440 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\chrome.exe\InstallInfo\\ReinstallCommand: "C:\Documents and Settings\Maxim\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" --make-default-browser [2010/04/26 13:13:25 | 000,531,440 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\chrome.exe\shell\open\command\\: "C:\Documents and Settings\Maxim\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" [2010/04/26 13:13:25 | 000,531,440 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\HideIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /HideShortcuts [2011/08/16 23:56:52 | 000,712,976 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ShowIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /ShowShortcuts [2011/08/16 23:56:52 | 000,712,976 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ReinstallCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /SetAsDefaultAppGlobal [2011/08/16 23:56:52 | 000,712,976 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\open\command\\: C:\Program Files\Mozilla Firefox\firefox.exe [2011/08/16 23:56:54 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\properties\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -preferences [2011/08/16 23:56:54 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\safemode\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode [2011/08/16 23:56:54 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\ShowIconsCommand: "C:\Documents and Settings\Maxim\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" --show-icons [2010/04/26 13:13:25 | 000,531,440 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\HideIconsCommand: "C:\Documents and Settings\Maxim\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" --hide-icons [2010/04/26 13:13:25 | 000,531,440 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\ReinstallCommand: "C:\Documents and Settings\Maxim\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" --make-default-browser [2010/04/26 13:13:25 | 000,531,440 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\shell\open\command\\: "C:\Documents and Settings\Maxim\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" [2010/04/26 13:13:25 | 000,531,440 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\WINDOWS\system32\ie4uinit.exe" -reinstall [2011/02/17 07:43:27 | 000,070,656 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -hide [2011/02/17 07:43:27 | 000,070,656 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -show [2011/02/17 07:43:27 | 000,070,656 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: "C:\Program Files\internet explorer\iexplore.exe" [2011/02/14 08:17:08 | 000,634,648 | ---- | M] (Microsoft Corporation)

< hklm\software\clients\startmenuinternet|command /64 /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\chrome.exe\InstallInfo\\ShowIconsCommand: "C:\Documents and Settings\Maxim\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" --show-icons [2010/04/26 13:13:25 | 000,531,440 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\chrome.exe\InstallInfo\\HideIconsCommand: "C:\Documents and Settings\Maxim\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" --hide-icons [2010/04/26 13:13:25 | 000,531,440 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\chrome.exe\InstallInfo\\ReinstallCommand: "C:\Documents and Settings\Maxim\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" --make-default-browser [2010/04/26 13:13:25 | 000,531,440 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\chrome.exe\shell\open\command\\: "C:\Documents and Settings\Maxim\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" [2010/04/26 13:13:25 | 000,531,440 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\HideIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /HideShortcuts [2011/08/16 23:56:52 | 000,712,976 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ShowIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /ShowShortcuts [2011/08/16 23:56:52 | 000,712,976 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ReinstallCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /SetAsDefaultAppGlobal [2011/08/16 23:56:52 | 000,712,976 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\open\command\\: C:\Program Files\Mozilla Firefox\firefox.exe [2011/08/16 23:56:54 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\properties\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -preferences [2011/08/16 23:56:54 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\safemode\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode [2011/08/16 23:56:54 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\ShowIconsCommand: "C:\Documents and Settings\Maxim\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" --show-icons [2010/04/26 13:13:25 | 000,531,440 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\HideIconsCommand: "C:\Documents and Settings\Maxim\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" --hide-icons [2010/04/26 13:13:25 | 000,531,440 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\ReinstallCommand: "C:\Documents and Settings\Maxim\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" --make-default-browser [2010/04/26 13:13:25 | 000,531,440 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\shell\open\command\\: "C:\Documents and Settings\Maxim\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" [2010/04/26 13:13:25 | 000,531,440 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\WINDOWS\system32\ie4uinit.exe" -reinstall [2011/02/17 07:43:27 | 000,070,656 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -hide [2011/02/17 07:43:27 | 000,070,656 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -show [2011/02/17 07:43:27 | 000,070,656 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: "C:\Program Files\internet explorer\iexplore.exe" [2011/02/14 08:17:08 | 000,634,648 | ---- | M] (Microsoft Corporation)

========== Alternate Data Streams ==========

@Alternate Data Stream - 136 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:05EE1EEF
@Alternate Data Stream - 113 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:8CEFE51A

< End of report >

Uthanak
Rookie Surfer
Posts : 66
Joined : 2009-08-10
Operating System : windows xp

Re: Need to get rid of rootkit.

Post by Uthanak on Thu 01 Sep 2011, 4:18 pm

Results of screen317's Security Check version 0.99.18
Windows XP Service Pack 3
Internet Explorer 7 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
ESET Online Scanner v3
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
HijackThis 2.0.2
Java(TM) 6 Update 18
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Out of date Java installed!
Adobe Flash Player 10.3.183.7
Mozilla Firefox (x86 en-US..)
````````````````````````````````
Process Check:
objlist.exe by Laurent

``````````End of Log````````````

Uthanak
Rookie Surfer

Re: Need to get rid of rootkit.

Post by Gabethebabe on Fri 02 Sep 2011, 6:37 pm

Hi there Uthanak!

I am Gabethebabe and I will be helping you with this issue. Before we start some general remarks/rules:
  • Whilst I'm helping you, please follow my instructions carefully and do not experiment on your own or accept help from other persons.
  • Feel free to ask questions! Especially if my instructions are not clear. I'm here to help, not confuse you.
  • I will try and respond quickly, but please understand I do have a real life (job, wife, 3 kids, kinky hobbies).
  • Stick with me till the end. If your computer starts running better, that doesn't mean it is clean yet!

====================

Time to use ComboFix by sUBs, a powerful tool that you are advised not to run without supervision of a trained malware helper. Please visit this webpage and read the tutorial on using ComboFix very carefully. After that download the tool and save it to your desktop.

Doubleclick ComboFix.exe to run the tool. Please post its log back here.

Gabethebabe
Tech Advisor
Posts : 1568
Joined : 2010-03-07
Operating System : WIN7 64bit, Ubuntu 12.04 LTS

Re: Need to get rid of rootkit.

Post by Uthanak on Fri 02 Sep 2011, 7:51 pm

Combofix is stuck at rebooting and says to not reboot manually myself, what should I do?

Uthanak
Rookie Surfer

Re: Need to get rid of rootkit.

Post by Gabethebabe on Fri 02 Sep 2011, 9:00 pm

Well, if it is really stuck, you will need to reboot manually, I'm afraid.

Do you have the original windows XP setup disk?

Gabethebabe
Tech Advisor

Re: Need to get rid of rootkit.

Post by Uthanak on Sat 03 Sep 2011, 5:41 am

Nope, never had it, bought the pc with xp installed.

Uthanak
Rookie Surfer

Re: Need to get rid of rootkit.

Post by Uthanak on Sat 03 Sep 2011, 6:04 am

ComboFix 11-09-01.03 - Maxim 10/03/2011 4:30.10.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3326.2755 [GMT -4:00]
Running from: c:\documents and settings\Maxim\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\bpbr.exe
c:\documents and settings\All Users\Application Data\dnlq.exe
c:\documents and settings\All Users\Application Data\oydr.exe
c:\documents and settings\All Users\Application Data\tonq.exe
c:\documents and settings\NetworkService\Local Settings\Application Data\dfhi.exe
c:\documents and settings\NetworkService\Local Settings\Application Data\irbx.exe
c:\documents and settings\NetworkService\Local Settings\Application Data\luoj.exe
c:\documents and settings\NetworkService\Local Settings\Application Data\oenn.exe
c:\documents and settings\NetworkService\Local Settings\Application Data\roe.exe
c:\process\FC78BA656AF.exe
c:\windows\assembly\GAC_MSIL\desktop.ini
c:\windows\dasetup.log
c:\windows\system32\mpix.exe
c:\windows\system32\pbtf.exe
c:\windows\system32\vfge.exe
c:\windows\system32\xbxc.exe
.
Infected copy of c:\program files\Java\jre6\bin\jqs.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP483\A0079096.exe
.
Infected copy of c:\windows\system32\nvsvc32.exe was found and disinfected
Restored copy from - c:\windows\system32\ReinstallBackups\0011\DriverFiles\nvsvc32.exe
.
Infected copy of c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP483\A0079095.exe
.
Infected copy of c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE was found and disinfected
Restored copy from - c:\system volume information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP483\A0079094.EXE
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_1f9293b4
.
.
((((((((((((((((((((((((( Files Created from 2011-09-03 to 2011-10-03 )))))))))))))))))))))))))))))))
.
.
2011-10-03 06:21 . 2011-10-03 06:25 -------- d-----w- C:\Commy
2011-10-03 06:19 . 2011-10-03 06:19 -------- d-----w- C:\ARK
2011-10-02 04:38 . 2011-10-02 04:38 4194304 ----a-w- c:\windows\system32\dtxmbwwl.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-28 01:16 . 2011-05-14 05:48 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-28 00:06 . 2011-08-28 00:06 0 ----a-w- c:\documents and settings\All Users\Application Data\sodv.exe
2011-08-28 00:06 . 2011-08-28 00:06 0 ----a-w- c:\documents and settings\All Users\Application Data\pndo.exe
2011-08-28 00:06 . 2011-08-28 00:06 0 ----a-w- c:\documents and settings\All Users\Application Data\ntxu.exe
2011-08-28 00:06 . 2011-08-28 00:06 0 ----a-w- c:\documents and settings\All Users\Application Data\jlub.exe
2011-07-08 14:02 . 2006-02-28 12:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-06 23:52 . 2009-08-09 21:50 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 23:52 . 2009-08-09 21:50 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2011-08-17 03:56 . 2011-05-08 01:44 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
Code:
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe
c:\program files\Alcohol Soft\Alcohol 120\axcmd .exe
c:\program files\Analog Devices\Core\smax4pnp .exe
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
c:\program files\Common Files\Ahead\Lib\NMBgMonitor .exe
c:\program files\Google\Google Updater\GoogleUpdater .exe
c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
c:\program files\iTunes\iTunesHelper .exe
.
((((((((((((((((((((((((((((( SnapShot_2011-10-01_18.18.58 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-10-03 18:49 . 2011-10-03 18:49 16384 c:\windows\temp\Perflib_Perfdata_7ec.dat
+ 2011-10-03 18:43 . 2011-10-03 18:43 16384 c:\windows\temp\Perflib_Perfdata_688.dat
+ 2011-10-03 07:04 . 2011-10-03 07:04 16384 c:\windows\temp\Perflib_Perfdata_680.dat
+ 2007-06-21 05:47 . 2010-07-05 13:15 17272 c:\windows\system32\spmsg.dll
- 2007-06-21 05:47 . 2008-07-08 13:02 17272 c:\windows\system32\spmsg.dll
+ 2011-10-01 17:23 . 2011-07-08 14:02 10496 c:\windows\system32\dllcache\ndistapi.sys
+ 2007-06-21 04:58 . 2011-10-02 06:54 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-06-21 04:58 . 2011-06-12 14:22 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2011-10-02 06:54 . 2011-10-02 06:54 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2011-06-12 14:22 . 2011-06-12 14:22 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-09-27 23:19 . 2007-04-20 10:05 163908 c:\windows\system32\nvsvc32.exe
+ 2008-12-05 06:54 . 2011-04-29 17:25 151552 c:\windows\system32\dllcache\schannel.dll
- 2009-11-21 06:30 . 2011-06-12 14:22 360448 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-11-21 06:30 . 2011-10-02 06:54 360448 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2011-04-16 12:44 . 2011-04-16 12:44 2770944 c:\windows\temp\IXP000.TMP\vcredist.msi
+ 2006-02-28 12:00 . 2011-06-02 14:02 1858944 c:\windows\system32\win32k.sys
+ 2008-10-16 03:23 . 2011-06-02 14:02 1858944 c:\windows\system32\dllcache\win32k.sys
+ 2006-02-28 12:00 . 2011-03-03 13:21 1857920 c:\windows\system32\_000006_.tmp.dll
+ 2011-04-16 12:44 . 2011-04-16 12:44 2770944 c:\windows\Installer\45976.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [N/A]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2010-04-17 3872080]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [N/A]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [N/A]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-06-15 15141768]
"UU9W7W0EWIWEVHXDLTEVZ"="c:\process\FC78BA656AF.exe" [N/A]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [N/A]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-10-21 29696]
"OfficeKB"="c:\progra~1\OfficeKB\OfficeKB.EXE" [N/A]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-09-27 13918208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-09-27 86016]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [N/A]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [N/A]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [N/A]
"Google Updater"="c:\program files\Google\Google Updater\GoogleUpdater.exe" [N/A]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RealUpgradeHelper"="c:\program files\Common Files\Real\Update_OB\upgrdhlp.exe" [N/A]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10t_ActiveX.exe" [2011-07-09 240288]
.
c:\documents and settings\Maxim\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - c:\program files\OpenOffice.org 2.3\program\quickstart.exe [2007-8-17 393216]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2007-6-23 450560]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\KEM.exe [2007-6-23 581632]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Apprentice\\Appr.exe"=
"c:\\Program Files\\THQ\\Dawn of War - Dark Crusade\\DarkCrusade.exe"=
"c:\\Program Files\\THQ\\Dawn Of War\\W40kWA.exe"=
"c:\\Program Files\\THQ\\Dawn Of War\\W40k.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Documents and Settings\\Maxim\\Desktop\\Max\\Pokemon Game.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.0.8.9506-to-3.0.9.9551-enUS-downloader.exe"=
"c:\\Program Files\\Dawn of War 2\\DOW2.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0-enUS-downloader.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\aliens vs predator\\AvP_CLI.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\transformers war for cybertron\\Binaries\\TWFC.exe"=
"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer_Service.exe"=
"c:\\Program Files\\Armagetron Advanced\\armagetronad.exe"=
"c:\\Program Files\\Sony Online Entertainment\\Installed Games\\DC Universe Online Live\\UNREAL3\\BINARIES\\WIN32\\DCGAME.EXE"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Riot Games\\League of Legends\\lol.launcher.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\dawn of war 2\\DOW2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\dawn of war ii - retribution\\DOW2.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"4000:TCP"= 4000:TCP:diablo
"8375:TCP"= 8375:TCP:League of Legends Launcher
"8375:UDP"= 8375:UDP:League of Legends Launcher
"8376:TCP"= 8376:TCP:League of Legends Launcher
"8376:UDP"= 8376:UDP:League of Legends Launcher
"8377:TCP"= 8377:TCP:League of Legends Launcher
"8377:UDP"= 8377:UDP:League of Legends Launcher
"8378:TCP"= 8378:TCP:League of Legends Launcher
"8378:UDP"= 8378:UDP:League of Legends Launcher
"8379:TCP"= 8379:TCP:League of Legends Launcher
"8379:UDP"= 8379:UDP:League of Legends Launcher
"8380:TCP"= 8380:TCP:League of Legends Launcher
"8380:UDP"= 8380:UDP:League of Legends Launcher
"8381:TCP"= 8381:TCP:League of Legends Launcher
"8381:UDP"= 8381:UDP:League of Legends Launcher
"6881:TCP"= 6881:TCP:League of Legends Launcher
"6881:UDP"= 6881:UDP:League of Legends Launcher
"8382:TCP"= 8382:TCP:League of Legends Launcher
"8382:UDP"= 8382:UDP:League of Legends Launcher
"8383:TCP"= 8383:TCP:League of Legends Launcher
"8383:UDP"= 8383:UDP:League of Legends Launcher
"8393:TCP"= 8393:TCP:League of Legends Lobby
"8393:UDP"= 8393:UDP:League of Legends Lobby
"8390:TCP"= 8390:TCP:League of Legends Game Client
"8390:UDP"= 8390:UDP:League of Legends Game Client
"6929:TCP"= 6929:TCP:League of Legends Launcher
"6929:UDP"= 6929:UDP:League of Legends Launcher
.
R2 USmsServ;Desktop Window Manager Sessions Manager;c:\windows\Desktop Manager\dwm.exe [6/10/2011 12:48 PM 142336]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2/27/2010 11:44 AM 57248]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/9/2009 6:35 PM 297752]
S2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [12/10/2009 3:39 AM 65536]
S3 B-Service;B-Service;c:\documents and settings\Maxim\Application Data\Mikogo\B-Service.exe [9/17/2010 12:13 PM 185640]
S3 bcgame;Nostromo HID Device Minidriver;c:\windows\system32\drivers\bcgame.sys --> c:\windows\system32\drivers\bcgame.sys [?]
S3 McComponentHostService;McAfee Security Scan Component Host Service;"c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe" --> c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/13/2007 12:28 AM 722416]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WUAUSERV
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-03 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-07-03 14:27]
.
2011-10-02 c:\windows\Tasks\Norton Security Scan for Maxim.job
- c:\progra~1\NORTON~2\Engine\312~1.9\Nss.exe [2011-06-09 08:19]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = localhost
LSP: mswsock.dll
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 192.168.0.1
DPF: Garmin Communicator Plug-In - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\Maxim\Application Data\Mozilla\Firefox\Profiles\pu9jai39.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - prefs.js: network.proxy.type - 0
FF - user.js: yahoo.homepage.dontask - true);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(yahoo.ytff.general.dontshowhpoffer, true);user_pref(network.protocol-handler.warn-external.dnupdate, false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2011-10-03 14:46
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\windows\3029570079:3765267531.exe 816 bytes executable
c:\windows\$NtUninstallKB2541763$
c:\windows\$NtUninstallKB2555917$
c:\windows\$NtUninstallKB2562937$
c:\windows\$NtUninstallKB2566454$
c:\windows\KB2566454.log 7668 bytes
c:\windows\system32\_000006_.tmp.dll 1857920 bytes executable
c:\windows\system32\SET14.tmp 151552 bytes executable
.
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, [You must be registered and logged in to see this link.]
Windows 5.1.2600 Disk: WDC_WD3200AAKS-00L9A0 rev.01.03E01 -> Harddisk0\DR0 -> \Device\00000032
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8AC31530]<<
_asm { MOV EAX, [ESP+0x4]; MOV ECX, [EAX+0x28]; PUSH EBP; MOV EBP, [ECX+0x4]; PUSH ESI; MOV ESI, [ESP+0x10]; PUSH EDI; MOV EDI, [ESI+0x60]; MOV AL, [EDI]; CMP AL, 0x16; JNZ 0x36; PUSH ESI; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8AD6EAB8]
3 CLASSPNP[0xB80E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A8C8F08]
\Driver\00001114[0x8A96BCA8] -> IRP_MJ_CREATE -> 0x8AC31530
error: Read The request is not supported.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\0000006a -> \??\IDE#DiskWDC_WD3200AAKS-00L9A0___________________01.03E01#2020202057202D44435756414332353631363737#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user & kernel MBR OK
copy of MBR has been found in sector 625137345
Warning: possible TDL3 rootkit infection !
.
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\windows\3029570079:3765267531.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\OpenOffice.org 2.3\program\soffice.exe
c:\program files\Logitech\SetPoint\KHALMNPR.EXE
c:\program files\OpenOffice.org 2.3\program\soffice.BIN
c:\windows\system32\msiexec.exe
c:\windows\SoftwareDistribution\Download\Install\VS90SP1-KB2251487-x86.exe
c:\53c62789f54aa0c8a6601544\HotFixInstaller.exe
c:\windows\system32\MsiExec.exe
.
**************************************************************************
.
Completion time: 2011-10-03 14:54:47 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-03 18:54
ComboFix2.txt 2011-10-01 18:28
ComboFix3.txt 2011-01-14 22:14
ComboFix4.txt 2011-01-09 07:15
ComboFix5.txt 2011-10-03 08:28
.
Pre-Run: 126,926,155,776 bytes free
Post-Run: 127,373,467,648 bytes free
.
- - End Of File - - 53DB6E7A28A44B22A10A56B792E3551F

Uthanak
Rookie Surfer

Re: Need to get rid of rootkit.

Post by Gabethebabe on Sat 03 Sep 2011, 7:14 am

Your computer is quite seriously infected. Combofix cleaned up something but we are not half way yet.

  • Please create a new text file in Notepad with the following contents:
    Code:
    KILLALL::
    File::
    c:\documents and settings\All Users\Application Data\sodv.exe
    c:\documents and settings\All Users\Application Data\pndo.exe
    c:\documents and settings\All Users\Application Data\ntxu.exe
    c:\documents and settings\All Users\Application Data\jlub.exe
    c:\windows\system32\_000006_.tmp.dll
    c:\windows\system32\SET14.tmp

    Renv::
    c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe
    c:\program files\Alcohol Soft\Alcohol 120\axcmd .exe
    c:\program files\Analog Devices\Core\smax4pnp .exe
    c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
    c:\program files\Common Files\Ahead\Lib\NMBgMonitor .exe
    c:\program files\Google\Google Updater\GoogleUpdater .exe
    c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
    c:\program files\iTunes\iTunesHelper .exe

    Folder::
    c:\windows\3029570079

    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "UU9W7W0EWIWEVHXDLTEVZ"=-

  • Save that file as CFScript.txt on your desktop
  • Drag and drop the CFScript.txt onto the ComboFix icon, as shown in the animation below.

  • If done correctly, ComboFix will start and perform specific instructions
  • In doing so, ComboFix may request a reboot
  • Please post the contents of Combofix.txt in your next reply

====================

You should try and get aswMBR running, before or after the combofix fix. It is possible that aswMBR will run now that we have removed a bunch of malware processes.

  • Double click aswMBR.exe to run the tool
  • Click the Scan button to start the scan
  • Once the scan finishes click Fix to fix the infected MBR
  • Reboot the computer
  • After the reboot, re-run aswMBR
  • Once the scan finishes click Save log to save the log to your desktop
  • Copy and paste the contents of this log (aswMBR.txt) into your next reply.



Gabethebabe
Tech Advisor

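The CFScript above is the helper's hand-written fix. As an added illustration (not code from this thread, from ComboFix or from its author), the Python below derives the same sections from a constructed ComboFix log fragment: it picks out executables the infection renamed with a space before ".exe" (the Renv:: entries), splits catchme's hidden-file list into plain files and the host folder of an alternate-data-stream executable (the File:: and Folder:: entries), and flags a Run value whose target ComboFix had already deleted (the Registry:: "=-" entry). The benign-entry filter for $NtUninstall folders is an assumption about what a helper would leave alone.

```python
import re

# Constructed ComboFix log fragment (example data, not the poster's full log);
# it reproduces the findings the helper's CFScript acts on: executables renamed
# with a space before ".exe", catchme's hidden-file list, and an orphaned Run value.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\process\FC78BA656AF.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
Code:
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe
c:\program files\iTunes\iTunesHelper .exe
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-06-15 15141768]
"UU9W7W0EWIWEVHXDLTEVZ"="c:\process\FC78BA656AF.exe" [N/A]
.
scanning hidden files ...
.
c:\windows\3029570079:3765267531.exe 816 bytes executable
c:\windows\$NtUninstallKB2541763$
c:\windows\system32\_000006_.tmp.dll 1857920 bytes executable
c:\windows\system32\SET14.tmp 151552 bytes executable
.
**************************************************************************
"""

RENAMED_EXE = re.compile(r"^[a-z]:\\.+ \.exe$", re.IGNORECASE)
RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*?\.exe)', re.IGNORECASE)
# Hidden entries catchme lists by design (assumption: Windows update uninstall
# folders and their logs); the helper left them alone, so they are skipped here.
BENIGN_HIDDEN = re.compile(r"\\\$NtUninstallKB\d+\$$|\\KB\d+\.log$", re.IGNORECASE)

def section(log, start, stop):
    """Non-blank lines after the first line containing `start`, up to the next line starting with `stop`."""
    active = False
    for line in log.splitlines():
        line = line.strip()
        if not active:
            active = start in line
            continue
        if line.startswith(stop):
            return
        if line not in ("", "."):
            yield line

def find_space_renamed(log):
    """Paths whose executable name got a space before '.exe' (Renv:: entries)."""
    return [ln.strip() for ln in log.splitlines() if RENAMED_EXE.match(ln.strip())]

def find_hidden_entries(log):
    """Split catchme's hidden entries into plain files (File::) and the host
    folders of alternate-data-stream executables (Folder::)."""
    files, folders = [], []
    for line in section(log, "scanning hidden files", "****"):
        path = re.sub(r" \d+ bytes.*$", "", line)   # drop the size/type suffix
        if BENIGN_HIDDEN.search(path):
            continue
        if path.count(":") > 1:                     # drive colon + stream colon
            folders.append(path.rsplit(":", 1)[0])  # act on the ADS host object
        else:
            files.append(path)
    return files, folders

def find_orphaned_run_values(log):
    """Run values whose target ComboFix already deleted: the file is gone but the
    autostart value survives and needs the Registry:: '=-' removal syntax."""
    deleted = {p.lower() for p in section(log, "Other Deletions", "((((")}
    orphans, key = [], None
    for line in log.splitlines():
        line = line.strip()
        if line.startswith("[HKEY_"):
            key = line
            continue
        m = RUN_VALUE.match(line)
        if m and key and m.group("path").lower() in deleted:
            orphans.append((key, m.group("name")))
    return orphans

def build_cfscript(log):
    """Assemble the CFScript text from the findings above."""
    files, folders = find_hidden_entries(log)
    out = ["KILLALL::"]
    for header, entries in (("File::", files), ("Renv::", find_space_renamed(log)),
                            ("Folder::", folders)):
        if entries:
            out += [header] + entries + [""]
    orphans = find_orphaned_run_values(log)
    if orphans:
        out.append("Registry::")
    for key, name in orphans:
        out += [key, '"%s"=-' % name, ""]
    return "\n".join(out).rstrip() + "\n"

if __name__ == "__main__":
    print(build_cfscript(SAMPLE_LOG))
```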
Re: Need to get rid of rootkit.

Post by Uthanak on Sat 03 Sep 2011, 6:41 pm

ComboFix 11-09-02.04 - Maxim 10/04/2011 3:08.11.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3326.2706 [GMT -4:00]
Running from: c:\documents and settings\Maxim\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Maxim\Desktop\CFScript.txt
.
FILE ::
"c:\documents and settings\All Users\Application Data\jlub.exe"
"c:\documents and settings\All Users\Application Data\ntxu.exe"
"c:\documents and settings\All Users\Application Data\pndo.exe"
"c:\documents and settings\All Users\Application Data\sodv.exe"
"c:\windows\system32\_000006_.tmp.dll"
"c:\windows\system32\SET14.tmp"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\jlub.exe
c:\documents and settings\All Users\Application Data\ntxu.exe
c:\documents and settings\All Users\Application Data\pndo.exe
c:\documents and settings\All Users\Application Data\sodv.exe
c:\windows\assembly\GAC_MSIL\desktop.ini
.
Infected copy of c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP485\A0082890.exe
.
Infected copy of c:\program files\Java\jre6\bin\jqs.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP485\A0082893.exe
.
Infected copy of c:\windows\system32\nvsvc32.exe was found and disinfected
Restored copy from - c:\windows\system32\ReinstallBackups\0011\DriverFiles\nvsvc32.exe
.
Infected copy of c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP485\A0082892.exe
.
Infected copy of c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE was found and disinfected
Restored copy from - c:\system volume information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP485\A0082891.EXE
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_1f9293b4
.
.
((((((((((((((((((((((((( Files Created from 2011-09-04 to 2011-10-04 )))))))))))))))))))))))))))))))
.
.
2011-10-04 07:00 . 2011-10-04 07:00 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Microsoft Help
2011-10-04 05:37 . 2011-10-04 05:37 -------- d-----w- c:\documents and settings\Maxim\Local Settings\Application Data\PCHealth
2011-10-03 18:58 . 2011-10-03 18:58 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2011-10-03 06:21 . 2011-10-03 06:25 -------- d-----w- C:\Commy
2011-10-03 06:19 . 2011-10-03 06:19 -------- d-----w- C:\ARK
2011-10-02 04:38 . 2011-10-02 04:38 4194304 ----a-w- c:\windows\system32\dtxmbwwl.dll
2011-10-01 17:25 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-10-01 17:25 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2011-10-01 17:23 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-04 07:01 . 2009-08-14 21:09 112640 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VCExpress\9.0\1033\ResourceCache.dll
2011-10-04 07:00 . 2009-08-14 21:09 416 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\MSDN\9.0\1033\ResourceCache.dll
2011-08-28 01:16 . 2011-05-14 05:48 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-15 13:29 . 2006-02-28 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2006-02-28 12:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-06 23:52 . 2009-08-09 21:50 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 23:52 . 2009-08-09 21:50 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2011-10-03 18:59 . 2011-05-08 01:44 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
Code:
c:\program files\OfficeKB\OfficeKB .exe
c:\program files\QuickTime\qttask  .exe
.
((((((((((((((((((((((((((((( SnapShot_2011-10-01_18.18.58 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-04-19 02:51 . 2011-04-19 02:51 51024 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_4ddc769f\vcomp90.dll
+ 2011-04-19 02:51 . 2011-04-19 02:51 59728 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_730c3508\mfc90rus.dll
+ 2011-04-19 02:51 . 2011-04-19 02:51 42832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_730c3508\mfc90kor.dll
+ 2011-04-19 02:51 . 2011-04-19 02:51 43344 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_730c3508\mfc90jpn.dll
+ 2011-04-19 02:51 . 2011-04-19 02:51 61264 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_730c3508\mfc90ita.dll
+ 2011-04-19 02:51 . 2011-04-19 02:51 62800 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_730c3508\mfc90fra.dll
+ 2011-04-19 02:51 . 2011-04-19 02:51 61776 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_730c3508\mfc90esp.dll
+ 2011-04-19 02:51 . 2011-04-19 02:51 61776 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_730c3508\mfc90esn.dll
+ 2011-04-19 02:51 . 2011-04-19 02:51 53584 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_730c3508\mfc90enu.dll
+ 2011-04-19 02:51 . 2011-04-19 02:51 63312 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_730c3508\mfc90deu.dll
+ 2011-04-19 02:51 . 2011-04-19 02:51 36688 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_730c3508\mfc90cht.dll
+ 2011-04-19 02:51 . 2011-04-19 02:51 35664 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_730c3508\mfc90chs.dll
+ 2011-04-19 02:51 . 2011-04-19 02:51 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_028bc148\mfcm90u.dll
+ 2011-04-19 02:51 . 2011-04-19 02:51 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_028bc148\mfcm90.dll
+ 2011-05-14 00:17 . 2011-05-14 00:17 65536 c:\windows\WinSxS\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_452bf920\vcomp.dll
+ 2011-05-13 23:45 . 2011-05-13 23:45 49152 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_6a5bb789\mfc80KOR.dll
+ 2011-05-13 23:45 . 2011-05-13 23:45 49152 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_6a5bb789\mfc80JPN.dll
+ 2011-05-13 23:45 . 2011-05-13 23:45 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_6a5bb789\mfc80ITA.dll
+ 2011-05-13 23:45 . 2011-05-13 23:45 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_6a5bb789\mfc80FRA.dll
+ 2011-05-13 23:45 . 2011-05-13 23:45 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_6a5bb789\mfc80ESP.dll
+ 2011-05-13 23:45 . 2011-05-13 23:45 57344 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_6a5bb789\mfc80ENU.dll
+ 2011-05-13 23:45 . 2011-05-13 23:45 65536 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_6a5bb789\mfc80DEU.dll
+ 2011-05-13 23:45 . 2011-05-13 23:45 45056 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_6a5bb789\mfc80CHT.dll
+ 2011-05-13 23:45 . 2011-05-13 23:45 40960 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_6a5bb789\mfc80CHS.dll
+ 2011-05-14 05:06 . 2011-05-14 05:06 57856 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_150c9e8b\mfcm80u.dll
+ 2011-05-14 05:23 . 2011-05-14 05:23 69632 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_150c9e8b\mfcm80.dll
+ 2011-05-13 22:37 . 2011-05-13 22:37 97280 c:\windows\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_a4c618fa\ATL80.dll
+ 2011-10-04 07:19 . 2011-10-04 07:19 16384 c:\windows\temp\Perflib_Perfdata_678.dat
+ 2011-10-04 05:33 . 2011-10-04 05:33 16384 c:\windows\temp\Perflib_Perfdata_414.dat
- 2007-01-29 08:58 . 2010-11-03 13:12 46080 c:\windows\system32\tzchange.exe
+ 2007-01-29 08:58 . 2011-07-08 13:49 46080 c:\windows\system32\tzchange.exe
+ 2007-06-21 05:47 . 2010-07-05 13:15 17272 c:\windows\system32\spmsg.dll
- 2007-06-21 05:47 . 2008-07-08 13:02 17272 c:\windows\system32\spmsg.dll
- 2006-02-28 12:00 . 2011-02-17 19:00 44544 c:\windows\system32\pngfilt.dll
+ 2006-02-28 12:00 . 2011-06-21 18:45 44544 c:\windows\system32\pngfilt.dll
+ 2006-02-28 12:00 . 2011-10-03 18:57 79538 c:\windows\system32\perfc009.dat
- 2006-02-28 12:00 . 2011-04-16 07:04 79538 c:\windows\system32\perfc009.dat
- 2006-11-08 01:03 . 2011-02-17 19:00 52224 c:\windows\system32\msfeedsbs.dll
+ 2006-11-08 01:03 . 2011-06-21 18:45 52224 c:\windows\system32\msfeedsbs.dll
+ 2006-02-28 12:00 . 2011-06-21 18:45 27648 c:\windows\system32\jsproxy.dll
- 2006-02-28 12:00 . 2011-02-17 19:00 27648 c:\windows\system32\jsproxy.dll
- 2006-11-07 07:26 . 2011-02-17 11:43 13824 c:\windows\system32\ieudinit.exe
+ 2006-11-07 07:26 . 2011-06-21 11:46 13824 c:\windows\system32\ieudinit.exe
- 2006-02-28 12:00 . 2011-02-17 19:00 44544 c:\windows\system32\iernonce.dll
+ 2006-02-28 12:00 . 2011-06-21 18:45 44544 c:\windows\system32\iernonce.dll
- 2006-02-28 12:00 . 2011-02-17 19:00 78336 c:\windows\system32\ieencode.dll
+ 2006-02-28 12:00 . 2011-06-21 18:45 78336 c:\windows\system32\ieencode.dll
+ 2006-02-28 12:00 . 2011-06-21 11:46 70656 c:\windows\system32\ie4uinit.exe
- 2006-02-28 12:00 . 2011-02-17 11:43 70656 c:\windows\system32\ie4uinit.exe
+ 2006-10-17 15:58 . 2011-06-21 18:45 63488 c:\windows\system32\icardie.dll
- 2006-10-17 15:58 . 2011-02-17 19:00 63488 c:\windows\system32\icardie.dll
+ 2006-02-28 12:00 . 2011-06-21 18:45 44544 c:\windows\system32\dllcache\pngfilt.dll
- 2006-02-28 12:00 . 2011-02-17 19:00 44544 c:\windows\system32\dllcache\pngfilt.dll
+ 2007-04-25 08:41 . 2011-06-21 18:45 52224 c:\windows\system32\dllcache\msfeedsbs.dll
- 2007-04-25 08:41 . 2011-02-17 19:00 52224 c:\windows\system32\dllcache\msfeedsbs.dll
- 2006-02-28 12:00 . 2011-02-17 19:00 27648 c:\windows\system32\dllcache\jsproxy.dll
+ 2006-02-28 12:00 . 2011-06-21 18:45 27648 c:\windows\system32\dllcache\jsproxy.dll
+ 2007-04-24 14:26 . 2011-06-21 11:46 13824 c:\windows\system32\dllcache\ieudinit.exe
- 2007-04-24 14:26 . 2011-02-17 11:43 13824 c:\windows\system32\dllcache\ieudinit.exe
+ 2006-02-28 12:00 . 2011-06-21 18:45 44544 c:\windows\system32\dllcache\iernonce.dll
- 2006-02-28 12:00 . 2011-02-17 19:00 44544 c:\windows\system32\dllcache\iernonce.dll
+ 2009-02-20 18:09 . 2011-06-21 18:45 78336 c:\windows\system32\dllcache\ieencode.dll
- 2009-02-20 18:09 . 2011-02-17 19:00 78336 c:\windows\system32\dllcache\ieencode.dll
+ 2006-02-28 12:00 . 2011-06-21 11:46 70656 c:\windows\system32\dllcache\ie4uinit.exe
- 2006-02-28 12:00 . 2011-02-17 11:43 70656 c:\windows\system32\dllcache\ie4uinit.exe
+ 2007-08-20 10:04 . 2011-06-21 18:45 63488 c:\windows\system32\dllcache\icardie.dll
- 2007-08-20 10:04 . 2011-02-17 19:00 63488 c:\windows\system32\dllcache\icardie.dll
- 2009-12-14 07:08 . 2010-12-09 14:30 33280 c:\windows\system32\dllcache\csrsrv.dll
+ 2009-12-14 07:08 . 2011-04-26 11:07 33280 c:\windows\system32\dllcache\csrsrv.dll
- 2009-06-29 16:12 . 2011-02-17 19:00 17408 c:\windows\system32\dllcache\corpol.dll
+ 2009-06-29 16:12 . 2011-06-21 18:45 17408 c:\windows\system32\dllcache\corpol.dll
+ 2006-02-28 12:00 . 2011-04-26 11:07 33280 c:\windows\system32\csrsrv.dll
- 2006-02-28 12:00 . 2010-12-09 14:30 33280 c:\windows\system32\csrsrv.dll
+ 2006-02-28 12:00 . 2011-06-21 18:45 17408 c:\windows\system32\corpol.dll
- 2006-02-28 12:00 . 2011-02-17 19:00 17408 c:\windows\system32\corpol.dll
+ 2007-06-21 04:58 . 2011-10-02 06:54 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-06-21 04:58 . 2011-06-12 14:22 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-07-25 15:17 . 2008-07-25 15:17 69632 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
+ 2011-10-04 07:16 . 2008-07-25 15:17 69632 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
+ 2011-10-03 18:53 . 2011-02-17 19:00 44544 c:\windows\ie7updates\KB2559049-IE7\pngfilt.dll
+ 2011-10-03 18:53 . 2011-02-17 19:00 52224 c:\windows\ie7updates\KB2559049-IE7\msfeedsbs.dll
+ 2011-10-03 18:53 . 2011-02-17 19:00 27648 c:\windows\ie7updates\KB2559049-IE7\jsproxy.dll
+ 2011-10-03 18:53 . 2011-02-17 11:43 13824 c:\windows\ie7updates\KB2559049-IE7\ieudinit.exe
+ 2011-10-03 18:53 . 2011-02-17 19:00 44544 c:\windows\ie7updates\KB2559049-IE7\iernonce.dll
+ 2011-10-03 18:53 . 2011-02-17 19:00 78336 c:\windows\ie7updates\KB2559049-IE7\ieencode.dll
+ 2011-10-03 18:53 . 2011-02-17 11:43 70656 c:\windows\ie7updates\KB2559049-IE7\ie4uinit.exe
+ 2011-10-03 18:53 . 2011-02-17 19:00 63488 c:\windows\ie7updates\KB2559049-IE7\icardie.dll
+ 2011-10-03 18:53 . 2011-02-17 19:00 17408 c:\windows\ie7updates\KB2559049-IE7\corpol.dll
+ 2011-10-03 19:15 . 2011-10-03 19:15 47616 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLiveWriter\e01941c4292a588e4f1eb5585822087c\WindowsLiveWriter.ni.exe
+ 2011-10-03 19:15 . 2011-10-03 19:15 99840 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\6730cd9fbbafc6c69651abefafb0667a\WindowsLive.Writer.Api.ni.dll
+ 2011-10-03 18:58 . 2011-10-03 18:58 60928 c:\windows\assembly\NativeImages_v2.0.50727_32\UIAutomationProvider\1492e9393417d6e91b5ddc746b5ef320\UIAutomationProvider.ni.dll
+ 2011-10-03 19:16 . 2011-10-03 19:16 37888 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Pres#\343c52b741531ce9ae874ea7508831a7\System.Windows.Presentation.ni.dll
+ 2011-10-03 19:16 . 2011-10-03 19:16 36864 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.DynamicD#\246110974e3c48733458819b07464b23\System.Web.DynamicData.Design.ni.dll
+ 2011-10-03 19:15 . 2011-10-03 19:15 94208 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ComponentMod#\ace861fe8dbf146c3e449abaa7691e9f\System.ComponentModel.DataAnnotations.ni.dll
+ 2011-10-03 19:15 . 2011-10-03 19:15 82944 c:\windows\assembly\NativeImages_v2.0.50727_32\System.AddIn.Contra#\177a17af98d803ab79006d6785706462\System.AddIn.Contract.ni.dll
+ 2011-10-03 18:59 . 2011-10-03 18:59 47104 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFontCac#\40ee65aacd9d7472cd6f8dddbfca604b\PresentationFontCache.ni.exe
+ 2011-10-03 18:58 . 2011-10-03 18:58 39424 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationCFFRast#\12c424eed7ee0e9c017bf72ff09eb78c\PresentationCFFRasterizer.ni.dll
+ 2011-10-03 19:16 . 2011-10-03 19:16 55296 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Vsa\f9c514544c8e23220493cd42a0e20678\Microsoft.Vsa.ni.dll
+ 2011-10-03 19:15 . 2011-10-03 19:15 22016 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\3b4ad8da0cbaa896c4d589f578aafa72\Microsoft.VisualStudio.Designer.Interfaces.ni.dll
+ 2011-10-03 19:15 . 2011-10-03 19:15 74752 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\2c43daba93b3ba97181b9989aa16ac6b\Microsoft.VisualStudio.Shell.Interop.9.0.ni.dll
+ 2011-10-03 18:58 . 2011-10-03 18:58 15872 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualC\a96b02abbfcaae424cfb91a198a9e0e9\Microsoft.VisualC.ni.dll
+ 2011-10-03 19:15 . 2011-10-03 19:15 25600 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.SqlServer#\fb512f845450258bade202c55d71f9f7\Microsoft.SqlServer.SqlClrProvider.ni.dll
+ 2011-10-03 19:15 . 2011-10-03 19:15 65024 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.SqlServer#\ea9d072be5a0a195fa4f581a71dc084d\Microsoft.SqlServer.SqlTDiagM.ni.dll
+ 2011-10-03 19:15 . 2011-10-03 19:15 32768 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.SqlServer#\e9338317231b3a111c1e03e09d2e7dac\Microsoft.SqlServer.PolicyEnum.ni.dll
+ 2011-10-03 19:14 . 2011-10-03 19:14 42496 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.SqlServer#\c78025f5d7f5d6577680edfe21309557\Microsoft.SqlServer.ServiceBrokerEnum.ni.dll
+ 2011-10-03 19:15 . 2011-10-03 19:15 65536 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.SqlServer#\7fcf1d80b88a778575dd9ec8795e66d3\Microsoft.SqlServer.WmiEnum.ni.dll
+ 2011-10-03 19:15 . 2011-10-03 19:15 72704 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.SqlServer#\175a23975dabef3caa7927810cfbbb12\Microsoft.SqlServer.BatchParserClient.ni.dll
+ 2011-10-03 19:15 . 2011-10-03 19:15 42496 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.SqlServer#\08a6c1b7f4cde3cf62e18c93d47f7ca3\Microsoft.SqlServer.SString.ni.dll
+ 2011-10-03 19:15 . 2011-10-03 19:15 18944 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Internal.#\d9c730065629e1d6aca8bee7a0d50b51\Microsoft.Internal.VisualStudio.Shell.Interop.9.0.ni.dll
+ 2011-10-03 18:58 . 2011-10-03 18:58 65024 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Fra#\f5057c30d89ad8d99e38c946a68def9e\Microsoft.Build.Framework.ni.dll
+ 2011-10-03 19:15 . 2011-10-03 19:15 74752 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Fra#\623c05a555ac0719a1367f511d4a9270\Microsoft.Build.Framework.ni.dll
+ 2011-10-03 19:14 . 2011-10-03 19:14 47616 c:\windows\assembly\NativeImages_v2.0.50727_32\MetaGen\fc10af3b73da597150ad5ee9f033fe8b\MetaGen.ni.dll
+ 2011-10-03 19:15 . 2011-10-03 19:15 31232 c:\windows\assembly\NativeImages_v2.0.50727_32\EnvDTE90a\ce5c47995565f9a2f148ebd8ec812e71\EnvDTE90a.ni.dll
+ 2011-10-03 19:15 . 2011-10-03 19:15 46080 c:\windows\assembly\NativeImages_v2.0.50727_32\EnvDTE90\111531ba5fdba583b81c67151e91a789\EnvDTE90.ni.dll
+ 2011-10-03 19:15 . 2011-10-03 19:15 14336 c:\windows\assembly\NativeImages_v2.0.50727_32\dfsvc\c40d3caad8bff3c52db7e7562286406a\dfsvc.ni.exe
+ 2011-10-03 18:59 . 2011-10-03 18:59 25600 c:\windows\assembly\NativeImages_v2.0.50727_32\Accessibility\d9228d58804dfd75fd92a4d12ffac8af\Accessibility.ni.dll
- 2011-04-16 07:04 . 2011-04-16 07:04 77824 c:\windows\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
+ 2011-10-03 18:57 . 2011-10-03 18:57 77824 c:\windows\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
- 2011-04-16 07:04 . 2011-04-16 07:04 81920 c:\windows\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
+ 2011-10-03 18:57 . 2011-10-03 18:57 81920 c:\windows\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
+ 2011-10-03 18:57 . 2011-10-03 18:57 81920 c:\windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
- 2011-04-16 07:04 . 2011-04-16 07:04 81920 c:\windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
+ 2011-10-03 18:57 . 2011-10-03 18:57 32768 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
- 2011-04-16 07:04 . 2011-04-16 07:04 32768 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
+ 2011-10-03 18:57 . 2011-10-03 18:57 12800 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
- 2011-04-16 07:04 . 2011-04-16 07:04 12800 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
+ 2011-10-03 18:57 . 2011-10-03 18:57 28672 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
- 2011-04-16 07:04 . 2011-04-16 07:04 28672 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
- 2011-04-16 07:04 . 2011-04-16 07:04 77824 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
+ 2011-10-03 18:57 . 2011-10-03 18:57 77824 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
+ 2011-10-03 18:57 . 2011-10-03 18:57 36864 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
- 2011-04-16 07:04 . 2011-04-16 07:04 36864 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
- 2011-04-16 07:04 . 2011-04-16 07:04 77824 c:\windows\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
+ 2011-10-03 18:57 . 2011-10-03 18:57 77824 c:\windows\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
- 2011-04-16 07:04 . 2011-04-16 07:04 13312 c:\windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
+ 2011-10-03 18:57 . 2011-10-03 18:57 13312 c:\windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
+ 2011-10-03 18:57 . 2011-10-03 18:57 10752 c:\windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
- 2011-04-16 07:04 . 2011-04-16 07:04 10752 c:\windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
+ 2011-10-03 18:57 . 2011-10-03 18:57 72192 c:\windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
- 2011-04-16 07:04 . 2011-04-16 07:04 72192 c:\windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
+ 2011-10-03 18:57 . 2011-10-03 18:57 69120 c:\windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
- 2011-04-16 07:04 . 2011-04-16 07:04 69120 c:\windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
+ 2011-10-03 18:57 . 2011-10-03 18:57 8192 c:\windows\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e\IEExecRemote.dll
- 2011-04-16 07:04 . 2011-04-16 07:04 8192 c:\windows\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e\IEExecRemote.dll
- 2011-04-16 07:04 . 2011-04-16 07:04 7168 c:\windows\assembly\GAC_MSIL\Microsoft_VsaVb\8.0.0.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll
+ 2011-10-03 18:57 . 2011-10-03 18:57 7168 c:\windows\assembly\GAC_MSIL\Microsoft_VsaVb\8.0.0.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll
+ 2011-10-03 18:57 . 2011-10-03 18:57 5632 c:\windows\assembly\GAC_MSIL\Microsoft.VisualC\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll
- 2011-04-16 07:04 . 2011-04-16 07:04 5632 c:\windows\assembly\GAC_MSIL\Microsoft.VisualC\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll
- 2011-04-16 07:04 . 2011-04-16 07:04 6656 c:\windows\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll
+ 2011-10-03 18:57 . 2011-10-03 18:57 6656 c:\windows\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll
+ 2011-10-03 18:57 . 2011-10-03 18:57 113664 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.Wrapper.dll
- 2011-04-16 07:04 . 2011-04-16 07:04 113664 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.Wrapper.dll
+ 2011-10-03 18:57 . 2011-10-03 18:57 258048 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll
- 2011-04-16 07:04 . 2011-04-16 07:04 258048 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll
+ 2011-04-19 02:51 . 2011-04-19 02:51 653136 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_31a54e43\msvcr90.dll
+ 2011-04-19 02:51 . 2011-04-19 02:51 569680 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_31a54e43\msvcp90.dll
+ 2011-04-19 02:51 . 2011-04-19 02:51 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_31a54e43\msvcm90.dll
+ 2011-04-19 02:51 . 2011-04-19 02:51 159048 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_92453bb7\atl90.dll
+ 2011-05-14 05:17 . 2011-05-14 05:17 632656 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\msvcr80.dll
+ 2011-05-14 05:12 . 2011-05-14 05:12 554832 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\msvcp80.dll
+ 2011-05-14 05:11 . 2011-05-14 05:11 479232 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\msvcm80.dll
- 2006-02-28 12:00 . 2010-06-18 17:45 293376 c:\windows\system32\winsrv.dll
+ 2006-02-28 12:00 . 2011-06-20 17:44 293376 c:\windows\system32\winsrv.dll
+ 2006-02-28 12:00 . 2011-06-21 18:45 832512 c:\windows\system32\wininet.dll
- 2006-02-28 12:00 . 2011-02-17 19:00 832512 c:\windows\system32\wininet.dll
- 2006-02-28 12:00 . 2011-02-17 19:00 233472 c:\windows\system32\webcheck.dll
+ 2006-02-28 12:00 . 2011-06-21 18:45 233472 c:\windows\system32\webcheck.dll
+ 2006-02-28 12:00 . 2011-06-21 18:45 106496 c:\windows\system32\url.dll
+ 2006-02-28 12:00 . 2011-04-29 17:25 151552 c:\windows\system32\schannel.dll
- 2006-02-28 12:00 . 2011-04-16 07:04 459732 c:\windows\system32\perfh009.dat
+ 2006-02-28 12:00 . 2011-10-03 18:57 459732 c:\windows\system32\perfh009.dat
+ 2006-02-28 12:00 . 2010-12-20 17:32 551936 c:\windows\system32\oleaut32.dll
- 2006-02-28 12:00 . 2008-04-14 00:12 551936 c:\windows\system32\oleaut32.dll
- 2006-02-28 12:00 . 2011-02-17 19:00 102912 c:\windows\system32\occache.dll
+ 2006-02-28 12:00 . 2011-06-21 18:45 102912 c:\windows\system32\occache.dll
+ 2009-09-27 23:19 . 2007-04-20 10:05 163908 c:\windows\system32\nvsvc32.exe
+ 2006-02-28 12:00 . 2011-06-21 18:45 671232 c:\windows\system32\mstime.dll
- 2006-02-28 12:00 . 2011-02-17 19:00 671232 c:\windows\system32\mstime.dll
+ 2006-02-28 12:00 . 2011-06-21 18:45 193024 c:\windows\system32\msrating.dll
- 2006-02-28 12:00 . 2011-02-17 19:00 193024 c:\windows\system32\msrating.dll
+ 2006-02-28 12:00 . 2011-06-21 18:45 478720 c:\windows\system32\mshtmled.dll
- 2006-11-08 01:03 . 2011-02-17 19:00 468480 c:\windows\system32\msfeeds.dll
+ 2006-11-08 01:03 . 2011-06-21 18:45 468480 c:\windows\system32\msfeeds.dll
+ 2007-06-21 04:54 . 2011-05-02 15:31 692736 c:\windows\system32\inetcomm.dll
- 2007-06-21 04:54 . 2011-03-07 05:33 692736 c:\windows\system32\inetcomm.dll
- 2006-10-17 15:57 . 2011-02-17 19:00 268288 c:\windows\system32\iertutil.dll
+ 2006-10-17 15:57 . 2011-06-21 18:45 268288 c:\windows\system32\iertutil.dll
+ 2006-02-28 12:00 . 2011-06-21 18:45 192512 c:\windows\system32\iepeers.dll
- 2006-02-28 12:00 . 2011-02-17 19:00 192512 c:\windows\system32\iepeers.dll
+ 2006-02-28 12:00 . 2011-06-21 18:45 384512 c:\windows\system32\iedkcs32.dll
- 2006-02-28 12:00 . 2011-02-17 19:00 384512 c:\windows\system32\iedkcs32.dll
+ 2006-10-17 15:27 . 2011-06-21 18:45 380928 c:\windows\system32\ieapfltr.dll
- 2006-10-17 15:27 . 2011-02-17 19:00 380928 c:\windows\system32\ieapfltr.dll
- 2006-02-28 12:00 . 2011-02-14 12:15 161792 c:\windows\system32\ieakui.dll
+ 2006-02-28 12:00 . 2011-06-20 11:27 161792 c:\windows\system32\ieakui.dll
- 2006-02-28 12:00 . 2011-02-17 19:00 230400 c:\windows\system32\ieaksie.dll
+ 2006-02-28 12:00 . 2011-06-21 18:45 230400 c:\windows\system32\ieaksie.dll
+ 2006-02-28 12:00 . 2011-06-21 18:45 153088 c:\windows\system32\ieakeng.dll
- 2006-02-28 12:00 . 2011-02-17 19:00 153088 c:\windows\system32\ieakeng.dll
+ 2007-06-22 00:46 . 2011-10-04 05:33 107008 c:\windows\system32\FNTCACHE.DAT
- 2007-06-22 00:46 . 2011-04-16 08:05 107008 c:\windows\system32\FNTCACHE.DAT
- 2006-02-28 12:00 . 2011-02-17 19:00 133120 c:\windows\system32\extmgr.dll
+ 2006-02-28 12:00 . 2011-06-21 18:45 133120 c:\windows\system32\extmgr.dll
- 2006-02-28 12:00 . 2011-02-17 19:00 214528 c:\windows\system32\dxtrans.dll
+ 2006-02-28 12:00 . 2011-06-21 18:45 214528 c:\windows\system32\dxtrans.dll
- 2006-02-28 12:00 . 2011-02-17 19:00 347136 c:\windows\system32\dxtmsft.dll
+ 2006-02-28 12:00 . 2011-06-21 18:45 347136 c:\windows\system32\dxtmsft.dll
- 2007-06-21 04:53 . 2008-04-14 00:13 139656 c:\windows\system32\drivers\rdpwd.sys
+ 2007-06-21 04:53 . 2011-06-24 14:10 139656 c:\windows\system32\drivers\rdpwd.sys
+ 2006-02-28 12:00 . 2011-04-21 13:37 105472 c:\windows\system32\drivers\mup.sys
+ 2006-02-28 12:00 . 2011-02-16 13:22 138496 c:\windows\system32\drivers\afd.sys
- 2006-02-28 12:00 . 2008-10-16 14:43 138496 c:\windows\system32\drivers\afd.sys
- 2010-06-18 17:45 . 2010-06-18 17:45 293376 c:\windows\system32\dllcache\winsrv.dll
+ 2010-06-18 17:45 . 2011-06-20 17:44 293376 c:\windows\system32\dllcache\winsrv.dll
+ 2006-02-28 12:00 . 2011-06-21 18:45 832512 c:\windows\system32\dllcache\wininet.dll
- 2006-02-28 12:00 . 2011-02-17 19:00 832512 c:\windows\system32\dllcache\wininet.dll
+ 2006-02-28 12:00 . 2011-06-21 18:45 233472 c:\windows\system32\dllcache\webcheck.dll
- 2006-02-28 12:00 . 2011-02-17 19:00 233472 c:\windows\system32\dllcache\webcheck.dll
+ 2007-06-21 04:54 . 2011-04-30 08:50 766464 c:\windows\system32\dllcache\vgx.dll
+ 2006-02-28 12:00 . 2011-06-21 18:45 106496 c:\windows\system32\dllcache\url.dll
+ 2008-12-05 06:54 . 2011-04-29 17:25 151552 c:\windows\system32\dllcache\schannel.dll
+ 2010-12-20 17:32 . 2010-12-20 17:32 551936 c:\windows\system32\dllcache\oleaut32.dll
- 2006-02-28 12:00 . 2011-02-17 19:00 102912 c:\windows\system32\dllcache\occache.dll
+ 2006-02-28 12:00 . 2011-06-21 18:45 102912 c:\windows\system32\dllcache\occache.dll
+ 2006-02-28 12:00 . 2011-06-21 18:45 671232 c:\windows\system32\dllcache\mstime.dll
- 2006-02-28 12:00 . 2011-02-17 19:00 671232 c:\windows\system32\dllcache\mstime.dll
- 2006-02-28 12:00 . 2011-02-17 19:00 193024 c:\windows\system32\dllcache\msrating.dll
+ 2006-02-28 12:00 . 2011-06-21 18:45 193024 c:\windows\system32\dllcache\msrating.dll
+ 2006-02-28 12:00 . 2011-06-21 18:45 478720 c:\windows\system32\dllcache\mshtmled.dll
+ 2007-04-25 08:41 . 2011-06-21 18:45 468480 c:\windows\system32\dllcache\msfeeds.dll
- 2007-04-25 08:41 . 2011-02-17 19:00 468480 c:\windows\system32\dllcache\msfeeds.dll
+ 2008-11-13 00:46 . 2011-07-15 13:29 456320 c:\windows\system32\dllcache\mrxsmb.sys
- 2008-08-13 14:30 . 2011-03-07 05:33 692736 c:\windows\system32\dllcache\inetcomm.dll
+ 2008-08-13 14:30 . 2011-05-02 15:31 692736 c:\windows\system32\dllcache\inetcomm.dll
- 2007-06-21 04:54 . 2011-02-14 12:17 634648 c:\windows\system32\dllcache\iexplore.exe
+ 2007-06-21 04:54 . 2011-06-20 11:29 634648 c:\windows\system32\dllcache\iexplore.exe
- 2007-04-25 08:41 . 2011-02-17 19:00 268288 c:\windows\system32\dllcache\iertutil.dll
+ 2007-04-25 08:41 . 2011-06-21 18:45 268288 c:\windows\system32\dllcache\iertutil.dll
- 2006-02-28 12:00 . 2011-02-17 19:00 192512 c:\windows\system32\dllcache\iepeers.dll
+ 2006-02-28 12:00 . 2011-06-21 18:45 192512 c:\windows\system32\dllcache\iepeers.dll
- 2006-02-28 12:00 . 2011-02-17 19:00 384512 c:\windows\system32\dllcache\iedkcs32.dll
+ 2006-02-28 12:00 . 2011-06-21 18:45 384512 c:\windows\system32\dllcache\iedkcs32.dll
- 2007-04-25 08:41 . 2011-02-17 19:00 380928 c:\windows\system32\dllcache\ieapfltr.dll
+ 2007-04-25 08:41 . 2011-06-21 18:45 380928 c:\windows\system32\dllcache\ieapfltr.dll
- 2006-02-28 12:00 . 2011-02-14 12:15 161792 c:\windows\system32\dllcache\ieakui.dll
+ 2006-02-28 12:00 . 2011-06-20 11:27 161792 c:\windows\system32\dllcache\ieakui.dll
- 2006-02-28 12:00 . 2011-02-17 19:00 230400 c:\windows\system32\dllcache\ieaksie.dll
+ 2006-02-28 12:00 . 2011-06-21 18:45 230400 c:\windows\system32\dllcache\ieaksie.dll
- 2006-02-28 12:00 . 2011-02-17 19:00 153088 c:\windows\system32\dllcache\ieakeng.dll
+ 2006-02-28 12:00 . 2011-06-21 18:45 153088 c:\windows\system32\dllcache\ieakeng.dll
- 2006-02-28 12:00 . 2011-02-17 19:00 133120 c:\windows\system32\dllcache\extmgr.dll
+ 2006-02-28 12:00 . 2011-06-21 18:45 133120 c:\windows\system32\dllcache\extmgr.dll
+ 2006-02-28 12:00 . 2011-06-21 18:45 214528 c:\windows\system32\dllcache\dxtrans.dll
- 2006-02-28 12:00 . 2011-02-17 19:00 214528 c:\windows\system32\dllcache\dxtrans.dll
- 2006-02-28 12:00 . 2011-02-17 19:00 347136 c:\windows\system32\dllcache\dxtmsft.dll
+ 2006-02-28 12:00 . 2011-06-21 18:45 347136 c:\windows\system32\dllcache\dxtmsft.dll
+ 2008-06-20 11:40 . 2011-02-16 13:22 138496 c:\windows\system32\dllcache\afd.sys
- 2008-06-20 11:40 . 2008-10-16 14:43 138496 c:\windows\system32\dllcache\afd.sys
- 2006-02-28 12:00 . 2011-02-17 19:00 124928 c:\windows\system32\dllcache\advpack.dll
+ 2006-02-28 12:00 . 2011-06-21 18:45 124928 c:\windows\system32\dllcache\advpack.dll
- 2009-11-21 06:30 . 2011-06-12 14:22 360448 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-11-21 06:30 . 2011-10-02 06:54 360448 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2006-02-28 12:00 . 2011-02-17 19:00 124928 c:\windows\system32\advpack.dll
+ 2006-02-28 12:00 . 2011-06-21 18:45 124928 c:\windows\system32\advpack.dll
- 2011-01-18 08:39 . 2011-01-18 08:39 388936 c:\windows\Microsoft.NET\Framework\v2.0.50727\SOS.dll
+ 2011-03-25 10:15 . 2011-03-25 10:15 388936 c:\windows\Microsoft.NET\Framework\v2.0.50727\SOS.dll
- 2011-01-18 08:39 . 2011-01-18 08:39 363856 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll
+ 2011-03-25 10:15 . 2011-03-25 10:15 363856 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll
- 2011-01-18 08:39 . 2011-01-18 08:39 989016 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscordacwks.dll
+ 2011-03-25 10:15 . 2011-03-25 10:15 989016 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscordacwks.dll
+ 2011-10-03 18:53 . 2011-10-03 18:53 223744 c:\windows\Installer\4598c.msi
+ 2011-10-03 18:50 . 2011-10-03 18:50 467456 c:\windows\Installer\45986.msi
+ 2011-10-03 18:53 . 2011-02-17 19:00 832512 c:\windows\ie7updates\KB2559049-IE7\wininet.dll
+ 2011-10-03 18:53 . 2011-02-17 19:00 233472 c:\windows\ie7updates\KB2559049-IE7\webcheck.dll
+ 2011-10-03 18:53 . 2011-02-17 19:00 105984 c:\windows\ie7updates\KB2559049-IE7\url.dll
+ 2011-10-03 18:53 . 2010-07-05 13:16 382840 c:\windows\ie7updates\KB2559049-IE7\spuninst\updspapi.dll
+ 2011-10-03 18:53 . 2010-07-05 13:15 231288 c:\windows\ie7updates\KB2559049-IE7\spuninst\spuninst.exe
+ 2011-10-03 18:53 . 2011-02-17 19:00 102912 c:\windows\ie7updates\KB2559049-IE7\occache.dll
+ 2011-10-03 18:53 . 2011-02-17 19:00 671232 c:\windows\ie7updates\KB2559049-IE7\mstime.dll
+ 2011-10-03 18:53 . 2011-02-17 19:00 193024 c:\windows\ie7updates\KB2559049-IE7\msrating.dll
+ 2011-10-03 18:53 . 2011-02-17 19:00 478208 c:\windows\ie7updates\KB2559049-IE7\mshtmled.dll
+ 2011-10-03 18:53 . 2011-02-17 19:00 468480 c:\windows\ie7updates\KB2559049-IE7\msfeeds.dll
+ 2011-10-03 18:53 . 2011-02-14 12:17 634648 c:\windows\ie7updates\KB2559049-IE7\iexplore.exe
+ 2011-10-03 18:53 . 2011-02-17 19:00 268288 c:\windows\ie7updates\KB2559049-IE7\iertutil.dll
+ 2011-10-03 18:53 . 2011-02-17 19:00 192512 c:\windows\ie7updates\KB2559049-IE7\iepeers.dll
+ 2011-10-03 18:53 . 2011-02-17 19:00 384512 c:\windows\ie7updates\KB2559049-IE7\iedkcs32.dll
+ 2011-10-03 18:53 . 2011-02-17 19:00 380928 c:\windows\ie7updates\KB2559049-IE7\ieapfltr.dll
+ 2011-10-03 18:53 . 2011-02-14 12:15 161792 c:\windows\ie7updates\KB2559049-IE7\ieakui.dll
+ 2011-10-03 18:53 . 2011-02-17 19:00 230400 c:\windows\ie7updates\KB2559049-IE7\ieaksie.dll
+ 2011-10-03 18:53 . 2011-02-17 19:00 153088 c:\windows\ie7updates\KB2559049-IE7\ieakeng.dll
+ 2011-10-03 18:53 . 2011-02-17 19:00 133120 c:\windows\ie7updates\KB2559049-IE7\extmgr.dll
+ 2011-10-03 18:53 . 2011-02-17 19:00 214528 c:\windows\ie7updates\KB2559049-IE7\dxtrans.dll
+ 2011-10-03 18:53 . 2011-02-17 19:00 347136 c:\windows\ie7updates\KB2559049-IE7\dxtmsft.dll
+ 2011-10-03 18:53 . 2011-02-17 19:00 124928 c:\windows\ie7updates\KB2559049-IE7\advpack.dll
+ 2011-10-03 18:53 . 2007-07-12 23:31 765952 c:\windows\ie7updates\KB2544521-IE7\vgx.dll
+ 2011-10-03 18:53 . 2010-07-05 13:16 382840 c:\windows\ie7updates\KB2544521-IE7\spuninst\updspapi.dll
+ 2011-10-03 18:53 . 2010-07-05 13:15 231288 c:\windows\ie7updates\KB2544521-IE7\spuninst\spuninst.exe
+ 2008-11-13 00:46 . 2011-07-15 13:29 456320 c:\windows\Driver Cache\i386\mrxsmb.sys
+ 2011-10-03 19:15 . 2011-10-03 19:15 321536 c:\windows\assembly\NativeImages_v2.0.50727_32\WsatConfig\cc14c69205b984edba1db26fd5e421ac\WsatConfig.ni.exe
+ 2011-10-03 19:15 . 2011-10-03 19:15 626688 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLiveLocal.Wr#\3c563025202d24342179c8a1a0a755ad\WindowsLiveLocal.WriterPlugin.ni.dll
+ 2011-10-03 19:15 . 2011-10-03 19:15 152064 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\fe621804d2c95c0e4fc8dff970b4f3f3\WindowsLive.Writer.HtmlParser.ni.dll
+ 2011-10-03 19:15 . 2011-10-03 19:15 851968 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\fc64a3a9c3629479f0b1239f00825bbc\WindowsLive.Writer.BlogClient.ni.dll
+ 2011-10-03 19:15 . 2011-10-03 19:15 108544 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\efe876b4b72a7027fdec114bf09e7a88\WindowsLive.Writer.Passport.ni.dll
+ 2011-10-03 19:15 . 2011-10-03 19:15 117760 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\ed53ada3701a243ad82946a6565391e9\WindowsLive.Writer.Instrumentation.ni.dll
+ 2011-10-03 19:15 . 2011-10-03 19:15 313856 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\d78f83ddd58e30d6b7beb63b7534f092\WindowsLive.Writer.Interop.SHDocVw.ni.dll
+ 2011-10-03 19:15 . 2011-10-03 19:15 322048 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\93c0a88195c257f98b0fb4371bfccc03\WindowsLive.Writer.SpellChecker.ni.dll
+ 2011-10-03 19:15 . 2011-10-03 19:15 843776 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\8211d331938ec70d8f6c630b2eb74658\WindowsLive.Writer.Controls.ni.dll
+ 2011-10-03 19:15 . 2011-10-03 19:15 428032 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\7a787d90ccf09155f4436bb4d53c941b\WindowsLive.Writer.Localization.ni.dll
+ 2011-10-03 19:15 . 2011-10-03 19:15 258048 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\5f4061dfd69553f192267517ab2dc226\WindowsLive.Writer.Mshtml.ni.dll
+ 2011-10-03 19:15 . 2011-10-03 19:15 174080 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\486d51f1da2fb066734ce15fdf8c9733\WindowsLive.Writer.BrowserControl.ni.dll
+ 2011-10-03 19:15 . 2011-10-03 19:15 594944 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\470af3d7e20d0819ac6dab6f001264c1\WindowsLive.Writer.HtmlEditor.ni.dll
+ 2011-10-03 19:15 . 2011-10-03 19:15 119296 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\3e2eb2d5abfe8d71ae30931a68ce6fe4\WindowsLive.Writer.FileDestinations.ni.dll
+ 2011-10-03 19:15 . 2011-10-03 19:15 118784 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\21b955e068018c3e384bd504b600a78a\WindowsLive.Writer.Extensibility.ni.dll
+ 2011-10-03 19:15 . 2011-10-03 19:15 334848 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\1802baf79662b34a028da7f1a5de1e64\WindowsLive.Writer.Interop.Mshtml.ni.dll
+ 2011-10-03 19:15 . 2011-10-03 19:15 319488 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\0d88a9ab4974e271b5ad2fc0a699d8c4\WindowsLive.Writer.Interop.ni.dll
+ 2011-10-03 19:15 . 2011-10-03 19:15 145920 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Client\50952e96ff796d55954df71508ec0899\WindowsLive.Client.ni.dll
+ 2011-10-03 19:00 . 2011-10-03 19:00 240128 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsFormsIntegra#\39ce0c9c9cc294c0ee26c4ff01522961\WindowsFormsIntegration.ni.dll
+ 2011-10-03 18:58 . 2011-10-03 18:58 187904 c:\windows\assembly\NativeImages_v2.0.50727_32\UIAutomationTypes\3740d6db28af31a6523a79fcdd71fbeb\UIAutomationTypes.ni.dll
+ 2011-10-03 19:00 . 2011-10-03 19:00 447488 c:\windows\assembly\NativeImages_v2.0.50727_32\UIAutomationClient\431e918aee8da919f5b9e3a5195ccf93\UIAutomationClient.ni.dll
+ 2011-10-03 19:17 . 2011-10-03 19:17 400896 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Xml.Linq\946eefb99bc116ee68e0e7c69a5a8a5c\System.Xml.Linq.ni.dll
+ 2011-10-03 19:16 . 2011-10-03 19:16 129536 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Routing\a82eef3128b9527dc05b3c8667e713bc\System.Web.Routing.ni.dll
+ 2011-10-03 18:59 . 2011-10-03 18:59 202240 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.RegularE#\203c148c913357bfc2ae9d209101f2b3\System.Web.RegularExpressions.ni.dll
+ 2011-10-03 19:16 . 2011-10-03 19:16 859648 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Extensio#\f89fe39468ea6faf71c4257c89cf3c54\System.Web.Extensions.Design.ni.dll
+ 2011-10-03 19:16 . 2011-10-03 19:16 328704 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Entity\2314ff800782dc85224e69e802a073f7\System.Web.Entity.ni.dll
+ 2011-10-03 19:16 . 2011-10-03 19:16 301056 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Entity.D#\f690a8f5d784a5bb20f2cbaa7277eb6c\System.Web.Entity.Design.ni.dll
+ 2011-10-03 19:16 . 2011-10-03 19:16 547328 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.DynamicD#\c5c96400424b85536443623f96f64581\System.Web.DynamicData.ni.dll
+ 2011-10-03 19:16 . 2011-10-03 19:16 141312 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Abstract#\5f8e87b47465a038403e73012c6d102a\System.Web.Abstractions.ni.dll
+ 2011-10-03 18:59 . 2011-10-03 18:59 627200 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Transactions\846dd505f97805f00999ee26aec9bf75\System.Transactions.ni.dll
+ 2011-10-03 19:00 . 2011-10-03 19:00 212992 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\70a1400affdc775d7c7398e036359286\System.ServiceProcess.ni.dll
+ 2011-10-03 18:58 . 2011-10-03 18:58 679936 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Security\de9cd25ccb24bcf8a0316756e766721f\System.Security.ni.dll
+ 2011-10-03 18:59 . 2011-10-03 18:59 311296 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Seri#\21248037960cf6dfa2ce401d355bd6c9\System.Runtime.Serialization.Formatters.Soap.ni.dll
+ 2011-10-03 18:59 . 2011-10-03 18:59 771584 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\b7e0214a811f81e09041864081139641\System.Runtime.Remoting.ni.dll
+ 2011-10-03 19:16 . 2011-10-03 19:16 621056 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Net\480ea914e13fe41cdd8fb542bb1f7e81\System.Net.ni.dll
+ 2011-10-03 19:16 . 2011-10-03 19:16 593408 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Messaging\18a7efd299665b8bfa0d0dc6701343c6\System.Messaging.ni.dll
+ 2011-10-03 19:16 . 2011-10-03 19:16 998400 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Management\6e563a58e6fc0117070d5b8fd59e4e1b\System.Management.ni.dll
+ 2011-10-03 19:16 . 2011-10-03 19:16 330752 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Management.I#\dc72c7581f1b3794c0ea595ba02ff7ad\System.Management.Instrumentation.ni.dll
+ 2011-10-03 19:14 . 2011-10-03 19:14 381440 c:\windows\assembly\NativeImages_v2.0.50727_32\System.IO.Log\fcf8612a210d1f76e0b37dc8467b4696\System.IO.Log.ni.dll
+ 2011-10-03 19:14 . 2011-10-03 19:14 212992 c:\windows\assembly\NativeImages_v2.0.50727_32\System.IdentityMode#\ec017b5a95d02fccaefd835490ef1e14\System.IdentityModel.Selectors.ni.dll
+ 2011-10-03 18:59 . 2011-10-03 18:59 280064 c:\windows\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\75f452279422a7898e840ee5768c9d2e\System.EnterpriseServices.Wrapper.dll
+ 2011-10-03 18:59 . 2011-10-03 18:59 627712 c:\windows\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\75f452279422a7898e840ee5768c9d2e\System.EnterpriseServices.ni.dll
+ 2011-10-03 18:59 . 2011-10-03 18:59 208384 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Drawing.Desi#\f7cd3d07c15366b76fe4c38d24455d6b\System.Drawing.Design.ni.dll
+ 2011-10-03 19:16 . 2011-10-03 19:16 881152 c:\windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\822c996e6ad4901219b7de399a6f78bf\System.DirectoryServices.AccountManagement.ni.dll
+ 2011-10-03 19:00 . 2011-10-03 19:00 455680 c:\windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\1ffe911e62f482e42be2c4428bd08c10\System.DirectoryServices.Protocols.ni.dll
+ 2011-10-03 19:16 . 2011-10-03 19:16 354816 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Service#\e1c009b2c9becdb732a2ea45f32a46b8\System.Data.Services.Design.ni.dll
+ 2011-10-03 19:16 . 2011-10-03 19:16 939008 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Service#\1defd94e1662a4478ccf2cd0b1b4e6a6\System.Data.Services.Client.ni.dll
+ 2011-10-03 19:16 . 2011-10-03 19:16 756736 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Entity.#\04267c1dbdcdd8ec37e1518126767ead\System.Data.Entity.Design.ni.dll
+ 2011-10-03 19:15 . 2011-10-03 19:15 135680 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.DataSet#\f2a6d41b3f6e26eea6dcac9298aa637b\System.Data.DataSetExtensions.ni.dll
+ 2011-10-03 18:58 . 2011-10-03 18:58 971264 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\77df2cd21a5b85a1605b335aa9ad9d44\System.Configuration.ni.dll
+ 2011-10-03 19:00 . 2011-10-03 19:00 141312 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Configuratio#\585e68739b2a8aff61ee6b2786513245\System.Configuration.Install.ni.dll
+ 2011-10-03 19:15 . 2011-10-03 19:15 633856 c:\windows\assembly\NativeImages_v2.0.50727_32\System.AddIn\fbf6ef12d1456058acde29f2640092fb\System.AddIn.ni.dll
+ 2011-10-03 19:00 . 2011-10-03 19:00 232448 c:\windows\assembly\NativeImages_v2.0.50727_32\sysglobl\b87b5e03cdda1e29cd412a315c45a9ad\sysglobl.ni.dll
+ 2011-10-03 19:15 . 2011-10-03 19:15 366080 c:\windows\assembly\NativeImages_v2.0.50727_32\SMSvcHost\896e42071939e038008b0bbbfed1213c\SMSvcHost.ni.exe
+ 2011-10-03 19:15 . 2011-10-03 19:15 256000 c:\windows\assembly\NativeImages_v2.0.50727_32\SMDiagnostics\ca07e9cf488af1290d2340d682574a24\SMDiagnostics.ni.dll
+ 2011-10-03 19:15 . 2011-10-03 19:15 320512 c:\windows\assembly\NativeImages_v2.0.50727_32\ServiceModelReg\a5aa977dd575a6beb3a416bd480b98a7\ServiceModelReg.ni.exe
+ 2011-10-03 19:00 . 2011-10-03 19:00 224768 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\f52e48f55258d0a04fbab3a1f93752e9\PresentationFramework.Classic.ni.dll
+ 2011-10-03 19:00 . 2011-10-03 19:00 368128 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\cf812b99f587ab514afb36fa9d4c1567\PresentationFramework.Aero.ni.dll
+ 2011-10-03 19:00 . 2011-10-03 19:00 539648 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\b7795999cc67f3a6cec40f5b24005e00\PresentationFramework.Luna.ni.dll
+ 2011-10-03 19:00 . 2011-10-03 19:00 258048 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\09f5af61ea2af04eb32c04b3091ffc86\PresentationFramework.Royale.ni.dll
+ 2011-10-03 19:15 . 2011-10-03 19:15 133632 c:\windows\assembly\NativeImages_v2.0.50727_32\MSBuild\2d89c7b72bc8e527b26d5b6f3b931012\MSBuild.ni.exe
+ 2011-10-03 19:15 . 2011-10-03 19:15 876032 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\fb4774beedf30755f8b1301883fb1506\Microsoft.VisualStudio.Shell.9.0.ni.dll
+ 2011-10-03 19:15 . 2011-10-03 19:15 220672 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\c0756004c70945180abc71e46202b84e\Microsoft.VisualStudio.Configuration.ni.dll
+ 2011-10-03 19:15 . 2011-10-03 19:15 306176 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\90cd38aaa7ed1b3e1bbc4c0303744381\Microsoft.VisualStudio.OLE.Interop.ni.dll
+ 2011-10-03 19:15 . 2011-10-03 19:15 159744 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\791751150dd31c42740c73dbeb90a9c2\Microsoft.VisualStudio.WizardFramework.ni.dll
+ 2011-10-03 19:15 . 2011-10-03 19:15 373248 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\775e413e8006c0063ebcdd72b7d7324c\Microsoft.VisualStudio.Shell.Interop.8.0.ni.dll
+ 2011-10-03 19:15 . 2011-10-03 19:15 822272 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\57479fad3b751103d2dbec0d81ecf21d\Microsoft.VisualStudio.Shell.ni.dll
+ 2011-10-03 19:15 . 2011-10-03 19:15 513024 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\038a3aee2192f2ac9628a2c537387701\Microsoft.VisualStudio.Shell.Design.ni.dll
+ 2011-10-03 19:15 . 2011-10-03 19:15 386560 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Transacti#\39e9d172f0cf5eec30b1b67212cc032b\Microsoft.Transactions.Bridge.Dtc.ni.dll
+ 2011-10-03 19:15 . 2011-10-03 19:15 137216 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.SqlServer#\f770d04f347372b67367ae4080624d41\Microsoft.SqlServer.ConnectionInfoExtended.ni.dll
+ 2011-10-03 19:15 . 2011-10-03 19:15 632320 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.SqlServer#\b37dbade38cfac41b08b53c143c4ee87\Microsoft.SqlServer.BatchParser.ni.dll
+ 2011-10-03 19:15 . 2011-10-03 19:15 128000 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.SqlServer#\ae2f332910305ea399ebdc1093734406\Microsoft.SqlServer.RegSvrEnum.ni.dll
+ 2011-10-03 19:15 . 2011-10-03 19:15 400896 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.SqlServer#\a8047d52ef02857925d0c154b1416c65\Microsoft.SqlServer.SmoExtended.ni.dll
+ 2011-10-03 19:15 . 2011-10-03 19:15 251904 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.SqlServer#\2a9beb33cc9c3f32239beff7ae26c867\Microsoft.SqlServer.SqlWmiManagement.ni.dll
+ 2011-10-03 19:15 . 2011-10-03 19:15 244736 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.SqlServer#\0e6fae83b938e4c105c0a013b1169fbe\Microsoft.SqlServer.ConnectionInfo.ni.dll
+ 2011-10-03 18:58 . 2011-10-03 18:58 144384 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Uti#\f1b0ec3ccde9142e67ac681fb521ac66\Microsoft.Build.Utilities.ni.dll
+ 2011-10-03 19:15 . 2011-10-03 19:15 175104 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Uti#\9250f038410f0d6432e3ccb0b046862b\Microsoft.Build.Utilities.v3.5.ni.dll
+ 2011-10-03 19:15 . 2011-10-03 19:15 839680 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Eng#\a4672179aba638cd78bdfe268391b47b\Microsoft.Build.Engine.ni.dll
+ 2011-10-03 19:15 . 2011-10-03 19:15 222720 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Con#\37db660a84ee52b61a7ca55812581bbd\Microsoft.Build.Conversion.v3.5.ni.dll

Uthanak

Rookie Surfer

Posts : 66
Joined : 2009-08-10
Operating System : windows xp

Re: Need to get rid of rootkit.

Post by Uthanak on Sat 03 Sep 2011, 6:42 pm

+ 2011-10-03 19:15 . 2011-10-03 19:15 276480 c:\windows\assembly\NativeImages_v2.0.50727_32\EnvDTE80\ee98355fcd61c7690e1878a286c31cc5\EnvDTE80.ni.dll
+ 2011-10-03 19:14 . 2011-10-03 19:14 573440 c:\windows\assembly\NativeImages_v2.0.50727_32\EnvDTE\22d54b56b1f2e30f35c8ac8fcbfb24d6\EnvDTE.ni.dll
+ 2011-10-03 19:15 . 2011-10-03 19:15 220672 c:\windows\assembly\NativeImages_v2.0.50727_32\CustomMarshalers\80bd17388778c90f301746ad88700758\CustomMarshalers.ni.dll
+ 2011-10-03 19:15 . 2011-10-03 19:15 410112 c:\windows\assembly\NativeImages_v2.0.50727_32\ComSvcConfig\fe9a21b94803f74697bb42b9d1fdea5b\ComSvcConfig.ni.exe
+ 2011-10-03 19:14 . 2011-10-03 19:14 842240 c:\windows\assembly\NativeImages_v2.0.50727_32\AspNetMMCExt\f160c8e40b60edd47ae74b0b911fece1\AspNetMMCExt.ni.dll
+ 2011-10-03 18:57 . 2011-10-03 18:57 839680 c:\windows\assembly\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\System.Web.Services.dll
- 2011-04-16 07:04 . 2011-04-16 07:04 839680 c:\windows\assembly\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\System.Web.Services.dll
- 2011-04-16 07:04 . 2011-04-16 07:04 835584 c:\windows\assembly\GAC_MSIL\System.Web.Mobile\2.0.0.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
+ 2011-10-03 18:57 . 2011-10-03 18:57 835584 c:\windows\assembly\GAC_MSIL\System.Web.Mobile\2.0.0.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
+ 2011-10-03 18:57 . 2011-10-03 18:57 114688 c:\windows\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
- 2011-04-16 07:04 . 2011-04-16 07:04 114688 c:\windows\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
- 2011-04-16 07:04 . 2011-04-16 07:04 258048 c:\windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll
+ 2011-10-03 18:57 . 2011-10-03 18:57 258048 c:\windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll
- 2011-04-16 07:04 . 2011-04-16 07:04 131072 c:\windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
+ 2011-10-03 18:57 . 2011-10-03 18:57 131072 c:\windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
+ 2011-10-03 18:57 . 2011-10-03 18:57 303104 c:\windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
- 2011-04-16 07:04 . 2011-04-16 07:04 303104 c:\windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
- 2011-04-16 07:04 . 2011-04-16 07:04 258048 c:\windows\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll
+ 2011-10-03 18:57 . 2011-10-03 18:57 258048 c:\windows\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll
+ 2011-10-03 18:57 . 2011-10-03 18:57 372736 c:\windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
- 2011-04-16 07:04 . 2011-04-16 07:04 372736 c:\windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
- 2011-04-16 07:04 . 2011-04-16 07:04 626688 c:\windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
+ 2011-10-03 18:57 . 2011-10-03 18:57 626688 c:\windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
+ 2011-10-03 18:57 . 2011-10-03 18:57 401408 c:\windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
- 2011-04-16 07:04 . 2011-04-16 07:04 401408 c:\windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
+ 2011-10-03 18:57 . 2011-10-03 18:57 188416 c:\windows\assembly\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll
- 2011-04-16 07:04 . 2011-04-16 07:04 188416 c:\windows\assembly\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll
+ 2011-10-03 18:57 . 2011-10-03 18:57 970752 c:\windows\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
- 2011-04-16 07:04 . 2011-04-16 07:04 970752 c:\windows\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
+ 2011-10-03 18:57 . 2011-10-03 18:57 745472 c:\windows\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
- 2011-04-16 07:04 . 2011-04-16 07:04 745472 c:\windows\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
+ 2011-10-03 18:57 . 2011-10-03 18:57 425984 c:\windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll
- 2011-04-16 07:04 . 2011-04-16 07:04 425984 c:\windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll
- 2011-04-16 07:04 . 2011-04-16 07:04 110592 c:\windows\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll
+ 2011-10-03 18:57 . 2011-10-03 18:57 110592 c:\windows\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll
- 2011-04-16 07:04 . 2011-04-16 07:04 659456 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
+ 2011-10-03 18:57 . 2011-10-03 18:57 659456 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
+ 2011-10-03 18:57 . 2011-10-03 18:57 372736 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll
- 2011-04-16 07:04 . 2011-04-16 07:04 372736 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll
- 2011-04-16 07:04 . 2011-04-16 07:04 110592 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll
+ 2011-10-03 18:57 . 2011-10-03 18:57 110592 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll
- 2011-04-16 07:04 . 2011-04-16 07:04 749568 c:\windows\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
+ 2011-10-03 18:57 . 2011-10-03 18:57 749568 c:\windows\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
+ 2011-10-03 18:57 . 2011-10-03 18:57 655360 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll
- 2011-04-16 07:04 . 2011-04-16 07:04 655360 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll
+ 2011-10-03 18:57 . 2011-10-03 18:57 348160 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll
- 2011-04-16 07:04 . 2011-04-16 07:04 348160 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll
- 2011-04-16 07:04 . 2011-04-16 07:04 507904 c:\windows\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll
+ 2011-10-03 18:57 . 2011-10-03 18:57 507904 c:\windows\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll
+ 2011-10-03 18:57 . 2011-10-03 18:57 261632 c:\windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
- 2011-04-16 07:04 . 2011-04-16 07:04 261632 c:\windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
+ 2011-10-03 18:57 . 2011-10-03 18:57 486400 c:\windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll
- 2011-04-16 07:04 . 2011-04-16 07:04 486400 c:\windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll
+ 2011-04-19 02:51 . 2011-04-19 02:51 3781960 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_028bc148\mfc90u.dll
+ 2011-04-19 02:51 . 2011-04-19 02:51 3766600 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_028bc148\mfc90.dll
+ 2011-05-14 00:04 . 2011-05-14 00:04 1093120 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_150c9e8b\mfc80u.dll
+ 2011-05-14 00:04 . 2011-05-14 00:04 1101824 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_150c9e8b\mfc80.dll
+ 2006-02-28 12:00 . 2011-06-02 14:02 1858944 c:\windows\system32\win32k.sys
+ 2006-02-28 12:00 . 2011-06-21 18:45 1168896 c:\windows\system32\urlmon.dll
+ 2006-02-28 12:00 . 2011-07-22 16:35 3613696 c:\windows\system32\mshtml.dll
+ 2006-11-08 01:03 . 2011-06-21 18:45 6076416 c:\windows\system32\ieframe.dll
+ 2008-10-16 03:23 . 2011-06-02 14:02 1858944 c:\windows\system32\dllcache\win32k.sys
+ 2006-02-28 12:00 . 2011-06-21 18:45 1168896 c:\windows\system32\dllcache\urlmon.dll
+ 2006-02-28 12:00 . 2011-07-22 16:35 3613696 c:\windows\system32\dllcache\mshtml.dll
+ 2007-04-25 08:41 . 2011-06-21 18:45 6076416 c:\windows\system32\dllcache\ieframe.dll
- 2008-07-25 15:17 . 2008-07-25 15:17 5025792 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Windows.Forms.dll
+ 2011-03-25 10:15 . 2011-03-25 10:15 5025792 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Windows.Forms.dll
- 2010-03-23 09:32 . 2010-03-23 09:32 3182592 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.dll
+ 2011-04-29 01:50 . 2011-04-29 01:50 3182592 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.dll
+ 2011-03-25 10:15 . 2011-03-25 10:15 5912400 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
+ 2011-03-25 10:15 . 2011-03-25 10:15 4550656 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorlib.dll
- 2011-01-18 08:39 . 2011-01-18 08:39 4550656 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorlib.dll
+ 2011-05-02 04:06 . 2011-05-02 04:06 2705920 c:\windows\Installer\45996.msp
+ 2011-10-03 18:53 . 2011-02-17 19:00 1168384 c:\windows\ie7updates\KB2559049-IE7\urlmon.dll
+ 2011-10-03 18:53 . 2011-02-17 19:00 3607040 c:\windows\ie7updates\KB2559049-IE7\mshtml.dll
+ 2011-10-03 18:53 . 2011-02-17 19:00 6075904 c:\windows\ie7updates\KB2559049-IE7\ieframe.dll
+ 2011-10-03 19:15 . 2011-10-03 19:15 1105920 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\fd91703869c4577ee385f6950b744cbe\WindowsLive.Writer.ApplicationFramework.ni.dll
+ 2011-10-03 19:15 . 2011-10-03 19:15 6392832 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\dae5a7d92344cb126cd6f3fdfd661c07\WindowsLive.Writer.PostEditor.ni.dll
+ 2011-10-03 19:15 . 2011-10-03 19:15 2018816 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\9855902aee545bdeae2cbbd1bd6151c9\WindowsLive.Writer.CoreServices.ni.dll
+ 2011-10-03 18:58 . 2011-10-03 18:58 3325440 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsBase\fd6e0cd6f124a6d041ef1b4c9a5f080b\WindowsBase.ni.dll
+ 2011-10-03 19:00 . 2011-10-03 19:00 1049600 c:\windows\assembly\NativeImages_v2.0.50727_32\UIAutomationClients#\162600dde59fbaa0c048a949158ecba3\UIAutomationClientsideProviders.ni.dll
+ 2011-10-03 18:58 . 2011-10-03 18:58 7950848 c:\windows\assembly\NativeImages_v2.0.50727_32\System\e6c79e1d71b0c9000afd7e5e439b5c54\System.ni.dll
+ 2011-10-03 18:58 . 2011-10-03 18:58 5450752 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Xml\10154dcad2d62f226af2fd4211460a4b\System.Xml.ni.dll
+ 2011-10-03 19:17 . 2011-10-03 19:17 1356288 c:\windows\assembly\NativeImages_v2.0.50727_32\System.WorkflowServ#\22229a30650a9afbac984e1093898b13\System.WorkflowServices.ni.dll
+ 2011-10-03 19:16 . 2011-10-03 19:16 1908224 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Run#\4d6b3cc1fc7a4788612241af7966715a\System.Workflow.Runtime.ni.dll
+ 2011-10-03 19:16 . 2011-10-03 19:16 4514304 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Com#\e4c9853af945c9cfede19f3faf18af6e\System.Workflow.ComponentModel.ni.dll
+ 2011-10-03 19:16 . 2011-10-03 19:16 2992640 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Act#\ab4b50c7c789e46a485903365765fde8\System.Workflow.Activities.ni.dll
+ 2011-10-03 18:59 . 2011-10-03 18:59 1840640 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Services\a2392c995b1bb6b63079091259222357\System.Web.Services.ni.dll
+ 2011-10-03 19:16 . 2011-10-03 19:16 2209280 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Mobile\3da92a0b9b8ac97e11ca8bf4df671a78\System.Web.Mobile.ni.dll
+ 2011-10-03 19:16 . 2011-10-03 19:16 2405376 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Extensio#\01f4d6aa3299a41b8578b7e96afdcfb1\System.Web.Extensions.ni.dll
+ 2011-10-03 19:00 . 2011-10-03 19:00 1917952 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Speech\e1208f0d981c420fc59f806bfbaa713b\System.Speech.ni.dll
+ 2011-10-03 19:16 . 2011-10-03 19:16 1706496 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceModel#\27e1b8dfd5e1ccf2c5b9efc51f674c69\System.ServiceModel.Web.ni.dll
+ 2011-10-03 19:14 . 2011-10-03 19:14 2345472 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Seri#\dece01bd9e9c32e47630fdfc78d3bd32\System.Runtime.Serialization.ni.dll
+ 2011-10-03 18:59 . 2011-10-03 18:59 1035776 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Printing\90b444d02047ef27921153d46967ef0e\System.Printing.ni.dll
+ 2011-10-03 19:14 . 2011-10-03 19:14 1070080 c:\windows\assembly\NativeImages_v2.0.50727_32\System.IdentityModel\a50e2fc92db32751857fb8d297f9d7bc\System.IdentityModel.ni.dll
+ 2011-10-03 18:58 . 2011-10-03 18:58 1587200 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\7ed09623172a292eaee51e2e3bcaf784\System.Drawing.ni.dll
+ 2011-10-03 18:59 . 2011-10-03 18:59 1116672 c:\windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\259ecf480769f4e60514b7ae2abaa6f1\System.DirectoryServices.ni.dll
+ 2011-10-03 18:58 . 2011-10-03 18:58 1801216 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Deployment\71cf3eb40fc38e6ac8fba09e872d2878\System.Deployment.ni.dll
+ 2011-10-03 18:59 . 2011-10-03 18:59 6616576 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data\db2d84e279807592a680ef4135e9fe9a\System.Data.ni.dll
+ 2011-10-03 18:58 . 2011-10-03 18:58 2510336 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.SqlXml\0b16305773369cf740c6a2b1f1d785b2\System.Data.SqlXml.ni.dll
+ 2011-10-03 19:16 . 2011-10-03 19:16 1328128 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Services\c1b9b8ce390548dcca661a5e6a908408\System.Data.Services.ni.dll
+ 2011-10-03 18:59 . 2011-10-03 18:59 1115136 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.OracleC#\c729750d54f6e7427230622bcccd4709\System.Data.OracleClient.ni.dll
+ 2011-10-03 19:00 . 2011-10-03 19:00 2516480 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Linq\571af34939797a7c1cd05b0b925a45bf\System.Data.Linq.ni.dll
+ 2011-10-03 19:16 . 2011-10-03 19:16 9924096 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Entity\2b58cc071d6bf0c741e91f86c09de5d7\System.Data.Entity.ni.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 143360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2010-04-17 3872080]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [N/A]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-03 68856]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-06-15 15141768]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 843776]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-10-21 29696]
"OfficeKB"="c:\progra~1\OfficeKB\OfficeKB.EXE" [N/A]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-09-27 13918208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-09-27 86016]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-06-02 267048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"Google Updater"="c:\program files\Google\Google Updater\GoogleUpdater.exe" [2011-06-12 161336]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RealUpgradeHelper"="c:\program files\Common Files\Real\Update_OB\upgrdhlp.exe" [N/A]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10t_ActiveX.exe" [2011-07-09 240288]
.
c:\documents and settings\Maxim\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - c:\program files\OpenOffice.org 2.3\program\quickstart.exe [2007-8-17 393216]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2007-6-23 450560]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\KEM.exe [2007-6-23 581632]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Apprentice\\Appr.exe"=
"c:\\Program Files\\THQ\\Dawn of War - Dark Crusade\\DarkCrusade.exe"=
"c:\\Program Files\\THQ\\Dawn Of War\\W40kWA.exe"=
"c:\\Program Files\\THQ\\Dawn Of War\\W40k.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Documents and Settings\\Maxim\\Desktop\\Max\\Pokemon Game.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.0.8.9506-to-3.0.9.9551-enUS-downloader.exe"=
"c:\\Program Files\\Dawn of War 2\\DOW2.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0-enUS-downloader.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\aliens vs predator\\AvP_CLI.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\transformers war for cybertron\\Binaries\\TWFC.exe"=
"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer_Service.exe"=
"c:\\Program Files\\Armagetron Advanced\\armagetronad.exe"=
"c:\\Program Files\\Sony Online Entertainment\\Installed Games\\DC Universe Online Live\\UNREAL3\\BINARIES\\WIN32\\DCGAME.EXE"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Riot Games\\League of Legends\\lol.launcher.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\dawn of war 2\\DOW2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\dawn of war ii - retribution\\DOW2.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"4000:TCP"= 4000:TCP:diablo
"8375:TCP"= 8375:TCP:League of Legends Launcher
"8375:UDP"= 8375:UDP:League of Legends Launcher
"8376:TCP"= 8376:TCP:League of Legends Launcher
"8376:UDP"= 8376:UDP:League of Legends Launcher
"8377:TCP"= 8377:TCP:League of Legends Launcher
"8377:UDP"= 8377:UDP:League of Legends Launcher
"8378:TCP"= 8378:TCP:League of Legends Launcher
"8378:UDP"= 8378:UDP:League of Legends Launcher
"8379:TCP"= 8379:TCP:League of Legends Launcher
"8379:UDP"= 8379:UDP:League of Legends Launcher
"8380:TCP"= 8380:TCP:League of Legends Launcher
"8380:UDP"= 8380:UDP:League of Legends Launcher
"8381:TCP"= 8381:TCP:League of Legends Launcher
"8381:UDP"= 8381:UDP:League of Legends Launcher
"6881:TCP"= 6881:TCP:League of Legends Launcher
"6881:UDP"= 6881:UDP:League of Legends Launcher
"8382:TCP"= 8382:TCP:League of Legends Launcher
"8382:UDP"= 8382:UDP:League of Legends Launcher
"8383:TCP"= 8383:TCP:League of Legends Launcher
"8383:UDP"= 8383:UDP:League of Legends Launcher
"8393:TCP"= 8393:TCP:League of Legends Lobby
"8393:UDP"= 8393:UDP:League of Legends Lobby
"8390:TCP"= 8390:TCP:League of Legends Game Client
"8390:UDP"= 8390:UDP:League of Legends Game Client
"6929:TCP"= 6929:TCP:League of Legends Launcher
"6929:UDP"= 6929:UDP:League of Legends Launcher
.
R2 USmsServ;Desktop Window Manager Sessions Manager;c:\windows\Desktop Manager\dwm.exe [6/10/2011 12:48 PM 142336]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2/27/2010 11:44 AM 57248]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/9/2009 6:35 PM 297752]
S2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [12/10/2009 3:39 AM 65536]
S3 B-Service;B-Service;c:\documents and settings\Maxim\Application Data\Mikogo\B-Service.exe [9/17/2010 12:13 PM 185640]
S3 bcgame;Nostromo HID Device Minidriver;c:\windows\system32\drivers\bcgame.sys --> c:\windows\system32\drivers\bcgame.sys [?]
S3 McComponentHostService;McAfee Security Scan Component Host Service;"c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe" --> c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/13/2007 12:28 AM 722416]
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-04 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-07-03 14:27]
.
2011-10-02 c:\windows\Tasks\Norton Security Scan for Maxim.job
- c:\progra~1\NORTON~2\Engine\312~1.9\Nss.exe [2011-06-09 08:19]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = localhost
LSP: mswsock.dll
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 192.168.0.1
DPF: Garmin Communicator Plug-In - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\Maxim\Application Data\Mozilla\Firefox\Profiles\pu9jai39.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - prefs.js: network.proxy.type - 0
FF - user.js: yahoo.homepage.dontask - true);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(yahoo.ytff.general.dontshowhpoffer, true);user_pref(network.protocol-handler.warn-external.dnupdate, false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2011-10-04 03:22
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\windows\3029570079:3765267531.exe 816 bytes executable
.
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, [You must be registered and logged in to see this link.]
Windows 5.1.2600 Disk: WDC_WD3200AAKS-00L9A0 rev.01.03E01 -> Harddisk0\DR0 -> \Device\00000032
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8AC40530]<<
_asm { MOV EAX, [ESP+0x4]; MOV ECX, [EAX+0x28]; PUSH EBP; MOV EBP, [ECX+0x4]; PUSH ESI; MOV ESI, [ESP+0x10]; PUSH EDI; MOV EDI, [ESI+0x60]; MOV AL, [EDI]; CMP AL, 0x16; JNZ 0x36; PUSH ESI; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8AE0BAB8]
3 CLASSPNP[0xB80E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A8E6130]
\Driver\00001079[0x8AC9D0F0] -> IRP_MJ_CREATE -> 0x8AC40530
error: Read The request is not supported.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\0000006a -> \??\IDE#DiskWDC_WD3200AAKS-00L9A0___________________01.03E01#2020202057202D44435756414332353631363737#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user & kernel MBR OK
copy of MBR has been found in sector 625137345
Warning: possible TDL3 rootkit infection !
.
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\windows\3029570079:3765267531.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Logitech\SetPoint\KHALMNPR.EXE
c:\program files\OpenOffice.org 2.3\program\soffice.exe
c:\program files\OpenOffice.org 2.3\program\soffice.BIN
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-10-04 03:28:05 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-04 07:28
ComboFix2.txt 2011-10-03 18:54
ComboFix3.txt 2011-10-01 18:28
ComboFix4.txt 2011-01-14 22:14
ComboFix5.txt 2011-10-04 07:05
.
Pre-Run: 126,993,297,408 bytes free
Post-Run: 127,007,719,424 bytes free
.
- - End Of File - - 05A5B15368A879FA54AEE24327FFE68B

Uthanak

Rookie Surfer

Posts : 66
Joined : 2009-08-10
Operating System : windows xp

Re: Need to get rid of rootkit.

Post by Gabethebabe on Sun 04 Sep 2011, 1:56 am

You forgot to run aswMBR

====================

  • Download TDSSKiller by Kaspersky from here and save it to your desktop
  • Double-click TDSSKiller.exe to run the tool
  • Click the Start Scan button
  • After the scan has finished, click the Close button
  • Click the Report button and copy/paste the contents of it into your next reply
  • The report can also be found in the root of your Windows drive (most likely C:\).


====================

  • Please create a new text file in Notepad with the following contents:
    Code:
    KILLALL::
    Folder::
    c:\windows\3029570079

    ADS::
    c:\windows\3029570079:3765267531.exe

    Renv::
    c:\program files\OfficeKB\OfficeKB .exe
    c:\program files\QuickTime\qttask  .exe
  • Save that file as CFScript.txt on your desktop
  • Drag and drop the CFScript.txt onto the ComboFix icon, as shown in the animation below.

  • If done correctly, ComboFix will start and perform specific instructions
  • In doing so, ComboFix may request a reboot
  • Please post the contents of Combofix.txt in your next reply

Gabethebabe

Tech Advisor

Posts : 1568
Joined : 2010-03-07
Operating System : WIN7 64bit, Ubuntu 12.04 LTS

Re: Need to get rid of rootkit.

Post by Uthanak on Sun 04 Sep 2011, 2:11 am

aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-10-04 03:47:30
-----------------------------
03:47:30.125 OS Version: Windows 5.1.2600 Service Pack 3
03:47:30.125 Number of processors: 2 586 0x4B02
03:47:30.125 ComputerName: MAXIM-9C1E76C15 UserName: Maxim
03:47:30.515 Initialize success
03:49:18.109 AVAST engine defs: 11090201
03:50:11.265 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000032
03:50:11.265 Disk 0 Vendor: WDC_WD3200AAKS-00L9A0 01.03E01 Size: 305245MB BusType: 3
03:50:11.265 Device \Device\0000006a -> \??\IDE#DiskWDC_WD3200AAKS-00L9A0___________________01.03E01#2020202057202D44435756414332353631363737#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found
03:50:11.265 Disk 0 MBR read error 0
03:50:11.265 Disk 0 MBR scan
03:50:11.296 Disk 0 unknown MBR code
03:50:11.296 MBR BIOS signature not found 0
03:50:11.296 Disk 0 scanning sectors +625137345
03:50:11.312 Disk 0 scanning C:\WINDOWS\system32\drivers
03:50:17.453 File: C:\WINDOWS\system32\drivers\imapi.sys **INFECTED** Win32:Alureon-AJI [Rtk]
03:50:21.843 Service scanning
03:50:22.625 Modules scanning
03:50:23.171 Module: C:\WINDOWS\system32\DRIVERS\imapi.sys **SUSPICIOUS**
03:50:25.453 Disk 0 trace - called modules:
03:50:25.453 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8ac40530]<<
03:50:25.453 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8ae0bab8]
03:50:25.453 3 CLASSPNP.SYS[b80e8fd7] -> nt!IofCallDriver -> [0x8a8e6130]
03:50:25.453 \Driver\00001079[0x8ac9d0f0] -> IRP_MJ_CREATE -> 0x8ac40530
03:50:26.140 AVAST engine scan C:\WINDOWS
03:50:27.906 File: C:\WINDOWS\3029570079:3765267531.exe **INFECTED** Win32:Tiny-AMB [Rtk]
03:50:42.468 AVAST engine scan C:\WINDOWS\system32
03:52:16.796 AVAST engine scan C:\WINDOWS\system32\drivers
03:52:23.515 File: C:\WINDOWS\system32\drivers\imapi.sys **INFECTED** Win32:Alureon-AJI [Rtk]
03:52:32.390 AVAST engine scan C:\Documents and Settings\Maxim
03:55:19.437 File: C:\Documents and Settings\Maxim\Application Data\Sun\Java\Deployment\cache\6.0\2\7a23e0c2-4e72f5bd **INFECTED** Win32:FakeAV-CFZ [Trj]
04:14:54.656 File: C:\Documents and Settings\Maxim\Desktop\RK_Quarantine\dwm.exe.vir **INFECTED** Win32:Malware-gen
04:19:54.859 AVAST engine scan C:\Documents and Settings\All Users
04:21:34.656 Scan finished successfully
11:03:33.312 Disk 0 MBR fix error
11:04:52.328 Disk 0 MBR fix error
11:05:00.390 Disk 0 MBR has been saved successfully to "E:\MBR.dat"
11:05:00.468 The log file has been saved successfully to "E:\aswMBR.txt"

When I hit the fixmbr button, it said "0 error mbr fix" or something like that. I also did not forget to run it; I have to sleep sometimes too, bro.

Uthanak

Rookie Surfer

Posts : 66
Joined : 2009-08-10
Operating System : windows xp

Re: Need to get rid of rootkit.

Post by Uthanak on Mon 05 Sep 2011, 11:11 am

2011/10/05 20:10:47.0265 0340 TDSS rootkit removing tool 2.5.17.0 Aug 22 2011 15:46:57
2011/10/05 20:10:47.0593 0340 ================================================================================
2011/10/05 20:10:47.0593 0340 SystemInfo:
2011/10/05 20:10:47.0593 0340
2011/10/05 20:10:47.0593 0340 OS Version: 5.1.2600 ServicePack: 3.0
2011/10/05 20:10:47.0593 0340 Product type: Workstation
2011/10/05 20:10:47.0593 0340 ComputerName: MAXIM-9C1E76C15
2011/10/05 20:10:47.0593 0340 UserName: Maxim
2011/10/05 20:10:47.0593 0340 Windows directory: C:\WINDOWS
2011/10/05 20:10:47.0593 0340 System windows directory: C:\WINDOWS
2011/10/05 20:10:47.0593 0340 Processor architecture: Intel x86
2011/10/05 20:10:47.0593 0340 Number of processors: 2
2011/10/05 20:10:47.0593 0340 Page size: 0x1000
2011/10/05 20:10:47.0593 0340 Boot type: Normal boot
2011/10/05 20:10:47.0593 0340 ================================================================================
2011/10/05 20:10:47.0625 0340 Initialize success
2011/10/05 20:11:01.0453 0360 ================================================================================
2011/10/05 20:11:01.0453 0360 Scan started
2011/10/05 20:11:01.0453 0360 Mode: Manual;
2011/10/05 20:11:01.0453 0360 ================================================================================
2011/10/05 20:11:01.0625 0360 1f9293b4 (8f2bb1827cac01aee6a16e30a1260199) C:\WINDOWS\3029570079:3765267531.exe
2011/10/05 20:11:01.0640 0360 Suspicious file (Hidden): C:\WINDOWS\3029570079:3765267531.exe. md5: 8f2bb1827cac01aee6a16e30a1260199
2011/10/05 20:11:01.0640 0360 1f9293b4 - detected HiddenFile.Multi.Generic (1)
2011/10/05 20:11:01.0703 0360 30157851 (1f523493bd016d1dfff59fd0f40f8c43) C:\WINDOWS\system32\drivers\19400847.sys
2011/10/05 20:11:03.0234 0360 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\drivers\tsk2D.tmp
2011/10/05 20:11:03.0234 0360 Suspicious file (NoAccess): C:\WINDOWS\system32\drivers\tsk2D.tmp. md5: 083a052659f5310dd8b6a6cb05edcf8e
2011/10/05 20:11:05.0468 0360 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/10/05 20:11:05.0515 0360 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/10/05 20:11:05.0593 0360 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/10/05 20:11:05.0640 0360 sptd (a80cd850d69d996c832bea37e3a6aa1e) C:\WINDOWS\system32\Drivers\sptd.sys
2011/10/05 20:11:05.0656 0360 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/10/05 20:11:05.0703 0360 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/10/05 20:11:05.0734 0360 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/10/05 20:11:05.0734 0360 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/10/05 20:11:05.0812 0360 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/10/05 20:11:05.0828 0360 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/10/05 20:11:05.0859 0360 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/10/05 20:11:05.0890 0360 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/10/05 20:11:05.0890 0360 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/10/05 20:11:05.0968 0360 tmcomm (df8444a8fa8fd38d8848bdd40a8403b3) C:\WINDOWS\system32\drivers\tmcomm.sys
2011/10/05 20:11:06.0000 0360 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/10/05 20:11:06.0062 0360 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/10/05 20:11:06.0093 0360 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/10/05 20:11:06.0093 0360 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/10/05 20:11:06.0109 0360 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/10/05 20:11:06.0125 0360 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
2011/10/05 20:11:06.0156 0360 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/10/05 20:11:06.0187 0360 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/10/05 20:11:06.0203 0360 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/10/05 20:11:06.0250 0360 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/10/05 20:11:06.0265 0360 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/10/05 20:11:06.0296 0360 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/10/05 20:11:06.0375 0360 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
2011/10/05 20:11:06.0421 0360 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/10/05 20:11:06.0421 0360 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/10/05 20:11:06.0468 0360 MBR (0x1B8) (2839639fa37b8353e792a2a30a12ced3) \Device\Harddisk0\DR0
2011/10/05 20:11:06.0468 0360 \Device\Harddisk0\DR0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/10/05 20:11:06.0468 0360 Boot (0x1200) (a1f9dcc0fd9defc49250b0a65e3a23b9) \Device\Harddisk0\DR0\Partition0
2011/10/05 20:11:06.0468 0360 ================================================================================
2011/10/05 20:11:06.0468 0360 Scan finished
2011/10/05 20:11:06.0468 0360 ================================================================================
2011/10/05 20:11:06.0484 3216 Detected object count: 2
2011/10/05 20:11:06.0484 3216 Actual detected object count: 2
2011/10/05 20:11:14.0093 3216 HiddenFile.Multi.Generic(1f9293b4) - User select action: Skip
2011/10/05 20:11:14.0125 3216 \Device\Harddisk0\DR0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/10/05 20:11:14.0140 3216 \Device\Harddisk0\DR0 - ok
2011/10/05 20:11:14.0140 3216 Rootkit.Win32.TDSS.tdl4(\Device\Harddisk0\DR0) - User select action: Cure

Uthanak

Rookie Surfer

Posts : 66
Joined : 2009-08-10
Operating System : windows xp

Re: Need to get rid of rootkit.

Post by Uthanak on Mon 05 Sep 2011, 11:47 am

ComboFix 11-09-04.03 - Maxim 10/05/2011 20:30:31.12.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3326.2967 [GMT -4:00]
Running from: c:\documents and settings\Maxim\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Maxim\Desktop\CFScript.txt
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Maxim\Local Settings\Application Data\ApplicationHistory
c:\documents and settings\Maxim\Local Settings\Application Data\ApplicationHistory\ngen.exe.2c05686e.ini
c:\documents and settings\Maxim\Local Settings\Application Data\ApplicationHistory\WarcraftIIIAutoRefresh - wc3edit.net edition.exe.58328361.ini
c:\windows\$NtUninstallKB29657$\529699764\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}
c:\windows\$NtUninstallKB29657$\529699764\L\dtxmbwwl
c:\windows\$NtUninstallKB29657$\529699764\loader.tlb
c:\windows\$NtUninstallKB29657$\529699764\U\$00000001
c:\windows\$NtUninstallKB29657$\529699764\U\$000000cf
c:\windows\$NtUninstallKB29657$\529699764\U\@000000c0
c:\windows\$NtUninstallKB29657$\529699764\U\@000000cb
c:\windows\$NtUninstallKB29657$\529699764\U\@000000cf
c:\windows\$NtUninstallKB29657$\529699764\U\@80000000
c:\windows\$NtUninstallKB29657$\529699764\U\@800000c0
c:\windows\$NtUninstallKB29657$\529699764\U\@800000cb
c:\windows\$NtUninstallKB29657$\529699764\U\@800000cf
c:\windows\$NtUninstallKB29657$\882484073
c:\windows\assembly\GAC_MSIL\desktop.ini
c:\windows\$NtUninstallKB29657$ . . . . Failed to delete
.
Infected copy of c:\windows\system32\wuauclt.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\wuauclt.exe
.
Infected copy of c:\program files\iPod\bin\iPodService.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP488\A0083975.exe
.
Infected copy of c:\program files\Java\jre6\bin\jqs.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP488\A0083978.exe
.
Infected copy of c:\windows\system32\nvsvc32.exe was found and disinfected
Restored copy from - c:\windows\system32\ReinstallBackups\0011\DriverFiles\nvsvc32.exe
.
Infected copy of c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP488\A0083977.exe
.
Infected copy of c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE was found and disinfected
Restored copy from - c:\system volume information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP488\A0083976.EXE
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_1f9293b4
.
.
((((((((((((((((((((((((( Files Created from 2011-09-06 to 2011-10-06 )))))))))))))))))))))))))))))))
.
.
2011-10-06 00:13 . 2011-10-06 00:13 50112 --sha-w- c:\windows\system32\c_03823.nl_
2011-10-04 07:00 . 2011-10-04 07:00 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Microsoft Help
2011-10-04 05:37 . 2011-10-04 05:37 -------- d-----w- c:\documents and settings\Maxim\Local Settings\Application Data\PCHealth
2011-10-03 18:58 . 2011-10-03 18:58 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2011-10-03 06:21 . 2011-10-03 06:25 -------- d-----w- C:\Commy
2011-10-03 06:19 . 2011-10-03 06:19 -------- d-----w- C:\ARK
2011-10-02 04:38 . 2011-10-02 04:38 4194304 ----a-w- c:\windows\system32\dtxmbwwl.dll
2011-10-01 17:25 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-10-01 17:25 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2011-10-01 17:23 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-06 00:13 . 2006-02-28 12:00 42112 ----a-w- c:\windows\system32\drivers\imapi.sys
2011-10-04 07:01 . 2009-08-14 21:09 112640 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VCExpress\9.0\1033\ResourceCache.dll
2011-10-04 07:00 . 2009-08-14 21:09 416 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\MSDN\9.0\1033\ResourceCache.dll
2011-08-28 01:16 . 2011-05-14 05:48 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-15 13:29 . 2006-02-28 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2006-02-28 12:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2011-10-03 18:59 . 2011-05-08 01:44 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot_2011-10-04_07.23.06 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-10-06 00:42 . 2011-10-06 00:42 16384 c:\windows\temp\Perflib_Perfdata_6b4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 143360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2010-04-17 3872080]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [BU]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-03 68856]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-06-15 15141768]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 843776]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-10-21 29696]
"OfficeKB"="c:\progra~1\OfficeKB\OfficeKB.EXE" [2004-10-22 200704]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-09-27 13918208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-09-27 86016]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-06-02 267048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"Google Updater"="c:\program files\Google\Google Updater\GoogleUpdater.exe" [2011-06-12 161336]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10t_ActiveX.exe" [2011-07-09 240288]
.
c:\documents and settings\Maxim\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - c:\program files\OpenOffice.org 2.3\program\quickstart.exe [2007-8-17 393216]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2007-6-23 450560]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\KEM.exe [2007-6-23 581632]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Apprentice\\Appr.exe"=
"c:\\Program Files\\THQ\\Dawn of War - Dark Crusade\\DarkCrusade.exe"=
"c:\\Program Files\\THQ\\Dawn Of War\\W40kWA.exe"=
"c:\\Program Files\\THQ\\Dawn Of War\\W40k.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Documents and Settings\\Maxim\\Desktop\\Max\\Pokemon Game.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.0.8.9506-to-3.0.9.9551-enUS-downloader.exe"=
"c:\\Program Files\\Dawn of War 2\\DOW2.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0-enUS-downloader.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\aliens vs predator\\AvP_CLI.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\transformers war for cybertron\\Binaries\\TWFC.exe"=
"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer_Service.exe"=
"c:\\Program Files\\Armagetron Advanced\\armagetronad.exe"=
"c:\\Program Files\\Sony Online Entertainment\\Installed Games\\DC Universe Online Live\\UNREAL3\\BINARIES\\WIN32\\DCGAME.EXE"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Riot Games\\League of Legends\\lol.launcher.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\dawn of war 2\\DOW2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\dawn of war ii - retribution\\DOW2.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"4000:TCP"= 4000:TCP:diablo
"8375:TCP"= 8375:TCP:League of Legends Launcher
"8375:UDP"= 8375:UDP:League of Legends Launcher
"8376:TCP"= 8376:TCP:League of Legends Launcher
"8376:UDP"= 8376:UDP:League of Legends Launcher
"8377:TCP"= 8377:TCP:League of Legends Launcher
"8377:UDP"= 8377:UDP:League of Legends Launcher
"8378:TCP"= 8378:TCP:League of Legends Launcher
"8378:UDP"= 8378:UDP:League of Legends Launcher
"8379:TCP"= 8379:TCP:League of Legends Launcher
"8379:UDP"= 8379:UDP:League of Legends Launcher
"8380:TCP"= 8380:TCP:League of Legends Launcher
"8380:UDP"= 8380:UDP:League of Legends Launcher
"8381:TCP"= 8381:TCP:League of Legends Launcher
"8381:UDP"= 8381:UDP:League of Legends Launcher
"6881:TCP"= 6881:TCP:League of Legends Launcher
"6881:UDP"= 6881:UDP:League of Legends Launcher
"8382:TCP"= 8382:TCP:League of Legends Launcher
"8382:UDP"= 8382:UDP:League of Legends Launcher
"8383:TCP"= 8383:TCP:League of Legends Launcher
"8383:UDP"= 8383:UDP:League of Legends Launcher
"8393:TCP"= 8393:TCP:League of Legends Lobby
"8393:UDP"= 8393:UDP:League of Legends Lobby
"8390:TCP"= 8390:TCP:League of Legends Game Client
"8390:UDP"= 8390:UDP:League of Legends Game Client
"6929:TCP"= 6929:TCP:League of Legends Launcher
"6929:UDP"= 6929:UDP:League of Legends Launcher
.
R2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [12/10/2009 3:39 AM 65536]
R2 USmsServ;Desktop Window Manager Sessions Manager;c:\windows\Desktop Manager\dwm.exe [6/10/2011 12:48 PM 142336]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2/27/2010 11:44 AM 57248]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/9/2009 6:35 PM 297752]
S3 B-Service;B-Service;c:\documents and settings\Maxim\Application Data\Mikogo\B-Service.exe [9/17/2010 12:13 PM 185640]
S3 bcgame;Nostromo HID Device Minidriver;c:\windows\system32\drivers\bcgame.sys --> c:\windows\system32\drivers\bcgame.sys [?]
S3 McComponentHostService;McAfee Security Scan Component Host Service;"c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe" --> c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/13/2007 12:28 AM 722416]
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-06 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-07-03 14:27]
.
2011-10-05 c:\windows\Tasks\Norton Security Scan for Maxim.job
- c:\progra~1\NORTON~2\Engine\312~1.9\Nss.exe [2011-06-09 08:19]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = localhost
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 192.168.0.1
DPF: Garmin Communicator Plug-In - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\Maxim\Application Data\Mozilla\Firefox\Profiles\pu9jai39.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - prefs.js: network.proxy.type - 0
FF - user.js: yahoo.homepage.dontask - true);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(yahoo.ytff.general.dontshowhpoffer, true);user_pref(network.protocol-handler.warn-external.dnupdate, false
.
- - - - ORPHANS REMOVED - - - -
.
HKU-Default-RunOnce-RealUpgradeHelper - c:\program files\Common Files\Real\Update_OB\upgrdhlp.exe
SafeBoot-30157851.sys
AddRemove-Malwarebytes' Anti-Malware_is1 - e:\malwarebytes' anti-malware\unins000.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2011-10-05 20:42
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(152)
c:\windows\system32\WININET.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\OpenOffice.org 2.3\program\soffice.exe
c:\program files\Logitech\SetPoint\KHALMNPR.EXE
c:\program files\OpenOffice.org 2.3\program\soffice.BIN
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-10-05 20:46:51 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-06 00:46
ComboFix2.txt 2011-10-04 07:28
ComboFix3.txt 2011-10-03 18:54
ComboFix4.txt 2011-10-01 18:28
ComboFix5.txt 2011-10-06 00:19
.
Pre-Run: 126,653,403,136 bytes free
Post-Run: 126,898,094,080 bytes free
.
- - End Of File - - 92BE69B423E8D104A74FD0BB4CA2B0DB

Uthanak

Rookie Surfer

Posts : 66
Joined : 2009-08-10
Operating System : windows xp

Re: Need to get rid of rootkit.

Post by Gabethebabe on Mon 05 Sep 2011, 5:23 pm

Hooohoooohooooo

  • Please create a new text file in Notepad with the following contents:
    Code:
    KILLALL::
    File::
    C:\WINDOWS\system32\drivers\tsk2D.tmp
    c:\windows\system32\dtxmbwwl.dll

    Folder::
    C:\WINDOWS\3029570079

    Driver::
    tsk2D
  • Save that file as CFScript.txt on your desktop
  • Drag and drop the CFScript.txt onto the ComboFix icon, as shown in the animation below.

  • If done correctly, ComboFix will start and perform specific instructions
  • In doing so, ComboFix may request a reboot
  • Please post the contents of Combofix.txt in your next reply

====================

  • Double click aswMBR.exe to run the tool
  • Click the Scan button to start the scan
  • Once the scan finishes click Save log to save the log to your desktop
  • Copy and paste the contents of this log (aswMBR.txt) into your next reply.


====================

Please open Malwarebytes' Anti-Malware, click the Update tab and click Check for Updates. Then, click the Scanner tab, select Perform Quick Scan and click Scan. Please post the resulting log in your next reply.

Gabethebabe

Tech Advisor

Posts : 1568
Joined : 2010-03-07
Operating System : WIN7 64bit, Ubuntu 12.04 LTS

Re: Need to get rid of rootkit.

Post by Uthanak on Tue 06 Sep 2011, 3:59 am

ComboFix 11-09-04.03 - Maxim 10/06/2011 4:28.13.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3326.2708 [GMT -4:00]
Running from: c:\documents and settings\Maxim\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Maxim\Desktop\CFScript.txt
.
FILE ::
"c:\windows\system32\drivers\tsk2D.tmp"
"c:\windows\system32\dtxmbwwl.dll"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\dtxmbwwl.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-09-06 to 2011-10-06 )))))))))))))))))))))))))))))))
.
.
2011-10-06 00:13 . 2011-10-06 00:13 50112 --sha-w- c:\windows\system32\c_03823.nl_
2011-10-04 07:00 . 2011-10-04 07:00 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Microsoft Help
2011-10-04 05:37 . 2011-10-04 05:37 -------- d-----w- c:\documents and settings\Maxim\Local Settings\Application Data\PCHealth
2011-10-03 18:58 . 2011-10-03 18:58 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2011-10-03 06:21 . 2011-10-03 06:25 -------- d-----w- C:\Commy
2011-10-03 06:19 . 2011-10-03 06:19 -------- d-----w- C:\ARK
2011-10-01 17:25 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-10-01 17:25 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2011-10-01 17:23 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-06 00:13 . 2006-02-28 12:00 42112 ----a-w- c:\windows\system32\drivers\imapi.sys
2011-10-04 07:01 . 2009-08-14 21:09 112640 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VCExpress\9.0\1033\ResourceCache.dll
2011-10-04 07:00 . 2009-08-14 21:09 416 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\MSDN\9.0\1033\ResourceCache.dll
2011-08-28 01:16 . 2011-05-14 05:48 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-15 13:29 . 2006-02-28 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2011-10-03 18:59 . 2011-05-08 01:44 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot_2011-10-04_07.23.06 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-10-06 08:37 . 2011-10-06 08:37 16384 c:\windows\temp\Perflib_Perfdata_63c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 143360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2010-04-17 3872080]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [BU]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-03 68856]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-06-15 15141768]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 843776]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-10-21 29696]
"OfficeKB"="c:\progra~1\OfficeKB\OfficeKB.EXE" [2004-10-22 200704]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-09-27 13918208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-09-27 86016]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-06-02 267048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"Google Updater"="c:\program files\Google\Google Updater\GoogleUpdater.exe" [2011-06-12 161336]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10t_ActiveX.exe" [2011-07-09 240288]
.
c:\documents and settings\Maxim\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - c:\program files\OpenOffice.org 2.3\program\quickstart.exe [2007-8-17 393216]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2007-6-23 450560]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\KEM.exe [2007-6-23 581632]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Apprentice\\Appr.exe"=
"c:\\Program Files\\THQ\\Dawn of War - Dark Crusade\\DarkCrusade.exe"=
"c:\\Program Files\\THQ\\Dawn Of War\\W40kWA.exe"=
"c:\\Program Files\\THQ\\Dawn Of War\\W40k.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Documents and Settings\\Maxim\\Desktop\\Max\\Pokemon Game.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.0.8.9506-to-3.0.9.9551-enUS-downloader.exe"=
"c:\\Program Files\\Dawn of War 2\\DOW2.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0-enUS-downloader.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\aliens vs predator\\AvP_CLI.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\transformers war for cybertron\\Binaries\\TWFC.exe"=
"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer_Service.exe"=
"c:\\Program Files\\Armagetron Advanced\\armagetronad.exe"=
"c:\\Program Files\\Sony Online Entertainment\\Installed Games\\DC Universe Online Live\\UNREAL3\\BINARIES\\WIN32\\DCGAME.EXE"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Riot Games\\League of Legends\\lol.launcher.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\dawn of war 2\\DOW2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\dawn of war ii - retribution\\DOW2.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"4000:TCP"= 4000:TCP:diablo
"8375:TCP"= 8375:TCP:League of Legends Launcher
"8375:UDP"= 8375:UDP:League of Legends Launcher
"8376:TCP"= 8376:TCP:League of Legends Launcher
"8376:UDP"= 8376:UDP:League of Legends Launcher
"8377:TCP"= 8377:TCP:League of Legends Launcher
"8377:UDP"= 8377:UDP:League of Legends Launcher
"8378:TCP"= 8378:TCP:League of Legends Launcher
"8378:UDP"= 8378:UDP:League of Legends Launcher
"8379:TCP"= 8379:TCP:League of Legends Launcher
"8379:UDP"= 8379:UDP:League of Legends Launcher
"8380:TCP"= 8380:TCP:League of Legends Launcher
"8380:UDP"= 8380:UDP:League of Legends Launcher
"8381:TCP"= 8381:TCP:League of Legends Launcher
"8381:UDP"= 8381:UDP:League of Legends Launcher
"6881:TCP"= 6881:TCP:League of Legends Launcher
"6881:UDP"= 6881:UDP:League of Legends Launcher
"8382:TCP"= 8382:TCP:League of Legends Launcher
"8382:UDP"= 8382:UDP:League of Legends Launcher
"8383:TCP"= 8383:TCP:League of Legends Launcher
"8383:UDP"= 8383:UDP:League of Legends Launcher
"8393:TCP"= 8393:TCP:League of Legends Lobby
"8393:UDP"= 8393:UDP:League of Legends Lobby
"8390:TCP"= 8390:TCP:League of Legends Game Client
"8390:UDP"= 8390:UDP:League of Legends Game Client
"6929:TCP"= 6929:TCP:League of Legends Launcher
"6929:UDP"= 6929:UDP:League of Legends Launcher
.
R2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [12/10/2009 3:39 AM 65536]
R2 USmsServ;Desktop Window Manager Sessions Manager;c:\windows\Desktop Manager\dwm.exe [6/10/2011 12:48 PM 142336]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2/27/2010 11:44 AM 57248]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/9/2009 6:35 PM 297752]
S3 B-Service;B-Service;c:\documents and settings\Maxim\Application Data\Mikogo\B-Service.exe [9/17/2010 12:13 PM 185640]
S3 bcgame;Nostromo HID Device Minidriver;c:\windows\system32\drivers\bcgame.sys --> c:\windows\system32\drivers\bcgame.sys [?]
S3 McComponentHostService;McAfee Security Scan Component Host Service;"c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe" --> c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/13/2007 12:28 AM 722416]
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-06 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-07-03 14:27]
.
2011-10-05 c:\windows\Tasks\Norton Security Scan for Maxim.job
- c:\progra~1\NORTON~2\Engine\312~1.9\Nss.exe [2011-06-09 08:19]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = localhost
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 192.168.0.1
DPF: Garmin Communicator Plug-In - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\Maxim\Application Data\Mozilla\Firefox\Profiles\pu9jai39.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - prefs.js: network.proxy.type - 0
FF - user.js: yahoo.homepage.dontask - true);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(yahoo.ytff.general.dontshowhpoffer, true);user_pref(network.protocol-handler.warn-external.dnupdate, false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2011-10-06 12:39
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2264)
c:\windows\system32\WININET.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\OpenOffice.org 2.3\program\soffice.exe
c:\program files\Logitech\SetPoint\KHALMNPR.EXE
c:\program files\OpenOffice.org 2.3\program\soffice.BIN
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-10-06 12:42:55 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-06 16:42
ComboFix2.txt 2011-10-06 00:46
ComboFix3.txt 2011-10-04 07:28
ComboFix4.txt 2011-10-03 18:54
ComboFix5.txt 2011-10-06 08:27
.
Pre-Run: 126,796,382,208 bytes free
Post-Run: 126,806,532,096 bytes free
.
- - End Of File - - 3DB6B26295D2E668CE338BD30F3C56CF

Uthanak

Rookie Surfer

Posts : 66
Joined : 2009-08-10
Operating System : windows xp

Re: Need to get rid of rootkit.

Post by Uthanak on Tue 06 Sep 2011, 4:35 am

aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-10-06 13:01:44
-----------------------------
13:01:44.734 OS Version: Windows 5.1.2600 Service Pack 3
13:01:44.734 Number of processors: 2 586 0x4B02
13:01:44.734 ComputerName: MAXIM-9C1E76C15 UserName: Maxim
13:01:45.234 Initialize success
13:02:41.390 AVAST engine defs: 11090500
13:02:58.500 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000069
13:02:58.500 Disk 0 Vendor: WDC_WD3200AAKS-00L9A0 01.03E01 Size: 305245MB BusType: 3
13:03:00.500 Disk 0 MBR read successfully
13:03:00.500 Disk 0 MBR scan
13:03:00.531 Disk 0 Windows XP default MBR code
13:03:00.531 Disk 0 scanning sectors +625137345
13:03:00.562 Disk 0 malicious Win32:MBRoot code @ sector 625137348 !
13:03:00.562 Disk 0 PE file @ sector 625137370 !
13:03:00.593 Disk 0 scanning C:\WINDOWS\system32\drivers
13:03:06.531 File: C:\WINDOWS\system32\drivers\redbook.sys **INFECTED** Win32:Alureon-AJI [Rtk]
13:03:08.656 Service scanning
13:03:09.453 Modules scanning
13:03:13.140 Disk 0 trace - called modules:
13:03:13.171 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll nvata.sys
13:03:13.171 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8adc6ab8]
13:03:13.171 3 CLASSPNP.SYS[b80e8fd7] -> nt!IofCallDriver -> \Device\0000006a[0x8ae11f18]
13:03:13.171 5 ACPI.sys[b7f7f620] -> nt!IofCallDriver -> \Device\00000069[0x8adc6030]
13:03:14.046 AVAST engine scan C:\WINDOWS
13:03:53.093 AVAST engine scan C:\WINDOWS\system32
13:05:32.937 AVAST engine scan C:\WINDOWS\system32\drivers
13:05:39.125 File: C:\WINDOWS\system32\drivers\redbook.sys **INFECTED** Win32:Alureon-AJI [Rtk]
13:05:44.953 AVAST engine scan C:\Documents and Settings\Maxim
13:08:31.781 File: C:\Documents and Settings\Maxim\Application Data\Sun\Java\Deployment\cache\6.0\2\7a23e0c2-4e72f5bd **INFECTED** Win32:FakeAV-CFZ [Trj]
13:28:07.828 File: C:\Documents and Settings\Maxim\Desktop\RK_Quarantine\dwm.exe.vir **INFECTED** Win32:Malware-gen
13:32:58.375 AVAST engine scan C:\Documents and Settings\All Users
13:34:39.437 Scan finished successfully
13:35:42.796 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Maxim\Desktop\MBR.dat"
13:35:42.796 The log file has been saved successfully to "C:\Documents and Settings\Maxim\Desktop\aswMBR.txt"



Uthanak

Rookie Surfer

Posts : 66
Joined : 2009-08-10
Operating System : windows xp

Re: Need to get rid of rootkit.

Post by Gabethebabe on Tue 06 Sep 2011, 7:18 am

Still not clean, but we're getting close.

  • Please create a new text file in Notepad with the following contents:
    Code:
    KILLALL::
    File::
    C:\Documents and Settings\Maxim\Desktop\RK_Quarantine\dwm.exe.vir

    TDL::
    C:\WINDOWS\system32\drivers\redbook.sys
  • Save that file as CFScript.txt on your desktop
  • Drag and drop the CFScript.txt onto the ComboFix icon, as shown in the animation below.

  • If done correctly, ComboFix will start and perform specific instructions
  • In doing so, ComboFix may request a reboot
  • Please post the contents of Combofix.txt in your next reply

====================

You need to install the latest version of Java. Having the latest version is important to take advantage of fixes that have eliminated security vulnerabilities.
  • Go to Start > Control Panel
  • Double-click on Add or Remove Programs
  • Look for entries that say Java, Java RunTime Environment or J2SE.
  • Uninstall all of them that are not named Java (TM) 6 Update 27

After doing this, you can go to java.com, click on Free Java Download and proceed from there to install the latest version of Java (currently Version 6 Update 27).

After installing Java, go to Start > Control Panel > Java to open the Java Control Panel.
Under the General tab, Temporary Internet Files click Settings, then click Delete Files.
Select both options and click OK to delete the Java cache.

====================

Please open Malwarebytes' Anti-Malware, click the Update tab and click Check for Updates. Then, click the Scanner tab, select Perform Quick Scan and click Scan. Please post the resulting log in your next reply.

Gabethebabe

Tech Advisor

Posts : 1568
Joined : 2010-03-07
Operating System : WIN7 64bit, Ubuntu 12.04 LTS

Re: Need to get rid of rootkit.

Post by Uthanak on Tue 06 Sep 2011, 7:20 pm

ComboFix 11-09-06.01 - Maxim 10/07/2011 3:58.14.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3326.2521 [GMT -4:00]
Running from: c:\documents and settings\Maxim\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Maxim\Desktop\CFScript.txt
.
FILE ::
"c:\documents and settings\Maxim\Desktop\RK_Quarantine\dwm.exe.vir"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Maxim\Desktop\RK_Quarantine\dwm.exe.vir
.
.
((((((((((((((((((((((((( Files Created from 2011-09-07 to 2011-10-07 )))))))))))))))))))))))))))))))
.
.
2011-10-06 00:13 . 2011-10-06 00:13 50112 --sha-w- c:\windows\system32\c_03823.nl_
2011-10-04 07:00 . 2011-10-04 07:00 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Microsoft Help
2011-10-04 05:37 . 2011-10-04 05:37 -------- d-----w- c:\documents and settings\Maxim\Local Settings\Application Data\PCHealth
2011-10-03 18:58 . 2011-10-03 18:58 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2011-10-03 06:21 . 2011-10-03 06:25 -------- d-----w- C:\Commy
2011-10-03 06:19 . 2011-10-03 06:19 -------- d-----w- C:\ARK
2011-10-01 17:25 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-10-01 17:25 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2011-10-01 17:23 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-06 00:13 . 2006-02-28 12:00 42112 ----a-w- c:\windows\system32\drivers\imapi.sys
2011-10-04 07:01 . 2009-08-14 21:09 112640 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VCExpress\9.0\1033\ResourceCache.dll
2011-10-04 07:00 . 2009-08-14 21:09 416 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\MSDN\9.0\1033\ResourceCache.dll
2011-08-28 01:16 . 2011-05-14 05:48 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-15 13:29 . 2006-02-28 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2011-10-03 18:59 . 2011-05-08 01:44 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot_2011-10-04_07.23.06 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-10-07 08:05 . 2011-10-07 08:05 16384 c:\windows\temp\Perflib_Perfdata_638.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 143360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2010-04-17 3872080]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [BU]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-03 68856]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-06-15 15141768]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 843776]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-10-21 29696]
"OfficeKB"="c:\progra~1\OfficeKB\OfficeKB.EXE" [2004-10-22 200704]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-09-27 13918208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-09-27 86016]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-06-02 267048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"Google Updater"="c:\program files\Google\Google Updater\GoogleUpdater.exe" [2011-06-12 161336]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10t_ActiveX.exe" [2011-07-09 240288]
.
c:\documents and settings\Maxim\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - c:\program files\OpenOffice.org 2.3\program\quickstart.exe [2007-8-17 393216]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2007-6-23 450560]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\KEM.exe [2007-6-23 581632]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Apprentice\\Appr.exe"=
"c:\\Program Files\\THQ\\Dawn of War - Dark Crusade\\DarkCrusade.exe"=
"c:\\Program Files\\THQ\\Dawn Of War\\W40kWA.exe"=
"c:\\Program Files\\THQ\\Dawn Of War\\W40k.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Documents and Settings\\Maxim\\Desktop\\Max\\Pokemon Game.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.0.8.9506-to-3.0.9.9551-enUS-downloader.exe"=
"c:\\Program Files\\Dawn of War 2\\DOW2.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0-enUS-downloader.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\aliens vs predator\\AvP_CLI.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\transformers war for cybertron\\Binaries\\TWFC.exe"=
"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer_Service.exe"=
"c:\\Program Files\\Armagetron Advanced\\armagetronad.exe"=
"c:\\Program Files\\Sony Online Entertainment\\Installed Games\\DC Universe Online Live\\UNREAL3\\BINARIES\\WIN32\\DCGAME.EXE"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Riot Games\\League of Legends\\lol.launcher.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\dawn of war 2\\DOW2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\dawn of war ii - retribution\\DOW2.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"4000:TCP"= 4000:TCP:diablo
"8375:TCP"= 8375:TCP:League of Legends Launcher
"8375:UDP"= 8375:UDP:League of Legends Launcher
"8376:TCP"= 8376:TCP:League of Legends Launcher
"8376:UDP"= 8376:UDP:League of Legends Launcher
"8377:TCP"= 8377:TCP:League of Legends Launcher
"8377:UDP"= 8377:UDP:League of Legends Launcher
"8378:TCP"= 8378:TCP:League of Legends Launcher
"8378:UDP"= 8378:UDP:League of Legends Launcher
"8379:TCP"= 8379:TCP:League of Legends Launcher
"8379:UDP"= 8379:UDP:League of Legends Launcher
"8380:TCP"= 8380:TCP:League of Legends Launcher
"8380:UDP"= 8380:UDP:League of Legends Launcher
"8381:TCP"= 8381:TCP:League of Legends Launcher
"8381:UDP"= 8381:UDP:League of Legends Launcher
"6881:TCP"= 6881:TCP:League of Legends Launcher
"6881:UDP"= 6881:UDP:League of Legends Launcher
"8382:TCP"= 8382:TCP:League of Legends Launcher
"8382:UDP"= 8382:UDP:League of Legends Launcher
"8383:TCP"= 8383:TCP:League of Legends Launcher
"8383:UDP"= 8383:UDP:League of Legends Launcher
"8393:TCP"= 8393:TCP:League of Legends Lobby
"8393:UDP"= 8393:UDP:League of Legends Lobby
"8390:TCP"= 8390:TCP:League of Legends Game Client
"8390:UDP"= 8390:UDP:League of Legends Game Client
"6929:TCP"= 6929:TCP:League of Legends Launcher
"6929:UDP"= 6929:UDP:League of Legends Launcher
.
R2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [12/10/2009 3:39 AM 65536]
R2 USmsServ;Desktop Window Manager Sessions Manager;c:\windows\Desktop Manager\dwm.exe [6/10/2011 12:48 PM 142336]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2/27/2010 11:44 AM 57248]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/9/2009 6:35 PM 297752]
S3 B-Service;B-Service;c:\documents and settings\Maxim\Application Data\Mikogo\B-Service.exe [9/17/2010 12:13 PM 185640]
S3 bcgame;Nostromo HID Device Minidriver;c:\windows\system32\drivers\bcgame.sys --> c:\windows\system32\drivers\bcgame.sys [?]
S3 McComponentHostService;McAfee Security Scan Component Host Service;"c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe" --> c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/13/2007 12:28 AM 722416]
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-07 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-07-03 14:27]
.
2011-10-06 c:\windows\Tasks\Norton Security Scan for Maxim.job
- c:\progra~1\NORTON~2\Engine\312~1.9\Nss.exe [2011-06-09 08:19]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = localhost
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 192.168.0.1
DPF: Garmin Communicator Plug-In - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\Maxim\Application Data\Mozilla\Firefox\Profiles\pu9jai39.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - prefs.js: network.proxy.type - 0
FF - user.js: yahoo.homepage.dontask - true);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(yahoo.ytff.general.dontshowhpoffer, true);user_pref(network.protocol-handler.warn-external.dnupdate, false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2011-10-07 04:06
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3284)
c:\windows\system32\WININET.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\OpenOffice.org 2.3\program\soffice.exe
c:\program files\Logitech\SetPoint\KHALMNPR.EXE
c:\program files\OpenOffice.org 2.3\program\soffice.BIN
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-10-07 04:10:49 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-07 08:10
ComboFix2.txt 2011-10-06 16:42
ComboFix3.txt 2011-10-06 00:46
ComboFix4.txt 2011-10-04 07:28
ComboFix5.txt 2011-10-07 07:57
.
Pre-Run: 126,868,611,072 bytes free
Post-Run: 126,960,566,272 bytes free
.
- - End Of File - - CA29F1F5F8BFDF0EAAD78C0DAD59B240

Uthanak

Rookie Surfer

Posts : 66
Joined : 2009-08-10
Operating System : windows xp

Re: Need to get rid of rootkit.

Post by Gabethebabe on Tue 06 Sep 2011, 7:24 pm

OK, let's rerun aswMBR, because I think that ComboFix did not solve the redbook.sys problem.

If the aswMBR log shows something like this again:
13:03:06.531 File: C:\WINDOWS\system32\drivers\redbook.sys **INFECTED** Win32:Alureon-AJI [Rtk]

I would like you to do this:

Please download SystemLook by jpshortstuff from one of the locations below and save it to your desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the following text into the main textfield:

:filefind
redbook.sys
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop (SystemLook.txt).

Gabethebabe

Tech Advisor

Posts : 1568
Joined : 2010-03-07
Operating System : WIN7 64bit, Ubuntu 12.04 LTS
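The check Gabethebabe describes above keys on the `**INFECTED**` lines and the sector findings in the aswMBR log. The Python script below is an added example, not part of this thread and not code from aswMBR or any of the tools used here: it parses such a log and separates the findings a plain file scan cannot fix (code stored in raw sectors past the last partition, drivers flagged with the `[Rtk]` suffix) from ordinary file detections. The sample log is an excerpt of the aswMBR output posted earlier in this thread; the class and function names are my own.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt: these lines are copied from the aswMBR log posted
# earlier in this thread, trimmed to the ones the parser cares about.
SAMPLE_LOG = r"""aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-10-06 13:01:44
-----------------------------
13:03:00.500 Disk 0 MBR read successfully
13:03:00.531 Disk 0 Windows XP default MBR code
13:03:00.531 Disk 0 scanning sectors +625137345
13:03:00.562 Disk 0 malicious Win32:MBRoot code @ sector 625137348 !
13:03:00.562 Disk 0 PE file @ sector 625137370 !
13:03:06.531 File: C:\WINDOWS\system32\drivers\redbook.sys **INFECTED** Win32:Alureon-AJI [Rtk]
13:05:39.125 File: C:\WINDOWS\system32\drivers\redbook.sys **INFECTED** Win32:Alureon-AJI [Rtk]
13:08:31.781 File: C:\Documents and Settings\Maxim\Application Data\Sun\Java\Deployment\cache\6.0\2\7a23e0c2-4e72f5bd **INFECTED** Win32:FakeAV-CFZ [Trj]
13:34:39.437 Scan finished successfully
"""

# Line shapes taken from the posted log: a timestamp, then one of three payloads.
FILE_RE = re.compile(r"^\S+ File: (?P<path>.+?) \*\*INFECTED\*\* (?P<det>.+)$")
SECTOR_RE = re.compile(
    r"^\S+ Disk (?P<disk>\d+) (?P<what>malicious .+? code|PE file) @ sector (?P<sector>\d+) !$"
)
MBR_RE = re.compile(r"^\S+ Disk (?P<disk>\d+) (?P<desc>.+ MBR code)$")


@dataclass
class AswMbrFindings:
    infected: dict = field(default_factory=dict)     # path -> detection name (deduplicated)
    sector_hits: list = field(default_factory=list)  # (disk, what, sector) found in raw sectors
    mbr_code: dict = field(default_factory=dict)     # disk -> how aswMBR classified the MBR code
    finished: bool = False


def parse_aswmbr(text):
    """Extract the security-relevant lines from an aswMBR log."""
    f = AswMbrFindings()
    for line in text.splitlines():
        line = line.rstrip()
        m = FILE_RE.match(line)
        if m:
            # aswMBR reports the same driver once per pass; keep the first detection.
            f.infected.setdefault(m["path"], m["det"])
            continue
        m = SECTOR_RE.match(line)
        if m:
            f.sector_hits.append((int(m["disk"]), m["what"], int(m["sector"])))
            continue
        m = MBR_RE.match(line)
        if m:
            f.mbr_code[int(m["disk"])] = m["desc"]
            continue
        if line.endswith("Scan finished successfully"):
            f.finished = True
    return f


def rootkit_indicators(f):
    """Findings a file-level AV scan will not remove: code stored in sectors past
    the last partition, and drivers whose detection carries the [Rtk] suffix."""
    out = [f"disk {d}: {what} at sector {sector}" for d, what, sector in f.sector_hits]
    out += [f"{path}: {det}" for path, det in f.infected.items() if det.endswith("[Rtk]")]
    return out


if __name__ == "__main__":
    findings = parse_aswmbr(SAMPLE_LOG)
    for item in rootkit_indicators(findings):
        print("rootkit indicator:", item)
```

The MBR itself being reported as "Windows XP default MBR code" while malicious code sits at sector 625137348 is exactly the pattern this thread is chasing: the boot sector looks clean, the payload lives outside any partition, and the loaded driver is patched; which is why `rootkit_indicators` lists the sector hits separately from the file detections.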

Re: Need to get rid of rootkit.

Post by Uthanak on Tue 06 Sep 2011, 7:35 pm

Malwarebytes' Anti-Malware 1.51.1.1800
[You must be registered and logged in to see this link.]

Database version: 7662

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

10/7/2011 4:28:35 AM
mbam-log-2011-10-07 (04-28-35).txt

Scan type: Quick scan
Objects scanned: 202086
Time elapsed: 3 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Uthanak

Rookie Surfer

Posts : 66
Joined : 2009-08-10
Operating System : windows xp

Re: Need to get rid of rootkit.

Post by Uthanak on Wed 07 Sep 2011, 5:06 am

aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-10-06 13:01:44
-----------------------------
13:01:44.734 OS Version: Windows 5.1.2600 Service Pack 3
13:01:44.734 Number of processors: 2 586 0x4B02
13:01:44.734 ComputerName: MAXIM-9C1E76C15 UserName: Maxim
13:01:45.234 Initialize success
13:02:41.390 AVAST engine defs: 11090500
13:02:58.500 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000069
13:02:58.500 Disk 0 Vendor: WDC_WD3200AAKS-00L9A0 01.03E01 Size: 305245MB BusType: 3
13:03:00.500 Disk 0 MBR read successfully
13:03:00.500 Disk 0 MBR scan
13:03:00.531 Disk 0 Windows XP default MBR code
13:03:00.531 Disk 0 scanning sectors +625137345
13:03:00.562 Disk 0 malicious Win32:MBRoot code @ sector 625137348 !
13:03:00.562 Disk 0 PE file @ sector 625137370 !
13:03:00.593 Disk 0 scanning C:\WINDOWS\system32\drivers
13:03:06.531 File: C:\WINDOWS\system32\drivers\redbook.sys **INFECTED** Win32:Alureon-AJI [Rtk]
13:03:08.656 Service scanning
13:03:09.453 Modules scanning
13:03:13.140 Disk 0 trace - called modules:
13:03:13.171 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll nvata.sys
13:03:13.171 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8adc6ab8]
13:03:13.171 3 CLASSPNP.SYS[b80e8fd7] -> nt!IofCallDriver -> \Device\0000006a[0x8ae11f18]
13:03:13.171 5 ACPI.sys[b7f7f620] -> nt!IofCallDriver -> \Device\00000069[0x8adc6030]
13:03:14.046 AVAST engine scan C:\WINDOWS
13:03:53.093 AVAST engine scan C:\WINDOWS\system32
13:05:32.937 AVAST engine scan C:\WINDOWS\system32\drivers
13:05:39.125 File: C:\WINDOWS\system32\drivers\redbook.sys **INFECTED** Win32:Alureon-AJI [Rtk]
13:05:44.953 AVAST engine scan C:\Documents and Settings\Maxim
13:08:31.781 File: C:\Documents and Settings\Maxim\Application Data\Sun\Java\Deployment\cache\6.0\2\7a23e0c2-4e72f5bd **INFECTED** Win32:FakeAV-CFZ [Trj]
13:28:07.828 File: C:\Documents and Settings\Maxim\Desktop\RK_Quarantine\dwm.exe.vir **INFECTED** Win32:Malware-gen
13:32:58.375 AVAST engine scan C:\Documents and Settings\All Users
13:34:39.437 Scan finished successfully
13:35:42.796 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Maxim\Desktop\MBR.dat"
13:35:42.796 The log file has been saved successfully to "C:\Documents and Settings\Maxim\Desktop\aswMBR.txt"


aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-10-07 04:36:07
-----------------------------
04:36:07.140 OS Version: Windows 5.1.2600 Service Pack 3
04:36:07.140 Number of processors: 2 586 0x4B02
04:36:07.140 ComputerName: MAXIM-9C1E76C15 UserName: Maxim
04:36:07.796 Initialize success
04:37:33.359 AVAST engine defs: 11090501
13:32:40.312 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000069
13:32:40.312 Disk 0 Vendor: WDC_WD3200AAKS-00L9A0 01.03E01 Size: 305245MB BusType: 3
13:32:42.328 Disk 0 MBR read successfully
13:32:42.328 Disk 0 MBR scan
13:32:42.375 Disk 0 Windows XP default MBR code
13:32:42.375 Disk 0 scanning sectors +625137345
13:32:42.406 Disk 0 malicious Win32:MBRoot code @ sector 625137348 !
13:32:42.406 Disk 0 PE file @ sector 625137370 !
13:32:42.437 Disk 0 scanning C:\WINDOWS\system32\drivers
13:32:47.906 File: C:\WINDOWS\system32\drivers\redbook.sys **INFECTED** Win32:Alureon-AJI [Rtk]
13:32:51.187 Service scanning
13:32:51.968 Modules scanning
13:32:55.734 Disk 0 trace - called modules:
13:32:56.265 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll nvata.sys
13:32:56.265 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8addbab8]
13:32:56.265 3 CLASSPNP.SYS[b80e8fd7] -> nt!IofCallDriver -> \Device\0000006a[0x8adf7f18]
13:32:56.265 5 ACPI.sys[b7f7f620] -> nt!IofCallDriver -> \Device\00000069[0x8addb030]
13:32:57.734 AVAST engine scan C:\WINDOWS
13:33:14.468 AVAST engine scan C:\WINDOWS\system32
13:34:46.343 AVAST engine scan C:\WINDOWS\system32\drivers
13:34:52.890 File: C:\WINDOWS\system32\drivers\redbook.sys **INFECTED** Win32:Alureon-AJI [Rtk]
13:34:59.468 AVAST engine scan C:\Documents and Settings\Maxim
13:37:48.421 File: C:\Documents and Settings\Maxim\Application Data\Sun\Java\Deployment\cache\6.0\2\7a23e0c2-4e72f5bd **INFECTED** Win32:FakeAV-CFZ [Trj]
14:02:51.968 AVAST engine scan C:\Documents and Settings\All Users
14:04:39.953 Scan finished successfully
14:06:21.953 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Maxim\Desktop\MBR.dat"
14:06:21.953 The log file has been saved successfully to "C:\Documents and Settings\Maxim\Desktop\aswMBR.txt"



Uthanak

Rookie Surfer

Posts : 66
Joined : 2009-08-10
Operating System : windows xp

Re: Need to get rid of rootkit.

Post by Uthanak on Wed 07 Sep 2011, 5:11 am

SystemLook 30.07.11 by jpshortstuff
Log created at 14:08 on 07/10/2011 by Maxim
Administrator - Elevation successful

========== filefind ==========

Searching for "redbook.sys"
C:\WINDOWS\$NtServicePackUninstall$\redbook.sys -----c- 57472 bytes [04:11 04/09/2008] [22:59 03/08/2004] B31B4588E4086D8D84ADBF9845C2402B
C:\WINDOWS\ServicePackFiles\i386\redbook.sys ------- 57600 bytes [20:50 22/08/2008] [18:40 13/04/2008] F828DD7E1419B6653894A8F97A0094C5
C:\WINDOWS\system32\drivers\redbook.sys --a---- 57600 bytes [00:50 22/06/2007] [18:40 13/04/2008] F1F8EE9570078585254F2552BD21398D

-= EOF =-

Uthanak

Rookie Surfer

Posts : 66
Joined : 2009-08-10
Operating System : windows xp

Re: Need to get rid of rootkit.

Post by Gabethebabe on Wed 07 Sep 2011, 5:57 am

OK, now the final action to get rid of the last infected driver:

  • Please create a new text file in Notepad with the following contents:
    Code:
    KILLALL::
    FCopy::
    C:\WINDOWS\ServicePackFiles\i386\redbook.sys|C:\WINDOWS\system32\drivers\redbook.sys

    Folder::
    C:\Documents and Settings\Maxim\Application Data\Sun\Java\Deployment\cache\6.0\2\7a23e0c2-4e72f5bd
  • Save that file as CFScript.txt on your desktop
  • Drag and drop the CFScript.txt onto the ComboFix icon, as shown in the animation below.

  • If done correctly, ComboFix will start and perform specific instructions
  • In doing so, ComboFix may request a reboot
  • Please post the contents of Combofix.txt in your next reply


After doing this, let me know how the computer is running. After all is fine we have to uninstall used tools, so hang on for a bit more. This was a long ride, but it was needed because your computer was crawling with nasty stuff.

Gabethebabe

Tech Advisor

Posts : 1568
Joined : 2010-03-07
Operating System : WIN7 64bit, Ubuntu 12.04 LTS
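The SystemLook output Uthanak posted is the evidence behind the FCopy:: step above: the loaded redbook.sys has the same size (57600 bytes) and the same 13/04/2008 timestamp as the copy in ServicePackFiles\i386, but a different MD5, which is what an in-place patched driver looks like. The script below is an added example, not from this thread and not code from SystemLook or ComboFix: it parses the filefind lines, picks the pristine copy of the same build as the reference, reports the verdict, and emits the source|destination pair in the form the CFScript above uses. Reading the two bracketed timestamps as created/modified is my assumption, and the class and function names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# The three result lines are the SystemLook "filefind" output posted in this thread.
SYSTEMLOOK_OUTPUT = r"""Searching for "redbook.sys"
C:\WINDOWS\$NtServicePackUninstall$\redbook.sys -----c- 57472 bytes [04:11 04/09/2008] [22:59 03/08/2004] B31B4588E4086D8D84ADBF9845C2402B
C:\WINDOWS\ServicePackFiles\i386\redbook.sys ------- 57600 bytes [20:50 22/08/2008] [18:40 13/04/2008] F828DD7E1419B6653894A8F97A0094C5
C:\WINDOWS\system32\drivers\redbook.sys --a---- 57600 bytes [00:50 22/06/2007] [18:40 13/04/2008] F1F8EE9570078585254F2552BD21398D
"""

# One filefind result: path, 7-character attribute flags, size, two timestamps, MD5.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<attrs>[-A-Za-z]{7}) (?P<size>\d+) bytes "
    r"\[(?P<ts1>[^\]]+)\] \[(?P<ts2>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)


@dataclass
class FileEntry:
    path: str
    attrs: str
    size: int
    created: str   # first bracket; assumed to be the creation timestamp
    modified: str  # second bracket; assumed to be last-modified, i.e. the build date of this copy
    md5: str

    @property
    def name(self):
        return self.path.rsplit("\\", 1)[-1].lower()


def parse_filefind(text) -> List[FileEntry]:
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(FileEntry(m["path"], m["attrs"], int(m["size"]),
                                     m["ts1"], m["ts2"], m["md5"].upper()))
    return entries


@dataclass
class DriverAssessment:
    live: Optional[FileEntry]
    reference: Optional[FileEntry]
    verdict: str  # "match", "mismatch", "no-live-copy" or "no-reference"


def assess_driver(entries, name):
    """Compare the loaded driver in the drivers directory with a pristine copy of the
    same build. A copy is a usable reference only when size and modified timestamp
    agree with the live file: an in-place patched driver keeps both, so a differing
    MD5 is the tell. Copies of another build (different size) are not references."""
    name = name.lower()
    same = [e for e in entries if e.name == name]
    live = next((e for e in same if "\\system32\\drivers\\" in e.path.lower()), None)
    if live is None:
        return DriverAssessment(None, None, "no-live-copy")
    ref = next((e for e in same if e is not live and e.size == live.size
                and e.modified == live.modified), None)
    if ref is None:
        return DriverAssessment(live, None, "no-reference")
    return DriverAssessment(live, ref, "match" if ref.md5 == live.md5 else "mismatch")


def fcopy_line(a):
    """The source|destination pair in the form the CFScript in this thread uses;
    None when there is nothing to restore."""
    if a.verdict != "mismatch":
        return None
    return f"{a.reference.path}|{a.live.path}"


if __name__ == "__main__":
    result = assess_driver(parse_filefind(SYSTEMLOOK_OUTPUT), "redbook.sys")
    print(result.verdict)
    print(fcopy_line(result))
```

The $NtServicePackUninstall$ copy is deliberately ignored: it is 57472 bytes with a 2004 build date, i.e. the pre-SP3 driver, so a naive "restore any backup" would have downgraded the system; the size-and-timestamp rule selects the SP3 copy, which is the one the FCopy:: line above restores.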
