Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

A Hijack this log I could use help with; Thanks

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

A Hijack this log I could use help with; Thanks

Unread postby Negalith » May 20th, 2008, 2:30 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:11:53 PM, on 5/20/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\xwusuhzh.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Rundll32.exe
C:\WINDOWS\System32\NWTRAY.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\Rundll32.exe
C:\Documents and Settings\jkeleher\Application Data\F?nts\?ervices.exe
C:\DOCUME~1\jkeleher\LOCALS~1\Temp\!update.exe
C:\WINDOWS\ECURIT~1\rundll.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://auto.search.msn.com/response.asp ... prov=&utf8
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\xwusuhzh.exe,
O2 - BHO: (no name) - {00110011-4b0b-44d5-9718-90c88817369b} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {086ae192-23a6-48d6-96ec-715f53797e85} - (no file)
O2 - BHO: (no name) - {150fa160-130d-451f-b863-b655061432ba} - (no file)
O2 - BHO: (no name) - {17da0c9e-4a27-4ac5-bb75-5d24b8cdb972} - (no file)
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb1} - (no file)
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2} - (no file)
O2 - BHO: (no name) - {2d38a51a-23c9-48a1-a33c-48675aa2b494} - (no file)
O2 - BHO: (no name) - {2e9caff6-30c7-4208-8807-e79d4ec6f806} - (no file)
O2 - BHO: (no name) - {467faeb2-5f5b-4c81-bae0-2a4752ca7f4e} - (no file)
O2 - BHO: (no name) - {5321e378-ffad-4999-8c62-03ca8155f0b3} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {587dbf2d-9145-4c9e-92c2-1f953da73773} - (no file)
O2 - BHO: (no name) - {6cc1c91a-ae8b-4373-a5b4-28ba1851e39a} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {79369d5c-2903-4b7a-ade2-d5e0dee14d24} - (no file)
O2 - BHO: (no name) - {799a370d-5993-4887-9df7-0a4756a77d00} - (no file)
O2 - BHO: (no name) - {98dbbf16-ca43-4c33-be80-99e6694468a4} - (no file)
O2 - BHO: (no name) - {a55581dc-2cdb-4089-8878-71a080b22342} - (no file)
O2 - BHO: (no name) - {b847676d-72ac-4393-bfff-43a1eb979352} - (no file)
O2 - BHO: (no name) - {bc97b254-b2b9-4d40-971d-78e0978f5f26} - (no file)
O2 - BHO: (no name) - {C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8} - C:\WINDOWS\System32\cbXRKDwU.dll
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765721306} - (no file)
O2 - BHO: gooochi browser optimizer - {cf3c54f1-0898-2e1b-b03e-734bacb6372c} - C:\WINDOWS\System32\{2dad0f94-17f5-5ecc-297f-90bfe43bd59d}.dll
O2 - BHO: (no name) - {e2ddf680-9905-4dee-8c64-0a5de7fe133c} - (no file)
O2 - BHO: (no name) - {e3eebbe8-9cab-4c76-b26a-747e25ebb4c6} - (no file)
O2 - BHO: (no name) - {e7afff2a-1b57-49c7-bf6b-e5123394c970} - (no file)
O2 - BHO: (no name) - {EF8462D9-D33B-C095-13E7-D38F0452729C} - C:\WINDOWS\System32\tgjdbp.dll
O2 - BHO: (no name) - {fcaddc14-bd46-408a-9842-cdbe1c6d37eb} - (no file)
O2 - BHO: (no name) - {fd9bc004-8331-4457-b830-4759ff704c22} - (no file)
O2 - BHO: (no name) - {ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [BM0b1bc0e9] Rundll32.exe "C:\WINDOWS\System32\puipnyui.dll",s
O4 - HKLM\..\Run: [{5346d4c3-c9e1-b05c-1b41-ab98c95263f2}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\System32\{2dad0f94-17f5-5ecc-297f-90bfe43bd59d}.dll" DllInit
O4 - HKCU\..\Run: [Ncao] "C:\WINDOWS\ECURIT~1\rundll.exe" -vt yazb
O4 - HKUS\S-1-5-21-3030076218-26982006-702300368-1006\..\Run: [Ncao] "C:\WINDOWS\ECURIT~1\rundll.exe" -vt yazb (User '?')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 0091341109
O17 - HKLM\System\CCS\Services\Tcpip\..\{AE1DCF8F-6FCA-4FF3-9408-F2CEAEDE786B}: NameServer = 66.73.20.40,206.141.193.55
O20 - Winlogon Notify: cbXRKDwU - C:\WINDOWS\SYSTEM32\cbXRKDwU.dll

--
End of file - 5786 bytes
Negalith
Regular Member
 
Posts: 22
Joined: March 22nd, 2008, 12:25 pm
Advertisement
Register to Remove

Re: A Hijack this log I could use help with; Thanks

Unread postby Shaba » May 21st, 2008, 4:55 am

Hi Negalith

You have no antivirus installed so we start with this:

Looking over your log, it seems you don't have any evidence of an anti-virus software.

Anti-virus software are programs that detect, cleanse, and erase harmful virus files on a computer, Web server, or network. Unchecked, virus files can unintentionally be forwarded to others, including trading partners and thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. They can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download a free anti-virus software from one these excellent vendors NOW:

1) Antivir PersonalEdition Classic- Free anti-virus software for Windows. Detects and removes more than 50,000 viruses. Free support.
2) avast! 4 Home Edition - Anti-virus program for Windows. The home edition is freeware for noncommercial users.
3) AVG Anti-Virus Free Edition - Free edition of the AVG anti-virus program for Windows.

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer, then only one of them should be active in memory at a time.

After that, please post a fresh HijackThis log :)
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: A Hijack this log I could use help with; Thanks

Unread postby Negalith » May 21st, 2008, 3:16 pm

Avast was installed and run.... So was spy bot. Ive noticed some improvement, but problems still exist. Avast keeps catching trojan attempts. My desktop is comvered with adds that keep replacing themselves.


Thank you for your attention.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:13:39 PM, on 5/21/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\NWTRAY.EXE
C:\WINDOWS\System32\Rundll32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\Rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://auto.search.msn.com/response.asp ... prov=&utf8
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,userinit.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {98dbbf16-ca43-4c33-be80-99e6694468a4} - (no file)
O2 - BHO: (no name) - {bc97b254-b2b9-4d40-971d-78e0978f5f26} - (no file)
O2 - BHO: (no name) - {C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8} - C:\WINDOWS\System32\cbXRKDwU.dll
O2 - BHO: gooochi browser optimizer - {cf3c54f1-0898-2e1b-b03e-734bacb6372c} - C:\WINDOWS\System32\{2dad0f94-17f5-5ecc-297f-90bfe43bd59d}.dll
O2 - BHO: (no name) - {EF8462D9-D33B-C095-13E7-D38F0452729C} - C:\WINDOWS\System32\tgjdbp.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [{5346d4c3-c9e1-b05c-1b41-ab98c95263f2}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\System32\{2dad0f94-17f5-5ecc-297f-90bfe43bd59d}.dll" DllInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [BM0b1bc0e9] Rundll32.exe "C:\WINDOWS\System32\whrurbws.dll",s
O4 - HKCU\..\Run: [Ncao] "C:\WINDOWS\ECURIT~1\rundll.exe" -vt yazb
O4 - HKUS\S-1-5-21-3030076218-26982006-702300368-1006\..\Run: [Ncao] "C:\WINDOWS\ECURIT~1\rundll.exe" -vt yazb (User '?')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 0091341109
O17 - HKLM\System\CCS\Services\Tcpip\..\{AE1DCF8F-6FCA-4FF3-9408-F2CEAEDE786B}: NameServer = 66.73.20.40,206.141.193.55
O20 - Winlogon Notify: cbXRKDwU - C:\WINDOWS\SYSTEM32\cbXRKDwU.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

--
End of file - 4520 bytes
Negalith
Regular Member
 
Posts: 22
Joined: March 22nd, 2008, 12:25 pm

Re: A Hijack this log I could use help with; Thanks

Unread postby Negalith » May 21st, 2008, 6:20 pm

I had another flare up... so I ran Avast and spybot again in Safe mode. This is the HJT lof after that. Thank you for looking.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:18:31 PM, on 5/21/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\NWTRAY.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://auto.search.msn.com/response.asp ... prov=&utf8
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,userinit.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {48E21D2F-A4EA-4559-96CB-AEAA5BE63C1B} - (no file)
O2 - BHO: (no name) - {50689C3D-BB82-4DF7-9AD5-3CE74ADF85F3} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {98dbbf16-ca43-4c33-be80-99e6694468a4} - (no file)
O2 - BHO: (no name) - {bc97b254-b2b9-4d40-971d-78e0978f5f26} - (no file)
O2 - BHO: (no name) - {C7BBC1FA-E415-4926-9A47-9AB58D0B3BC8} - C:\WINDOWS\System32\cbXRKDwU.dll
O2 - BHO: gooochi browser optimizer - {cf3c54f1-0898-2e1b-b03e-734bacb6372c} - C:\WINDOWS\System32\{2dad0f94-17f5-5ecc-297f-90bfe43bd59d}.dll (file missing)
O2 - BHO: (no name) - {EF8462D9-D33B-C095-13E7-D38F0452729C} - C:\WINDOWS\System32\tgjdbp.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 0091341109
O17 - HKLM\System\CCS\Services\Tcpip\..\{AE1DCF8F-6FCA-4FF3-9408-F2CEAEDE786B}: NameServer = 66.73.20.40,206.141.193.55
O20 - Winlogon Notify: cbXRKDwU - C:\WINDOWS\SYSTEM32\cbXRKDwU.dll

--
End of file - 3674 bytes
Negalith
Regular Member
 
Posts: 22
Joined: March 22nd, 2008, 12:25 pm

Re: A Hijack this log I could use help with; Thanks

Unread postby Shaba » May 22nd, 2008, 6:55 am

Hi

Please re-run HijackThis.

Your latest log looks weird as it has no avast! installed.

If you for some reason uninstalled avast!, please re-install it.
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: A Hijack this log I could use help with; Thanks

Unread postby Negalith » May 23rd, 2008, 12:16 pm

Avast was never unisntalled, but will not run resident in the background. I can run it manually however.

I CAN NO LONGER ACCESS THIS WEB SITE ON THE INFECTED COMPUTER. I can not use a jump drive to transfer the hijack this log because I have already infected another computer doing so last time. I can not access email on the infected computer, so I can not emial off the log. Basically, I have no way of getting a new Hijack this log posted on this web site.

PLEASE tell me, based on the last log I've posted some way to begin killing some of these infections. Avast and Spybot seem to kill many, but they simply reappear with the next reboot. Ive used msconfig to set the computer to boot up in diagnostic mode loading only the most needed components. That is the only way the computer is not completley over run with pop up adds and infection warnings. I think Avast does not run resident because the start up services have been disabled. Turing on services attmepting to have Avast run in the background allows the infection to flare to such a degree that lack of system resources never lets it fully load.
Negalith
Regular Member
 
Posts: 22
Joined: March 22nd, 2008, 12:25 pm

Re: A Hijack this log I could use help with; Thanks

Unread postby Shaba » May 23rd, 2008, 12:27 pm

Hi

Thanks for the info.

This is the next step:

1. Download combofix from any of these links and save it to Desktop:
Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

If you have problems with Combofix usage, see here

Post:

- a fresh HijackThis log
- combofix report
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: A Hijack this log I could use help with; Thanks

Unread postby Negalith » May 23rd, 2008, 3:23 pm

It's too early to tell how clean the machine is now.... but I'm writing this from the infected machine, which is a good sign. I was able to log in here with no redirections or pop ups (its still booting under the bare bones start up, however.... Not sure what kind of hell may await me rebooting normally)


*********************************************************************

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:21:53 PM, on 5/23/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\NWTRAY.EXE
C:\WINDOWS\Explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.malwareremoval.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://auto.search.msn.com/response.asp ... prov=&utf8
O2 - BHO: (no name) - {2D7A7340-1DAF-4982-8E80-0CF219E48AC6} - C:\WINDOWS\System32\ddcCSKBS.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {69844196-21A8-4AA4-B7DA-9632FF9A92B6} - C:\WINDOWS\System32\hgGxUMGy.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7B4046F6-2727-4696-97F1-1DDD6B1C80E2} - C:\WINDOWS\System32\ljJARJya.dll (file missing)
O2 - BHO: (no name) - {EF8462D9-D33B-C095-13E7-D38F0452729C} - C:\WINDOWS\System32\tgjdbp.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://www.malwareremoval.com
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 0091341109
O17 - HKLM\System\CCS\Services\Tcpip\..\{AE1DCF8F-6FCA-4FF3-9408-F2CEAEDE786B}: NameServer = 66.73.20.40,206.141.193.55

--
End of file - 3294 bytes




********************************************************************



ComboFix 08-05-21.3 - JKeleher 2008-05-23 14:12:16.1 - NTFSx86

Running from: C:\Documents and Settings\jkeleher\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\jkeleher\Application Data\FNTS~1
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\tmpvc14
C:\Temp\tmpvc14\dllvc.log
C:\temp\tn3
C:\WINDOWS\pskt.ini
C:\WINDOWS\SYSTEM32\AayFOXbc.ini
C:\WINDOWS\SYSTEM32\AayFOXbc.ini2
C:\WINDOWS\system32\ayervmth.ini
C:\WINDOWS\SYSTEM32\ayJRAJjl.ini
C:\WINDOWS\SYSTEM32\ayJRAJjl.ini2
C:\WINDOWS\SYSTEM32\BaJklUvw.ini
C:\WINDOWS\SYSTEM32\BaJklUvw.ini2
C:\WINDOWS\system32\cbXRKDwU.dll
C:\WINDOWS\system32\cfffPqss.ini
C:\WINDOWS\SYSTEM32\cfffPqss.ini2
C:\WINDOWS\SYSTEM32\cnebjisk.ini
C:\WINDOWS\SYSTEM32\edJPoUvw.ini
C:\WINDOWS\SYSTEM32\edJPoUvw.ini2
C:\WINDOWS\SYSTEM32\ednotire.ini
C:\WINDOWS\system32\mlqnchwt.ini
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\rkipshoe.ini
C:\WINDOWS\system32\rundll.exe
C:\WINDOWS\SYSTEM32\SBKSCcdd.ini
C:\WINDOWS\SYSTEM32\SBKSCcdd.ini2
C:\WINDOWS\system32\uELVCJlm.ini
C:\WINDOWS\SYSTEM32\uELVCJlm.ini2
C:\WINDOWS\system32\wuxykjdv.exe
C:\WINDOWS\system32\yGMUxGgh.ini
C:\WINDOWS\SYSTEM32\yGMUxGgh.ini2

----- BITS: Possible infected sites -----

hxxp://80.93.48.74
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CCEVTSVC
-------\Legacy_CLBDRIVER
-------\Legacy_CMDSERVICE
-------\Legacy_NETWORK_MONITOR
-------\Service_clbdriver


((((((((((((((((((((((((( Files Created from 2008-04-23 to 2008-05-23 )))))))))))))))))))))))))))))))
.

2008-05-23 13:56 . 2008-05-23 13:56 <DIR> d-------- C:\Documents and Settings\jkeleher\Application Data\Malwarebytes
2008-05-23 13:55 . 2008-05-23 13:56 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-23 13:55 . 2008-05-23 13:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-23 13:55 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamcatchme.sys
2008-05-23 13:55 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-05-23 13:19 . 2008-05-23 13:19 2,126 --a------ C:\WINDOWS\SYSTEM32\wpa.dbl
2008-05-23 13:11 . 2008-05-23 14:04 91,008 --------- C:\WINDOWS\SYSTEM32\mdjpards.dll
2008-05-23 13:11 . 2008-05-23 13:11 0 --a------ C:\WINDOWS\BM0b1bc0e9.xml
2008-05-23 12:41 . 2008-05-23 13:10 216 -ra------ C:\WINDOWS\SYSTEM32\ftp34.dll
2008-05-23 12:38 . 2008-05-23 12:38 <DIR> d-------- C:\WINDOWS\SYSTEM32\New Folder
2008-05-23 10:22 . 2008-05-23 14:04 5,120 --------- C:\Documents and Settings\jkeleher\ftp34.dll
2008-05-21 17:39 . 2008-05-21 17:44 <DIR> d-------- C:\Documents and Settings\jkeleher\.housecall6.6
2008-05-21 17:21 . 2008-05-21 17:22 <DIR> d-------- C:\Tools
2008-05-21 16:01 . 2008-05-23 09:46 <DIR> d-------- C:\WINDOWS\SYSTEM32\CatRoot2
2008-05-21 12:26 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\SYSTEM32\VCCLSID.exe
2008-05-21 12:26 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2008-05-21 12:26 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\SYSTEM32\WS2Fix.exe
2008-05-21 12:25 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2008-05-21 12:25 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe
2008-05-21 12:04 . 2008-05-21 12:04 <DIR> d-------- C:\Program Files\Alwil Software
2008-05-21 12:04 . 2003-03-18 15:20 1,060,864 --a------ C:\WINDOWS\SYSTEM32\MFC71.dll
2008-05-21 12:04 . 2003-03-18 14:14 499,712 --a------ C:\WINDOWS\SYSTEM32\MSVCP71.dll
2008-05-21 12:04 . 2003-02-20 22:42 348,160 --a------ C:\WINDOWS\SYSTEM32\MSVCR71.dll
2008-05-20 13:15 . 2008-05-20 13:15 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-17 13:03 . 2008-05-17 13:03 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-17 13:03 . 2008-05-20 12:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-17 12:42 . 2008-05-17 12:42 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-17 12:42 . 2008-05-17 12:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-17 12:41 . 2008-05-17 12:41 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-17 12:08 . 2008-05-17 12:08 <DIR> d-------- C:\WINDOWS\SYSTEM32\dFrnx06
2008-05-17 12:08 . 2008-05-17 12:52 <DIR> d--hs---- C:\WINDOWS\Q2F0aG9saWMgQ2hhcml0aWVz
2008-05-17 12:08 . 2008-05-23 14:12 <DIR> d-------- C:\Temp
2008-05-17 12:08 . 2002-08-29 06:00 4,224 --a------ C:\WINDOWS\SYSTEM32\beep.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-14 22:17 --------- d-----w C:\Program Files\Common Files\AOL
2008-05-14 16:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-04-19 16:11 --------- d-----w C:\Program Files\Common Files\Adobe
.

------- Sigcheck -------

2002-08-29 06:00 12800 0f7d9c87b0ce1fa520473119752c6f79 C:\WINDOWS\SYSTEM32\SVCHOST.EXE

2002-08-29 06:00 560128 dd9269230c21ee8fb7fd3fccc3b1cfcb C:\WINDOWS\SYSTEM32\USER32.DLL

2002-08-29 06:00 75264 8529c295df59b564d37a73b5629162b1 C:\WINDOWS\SYSTEM32\WS2_32.DLL

2002-08-29 06:00 599040 f3587750a7481dccbea13d473a0700be C:\WINDOWS\SYSTEM32\WININET.DLL

2002-08-29 06:00 332928 244a2f9816bc9b593957281ef577d976 C:\WINDOWS\SYSTEM32\DRIVERS\TCPIP.SYS

2002-08-29 06:00 516608 2246d8d8f4714a2cedb21ab9b1849abb C:\WINDOWS\SYSTEM32\WINLOGON.EXE

2002-08-29 06:00 167552 3b350e5a2a5e951453f3993275a4523a C:\WINDOWS\SYSTEM32\DRIVERS\NDIS.SYS


2002-08-29 02:04 1947904 0e8efb15746878a9b256e75267337233 C:\WINDOWS\SYSTEM32\ntkrnlpa.exe

2002-08-29 03:03 2042240 b9080d97dbd631aadf9128f7316958d2 C:\WINDOWS\SYSTEM32\ntoskrnl.exe

2002-08-29 06:00 1004032 a82b28bfc2e4455fe43022a498c0ef0a C:\WINDOWS\EXPLORER.EXE

2002-08-29 06:00 101376 e3df4a0252d287c44606ee55355e1623 C:\WINDOWS\SYSTEM32\SERVICES.EXE

2002-08-29 06:00 11776 b2b6ba905d0e3f8a32a0eb3b4051807b C:\WINDOWS\SYSTEM32\LSASS.EXE

2002-08-29 06:00 13312 414de7cf9d3f19c3ea902f1bb38ec116 C:\WINDOWS\SYSTEM32\CTFMON.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2D7A7340-1DAF-4982-8E80-0CF219E48AC6}]
C:\WINDOWS\System32\ddcCSKBS.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{69844196-21A8-4AA4-B7DA-9632FF9A92B6}]
C:\WINDOWS\System32\hgGxUMGy.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7B4046F6-2727-4696-97F1-1DDD6B1C80E2}]
C:\WINDOWS\System32\ljJARJya.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EF8462D9-D33B-C095-13E7-D38F0452729C}]
C:\WINDOWS\System32\tgjdbp.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NWTRAY"="NWTRAY.EXE" [2001-12-18 15:24 28672 C:\WINDOWS\SYSTEM32\nwtray.exe]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^jkeleher^Start Menu^Programs^Startup^Deewoo.lnk]
path=C:\Documents and Settings\jkeleher\Start Menu\Programs\Startup\Deewoo.lnk
backup=C:\WINDOWS\pss\Deewoo.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^jkeleher^Start Menu^Programs^Startup^DW_Start.lnk]
path=C:\Documents and Settings\jkeleher\Start Menu\Programs\Startup\DW_Start.lnk
backup=C:\WINDOWS\pss\DW_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AntiVirusPro]
C:\Program Files\AntiVirusPro\AntiVirusPro.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\autoload]
C:\Documents and Settings\jkeleher\cftmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
--a------ 2008-05-15 18:19 79224 C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthorizationAgent]
C:\WINDOWS\System32\BluetoothAuthorizationAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM0b1bc0e9]
C:\WINDOWS\System32\rnmkswgl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dbar_starter]
C:\Documents and Settings\jkeleher\Application Data\Deskbar_{38F823D2-88FF-46b1-AAFC-EB562BEF3792}\starter.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]
C:\WINDOWS\System32\tcntkkdm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2002-06-20 03:05 114688 C:\WINDOWS\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2002-06-20 03:14 155648 C:\WINDOWS\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2002-08-20 16:08 1511453 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ncao]
C:\WINDOWS\ECURIT~1\rundll.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ntuser]
C:\WINDOWS\system32\drivers\spools.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NWTRAY]
-ra------ 2001-12-18 15:24 28672 C:\WINDOWS\SYSTEM32\nwtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrModule16]
C:\Program Files\QdrModule\QdrModule16.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrPack16]
C:\Program Files\QdrPack\QdrPack16.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RunDll]
C:\WINDOWS\System32\rundll.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runwinlogon]
C:\WINDOWS\winlogon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 11:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebSUpdater]
C:\Program Files\winvi\wupda.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Weekbpa]
C:\Documents and Settings\jkeleher\Application Data\F?nts\?ervices.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinUpdater]
C:\Program Files\winvi\update.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{5346d4c3-c9e1-b05c-1b41-ab98c95263f2}]
C:\WINDOWS\System32\{2dad0f94-17f5-5ecc-297f-90bfe43bd59d}.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=2 (0x2)
"WmiApSrv"=3 (0x3)
"Wmi"=3 (0x3)
"WmdmPmSp"=2 (0x2)
"winmgmt"=2 (0x2)
"Windows Action Script"=2 (0x2)
"WebClient"=2 (0x2)
"w32time"=2 (0x2)
"VSS"=3 (0x3)
"Viewpoint Manager Service"=2 (0x2)
"UPS"=3 (0x3)
"upnphost"=3 (0x3)
"uploadmgr"=2 (0x2)
"TrkWks"=2 (0x2)
"Themes"=2 (0x2)
"TermService"=3 (0x3)
"TapiSrv"=3 (0x3)
"SysmonLog"=3 (0x3)
"SwPrv"=3 (0x3)
"stisvc"=3 (0x3)
"SSDPSRV"=3 (0x3)
"srservice"=2 (0x2)
"Spooler"=2 (0x2)
"ShellHWDetection"=2 (0x2)
"SENS"=2 (0x2)
"seclogon"=2 (0x2)
"Schedule"=2 (0x2)
"SCardSvr"=3 (0x3)
"SCardDrv"=3 (0x3)
"SamSs"=2 (0x2)
"RSVP"=3 (0x3)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"ProtectedStorage"=2 (0x2)
"PolicyAgent"=2 (0x2)
"PlugPlay"=2 (0x2)
"NtmsSvc"=3 (0x3)
"NtLmSsp"=3 (0x3)
"NMSSvc"=3 (0x3)
"Nla"=3 (0x3)
"Netman"=3 (0x3)
"Netlogon"=3 (0x3)
"NetDDEdsdm"=3 (0x3)
"NetDDE"=3 (0x3)
"MSIServer"=3 (0x3)
"MSDTC"=3 (0x3)
"mnmsrvc"=3 (0x3)
"LmHosts"=2 (0x2)
"lanmanworkstation"=2 (0x2)
"lanmanserver"=2 (0x2)
"ImapiService"=3 (0x3)
"Iap"=2 (0x2)
"helpsvc"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)
"EventSystem"=3 (0x3)
"Eventlog"=2 (0x2)
"ERSvc"=2 (0x2)
"Dnscache"=2 (0x2)
"dmserver"=2 (0x2)
"dmadmin"=3 (0x3)
"Dhcp"=2 (0x2)
"CryptSvc"=2 (0x2)
"COMSysApp"=3 (0x3)
"ClipSrv"=3 (0x3)
"CiSvc"=2 (0x2)
"Browser"=2 (0x2)
"BITS"=3 (0x3)
"AudioSrv"=2 (0x2)
"ASFAgent"=2 (0x2)
"AppMgmt"=3 (0x3)
"ALG"=3 (0x3)
"Alerter"=3 (0x3)
"aawservice"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001


.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-23 14:15:15
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


folder error: C:\WINDOWS\TEMP\

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\USERINIT.EXE
.
**************************************************************************
.
Completion time: 2008-05-23 14:17:50 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-23 19:17:46

Pre-Run: 16,170,795,008 bytes free
Post-Run: 16,210,591,744 bytes free

282
Negalith
Regular Member
 
Posts: 22
Joined: March 22nd, 2008, 12:25 pm

Re: A Hijack this log I could use help with; Thanks

Unread postby Shaba » May 24th, 2008, 4:39 am

Hi

Looks better, yes.

"I was able to log in here with no redirections or pop ups (its still booting under the bare bones start up, however.... Not sure what kind of hell may await me rebooting normally)"

You seem to have disabled quite many startups using msconfig, that might be a reason.

Open notepad and copy/paste the text in the codebox below into it:

Code: Select all
File::
C:\WINDOWS\BM0b1bc0e9.xml
C:\WINDOWS\SYSTEM32\ftp34.dll
C:\Documents and Settings\jkeleher\ftp34.dll

Folder::
C:\WINDOWS\SYSTEM32\dFrnx06
C:\WINDOWS\Q2F0aG9saWMgQ2hhcml0aWVz
C:\Temp

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2D7A7340-1DAF-4982-8E80-0CF219E48AC6}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{69844196-21A8-4AA4-B7DA-9632FF9A92B6}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7B4046F6-2727-4696-97F1-1DDD6B1C80E2}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EF8462D9-D33B-C095-13E7-D38F0452729C}]

[-HKLM\~\startupfolder\C:^Documents and Settings^jkeleher^Start Menu^Programs^Startup^Deewoo.lnk]

[-HKLM\~\startupfolder\C:^Documents and Settings^jkeleher^Start Menu^Programs^Startup^DW_Start.lnk]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AntiVirusPro]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\autoload]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM0b1bc0e9]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dbar_starter]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ncao]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ntuser]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrModule16]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrPack16]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RunDll]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runwinlogon]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebSUpdater]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Weekbpa]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinUpdater]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{5346d4c3-c9e1-b05c-1b41-ab98c95263f2}]


Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: A Hijack this log I could use help with; Thanks

Unread postby Fandantium » May 24th, 2008, 1:50 pm

Due to holiday plans, I wont be at my computer till Tuesday. I lookforward to implementing your advice. Thank you much. Ill post after I have had a chance to try it.
Fandantium
Active Member
 
Posts: 2
Joined: May 21st, 2008, 8:59 pm

Re: A Hijack this log I could use help with; Thanks

Unread postby Shaba » May 24th, 2008, 2:00 pm

Hi

Thanks for the info :)
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: A Hijack this log I could use help with; Thanks

Unread postby Negalith » May 27th, 2008, 1:50 pm

This is the system running with a normal boot up after Combofix and special script.
I still have no idea why avast is not running resident.
Spybot S&D does seem to run resident


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:45:17 PM, on 5/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://auto.search.msn.com/response.asp ... prov=&utf8
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [{5346d4c3-c9e1-b05c-1b41-ab98c95263f2}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\System32\{2dad0f94-17f5-5ecc-297f-90bfe43bd59d}.dll" DllInit
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [{8F-F3-3D-DA-DW}] c:\windows\system32\rwwnw64d.exe DWramXX
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\System32\tcntkkdm.exe DWramXX
O4 - HKLM\..\Run: [dbar_starter] C:\Documents and Settings\jkeleher\Application Data\Deskbar_{38F823D2-88FF-46b1-AAFC-EB562BEF3792}\starter.exe
O4 - HKCU\..\Run: [Weekbpa] "C:\Documents and Settings\jkeleher\Application Data\F?nts\?ervices.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [QdrPack16] "C:\Program Files\QdrPack\QdrPack16.exe"
O4 - HKCU\..\Run: [QdrModule16] "C:\Program Files\QdrModule\QdrModule16.exe"
O4 - HKCU\..\Run: [Ncao] "C:\WINDOWS\ECURIT~1\rundll.exe" -vt yazb
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RunDll] C:\WINDOWS\System32\rundll.exe
O4 - HKCU\..\Run: [WinUpdater] "C:\Program Files\winvi\update.exe" /background
O4 - HKCU\..\Run: [WebSUpdater] "C:\Program Files\winvi\wupda.exe" /background
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://www.malwareremoval.com
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 0091341109
O17 - HKLM\System\CCS\Services\Tcpip\..\{AE1DCF8F-6FCA-4FF3-9408-F2CEAEDE786B}: NameServer = 66.73.20.40,206.141.193.55
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Windows Action Script - Unknown owner - C:\WINDOWS\system32\scvhost.exe (file missing)

--
End of file - 5663 bytes

_______________________________________________________________________________________________________
********************************************************************************************************

ComboFix 08-05-21.3 - JKeleher 2008-05-27 12:40:03.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.87 [GMT -5:00]
Running from: C:\Documents and Settings\jkeleher\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\jkeleher\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\jkeleher\ftp34.dll
C:\WINDOWS\BM0b1bc0e9.xml
C:\WINDOWS\SYSTEM32\ftp34.dll
.

((((((((((((((((((((((((( Files Created from 2008-04-27 to 2008-05-27 )))))))))))))))))))))))))))))))
.

2008-05-27 12:24 . 2006-08-21 04:14 128,896 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\fltmgr.sys
2008-05-27 12:24 . 2006-08-21 04:14 23,040 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\fltmc.exe
2008-05-27 12:24 . 2006-08-21 07:21 16,896 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\fltlib.dll
2008-05-23 16:53 . 2007-07-09 08:09 584,192 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\rpcrt4.dll
2008-05-23 16:27 . 2004-08-04 02:56 221,184 --a------ C:\WINDOWS\SYSTEM32\wmpns.dll
2008-05-23 16:26 . 2008-05-23 16:34 316,640 --a------ C:\WINDOWS\WMSysPr9.prx
2008-05-23 16:24 . 2008-05-23 16:24 <DIR> d-------- C:\WINDOWS\provisioning
2008-05-23 16:24 . 2008-05-23 16:25 <DIR> d-------- C:\WINDOWS\peernet
2008-05-23 16:21 . 2008-05-23 16:21 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-05-23 16:14 . 2008-05-23 16:14 <DIR> d-------- C:\WINDOWS\EHome
2008-05-23 16:06 . 2002-04-15 21:11 67,866 --------- C:\WINDOWS\SYSTEM32\DRIVERS\netwlan5.img
2008-05-23 16:06 . 2004-08-04 00:56 11,776 --------- C:\WINDOWS\SYSTEM32\spnpinst.exe
2008-05-23 16:06 . 2004-08-02 14:20 7,208 --------- C:\WINDOWS\SYSTEM32\secupd.sig
2008-05-23 16:06 . 2004-08-02 14:20 4,569 --------- C:\WINDOWS\SYSTEM32\secupd.dat
2008-05-23 14:38 . 2008-05-27 12:34 37 --a------ C:\WINDOWS\win.ini
2008-05-23 14:38 . 2008-05-27 12:41 0 --a------ C:\WINDOWS\system.ini
2008-05-23 13:56 . 2008-05-23 13:56 <DIR> d-------- C:\Documents and Settings\jkeleher\Application Data\Malwarebytes
2008-05-23 13:55 . 2008-05-23 13:56 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-23 13:55 . 2008-05-23 13:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-23 13:55 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamcatchme.sys
2008-05-23 13:55 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-05-23 13:19 . 2008-05-27 12:07 2,206 --a------ C:\WINDOWS\SYSTEM32\wpa.dbl
2008-05-23 13:11 . 2008-05-23 14:04 91,008 --------- C:\WINDOWS\SYSTEM32\mdjpards.dll
2008-05-23 12:38 . 2008-05-23 12:38 <DIR> d-------- C:\WINDOWS\SYSTEM32\New Folder
2008-05-21 17:39 . 2008-05-21 17:44 <DIR> d-------- C:\Documents and Settings\jkeleher\.housecall6.6
2008-05-21 17:21 . 2008-05-21 17:22 <DIR> d-------- C:\Tools
2008-05-21 16:01 . 2008-05-27 12:30 <DIR> d-------- C:\WINDOWS\SYSTEM32\CatRoot2
2008-05-21 12:26 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\SYSTEM32\VCCLSID.exe
2008-05-21 12:26 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2008-05-21 12:26 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\SYSTEM32\WS2Fix.exe
2008-05-21 12:25 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2008-05-21 12:25 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe
2008-05-21 12:04 . 2008-05-21 12:04 <DIR> d-------- C:\Program Files\Alwil Software
2008-05-21 12:04 . 2003-03-18 15:20 1,060,864 --a------ C:\WINDOWS\SYSTEM32\MFC71.dll
2008-05-21 12:04 . 2003-03-18 14:14 499,712 --a------ C:\WINDOWS\SYSTEM32\MSVCP71.dll
2008-05-21 12:04 . 2003-02-20 22:42 348,160 --a------ C:\WINDOWS\SYSTEM32\MSVCR71.dll
2008-05-20 13:15 . 2008-05-20 13:15 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-17 13:03 . 2008-05-17 13:03 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-17 13:03 . 2008-05-20 12:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-17 12:42 . 2008-05-17 12:42 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-17 12:42 . 2008-05-17 12:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-17 12:41 . 2008-05-17 12:41 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-17 12:08 . 2002-08-29 06:00 4,224 --a------ C:\WINDOWS\SYSTEM32\beep.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-14 22:17 --------- d-----w C:\Program Files\Common Files\AOL
2008-05-14 16:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-04-19 16:11 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\SYSTEM32\msjint40.dll
2008-03-27 08:12 151,583 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\win32k.sys
.

((((((((((((((((((((((((((((( snapshot_2008-05-27_12.22.14.90 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-10-14 16:34:52 7,168 ----a-w C:\WINDOWS\$hf_mig$\KB885836\spmsg.dll
+ 2004-10-14 16:36:18 169,984 ----a-w C:\WINDOWS\$hf_mig$\KB885836\spuninst.exe
+ 2004-10-14 16:36:16 21,504 ----a-w C:\WINDOWS\$hf_mig$\KB885836\update\spcustom.dll
+ 2004-10-14 16:34:54 654,848 ----a-w C:\WINDOWS\$hf_mig$\KB885836\update\update.exe
+ 2004-10-13 16:21:24 1,694,208 ----a-w C:\WINDOWS\$hf_mig$\KB887472\SP2QFE\msmsgs.exe
+ 2004-10-14 16:34:52 7,168 ----a-w C:\WINDOWS\$hf_mig$\KB887472\spmsg.dll
+ 2004-10-14 16:36:18 169,984 ----a-w C:\WINDOWS\$hf_mig$\KB887472\spuninst.exe
+ 2004-10-14 16:36:16 21,504 ----a-w C:\WINDOWS\$hf_mig$\KB887472\update\spcustom.dll
+ 2004-10-14 16:34:54 654,848 ----a-w C:\WINDOWS\$hf_mig$\KB887472\update\update.exe
+ 2004-12-07 19:29:19 96,768 ----a-w C:\WINDOWS\$hf_mig$\KB888302\SP2QFE\srvsvc.dll
+ 2004-11-30 19:46:38 7,168 ----a-w C:\WINDOWS\$hf_mig$\KB888302\spmsg.dll
+ 2004-12-01 01:22:42 169,984 ----a-w C:\WINDOWS\$hf_mig$\KB888302\spuninst.exe
+ 2004-12-01 01:22:40 21,504 ----a-w C:\WINDOWS\$hf_mig$\KB888302\update\spcustom.dll
+ 2004-11-30 19:46:40 654,848 ----a-w C:\WINDOWS\$hf_mig$\KB888302\update\update.exe
+ 2005-04-22 05:18:52 57,344 ----a-w C:\WINDOWS\$hf_mig$\KB890046\SP2QFE\agentdpv.dll
+ 2005-05-17 00:26:30 17,920 ----a-w C:\WINDOWS\$hf_mig$\KB890046\SP2QFE\xpsp3res.dll
+ 2005-02-25 01:35:06 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB890046\spmsg.dll
+ 2005-02-25 01:35:06 209,632 ----a-w C:\WINDOWS\$hf_mig$\KB890046\spuninst.exe
+ 2005-02-25 01:35:06 22,240 ----a-w C:\WINDOWS\$hf_mig$\KB890046\update\spcustom.dll
+ 2005-02-25 01:35:06 718,048 ----a-w C:\WINDOWS\$hf_mig$\KB890046\update\update.exe
+ 2005-02-25 01:35:08 371,936 ----a-w C:\WINDOWS\$hf_mig$\KB890046\update\updspapi.dll
+ 2004-11-30 19:46:38 7,168 ----a-w C:\WINDOWS\$hf_mig$\KB891781\spmsg.dll
+ 2004-12-01 01:22:42 169,984 ----a-w C:\WINDOWS\$hf_mig$\KB891781\spuninst.exe
+ 2004-12-01 01:22:40 21,504 ----a-w C:\WINDOWS\$hf_mig$\KB891781\update\spcustom.dll
+ 2004-11-30 19:46:40 654,848 ----a-w C:\WINDOWS\$hf_mig$\KB891781\update\update.exe
+ 2005-07-08 16:28:58 249,344 ----a-w C:\WINDOWS\$hf_mig$\KB893756\SP2QFE\tapisrv.dll
+ 2005-02-25 01:35:06 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB893756\spmsg.dll
+ 2005-02-25 01:35:06 209,632 ----a-w C:\WINDOWS\$hf_mig$\KB893756\spuninst.exe
+ 2005-07-08 00:27:08 30,720 ----a-w C:\WINDOWS\$hf_mig$\KB893756\update\arpidfix.exe
+ 2005-02-25 01:35:06 22,240 ----a-w C:\WINDOWS\$hf_mig$\KB893756\update\spcustom.dll
+ 2005-02-25 01:35:06 718,048 ----a-w C:\WINDOWS\$hf_mig$\KB893756\update\update.exe
+ 2005-02-25 01:35:08 371,936 ----a-w C:\WINDOWS\$hf_mig$\KB893756\update\updspapi.dll
+ 2005-05-26 23:26:50 10,752 ----a-w C:\WINDOWS\$hf_mig$\KB896358\SP2QFE\hh.exe
+ 2005-05-27 02:08:59 41,472 ----a-w C:\WINDOWS\$hf_mig$\KB896358\SP2QFE\hhsetup.dll
+ 2005-05-27 02:08:59 155,136 ----a-w C:\WINDOWS\$hf_mig$\KB896358\SP2QFE\itircl.dll
+ 2005-05-27 02:08:59 137,216 ----a-w C:\WINDOWS\$hf_mig$\KB896358\SP2QFE\itss.dll
+ 2005-02-25 01:35:06 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB896358\spmsg.dll
+ 2005-02-25 01:35:06 209,632 ----a-w C:\WINDOWS\$hf_mig$\KB896358\spuninst.exe
+ 2005-02-25 01:35:06 22,240 ----a-w C:\WINDOWS\$hf_mig$\KB896358\update\spcustom.dll
+ 2005-02-25 01:35:06 718,048 ----a-w C:\WINDOWS\$hf_mig$\KB896358\update\update.exe
+ 2005-02-25 01:35:08 371,936 ----a-w C:\WINDOWS\$hf_mig$\KB896358\update\updspapi.dll
+ 2005-06-11 00:17:13 57,856 ----a-w C:\WINDOWS\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
+ 2005-02-25 01:35:06 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB896423\spmsg.dll
+ 2005-02-25 01:35:06 209,632 ----a-w C:\WINDOWS\$hf_mig$\KB896423\spuninst.exe
+ 2005-06-29 21:54:32 30,720 ----a-w C:\WINDOWS\$hf_mig$\KB896423\update\arpidfix.exe
+ 2005-02-25 01:35:06 22,240 ----a-w C:\WINDOWS\$hf_mig$\KB896423\update\spcustom.dll
+ 2005-02-25 01:35:06 718,048 ----a-w C:\WINDOWS\$hf_mig$\KB896423\update\update.exe
+ 2005-02-25 01:35:08 371,936 ----a-w C:\WINDOWS\$hf_mig$\KB896423\update\updspapi.dll
+ 2005-06-10 04:06:01 139,528 ----a-w C:\WINDOWS\$hf_mig$\KB899591\SP2QFE\rdpwd.sys
+ 2005-02-25 01:35:06 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB899591\spmsg.dll
+ 2005-02-25 01:35:06 209,632 ----a-w C:\WINDOWS\$hf_mig$\KB899591\spuninst.exe
+ 2005-06-29 21:54:32 30,720 ----a-w C:\WINDOWS\$hf_mig$\KB899591\update\arpidfix.exe
+ 2005-02-25 01:35:06 22,240 ----a-w C:\WINDOWS\$hf_mig$\KB899591\update\spcustom.dll
+ 2005-02-25 01:35:06 718,048 ----a-w C:\WINDOWS\$hf_mig$\KB899591\update\update.exe
+ 2005-02-25 01:35:08 371,936 ----a-w C:\WINDOWS\$hf_mig$\KB899591\update\updspapi.dll
+ 2006-02-15 00:30:07 142,464 ----a-w C:\WINDOWS\$hf_mig$\KB900485\SP2QFE\aec.sys
+ 2005-10-12 23:12:25 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB900485\spmsg.dll
+ 2005-10-12 23:12:26 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB900485\spuninst.exe
+ 2005-10-12 23:12:25 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB900485\update\spcustom.dll
+ 2005-10-12 23:12:29 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB900485\update\update.exe
+ 2005-10-12 23:12:34 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB900485\update\updspapi.dll
+ 2005-09-01 01:44:04 19,968 ----a-w C:\WINDOWS\$hf_mig$\KB900725\SP2QFE\linkinfo.dll
+ 2005-09-23 03:18:20 8,452,608 ----a-w C:\WINDOWS\$hf_mig$\KB900725\SP2QFE\shell32.dll
+ 2005-09-02 23:53:41 474,112 ----a-w C:\WINDOWS\$hf_mig$\KB900725\SP2QFE\shlwapi.dll
+ 2005-09-01 01:44:05 291,840 ----a-w C:\WINDOWS\$hf_mig$\KB900725\SP2QFE\winsrv.dll
+ 2005-09-27 00:29:45 21,504 ----a-w C:\WINDOWS\$hf_mig$\KB900725\SP2QFE\xpsp3res.dll
+ 2005-02-25 01:35:06 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB900725\spmsg.dll
+ 2005-02-25 01:35:06 209,632 ----a-w C:\WINDOWS\$hf_mig$\KB900725\spuninst.exe
+ 2005-09-26 22:36:24 30,720 ----a-w C:\WINDOWS\$hf_mig$\KB900725\update\arpidfix.exe
+ 2005-02-25 01:35:06 22,240 ----a-w C:\WINDOWS\$hf_mig$\KB900725\update\spcustom.dll
+ 2005-02-25 01:35:06 718,048 ----a-w C:\WINDOWS\$hf_mig$\KB900725\update\update.exe
+ 2005-02-25 01:35:08 371,936 ----a-w C:\WINDOWS\$hf_mig$\KB900725\update\updspapi.dll
+ 2005-09-10 01:48:47 2,068,480 ----a-w C:\WINDOWS\$hf_mig$\KB901017\SP2QFE\cdosys.dll
+ 2005-02-25 01:35:06 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB901017\spmsg.dll
+ 2005-02-25 01:35:06 209,632 ----a-w C:\WINDOWS\$hf_mig$\KB901017\spuninst.exe
+ 2005-09-09 21:26:26 30,720 ----a-w C:\WINDOWS\$hf_mig$\KB901017\update\arpidfix.exe
+ 2005-02-25 01:35:06 22,240 ----a-w C:\WINDOWS\$hf_mig$\KB901017\update\spcustom.dll
+ 2005-02-25 01:35:06 718,048 ----a-w C:\WINDOWS\$hf_mig$\KB901017\update\update.exe
+ 2005-02-25 01:35:08 371,936 ----a-w C:\WINDOWS\$hf_mig$\KB901017\update\updspapi.dll
+ 2005-06-29 01:49:55 254,976 ----a-w C:\WINDOWS\$hf_mig$\KB901214\SP2QFE\icm32.dll
+ 2005-06-29 01:49:55 73,728 ----a-w C:\WINDOWS\$hf_mig$\KB901214\SP2QFE\mscms.dll
+ 2005-02-25 01:35:06 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB901214\spmsg.dll
+ 2005-02-25 01:35:06 209,632 ----a-w C:\WINDOWS\$hf_mig$\KB901214\spuninst.exe
+ 2005-02-25 01:35:06 22,240 ----a-w C:\WINDOWS\$hf_mig$\KB901214\update\spcustom.dll
+ 2005-02-25 01:35:06 718,048 ----a-w C:\WINDOWS\$hf_mig$\KB901214\update\update.exe
+ 2005-02-25 01:35:08 371,936 ----a-w C:\WINDOWS\$hf_mig$\KB901214\update\updspapi.dll
+ 2005-07-26 04:20:23 225,792 ----a-w C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\catsrv.dll
+ 2005-07-26 04:20:23 625,152 ----a-w C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\catsrvut.dll
+ 2005-07-26 04:20:23 110,080 ----a-w C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\clbcatex.dll
+ 2005-07-26 04:20:24 498,688 ----a-w C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\clbcatq.dll
+ 2005-07-26 04:20:24 60,416 ----a-w C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\colbact.dll
+ 2005-07-26 04:20:24 195,072 ----a-w C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\comadmin.dll
+ 2005-07-26 04:20:25 97,792 ----a-w C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\comrepl.dll
+ 2005-07-26 04:20:27 1,267,200 ----a-w C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\comsvcs.dll
+ 2005-07-26 04:20:28 540,160 ----a-w C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\comuid.dll
+ 2005-07-26 04:20:28 243,200 ----a-w C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\es.dll
+ 2005-07-25 23:42:35 8,704 ----a-w C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\migregdb.exe
+ 2005-07-26 04:20:29 425,472 ----a-w C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\msdtcprx.dll
+ 2005-07-26 04:20:31 945,152 ----a-w C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\msdtctm.dll
+ 2005-07-26 04:20:31 161,280 ----a-w C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\msdtcuiu.dll
+ 2005-07-26 04:20:39 66,560 ----a-w C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\mtxclu.dll
+ 2005-07-26 04:20:40 91,136 ----a-w C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\mtxoci.dll
+ 2005-07-26 04:20:40 1,285,632 ----a-w C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\ole32.dll
+ 2005-07-26 04:20:40 74,752 ----a-w C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\olecli32.dll
+ 2005-07-26 04:20:40 37,376 ----a-w C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\olecnv32.dll
+ 2005-07-26 04:20:40 398,336 ----a-w C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\rpcss.dll
+ 2005-07-26 04:20:40 101,376 ----a-w C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\txflog.dll
+ 2005-07-26 04:20:40 11,776 ----a-w C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\xolehlp.dll
+ 2005-02-25 01:35:06 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB902400\spmsg.dll
+ 2005-02-25 01:35:06 209,632 ----a-w C:\WINDOWS\$hf_mig$\KB902400\spuninst.exe
+ 2005-07-26 00:21:18 30,720 ----a-w C:\WINDOWS\$hf_mig$\KB902400\update\arpidfix.exe
+ 2005-02-25 01:35:06 22,240 ----a-w C:\WINDOWS\$hf_mig$\KB902400\update\spcustom.dll
+ 2005-02-25 01:35:06 718,048 ----a-w C:\WINDOWS\$hf_mig$\KB902400\update\update.exe
+ 2005-02-25 01:35:08 371,936 ----a-w C:\WINDOWS\$hf_mig$\KB902400\update\updspapi.dll
+ 2005-08-22 18:24:55 197,632 ----a-w C:\WINDOWS\$hf_mig$\KB905414\SP2QFE\netman.dll
+ 2005-02-25 03:35:05 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB905414\spmsg.dll
+ 2005-02-25 03:35:05 209,632 ----a-w C:\WINDOWS\$hf_mig$\KB905414\spuninst.exe
+ 2005-08-19 23:50:31 30,720 ----a-w C:\WINDOWS\$hf_mig$\KB905414\update\arpidfix.exe
+ 2005-02-25 03:35:05 22,240 ----a-w C:\WINDOWS\$hf_mig$\KB905414\update\spcustom.dll
+ 2005-02-25 03:35:05 718,048 ----a-w C:\WINDOWS\$hf_mig$\KB905414\update\update.exe
+ 2005-02-25 03:35:06 371,936 ----a-w C:\WINDOWS\$hf_mig$\KB905414\update\updspapi.dll
+ 2006-06-22 10:36:52 180,736 ----a-w C:\WINDOWS\$hf_mig$\KB911280\SP2QFE\rasmans.dll
+ 2005-10-12 23:12:25 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB911280\spmsg.dll
+ 2005-10-12 23:12:26 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB911280\spuninst.exe
+ 2005-10-12 23:12:25 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB911280\update\spcustom.dll
+ 2005-10-12 23:12:29 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB911280\update\update.exe
+ 2005-10-12 23:12:34 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB911280\update\updspapi.dll
+ 2006-03-23 05:53:08 143,360 ----a-w C:\WINDOWS\$hf_mig$\KB911562\SP2QFE\msadco.dll
+ 2005-10-12 23:12:25 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB911562\spmsg.dll
+ 2005-10-12 23:12:26 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB911562\spuninst.exe
+ 2005-10-12 23:12:25 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB911562\update\spcustom.dll
+ 2005-10-12 23:12:29 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB911562\update\update.exe
+ 2005-10-12 23:12:34 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB911562\update\updspapi.dll
+ 2006-01-04 04:18:34 68,096 ----a-w C:\WINDOWS\$hf_mig$\KB911927\SP2QFE\webclnt.dll
+ 2005-10-12 23:12:25 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB911927\spmsg.dll
+ 2005-10-12 23:12:26 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB911927\spuninst.exe
+ 2005-10-12 23:12:25 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB911927\update\spcustom.dll
+ 2005-10-12 23:12:29 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB911927\update\update.exe
+ 2005-10-12 23:12:34 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB911927\update\updspapi.dll
+ 2006-05-19 13:46:40 112,128 ----a-w C:\WINDOWS\$hf_mig$\KB914388\SP2QFE\dhcpcsvc.dll
+ 2006-05-19 13:46:40 147,456 ----a-w C:\WINDOWS\$hf_mig$\KB914388\SP2QFE\dnsapi.dll
+ 2006-05-19 13:46:40 94,720 ----a-w C:\WINDOWS\$hf_mig$\KB914388\SP2QFE\iphlpapi.dll
+ 2005-10-12 23:12:25 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB914388\spmsg.dll
+ 2005-10-12 23:12:26 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB914388\spuninst.exe
+ 2005-10-12 23:12:25 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB914388\update\spcustom.dll
+ 2005-10-12 23:12:29 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB914388\update\update.exe
+ 2005-10-12 23:12:34 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB914388\update\updspapi.dll
+ 2006-03-17 01:08:10 262,656 ----a-w C:\WINDOWS\$hf_mig$\KB916595\SP2QFE\http.sys
+ 2005-10-12 23:16:49 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB916595\spmsg.dll
+ 2005-10-12 23:16:49 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB916595\spuninst.exe
+ 2005-10-12 23:16:49 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB916595\update\spcustom.dll
+ 2005-10-12 23:16:51 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB916595\update\update.exe
+ 2005-10-12 23:16:56 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB916595\update\updspapi.dll
+ 2006-06-01 19:39:42 163,840 ----a-w C:\WINDOWS\$hf_mig$\KB918439\SP2QFE\jgdw400.dll
+ 2006-06-01 19:39:42 27,648 ----a-w C:\WINDOWS\$hf_mig$\KB918439\SP2QFE\jgpl400.dll
+ 2005-10-12 23:12:25 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB918439\spmsg.dll
+ 2005-10-12 23:12:26 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB918439\spuninst.exe
+ 2005-10-12 23:12:25 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB918439\update\spcustom.dll
+ 2005-10-12 23:12:29 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB918439\update\update.exe
+ 2005-10-12 23:12:34 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB918439\update\updspapi.dll
+ 2006-07-13 11:43:08 202,496 ----a-w C:\WINDOWS\$hf_mig$\KB919007\SP2QFE\rmcast.sys
+ 2005-10-12 23:12:25 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB919007\spmsg.dll
+ 2005-10-12 23:12:26 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB919007\spuninst.exe
+ 2005-10-12 23:12:25 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB919007\update\spcustom.dll
+ 2005-10-12 23:12:29 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB919007\update\update.exe
+ 2005-10-12 23:12:34 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB919007\update\updspapi.dll
+ 2006-07-21 08:26:49 72,704 ----a-w C:\WINDOWS\$hf_mig$\KB920670\SP2QFE\hlink.dll
+ 2005-10-12 23:16:49 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB920670\spmsg.dll
+ 2005-10-12 23:16:49 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB920670\spuninst.exe
+ 2005-10-12 23:16:49 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB920670\update\spcustom.dll
+ 2005-10-12 23:16:51 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB920670\update\update.exe
+ 2005-10-12 23:16:56 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB920670\update\updspapi.dll
+ 2006-06-22 05:22:04 69,120 ----a-w C:\WINDOWS\$hf_mig$\KB920685\SP2QFE\ciodm.dll
+ 2006-06-22 05:22:05 1,435,648 ----a-w C:\WINDOWS\$hf_mig$\KB920685\SP2QFE\query.dll
+ 2005-10-12 23:12:25 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB920685\spmsg.dll
+ 2005-10-12 23:12:26 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB920685\spuninst.exe
+ 2005-10-12 23:12:25 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB920685\update\spcustom.dll
+ 2005-10-12 23:12:29 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB920685\update\update.exe
+ 2005-10-12 23:12:34 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB920685\update\updspapi.dll
+ 2006-06-14 08:50:19 172,416 ----a-w C:\WINDOWS\$hf_mig$\KB920872\SP2QFE\kmixer.sys
+ 2006-06-14 08:50:19 6,272 ----a-w C:\WINDOWS\$hf_mig$\KB920872\SP2QFE\splitter.sys
+ 2006-06-14 09:17:04 82,944 ----a-w C:\WINDOWS\$hf_mig$\KB920872\SP2QFE\wdmaud.sys
+ 2005-10-12 23:12:25 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB920872\spmsg.dll
+ 2005-10-12 23:12:26 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB920872\spuninst.exe
+ 2005-10-12 23:12:25 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB920872\update\spcustom.dll
+ 2005-10-12 23:12:29 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB920872\update\update.exe
+ 2005-10-12 23:12:34 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB920872\update\updspapi.dll
+ 2006-08-14 12:00:42 332,928 ----a-w C:\WINDOWS\$hf_mig$\KB923414\SP2QFE\srv.sys
+ 2005-10-12 23:16:49 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB923414\spmsg.dll
+ 2005-10-12 23:16:49 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB923414\spuninst.exe
+ 2005-10-12 23:16:49 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB923414\update\spcustom.dll
+ 2005-10-12 23:16:51 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB923414\update\update.exe
+ 2005-10-12 23:16:56 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB923414\update\updspapi.dll
+ 2006-08-17 12:37:49 726,528 ----a-w C:\WINDOWS\$hf_mig$\KB924270\SP2QFE\lsasrv.dll
+ 2006-08-17 12:37:49 337,408 ----a-w C:\WINDOWS\$hf_mig$\KB924270\SP2QFE\netapi32.dll
+ 2006-08-17 12:37:49 132,096 ----a-w C:\WINDOWS\$hf_mig$\KB924270\SP2QFE\wkssvc.dll
+ 2005-10-12 23:12:25 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB924270\spmsg.dll
+ 2005-10-12 23:12:26 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB924270\spuninst.exe
+ 2005-10-12 23:12:25 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB924270\update\spcustom.dll
+ 2005-10-12 23:12:29 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB924270\update\update.exe
+ 2005-10-12 23:12:34 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB924270\update\updspapi.dll
+ 2006-09-04 06:12:56 1,497,088 ----a-w C:\WINDOWS\$hf_mig$\KB924496\SP2QFE\shdocvw.dll
+ 2005-10-12 23:12:25 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB924496\spmsg.dll
+ 2005-10-12 23:12:26 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB924496\spuninst.exe
+ 2005-10-12 23:12:25 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB924496\update\spcustom.dll
+ 2005-10-12 23:12:29 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB924496\update\update.exe
+ 2005-10-12 23:12:34 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB924496\update\updspapi.dll
+ 2007-03-08 15:48:36 282,112 ----a-w C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\gdi32.dll
+ 2007-03-08 15:48:36 40,960 ----a-w C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\mf3216.dll
+ 2007-03-08 15:48:36 578,048 ----a-w C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll
+ 2007-03-08 13:49:49 1,843,968 ----a-w C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\win32k.sys
+ 2006-01-19 19:29:19 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB925902\spmsg.dll
+ 2006-01-19 19:29:19 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB925902\spuninst.exe
+ 2006-01-19 19:29:19 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB925902\update\spcustom.dll
+ 2006-01-19 19:29:19 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB925902\update\update.exe
+ 2006-01-19 19:29:19 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB925902\update\updspapi.dll
+ 2006-10-19 13:59:58 713,216 ----a-w C:\WINDOWS\$hf_mig$\KB926255\SP2QFE\sxs.dll
+ 2005-10-12 23:12:25 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB926255\spmsg.dll
+ 2005-10-12 23:12:26 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB926255\spuninst.exe
+ 2005-10-12 23:12:25 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB926255\update\spcustom.dll
+ 2005-10-12 23:12:29 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB926255\update\update.exe
+ 2005-10-12 23:12:34 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB926255\update\updspapi.dll
+ 2006-12-19 21:50:10 8,458,752 ----a-w C:\WINDOWS\$hf_mig$\KB928255\SP2QFE\shell32.dll
+ 2006-12-19 21:50:10 135,168 ----a-w C:\WINDOWS\$hf_mig$\KB928255\SP2QFE\shsvcs.dll
+ 2006-12-19 16:10:56 248,320 ----a-w C:\WINDOWS\$hf_mig$\KB928255\SP2QFE\xpsp3res.dll
+ 2006-01-19 19:29:19 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB928255\spmsg.dll
+ 2006-01-19 19:29:19 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB928255\spuninst.exe
+ 2006-01-19 19:29:19 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB928255\update\spcustom.dll
+ 2006-01-19 19:29:19 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB928255\update\update.exe
+ 2006-01-19 19:29:19 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB928255\update\updspapi.dll
+ 2007-05-16 15:32:55 86,528 ----a-w C:\WINDOWS\$hf_mig$\KB929123\SP2QFE\directdb.dll
+ 2007-05-16 15:32:55 683,520 ----a-w C:\WINDOWS\$hf_mig$\KB929123\SP2QFE\inetcomm.dll
+ 2007-05-16 15:32:56 1,314,816 ----a-w C:\WINDOWS\$hf_mig$\KB929123\SP2QFE\msoe.dll
+ 2007-05-16 15:32:56 510,976 ----a-w C:\WINDOWS\$hf_mig$\KB929123\SP2QFE\wab32.dll
+ 2007-05-16 15:32:56 85,504 ----a-w C:\WINDOWS\$hf_mig$\KB929123\SP2QFE\wabimp.dll
+ 2006-01-19 19:29:19 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB929123\spmsg.dll
+ 2006-01-19 19:29:19 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB929123\spuninst.exe
+ 2006-01-19 19:29:19 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB929123\update\spcustom.dll
+ 2006-01-19 19:29:19 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB929123\update\update.exe
+ 2006-01-19 19:29:19 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB929123\update\updspapi.dll
+ 2007-02-09 11:23:36 574,976 ----a-w C:\WINDOWS\$hf_mig$\KB930916\SP2QFE\ntfs.sys
+ 2005-10-12 23:12:25 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB930916\spmsg.dll
+ 2005-10-12 23:12:26 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB930916\spuninst.exe
+ 2005-10-12 23:12:25 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB930916\update\spcustom.dll
+ 2005-10-12 23:12:29 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB930916\update\update.exe
+ 2005-10-12 23:12:34 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB930916\update\updspapi.dll
+ 2007-02-05 20:19:14 185,344 ----a-w C:\WINDOWS\$hf_mig$\KB931261\SP2QFE\upnphost.dll
+ 2006-01-19 19:29:19 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB931261\spmsg.dll
+ 2006-01-19 19:29:19 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB931261\spuninst.exe
+ 2006-01-19 19:29:19 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB931261\update\spcustom.dll
+ 2006-01-19 19:29:19 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB931261\update\update.exe
+ 2006-01-19 19:29:19 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB931261\update\updspapi.dll
+ 2007-02-28 09:53:04 2,137,600 ----a-w C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntkrnlmp.exe
+ 2007-02-28 09:15:56 2,059,392 ----a-w C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe
+ 2007-02-28 09:15:59 2,017,280 ----a-w C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntkrpamp.exe
+ 2007-02-28 09:55:14 2,182,144 ----a-w C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe
+ 2005-10-12 23:12:25 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB931784\spmsg.dll
+ 2005-10-12 23:12:26 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB931784\spuninst.exe
+ 2005-10-12 23:12:25 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB931784\update\spcustom.dll
+ 2005-10-12 23:12:29 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB931784\update\update.exe
+ 2005-10-12 23:12:34 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB931784\update\updspapi.dll
+ 2007-03-09 13:58:57 57,344 ----a-w C:\WINDOWS\$hf_mig$\KB932168\SP2QFE\agentdpv.dll
+ 2007-03-09 11:28:00 248,320 ----a-w C:\WINDOWS\$hf_mig$\KB932168\SP2QFE\xpsp3res.dll
+ 2006-01-19 19:29:19 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB932168\spmsg.dll
+ 2006-01-19 19:29:19 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB932168\spuninst.exe
+ 2006-01-19 19:29:19 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB932168\update\spcustom.dll
+ 2006-01-19 19:29:19 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB932168\update\update.exe
+ 2006-01-19 19:29:19 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB932168\update\updspapi.dll
+ 2007-07-18 10:33:06 60,416 ----a-w C:\WINDOWS\$hf_mig$\KB933360\SP2QFE\tzchange.exe
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB933360\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB933360\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB933360\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB933360\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB933360\update\updspapi.dll
+ 2007-04-25 20:32:22 144,896 ----a-w C:\WINDOWS\$hf_mig$\KB935840\SP2QFE\schannel.dll
+ 2006-01-19 19:29:19 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB935840\spmsg.dll
+ 2006-01-19 19:29:19 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB935840\spuninst.exe
+ 2006-01-19 19:29:19 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB935840\update\spcustom.dll
+ 2006-01-19 19:29:19 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB935840\update\update.exe
+ 2006-01-19 19:29:19 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB935840\update\updspapi.dll
+ 2007-04-23 10:14:23 364,160 ----a-w C:\WINDOWS\$hf_mig$\KB936357\SP2QFE\update.sys
+ 2006-01-19 19:29:19 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB936357\spmsg.dll
+ 2006-01-19 19:29:19 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB936357\spuninst.exe
+ 2006-01-19 19:29:19 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB936357\update\spcustom.dll
+ 2006-01-19 19:29:19 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB936357\update\update.exe
+ 2006-01-19 19:29:19 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB936357\update\updspapi.dll
+ 2007-07-06 09:52:38 72,960 ----a-w C:\WINDOWS\$hf_mig$\KB937894\SP2QFE\mqac.sys
+ 2007-07-06 13:08:11 138,240 ----a-w C:\WINDOWS\$hf_mig$\KB937894\SP2QFE\mqad.dll
+ 2007-07-06 13:08:11 47,104 ----a-w C:\WINDOWS\$hf_mig$\KB937894\SP2QFE\mqdscli.dll
+ 2007-07-06 13:08:11 16,896 ----a-w C:\WINDOWS\$hf_mig$\KB937894\SP2QFE\mqise.dll
+ 2007-07-06 13:08:11 660,992 ----a-w C:\WINDOWS\$hf_mig$\KB937894\SP2QFE\mqqm.dll
+ 2007-07-06 13:08:11 177,152 ----a-w C:\WINDOWS\$hf_mig$\KB937894\SP2QFE\mqrt.dll
+ 2007-07-06 13:08:11 95,744 ----a-w C:\WINDOWS\$hf_mig$\KB937894\SP2QFE\mqsec.dll
+ 2007-07-06 13:08:11 48,640 ----a-w C:\WINDOWS\$hf_mig$\KB937894\SP2QFE\mqupgrd.dll
+ 2007-07-06 13:08:11 471,552 ----a-w C:\WINDOWS\$hf_mig$\KB937894\SP2QFE\mqutil.dll
+ 2005-10-12 23:12:25 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB937894\spmsg.dll
+ 2005-10-12 23:12:26 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB937894\spuninst.exe
+ 2005-10-12 23:12:25 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB937894\update\spcustom.dll
+ 2005-10-12 23:12:29 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB937894\update\update.exe
+ 2005-10-12 23:12:34 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB937894\update\updspapi.dll
+ 2007-06-26 15:16:01 851,968 ----a-w C:\WINDOWS\$hf_mig$\KB938127\SP2QFE\vgx.dll
+ 2005-10-12 23:12:25 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB938127\spmsg.dll
+ 2005-10-12 23:12:26 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB938127\spuninst.exe
+ 2005-10-12 23:12:25 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB938127\update\spcustom.dll
+ 2005-10-12 23:12:29 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB938127\update\update.exe
+ 2005-10-12 23:12:34 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB938127\update\updspapi.dll
+ 2007-06-13 11:26:03 1,033,216 ----a-w C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
+ 2005-10-12 23:12:25 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB938828\spmsg.dll
+ 2005-10-12 23:12:26 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB938828\spuninst.exe
+ 2005-10-12 23:12:25 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB938828\update\spcustom.dll
+ 2005-10-12 23:12:29 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB938828\update\update.exe
+ 2005-10-12 23:12:34 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB938828\update\updspapi.dll
+ 2007-08-21 06:25:02 683,520 ----a-w C:\WINDOWS\$hf_mig$\KB941202\SP2QFE\inetcomm.dll
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB941202\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB941202\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB941202\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB941202\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB941202\update\updspapi.dll
+ 2007-10-29 22:35:13 1,287,680 ----a-w C:\WINDOWS\$hf_mig$\KB941568\SP2QFE\quartz.dll
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB941568\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB941568\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB941568\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB941568\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB941568\update\updspapi.dll
+ 2007-10-30 16:53:32 360,832 ----a-w C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB941644\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB941644\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB941644\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB941644\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB941644\update\updspapi.dll
+ 2008-03-19 09:40:27 1,845,888 ----a-w C:\WINDOWS\$hf_mig$\KB941693\SP2QFE\win32k.sys
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB941693\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB941693\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB941693\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB941693\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB941693\update\updspapi.dll
+ 2008-02-20 05:19:35 147,968 ----a-w C:\WINDOWS\$hf_mig$\KB945553\SP2QFE\dnsapi.dll
+ 2008-02-20 18:49:36 45,568 ----a-w C:\WINDOWS\$hf_mig$\KB945553\SP2QFE\dnsrslvr.dll
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB945553\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB945553\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB945553\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB945553\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB945553\update\updspapi.dll
+ 2007-12-18 09:38:59 179,712 ----a-w C:\WINDOWS\$hf_mig$\KB946026\SP2QFE\mrxdav.sys
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB946026\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB946026\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB946026\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB946026\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB946026\update\updspapi.dll
+ 2008-02-16 09:32:03 1,024,000 ----a-w C:\WINDOWS\$hf_mig$\KB947864\SP2QFE\browseui.dll
+ 2008-02-16 09:32:03 151,040 ----a-w C:\WINDOWS\$hf_mig$\KB947864\SP2QFE\cdfview.dll
+ 2008-02-16 09:32:03 1,054,208 ----a-w C:\WINDOWS\$hf_mig$\KB947864\SP2QFE\danim.dll
+ 2008-02-16 09:32:04 357,888 ----a-w C:\WINDOWS\$hf_mig$\KB947864\SP2QFE\dxtmsft.dll
+ 2008-02-16 09:32:04 205,312 ----a-w C:\WINDOWS\$hf_mig$\KB947864\SP2QFE\dxtrans.dll
+ 2008-02-16 09:32:04 55,808 ----a-w C:\WINDOWS\$hf_mig$\KB947864\SP2QFE\extmgr.dll
+ 2008-02-15 09:07:53 18,432 ----a-w C:\WINDOWS\$hf_mig$\KB947864\SP2QFE\iedw.exe
+ 2008-02-16 09:32:04 251,904 ----a-w C:\WINDOWS\$hf_mig$\KB947864\SP2QFE\iepeers.dll
+ 2008-02-16 09:32:04 96,256 ----a-w C:\WINDOWS\$hf_mig$\KB947864\SP2QFE\inseng.dll
+ 2008-02-16 09:32:04 16,384 ----a-w C:\WINDOWS\$hf_mig$\KB947864\SP2QFE\jsproxy.dll
+ 2008-02-16 09:32:06 3,066,880 ----a-w C:\WINDOWS\$hf_mig$\KB947864\SP2QFE\mshtml.dll
+ 2008-02-16 09:32:06 449,024 ----a-w C:\WINDOWS\$hf_mig$\KB947864\SP2QFE\mshtmled.dll
+ 2008-02-16 09:32:06 146,432 ----a-w C:\WINDOWS\$hf_mig$\KB947864\SP2QFE\msrating.dll
+ 2008-02-16 09:32:07 532,480 ----a-w C:\WINDOWS\$hf_mig$\KB947864\SP2QFE\mstime.dll
+ 2008-02-16 09:32:07 39,424 ----a-w C:\WINDOWS\$hf_mig$\KB947864\SP2QFE\pngfilt.dll
+ 2008-02-16 09:32:08 1,499,136 ----a-w C:\WINDOWS\$hf_mig$\KB947864\SP2QFE\shdocvw.dll
+ 2008-02-16 09:32:08 474,112 ----a-w C:\WINDOWS\$hf_mig$\KB947864\SP2QFE\shlwapi.dll
+ 2008-02-16 09:32:08 618,496 ----a-w C:\WINDOWS\$hf_mig$\KB947864\SP2QFE\urlmon.dll
+ 2008-02-16 09:32:09 666,112 ----a-w C:\WINDOWS\$hf_mig$\KB947864\SP2QFE\wininet.dll
+ 2008-02-15 09:06:21 351,744 ----a-w C:\WINDOWS\$hf_mig$\KB947864\SP2QFE\xpsp3res.dll
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB947864\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB947864\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB947864\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB947864\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB947864\update\updspapi.dll
+ 2008-02-20 06:52:43 282,624 ----a-w C:\WINDOWS\$hf_mig$\KB948590\SP2QFE\gdi32.dll
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB948590\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB948590\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB948590\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB948590\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB948590\update\updspapi.dll
+ 2006-02-15 00:22:26 142,464 ------w C:\WINDOWS\Driver Cache\I386\aec.sys
+ 2006-03-17 00:33:10 262,784 ------w C:\WINDOWS\Driver Cache\I386\http.sys
+ 2006-06-14 08:47:45 172,416 ------w C:\WINDOWS\Driver Cache\I386\kmixer.sys
- 2005-03-02 00:57:44 2,135,552 ------w C:\WINDOWS\Driver Cache\I386\ntkrnlmp.exe
+ 2007-02-28 09:08:48 2,136,064 ------w C:\WINDOWS\Driver Cache\I386\ntkrnlmp.exe
- 2005-03-02 00:34:40 2,056,832 ------w C:\WINDOWS\Driver Cache\I386\ntkrnlpa.exe
+ 2007-02-28 08:38:55 2,057,600 ------w C:\WINDOWS\Driver Cache\I386\ntkrnlpa.exe
- 2005-03-02 00:34:42 2,015,232 ------w C:\WINDOWS\Driver Cache\I386\ntkrpamp.exe
+ 2007-02-28 08:38:57 2,015,744 ------w C:\WINDOWS\Driver Cache\I386\ntkrpamp.exe
- 2005-03-02 00:59:53 2,179,328 ------w C:\WINDOWS\Driver Cache\I386\ntoskrnl.exe
+ 2007-02-28 09:10:57 2,180,352 ------w C:\WINDOWS\Driver Cache\I386\ntoskrnl.exe
+ 2006-06-14 08:47:46 6,400 ------w C:\WINDOWS\Driver Cache\I386\splitter.sys
+ 2006-06-14 09:00:45 82,944 ------w C:\WINDOWS\Driver Cache\I386\wdmaud.sys
- 2004-08-04 07:56:49 1,032,192 ----a-w C:\WINDOWS\explorer.exe
+ 2007-06-13 10:23:07 1,033,216 ----a-w C:\WINDOWS\explorer.exe
- 2001-12-07 15:32:04 1,081,344 ------w C:\WINDOWS\Help\SBSI\Training\orun32.exe
+ 2006-08-21 20:57:14 1,077,321 ------w C:\WINDOWS\Help\SBSI\Training\orun32.exe
- 2004-08-04 07:56:50 10,752 ----a-w C:\WINDOWS\hh.exe
+ 2005-05-26 23:22:01 10,752 ----a-w C:\WINDOWS\hh.exe
- 2004-08-04 07:56:41 58,880 ----a-w C:\WINDOWS\MSAGENT\agentdpv.dll
+ 2007-03-09 13:46:24 57,344 ----a-w C:\WINDOWS\MSAGENT\agentdpv.dll
- 2004-08-04 07:56:41 56,832 ------w C:\WINDOWS\SYSTEM32\authz.dll
+ 2005-03-02 18:09:29 56,832 ----a-w C:\WINDOWS\SYSTEM32\authz.dll
- 2004-08-04 07:56:41 1,016,832 ----a-w C:\WINDOWS\SYSTEM32\browseui.dll
+ 2008-02-16 08:59:34 1,023,488 ----a-w C:\WINDOWS\SYSTEM32\browseui.dll
- 2004-08-04 07:56:41 229,888 ----a-w C:\WINDOWS\SYSTEM32\catsrv.dll
+ 2005-07-26 04:39:42 225,792 ----a-w C:\WINDOWS\SYSTEM32\catsrv.dll
- 2004-08-04 07:56:41 628,224 ----a-w C:\WINDOWS\SYSTEM32\catsrvut.dll
+ 2005-07-26 04:39:43 625,152 ----a-w C:\WINDOWS\SYSTEM32\catsrvut.dll
- 2004-08-04 07:56:41 150,528 ----a-w C:\WINDOWS\SYSTEM32\cdfview.dll
+ 2008-02-16 08:59:35 151,040 ----a-w C:\WINDOWS\SYSTEM32\cdfview.dll
- 2004-08-04 07:56:41 2,067,968 ----a-w C:\WINDOWS\SYSTEM32\cdosys.dll
+ 2005-09-10 01:53:41 2,067,968 ----a-w C:\WINDOWS\SYSTEM32\cdosys.dll
- 2004-08-04 07:56:41 69,120 ----a-w C:\WINDOWS\SYSTEM32\ciodm.dll
+ 2006-06-22 05:06:29 69,120 ----a-w C:\WINDOWS\SYSTEM32\ciodm.dll
- 2004-08-04 07:56:41 110,080 ----a-w C:\WINDOWS\SYSTEM32\clbcatex.dll
+ 2005-07-26 04:39:43 110,080 ----a-w C:\WINDOWS\SYSTEM32\clbcatex.dll
- 2004-08-04 07:56:41 501,248 ----a-w C:\WINDOWS\SYSTEM32\clbcatq.dll
+ 2005-07-26 04:39:43 498,688 ----a-w C:\WINDOWS\SYSTEM32\clbcatq.dll
- 2004-08-04 07:56:41 62,464 ----a-w C:\WINDOWS\SYSTEM32\colbact.dll
+ 2005-07-26 04:39:43 60,416 ----a-w C:\WINDOWS\SYSTEM32\colbact.dll
- 2004-08-04 07:56:41 195,584 ----a-w C:\WINDOWS\SYSTEM32\Com\comadmin.dll
+ 2005-07-26 04:39:44 195,072 ----a-w C:\WINDOWS\SYSTEM32\Com\comadmin.dll
- 2004-08-04 07:56:41 611,328 ----a-w C:\WINDOWS\SYSTEM32\comctl32.dll
+ 2006-08-25 15:45:58 617,472 ----a-w C:\WINDOWS\SYSTEM32\comctl32.dll
- 2002-08-29 11:00:00 82,432 ----a-w C:\WINDOWS\SYSTEM32\COMREPL.DLL
+ 2005-07-26 04:39:44 97,792 ----a-w C:\WINDOWS\SYSTEM32\comrepl.dll
- 2004-08-04 07:56:41 1,251,840 ----a-w C:\WINDOWS\SYSTEM32\comsvcs.dll
+ 2005-07-26 04:39:44 1,267,200 ----a-w C:\WINDOWS\SYSTEM32\comsvcs.dll
- 2004-08-04 07:56:41 540,160 ----a-w C:\WINDOWS\SYSTEM32\comuid.dll
+ 2005-07-26 04:39:45 540,160 ----a-w C:\WINDOWS\SYSTEM32\comuid.dll
- 2004-08-04 07:56:41 1,053,696 ----a-w C:\WINDOWS\SYSTEM32\danim.dll
+ 2008-02-16 08:59:35 1,054,208 ----a-w C:\WINDOWS\SYSTEM32\danim.dll
- 2004-08-04 07:56:42 111,104 ----a-w C:\WINDOWS\SYSTEM32\dhcpcsvc.dll
+ 2006-05-19 12:59:41 111,616 ----a-w C:\WINDOWS\SYSTEM32\dhcpcsvc.dll
+ 2007-03-09 13:46:24 57,344 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\agentdpv.dll
+ 2008-02-16 08:59:34 1,023,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\browseui.dll
+ 2008-02-16 08:59:35 151,040 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\cdfview.dll
+ 2006-06-22 05:06:29 69,120 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ciodm.dll
+ 2006-08-25 15:45:58 617,472 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\comctl32.dll
+ 2008-02-16 08:59:35 1,054,208 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\danim.dll
+ 2006-05-19 12:59:41 111,616 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dhcpcsvc.dll
+ 2007-05-16 15:12:00 86,528 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\directdb.dll
- 2006-06-26 17:37:10 148,480 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsapi.dll
+ 2008-02-20 05:32:43 148,992 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsapi.dll
+ 2008-02-20 05:32:43 45,568 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsrslvr.dll
+ 2006-08-22 09:05:26 498,742 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dxmasf.dll
+ 2008-02-16 08:59:35 357,888 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtmsft.dll
+ 2008-02-16 08:59:35 205,312 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtrans.dll
+ 2007-06-13 10:23:07 1,033,216 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\explorer.exe
+ 2008-02-16 08:59:35 55,808 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\extmgr.dll
+ 2008-02-20 06:51:05 282,624 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\gdi32.dll
+ 2006-07-21 08:24:43 72,704 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\hlink.dll
+ 2008-02-15 09:23:37 18,432 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iedw.exe
+ 2008-02-16 08:59:35 251,392 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iepeers.dll
+ 2007-08-21 06:15:44 683,520 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\inetcomm.dll
+ 2008-02-16 08:59:35 96,256 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\inseng.dll
+ 2006-05-19 12:59:41 94,720 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iphlpapi.dll
+ 2006-06-01 18:47:07 163,840 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\jgdw400.dll
+ 2006-06-01 18:47:07 27,648 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\jgpl400.dll
+ 2008-02-16 08:59:35 16,384 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\jsproxy.dll
+ 2006-06-14 08:47:45 172,416 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\kmixer.sys
+ 2006-08-17 12:28:27 721,920 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\lsasrv.dll
+ 2007-03-08 15:36:28 40,960 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mf3216.dll
+ 2007-07-06 10:05:47 72,960 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mqac.sys
+ 2007-07-06 12:46:59 138,240 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mqad.dll
+ 2007-07-06 12:46:59 47,104 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mqdscli.dll
+ 2007-07-06 12:46:59 16,896 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mqise.dll
+ 2007-07-06 12:46:59 660,992 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mqqm.dll
+ 2007-07-06 12:46:59 177,152 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mqrt.dll
+ 2007-07-06 12:46:59 95,744 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mqsec.dll
+ 2007-07-06 12:46:59 48,640 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mqupgrd.dll
+ 2007-07-06 12:46:59 471,552 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mqutil.dll
+ 2007-12-18 09:51:35 179,584 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mrxdav.sys
+ 2008-02-16 22:29:38 3,059,712 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
+ 2008-02-16 08:59:37 449,024 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtmled.dll
+ 2007-05-16 15:12:08 1,314,816 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msoe.dll
+ 2008-02-16 08:59:37 146,432 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msrating.dll
+ 2008-02-16 08:59:37 532,480 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mstime.dll
+ 2006-08-17 12:28:27 332,288 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\netapi32.dll
+ 2007-02-09 11:10:35 574,464 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ntfs.sys
+ 2007-02-28 09:08:48 2,136,064 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ntkrnlmp.exe
+ 2007-02-28 08:38:55 2,057,600 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ntkrnlpa.exe
+ 2007-02-28 08:38:57 2,015,744 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ntkrpamp.exe
+ 2007-02-28 09:10:57 2,180,352 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ntoskrnl.exe
+ 2008-02-16 08:59:37 39,424 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\pngfilt.dll
+ 2007-10-29 22:43:03 1,287,680 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\quartz.dll
+ 2006-06-22 05:06:30 1,435,648 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\query.dll
+ 2006-06-22 10:47:18 181,248 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\rasmans.dll
+ 2006-07-13 08:48:58 202,240 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\rmcast.sys
+ 2007-04-25 14:21:15 144,896 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\schannel.dll
+ 2008-02-16 08:59:38 1,494,528 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\shdocvw.dll
+ 2007-10-26 03:36:51 8,454,656 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\shell32.dll
+ 2008-02-16 08:59:38 474,112 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\shlwapi.dll
+ 2006-12-19 21:52:18 134,656 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\shsvcs.dll
+ 2006-06-14 08:47:46 6,400 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\splitter.sys
+ 2006-08-14 10:34:41 332,928 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\srv.sys
+ 2006-08-21 14:52:08 246,814 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\strmdll.dll
+ 2006-10-19 13:56:32 713,216 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\sxs.dll
+ 2007-10-30 17:20:55 360,064 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip.sys
+ 2007-04-23 10:32:54 364,160 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\update.sys
+ 2007-02-05 20:17:02 185,344 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\upnphost.dll
+ 2008-02-16 08:59:38 615,936 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\urlmon.dll
+ 2007-03-08 15:36:28 577,536 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\user32.dll
+ 2007-06-26 15:13:22 851,968 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\vgx.dll
+ 2007-05-16 15:12:12 510,976 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\wab32.dll
+ 2007-05-16 15:12:15 85,504 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\wabimp.dll
+ 2006-06-14 09:00:45 82,944 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\wdmaud.sys
+ 2008-02-16 08:59:39 659,456 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\wininet.dll
+ 2006-08-17 12:28:27 132,096 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\wkssvc.dll
+ 2007-10-27 22:39:20 230,912 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\wmasf.dll
+ 2007-10-27 22:37:38 2,109,440 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\wmvcore.dll
- 2004-08-04 07:56:42 148,480 ------w C:\WINDOWS\SYSTEM32\dnsapi.dll
+ 2008-02-20 05:32:43 148,992 ----a-w C:\WINDOWS\SYSTEM32\dnsapi.dll
- 2004-08-04 07:56:42 45,568 ----a-w C:\WINDOWS\SYSTEM32\dnsrslvr.dll
+ 2008-02-20 05:32:43 45,568 ----a-w C:\WINDOWS\SYSTEM32\dnsrslvr.dll
- 2004-08-04 05:39:36 142,464 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\aec.sys
+ 2006-02-15 00:22:26 142,464 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\aec.sys
- 2004-08-04 06:01:19 124,800 ------w C:\WINDOWS\SYSTEM32\DRIVERS\fltmgr.sys
+ 2006-08-21 09:14:58 128,896 ------w C:\WINDOWS\SYSTEM32\DRIVERS\fltmgr.sys
- 2004-08-04 06:00:13 263,040 ------w C:\WINDOWS\SYSTEM32\DRIVERS\http.sys
+ 2006-03-17 00:33:10 262,784 ------w C:\WINDOWS\SYSTEM32\DRIVERS\http.sys
- 2004-08-04 06:04:50 134,912 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\ipnat.sys
+ 2004-09-29 22:28:37 134,912 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\ipnat.sys
- 2004-08-04 06:07:48 171,776 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\kmixer.sys
+ 2006-06-14 08:47:45 172,416 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\kmixer.sys
- 2004-08-04 05:58:20 72,960 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\mqac.sys
+ 2007-07-06 10:05:47 72,960 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\mqac.sys
- 2004-08-04 06:00:56 181,248 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\mrxdav.sys
+ 2007-12-18 09:51:35 179,584 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\mrxdav.sys
- 2004-08-04 06:15:09 574,592 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\ntfs.sys
+ 2007-02-09 11:10:35 574,464 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\ntfs.sys
- 2004-08-04 08:01:08 139,400 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\rdpwd.sys
+ 2005-06-10 04:09:46 139,528 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\rdpwd.sys
- 2002-08-29 11:00:00 200,064 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\RMCast.sys
+ 2006-07-13 08:48:58 202,240 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\rmcast.sys
- 2004-08-04 06:07:47 6,400 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\splitter.sys
+ 2006-06-14 08:47:46 6,400 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\splitter.sys
- 2004-08-04 06:14:45 336,256 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\srv.sys
+ 2006-08-14 10:34:41 332,928 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\srv.sys
- 2004-08-04 06:14:40 359,040 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\tcpip.sys
+ 2007-10-30 17:20:55 360,064 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\tcpip.sys
- 2004-08-04 05:58:32 209,408 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\update.sys
+ 2007-04-23 10:32:54 364,160 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\update.sys
- 2004-08-04 06:15:04 82,944 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\wdmaud.sys
+ 2006-06-14 09:00:45 82,944 ----a-w C:\WINDOWS\SYSTEM32\DRIVERS\wdmaud.sys
- 2004-08-04 07:56:42 498,205 ----a-w C:\WINDOWS\SYSTEM32\dxmasf.dll
+ 2006-08-22 09:05:26 498,742 ----a-w C:\WINDOWS\SYSTEM32\dxmasf.dll
- 2004-08-04 07:56:42 357,888 ----a-w C:\WINDOWS\SYSTEM32\dxtmsft.dll
+ 2008-02-16 08:59:35 357,888 ----a-w C:\WINDOWS\SYSTEM32\dxtmsft.dll
- 2004-08-04 07:56:42 201,728 ----a-w C:\WINDOWS\SYSTEM32\dxtrans.dll
+ 2008-02-16 08:59:35 205,312 ----a-w C:\WINDOWS\SYSTEM32\dxtrans.dll
- 2004-08-04 07:56:42 243,200 ----a-w C:\WINDOWS\SYSTEM32\es.dll
+ 2005-07-26 04:39:45 243,200 ----a-w C:\WINDOWS\SYSTEM32\es.dll
- 2004-08-04 07:56:42 1,082,368 ----a-w C:\WINDOWS\SYSTEM32\esent.dll
+ 2005-10-20 22:20:03 1,082,368 ----a-w C:\WINDOWS\SYSTEM32\esent.dll
- 2004-08-04 07:56:42 55,808 ------w C:\WINDOWS\SYSTEM32\extmgr.dll
+ 2008-02-16 08:59:35 55,808 ------w C:\WINDOWS\SYSTEM32\extmgr.dll
- 2004-08-04 07:56:42 16,896 ------w C:\WINDOWS\SYSTEM32\fltlib.dll
+ 2006-08-21 12:21:06 16,896 ----a-w C:\WINDOWS\SYSTEM32\fltlib.dll
- 2004-08-04 07:56:49 22,528 ------w C:\WINDOWS\SYSTEM32\fltmc.exe
+ 2006-08-21 09:14:58 23,040 ----a-w C:\WINDOWS\SYSTEM32\fltmc.exe
- 2008-05-23 21:33:00 111,784 ----a-w C:\WINDOWS\SYSTEM32\FNTCACHE.DAT
+ 2008-05-27 17:31:46 111,784 ----a-w C:\WINDOWS\SYSTEM32\FNTCACHE.DAT
- 2004-08-04 07:56:42 278,016 ----a-w C:\WINDOWS\SYSTEM32\gdi32.dll
+ 2008-02-20 06:51:05 282,624 ----a-w C:\WINDOWS\SYSTEM32\gdi32.dll
- 2004-08-04 07:56:42 38,912 ----a-w C:\WINDOWS\SYSTEM32\hhsetup.dll
+ 2005-05-27 02:04:27 41,472 ----a-w C:\WINDOWS\SYSTEM32\hhsetup.dll
- 2002-08-29 11:00:00 77,850 ----a-w C:\WINDOWS\SYSTEM32\HLINK.DLL
+ 2006-07-21 08:24:43 72,704 ----a-w C:\WINDOWS\SYSTEM32\hlink.dll
- 2004-08-04 07:56:42 253,952 ----a-w C:\WINDOWS\SYSTEM32\icm32.dll
+ 2005-06-29 01:46:00 254,976 ----a-w C:\WINDOWS\SYSTEM32\icm32.dll
- 2004-08-04 07:56:42 249,344 ----a-w C:\WINDOWS\SYSTEM32\iepeers.dll
+ 2008-02-16 08:59:35 251,392 ----a-w C:\WINDOWS\SYSTEM32\iepeers.dll
- 2004-08-04 07:56:42 678,400 ----a-w C:\WINDOWS\SYSTEM32\inetcomm.dll
+ 2007-08-21 06:15:44 683,520 ----a-w C:\WINDOWS\SYSTEM32\inetcomm.dll
- 2004-08-04 07:56:42 96,256 ----a-w C:\WINDOWS\SYSTEM32\inseng.dll
+ 2008-02-16 08:59:35 96,256 ----a-w C:\WINDOWS\SYSTEM32\inseng.dll
- 2004-08-04 07:56:42 94,720 ----a-w C:\WINDOWS\SYSTEM32\iphlpapi.dll
+ 2006-05-19 12:59:41 94,720 ----a-w C:\WINDOWS\SYSTEM32\iphlpapi.dll
- 2004-08-04 07:56:42 143,872 ----a-w C:\WINDOWS\SYSTEM32\itircl.dll
+ 2005-05-27 02:04:27 155,136 ----a-w C:\WINDOWS\SYSTEM32\itircl.dll
- 2004-08-04 07:56:42 134,144 ----a-w C:\WINDOWS\SYSTEM32\itss.dll
+ 2005-05-27 02:04:27 137,216 ----a-w C:\WINDOWS\SYSTEM32\itss.dll
- 2002-08-29 11:00:00 144,896 ----a-w C:\WINDOWS\SYSTEM32\JGDW400.DLL
+ 2006-06-01 18:47:07 163,840 ----a-w C:\WINDOWS\SYSTEM32\jgdw400.dll
- 2002-08-29 11:00:00 42,496 ----a-w C:\WINDOWS\SYSTEM32\JGPL400.DLL
+ 2006-06-01 18:47:07 27,648 ----a-w C:\WINDOWS\SYSTEM32\jgpl400.dll
- 2004-08-04 07:56:42 15,872 ----a-w C:\WINDOWS\SYSTEM32\jsproxy.dll
+ 2008-02-16 08:59:35 16,384 ----a-w C:\WINDOWS\SYSTEM32\jsproxy.dll
- 2004-08-04 07:56:42 18,944 ----a-w C:\WINDOWS\SYSTEM32\linkinfo.dll
+ 2005-09-01 01:41:53 19,968 ----a-w C:\WINDOWS\SYSTEM32\linkinfo.dll
- 2004-08-04 07:56:42 721,920 ----a-w C:\WINDOWS\SYSTEM32\lsasrv.dll
+ 2006-08-17 12:28:27 721,920 ----a-w C:\WINDOWS\SYSTEM32\lsasrv.dll
- 2004-08-04 07:56:42 39,936 ----a-w C:\WINDOWS\SYSTEM32\mf3216.dll
+ 2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\SYSTEM32\mf3216.dll
- 2004-08-04 07:56:42 138,240 ----a-w C:\WINDOWS\SYSTEM32\mqad.dll
+ 2007-07-06 12:46:59 138,240 ----a-w C:\WINDOWS\SYSTEM32\mqad.dll
- 2004-08-04 07:56:42 47,104 ----a-w C:\WINDOWS\SYSTEM32\mqdscli.dll
+ 2007-07-06 12:46:59 47,104 ----a-w C:\WINDOWS\SYSTEM32\mqdscli.dll
- 2004-08-04 07:56:42 16,896 ----a-w C:\WINDOWS\SYSTEM32\mqise.dll
+ 2007-07-06 12:46:59 16,896 ----a-w C:\WINDOWS\SYSTEM32\mqise.dll
- 2004-08-04 07:56:42 660,992 ----a-w C:\WINDOWS\SYSTEM32\mqqm.dll
+ 2007-07-06 12:46:59 660,992 ----a-w C:\WINDOWS\SYSTEM32\mqqm.dll
- 2004-08-04 07:56:42 177,152 ----a-w C:\WINDOWS\SYSTEM32\mqrt.dll
+ 2007-07-06 12:46:59 177,152 ----a-w C:\WINDOWS\SYSTEM32\mqrt.dll
- 2004-08-04 07:56:42 95,744 ----a-w C:\WINDOWS\SYSTEM32\mqsec.dll
+ 2007-07-06 12:46:59 95,744 ----a-w C:\WINDOWS\SYSTEM32\mqsec.dll
- 2004-08-04 07:56:42 48,640 ----a-w C:\WINDOWS\SYSTEM32\mqupgrd.dll
+ 2007-07-06 12:46:59 48,640 ----a-w C:\WINDOWS\SYSTEM32\mqupgrd.dll
- 2004-08-04 07:56:42 471,552 ----a-w C:\WINDOWS\SYSTEM32\mqutil.dll
+ 2007-07-06 12:46:59 471,552 ----a-w C:\WINDOWS\SYSTEM32\mqutil.dll
- 2004-08-04 07:56:42 73,728 ----a-w C:\WINDOWS\SYSTEM32\mscms.dll
+ 2005-06-29 01:46:00 74,240 ----a-w C:\WINDOWS\SYSTEM32\mscms.dll
- 2004-08-04 07:56:43 3,003,392 ----a-w C:\WINDOWS\SYSTEM32\mshtml.dll
+ 2008-02-16 22:29:38 3,059,712 ----a-w C:\WINDOWS\SYSTEM32\mshtml.dll
- 2004-08-04 07:56:43 448,512 ----a-w C:\WINDOWS\SYSTEM32\mshtmled.dll
+ 2008-02-16 08:59:37 449,024 ----a-w C:\WINDOWS\SYSTEM32\mshtmled.dll
- 2005-05-04 19:45:32 2,890,240 ----a-w C:\WINDOWS\SYSTEM32\msi.dll
+ 2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\SYSTEM32\msi.dll
- 2004-08-04 07:56:43 146,432 ----a-w C:\WINDOWS\SYSTEM32\msrating.dll
+ 2008-02-16 08:59:37 146,432 ----a-w C:\WINDOWS\SYSTEM32\msrating.dll
- 2004-08-04 07:56:43 530,432 ----a-w C:\WINDOWS\SYSTEM32\mstime.dll
+ 2008-02-16 08:59:37 532,480 ----a-w C:\WINDOWS\SYSTEM32\mstime.dll
- 2004-08-04 07:56:44 66,560 ------w C:\WINDOWS\SYSTEM32\mtxclu.dll
+ 2006-03-01 19:42:42 66,560 ----a-w C:\WINDOWS\SYSTEM32\mtxclu.dll
- 2004-08-04 07:56:44 332,288 ----a-w C:\WINDOWS\SYSTEM32\netapi32.dll
+ 2006-08-17 12:28:27 332,288 ----a-w C:\WINDOWS\SYSTEM32\netapi32.dll
- 2004-08-04 07:56:44 198,144 ----a-w C:\WINDOWS\SYSTEM32\netman.dll
+ 2005-08-22 18:29:46 197,632 ----a-w C:\WINDOWS\SYSTEM32\netman.dll
- 2005-03-02 00:34:40 2,056,832 ----a-w C:\WINDOWS\SYSTEM32\ntkrnlpa.exe
+ 2007-02-28 08:38:55 2,057,600 ----a-w C:\WINDOWS\SYSTEM32\ntkrnlpa.exe
- 2005-03-02 00:59:53 2,179,328 ----a-w C:\WINDOWS\SYSTEM32\ntoskrnl.exe
+ 2007-02-28 09:10:57 2,180,352 ----a-w C:\WINDOWS\SYSTEM32\ntoskrnl.exe
- 2004-08-04 07:56:44 1,281,536 ------w C:\WINDOWS\SYSTEM32\ole32.dll
+ 2005-07-26 04:39:48 1,285,120 ----a-w C:\WINDOWS\SYSTEM32\ole32.dll
- 2002-08-29 11:00:00 68,608 ------w C:\WINDOWS\SYSTEM32\OLECLI32.DLL
+ 2005-07-26 04:39:48 74,752 ----a-w C:\WINDOWS\SYSTEM32\olecli32.dll
- 2005-04-28 19:31:11 37,888 ----a-w C:\WINDOWS\SYSTEM32\olecnv32.dll
+ 2005-07-26 04:39:49 37,888 ----a-w C:\WINDOWS\SYSTEM32\olecnv32.dll
- 2008-05-27 17:12:46 39,992 ----a-w C:\WINDOWS\SYSTEM32\PERFC009.DAT
+ 2008-05-27 17:33:53 39,992 ----a-w C:\WINDOWS\SYSTEM32\PERFC009.DAT
- 2008-05-27 17:12:46 311,604 ----a-w C:\WINDOWS\SYSTEM32\PERFH009.DAT
+ 2008-05-27 17:33:53 311,604 ----a-w C:\WINDOWS\SYSTEM32\PERFH009.DAT
- 2004-08-04 07:56:44 39,424 ----a-w C:\WINDOWS\SYSTEM32\pngfilt.dll
+ 2008-02-16 08:59:37 39,424 ----a-w C:\WINDOWS\SYSTEM32\pngfilt.dll
- 2004-08-04 07:56:44 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
+ 2007-10-29 22:43:03 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
- 2004-08-04 07:56:44 1,435,648 ----a-w C:\WINDOWS\SYSTEM32\query.dll
+ 2006-06-22 05:06:30 1,435,648 ----a-w C:\WINDOWS\SYSTEM32\query.dll
- 2004-08-04 07:56:44 8,192 ------w C:\WINDOWS\SYSTEM32\rasadhlp.dll
+ 2006-06-26 17:37:10 8,192 ----a-w C:\WINDOWS\SYSTEM32\rasadhlp.dll
- 2004-08-04 07:56:44 174,080 ----a-w C:\WINDOWS\SYSTEM32\rasmans.dll
+ 2006-06-22 10:47:18 181,248 ----a-w C:\WINDOWS\SYSTEM32\rasmans.dll
- 2004-08-04 07:56:44 581,120 ----a-w C:\WINDOWS\SYSTEM32\rpcrt4.dll
+ 2007-07-09 13:09:42 584,192 ----a-w C:\WINDOWS\SYSTEM32\rpcrt4.dll
- 2004-08-04 07:56:44 395,776 ------w C:\WINDOWS\SYSTEM32\rpcss.dll
+ 2005-07-26 04:39:49 397,824 ----a-w C:\WINDOWS\SYSTEM32\rpcss.dll
- 2004-08-04 07:56:44 144,896 ----a-w C:\WINDOWS\SYSTEM32\schannel.dll
+ 2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\SYSTEM32\schannel.dll
- 2004-08-04 07:56:45 1,483,264 ----a-w C:\WINDOWS\SYSTEM32\shdocvw.dll
+ 2008-02-16 08:59:38 1,494,528 ----a-w C:\WINDOWS\SYSTEM32\shdocvw.dll
- 2004-08-04 07:56:45 8,384,000 ----a-w C:\WINDOWS\SYSTEM32\shell32.dll
+ 2007-10-26 03:36:51 8,454,656 ----a-w C:\WINDOWS\SYSTEM32\shell32.dll
- 2004-08-04 07:56:45 473,600 ----a-w C:\WINDOWS\SYSTEM32\shlwapi.dll
+ 2008-02-16 08:59:38 474,112 ----a-w C:\WINDOWS\SYSTEM32\shlwapi.dll
- 2004-08-04 07:56:45 134,656 ----a-w C:\WINDOWS\SYSTEM32\shsvcs.dll
+ 2006-12-19 21:52:18 134,656 ----a-w C:\WINDOWS\SYSTEM32\shsvcs.dll
- 2004-08-04 07:56:57 57,856 ----a-w C:\WINDOWS\SYSTEM32\spoolsv.exe
+ 2005-06-10 23:53:32 57,856 ----a-w C:\WINDOWS\SYSTEM32\spoolsv.exe
- 2005-02-25 03:35:05 22,752 ----a-w C:\WINDOWS\SYSTEM32\spupdsvc.exe
+ 2005-06-28 15:21:34 22,752 ----a-w C:\WINDOWS\SYSTEM32\spupdsvc.exe
- 2004-08-04 07:56:45 96,768 ----a-w C:\WINDOWS\SYSTEM32\srvsvc.dll
+ 2004-12-07 19:32:34 96,768 ----a-w C:\WINDOWS\SYSTEM32\srvsvc.dll
- 2004-08-04 07:56:45 246,302 ----a-w C:\WINDOWS\SYSTEM32\strmdll.dll
+ 2006-08-21 14:52:08 246,814 ----a-w C:\WINDOWS\SYSTEM32\strmdll.dll
- 2004-08-04 07:56:46 713,216 ----a-w C:\WINDOWS\SYSTEM32\sxs.dll
+ 2006-10-19 13:56:32 713,216 ----a-w C:\WINDOWS\SYSTEM32\sxs.dll
- 2004-08-04 07:56:46 246,272 ----a-w C:\WINDOWS\SYSTEM32\tapisrv.dll
+ 2005-07-08 16:27:56 249,344 ----a-w C:\WINDOWS\SYSTEM32\tapisrv.dll
- 2004-08-04 07:56:46 101,376 ----a-w C:\WINDOWS\SYSTEM32\txflog.dll
+ 2005-07-26 04:39:49 101,376 ----a-w C:\WINDOWS\SYSTEM32\txflog.dll
+ 2007-07-18 12:42:22 60,416 ------w C:\WINDOWS\SYSTEM32\tzchange.exe
- 2004-08-04 07:56:46 118,272 ------w C:\WINDOWS\SYSTEM32\umpnpmgr.dll
+ 2005-08-23 03:35:42 123,392 ----a-w C:\WINDOWS\SYSTEM32\umpnpmgr.dll
- 2004-08-04 07:56:46 185,344 ----a-w C:\WINDOWS\SYSTEM32\upnphost.dll
+ 2007-02-05 20:17:02 185,344 ----a-w C:\WINDOWS\SYSTEM32\upnphost.dll
- 2004-08-04 07:56:46 601,088 ----a-w C:\WINDOWS\SYSTEM32\urlmon.dll
+ 2008-02-16 08:59:38 615,936 ----a-w C:\WINDOWS\SYSTEM32\urlmon.dll
- 2004-08-04 07:56:46 577,024 ------w C:\WINDOWS\SYSTEM32\user32.dll
+ 2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\SYSTEM32\user32.dll
- 2004-08-04 07:56:46 67,584 ----a-w C:\WINDOWS\SYSTEM32\webclnt.dll
+ 2006-01-04 03:35:05 68,096 ----a-w C:\WINDOWS\SYSTEM32\webclnt.dll
- 2004-08-04 07:56:46 656,384 ----a-w C:\WINDOWS\SYSTEM32\wininet.dll
+ 2008-02-16 08:59:39 659,456 ----a-w C:\WINDOWS\SYSTEM32\wininet.dll
- 2004-08-04 07:56:46 290,816 ------w C:\WINDOWS\SYSTEM32\winsrv.dll
+ 2005-09-01 01:41:54 291,840 ----a-w C:\WINDOWS\SYSTEM32\winsrv.dll
- 2004-08-04 07:56:46 132,096 ----a-w C:\WINDOWS\SYSTEM32\wkssvc.dll
+ 2006-08-17 12:28:27 132,096 ----a-w C:\WINDOWS\SYSTEM32\wkssvc.dll
- 2004-08-04 07:56:46 230,400 ----a-w C:\WINDOWS\SYSTEM32\wmasf.dll
+ 2007-10-27 22:39:20 230,912 ----a-w C:\WINDOWS\SYSTEM32\wmasf.dll
- 2004-08-04 07:56:46 4,874,240 ------w C:\WINDOWS\SYSTEM32\wmp.dll
+ 2007-04-30 07:22:16 4,734,976 ------w C:\WINDOWS\SYSTEM32\wmp.dll
- 2004-08-04 07:57:02 2,105,344 ----a-w C:\WINDOWS\SYSTEM32\wmvcore.dll
+ 2007-10-27 22:37:38 2,109,440 ----a-w C:\WINDOWS\SYSTEM32\wmvcore.dll
+ 2008-02-15 09:06:21 351,744 ----a-w C:\WINDOWS\SYSTEM32\xpsp3res.dll
+ 2006-08-25 15:45:55 1,054,208 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weekbpa"="C:\Documents and Settings\jkeleher\Application Data\F?nts\?ervices.exe" [ ]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"QdrPack16"="C:\Program Files\QdrPack\QdrPack16.exe" [ ]
"QdrModule16"="C:\Program Files\QdrModule\QdrModule16.exe" [ ]
"Ncao"="C:\WINDOWS\ECURIT~1\rundll.exe" [ ]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NWTRAY"="NWTRAY.EXE" [2001-12-18 15:24 28672 C:\WINDOWS\SYSTEM32\nwtray.exe]
"{5346d4c3-c9e1-b05c-1b41-ab98c95263f2}"="C:\WINDOWS\System32\{2dad0f94-17f5-5ecc-297f-90bfe43bd59d}.dll" [ ]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2002-06-20 03:14 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2002-06-20 03:05 114688]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"{8F-F3-3D-DA-DW}"="c:\windows\system32\rwwnw64d.exe" [ ]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 02:56 158208]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
--a------ 2008-05-15 18:19 79224 C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Schedule"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-15 18:20]
R2 ASFAgent;ASF Agent;C:\Program Files\Intel\ASF Agent\ASFAgent.exe [2002-05-08 10:51]
R2 NetAlrt;NetAlrt;C:\WINDOWS\System32\drivers\NetAlrt.sys [2002-05-07 17:05]
R2 PlatAlrt;PlatAlrt;C:\WINDOWS\System32\drivers\PlatAlrt.sys [2002-05-07 17:06]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]
S2 Windows Action Script;Windows Action Script;"C:\WINDOWS\system32\scvhost.exe" []
S3 NMSCFG;NIC Management Service Configuration Driver;C:\WINDOWS\System32\drivers\NMSCFG.SYS [2002-02-27 10:57]
S3 NMSSvc;Intel(R) NMS;C:\WINDOWS\System32\NMSSvc.exe [2002-02-27 10:57]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-27 12:41:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-27 12:44:14
ComboFix-quarantined-files.txt 2008-05-27 17:44:05
ComboFix2.txt 2008-05-27 17:23:22
ComboFix3.txt 2008-05-23 19:17:51

Pre-Run: 13,305,929,728 bytes free
Post-Run: 13,296,254,976 bytes free

836 --- E O F --- 2008-05-27 17:30:57
Negalith
Regular Member
 
Posts: 22
Joined: March 22nd, 2008, 12:25 pm

Re: A Hijack this log I could use help with; Thanks

Unread postby Shaba » May 27th, 2008, 2:19 pm

Hi

We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:

1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this Go to the Mode menu select "Advanced Mode"
3. On the left hand side, Click on Tools
4. Then click on the Resident Icon in the List
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.

After that:

Open HijackThis, click do a system scan only and checkmark these:

O4 - HKLM\..\Run: [{5346d4c3-c9e1-b05c-1b41-ab98c95263f2}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\System32\{2dad0f94-17f5-5ecc-297f-90bfe43bd59d}.dll" DllInit
O4 - HKLM\..\Run: [{8F-F3-3D-DA-DW}] c:\windows\system32\rwwnw64d.exe DWramXX
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\System32\tcntkkdm.exe DWramXX
O4 - HKLM\..\Run: [dbar_starter] C:\Documents and Settings\jkeleher\Application Data\Deskbar_{38F823D2-88FF-46b1-AAFC-EB562BEF3792}\starter.exe
O4 - HKCU\..\Run: [Weekbpa] "C:\Documents and Settings\jkeleher\Application Data\F?nts\?ervices.exe"
O4 - HKCU\..\Run: [QdrPack16] "C:\Program Files\QdrPack\QdrPack16.exe"
O4 - HKCU\..\Run: [QdrModule16] "C:\Program Files\QdrModule\QdrModule16.exe"
O4 - HKCU\..\Run: [Ncao] "C:\WINDOWS\ECURIT~1\rundll.exe" -vt yazb
O4 - HKCU\..\Run: [RunDll] C:\WINDOWS\System32\rundll.exe
O4 - HKCU\..\Run: [WinUpdater] "C:\Program Files\winvi\update.exe" /background
O4 - HKCU\..\Run: [WebSUpdater] "C:\Program Files\winvi\wupda.exe" /background


Close all windows including browser and press fix checked.

Reboot.

Post back a fresh HijackThis log.
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: A Hijack this log I could use help with; Thanks

Unread postby Negalith » May 27th, 2008, 4:33 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:31:09 PM, on 5/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://auto.search.msn.com/response.asp ... prov=&utf8
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://www.malwareremoval.com
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 0091341109
O17 - HKLM\System\CCS\Services\Tcpip\..\{AE1DCF8F-6FCA-4FF3-9408-F2CEAEDE786B}: NameServer = 66.73.20.40,206.141.193.55
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Windows Action Script - Unknown owner - C:\WINDOWS\system32\scvhost.exe (file missing)

--
End of file - 4106 bytes
Negalith
Regular Member
 
Posts: 22
Joined: March 22nd, 2008, 12:25 pm

Re: A Hijack this log I could use help with; Thanks

Unread postby Shaba » May 28th, 2008, 9:42 am

Hi

Looking over your log, it seems you don't have any evidence of an anti-virus software.

Anti-virus software are programs that detect, cleanse, and erase harmful virus files on a computer, Web server, or network. Unchecked, virus files can unintentionally be forwarded to others, including trading partners and thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. They can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download a free anti-virus software from one these excellent vendors NOW:

1) Antivir PersonalEdition Classic- Free anti-virus software for Windows. Detects and removes more than 50,000 viruses. Free support.
2) avast! 4 Home Edition - Anti-virus program for Windows. The home edition is freeware for noncommercial users.
3) AVG Anti-Virus Free Edition - Free edition of the AVG anti-virus program for Windows.

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer, then only one of them should be active in memory at a time.

After that, please post back a fresh HijackThis log :)
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 52 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware