Infection right after format


Post by Vegeta » September 17th, 2009, 5:01 pm

Just as I formatted my computer, it got infected. This all happened because I let my brother use it while I had some things to do.
I had problems running HijackThis (it was flashing all the time/exiting) but I somehow managed to get a log of it.
Also Firefox doesn't work.
Please help me.
HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:53:16 PM, on 9/17/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\jack\Local Settings\Application Data\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe
C:\Documents and Settings\jack\Desktop\flvplayer.exe
C:\DOCUME~1\jack\LOCALS~1\Temp\IXP001.TMP\FLVplayr.exe
C:\WINDOWS\sysrest32.exe
C:\Documents and Settings\jack\Desktop\fotos.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [Secure System Restore] sysrest32.exe
O4 - HKLM\..\Run: [Windows Login Assistance] "C:\Documents and Settings\jack\Application Data\S05-3636-T34636-7574-BLAZEBOT-ASGET-UEIAASH\winlogon.exe"
O4 - HKLM\..\Run: [dllhost] C:\Documents and Settings\jack\Desktop\fotos.exe
O4 - HKLM\..\RunOnce: [wextract_cleanup0] rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\jack\LOCALS~1\Temp\IXP001.TMP\"
O4 - HKCU\..\Run: [Octoshape Streaming Services] "C:\Documents and Settings\jack\Local Settings\Application Data\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe" -inv:bootrun
O4 - HKCU\..\Run: [Windows Login Assistance] "C:\Documents and Settings\jack\Application Data\S05-3636-T34636-7574-BLAZEBOT-ASGET-UEIAASH\winlogon.exe"
O4 - HKLM\..\Policies\Explorer\Run: [Windows Login Assistance] "C:\Documents and Settings\jack\Application Data\S05-3636-T34636-7574-BLAZEBOT-ASGET-UEIAASH\winlogon.exe"
O4 - HKCU\..\Policies\Explorer\Run: [Windows Login Assistance] "C:\Documents and Settings\jack\Application Data\S05-3636-T34636-7574-BLAZEBOT-ASGET-UEIAASH\winlogon.exe"
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: hgGvwxvW - C:\WINDOWS\SYSTEM32\hgGvwxvW.dll

--
End of file - 2641 bytes
Vegeta
Active Member
 
Posts: 11
Joined: September 17th, 2009, 4:19 pm

Re: Infection right after format

Post by francis327 » September 20th, 2009, 10:59 pm

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.


Hi, welcome to Malware Removal.
My name is francis, and I'll be helping you with your malware problems.
HijackThis logs can take a while to research, so please be patient.

Before we begin...please note the following important guidelines.
  1. The instructions being given are for YOUR computer and system only!
    Using these instructions on a different computer can cause damage to that computer and possibly render it inoperable!
  2. Please, if you have questions about something...ASK, don't guess or assume.
  3. Please -only- post your problem at one help site. Applying fixes from multiple help sites can cause problems.
  4. Please -only- reply to this thread, do not start another!
  5. Please do not run any other fix/removal tools unless instructed to do so!
  6. Print each set of instructions...if possible...your Internet connection will not be available during some fix processes.
  7. Please continue responding until I give you the "All Clean".


No reply after 3 days in your thread will result in your topic being closed.
Please notify me in advance if you are not able to reply to me within 3 days.


If you agree with the above terms and conditions, we shall begin.

Disclaimer: Given the nature of the infections that were present on the machine, I give no guarantees about the security of this computer and have to the best of my abilities tried to both identify and eradicate all malware.


1 - HJT Uninstall List
Please run HijackThis
If you are on the "scan & fix stuff" page... Press the "Main Menu"...button.

  • From the Main Menu...Press the "Open the Misc Tools"...button.
  • Press the "Open Uninstall Manager..." button.
  • Press only the Save List...button.
  • Press the "Save" button.
    The file "uninstall_list.txt" will be saved in your HJT folder.
  • Copy and paste the contents of "uninstall_list.txt" in your next reply.


2 - Status Check
To post in next reply:

  • Uninstall List
francis327
Regular Member
 
Posts: 939
Joined: September 4th, 2008, 3:42 am
Location: Far East (GMT + 8)

Re: Infection right after format

Post by Vegeta » September 21st, 2009, 8:01 am

3D Virtual Cube
Adobe Flash Player 10 Plugin
foobar2000 v0.9.6
HijackThis 2.0.2
Malwarebytes' Anti-Malware
mIRC
Mozilla Firefox (3.5)
PowerArchiver 2007
Sophos Anti-Rootkit 1.3.1
Ulead GIF Animator 5 Trial
VentriloMIX
Zuma Deluxe 1.0
Vegeta
Active Member
 
Posts: 11
Joined: September 17th, 2009, 4:19 pm

Re: Infection right after format

Post by francis327 » September 23rd, 2009, 10:29 pm

Hi vegeta,
As mentioned,
I am still in training and I am still awaiting my teacher's approval for your fixes.
I will get back to you once my teacher approves it.
Please hold on. Please respond to this post so I will know that you have read it.

Thanks
francis327
francis327
Regular Member
 
Posts: 939
Joined: September 4th, 2008, 3:42 am
Location: Far East (GMT + 8)

Re: Infection right after format

Post by Vegeta » September 24th, 2009, 9:15 am

it's alright
Vegeta
Active Member
 
Posts: 11
Joined: September 17th, 2009, 4:19 pm

Re: Infection right after format

Post by francis327 » September 25th, 2009, 6:59 am

Hi Vegeta, sorry for the late reply.
I am afraid i have bad news for you.

Your computer has multiple infections, including a backdoor. A backdoor compromises system integrity by making changes to the system that allow it to be used by the attacker for malicious purposes unknown to the user.

You are strongly advised to do the following:

  • Disconnect the computer from the Internet and from any networked computers until it is cleaned.
  • Back up all your important data except programs. The programs can be reinstalled back from the original disc or from the Net.
  • Call all your banks, financial institutions, credit card companies and inform them that you may be a victim of identity theft and put a watch on your accounts. If you don't mind the hassle, change all your account numbers.
  • From a clean computer, change all your passwords (ISP login password, your email address(es) passwords, financial accounts, PayPal, eBay, Amazon, online groups and forums and any other online activities you carry out which require a username and password).

Do NOT change your passwords from this computer as the attacker will be able to get all the new passwords and transaction records.

Due to its backdoor functionality, your computer is very likely to have been compromised and there is no way that it can be trusted again. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be to do a reformat and reinstallation of the operating system (OS). However, if you do not have the resources to reinstall your OS and would like me to attempt to clean your machine, I will be happy to do so.

To help you understand more, please take some time to read the following articles:

What are Remote Access Trojans and why are they dangerous
How do I respond to a possible identity theft and how do I prevent it
When should I do a reformat and reinstallation of my OS
Where to backup your files
How to backup your files in Windows XP
Restoring your backups

If you read the above, and still decide you want to proceed with cleaning it, please let me know and I will try my best to assist you.

2 - Status Check
To post in next reply:

  • Your decision whether to clean your system
francis327
Regular Member
 
Posts: 939
Joined: September 4th, 2008, 3:42 am
Location: Far East (GMT + 8)

Re: Infection right after format

Post by Vegeta » September 25th, 2009, 10:01 am

Thanks for the information.

Well I didn't do any banking or similar so I think you(we) should attempt to clean this computer.
Thank you.
Vegeta
Active Member
 
Posts: 11
Joined: September 17th, 2009, 4:19 pm

Re: Infection right after format

Post by francis327 » September 25th, 2009, 10:05 am

Hi Vegeta, thank you for the confirmation.
Let's begin with the following.

1 - ComboFix
We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix


* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

2 - Status Check
To post in next reply:

  • ComboFix log
francis327
Regular Member
 
Posts: 939
Joined: September 4th, 2008, 3:42 am
Location: Far East (GMT + 8)

Re: Infection right after format

Post by Vegeta » September 25th, 2009, 2:46 pm

When I tried to run ComboFix a loading window showed up and nothing happened for the following few minutes.
From looking around at forums like these in the near past I've noticed they usually rename ComboFix (without prior warnings), so I did rename it to Combo-Fix.exe and it ran fine.
Tricky trojans hehe
Hope I didn't do something bad

ComboFix 09-09-24.01 - jack 09/25/2009 20:20.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.802 [GMT 2:00]
Running from: c:\documents and settings\jack\Desktop\Combo-Fix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\hgGVwxvw.dll
c:\windows\system32\nnnoMEVN.dll
c:\windows\system32\reg_0001.txt

.
((((((((((((((((((((((((( Files Created from 2009-08-25 to 2009-09-25 )))))))))))))))))))))))))))))))
.

2009-09-20 15:53 . 2009-09-20 15:53 -------- d-----w- c:\documents and settings\jack\Application Data\InstallShield
2009-09-20 15:03 . 2009-09-20 15:03 -------- d-----w- c:\documents and settings\jack\Application Data\Malwarebytes
2009-09-20 15:03 . 2009-09-10 12:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-20 15:03 . 2009-09-21 12:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-20 15:03 . 2009-09-20 15:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-20 15:03 . 2009-09-10 12:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-20 15:59 . 2009-09-17 20:38 -------- d-----w- c:\program files\PowerArchiver
2009-09-20 15:53 . 2009-09-17 20:52 -------- d-----w- c:\program files\Trend Micro
2009-09-20 15:53 . 2009-09-17 20:12 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-17 20:50 . 2009-09-17 20:50 438784 ----a-w- C:\winsystem.exe
2009-09-17 20:46 . 2009-09-17 20:46 -------- d-sh--w- c:\documents and settings\jack\Application Data\S05-3636-T34636-7574-BLAZEBOT-ASGET-UEIAASH
2009-09-17 20:38 . 2009-09-17 20:38 -------- d-----w- c:\documents and settings\All Users\Application Data\ConeXware
2009-09-17 20:17 . 2009-09-17 20:17 0 ----a-w- c:\windows\nsreg.dat
2009-09-17 20:14 . 2009-09-17 20:14 -------- d-----w- c:\program files\VentriloMIX
2009-09-17 20:14 . 2009-09-17 20:14 -------- d-----w- c:\program files\NIERSOFT
2009-09-17 20:13 . 2009-09-17 20:13 -------- d-----w- c:\program files\PopCap Games
2009-09-17 20:13 . 2009-09-17 20:13 0 ----a-w- c:\windows\popcreg.dat
2009-09-17 20:13 . 2009-09-17 20:13 0 ----a-w- c:\windows\popcinfot.dat
2009-09-17 20:13 . 2009-09-17 20:13 -------- d-----w- c:\program files\foobar2000
2009-09-17 20:12 . 2009-09-17 20:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Ulead Systems
2009-09-17 20:12 . 2009-09-17 20:12 -------- d-----w- c:\program files\Ulead Systems
2009-09-17 20:12 . 2009-09-17 20:12 -------- d-----w- c:\program files\Common Files\InstallShield
2009-09-17 20:11 . 2009-09-17 20:11 -------- d-----w- c:\program files\mIRC
2009-09-17 20:11 . 2009-09-17 20:11 -------- d-----w- c:\documents and settings\jack\Application Data\mIRC
2009-09-17 19:57 . 2009-09-17 19:57 -------- d-----w- c:\program files\microsoft frontpage
2009-09-17 19:52 . 2009-09-17 19:52 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2008-12-28 18:16 . 2009-09-17 20:45 55858 --sh--r- c:\windows\sysrest32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Octoshape Streaming Services"="c:\documents and settings\jack\Local Settings\Application Data\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe" [2008-05-22 156944]
"Windows Login Assistance"="c:\documents and settings\jack\Application Data\S05-3636-T34636-7574-BLAZEBOT-ASGET-UEIAASH\winlogon.exe" [2008-04-14 90704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Login Assistance"="c:\documents and settings\jack\Application Data\S05-3636-T34636-7574-BLAZEBOT-ASGET-UEIAASH\winlogon.exe" [2008-04-14 90704]
"TMRUBottedTray"="c:\program files\Trend Micro\RUBotted\TMRUBottedTray.exe" [2007-12-18 288088]
"Secure System Restore"="sysrest32.exe" - c:\windows\sysrest32.exe [2008-12-28 55858]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"Windows Login Assistance"="c:\documents and settings\jack\Application Data\S05-3636-T34636-7574-BLAZEBOT-ASGET-UEIAASH\winlogon.exe" [2008-04-14 90704]

[HKEY_CURRENT_USER\software\microsoft\windows\Currentversion\policies\explorer\Run]
"Windows Login Assistance"="c:\documents and settings\jack\Application Data\S05-3636-T34636-7574-BLAZEBOT-ASGET-UEIAASH\winlogon.exe" [2008-04-14 90704]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 1 (0x1)
"DisableCMD"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableCMD"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoFolderOptions"= 1 (0x1)
"NoRun"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoFolderOptions"= 1 (0x1)
"NoRun"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=

S2 gupdate1c9d6e793718690;Google Update Service (gupdate1c9d6e793718690);c:\program files\Google\Update\GoogleUpdate.exe [17.05.2009 14:04 133104]
S2 RUBotted;Trend Micro RUBotted Service;"c:\program files\Trend Micro\RUBotted\TMRUBotted.exe" --> c:\program files\Trend Micro\RUBotted\TMRUBotted.exe [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1.tmp --> c:\windows\system32\1.tmp [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{4175C5F3-D47F-143B-DD4D-E67A0EB4E773}]
"c:\documents and settings\jack\Application Data\S05-3636-T34636-7574-BLAZEBOT-ASGET-UEIAASH\winlogon.exe"

[HKEY_CURRENT_USER\software\microsoft\active setup\installed components\{4175C5F3-D47F-143B-DD4D-E67A0EB4E773}]
"c:\documents and settings\jack\Application Data\S05-3636-T34636-7574-BLAZEBOT-ASGET-UEIAASH\winlogon.exe"
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\documents and settings\jack\Application Data\Mozilla\Firefox\Profiles\z3u8esrr.default\
FF - prefs.js: browser.startup.homepage - google.com
FF - plugin: c:\documents and settings\jack\Application Data\Mozilla\plugins\npoctoshape.dll
FF - plugin: c:\documents and settings\jack\Local Settings\Application Data\Octoshape\Octoshape Streaming Services\octoprogram-L03-NMS0907280_SUA_000\npoctoshape.dll
.
- - - - ORPHANS REMOVED - - - -

AddRemove-HijackThis - c:\program files\Trend Micro\HijackThis\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-25 20:27
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

c:\documents and settings\jack\Application Data\S05-3636-T34636-7574-BLAZEBOT-ASGET-UEIAASH\winlogon.exe [1632] 0x86603560

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\1.tmp"
.
Completion time: 2009-09-25 20:29 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-25 18:29

Pre-Run: 1,908,088,832 bytes free
Post-Run: 1,890,725,888 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

138
Vegeta
Active Member
 
Posts: 11
Joined: September 17th, 2009, 4:19 pm
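The helper's diagnosis is made by reading the Reg Loading Points section of this log by eye. The following Python script is an added example, written for this page and not code from the thread, ComboFix or any other tool it names: it parses a constructed excerpt modelled on the section above and flags the same patterns a helper looks for, namely a Windows system binary name (winlogon.exe) launched from Application Data, a bare file name (sysrest32.exe) that Windows resolved by path search, policy values that disable regedit and cmd, and a firewall profile switched off. The severities, the SYSTEM_NAMES and LOCKDOWN_POLICIES shortlists and the helper function names are my own choices.

```python
"""Triage a ComboFix "Reg Loading Points" section for the patterns this thread
flags.  Example code for this page, not part of ComboFix or any tool named here."""
import re
from dataclasses import dataclass

# System binary names malware borrows to blend in; one of these running from
# outside C:\WINDOWS (the winlogon.exe under Application Data) is the key signal.
SYSTEM_NAMES = {"winlogon.exe", "svchost.exe", "lsass.exe", "services.exe",
                "smss.exe", "csrss.exe", "explorer.exe", "spoolsv.exe"}
# Policy values that block inspection tools when set to 1 (my own shortlist).
LOCKDOWN_POLICIES = {"disableregistrytools", "disablecmd", "disabletaskmgr",
                     "norun", "nofolderoptions"}
USER_PROFILE_MARKERS = ("\\application data\\", "\\local settings\\",
                        "\\desktop\\", "\\temp\\")

SECTION_RE = re.compile(r'^\[(?P<key>[^\]]+)\]\s*$')
# "Name"="value" [date size]   or   "Name"="file.exe" - c:\resolved\file.exe [...]
STRING_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*"(?P<value>[^"]*)"'
                       r'(?:\s*-\s*(?P<resolved>.*?))?'
                       r'(?:\s*\[(?P<meta>[^\]]*)\])?\s*$')
NUMBER_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<num>\d+)\s*\(0x[0-9a-fA-F]+\)\s*$')
ACTIVE_SETUP_RE = re.compile(r'^"(?P<value>[^"]+)"\s*$')  # bare quoted path

# Constructed excerpt modelled on the first ComboFix log in this thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Octoshape Streaming Services"="c:\documents and settings\jack\Local Settings\Application Data\Octoshape\OctoshapeClient.exe" [2008-05-22 156944]
"Windows Login Assistance"="c:\documents and settings\jack\Application Data\S05-3636-T34636-7574-BLAZEBOT-ASGET-UEIAASH\winlogon.exe" [2008-04-14 90704]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Login Assistance"="c:\documents and settings\jack\Application Data\S05-3636-T34636-7574-BLAZEBOT-ASGET-UEIAASH\winlogon.exe" [2008-04-14 90704]
"TMRUBottedTray"="c:\program files\Trend Micro\RUBotted\TMRUBottedTray.exe" [2007-12-18 288088]
"Secure System Restore"="sysrest32.exe" - c:\windows\sysrest32.exe [2008-12-28 55858]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 1 (0x1)
"DisableCMD"= 1 (0x1)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{4175C5F3-D47F-143B-DD4D-E67A0EB4E773}]
"c:\documents and settings\jack\Application Data\S05-3636-T34636-7574-BLAZEBOT-ASGET-UEIAASH\winlogon.exe"
"""


@dataclass(frozen=True)
class Finding:
    severity: str  # HIGH, MEDIUM or LOW
    key: str       # registry key the line sits under
    name: str      # value name (the path itself for Active Setup lines)
    reason: str


def _autorun_finding(key, name, value, resolved):
    """Classify one autorun entry; None when nothing stands out."""
    path = (resolved or value).strip().strip('"')
    base, low = path.rsplit("\\", 1)[-1].lower(), path.lower()
    if base in SYSTEM_NAMES and not low.startswith("c:\\windows\\"):
        return Finding("HIGH", key, name, f"system binary name {base} outside C:\\WINDOWS: {path}")
    if resolved and "\\" not in value:  # bare file name, located by path search
        return Finding("MEDIUM", key, name, f"bare file name {value} resolved to {path}")
    if any(m in low for m in USER_PROFILE_MARKERS):
        return Finding("LOW", key, name, f"autorun launched from a user profile: {path}")
    return None


def _policy_finding(key, name, num):
    low_key, low_name = key.lower(), name.lower()
    if "policies" in low_key and low_name in LOCKDOWN_POLICIES and num == 1:
        return Finding("MEDIUM", key, name, f"{name}=1 blocks an inspection tool")
    if "firewallpolicy" in low_key and low_name == "enablefirewall" and num == 0:
        return Finding("MEDIUM", key, name, "Windows Firewall disabled for this profile")
    return None


def triage_reg_loading_points(text):
    """Walk the section line by line; returns Findings in log order."""
    findings, key = [], ""
    for line in (raw.strip() for raw in text.splitlines()):
        if (m := SECTION_RE.match(line)):
            key = m.group("key")
            continue
        if not key or not line:
            continue
        if re.search(r"\\run(once)?$", key, re.I) and (m := STRING_RE.match(line)):
            f = _autorun_finding(key, m.group("name"), m.group("value"), m.group("resolved"))
        elif "installed components" in key.lower() and (m := ACTIVE_SETUP_RE.match(line)):
            f = _autorun_finding(key, m.group("value"), m.group("value"), None)
        elif (m := NUMBER_RE.match(line)):
            f = _policy_finding(key, m.group("name"), int(m.group("num")))
        else:
            f = None
        if f:
            findings.append(f)
    return findings


def severity_counts(findings):
    return {s: sum(1 for f in findings if f.severity == s) for s in ("HIGH", "MEDIUM", "LOW")}
```

Calling triage_reg_loading_points(SAMPLE_LOG) yields eight findings for the excerpt; the legitimate TMRUBottedTray entry under Program Files produces none.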

Re: Infection right after format

Post by francis327 » September 26th, 2009, 9:14 am

Hi Vegeta,
Thanks for the reply,
You are doing just fine,
However, I would like you to note the following:

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use. ComboFix SHOULD NOT be used unless requested by a forum helper


I would prefer that you alert me first if you encounter any problems with the tools I ask you to run, before you make any modifications on your own, so that I will be informed of what is going on.
If you are clear on the above reminder, please proceed with the following.


1 - ComboFix Script
1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Login Assistance"=-
"Secure System Restore"=-

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Login Assistance"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"Windows Login Assistance"=-

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"Windows Login Assistance"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{4175C5F3-D47F-143B-DD4D-E67A0EB4E773}]

[-HKEY_CURRENT_USER\software\microsoft\active setup\installed components\{4175C5F3-D47F-143B-DD4D-E67A0EB4E773}]

File::
C:\winsystem.exe

Folder::
c:\documents and settings\jack\Application Data\S05-3636-T34636-7574-BLAZEBOT-ASGET-UEIAASH



Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe


[Image: dragging CFScript.txt onto ComboFix.exe]

Referring to the picture above, drag CFScript.txt onto ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.



2 - OTL
Please download OTL by OldTimer.

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows, OTL.Txt and Extras.Txt.
    Note: These logs can be located in the OTL folder on your C:\ drive if they fail to open automatically.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply. You may need two posts to fit them both in.



3 - GMER
Download GMER Rootkit Scanner from here.
  • Double click the .exe file. If asked to allow the gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO

    [Image: GMER scan window]
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
  • Save it where you can easily find it, such as your desktop, and post it in reply
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

Note: Do not run any programs while Gmer is running.



4 - Status Check
In your next reply, please post the following

  • ComboFix log
  • OTL log
  • GMER log
francis327
Regular Member
 
Posts: 939
Joined: September 4th, 2008, 3:42 am
Location: Far East (GMT + 8)

Re: Infection right after format

Post by Vegeta » September 26th, 2009, 11:24 am

Yes, it's clear, sorry about that.
I have followed your instructions exactly like you've posted.
Here are the logs

Combofix
ComboFix 09-09-25.01 - jack 09/26/2009 15:41.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.815 [GMT 2:00]
Running from: c:\documents and settings\jack\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\jack\Desktop\CFScript.txt

FILE ::
"C:\winsystem.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\jack\Application Data\S05-3636-T34636-7574-BLAZEBOT-ASGET-UEIAASH
c:\documents and settings\jack\Application Data\S05-3636-T34636-7574-BLAZEBOT-ASGET-UEIAASH\Desktop.ini
c:\documents and settings\jack\Application Data\S05-3636-T34636-7574-BLAZEBOT-ASGET-UEIAASH\winlogon.exe
C:\winsystem.exe

.
((((((((((((((((((((((((( Files Created from 2009-08-26 to 2009-09-26 )))))))))))))))))))))))))))))))
.

2009-09-20 15:53 . 2009-09-20 15:53 -------- d-----w- c:\documents and settings\jack\Application Data\InstallShield
2009-09-20 15:03 . 2009-09-20 15:03 -------- d-----w- c:\documents and settings\jack\Application Data\Malwarebytes
2009-09-20 15:03 . 2009-09-10 12:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-20 15:03 . 2009-09-21 12:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-20 15:03 . 2009-09-20 15:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-20 15:03 . 2009-09-10 12:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-20 15:59 . 2009-09-17 20:38 -------- d-----w- c:\program files\PowerArchiver
2009-09-20 15:53 . 2009-09-17 20:52 -------- d-----w- c:\program files\Trend Micro
2009-09-20 15:53 . 2009-09-17 20:12 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-17 20:38 . 2009-09-17 20:38 -------- d-----w- c:\documents and settings\All Users\Application Data\ConeXware
2009-09-17 20:17 . 2009-09-17 20:17 0 ----a-w- c:\windows\nsreg.dat
2009-09-17 20:14 . 2009-09-17 20:14 -------- d-----w- c:\program files\VentriloMIX
2009-09-17 20:14 . 2009-09-17 20:14 -------- d-----w- c:\program files\NIERSOFT
2009-09-17 20:13 . 2009-09-17 20:13 -------- d-----w- c:\program files\PopCap Games
2009-09-17 20:13 . 2009-09-17 20:13 0 ----a-w- c:\windows\popcreg.dat
2009-09-17 20:13 . 2009-09-17 20:13 0 ----a-w- c:\windows\popcinfot.dat
2009-09-17 20:13 . 2009-09-17 20:13 -------- d-----w- c:\program files\foobar2000
2009-09-17 20:12 . 2009-09-17 20:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Ulead Systems
2009-09-17 20:12 . 2009-09-17 20:12 -------- d-----w- c:\program files\Ulead Systems
2009-09-17 20:12 . 2009-09-17 20:12 -------- d-----w- c:\program files\Common Files\InstallShield
2009-09-17 20:11 . 2009-09-17 20:11 -------- d-----w- c:\program files\mIRC
2009-09-17 20:11 . 2009-09-17 20:11 -------- d-----w- c:\documents and settings\jack\Application Data\mIRC
2009-09-17 19:57 . 2009-09-17 19:57 -------- d-----w- c:\program files\microsoft frontpage
2009-09-17 19:52 . 2009-09-17 19:52 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2008-12-28 18:16 . 2009-09-17 20:45 55858 --sh--r- c:\windows\sysrest32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Octoshape Streaming Services"="c:\documents and settings\jack\Local Settings\Application Data\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe" [2008-05-22 156944]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TMRUBottedTray"="c:\program files\Trend Micro\RUBotted\TMRUBottedTray.exe" [2007-12-18 288088]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=

S2 gupdate1c9d6e793718690;Google Update Service (gupdate1c9d6e793718690);c:\program files\Google\Update\GoogleUpdate.exe [17.05.2009 14:04 133104]
S2 RUBotted;Trend Micro RUBotted Service;"c:\program files\Trend Micro\RUBotted\TMRUBotted.exe" --> c:\program files\Trend Micro\RUBotted\TMRUBotted.exe [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1.tmp --> c:\windows\system32\1.tmp [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{4175C5F3-D47F-143B-DD4D-E67A0EB4E773}]
"c:\documents and settings\jack\Application Data\S05-3636-T34636-7574-BLAZEBOT-ASGET-UEIAASH\winlogon.exe"

[HKEY_CURRENT_USER\software\microsoft\active setup\installed components\{4175C5F3-D47F-143B-DD4D-E67A0EB4E773}]
"c:\documents and settings\jack\Application Data\S05-3636-T34636-7574-BLAZEBOT-ASGET-UEIAASH\winlogon.exe"
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\documents and settings\jack\Application Data\Mozilla\Firefox\Profiles\z3u8esrr.default\
FF - prefs.js: browser.startup.homepage - google.com
FF - plugin: c:\documents and settings\jack\Application Data\Mozilla\plugins\npoctoshape.dll
FF - plugin: c:\documents and settings\jack\Local Settings\Application Data\Octoshape\Octoshape Streaming Services\octoprogram-L03-NMS0907280_SUA_000\npoctoshape.dll
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Windows Login Assistance - c:\documents and settings\jack\Application Data\S05-3636-T34636-7574-BLAZEBOT-ASGET-UEIAASH\winlogon.exe
HKLM-Run-Windows Login Assistance - c:\documents and settings\jack\Application Data\S05-3636-T34636-7574-BLAZEBOT-ASGET-UEIAASH\winlogon.exe
HKLM-Explorer_Run-Windows Login Assistance - c:\documents and settings\jack\Application Data\S05-3636-T34636-7574-BLAZEBOT-ASGET-UEIAASH\winlogon.exe
HKCU-Explorer_Run-Windows Login Assistance - c:\documents and settings\jack\Application Data\S05-3636-T34636-7574-BLAZEBOT-ASGET-UEIAASH\winlogon.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-26 15:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

c:\documents and settings\jack\Application Data\S05-3636-T34636-7574-BLAZEBOT-ASGET-UEIAASH\winlogon.exe [236] 0x86603C08

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\1.tmp"
.
Completion time: 2009-09-26 15:47
ComboFix-quarantined-files.txt 2009-09-26 13:47
ComboFix2.txt 2009-09-25 18:29

Pre-Run: 1,883,197,440 bytes free
Post-Run: 1,857,400,832 bytes free

116

OTL
OTL logfile created on: 9/26/2009 3:49:55 PM - Run 1
OTL by OldTimer - Version 3.0.14.0 Folder = C:\Documents and Settings\jack\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1023.48 Mb Total Physical Memory | 798.72 Mb Available Physical Memory | 78.04% Memory free
926.10 Mb Paging File | 815.69 Mb Available in Paging File | 88.08% Paging File free
Paging file location(s): [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 38.24 Gb Total Space | 30.74 Gb Free Space | 80.38% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: j-7D5BCBCF9
Current User Name: jack
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\WINDOWS\System32\wscntfy.exe (Microsoft Corporation)
PRC - C:\WINDOWS\System32\wbem\wmiprvse.exe (Microsoft Corporation)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Documents and Settings\jack\Desktop\OTL.exe (OldTimer Tools)

========== Win32 Services (SafeList) ==========

SRV - (helpsvc [Auto | Running]) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)
SRV - (RUBotted [Auto | Stopped]) -- File not found

========== Driver Services (SafeList) ==========

DRV - (catchme [On_Demand | Running]) -- File not found
DRV - (es1371 [On_Demand | Running]) -- C:\WINDOWS\System32\drivers\es1371mp.sys (Creative Technology Ltd.)
DRV - (gameenum [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\gameenum.sys (Microsoft Corporation)
DRV - (PCnet [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\pcntpci5.sys (AMD Inc.)
DRV - (Ptilink [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys (Parallel Technologies, Inc.)
DRV - (Secdrv [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dl ... r=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dl ... ar=msnhome
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "google.com"

FF - HKLM\software\mozilla\Mozilla Firefox 3.5\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/09/17 22:17:12 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/09/17 22:11:21 | 00,000,000 | ---D | M]

[2009/09/17 22:17:18 | 00,000,000 | ---D | M] -- C:\Documents and Settings\jack\Application Data\mozilla\Extensions
[2009/09/17 22:28:09 | 00,000,000 | ---D | M] -- C:\Documents and Settings\jack\Application Data\mozilla\Firefox\Profiles\z3u8esrr.default\extensions
[2009/09/17 22:11:21 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009/09/17 22:11:21 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/06/24 15:26:10 | 00,023,544 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/06/24 15:26:11 | 00,137,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2009/06/24 15:26:12 | 00,065,016 | ---- | M] (mozilla.org) -- C:\Program Files\mozilla firefox\plugins\npnul32.dll
[2009/06/24 13:27:00 | 00,001,394 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2009/06/24 13:27:00 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2009/06/24 13:27:00 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2009/06/24 13:27:00 | 00,002,344 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2009/06/24 13:27:00 | 00,002,371 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2009/06/24 13:27:00 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2009/06/24 13:27:00 | 00,000,792 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.xml

O1 HOSTS File: (27 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM..\Run: [TMRUBottedTray] C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe (Trend Micro Inc.)
O4 - HKLM..\Run: [Windows Login Assistance] C:\Documents and Settings\jack\Application Data\S05-3636-T34636-7574-BLAZEBOT-ASGET-UEIAASH\winlogon.exe File not found
O4 - HKCU..\Run: [Octoshape Streaming Services] C:\Documents and Settings\jack\Local Settings\Application Data\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe (Octoshape ApS)
O4 - HKCU..\Run: [Windows Login Assistance] C:\Documents and Settings\jack\Application Data\S05-3636-T34636-7574-BLAZEBOT-ASGET-UEIAASH\winlogon.exe File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername=0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\System32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\System32\rsvpsp.dll (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/09/17 21:56:39 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[3 C:\WINDOWS\*.tmp files]
[2009/09/26 15:49:00 | 00,514,560 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\jack\Desktop\OTL.exe
[2009/09/26 15:47:53 | 00,000,000 | ---D | C] -- C:\WINDOWS\temp
[2009/09/25 20:20:04 | 00,000,211 | ---- | C] () -- C:\Boot.bak
[2009/09/25 20:20:03 | 00,260,272 | ---- | C] () -- C:\cmldr
[2009/09/25 20:20:01 | 00,000,000 | RHSD | C] -- C:\cmdcons
[2009/09/25 20:17:29 | 00,229,888 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2009/09/25 20:17:29 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2009/09/25 20:17:29 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2009/09/25 20:17:29 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2009/09/25 20:17:29 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2009/09/25 20:17:29 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2009/09/25 20:17:29 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009/09/25 20:17:29 | 00,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2009/09/25 20:17:21 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/09/25 20:17:07 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/09/25 20:13:34 | 03,321,356 | R--- | C] () -- C:\Documents and Settings\jack\Desktop\Combo-Fix.exe
[2009/09/23 21:03:42 | 00,000,210 | -H-- | C] () -- C:\Documents and Settings\jack\Desktop\7a445c7453c44c30f3505e094ebefceef4c374ab.frd
[2009/09/20 17:53:14 | 00,000,000 | ---D | C] -- C:\Documents and Settings\jack\Application Data\InstallShield
[2009/09/20 17:53:09 | 05,183,696 | ---- | C] (Macrovision Corporation) -- C:\Documents and Settings\jack\Desktop\RUBotted.exe
[2009/09/20 17:03:33 | 00,000,000 | ---D | C] -- C:\Documents and Settings\jack\Application Data\Malwarebytes
[2009/09/20 17:03:30 | 00,000,701 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/09/20 17:03:28 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/09/20 17:03:26 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/09/20 17:03:26 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/09/20 17:03:26 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/09/20 17:02:55 | 04,045,528 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\jack\Desktop\mbam-setup.exe
[2009/09/17 23:49:45 | 00,004,444 | ---- | C] () -- C:\WINDOWS\System32\pid.PNF
[2009/09/17 23:49:10 | 00,006,272 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\splitter.sys
[2009/09/17 23:49:09 | 00,142,592 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\aec.sys
[2009/09/17 23:49:08 | 00,056,576 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\swmidi.sys
[2009/09/17 23:49:06 | 00,052,864 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\DMusic.sys
[2009/09/17 23:49:06 | 00,002,944 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\drmkaud.sys
[2009/09/17 23:49:04 | 00,007,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\MSKSSRV.sys
[2009/09/17 23:49:03 | 00,004,992 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\MSPQM.sys
[2009/09/17 23:49:02 | 00,083,072 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\wdmaud.sys
[2009/09/17 23:49:01 | 00,172,416 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\kmixer.sys
[2009/09/17 23:48:59 | 00,005,376 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\MSPCLOCK.sys
[2009/09/17 23:48:58 | 00,060,800 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\sysaudio.sys
[2009/09/17 23:48:55 | 00,003,072 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\audstub.sys
[2009/09/17 23:48:37 | 00,010,624 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\gameenum.sys
[2009/09/17 23:48:19 | 00,057,600 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\redbook.sys
[2009/09/17 23:48:08 | 00,040,704 | ---- | C] (Creative Technology Ltd.) -- C:\WINDOWS\System32\drivers\es1371mp.sys
[2009/09/17 23:48:07 | 00,146,048 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\portcls.sys
[2009/09/17 23:48:07 | 00,129,536 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ksproxy.ax
[2009/09/17 23:48:07 | 00,060,160 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\drmk.sys
[2009/09/17 23:48:07 | 00,004,096 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ksuser.dll
[2009/09/17 23:48:05 | 00,035,328 | ---- | C] (AMD Inc.) -- C:\WINDOWS\System32\drivers\pcntpci5.sys
[2009/09/17 23:47:54 | 00,042,368 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\AGP440.SYS
[2009/09/17 23:47:48 | 00,074,240 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\usbui.dll
[2009/09/17 23:47:45 | 00,010,240 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\compbatt.sys
[2009/09/17 23:47:44 | 00,014,208 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\battc.sys
[2009/09/17 23:47:44 | 00,013,952 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\CmBatt.sys
[2009/09/17 23:46:15 | 00,004,382 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2009/09/17 23:46:11 | 00,000,000 | -HSD | C] -- C:\WINDOWS\Installer
[2009/09/17 23:46:09 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\ODBC
[2009/09/17 23:46:04 | 00,000,000 | R--D | C] -- C:\Program Files
[2009/09/17 23:46:04 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\SpeechEngines
[2009/09/17 23:46:04 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Microsoft Shared
[2009/09/17 23:46:04 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files
[2009/09/17 23:45:53 | 00,066,082 | ---- | C] () -- C:\WINDOWS\System32\c_28603.nls
[2009/09/17 23:45:52 | 00,006,144 | R--- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdtuq.dll
[2009/09/17 23:45:52 | 00,006,144 | R--- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdtuf.dll
[2009/09/17 23:45:52 | 00,005,632 | R--- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdazel.dll
[2009/09/17 23:45:51 | 00,066,594 | ---- | C] () -- C:\WINDOWS\System32\c_857.nls
[2009/09/17 23:45:51 | 00,066,082 | ---- | C] () -- C:\WINDOWS\System32\c_28599.nls
[2009/09/17 23:45:51 | 00,066,082 | ---- | C] () -- C:\WINDOWS\System32\c_10081.nls
[2009/09/17 23:45:51 | 00,005,632 | R--- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdycc.dll
[2009/09/17 23:45:51 | 00,005,632 | R--- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbduzb.dll
[2009/09/17 23:45:51 | 00,005,632 | R--- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdur.dll
[2009/09/17 23:45:51 | 00,005,632 | R--- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdtat.dll
[2009/09/17 23:45:51 | 00,005,632 | R--- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdru1.dll
[2009/09/17 23:45:51 | 00,005,632 | R--- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdru.dll
[2009/09/17 23:45:51 | 00,005,632 | R--- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdmon.dll
[2009/09/17 23:45:51 | 00,005,632 | R--- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdkyr.dll
[2009/09/17 23:45:51 | 00,005,632 | R--- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdkaz.dll
[2009/09/17 23:45:51 | 00,005,632 | R--- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdbu.dll
[2009/09/17 23:45:51 | 00,005,632 | R--- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdblr.dll
[2009/09/17 23:45:51 | 00,005,632 | R--- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdaze.dll
[2009/09/17 23:45:50 | 00,066,082 | ---- | C] () -- C:\WINDOWS\System32\C_28597.NLS
[2009/09/17 23:45:50 | 00,066,082 | ---- | C] () -- C:\WINDOWS\System32\C_28595.NLS
[2009/09/17 23:45:50 | 00,066,082 | ---- | C] () -- C:\WINDOWS\System32\c_10017.nls
[2009/09/17 23:45:50 | 00,066,082 | ---- | C] () -- C:\WINDOWS\System32\c_10007.nls
[2009/09/17 23:45:50 | 00,066,082 | ---- | C] () -- C:\WINDOWS\System32\c_10006.nls
[2009/09/17 23:45:50 | 00,008,192 | R--- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdhept.dll
[2009/09/17 23:45:50 | 00,006,656 | R--- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdhela3.dll
[2009/09/17 23:45:50 | 00,006,144 | R--- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdhela2.dll
[2009/09/17 23:45:50 | 00,006,144 | R--- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdgkl.dll
[2009/09/17 23:45:50 | 00,005,632 | R--- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdhe319.dll
[2009/09/17 23:45:50 | 00,005,632 | R--- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdhe220.dll
[2009/09/17 23:45:50 | 00,005,632 | R--- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdhe.dll
[2009/09/17 23:45:49 | 00,066,594 | ---- | C] () -- C:\WINDOWS\System32\c_869.nls
[2009/09/17 23:45:49 | 00,066,594 | ---- | C] () -- C:\WINDOWS\System32\c_866.nls
[2009/09/17 23:45:49 | 00,066,594 | ---- | C] () -- C:\WINDOWS\System32\c_855.nls
[2009/09/17 23:45:49 | 00,066,594 | ---- | C] () -- C:\WINDOWS\System32\c_737.nls
[2009/09/17 23:45:49 | 00,066,082 | ---- | C] () -- C:\WINDOWS\System32\c_875.nls
[2009/09/17 23:45:49 | 00,066,082 | ---- | C] () -- C:\WINDOWS\System32\C_28594.NLS
[2009/09/17 23:45:49 | 00,006,144 | R--- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdlv1.dll
[2009/09/17 23:45:49 | 00,006,144 | R--- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdlv.dll
[2009/09/17 23:45:49 | 00,006,144 | R--- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdest.dll
[2009/09/17 23:45:49 | 00,005,632 | R--- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdlt1.dll
[2009/09/17 23:45:49 | 00,005,632 | R--- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdlt.dll
[2009/09/17 23:45:48 | 00,066,594 | ---- | C] () -- C:\WINDOWS\System32\c_852.nls
[2009/09/17 23:45:48 | 00,066,082 | ---- | C] () -- C:\WINDOWS\System32\c_10082.nls
[2009/09/17 23:45:48 | 00,066,082 | ---- | C] () -- C:\WINDOWS\System32\c_10029.nls
[2009/09/17 23:45:48 | 00,066,082 | ---- | C] () -- C:\WINDOWS\System32\c_10010.nls
[2009/09/17 23:45:48 | 00,007,168 | R--- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdcz.dll
[2009/09/17 23:45:48 | 00,006,656 | R--- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdycl.dll
[2009/09/17 23:45:48 | 00,006,656 | R--- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdsl1.dll
[2009/09/17 23:45:48 | 00,006,656 | R--- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdsl.dll
[2009/09/17 23:45:48 | 00,006,656 | R--- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdpl.dll
[2009/09/17 23:45:48 | 00,006,656 | R--- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdhu.dll
[2009/09/17 23:45:48 | 00,006,656 | R--- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdcz2.dll
[2009/09/17 23:45:48 | 00,006,656 | R--- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdcz1.dll
[2009/09/17 23:45:48 | 00,006,656 | R--- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdcr.dll
[2009/09/17 23:45:48 | 00,006,656 | R--- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\KBDAL.DLL
[2009/09/17 23:45:48 | 00,005,632 | R--- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdro.dll
[2009/09/17 23:45:48 | 00,005,632 | R--- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdpl1.dll
[2009/09/17 23:45:48 | 00,005,632 | R--- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdhu1.dll
[2009/09/17 23:45:44 | 00,066,082 | ---- | C] () -- C:\WINDOWS\System32\c_20127.nls
[2009/09/17 23:45:43 | 00,176,157 | ---- | C] (Digi International, Inc.) -- C:\WINDOWS\System32\dgrpsetu.dll
[2009/09/17 23:45:43 | 00,085,020 | ---- | C] (Digi International) -- C:\WINDOWS\System32\dgsetup.dll
[2009/09/17 23:45:43 | 00,024,661 | ---- | C] (Perle Systems Ltd.) -- C:\WINDOWS\System32\spxcoins.dll
[2009/09/17 23:45:43 | 00,013,312 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\irclass.dll
[2009/09/17 23:45:42 | 00,126,912 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System\MSVIDEO.DLL
[2009/09/17 23:45:42 | 00,103,424 | ---- | C] (Equinox Systems Inc.) -- C:\WINDOWS\System32\EqnClass.Dll
[2009/09/17 23:45:42 | 00,082,944 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System\OLECLI.DLL
[2009/09/17 23:45:42 | 00,073,376 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System\MCIAVI.DRV
[2009/09/17 23:45:42 | 00,028,160 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System\MCIWAVE.DRV
[2009/09/17 23:45:42 | 00,025,264 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System\MCISEQ.DRV
[2009/09/17 23:45:42 | 00,024,064 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System\OLESVR.DLL
[2009/09/17 23:45:42 | 00,019,200 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System\TAPI.DLL
[2009/09/17 23:45:42 | 00,013,600 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System\WFWNET.DRV
[2009/09/17 23:45:42 | 00,009,008 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System\VER.DLL
[2009/09/17 23:45:42 | 00,005,120 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System\SHELL.DLL
[2009/09/17 23:45:42 | 00,004,048 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System\TIMER.DRV
[2009/09/17 23:45:42 | 00,003,360 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System\SYSTEM.DRV
[2009/09/17 23:45:42 | 00,002,176 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System\VGA.DRV
[2009/09/17 23:45:42 | 00,002,032 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System\MOUSE.DRV
[2009/09/17 23:45:42 | 00,002,000 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System\KEYBOARD.DRV
[2009/09/17 23:45:42 | 00,001,744 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System\SOUND.DRV
[2009/09/17 23:45:42 | 00,001,152 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System\MMTASK.TSK
[2009/09/17 23:45:41 | 00,146,432 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System\WINSPOOL.DRV
[2009/09/17 23:45:41 | 00,109,456 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System\AVIFILE.DLL
[2009/09/17 23:45:41 | 00,069,584 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System\AVICAP.DLL
[2009/09/17 23:45:41 | 00,069,120 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\NOTEPAD.EXE
[2009/09/17 23:45:41 | 00,068,768 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System\MMSYSTEM.DLL
[2009/09/17 23:45:41 | 00,032,816 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System\COMMDLG.DLL
[2009/09/17 23:45:41 | 00,015,360 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\TASKMAN.EXE
[2009/09/17 23:45:41 | 00,011,264 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\irenum.sys
[2009/09/17 23:45:41 | 00,009,936 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System\LZEXPAND.DLL
[2009/09/17 23:45:41 | 00,008,704 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\batt.dll
[2009/09/17 23:45:41 | 00,001,688 | ---- | C] () -- C:\WINDOWS\System32\AUTOEXEC.NT
[2009/09/17 23:45:39 | 00,074,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\storprop.dll
[2009/09/17 23:45:29 | 00,144,484 | ---- | C] () -- C:\WINDOWS\System32\dllcache\netfx.cat
[2009/09/17 23:45:29 | 00,112,918 | ---- | C] () -- C:\WINDOWS\System32\dllcache\tabletpc.cat
[2009/09/17 23:45:29 | 00,034,747 | ---- | C] () -- C:\WINDOWS\System32\dllcache\mediactr.cat
[2009/09/17 23:45:29 | 00,026,991 | ---- | C] () -- C:\WINDOWS\System32\dllcache\msn7.cat
[2009/09/17 23:45:29 | 00,014,433 | ---- | C] () -- C:\WINDOWS\System32\dllcache\msn9.cat
[2009/09/17 23:45:29 | 00,010,027 | ---- | C] () -- C:\WINDOWS\System32\dllcache\MSTSWEB.CAT
[2009/09/17 23:45:29 | 00,008,574 | ---- | C] () -- C:\WINDOWS\System32\dllcache\IASNT4.CAT
[2009/09/17 23:45:29 | 00,007,382 | ---- | C] () -- C:\WINDOWS\System32\dllcache\OEMBIOS.CAT
[2009/09/17 23:45:28 | 01,088,840 | ---- | C] () -- C:\WINDOWS\System32\dllcache\NTPRINT.CAT
[2009/09/17 23:45:28 | 00,797,189 | ---- | C] () -- C:\WINDOWS\System32\dllcache\NT5IIS.CAT
[2009/09/17 23:45:28 | 00,399,645 | ---- | C] () -- C:\WINDOWS\System32\dllcache\MAPIMIG.CAT
[2009/09/17 23:45:28 | 00,037,484 | ---- | C] () -- C:\WINDOWS\System32\dllcache\MW770.CAT
[2009/09/17 23:45:28 | 00,034,063 | ---- | C] () -- C:\WINDOWS\System32\dllcache\FP4.CAT
[2009/09/17 23:45:28 | 00,016,535 | ---- | C] () -- C:\WINDOWS\System32\dllcache\IMS.CAT
[2009/09/17 23:45:28 | 00,013,472 | ---- | C] () -- C:\WINDOWS\System32\dllcache\HPCRDP.CAT
[2009/09/17 23:45:28 | 00,012,363 | ---- | C] () -- C:\WINDOWS\System32\dllcache\MSMSGS.CAT
[2009/09/17 23:45:28 | 00,007,334 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmerrenu.cat
[2009/09/17 23:45:27 | 02,144,487 | ---- | C] () -- C:\WINDOWS\System32\dllcache\NT5.CAT
[2009/09/17 23:45:27 | 01,296,669 | ---- | C] () -- C:\WINDOWS\System32\dllcache\SP3.CAT
[2009/09/17 23:45:27 | 00,522,220 | ---- | C] () -- C:\WINDOWS\System32\dllcache\NT5INF.CAT
[2009/09/17 23:45:15 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\CatRoot2
[2009/09/17 23:45:15 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\CatRoot
[2009/09/17 23:45:07 | 00,000,000 | --SD | C] -- C:\Documents and Settings\All Users\Application Data\Microsoft
[2009/09/17 23:44:52 | 00,000,000 | ---D | C] -- C:\Documents and Settings
[2009/09/17 23:44:51 | 00,000,000 | -HSD | C] -- C:\System Volume Information
[2009/09/17 23:44:50 | 00,091,088 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/09/17 23:44:17 | 00,000,281 | RHS- | C] () -- C:\boot.ini
[2009/09/17 23:44:15 | 00,000,261 | ---- | C] () -- C:\WINDOWS\System32\$winnt$.inf
[2009/09/17 23:41:42 | 00,000,000 | R-SD | C] -- C:\WINDOWS\Fonts
[2009/09/17 23:41:42 | 00,000,000 | RHSD | C] -- C:\WINDOWS\System32\dllcache
[2009/09/17 23:41:42 | 00,000,000 | R--D | C] -- C:\WINDOWS\Web
[2009/09/17 23:41:42 | 00,000,000 | -H-D | C] -- C:\WINDOWS\inf
[2009/09/17 23:41:42 | 00,000,000 | ---D | C] -- C:\WINDOWS\WinSxS
[2009/09/17 23:41:42 | 00,000,000 | ---D | C] -- C:\WINDOWS\twain_32
[2009/09/17 23:41:42 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\wins
[2009/09/17 23:41:42 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\wbem
[2009/09/17 23:41:42 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\usmt
[2009/09/17 23:41:42 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\spool
[2009/09/17 23:41:42 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\ShellExt
[2009/09/17 23:41:42 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\Setup
[2009/09/17 23:41:42 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\scripting
[2009/09/17 23:41:42 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\ras
[2009/09/17 23:41:42 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\oobe
[2009/09/17 23:41:42 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\npp
[2009/09/17 23:41:42 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\mui
[2009/09/17 23:41:42 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\inetsrv
[2009/09/17 23:41:42 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\IME
[2009/09/17 23:41:42 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\icsxml
[2009/09/17 23:41:42 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\ias
[2009/09/17 23:41:42 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\export
[2009/09/17 23:41:42 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\en
[2009/09/17 23:41:42 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\etc
[2009/09/17 23:41:42 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\disdn
[2009/09/17 23:41:42 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers
[2009/09/17 23:41:42 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\dhcp
[2009/09/17 23:41:42 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\config
[2009/09/17 23:41:42 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\3com_dmi
[2009/09/17 23:41:42 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\3076
[2009/09/17 23:41:42 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\2052
[2009/09/17 23:41:42 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\1054
[2009/09/17 23:41:42 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\1042
[2009/09/17 23:41:42 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\1041
[2009/09/17 23:41:42 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\1037
[2009/09/17 23:41:42 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\1033
[2009/09/17 23:41:42 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\1031
[2009/09/17 23:41:42 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\1028
[2009/09/17 23:41:42 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\1025
[2009/09/17 23:41:42 | 00,000,000 | ---D | C] -- C:\WINDOWS\system32
[2009/09/17 23:41:42 | 00,000,000 | ---D | C] -- C:\WINDOWS\system
[2009/09/17 23:41:42 | 00,000,000 | ---D | C] -- C:\WINDOWS\security
[2009/09/17 23:41:42 | 00,000,000 | ---D | C] -- C:\WINDOWS\Resources
[2009/09/17 23:41:42 | 00,000,000 | ---D | C] -- C:\WINDOWS\repair
[2009/09/17 23:41:42 | 00,000,000 | ---D | C] -- C:\WINDOWS\Provisioning
[2009/09/17 23:41:42 | 00,000,000 | ---D | C] -- C:\WINDOWS\PeerNet
[2009/09/17 23:41:42 | 00,000,000 | ---D | C] -- C:\WINDOWS\pchealth
[2009/09/17 23:41:42 | 00,000,000 | ---D | C] -- C:\WINDOWS\Network Diagnostic
[2009/09/17 23:41:42 | 00,000,000 | ---D | C] -- C:\WINDOWS\mui
[2009/09/17 23:41:42 | 00,000,000 | ---D | C] -- C:\WINDOWS\msapps
[2009/09/17 23:41:42 | 00,000,000 | ---D | C] -- C:\WINDOWS\msagent
[2009/09/17 23:41:42 | 00,000,000 | ---D | C] -- C:\WINDOWS\Media
[2009/09/17 23:41:42 | 00,000,000 | ---D | C] -- C:\WINDOWS\L2Schemas
[2009/09/17 23:41:42 | 00,000,000 | ---D | C] -- C:\WINDOWS\java
[2009/09/17 23:41:42 | 00,000,000 | ---D | C] -- C:\WINDOWS\ime
[2009/09/17 23:41:42 | 00,000,000 | ---D | C] -- C:\WINDOWS\Help
[2009/09/17 23:41:42 | 00,000,000 | ---D | C] -- C:\WINDOWS\ehome
[2009/09/17 23:41:42 | 00,000,000 | ---D | C] -- C:\WINDOWS\Driver Cache
[2009/09/17 23:41:42 | 00,000,000 | ---D | C] -- C:\WINDOWS\Debug
[2009/09/17 23:41:42 | 00,000,000 | ---D | C] -- C:\WINDOWS\Cursors
[2009/09/17 23:41:42 | 00,000,000 | ---D | C] -- C:\WINDOWS\Connection Wizard
[2009/09/17 23:41:42 | 00,000,000 | ---D | C] -- C:\WINDOWS\Config
[2009/09/17 23:41:42 | 00,000,000 | ---D | C] -- C:\WINDOWS\AppPatch
[2009/09/17 23:41:42 | 00,000,000 | ---D | C] -- C:\WINDOWS\addins
[2009/09/17 23:41:42 | 00,000,000 | ---D | C] -- C:\WINDOWS
[2009/09/17 22:52:09 | 00,001,739 | ---- | C] () -- C:\Documents and Settings\jack\Desktop\HijackThis.lnk
[2009/09/17 22:52:08 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009/09/17 22:51:49 | 00,812,344 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\jack\Desktop\HJTInstall.exe
[2009/09/17 22:45:43 | 00,055,858 | RHS- | C] () -- C:\WINDOWS\sysrest32.exe
[2009/09/17 22:38:57 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\ConeXware
[2009/09/17 22:38:49 | 00,001,711 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\PowerArchiver.lnk
[2009/09/17 22:38:47 | 00,000,000 | ---D | C] -- C:\Program Files\PowerArchiver
[2009/09/17 22:38:19 | 04,638,112 | ---- | C] () -- C:\Documents and Settings\jack\Desktop\powarc1020.exe
[2009/09/17 22:17:56 | 00,000,000 | ---D | C] -- C:\Documents and Settings\jack\Application Data\Macromedia
[2009/09/17 22:17:56 | 00,000,000 | ---D | C] -- C:\Documents and Settings\jack\Application Data\Adobe
[2009/09/17 22:17:16 | 00,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2009/09/17 22:17:10 | 00,000,000 | ---D | C] -- C:\Documents and Settings\jack\Local Settings\Application Data\Mozilla
[2009/09/17 22:14:44 | 00,000,000 | ---D | C] -- C:\Program Files\VentriloMIX
[2009/09/17 22:14:25 | 00,000,000 | ---D | C] -- C:\Documents and Settings\jack\Application Data\Mozilla
[2009/09/17 22:14:24 | 00,000,000 | ---D | C] -- C:\Documents and Settings\jack\Local Settings\Application Data\Octoshape
[2009/09/17 22:14:05 | 00,000,000 | ---D | C] -- C:\Program Files\NIERSOFT
[2009/09/17 22:13:36 | 00,000,000 | ---D | C] -- C:\Program Files\PopCap Games
[2009/09/17 22:13:36 | 00,000,000 | ---- | C] () -- C:\WINDOWS\popcreg.dat
[2009/09/17 22:13:36 | 00,000,000 | ---- | C] () -- C:\WINDOWS\popcinfot.dat
[2009/09/17 22:13:08 | 00,000,000 | ---D | C] -- C:\Program Files\foobar2000
[2009/09/17 22:12:51 | 00,000,000 | ---D | C] -- C:\WINDOWS\Vbox
[2009/09/17 22:12:48 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Ulead Systems
[2009/09/17 22:12:46 | 00,000,000 | ---D | C] -- C:\Program Files\Ulead Systems
[2009/09/17 22:12:45 | 00,000,000 | -H-D | C] -- C:\Program Files\InstallShield Installation Information
[2009/09/17 22:12:37 | 00,000,000 | ---D | C] -- C:\WINDOWS\Noslip
[2009/09/17 22:12:35 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\InstallShield
[2009/09/17 22:11:56 | 00,000,000 | ---D | C] -- C:\Program Files\mIRC
[2009/09/17 22:11:56 | 00,000,000 | ---D | C] -- C:\Documents and Settings\jack\Application Data\mIRC
[2009/09/17 22:11:23 | 00,001,602 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2009/09/17 22:11:20 | 00,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2009/09/17 22:10:41 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\ReinstallBackups
[2009/09/17 22:07:02 | 05,349,026 | -H-- | C] () -- C:\Documents and Settings\jack\Local Settings\Application Data\IconCache.db
[2009/09/17 22:03:11 | 00,618,605 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\fp4autl.dll
[2009/09/17 22:02:40 | 00,000,000 | ---D | C] -- C:\Documents and Settings\jack\Application Data\Identities
[2009/09/17 22:02:09 | 00,000,000 | -H-D | C] -- C:\Program Files\Uninstall Information
[2009/09/17 22:02:02 | 00,000,000 | R--D | C] -- C:\Documents and Settings\jack\My Documents\My Pictures
[2009/09/17 22:02:02 | 00,000,000 | R--D | C] -- C:\Documents and Settings\jack\My Documents\My Music
[2009/09/17 22:01:52 | 00,000,000 | --SD | C] -- C:\Documents and Settings\jack\Application Data\Microsoft
[2009/09/17 22:01:52 | 00,000,000 | ---D | C] -- C:\Documents and Settings\jack\Local Settings\Application Data\Microsoft
[2009/09/17 22:00:37 | 00,000,000 | ---D | C] -- C:\WINDOWS\SoftwareDistribution
[2009/09/17 22:00:26 | 00,000,000 | ---D | C] -- C:\WINDOWS\Prefetch
[2009/09/17 22:00:25 | 00,000,006 | -H-- | C] () -- C:\WINDOWS\tasks\SA.DAT
[2009/09/17 22:00:25 | 00,000,000 | --SD | C] -- C:\WINDOWS\System32\Microsoft
[2009/09/17 21:59:29 | 00,008,192 | ---- | C] () -- C:\WINDOWS\REGLOCS.OLD
[2009/09/17 21:58:29 | 00,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2009/09/17 21:57:18 | 00,000,000 | ---D | C] -- C:\Program Files\xerox
[2009/09/17 21:57:17 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\xircom
[2009/09/17 21:57:17 | 00,000,000 | ---D | C] -- C:\Program Files\microsoft frontpage
[2009/09/17 21:56:39 | 00,002,577 | ---- | C] () -- C:\WINDOWS\System32\CONFIG.NT
[2009/09/17 21:56:39 | 00,000,000 | RHS- | C] () -- C:\MSDOS.SYS
[2009/09/17 21:56:39 | 00,000,000 | RHS- | C] () -- C:\IO.SYS
[2009/09/17 21:56:39 | 00,000,000 | ---- | C] () -- C:\CONFIG.SYS
[2009/09/17 21:56:39 | 00,000,000 | ---- | C] () -- C:\AUTOEXEC.BAT
[2009/09/17 21:56:26 | 00,023,392 | ---- | C] () -- C:\WINDOWS\System32\nscompat.tlb
[2009/09/17 21:56:26 | 00,016,832 | ---- | C] () -- C:\WINDOWS\System32\amcompat.tlb
[2009/09/17 21:56:24 | 00,316,640 | ---- | C] () -- C:\WINDOWS\WMSysPr9.prx
[2009/09/17 21:56:04 | 00,112,128 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mapi32.dll
[2009/09/17 21:54:31 | 00,000,488 | RH-- | C] () -- C:\WINDOWS\System32\WindowsLogon.manifest
[2009/09/17 21:54:31 | 00,000,488 | RH-- | C] () -- C:\WINDOWS\System32\logonui.exe.manifest
[2009/09/17 21:54:31 | 00,000,000 | --SD | C] -- C:\WINDOWS\Downloaded Program Files
[2009/09/17 21:54:31 | 00,000,000 | R--D | C] -- C:\WINDOWS\Offline Web Pages
[2009/09/17 21:54:20 | 00,000,749 | RH-- | C] () -- C:\WINDOWS\WindowsShell.Manifest
[2009/09/17 21:54:20 | 00,000,749 | RH-- | C] () -- C:\WINDOWS\System32\wuaucpl.cpl.manifest
[2009/09/17 21:54:20 | 00,000,749 | RH-- | C] () -- C:\WINDOWS\System32\sapi.cpl.manifest
[2009/09/17 21:54:20 | 00,000,749 | RH-- | C] () -- C:\WINDOWS\System32\nwc.cpl.manifest
[2009/09/17 21:54:20 | 00,000,749 | RH-- | C] () -- C:\WINDOWS\System32\ncpa.cpl.manifest
[2009/09/17 21:54:20 | 00,000,749 | RH-- | C] () -- C:\WINDOWS\System32\cdplayer.exe.manifest
[2009/09/17 21:54:13 | 00,000,000 | -H-D | C] -- C:\Program Files\WindowsUpdate
[2009/09/17 21:53:55 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\DirectX
[2009/09/17 21:53:52 | 00,011,264 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\atrace.dll
[2009/09/17 21:53:51 | 00,048,680 | -HS- | C] () -- C:\WINDOWS\winnt256.bmp
[2009/09/17 21:53:51 | 00,048,680 | -HS- | C] () -- C:\WINDOWS\winnt.bmp
[2009/09/17 21:53:48 | 00,118,784 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msg723.acm
[2009/09/17 21:53:48 | 00,064,512 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\acctres.dll
[2009/09/17 21:53:48 | 00,012,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\nmevtmsg.dll
[2009/09/17 21:53:48 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Services
[2009/09/17 21:53:45 | 00,016,384 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\icfgnt5.dll
[2009/09/17 21:53:45 | 00,000,000 | --SD | C] -- C:\WINDOWS\Tasks
[2009/09/17 21:53:45 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\MSSoap
[2009/09/17 21:53:43 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\Macromed
[2009/09/17 21:53:43 | 00,000,000 | ---D | C] -- C:\WINDOWS\srchasst
[2009/09/17 21:53:41 | 01,135,616 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wuaueng.dll
[2009/09/17 21:53:41 | 00,430,592 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wuapi.dll
[2009/09/17 21:53:41 | 00,409,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\qmgr.dll
[2009/09/17 21:53:41 | 00,183,296 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wuaueng1.dll
[2009/09/17 21:53:41 | 00,165,888 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wuauclt1.exe
[2009/09/17 21:53:41 | 00,162,304 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wuaucpl.cpl
[2009/09/17 21:53:41 | 00,120,320 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wuweb.dll
[2009/09/17 21:53:41 | 00,112,640 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wucltui.dll
[2009/09/17 21:53:41 | 00,111,104 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wuauclt.exe
[2009/09/17 21:53:41 | 00,032,256 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wups.dll
[2009/09/17 21:53:41 | 00,018,944 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\qmgrprxy.dll
[2009/09/17 21:53:41 | 00,008,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\bitsprx2.dll
[2009/09/17 21:53:41 | 00,007,168 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\bitsprx4.dll
[2009/09/17 21:53:41 | 00,007,168 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\bitsprx3.dll
[2009/09/17 21:53:41 | 00,006,656 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wuauserv.dll
[2009/09/17 21:53:39 | 00,000,000 | ---D | C] -- C:\Program Files\Movie Maker
[2009/09/17 21:53:24 | 00,045,568 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\safrslv.dll
[2009/09/17 21:53:24 | 00,043,520 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\safrcdlg.dll
[2009/09/17 21:53:24 | 00,043,520 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\racpldlg.dll
[2009/09/17 21:53:24 | 00,029,696 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\safrdm.dll
[2009/09/17 21:53:23 | 00,023,040 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\fltMc.exe
[2009/09/17 21:53:23 | 00,016,896 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\fltlib.dll
[2009/09/17 21:53:22 | 00,239,104 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\srrstr.dll
[2009/09/17 21:53:22 | 00,188,416 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msh261.drv
[2009/09/17 21:53:22 | 00,171,008 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\srsvc.dll
[2009/09/17 21:53:22 | 00,129,792 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\fltMgr.sys
[2009/09/17 21:53:22 | 00,081,920 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ils.dll
[2009/09/17 21:53:22 | 00,073,472 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\sr.sys
[2009/09/17 21:53:22 | 00,069,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msconf.dll
[2009/09/17 21:53:22 | 00,067,584 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\srclient.dll
[2009/09/17 21:53:22 | 00,034,560 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mnmdd.dll
[2009/09/17 21:53:22 | 00,032,768 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mnmsrvc.exe
[2009/09/17 21:53:22 | 00,032,768 | ---- | C] (Intel Corporation) -- C:\WINDOWS\System32\isrdbg32.dll
[2009/09/17 21:53:22 | 00,028,672 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\nmmkcert.dll
[2009/09/17 21:53:22 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\Restore
[2009/09/17 21:53:21 | 00,252,928 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msoeacct.dll
[2009/09/17 21:53:21 | 00,105,984 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msoert2.dll
[2009/09/17 21:53:21 | 00,000,000 | ---D | C] -- C:\Program Files\NetMeeting
[2009/09/17 21:53:20 | 00,691,712 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\inetcomm.dll
[2009/09/17 21:53:20 | 00,048,128 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\inetres.dll
[2009/09/17 21:53:19 | 00,274,944 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mstask.dll
[2009/09/17 21:53:19 | 00,274,432 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\inetcfg.dll
[2009/09/17 21:53:19 | 00,192,512 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\schedsvc.dll
[2009/09/17 21:53:19 | 00,081,920 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\isign32.dll
[2009/09/17 21:53:19 | 00,073,728 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\icwdial.dll
[2009/09/17 21:53:19 | 00,065,536 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\icwphbk.dll
[2009/09/17 21:53:19 | 00,012,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mstinit.exe
[2009/09/17 21:53:19 | 00,000,000 | ---D | C] -- C:\Program Files\Outlook Express
[2009/09/17 21:53:16 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\System
[2009/09/17 21:53:15 | 00,000,000 | ---D | C] -- C:\Program Files\Internet Explorer
[2009/09/17 21:53:13 | 00,000,000 | R--D | C] -- C:\Documents and Settings\All Users\Documents\My Pictures
[2009/09/17 21:52:32 | 00,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2009/09/17 21:52:29 | 00,000,000 | ---D | C] -- C:\Program Files\ComPlus Applications
[2009/09/17 21:52:26 | 00,000,000 | ---D | C] -- C:\WINDOWS\Registration
[2009/09/17 21:52:19 | 00,000,000 | R--D | C] -- C:\Documents and Settings\All Users\Documents\My Music
[2009/09/17 21:52:19 | 00,000,000 | ---D | C] -- C:\Program Files\Online Services
[2009/09/17 21:52:18 | 00,000,000 | ---D | C] -- C:\Program Files\Windows Media Player
[2009/09/17 21:52:12 | 00,000,000 | ---D | C] -- C:\Program Files\Messenger
[2009/09/17 21:52:11 | 00,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\write.exe
[2009/09/17 21:52:11 | 00,000,000 | ---D | C] -- C:\Program Files\MSN Gaming Zone
[2009/09/17 21:52:03 | 00,227,840 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\avtapi.dll
[2009/09/17 21:52:03 | 00,138,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\sndvol32.exe
[2009/09/17 21:52:03 | 00,073,216 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\avwav.dll
[2009/09/17 21:52:03 | 00,044,544 | ---- | C] (Hilgraeve, Inc.) -- C:\WINDOWS\System32\hticons.dll
[2009/09/17 21:52:03 | 00,016,384 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\avmeter.dll
[2009/09/17 21:52:02 | 00,035,328 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\winchat.exe
[2009/09/17 21:51:59 | 00,065,954 | ---- | C] () -- C:\WINDOWS\Prairie Wind.bmp
[2009/09/17 21:51:59 | 00,065,832 | ---- | C] () -- C:\WINDOWS\Santa Fe Stucco.bmp
[2009/09/17 21:51:59 | 00,026,680 | ---- | C] () -- C:\WINDOWS\River Sumida.bmp
[2009/09/17 21:51:59 | 00,026,582 | ---- | C] () -- C:\WINDOWS\Greenstone.bmp
[2009/09/17 21:51:59 | 00,017,362 | ---- | C] () -- C:\WINDOWS\Rhododendron.bmp
[2009/09/17 21:51:59 | 00,017,336 | ---- | C] () -- C:\WINDOWS\Gone Fishing.bmp
[2009/09/17 21:51:59 | 00,009,522 | ---- | C] () -- C:\WINDOWS\Zapotec.bmp
[2009/09/17 21:51:58 | 00,605,696 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\getuname.dll
[2009/09/17 21:51:58 | 00,114,688 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\calc.exe
[2009/09/17 21:51:58 | 00,093,702 | ---- | C] () -- C:\WINDOWS\System32\subrange.uce
[2009/09/17 21:51:58 | 00,080,384 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\charmap.exe
[2009/09/17 21:51:58 | 00,065,978 | ---- | C] () -- C:\WINDOWS\Soap Bubbles.bmp
[2009/09/17 21:51:58 | 00,060,458 | ---- | C] () -- C:\WINDOWS\System32\ideograf.uce
[2009/09/17 21:51:58 | 00,024,006 | ---- | C] () -- C:\WINDOWS\System32\gb2312.uce
[2009/09/17 21:51:58 | 00,022,984 | ---- | C] () -- C:\WINDOWS\System32\bopomofo.uce
[2009/09/17 21:51:58 | 00,017,062 | ---- | C] () -- C:\WINDOWS\Coffee Bean.bmp
[2009/09/17 21:51:58 | 00,016,740 | ---- | C] () -- C:\WINDOWS\System32\shiftjis.uce
[2009/09/17 21:51:58 | 00,016,730 | ---- | C] () -- C:\WINDOWS\FeatherTexture.bmp
[2009/09/17 21:51:58 | 00,012,876 | ---- | C] () -- C:\WINDOWS\System32\korean.uce
[2009/09/17 21:51:58 | 00,008,484 | ---- | C] () -- C:\WINDOWS\System32\kanji_2.uce
[2009/09/17 21:51:58 | 00,006,948 | ---- | C] () -- C:\WINDOWS\System32\kanji_1.uce
[2009/09/17 21:51:58 | 00,001,272 | ---- | C] () -- C:\WINDOWS\Blue Lace 16.bmp
[2009/09/17 21:51:57 | 00,126,976 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mshearts.exe
[2009/09/17 21:51:57 | 00,119,808 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\winmine.exe
[2009/09/17 21:51:57 | 00,056,832 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\sol.exe
[2009/09/17 21:51:57 | 00,055,296 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\freecell.exe
[2009/09/17 21:51:57 | 00,016,896 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\tsshutdn.exe
[2009/09/17 21:51:57 | 00,016,384 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\tskill.exe
[2009/09/17 21:51:57 | 00,014,848 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\tsdiscon.exe
[2009/09/17 21:51:57 | 00,014,848 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\tscon.exe
[2009/09/17 21:51:57 | 00,014,848 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\shadow.exe
[2009/09/17 21:51:57 | 00,009,728 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\reset.exe
[2009/09/17 21:51:57 | 00,003,286 | ---- | C] () -- C:\WINDOWS\System32\tslabels.h
[2009/09/17 21:51:57 | 00,001,161 | ---- | C] () -- C:\WINDOWS\System32\usrlogon.cmd
[2009/09/17 21:51:56 | 00,033,792 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\regini.exe
[2009/09/17 21:51:56 | 00,022,016 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\qwinsta.exe
[2009/09/17 21:51:56 | 00,020,992 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msg.exe
[2009/09/17 21:51:56 | 00,016,896 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\qappsrv.exe
[2009/09/17 21:51:56 | 00,015,872 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\rwinsta.exe
[2009/09/17 21:51:56 | 00,015,872 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\cdmodem.dll
[2009/09/17 21:51:56 | 00,015,360 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\logoff.exe
[2009/09/17 21:51:56 | 00,004,096 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\rdpcfgex.dll
[2009/09/17 21:51:56 | 00,000,768 | ---- | C] () -- C:\WINDOWS\System32\msdtcprf.h
[2009/09/17 21:51:52 | 00,063,488 | ---- | C] () -- C:\WINDOWS\System32\wmimgmt.msc
[2009/09/17 21:51:47 | 00,000,000 | ---D | C] -- C:\Program Files\MSN
[2009/09/17 21:51:46 | 00,347,136 | ---- | C] (Hilgraeve, Inc.) -- C:\WINDOWS\System32\hypertrm.dll
[2009/09/17 21:51:46 | 00,184,320 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\accwiz.exe
[2009/09/17 21:51:46 | 00,131,584 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\sndrec32.exe
[2009/09/17 21:51:46 | 00,123,392 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mplay32.exe
[2009/09/17 21:51:46 | 00,068,608 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\access.cpl
[2009/09/17 21:51:46 | 00,000,000 | ---D | C] -- C:\Program Files\Windows NT
[2009/09/17 21:51:45 | 00,538,624 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\spider.exe
[2009/09/17 21:51:45 | 00,343,040 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mspaint.exe
[2009/09/17 21:51:45 | 00,290,304 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\rhttpaa.dll
[2009/09/17 21:51:45 | 00,139,656 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\rdpwd.sys
[2009/09/17 21:51:45 | 00,136,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\aaclient.dll
[2009/09/17 21:51:45 | 00,102,912 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\clipbrd.exe
[2009/09/17 21:51:45 | 00,093,696 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\tscfgwmi.dll
[2009/09/17 21:51:45 | 00,053,248 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\tsgqec.dll
[2009/09/17 21:51:45 | 00,021,896 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\tdtcp.sys
[2009/09/17 21:51:45 | 00,012,040 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\tdpipe.sys
[2009/09/17 21:51:45 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\en-US
[2009/09/17 21:51:44 | 02,061,824 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mstscax.dll
[2009/09/17 21:51:44 | 00,677,888 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mstsc.exe
[2009/09/17 21:51:44 | 00,295,424 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\termsrv.dll
[2009/09/17 21:51:44 | 00,161,792 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msdtcuiu.dll
[2009/09/17 21:51:44 | 00,147,968 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\rdchost.dll
[2009/09/17 21:51:44 | 00,141,312 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\sessmgr.exe
[2009/09/17 21:51:44 | 00,091,648 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mtxoci.dll
[2009/09/17 21:51:44 | 00,087,176 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\rdpwsx.dll
[2009/09/17 21:51:44 | 00,067,072 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\rdshost.exe
[2009/09/17 21:51:44 | 00,062,976 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\rdpclip.exe
[2009/09/17 21:51:44 | 00,060,416 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\remotepg.dll
[2009/09/17 21:51:44 | 00,038,912 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\cfgbkend.dll
[2009/09/17 21:51:44 | 00,019,968 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\rdpsnd.dll
[2009/09/17 21:51:44 | 00,019,968 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\qprocess.exe
[2009/09/17 21:51:44 | 00,013,824 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\rdsaddin.exe
[2009/09/17 21:51:44 | 00,011,264 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\icaapi.dll
[2009/09/17 21:51:44 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\MsDtc
[2009/09/17 21:51:43 | 00,956,928 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msdtctm.dll
[2009/09/17 21:51:43 | 00,427,008 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msdtcprx.dll
[2009/09/17 21:51:43 | 00,060,416 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\colbact.dll
[2009/09/17 21:51:43 | 00,058,880 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msdtclog.dll
[2009/09/17 21:51:43 | 00,034,304 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mtxlegih.dll
[2009/09/17 21:51:43 | 00,030,720 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mtxdm.dll
[2009/09/17 21:51:43 | 00,028,160 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\comaddin.dll
[2009/09/17 21:51:43 | 00,011,776 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xolehlp.dll
[2009/09/17 21:51:43 | 00,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msdtc.exe
[2009/09/17 21:51:43 | 00,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dcomcnfg.exe
[2009/09/17 21:51:43 | 00,004,096 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mtxex.dll
[2009/09/17 21:51:43 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\Com
[2009/09/17 21:51:42 | 01,267,200 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\comsvcs.dll
[2009/09/17 21:51:42 | 00,625,664 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\catsrvut.dll
[2009/09/17 21:51:42 | 00,539,648 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\comuid.dll
[2009/09/17 21:51:42 | 00,226,304 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\catsrv.dll
[2009/09/17 21:51:42 | 00,167,424 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\comsnap.dll
[2009/09/17 21:51:42 | 00,110,592 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\clbcatex.dll
[2009/09/17 21:51:42 | 00,097,792 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\comrepl.dll
[2009/09/17 21:51:42 | 00,085,504 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\catsrvps.dll
[2009/09/17 21:51:42 | 00,059,392 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\stclient.dll
[2009/09/17 21:51:41 | 00,498,688 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\clbcatq.dll
[2009/09/17 21:51:37 | 00,185,344 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\cmprops.dll
[2009/09/17 21:51:37 | 00,058,880 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\licwmi.dll
[2009/09/17 21:51:37 | 00,056,320 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\servdeps.dll
[2009/09/17 21:51:37 | 00,017,408 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mmfutil.dll
[2009/09/17 21:51:36 | 00,196,224 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\rdpdr.sys
[2009/09/17 21:51:36 | 00,040,840 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\termdd.sys
[2009/09/17 21:51:34 | 00,000,000 | R--D | C] -- C:\Documents and Settings\All Users\Documents\My Videos
[2001/08/23 22:00:00 | 00,000,477 | ---- | C] () -- C:\WINDOWS\win.ini
[2001/08/23 22:00:00 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini

========== Files - Modified Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[3 C:\WINDOWS\*.tmp files]
[2009/09/26 15:49:00 | 00,514,560 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\jack\Desktop\OTL.exe
[2009/09/26 15:47:47 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/09/26 15:46:02 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/09/26 15:39:17 | 03,321,356 | R--- | M] () -- C:\Documents and Settings\jack\Desktop\Combo-Fix.exe
[2009/09/26 15:33:24 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/09/25 20:47:03 | 05,349,026 | -H-- | M] () -- C:\Documents and Settings\jack\Local Settings\Application Data\IconCache.db
[2009/09/25 20:27:07 | 00,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/09/25 20:20:04 | 00,000,281 | RHS- | M] () -- C:\boot.ini
[2009/09/25 20:03:30 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/09/23 21:04:02 | 00,000,210 | -H-- | M] () -- C:\Documents and Settings\jack\Desktop\7a445c7453c44c30f3505e094ebefceef4c374ab.frd
[2009/09/21 13:57:18 | 00,001,739 | ---- | M] () -- C:\Documents and Settings\jack\Desktop\HijackThis.lnk
[2009/09/20 17:53:09 | 05,183,696 | ---- | M] (Macrovision Corporation) -- C:\Documents and Settings\jack\Desktop\RUBotted.exe
[2009/09/20 17:24:51 | 00,000,701 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/09/20 17:02:55 | 04,045,528 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\jack\Desktop\mbam-setup.exe
[2009/09/17 23:49:45 | 00,004,444 | ---- | M] () -- C:\WINDOWS\System32\pid.PNF
[2009/09/17 22:51:49 | 00,812,344 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\jack\Desktop\HJTInstall.exe
[2009/09/17 22:38:49 | 00,001,711 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\PowerArchiver.lnk
[2009/09/17 22:38:19 | 04,638,112 | ---- | M] () -- C:\Documents and Settings\jack\Desktop\powarc1020.exe
[2009/09/17 22:17:16 | 00,000,000 | ---- | M] () -- C:\WINDOWS\nsreg.dat
[2009/09/17 22:16:02 | 00,091,088 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/09/17 22:13:36 | 00,000,000 | ---- | M] () -- C:\WINDOWS\popcreg.dat
[2009/09/17 22:13:36 | 00,000,000 | ---- | M] () -- C:\WINDOWS\popcinfot.dat
[2009/09/17 22:11:23 | 00,001,602 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2009/09/17 22:06:02 | 00,355,636 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/09/17 22:06:02 | 00,311,934 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/09/17 22:06:02 | 00,040,196 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/09/17 21:59:29 | 00,008,192 | ---- | M] () -- C:\WINDOWS\REGLOCS.OLD
[2009/09/17 21:58:40 | 00,004,382 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/09/17 21:58:29 | 00,000,261 | ---- | M] () -- C:\WINDOWS\System32\$winnt$.inf
[2009/09/17 21:56:39 | 00,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2009/09/17 21:56:39 | 00,000,477 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/09/17 21:56:39 | 00,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2009/09/17 21:56:39 | 00,000,000 | RHS- | M] () -- C:\IO.SYS
[2009/09/17 21:56:39 | 00,000,000 | ---- | M] () -- C:\WINDOWS\control.ini
[2009/09/17 21:56:39 | 00,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2009/09/17 21:56:39 | 00,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2009/09/17 21:56:28 | 00,316,640 | ---- | M] () -- C:\WINDOWS\WMSysPr9.prx
[2009/09/17 21:56:26 | 00,023,392 | ---- | M] () -- C:\WINDOWS\System32\nscompat.tlb
[2009/09/17 21:56:26 | 00,016,832 | ---- | M] () -- C:\WINDOWS\System32\amcompat.tlb
[2009/09/17 21:56:05 | 00,004,161 | ---- | M] () -- C:\WINDOWS\ODBCINST.INI
[2009/09/17 21:54:31 | 00,000,488 | RH-- | M] () -- C:\WINDOWS\System32\WindowsLogon.manifest
[2009/09/17 21:54:31 | 00,000,488 | RH-- | M] () -- C:\WINDOWS\System32\logonui.exe.manifest
[2009/09/17 21:54:20 | 00,000,749 | RH-- | M] () -- C:\WINDOWS\WindowsShell.Manifest
[2009/09/17 21:54:20 | 00,000,749 | RH-- | M] () -- C:\WINDOWS\System32\wuaucpl.cpl.manifest
[2009/09/17 21:54:20 | 00,000,749 | RH-- | M] () -- C:\WINDOWS\System32\sapi.cpl.manifest
[2009/09/17 21:54:20 | 00,000,749 | RH-- | M] () -- C:\WINDOWS\System32\nwc.cpl.manifest
[2009/09/17 21:54:20 | 00,000,749 | RH-- | M] () -- C:\WINDOWS\System32\ncpa.cpl.manifest
[2009/09/17 21:54:20 | 00,000,749 | RH-- | M] () -- C:\WINDOWS\System32\cdplayer.exe.manifest
[2009/09/17 21:52:32 | 00,021,640 | ---- | M] () -- C:\WINDOWS\System32\emptyregdb.dat
[2009/09/17 21:52:28 | 00,000,037 | ---- | M] () -- C:\WINDOWS\vbaddin.ini
[2009/09/17 21:52:28 | 00,000,036 | ---- | M] () -- C:\WINDOWS\vb.ini
[2009/09/17 21:50:24 | 00,000,211 | ---- | M] () -- C:\Boot.bak
[2009/09/14 02:12:36 | 00,229,888 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2009/09/10 14:54:06 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/09/10 14:53:50 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

========== LOP Check ==========

[2009/09/20 17:03:26 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\All Users\Application Data
[2009/09/17 22:38:57 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ConeXware
[2009/09/17 22:12:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ulead Systems
[2009/09/26 15:45:26 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\jack\Application Data
[2009/09/17 22:11:57 | 00,000,000 | ---D | M] -- C:\Documents and Settings\jack\Application Data\mIRC
[2001/08/23 22:00:00 | 00,000,065 | RH-- | M] () -- C:\WINDOWS\Tasks\desktop.ini
[2009/09/26 15:47:47 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\Tasks\SA.DAT

========== Purity Check ==========


< End of report >

OTL EXTRAS
OTL Extras logfile created on: 9/26/2009 3:49:55 PM - Run 1
OTL by OldTimer - Version 3.0.14.0 Folder = C:\Documents and Settings\jack\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1023.48 Mb Total Physical Memory | 798.72 Mb Available Physical Memory | 78.04% Memory free
926.10 Mb Paging File | 815.69 Mb Available in Paging File | 88.08% Paging File free
Paging file location(s): [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 38.24 Gb Total Space | 30.74 Gb Free Space | 80.38% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: j-7D5BCBCF9
Current User Name: jack
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.chm [@ = chm.file] -- C:\WINDOWS\hh.exe (Microsoft Corporation)
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
chm.file [open] -- "%SYSTEMROOT%\hh.exe" %1 (Microsoft Corporation)
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
exefile [open] -- "%1" %* File not found
htmlfile [edit] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "%programfiles%\internet explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{85E5C804-7DD5-4CEA-9724-E1DAA21FC615}" = 3D Virtual Cube
"{8AF3E926-ED59-11D4-A44B-0000E86D2305}" = Ulead GIF Animator 5 Trial
"{D0F210C9-64C5-41C6-8882-A111C6C49911}" = PowerArchiver 2007
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"foobar2000" = foobar2000 v0.9.6
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"mIRC" = mIRC
"Mozilla Firefox (3.5)" = Mozilla Firefox (3.5)
"VentriloMIX" = VentriloMIX
"Zuma Deluxe 1.0" = Zuma Deluxe 1.0

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Octoshape Streaming Services" = Octoshape Streaming Services

========== Last 10 Event Log Errors ==========

[ System Events ]
Error - 9/25/2009 2:12:43 PM | Computer name=j-7D5BCBCF9 | Source = Service Control Manager | ID = 7000
Description = The Trend Micro RUBotted Service service failed to start due to the
following error: %%2

Error - 9/25/2009 2:20:33 PM | Computer name=j-7D5BCBCF9 | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the PEVSystemStart service
to connect.

Error - 9/25/2009 2:26:02 PM | Computer name=j-7D5BCBCF9 | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the PEVSystemStart service
to connect.

Error - 9/25/2009 2:27:36 PM | Computer name=j-7D5BCBCF9 | Source = Service Control Manager | ID = 7000
Description = The Trend Micro RUBotted Service service failed to start due to the
following error: %%2

Error - 9/25/2009 5:38:58 PM | Computer name=j-7D5BCBCF9 | Source = Service Control Manager | ID = 7000
Description = The Trend Micro RUBotted Service service failed to start due to the
following error: %%2

Error - 9/26/2009 9:33:30 AM | Computer name=j-7D5BCBCF9 | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.1.4 for the Network Card with network
address 000C297DB875 has been denied by the DHCP server 192.168.1.1 (The DHCP Server
sent a DHCPNACK message).

Error - 9/26/2009 9:33:51 AM | Computer name=j-7D5BCBCF9 | Source = Service Control Manager | ID = 7000
Description = The Trend Micro RUBotted Service service failed to start due to the
following error: %%2

Error - 9/26/2009 9:40:44 AM | Computer name=j-7D5BCBCF9 | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the PEVSystemStart service
to connect.

Error - 9/26/2009 9:45:23 AM | Computer name=j-7D5BCBCF9 | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the PEVSystemStart service
to connect.

Error - 9/26/2009 9:45:53 AM | Computer name=j-7D5BCBCF9 | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the PEVSystemStart service
to connect.


< End of report >
Vegeta
Active Member
 
Posts: 11
Joined: September 17th, 2009, 4:19 pm

Re: Infection right after format

Unread postby Vegeta » September 26th, 2009, 11:33 am

Forgot the GMER log

GMER 1.0.15.15087 - http://www.gmer.net
Rootkit scan 2009-09-26 15:59:55
Windows 5.1.2600 Service Pack 3
Running: 8i36yu3y.exe; Driver: C:\DOCUME~1\jack\LOCALS~1\Temp\kwkyrpob.sys


---- System - GMER 1.0.15 ----

Code \??\C:\DOCUME~1\jack\LOCALS~1\Temp\catchme.sys pIofCallDriver

---- Processes - GMER 1.0.15 ----

Process C:\Documents (*** hidden *** ) 236
Library C:\Documents (*** hidden *** ) @ C:\Documents [236] 0x00400000

---- EOF - GMER 1.0.15 ----
Vegeta
Active Member
 
Posts: 11
Joined: September 17th, 2009, 4:19 pm

Re: Infection right after format

Unread postby francis327 » September 27th, 2009, 11:35 pm

Hello, Vegeta.
Thank you for the log, please proceed with the following:

1 - OTL Fix
Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

    Code:
    :OTL
    PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    
    :Reg
    [-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{4175C5F3-D47F-143B-DD4D-E67A0EB4E773}]
    [-HKEY_CURRENT_USER\software\microsoft\active setup\installed components\{4175C5F3-D47F-143B-DD4D-E67A0EB4E773}]
    
    :Files
    C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    c:\windows\sysrest32.exe
    
    :Commands
    [emptytemp]
    [start explorer]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then post a new OTL log (don't check the boxes beside LOP Check or Purity this time)


2 - Malwarebytes Anti Malware
Note: I notice that you already have Malwarebytes' Anti-Malware; just run and update it. Then do a "Perform Full Scan".
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


In your next reply, please include the following:
  • OTL.txt
  • MBAM log
  • A brief description on how your system/Firefox is behaving now
francis327
Regular Member
 
Posts: 939
Joined: September 4th, 2008, 3:42 am
Location: Far East (GMT + 8)
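The entries a fix like the one above targets are autostart persistence: a Run value named to look like a Windows component whose target sits under the user's profile or no longer exists on disk. As an added example that is not from this thread or from OTL, the Python below triages OTL "O4 - ...\Run" lines with those checks; the sample lines are constructed in the format of the logs in this thread, and the heuristics and names (`triage`, `RunEntry`, the marker lists) are this example's own assumptions.

```python
"""Triage OTL-style 'O4 - HKLM..\\Run' lines for autostart persistence traits."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the format of the OTL logs in this thread (not the thread's full log).
SAMPLE_LOG = r"""
O4 - HKLM..\Run: [TMRUBottedTray] C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe (Trend Micro Inc.)
O4 - HKLM..\Run: [Windows Login Assistance] C:\Documents and Settings\jack\Application Data\S05-3636-T34636-7574-BLAZEBOT-ASGET-UEIAASH\winlogon.exe File not found
O4 - HKCU..\Run: [Octoshape Streaming Services] C:\Documents and Settings\jack\Local Settings\Application Data\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe (Octoshape ApS)
O4 - HKCU..\Run: [Windows Login Assistance] C:\Documents and Settings\jack\Application Data\S05-3636-T34636-7574-BLAZEBOT-ASGET-UEIAASH\winlogon.exe File not found
O4 - HKLM..\Run: [Secure System Restore] C:\WINDOWS\sysrest32.exe ()
"""

# Heuristics below are this example's own assumptions, not rules taken from OTL or the forum.
# Binaries with these names belong under the Windows directory; a copy elsewhere is a lookalike.
SYSTEM_BINARY_NAMES = {"winlogon.exe", "svchost.exe", "lsass.exe", "csrss.exe",
                       "services.exe", "smss.exe", "explorer.exe"}
WINDOWS_DIR_PREFIXES = ("c:\\windows\\", "%systemroot%\\")
USER_PROFILE_MARKERS = ("\\documents and settings\\", "\\application data\\", "\\local settings\\")

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<rest>.*)$")
TAIL_RE = re.compile(r"^(?P<path>.*?) \((?P<company>[^()]*)\)$")
MISSING = " File not found"


@dataclass
class RunEntry:
    hive: str
    name: str
    path: str
    company: str           # "" when OTL printed "()" (no version resource)
    missing: bool          # True when OTL appended "File not found"
    flags: List[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.flags)


def parse_o4(line: str) -> Optional[RunEntry]:
    """Split one O4 line into hive, value name, target path and publisher."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    hive, name, rest = m.group("hive"), m.group("name"), m.group("rest")
    if rest.endswith(MISSING):
        return RunEntry(hive, name, rest[: -len(MISSING)], "", True)
    t = TAIL_RE.match(rest)
    if t:
        return RunEntry(hive, name, t.group("path"), t.group("company"), False)
    return RunEntry(hive, name, rest, "", False)


def assess(entry: RunEntry) -> RunEntry:
    """Attach a flag for each persistence trait; the flag count is the review priority."""
    low = entry.path.lower()
    base = low.rsplit("\\", 1)[-1]
    under_windows = low.startswith(WINDOWS_DIR_PREFIXES)
    if base in SYSTEM_BINARY_NAMES and not under_windows:
        entry.flags.append("system-binary name outside the Windows directory")
    if any(marker in low for marker in USER_PROFILE_MARKERS):
        entry.flags.append("autostart target lives in a user profile")
    if entry.missing:
        entry.flags.append("target file missing: orphaned Run value")
    elif not entry.company:
        entry.flags.append("no publisher/version information")
    return entry


def triage(log_text: str) -> List[RunEntry]:
    """Parse every O4 line and return the flagged entries, highest score first."""
    entries = [parse_o4(line) for line in log_text.splitlines()]
    flagged = [assess(e) for e in entries if e is not None]
    flagged = [e for e in flagged if e.score > 0]
    return sorted(flagged, key=lambda e: e.score, reverse=True)


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"[{e.score}] {e.hive} Run:[{e.name}] -> {e.path}")
        for flag in e.flags:
            print(f"      - {flag}")
```

An orphaned Run value (target "File not found") is harmless on its own but is the trace a helper removes so the key does not get repopulated unnoticed; the user-profile and lookalike-name flags are what separate the winlogon.exe entries from the legitimately installed vendor entries.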

Re: Infection right after format

Unread postby Vegeta » September 28th, 2009, 8:21 am

Hi

After running the fix with OTL, it asked me to reboot, and after I did so there was an open Notepad file with contents in it.
You didn't ask for it, but I thought you'd need this.

All processes killed
========== OTL ==========
No active process named explorer.exe was found!
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{4175C5F3-D47F-143B-DD4D-E67A0EB4E773}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4175C5F3-D47F-143B-DD4D-E67A0EB4E773}\ not found.
Registry key HKEY_CURRENT_USER\software\microsoft\active setup\installed components\{4175C5F3-D47F-143B-DD4D-E67A0EB4E773}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4175C5F3-D47F-143B-DD4D-E67A0EB4E773}\ not found.
========== FILES ==========
C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} moved successfully.
c:\windows\sysrest32.exe moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: jack
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->FireFox cache emptied: 25179370 bytes

User: LocalService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 32902 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2402044 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
Windows Temp folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 26.40 mb


OTL by OldTimer - Version 3.0.14.0 log created on 09282009_133546

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

Here's a new OTL log

OTL logfile created on: 9/28/2009 1:41:22 PM - Run 2
OTL by OldTimer - Version 3.0.14.0 Folder = C:\Documents and Settings\jack\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1023.48 Mb Total Physical Memory | 818.17 Mb Available Physical Memory | 79.94% Memory free
926.10 Mb Paging File | 817.86 Mb Available in Paging File | 88.31% Paging File free
Paging file location(s): [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 38.24 Gb Total Space | 30.92 Gb Free Space | 80.85% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: j-7D5BCBCF9
Current User Name: jack
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\WINDOWS\Explorer.EXE (Microsoft Corporation)
PRC - C:\Documents and Settings\jack\Local Settings\Application Data\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe (Octoshape ApS)
PRC - C:\WINDOWS\System32\wscntfy.exe (Microsoft Corporation)
PRC - C:\Documents and Settings\jack\Desktop\OTL.exe (OldTimer Tools)

========== Win32 Services (SafeList) ==========

SRV - (helpsvc [Auto | Running]) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)
SRV - (RUBotted [Auto | Stopped]) -- File not found

========== Driver Services (SafeList) ==========

DRV - (es1371 [On_Demand | Running]) -- C:\WINDOWS\System32\drivers\es1371mp.sys (Creative Technology Ltd.)
DRV - (gameenum [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\gameenum.sys (Microsoft Corporation)
DRV - (PCnet [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\pcntpci5.sys (AMD Inc.)
DRV - (Ptilink [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys (Parallel Technologies, Inc.)
DRV - (Secdrv [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dl ... r=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dl ... ar=msnhome
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "google.com"

FF - HKLM\software\mozilla\Mozilla Firefox 3.5\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/09/17 22:17:12 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/09/17 22:11:21 | 00,000,000 | ---D | M]

[2009/09/17 22:17:18 | 00,000,000 | ---D | M] -- C:\Documents and Settings\jack\Application Data\mozilla\Extensions
[2009/09/17 22:28:09 | 00,000,000 | ---D | M] -- C:\Documents and Settings\jack\Application Data\mozilla\Firefox\Profiles\z3u8esrr.default\extensions
[2009/09/28 13:35:47 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009/06/24 15:26:10 | 00,023,544 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/06/24 15:26:11 | 00,137,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2009/06/24 15:26:12 | 00,065,016 | ---- | M] (mozilla.org) -- C:\Program Files\mozilla firefox\plugins\npnul32.dll
[2009/06/24 13:27:00 | 00,001,394 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2009/06/24 13:27:00 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2009/06/24 13:27:00 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2009/06/24 13:27:00 | 00,002,344 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2009/06/24 13:27:00 | 00,002,371 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2009/06/24 13:27:00 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2009/06/24 13:27:00 | 00,000,792 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.xml

O1 HOSTS File: (27 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM..\Run: [TMRUBottedTray] C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe (Trend Micro Inc.)
O4 - HKLM..\Run: [Windows Login Assistance] C:\Documents and Settings\jack\Application Data\S05-3636-T34636-7574-BLAZEBOT-ASGET-UEIAASH\winlogon.exe File not found
O4 - HKCU..\Run: [Octoshape Streaming Services] C:\Documents and Settings\jack\Local Settings\Application Data\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe (Octoshape ApS)
O4 - HKCU..\Run: [Windows Login Assistance] C:\Documents and Settings\jack\Application Data\S05-3636-T34636-7574-BLAZEBOT-ASGET-UEIAASH\winlogon.exe File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername=0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\System32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\System32\rsvpsp.dll (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/09/17 21:56:39 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 30 Days ==========

[2009/09/28 13:35:48 | 00,000,000 | -HSD | C] -- C:\RECYCLER
[2009/09/28 13:35:46 | 00,000,000 | ---D | C] -- C:\_OTL
[2009/09/26 15:51:40 | 00,288,768 | ---- | C] () -- C:\Documents and Settings\jack\Desktop\8i36yu3y.exe
[2009/09/26 15:49:00 | 00,514,560 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\jack\Desktop\OTL.exe
[2009/09/26 15:47:53 | 00,000,000 | ---D | C] -- C:\WINDOWS\temp
[2009/09/25 20:20:04 | 00,000,211 | ---- | C] () -- C:\Boot.bak
[2009/09/25 20:20:03 | 00,260,272 | ---- | C] () -- C:\cmldr
[2009/09/25 20:20:01 | 00,000,000 | RHSD | C] -- C:\cmdcons
[2009/09/25 20:17:29 | 00,229,888 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2009/09/25 20:17:29 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2009/09/25 20:17:29 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2009/09/25 20:17:29 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2009/09/25 20:17:29 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2009/09/25 20:17:29 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2009/09/25 20:17:29 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009/09/25 20:17:29 | 00,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2009/09/25 20:17:21 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/09/25 20:17:07 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/09/25 20:13:34 | 03,321,356 | R--- | C] () -- C:\Documents and Settings\jack\Desktop\Combo-Fix.exe
[2009/09/23 21:03:42 | 00,000,210 | -H-- | C] () -- C:\Documents and Settings\jack\Desktop\7a445c7453c44c30f3505e094ebefceef4c374ab.frd
[2009/09/20 17:53:14 | 00,000,000 | ---D | C] -- C:\Documents and Settings\jack\Application Data\InstallShield
[2009/09/20 17:53:09 | 05,183,696 | ---- | C] (Macrovision Corporation) -- C:\Documents and Settings\jack\Desktop\RUBotted.exe
[2009/09/20 17:03:33 | 00,000,000 | ---D | C] -- C:\Documents and Settings\jack\Application Data\Malwarebytes
[2009/09/20 17:03:30 | 00,000,701 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/09/20 17:03:28 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/09/20 17:03:26 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/09/20 17:03:26 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/09/20 17:03:26 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/09/20 17:02:55 | 04,045,528 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\jack\Desktop\mbam-setup.exe
[2009/09/17 23:49:45 | 00,004,444 | ---- | C] () -- C:\WINDOWS\System32\pid.PNF
[2009/09/17 23:49:10 | 00,006,272 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\splitter.sys
[2009/09/17 23:49:09 | 00,142,592 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\aec.sys
[2009/09/17 23:49:08 | 00,056,576 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\swmidi.sys
[2009/09/17 23:49:06 | 00,052,864 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\DMusic.sys
[2009/09/17 23:49:06 | 00,002,944 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\drmkaud.sys
[2009/09/17 23:49:04 | 00,007,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\MSKSSRV.sys
[2009/09/17 23:49:03 | 00,004,992 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\MSPQM.sys
[2009/09/17 23:49:02 | 00,083,072 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\wdmaud.sys
[2009/09/17 23:49:01 | 00,172,416 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\kmixer.sys
[2009/09/17 23:48:59 | 00,005,376 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\MSPCLOCK.sys
[2009/09/17 23:48:58 | 00,060,800 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\sysaudio.sys
[2009/09/17 23:48:55 | 00,003,072 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\audstub.sys
[2009/09/17 23:48:37 | 00,010,624 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\gameenum.sys
[2009/09/17 23:48:19 | 00,057,600 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\redbook.sys
[2009/09/17 23:48:08 | 00,040,704 | ---- | C] (Creative Technology Ltd.) -- C:\WINDOWS\System32\drivers\es1371mp.sys
[2009/09/17 23:48:07 | 00,146,048 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\portcls.sys
[2009/09/17 23:48:07 | 00,129,536 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ksproxy.ax
[2009/09/17 23:48:07 | 00,060,160 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\drmk.sys
[2009/09/17 23:48:07 | 00,004,096 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ksuser.dll
[2009/09/17 23:48:05 | 00,035,328 | ---- | C] (AMD Inc.) -- C:\WINDOWS\System32\drivers\pcntpci5.sys
[2009/09/17 23:47:54 | 00,042,368 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\AGP440.SYS
[2009/09/17 23:47:48 | 00,074,240 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\usbui.dll
[2009/09/17 23:47:45 | 00,010,240 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\compbatt.sys
[2009/09/17 23:47:44 | 00,014,208 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\battc.sys
[2009/09/17 23:47:44 | 00,013,952 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\CmBatt.sys
[2009/09/17 23:46:15 | 00,004,382 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2009/09/17 23:46:11 | 00,000,000 | -HSD | C] -- C:\WINDOWS\Installer
[2009/09/17 23:46:09 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\ODBC
[2009/09/17 23:46:04 | 00,000,000 | R--D | C] -- C:\Program Files
[2009/09/17 23:46:04 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\SpeechEngines
[2009/09/17 23:46:04 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Microsoft Shared
[2009/09/17 23:46:04 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files
[2009/09/17 23:45:53 | 00,066,082 | ---- | C] () -- C:\WINDOWS\System32\c_28603.nls
[2009/09/17 23:45:52 | 00,006,144 | R--- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdtuq.dll
[2009/09/17 23:45:52 | 00,006,144 | R--- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdtuf.dll
[2009/09/17 23:45:52 | 00,005,632 | R--- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdazel.dll
[2009/09/17 23:45:51 | 00,066,594 | ---- | C] () -- C:\WINDOWS\System32\c_857.nls
[2009/09/17 23:45:51 | 00,066,082 | ---- | C] () -- C:\WINDOWS\System32\c_28599.nls
[2009/09/17 23:45:51 | 00,066,082 | ---- | C] () -- C:\WINDOWS\System32\c_10081.nls
[2009/09/17 23:45:51 | 00,005,632 | R--- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdycc.dll
[2009/09/17 23:45:51 | 00,005,632 | R--- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbduzb.dll
[2009/09/17 23:45:51 | 00,005,632 | R--- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdur.dll
[2009/09/17 23:45:51 | 00,005,632 | R--- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdtat.dll
[2009/09/17 23:45:51 | 00,005,632 | R--- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdru1.dll
[2009/09/17 23:45:51 | 00,005,632 | R--- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdru.dll
[2009/09/17 23:45:51 | 00,005,632 | R--- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdmon.dll
[2009/09/17 23:45:51 | 00,005,632 | R--- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdkyr.dll
[2009/09/17 23:45:51 | 00,005,632 | R--- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdkaz.dll
[2009/09/17 23:45:51 | 00,005,632 | R--- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdbu.dll
[2009/09/17 23:45:51 | 00,005,632 | R--- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdblr.dll
[2009/09/17 23:45:51 | 00,005,632 | R--- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kbdaze.dll
[2009/09/17 21:51:43 | 00,427,008 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msdtcprx.dll
[2009/09/17 21:51:43 | 00,060,416 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\colbact.dll
[2009/09/17 21:51:43 | 00,058,880 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msdtclog.dll
[2009/09/17 21:51:43 | 00,034,304 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mtxlegih.dll
[2009/09/17 21:51:43 | 00,030,720 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mtxdm.dll
[2009/09/17 21:51:43 | 00,028,160 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\comaddin.dll
[2009/09/17 21:51:43 | 00,011,776 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xolehlp.dll
[2009/09/17 21:51:43 | 00,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msdtc.exe
[2009/09/17 21:51:43 | 00,006,144 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dcomcnfg.exe
[2009/09/17 21:51:43 | 00,004,096 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mtxex.dll
[2009/09/17 21:51:43 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\Com
[2009/09/17 21:51:42 | 01,267,200 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\comsvcs.dll
[2009/09/17 21:51:42 | 00,625,664 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\catsrvut.dll
[2009/09/17 21:51:42 | 00,539,648 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\comuid.dll
[2009/09/17 21:51:42 | 00,226,304 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\catsrv.dll
[2009/09/17 21:51:42 | 00,167,424 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\comsnap.dll
[2009/09/17 21:51:42 | 00,110,592 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\clbcatex.dll
[2009/09/17 21:51:42 | 00,097,792 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\comrepl.dll
[2009/09/17 21:51:42 | 00,085,504 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\catsrvps.dll
[2009/09/17 21:51:42 | 00,059,392 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\stclient.dll
[2009/09/17 21:51:41 | 00,498,688 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\clbcatq.dll
[2009/09/17 21:51:37 | 00,185,344 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\cmprops.dll
[2009/09/17 21:51:37 | 00,058,880 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\licwmi.dll
[2009/09/17 21:51:37 | 00,056,320 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\servdeps.dll
[2009/09/17 21:51:37 | 00,017,408 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mmfutil.dll
[2009/09/17 21:51:36 | 00,196,224 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\rdpdr.sys
[2009/09/17 21:51:36 | 00,040,840 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\termdd.sys
[2009/09/17 21:51:34 | 00,000,000 | R--D | C] -- C:\Documents and Settings\All Users\Documents\My Videos
[2001/08/23 22:00:00 | 00,000,477 | ---- | C] () -- C:\WINDOWS\win.ini
[2001/08/23 22:00:00 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini

========== Files - Modified Within 30 Days ==========

[2009/09/28 13:36:40 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/09/28 13:36:35 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/09/28 13:31:04 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/09/26 20:06:52 | 05,877,962 | -H-- | M] () -- C:\Documents and Settings\jack\Local Settings\Application Data\IconCache.db
[2009/09/26 15:51:40 | 00,288,768 | ---- | M] () -- C:\Documents and Settings\jack\Desktop\8i36yu3y.exe
[2009/09/26 15:49:00 | 00,514,560 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\jack\Desktop\OTL.exe
[2009/09/26 15:46:02 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/09/26 15:39:17 | 03,321,356 | R--- | M] () -- C:\Documents and Settings\jack\Desktop\Combo-Fix.exe
[2009/09/25 20:27:07 | 00,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/09/25 20:20:04 | 00,000,281 | RHS- | M] () -- C:\boot.ini
[2009/09/23 21:04:02 | 00,000,210 | -H-- | M] () -- C:\Documents and Settings\jack\Desktop\7a445c7453c44c30f3505e094ebefceef4c374ab.frd
[2009/09/21 13:57:18 | 00,001,739 | ---- | M] () -- C:\Documents and Settings\jack\Desktop\HijackThis.lnk
[2009/09/20 17:53:09 | 05,183,696 | ---- | M] (Macrovision Corporation) -- C:\Documents and Settings\jack\Desktop\RUBotted.exe
[2009/09/20 17:24:51 | 00,000,701 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/09/20 17:02:55 | 04,045,528 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\jack\Desktop\mbam-setup.exe
[2009/09/17 23:49:45 | 00,004,444 | ---- | M] () -- C:\WINDOWS\System32\pid.PNF
[2009/09/17 22:51:49 | 00,812,344 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\jack\Desktop\HJTInstall.exe
[2009/09/17 22:38:49 | 00,001,711 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\PowerArchiver.lnk
[2009/09/17 22:38:19 | 04,638,112 | ---- | M] () -- C:\Documents and Settings\jack\Desktop\powarc1020.exe
[2009/09/17 22:17:16 | 00,000,000 | ---- | M] () -- C:\WINDOWS\nsreg.dat
[2009/09/17 22:16:02 | 00,091,088 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/09/17 22:13:36 | 00,000,000 | ---- | M] () -- C:\WINDOWS\popcreg.dat
[2009/09/17 22:13:36 | 00,000,000 | ---- | M] () -- C:\WINDOWS\popcinfot.dat
[2009/09/17 22:11:23 | 00,001,602 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2009/09/17 22:06:02 | 00,355,636 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/09/17 22:06:02 | 00,311,934 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/09/17 22:06:02 | 00,040,196 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/09/17 21:59:29 | 00,008,192 | ---- | M] () -- C:\WINDOWS\REGLOCS.OLD
[2009/09/17 21:58:40 | 00,004,382 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/09/17 21:58:29 | 00,000,261 | ---- | M] () -- C:\WINDOWS\System32\$winnt$.inf
[2009/09/17 21:56:39 | 00,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2009/09/17 21:56:39 | 00,000,477 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/09/17 21:56:39 | 00,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2009/09/17 21:56:39 | 00,000,000 | RHS- | M] () -- C:\IO.SYS
[2009/09/17 21:56:39 | 00,000,000 | ---- | M] () -- C:\WINDOWS\control.ini
[2009/09/17 21:56:39 | 00,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2009/09/17 21:56:39 | 00,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2009/09/17 21:56:28 | 00,316,640 | ---- | M] () -- C:\WINDOWS\WMSysPr9.prx
[2009/09/17 21:56:26 | 00,023,392 | ---- | M] () -- C:\WINDOWS\System32\nscompat.tlb
[2009/09/17 21:56:26 | 00,016,832 | ---- | M] () -- C:\WINDOWS\System32\amcompat.tlb
[2009/09/17 21:56:05 | 00,004,161 | ---- | M] () -- C:\WINDOWS\ODBCINST.INI
[2009/09/17 21:54:31 | 00,000,488 | RH-- | M] () -- C:\WINDOWS\System32\WindowsLogon.manifest
[2009/09/17 21:54:31 | 00,000,488 | RH-- | M] () -- C:\WINDOWS\System32\logonui.exe.manifest
[2009/09/17 21:54:20 | 00,000,749 | RH-- | M] () -- C:\WINDOWS\WindowsShell.Manifest
[2009/09/17 21:54:20 | 00,000,749 | RH-- | M] () -- C:\WINDOWS\System32\wuaucpl.cpl.manifest
[2009/09/17 21:54:20 | 00,000,749 | RH-- | M] () -- C:\WINDOWS\System32\sapi.cpl.manifest
[2009/09/17 21:54:20 | 00,000,749 | RH-- | M] () -- C:\WINDOWS\System32\nwc.cpl.manifest
[2009/09/17 21:54:20 | 00,000,749 | RH-- | M] () -- C:\WINDOWS\System32\ncpa.cpl.manifest
[2009/09/17 21:54:20 | 00,000,749 | RH-- | M] () -- C:\WINDOWS\System32\cdplayer.exe.manifest
[2009/09/17 21:52:32 | 00,021,640 | ---- | M] () -- C:\WINDOWS\System32\emptyregdb.dat
[2009/09/17 21:52:28 | 00,000,037 | ---- | M] () -- C:\WINDOWS\vbaddin.ini
[2009/09/17 21:52:28 | 00,000,036 | ---- | M] () -- C:\WINDOWS\vb.ini
[2009/09/17 21:50:24 | 00,000,211 | ---- | M] () -- C:\Boot.bak
[2009/09/14 02:12:36 | 00,229,888 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2009/09/10 14:54:06 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/09/10 14:53:50 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
< End of report >

When I tried to follow the instructions for MBAM I got a bit confused.
The first line says something which I couldn't find, but I remembered those 2 lines after I installed MBAM.

Anyhow, I updated the application and here's the log:

Malwarebytes' Anti-Malware 1.41
Database version: 2866
Windows 5.1.2600 Service Pack 3

9/28/2009 1:55:35 PM
mbam-log-2009-09-28 (13-55-35).txt

Scan type: Full Scan (C:\|)
Objects scanned: 90827
Time elapsed: 4 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows login assistance (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows login assistance (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\windows login assistance (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\windows login assistance (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\winsystem.exe.vir (Trojan.Pincav) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\hgGvwxvW.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\nnnoMEVN.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0B38D124-F7F6-41E9-BC30-B270D23407F6}\RP5\A0000335.exe (Trojan.Banker) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0B38D124-F7F6-41E9-BC30-B270D23407F6}\RP6\A0000672.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0B38D124-F7F6-41E9-BC30-B270D23407F6}\RP6\A0000673.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0B38D124-F7F6-41E9-BC30-B270D23407F6}\RP6\A0000850.exe (Trojan.Pincav) -> Quarantined and deleted successfully.
C:\_OTL\MovedFiles\09282009_133546\windows\sysrest32.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

Computer seems to be running much faster and I can browse normally with Firefox, all thanks to you!
Are we done?

Also, I wanted to ask you: can I get the same training you are getting now?

Oh, and one other thing: I don't know if you noticed, but I don't have an antivirus. I know this is bad, but I don't know which one I should get. Any recommendations?
Vegeta
Active Member
 
Posts: 11
Joined: September 17th, 2009, 4:19 pm
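As an added example, and not code from this thread or from OTL, Malwarebytes or MalwareRemoval.com, the following Python script parses the two log formats quoted above (OTL's file-listing lines and MBAM's detection lines) and applies two checks a helper otherwise makes by eye: an executable with no CompanyName version info sitting in a user-profile directory, and a file carrying a core Windows binary name (such as winlogon.exe) outside the system directories. It also sorts MBAM hits into registry autorun values, live files and already-contained copies (ComboFix's Qoobox quarantine, OTL's MovedFiles folder and System Restore points), which is the distinction behind the "are we done?" question: every one of the eight file hits in the MBAM log above is a contained copy, and the four registry hits are autorun values. The name lists, the flag labels, the hypothetical EXAMPLE-DIR path and the sample lines at the bottom are this example's own assumptions.

```python
"""Triage helpers for the two log formats quoted in this thread: OTL file-listing lines
and MBAM detection lines.  Added example, not code from the post or from either tool."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# OTL: [YYYY/MM/DD HH:MM:SS | size | attrs | C|M] (Company) -- path
# Directory lines ("---D") have no "(Company)"; a file with no CompanyName shows "()".
OTL_LINE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\] "
    r"(?:\((?P<company>[^)]*)\) )?-- (?P<path>.+)$")
# MBAM: <registry key\value or file path> (<family>) -> <action>.
MBAM_LINE = re.compile(r"^(?P<item>.+?) \((?P<family>[^)]+)\) -> (?P<action>.+?)\.?$")

EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".cpl", ".com")
# Core Windows binary names and where they are expected (assumed lists; a same-named
# file anywhere else deserves a second look).
SYSTEM_NAMES = {"winlogon.exe", "svchost.exe", "lsass.exe", "services.exe", "smss.exe",
                "csrss.exe", "explorer.exe"}
EXPECTED_SYSTEM_DIRS = {"c:\\windows", "c:\\windows\\system32",
                        "c:\\windows\\system32\\dllcache", "c:\\windows\\servicepackfiles\\i386"}
USER_WRITABLE = ("\\documents and settings\\", "\\docume~1\\")
# Places holding already-contained copies: tool quarantines and restore points.
ALREADY_CONTAINED = ("\\qoobox\\quarantine\\", "\\system volume information\\_restore",
                     "\\_otl\\movedfiles\\")

@dataclass
class OtlEntry:
    timestamp: str
    size: int
    attrs: str
    company: Optional[str]   # None for directories, "" when no CompanyName
    path: str
    flags: List[str] = field(default_factory=list)

def parse_otl_line(line: str) -> Optional[OtlEntry]:
    """Parse one OTL line and attach triage flags; None if the line is not OTL."""
    m = OTL_LINE.match(line.strip())
    if not m:
        return None
    company = m.group("company")
    entry = OtlEntry(m.group("ts"), int(m.group("size").replace(",", "")), m.group("attrs"),
                     None if company is None else company.strip(), m.group("path"))
    low = entry.path.lower()
    directory, _, name = low.rpartition("\\")
    is_exec = "D" not in entry.attrs and low.endswith(EXEC_EXT)
    if is_exec and entry.company == "" and any(u in low for u in USER_WRITABLE):
        entry.flags.append("no-company-exe-in-user-profile")
    if name in SYSTEM_NAMES and directory not in EXPECTED_SYSTEM_DIRS:
        entry.flags.append("system-binary-name-outside-system-dirs")
    return entry

def triage_otl(lines) -> List[OtlEntry]:
    # Only the entries that picked up at least one flag.
    parsed = (parse_otl_line(line) for line in lines)
    return [e for e in parsed if e is not None and e.flags]

@dataclass
class MbamHit:
    item: str
    family: str
    action: str
    category: str   # autorun-registry | registry-other | already-contained | live-file

def parse_mbam_line(line: str) -> Optional[MbamHit]:
    """Parse one MBAM detection line; the category says whether the hit was live."""
    m = MBAM_LINE.match(line.strip())
    if not m:
        return None
    low = m.group("item").lower()
    if low.startswith("hkey_"):
        category = "autorun-registry" if "\\run\\" in low or "\\runonce\\" in low else "registry-other"
    elif any(c in low for c in ALREADY_CONTAINED):
        category = "already-contained"   # quarantined or restore-point copy, not a running threat
    else:
        category = "live-file"
    return MbamHit(m.group("item"), m.group("family"), m.group("action"), category)

def summarize_mbam(lines) -> Dict[str, int]:
    """Count hits per category; '(No malicious items detected)' lines do not match."""
    counts: Dict[str, int] = {}
    for line in lines:
        hit = parse_mbam_line(line)
        if hit is not None:
            counts[hit.category] = counts.get(hit.category, 0) + 1
    return counts

# Constructed sample input: the first three OTL lines and the MBAM lines mirror entries
# quoted in this thread; the fourth OTL line is made up (placeholder EXAMPLE-DIR).
SAMPLE_OTL = [
    r"[2009/09/26 15:51:40 | 00,288,768 | ---- | M] () -- C:\Documents and Settings\jack\Desktop\8i36yu3y.exe",
    r"[2009/09/17 21:51:56 | 00,015,360 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\logoff.exe",
    r"[2009/09/17 21:51:47 | 00,000,000 | ---D | C] -- C:\Program Files\MSN",
    r"[2009/09/17 22:00:00 | 00,040,960 | ---- | C] () -- C:\Documents and Settings\jack\Application Data\EXAMPLE-DIR\winlogon.exe",
]
SAMPLE_MBAM = [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows login assistance (Backdoor.Bot) -> Quarantined and deleted successfully.",
    r"C:\Qoobox\Quarantine\C\winsystem.exe.vir (Trojan.Pincav) -> Quarantined and deleted successfully.",
    r"C:\System Volume Information\_restore{0B38D124-F7F6-41E9-BC30-B270D23407F6}\RP5\A0000335.exe (Trojan.Banker) -> Quarantined and deleted successfully.",
    r"C:\_OTL\MovedFiles\09282009_133546\windows\sysrest32.exe (Backdoor.Bot) -> Quarantined and deleted successfully.",
]
```

Feed `triage_otl` the "Files Created" and "Files Modified" sections of an OTL report and `summarize_mbam` the "Files Infected" and "Registry Values Infected" sections of an MBAM log; a result with no `live-file` hits and flagged OTL entries that are all known tools is what "done" looks like. The CompanyName check is a version-info heuristic, not a signature check, so treat its flags as a prompt to look closer rather than a verdict.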

Re: Infection right after format

Unread postby francis327 » September 28th, 2009, 10:35 am

Hi Vegeta,

Computer seems to be running much faster and I can browse normally with Firefox, all thanks to you!
Are we done?

It looks to me like we are done here. But I need you to run one more online scan before I can eventually "release" you.

Also, I wanted to ask you: can I get the same training you are getting now?

You are most welcome to join. Register yourself at Malware Removal University. Read through all the information on that page and you will be clear on how the University actually operates and what you are expected to do there.


Oh, and one other thing: I don't know if you noticed, but I don't have an antivirus. I know this is bad, but I don't know which one I should get. Any recommendations?

I was just about to give you a warning that your system is not equipped with an AV. Below are a few that you can choose from.

Personally I am using the free edition of Avira AV. You can get it below:
1) AntiVir PersonalEdition Classic - Free anti-virus software for Windows. Detects and removes more than 50,000 viruses. Free support.

It is strongly recommended that you run only -one- antivirus program at a time.
Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts.



If you are clear with the above, please proceed with the following before we wrap this up.

1 - Java
  • Go to Java Site
  • Click to Download Java SE Runtime Environment (JRE) 6 Update 16
  • In Platform box choose Windows.
  • Check the box to Accept License Agreement and click Continue.
  • Click on Windows Offline Installation, click on the link under it which says "jre-6u16-windows-i586-p.exe" and save the downloaded file to your desktop.
  • Install the new version by running the newly-downloaded file with the java icon which will be at your desktop, and follow the on-screen instructions.
  • Reboot your computer



2 - ATF-Cleaner
Please download ATF Cleaner by Atribune.

  • Save it to your desktop
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

    If you use the Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.

    NOTE: If you would like to keep your saved passwords
    please click No at the prompt.


    If you use the Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.

    NOTE: If you would like to keep your saved passwords
    please click No at the prompt.

  • Click Exit on the Main menu to close the program.



3 - Kaspersky Online Scanner
Please go to Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    1. Spyware, Adware, Dialers, and other potentially dangerous programs
    2. Archives
    3. Mail Databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply along with a fresh HijackThis log.

If you need a tutorial, see here

In your next reply, please post
  • Kaspersky Scanner Report
  • New HijackThis Log
francis327
Regular Member
 
Posts: 939
Joined: September 4th, 2008, 3:42 am
Location: Far East (GMT + 8)