Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

MS security essentials alert

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

MS security essentials alert

Unread postby toshin9 » December 16th, 2010, 6:29 am

Hi,

This is the first Malware i have been unable to remove from my system after trying for over 20 days =/

Most of the removal guides online do not work. I imagine this is a new version (infected mid Nov) with different reinfection methods.

I suspect wuauclt.exe iexplore.exe and perhaps scvhost/mshta is roothooked (nothing seems to detect this though.) Because even though i've disabled updates, that damn process keeps showing up. There are always 2 iexplore instances running in taskmanager.
Also, both wuaulct.exe and iexplore.exe cannot be deleted. They reappear 10 secs after deleting them.

The malware is present on the system but dormant (after running malware bytes and Super anti spyware. Which only pickup the hotfix.exe and various other reg/exes which are obvious).
I know its there due to the iexplore processes etc.
And the PC works fine, albeit losing system resources to the malware processes - Until i connect the network cable.

Then within 30 secs to 15 mins, the MS security essentials alert pops up, and the associated problems such as tons of scheduled tasks, inability to access group policy and regedit, disabling of programs/prompts etc starts up and makes the PC unusable.
I have looked up countless forums and threads on the MS SEA malware, but all the removal steps seem too simple for this reinfection method.

I am wary about connecting to the internet as it managed to download different malwares like security 2010 etc. It even managed to infect me with a MBR? I think dll which caused MBA/Super anti spyrare and a few other scanners to BSOD when it hit that dll. After some research and further problems TDSSkiller managed to fix that.

Right now the PC is running Ok, but is unable to connect to the internet due to guaranteed reinfection. Im at a loss on how its reinfecting me and avoiding detection.
Im sure i was initially infected after a drunken night, and using IE instead of firefox+noscript. sigh.
fyi. posted on another forum but thread closed.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:18:33 PM, on 12/16/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\System32\alg.exe
E:\BACKUP D\WINAMP\winamp.exe
C:\Program Files\VideoLAN\VLC\vlc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:23012
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/DriverDow ... ab_nvd.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resourc ... oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 8211881000
O16 - DPF: {C237A80A-4C55-4C68-BAA9-CBE4408D12B2} (F-Secure Online Scanner 4.0 Launcher) - http://download.sp.f-secure.com/ols/f-s ... uncher.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{15621E4B-AB40-4D99-884E-FFEBD9CA1859}: NameServer = 8.8.8.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{650A012B-2D3E-40C7-978B-0F65BBEADA8A}: NameServer = 8.8.8.8
O17 - HKLM\System\CS1\Services\Tcpip\..\{15621E4B-AB40-4D99-884E-FFEBD9CA1859}: NameServer = 8.8.8.8
O18 - Protocol: gcf - {9875BFAF-B04D-445E-8A69-BE36838CDE3E} - C:\Program Files\Google\Chrome Frame\Application\7.0.517.44\npchrome_frame.dll (file missing)
O18 - Protocol: vsharechrome - {3F3A4B8A-86FC-43A4-BB00-6D7EBE9D4484} - (no file)
O20 - Winlogon Notify: !SASWinLogon - C:\WINDOWS\
O23 - Service: Google Update Service (gupdate) (gupdate) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe (file missing)
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 5240 bytes


Adobe AIR
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Audacity 1.2.6
CDDRV_Installer
Critical Update for Windows Media Player 11 (KB959772)
eMule
ESET Online Scanner v3
Foxit Reader
GGPO
Google Update Helper
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB952287)
ImgBurn
JDownloader
KhalInstallWrapper
K-Lite Codec Pack 4.7.5 (Basic)
Logitech SetPoint
Malwarebytes' Anti-Malware
Medieval CUE Splitter
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.5.15)
Nero 7 Essentials
NVIDIA Drivers
NVIDIA nView Desktop Manager
Real Alternative 1.9.0
Rootkit Unhooker LE 3.8 SR 2
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
SopCast 3.0.3
Sound Blaster Live! Web 2K/XP
SUPERAntiSpyware
Update for Windows Internet Explorer 8 (KB971180)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
VC 9.0 Runtime
Veetle TV 0.9.18
VLC media player 1.1.4
VNC Free Edition 4.1.3
vShare Plugin
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
ZoneAlarm
toshin9
Active Member
 
Posts: 7
Joined: December 16th, 2010, 6:04 am
Advertisement
Register to Remove

Re: MS security essentials alert

Unread postby muppy03 » December 18th, 2010, 5:54 am

Hello and welcome to Malware Removal Forums

IMPORTANT

Whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.
To make cleaning this machine easier:-
  • Continue to respond to this thread until I give you the All Clean!
  • Please DO NOT uninstall/install any programs unless asked to. It is more difficult when files/programs appear or disappear from the logs.
  • Please do not run any scans other than those requested and do not post any logs/reports unless specifically requested to do so.
  • Please follow all instructions in the order posted.
  • If you have any questions or do not understand instructions, please ask before continuing.
  • Please reply to this thread. Do not start a new topic.

Ok, I am a little bit lost at what you said, but that is ok, we shall get there.

Right now the PC is running Ok, but is unable to connect to the internet due to guaranteed reinfection.

Are you saying the computer will not connect to internet (which we can fix) or that you do not connect it due to being reinfected?

There are always 2 iexplore instances running in taskmanager

If running IE8 this is normal :)

IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

eMule

I'd like you to read the MRU policy for P2P Programs.

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red). Also take note that remnants of the above program/s and any other P2P program found will be removed when cleaning.


Let’s get the internet working first.

Open Hijack This and select Do a System Scan Only place a check next to the below lines if still present

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:23012

Once selected close all windows except HJT an click on Fix Checked

NEXT I would like you to restore your Proxy settings.

To do this:
In Internet Explorer: Tools Menu -> Internet Options -> Connections Tab ->Lan Settings >uncheck "use a proxy server" and check to "Automatically detect settings".
In Firefox in Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection.

REBOOT COMPUTER

NEXT Download and Run: RSIT

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

Please reply with:-
  • RSIT logs ( info.txt and log.txt)
User avatar
muppy03
MRU Emeritus
MRU Emeritus
 
Posts: 4782
Joined: December 4th, 2007, 5:30 am
Location: Australia

Re: MS security essentials alert

Unread postby toshin9 » December 18th, 2010, 7:20 am

Hi,

Yeah sorry, in my attempt to be thorough, i was pretty confusing.

Correct - i meant i am choosing not to connect it to the network as i haven't been able to prevent reinfection.
Im posting from a laptop.
At this stage the system is usable. But if i was to connect it to the internet, it will make this removal process much harder since i won't be able to run any scanners and it might install different malwares.

Also, you say it is normal to have 2 processes of iexplore.exe open with IE8.
Is this supposed to happen even without ever opening Ie8. As in, when windows boots up, the processes are already running. If i was to open IE8, i would have yet another process of iexplore.exe.

Logfile of random's system information tool 1.08 (written by random/random)
Run by Gary at 2010-12-18 21:59:39
Microsoft Windows XP Professional Service Pack 3
System drive C: has 13 GB (18%) free of 77 GB
Total RAM: 2047 MB (78% free)

HijackThis download failed

======Registry dump======

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2010-04-03 13670504]
"ZoneAlarm Client"=C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe [2010-11-16 1043968]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [2010-11-23 2424560]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jet Detection]
C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe [2001-10-04 28672]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
C:\WINDOWS\KHALMNPR.EXE [2008-12-19 76304]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
? []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [2006-01-12 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
C:\WINDOWS\system32\NvCpl.dll [2010-04-03 13670504]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
C:\WINDOWS\system32\NvMcTray.dll [2010-04-03 110696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
? []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
C:\WINDOWS\UpdReg.EXE [2000-05-11 90112]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINDVDPatch]
C:\WINDOWS\system32\CTHELPER.EXE [2002-02-07 40960]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator.ZAIBATSU.000^Start Menu^Programs^Startup^uvllqkfj.exe]
C:\Documents and Settings\Administrator.ZAIBATSU.000\Start Menu\Programs\Startup\uvllqkfj.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
C:\PROGRA~1\Logitech\SetPoint\SetPoint.exe [2009-02-19 809488]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Gary^Start Menu^Programs^Startup^uvllqkfj.exe]
C:\Documents and Settings\Gary\Start Menu\Programs\Startup\uvllqkfj.exe []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LBTWlgn]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-14 184745]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\vsmon]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WdfLoadGroup]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=1
"NoDriveAutoRun"=67108863
"NoDriveTypeAutoRun"=323
"NoDrives"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\uTorrent\uTorrent.exe"="C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\WINDOWS\system32\ZoneLabs\vsmon.exe"="C:\WINDOWS\system32\ZoneLabs\vsmon.exe:*:Enabled:vsmon"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 1 months======

2010-12-18 21:59:39 ----D---- C:\rsit
2010-12-16 00:32:46 ----A---- C:\TDSSKiller.2.4.11.0_16.12.2010_00.32.46_log.txt
2010-12-16 00:29:55 ----A---- C:\mbr.exe
2010-12-15 20:50:19 ----A---- C:\WINDOWS\system32\cmdmgr.exe
2010-12-15 20:45:53 ----A---- C:\TDSSKiller.2.4.10.0_15.12.2010_20.45.53_log.txt
2010-12-15 20:45:42 ----A---- C:\WINDOWS\system32\svchostmgr.exe
2010-12-15 20:45:17 ----SHD---- C:\RECYCLER
2010-12-15 20:43:28 ----A---- C:\WINDOWS\explorermgr.exe
2010-12-15 20:41:06 ----A---- C:\ComboFix.txt
2010-12-15 19:49:10 ----D---- C:\Program Files\ESET
2010-12-15 19:18:37 ----D---- C:\Program Files\CheckPoint
2010-12-15 19:18:35 ----A---- C:\WINDOWS\system32\vsregexp.dll
2010-12-15 19:18:34 ----A---- C:\WINDOWS\system32\zlcommdb.dll
2010-12-15 19:18:34 ----A---- C:\WINDOWS\system32\zlcomm.dll
2010-12-15 19:18:31 ----D---- C:\WINDOWS\system32\ZoneLabs
2010-12-15 19:18:31 ----A---- C:\WINDOWS\system32\zpeng25.dll
2010-12-15 19:18:31 ----A---- C:\WINDOWS\system32\vsxml.dll
2010-12-15 19:18:31 ----A---- C:\WINDOWS\system32\vswmi.dll
2010-12-15 19:18:31 ----A---- C:\WINDOWS\system32\vspubapi.dll
2010-12-15 19:18:31 ----A---- C:\WINDOWS\system32\vsmonapi.dll
2010-12-15 19:18:30 ----D---- C:\Program Files\Zone Labs
2010-12-15 19:18:30 ----A---- C:\WINDOWS\system32\vsdatant.sys
2010-12-15 19:18:05 ----D---- C:\WINDOWS\Internet Logs
2010-12-15 19:18:04 ----A---- C:\WINDOWS\system32\vsutil.dll
2010-12-15 19:18:04 ----A---- C:\WINDOWS\system32\vsinit.dll
2010-12-15 19:18:04 ----A---- C:\WINDOWS\system32\vsdata.dll
2010-12-15 18:50:13 ----A---- C:\TDSSKiller.2.4.10.0_15.12.2010_18.50.13_log.txt
2010-12-06 00:04:09 ----D---- C:\Documents and Settings\All Users\Application Data\Norton
2010-12-04 12:23:46 ----D---- C:\WINDOWS\temp
2010-12-03 20:07:03 ----A---- C:\TDSSKiller.2.4.10.0_03.12.2010_20.07.03_log.txt
2010-12-03 19:47:40 ----D---- C:\WINDOWS\system32\appmgmt
2010-12-01 18:08:29 ----D---- C:\Program Files\win
2010-12-01 17:40:28 ----A---- C:\TDSSKiller.2.4.10.0_01.12.2010_17.40.28_log.txt
2010-12-01 01:23:16 ----A---- C:\TDSSKiller.2.4.10.0_01.12.2010_01.23.16_log.txt
2010-12-01 00:54:55 ----A---- C:\TDSSKiller.2.4.10.0_01.12.2010_00.54.55_log.txt
2010-12-01 00:21:27 ----A---- C:\TDSSKiller.2.4.10.0_01.12.2010_00.21.27_log.txt
2010-11-30 23:56:27 ----A---- C:\TDSSKiller.2.4.10.0_30.11.2010_23.56.27_log.txt
2010-11-30 22:51:32 ----A---- C:\TDSSKiller.2.4.10.0_30.11.2010_22.51.32_log.txt
2010-11-30 22:26:25 ----A---- C:\TDSSKiller.2.4.10.0_30.11.2010_22.26.25_log.txt
2010-11-30 22:08:10 ----A---- C:\TDSSKiller.2.4.10.0_30.11.2010_22.08.10_log.txt
2010-11-30 17:01:28 ----D---- C:\Program Files\Trend Micro
2010-11-30 16:47:54 ----A---- C:\TDSSKiller.2.4.10.0_30.11.2010_16.47.54_log.txt
2010-11-30 03:06:35 ----HDC---- C:\WINDOWS\$NtUninstallKB2387149$
2010-11-30 03:06:32 ----HDC---- C:\WINDOWS\$NtUninstallKB2279986$
2010-11-30 03:06:28 ----HDC---- C:\WINDOWS\$NtUninstallKB960859$
2010-11-30 03:06:24 ----HDC---- C:\WINDOWS\$NtUninstallKB982214$
2010-11-30 03:06:19 ----HDC---- C:\WINDOWS\$NtUninstallKB958869$
2010-11-30 03:06:16 ----HDC---- C:\WINDOWS\$NtUninstallKB2259922$
2010-11-30 03:06:12 ----HDC---- C:\WINDOWS\$NtUninstallKB980195$
2010-11-30 03:06:10 ----HDC---- C:\WINDOWS\$NtUninstallKB2296011$
2010-11-30 03:06:07 ----HDC---- C:\WINDOWS\$NtUninstallKB980232$
2010-11-30 03:06:03 ----HDC---- C:\WINDOWS\$NtUninstallKB2115168$
2010-11-30 03:06:00 ----HDC---- C:\WINDOWS\$NtUninstallKB975558_WM8$
2010-11-30 03:05:57 ----HDC---- C:\WINDOWS\$NtUninstallKB955759$
2010-11-30 03:05:52 ----HDC---- C:\WINDOWS\$NtUninstallKB2378111_WM9$
2010-11-30 03:05:49 ----HDC---- C:\WINDOWS\$NtUninstallKB974318$
2010-11-30 03:05:46 ----HDC---- C:\WINDOWS\$NtUninstallKB969059$
2010-11-30 03:05:42 ----HDC---- C:\WINDOWS\$NtUninstallKB2229593$
2010-11-30 03:05:39 ----HDC---- C:\WINDOWS\$NtUninstallKB978037$
2010-11-30 03:05:36 ----HDC---- C:\WINDOWS\$NtUninstallKB975713$
2010-11-30 03:05:32 ----HDC---- C:\WINDOWS\$NtUninstallKB982132$
2010-11-30 03:05:28 ----HDC---- C:\WINDOWS\$NtUninstallKB971657$
2010-11-30 03:05:25 ----HDC---- C:\WINDOWS\$NtUninstallKB978338$
2010-11-30 03:05:21 ----HDC---- C:\WINDOWS\$NtUninstallKB954155_WM9$
2010-11-30 03:05:19 ----HDC---- C:\WINDOWS\$NtUninstallKB972270$
2010-11-30 03:05:15 ----HDC---- C:\WINDOWS\$NtUninstallKB956744$
2010-11-30 03:05:12 ----HDC---- C:\WINDOWS\$NtUninstallKB974112$
2010-11-30 03:05:09 ----HDC---- C:\WINDOWS\$NtUninstallKB2347290$
2010-11-30 03:05:05 ----HDC---- C:\WINDOWS\$NtUninstallKB956844$
2010-11-30 03:05:01 ----HDC---- C:\WINDOWS\$NtUninstallKB981852$
2010-11-30 03:04:55 ----HDC---- C:\WINDOWS\$NtUninstallKB2079403$
2010-11-30 03:04:48 ----D---- C:\WINDOWS\system32\MpEngineStore
2010-11-30 03:04:48 ----A---- C:\WINDOWS\system32\MRT.INI
2010-11-30 03:02:27 ----HDC---- C:\WINDOWS\$NtUninstallKB979687$
2010-11-30 03:02:23 ----HDC---- C:\WINDOWS\$NtUninstallKB2121546$
2010-11-30 03:02:20 ----HDC---- C:\WINDOWS\$NtUninstallKB973869$
2010-11-30 03:02:17 ----HDC---- C:\WINDOWS\$NtUninstallKB975025$
2010-11-30 03:02:14 ----HDC---- C:\WINDOWS\$NtUninstallKB974571$
2010-11-30 03:01:59 ----HDC---- C:\WINDOWS\$NtUninstallKB975560$
2010-11-30 03:01:53 ----HDC---- C:\WINDOWS\$NtUninstallKB973507$
2010-11-30 03:01:48 ----HDC---- C:\WINDOWS\$NtUninstallKB977816$
2010-11-30 03:01:45 ----HDC---- C:\WINDOWS\$NtUninstallKB978601$
2010-11-30 03:01:42 ----HDC---- C:\WINDOWS\$NtUninstallKB980436$
2010-11-30 03:01:38 ----HDC---- C:\WINDOWS\$NtUninstallKB981322$
2010-11-30 03:01:35 ----HDC---- C:\WINDOWS\$NtUninstallKB978695_WM9$
2010-11-30 03:01:32 ----HDC---- C:\WINDOWS\$NtUninstallKB973904$
2010-11-30 03:01:26 ----HDC---- C:\WINDOWS\$NtUninstallKB973540_WM9$
2010-11-30 03:01:23 ----HDC---- C:\WINDOWS\$NtUninstallKB974392$
2010-11-30 03:01:17 ----HDC---- C:\WINDOWS\$NtUninstallKB977914$
2010-11-30 03:01:10 ----HDC---- C:\WINDOWS\$NtUninstallKB978542$
2010-11-30 03:01:05 ----HDC---- C:\WINDOWS\$NtUninstallKB2286198$
2010-11-30 03:01:02 ----HDC---- C:\WINDOWS\$NtUninstallKB981957$
2010-11-30 03:00:58 ----HDC---- C:\WINDOWS\$NtUninstallKB979309$
2010-11-30 03:00:55 ----HDC---- C:\WINDOWS\$NtUninstallKB979482$
2010-11-30 03:00:52 ----HDC---- C:\WINDOWS\$NtUninstallKB978706$
2010-11-30 03:00:48 ----HDC---- C:\WINDOWS\$NtUninstallKB981997$
2010-11-30 03:00:45 ----HDC---- C:\WINDOWS\$NtUninstallKB973815$
2010-11-30 03:00:41 ----HDC---- C:\WINDOWS\$NtUninstallKB975562$
2010-11-30 03:00:35 ----HDC---- C:\WINDOWS\$NtUninstallKB2158563$
2010-11-30 03:00:32 ----HDC---- C:\WINDOWS\$NtUninstallKB982665$
2010-11-30 03:00:29 ----HDC---- C:\WINDOWS\$NtUninstallKB975467$
2010-11-30 03:00:25 ----HDC---- C:\WINDOWS\$NtUninstallKB968389$
2010-11-30 03:00:18 ----HDC---- C:\WINDOWS\$NtUninstallKB2360937$
2010-11-29 21:53:39 ----D---- C:\WINDOWS\system32\SoftwareDistribution
2010-11-29 20:39:15 ----A---- C:\TDSSKiller.2.4.10.0_29.11.2010_20.39.15_log.txt
2010-11-29 20:00:28 ----A---- C:\TDSSKiller.2.4.10.0_29.11.2010_20.00.28_log.txt
2010-11-29 19:57:58 ----A---- C:\TDSSKiller.2.4.10.0_29.11.2010_19.57.58_log.txt
2010-11-29 19:52:36 ----D---- C:\WINDOWS\Minidump
2010-11-29 19:48:08 ----A---- C:\TDSSKiller.2.4.10.0_29.11.2010_19.48.08_log.txt
2010-11-29 19:44:22 ----A---- C:\TDSSKiller.2.4.10.0_29.11.2010_19.44.22_log.txt
2010-11-29 19:39:40 ----A---- C:\TDSSKiller.2.4.10.0_29.11.2010_19.39.40_log.txt
2010-11-28 14:14:21 ----D---- C:\Program Files\SUPERAntiSpyware
2010-11-28 00:44:42 ----A---- C:\WINDOWS\zip.exe
2010-11-28 00:44:42 ----A---- C:\WINDOWS\SWXCACLS.exe
2010-11-28 00:44:42 ----A---- C:\WINDOWS\SWSC.exe
2010-11-28 00:44:42 ----A---- C:\WINDOWS\SWREG.exe
2010-11-28 00:44:42 ----A---- C:\WINDOWS\sed.exe
2010-11-28 00:44:42 ----A---- C:\WINDOWS\PEV.exe
2010-11-28 00:44:42 ----A---- C:\WINDOWS\NIRCMD.exe
2010-11-28 00:44:42 ----A---- C:\WINDOWS\MBR.exe
2010-11-28 00:44:42 ----A---- C:\WINDOWS\grep.exe
2010-11-27 00:53:05 ----D---- C:\Documents and Settings\Gary\Application Data\GetRightToGo
2010-11-26 21:53:08 ----ASH---- C:\pagefile.sys
2010-11-26 21:22:36 ----D---- C:\Documents and Settings\Gary\Application Data\Feul
2010-11-26 21:22:36 ----D---- C:\Documents and Settings\Gary\Application Data\Acfay
2010-11-26 21:04:33 ----A---- C:\Boot.bak
2010-11-26 21:04:27 ----RASHD---- C:\cmdcons
2010-11-26 20:40:37 ----SD---- C:\WINDOWS\Tasks
2010-11-26 20:21:00 ----D---- C:\Documents and Settings\All Users\Application Data\MSN6
2010-11-26 20:12:47 ----D---- C:\Documents and Settings\Gary\Application Data\Ablil
2010-11-26 19:45:55 ----D---- C:\WINDOWS\ERDNT
2010-11-26 19:41:58 ----AD---- C:\Qoobox
2010-11-26 19:35:12 ----D---- C:\Documents and Settings\Gary\Application Data\Xahays
2010-11-26 00:42:58 ----D---- C:\Documents and Settings\Gary\Application Data\SUPERAntiSpyware.com
2010-11-26 00:42:58 ----D---- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2010-11-25 23:52:05 ----D---- C:\Documents and Settings\Gary\Application Data\Ufxu
2010-11-25 23:52:05 ----D---- C:\Documents and Settings\Gary\Application Data\Feunu
2010-11-25 20:13:14 ----HD---- C:\WINDOWS\system32\GroupPolicy
2010-11-24 18:02:49 ----D---- C:\Documents and Settings\Gary\Application Data\updates
2010-11-21 11:52:04 ----D---- C:\Documents and Settings\Gary\Application Data\Taodh
2010-11-21 11:52:04 ----D---- C:\Documents and Settings\Gary\Application Data\Iphia

======List of files/folders modified in the last 1 months======

2010-12-18 21:59:37 ----D---- C:\WINDOWS\Prefetch
2010-12-18 21:59:16 ----RSHDC---- C:\WINDOWS\system32\dllcache
2010-12-18 21:54:55 ----D---- C:\WINDOWS\system32\CatRoot2
2010-12-18 21:53:33 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-12-18 21:53:20 ----A---- C:\WINDOWS\winamp.ini
2010-12-18 21:51:10 ----D---- C:\Program Files\eMule
2010-12-18 21:46:48 ----D---- C:\Program Files\Windows Media Player
2010-12-18 21:46:40 ----D---- C:\Program Files\Outlook Express
2010-12-18 21:46:33 ----D---- C:\Program Files\Movie Maker
2010-12-18 21:46:19 ----D---- C:\Program Files\Internet Explorer
2010-12-18 04:20:58 ----A---- C:\WINDOWS\NeroDigital.ini
2010-12-16 00:32:46 ----D---- C:\WINDOWS\system32\drivers
2010-12-16 00:26:26 ----HDC---- C:\WINDOWS\$NtUninstallKB958690$
2010-12-15 22:29:20 ----D---- C:\Program Files\Mozilla Firefox
2010-12-15 21:54:02 ----D---- C:\Program Files\Common Files\LightScribe
2010-12-15 20:50:19 ----D---- C:\WINDOWS\system32
2010-12-15 20:43:28 ----D---- C:\WINDOWS
2010-12-15 20:38:48 ----A---- C:\WINDOWS\system.ini
2010-12-15 20:38:33 ----D---- C:\WINDOWS\system32\drivers\etc
2010-12-15 20:36:53 ----D---- C:\WINDOWS\AppPatch
2010-12-15 20:36:53 ----D---- C:\Program Files\Common Files
2010-12-15 20:15:48 ----D---- C:\WINDOWS\pss
2010-12-15 20:11:16 ----D---- C:\Program Files\WinRAR
2010-12-15 20:11:10 ----D---- C:\Program Files\Windows Media Connect 2
2010-12-15 20:11:09 ----D---- C:\Program Files\vShare
2010-12-15 20:10:11 ----D---- C:\Program Files\SopCast
2010-12-15 20:09:49 ----D---- C:\Program Files\Real Alternative
2010-12-15 20:09:43 ----D---- C:\Program Files\NetMeeting
2010-12-15 20:07:28 ----D---- C:\Program Files\Messenger
2010-12-15 20:06:52 ----D---- C:\Program Files\K-Lite Codec Pack
2010-12-15 20:05:49 ----D---- C:\Program Files\ImgBurn
2010-12-15 20:05:40 ----D---- C:\Program Files\GGPO
2010-12-15 20:03:25 ----D---- C:\Program Files\Audacity
2010-12-15 19:49:10 ----RD---- C:\Program Files
2010-12-15 19:18:03 ----SHD---- C:\WINDOWS\Installer
2010-12-15 19:18:03 ----D---- C:\WINDOWS\WinSxS
2010-12-07 00:44:58 ----D---- C:\JDownloader
2010-12-06 22:38:30 ----D---- C:\Documents and Settings\Gary\Application Data\vlc
2010-12-03 20:02:24 ----RASH---- C:\boot.ini
2010-12-03 20:02:24 ----A---- C:\WINDOWS\win.ini
2010-12-03 19:59:53 ----D---- C:\Program Files\uTorrent
2010-12-03 19:59:53 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2010-12-03 19:59:53 ----D---- C:\Documents and Settings\Gary\Application Data\Etis
2010-12-03 19:06:35 ----HDC---- C:\WINDOWS\$NtUninstallKB958687$
2010-12-01 18:49:50 ----A---- C:\WINDOWS\ntbtlog.txt
2010-12-01 18:12:23 ----HD---- C:\WINDOWS\inf
2010-12-01 18:10:53 ----HD---- C:\WINDOWS\$hf_mig$
2010-12-01 02:11:25 ----D---- C:\WINDOWS\system32\Restore
2010-12-01 01:32:42 ----SHD---- C:\System Volume Information
2010-12-01 00:36:38 ----SHD---- C:\WINDOWS\CSC
2010-11-30 17:38:32 ----D---- C:\Documents and Settings\Gary\Application Data\uTorrent
2010-11-30 03:06:38 ----A---- C:\WINDOWS\imsins.BAK
2010-11-29 21:53:40 ----D---- C:\WINDOWS\Help
2010-11-29 20:21:48 ----HDC---- C:\WINDOWS\$NtUninstallKB938464-v2$
2010-11-29 20:01:33 ----D---- C:\Documents and Settings\Gary\Application Data\Wiihx
2010-11-27 14:44:29 ----HDC---- C:\WINDOWS\$NtUninstallKB955069$
2010-11-27 00:15:19 ----D---- C:\WINDOWS\system32\config
2010-11-27 00:02:17 ----HDC---- C:\WINDOWS\$NtUninstallKB951066$
2010-11-26 20:56:32 ----HDC---- C:\WINDOWS\$NtUninstallKB960803$
2010-11-26 20:15:12 ----SD---- C:\WINDOWS\Task
2010-11-26 00:24:01 ----HDC---- C:\WINDOWS\$NtUninstallKB968537$
2010-11-25 21:51:23 ----HDC---- C:\WINDOWS\$NtUninstallKB956802$
2010-11-25 21:18:56 ----D---- C:\Documents and Settings
2010-11-25 20:52:09 ----RSD---- C:\WINDOWS\Fonts
2010-11-24 22:20:31 ----HDC---- C:\WINDOWS\$NtUninstallKB960225$
2010-11-24 21:02:31 ----HDC---- C:\WINDOWS\$NtUninstallKB967715$
2010-11-22 22:40:36 ----HDC---- C:\WINDOWS\ie7
2010-11-21 12:30:44 ----HDC---- C:\WINDOWS\$NtUninstallKB954600$
2010-11-21 12:28:30 ----D---- C:\Documents and Settings\Gary\Application Data\Hosu

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R0 nvata;nvata; C:\WINDOWS\System32\DRIVERS\nvata.sys [2005-08-18 93568]
R0 ohci1394;Texas Instruments OHCI Compliant IEEE 1394 Host Controller; C:\WINDOWS\System32\DRIVERS\ohci1394.sys [2008-04-14 61696]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS []
R1 vsdatant;vsdatant; C:\WINDOWS\System32\vsdatant.sys [2010-05-13 532224]
R2 irda;IrDA Protocol; C:\WINDOWS\System32\DRIVERS\irda.sys [2008-04-14 88192]
R2 LBeepKE;LBeepKE; C:\WINDOWS\System32\Drivers\LBeepKE.sys [2008-12-19 10384]
R2 PfModNT;PfModNT; \??\C:\WINDOWS\system32\PfModNT.sys []
R3 ctac32k;Creative AC3 Software Decoder; C:\WINDOWS\System32\drivers\ctac32k.sys [2002-03-22 114944]
R3 ctaud2k;Creative Audio Driver (WDM); C:\WINDOWS\system32\drivers\ctaud2k.sys [2002-03-22 835636]
R3 ctprxy2k;Creative Proxy Driver; C:\WINDOWS\System32\drivers\ctprxy2k.sys [2002-03-22 11068]
R3 ctsfm2k;Creative SoundFont Management Device Driver; C:\WINDOWS\System32\drivers\ctsfm2k.sys [2002-03-22 211724]
R3 emupia;E-mu Plug-in Architecture Driver; C:\WINDOWS\System32\drivers\emupia2k.sys [2002-03-22 156604]
R3 ha10kx2k;Creative Hardware Abstract Layer Driver; C:\WINDOWS\system32\drivers\ha10kx2k.sys [2002-03-22 991656]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2008-04-14 10368]
R3 irsir;Microsoft Serial Infrared Driver; C:\WINDOWS\System32\DRIVERS\irsir.sys [2001-08-18 18688]
R3 L8042Kbd;Logitech SetPoint Keyboard Driver; C:\WINDOWS\system32\DRIVERS\L8042Kbd.sys [2008-12-19 20240]
R3 LHidFilt;Logitech SetPoint KMDF HID Filter Driver; C:\WINDOWS\system32\DRIVERS\LHidFilt.Sys [2008-12-19 35472]
R3 LMouFilt;Logitech SetPoint KMDF Mouse Filter Driver; C:\WINDOWS\system32\DRIVERS\LMouFilt.Sys [2008-12-19 37392]
R3 LUsbFilt;Logitech SetPoint KMDF USB Filter; C:\WINDOWS\System32\Drivers\LUsbFilt.Sys [2008-12-19 28816]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 nv;nv; C:\WINDOWS\System32\DRIVERS\nv4_mini.sys [2010-04-04 10232128]
R3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\WINDOWS\System32\DRIVERS\NVENETFD.sys [2005-09-30 34048]
R3 nvnetbus;NVIDIA Network Bus Enumerator; C:\WINDOWS\System32\DRIVERS\nvnetbus.sys [2005-09-30 13056]
R3 ossrv;Creative OS Services Driver; C:\WINDOWS\system32\drivers\ctoss2k.sys [2002-03-22 195432]
R3 Rasirda;WAN Miniport (IrDA); C:\WINDOWS\System32\DRIVERS\rasirda.sys [2001-08-18 19584]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-14 26368]
R3 Wdf01000;Wdf01000; C:\WINDOWS\system32\DRIVERS\Wdf01000.sys [2006-11-02 492000]
S0 iqazzwfg;iqazzwfg; C:\WINDOWS\system32\drivers\iqazzwfg.sys []
S0 rfly;rfly; C:\WINDOWS\System32\drivers\fpjrl.sys []
S3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\System32\DRIVERS\arp1394.sys [2008-04-14 60800]
S3 catchme;catchme; \??\C:\DOCUME~1\Gary\LOCALS~1\Temp\catchme.sys []
S3 ctljystk;Creative SBLive! Gameport; C:\WINDOWS\System32\DRIVERS\ctljystk.sys [2001-08-17 3712]
S3 emu10k;Creative SB Live! (WDM); C:\WINDOWS\system32\drivers\emu10k1m.sys [2001-08-17 283904]
S3 emu10k1;Creative Interface Manager Driver (WDM); C:\WINDOWS\system32\drivers\ctlfacem.sys [2001-08-17 6912]
S3 NIC1394;1394 Net Driver; C:\WINDOWS\System32\DRIVERS\nic1394.sys [2008-04-14 61824]
S3 sfman;Creative SoundFont Manager Driver (WDM); C:\WINDOWS\system32\drivers\sfmanm.sys [2001-08-17 36480]
S3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2008-04-14 60032]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-14 32128]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-14 15104]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Irmon;Infrared Monitor; C:\WINDOWS\System32\svchost.exe [2008-04-14 14336]
R2 LightScribeService;LightScribeService Direct Disc Labeling Service; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [2006-10-19 168318]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\System32\nvsvc32.exe [2010-04-03 154216]
R2 vsmon;TrueVector Internet Monitor; C:\WINDOWS\system32\ZoneLabs\vsmon.exe [2010-11-16 2435592]
R2 WinVNC4;VNC Server Version 4; C:\Program Files\RealVNC\VNC4\WinVNC4.exe [2008-10-15 439632]
S2 gupdate;Google Update Service (gupdate); C:\Program Files\Google\Update\GoogleUpdate.exe /svc []
S3 LBTServ;Logitech Bluetooth Service; C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe [2009-02-19 121360]
S3 NBService;NBService; C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe [2006-12-05 774144]
S3 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe [2006-12-23 262144]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]

-----------------EOF-----------------


As you can see, it failed to find my hijackme for some reason. Its installed in the default location.
In anycase, I have the hijackme logs if you want.
toshin9
Active Member
 
Posts: 7
Joined: December 16th, 2010, 6:04 am

Re: MS security essentials alert

Unread postby muppy03 » December 18th, 2010, 7:48 am

As you can see, it failed to find my hijackme for some reason. Its installed in the default location.
In anycase, I have the hijackme logs if you want.

RSIT does not use HJT that you already have installed, it would have downloaded the latest version. Since you did not connect to the internet this did not happen.

Please do not run anymore tools unless instructed, as this makes things a lot harder to diagnose. Ok I see by looking at your thread on a previous forum that you ran Combofix. Please post the log/s it created. I would also like to see the first TDSSkiller log.

Post them on your next reply with an Updated HJT log.
User avatar
muppy03
MRU Emeritus
MRU Emeritus
 
Posts: 4782
Joined: December 4th, 2007, 5:30 am
Location: Australia

Re: MS security essentials alert

Unread postby toshin9 » December 18th, 2010, 8:30 am

Hi,

Well, I can connect it up to the internet if you need me to. But everything may need to be re-run (with great difficulty) as the malware exes,reg changes,scheduler tasks etc will download and flare up.

2010/11/29 19:44:22.0359 TDSS rootkit removing tool 2.4.10.0 Nov 28 2010 18:35:56
2010/11/29 19:44:22.0359 ================================================================================
2010/11/29 19:44:22.0359 SystemInfo:
2010/11/29 19:44:22.0359
2010/11/29 19:44:22.0359 OS Version: 5.1.2600 ServicePack: 3.0
2010/11/29 19:44:22.0359 Product type: Workstation
2010/11/29 19:44:22.0359 ComputerName: ZAIBATSU
2010/11/29 19:44:22.0359 UserName: Gary
2010/11/29 19:44:22.0359 Windows directory: C:\WINDOWS
2010/11/29 19:44:22.0359 System windows directory: C:\WINDOWS
2010/11/29 19:44:22.0359 Processor architecture: Intel x86
2010/11/29 19:44:22.0359 Number of processors: 1
2010/11/29 19:44:22.0359 Page size: 0x1000
2010/11/29 19:44:22.0359 Boot type: Normal boot
2010/11/29 19:44:22.0359 ================================================================================
2010/11/29 19:44:24.0156 Initialize success
2010/11/29 19:44:37.0046 ================================================================================
2010/11/29 19:44:37.0046 Scan started
2010/11/29 19:44:37.0046 Mode: Manual;
2010/11/29 19:44:37.0046 ================================================================================
2010/11/29 19:44:37.0390 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/11/29 19:44:37.0437 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2010/11/29 19:44:37.0515 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2010/11/29 19:44:37.0562 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2010/11/29 19:44:37.0687 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2010/11/29 19:44:37.0765 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/11/29 19:44:37.0781 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/11/29 19:44:37.0843 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/11/29 19:44:37.0890 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/11/29 19:44:37.0953 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/11/29 19:44:38.0093 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/11/29 19:44:38.0140 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/11/29 19:44:38.0156 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/11/29 19:44:38.0203 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/11/29 19:44:38.0343 ctac32k (23d6d320c0d236784ef0ccf7cbf6c1c0) C:\WINDOWS\system32\drivers\ctac32k.sys
2010/11/29 19:44:38.0375 ctaud2k (16693a385321ceac8f24a53070efc378) C:\WINDOWS\system32\drivers\ctaud2k.sys
2010/11/29 19:44:38.0468 ctljystk (71007bd2e1e26927fe3e4eb00c0beedf) C:\WINDOWS\system32\DRIVERS\ctljystk.sys
2010/11/29 19:44:38.0484 ctprxy2k (53b99368d26ab1be9c3842976df5543c) C:\WINDOWS\system32\drivers\ctprxy2k.sys
2010/11/29 19:44:38.0515 ctsfm2k (73746e147e50249b790bc631891063b5) C:\WINDOWS\system32\drivers\ctsfm2k.sys
2010/11/29 19:44:38.0593 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/11/29 19:44:38.0640 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2010/11/29 19:44:38.0687 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2010/11/29 19:44:38.0703 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/11/29 19:44:38.0750 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2010/11/29 19:44:38.0812 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/11/29 19:44:38.0859 emu10k (01f83e1b5dce05f5cb7d99113ca9e890) C:\WINDOWS\system32\drivers\emu10k1m.sys
2010/11/29 19:44:38.0890 emu10k1 (7ffa171cce6a8bfc774862a578ba39a2) C:\WINDOWS\system32\drivers\ctlfacem.sys
2010/11/29 19:44:38.0921 emupia (a75959f10b6b536982f872b55fc6ce27) C:\WINDOWS\system32\drivers\emupia2k.sys
2010/11/29 19:44:38.0953 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/11/29 19:44:38.0984 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2010/11/29 19:44:39.0015 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2010/11/29 19:44:39.0046 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2010/11/29 19:44:39.0062 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2010/11/29 19:44:39.0093 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/11/29 19:44:39.0125 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/11/29 19:44:39.0171 gameenum (065639773d8b03f33577f6cdaea21063) C:\WINDOWS\system32\DRIVERS\gameenum.sys
2010/11/29 19:44:39.0203 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/11/29 19:44:39.0296 ha10kx2k (bcb3281bfc4eeb8d82932669490013cd) C:\WINDOWS\system32\drivers\ha10kx2k.sys
2010/11/29 19:44:39.0343 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/11/29 19:44:39.0375 HTTP (f6aacf5bce2893e0c1754afeb672e5c9) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/11/29 19:44:39.0453 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/11/29 19:44:39.0468 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/11/29 19:44:39.0546 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2010/11/29 19:44:39.0578 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/11/29 19:44:39.0593 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/11/29 19:44:39.0625 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/11/29 19:44:39.0656 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/11/29 19:44:39.0703 irda (aca5e7b54409f9cb5eed97ed0c81120e) C:\WINDOWS\system32\DRIVERS\irda.sys
2010/11/29 19:44:39.0718 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/11/29 19:44:39.0765 irsir (0501f0b9ab08425f8c0eacbdcc04aa32) C:\WINDOWS\system32\DRIVERS\irsir.sys
2010/11/29 19:44:39.0796 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/11/29 19:44:39.0843 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/11/29 19:44:39.0875 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2010/11/29 19:44:39.0890 KSecDD (1705745d900dabf2d89f90ebaddc7517) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/11/29 19:44:39.0921 L8042Kbd (d8d3f1c1e82117a3776a2d320a7b3694) C:\WINDOWS\system32\DRIVERS\L8042Kbd.sys
2010/11/29 19:44:39.0968 LBeepKE (e254e5b2c5227ddbb47d045940a0a559) C:\WINDOWS\system32\Drivers\LBeepKE.sys
2010/11/29 19:44:40.0015 LHidFilt (8b30311241f97b35167afe68d79e8530) C:\WINDOWS\system32\DRIVERS\LHidFilt.Sys
2010/11/29 19:44:40.0093 LMouFilt (48d7422a6c4eec886b56ac534cfa3acf) C:\WINDOWS\system32\DRIVERS\LMouFilt.Sys
2010/11/29 19:44:40.0140 LUsbFilt (0b808ff2f17c8396fb2ae202f75aed37) C:\WINDOWS\system32\Drivers\LUsbFilt.Sys
2010/11/29 19:44:40.0187 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/11/29 19:44:40.0218 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2010/11/29 19:44:40.0250 Mouclass (c82ddcaf0d00041c0e5b35a0a5be2993) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/11/29 19:44:40.0250 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\mouclass.sys. Real md5: c82ddcaf0d00041c0e5b35a0a5be2993, Fake md5: 35c9e97194c8cfb8430125f8dbc34d04
2010/11/29 19:44:40.0250 Mouclass - detected Rootkit.Win32.TDSS.tdl3 (0)
2010/11/29 19:44:40.0281 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/11/29 19:44:40.0312 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/11/29 19:44:40.0343 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/11/29 19:44:40.0390 MRxSmb (60ae98742484e7ab80c3c1450e708148) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/11/29 19:44:40.0421 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2010/11/29 19:44:40.0453 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/11/29 19:44:40.0468 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/11/29 19:44:40.0500 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/11/29 19:44:40.0546 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/11/29 19:44:40.0562 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2010/11/29 19:44:40.0593 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2010/11/29 19:44:40.0625 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/11/29 19:44:40.0656 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/11/29 19:44:40.0687 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/11/29 19:44:40.0703 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/11/29 19:44:40.0734 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/11/29 19:44:40.0750 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/11/29 19:44:40.0812 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2010/11/29 19:44:40.0843 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2010/11/29 19:44:40.0890 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/11/29 19:44:40.0953 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/11/29 19:44:41.0234 nv (30913cbf518396912e54c2c9f1dd0f09) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2010/11/29 19:44:41.0484 nvata (0344aa9113dc16eec379f4652020849d) C:\WINDOWS\system32\DRIVERS\nvata.sys
2010/11/29 19:44:41.0515 NVENETFD (a545df28f75bcb109a3aadbb07552b12) C:\WINDOWS\system32\DRIVERS\NVENETFD.sys
2010/11/29 19:44:41.0546 nvnetbus (ea41f641420f3d8271804d287c1ef461) C:\WINDOWS\system32\DRIVERS\nvnetbus.sys
2010/11/29 19:44:41.0609 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/11/29 19:44:41.0625 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/11/29 19:44:41.0656 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2010/11/29 19:44:41.0703 ossrv (64de7fde0aac66f721addd1e0394e664) C:\WINDOWS\system32\drivers\ctoss2k.sys
2010/11/29 19:44:41.0734 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2010/11/29 19:44:41.0750 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/11/29 19:44:41.0781 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/11/29 19:44:41.0812 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/11/29 19:44:41.0859 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2010/11/29 19:44:41.0890 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2010/11/29 19:44:42.0015 PfModNT (2f5532f9b0f903b26847da674b4f55b2) C:\WINDOWS\system32\PfModNT.sys
2010/11/29 19:44:42.0062 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/11/29 19:44:42.0093 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2010/11/29 19:44:42.0125 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/11/29 19:44:42.0156 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/11/29 19:44:42.0250 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/11/29 19:44:42.0296 Rasirda (0207d26ddf796a193ccd9f83047bb5fc) C:\WINDOWS\system32\DRIVERS\rasirda.sys
2010/11/29 19:44:42.0328 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/11/29 19:44:42.0359 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/11/29 19:44:42.0390 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/11/29 19:44:42.0421 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/11/29 19:44:42.0453 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/11/29 19:44:42.0500 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2010/11/29 19:44:42.0531 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/11/29 19:44:42.0562 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/11/29 19:44:42.0703 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
2010/11/29 19:44:42.0734 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
2010/11/29 19:44:42.0765 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/11/29 19:44:42.0812 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2010/11/29 19:44:42.0843 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2010/11/29 19:44:42.0890 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/11/29 19:44:42.0921 sfman (0b1a5e9cacb5cdd54a2815107bd7c772) C:\WINDOWS\system32\drivers\sfmanm.sys
2010/11/29 19:44:42.0984 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2010/11/29 19:44:43.0031 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/11/29 19:44:43.0078 Srv (3bb03f2ba89d2be417206c373d2af17c) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/11/29 19:44:43.0125 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/11/29 19:44:43.0140 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2010/11/29 19:44:43.0250 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/11/29 19:44:43.0312 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/11/29 19:44:43.0328 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/11/29 19:44:43.0359 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/11/29 19:44:43.0390 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/11/29 19:44:43.0453 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2010/11/29 19:44:43.0468 Suspicious service (NoAccess): uergz
2010/11/29 19:44:43.0515 uergz (583c5a3139aa9c197c15eae4a1a9cad3) C:\WINDOWS\system32\drivers\uergz.sys
2010/11/29 19:44:43.0515 Suspicious file (NoAccess): C:\WINDOWS\system32\drivers\uergz.sys. md5: 583c5a3139aa9c197c15eae4a1a9cad3
2010/11/29 19:44:43.0531 uergz - detected Locked service (1)
2010/11/29 19:44:43.0562 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2010/11/29 19:44:43.0625 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
2010/11/29 19:44:43.0656 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/11/29 19:44:43.0687 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/11/29 19:44:43.0718 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/11/29 19:44:43.0750 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
2010/11/29 19:44:43.0796 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2010/11/29 19:44:43.0828 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/11/29 19:44:43.0859 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2010/11/29 19:44:43.0906 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/11/29 19:44:43.0953 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/11/29 19:44:44.0015 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
2010/11/29 19:44:44.0078 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/11/29 19:44:44.0187 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2010/11/29 19:44:44.0218 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2010/11/29 19:44:44.0484 ================================================================================
2010/11/29 19:44:44.0484 Scan finished
2010/11/29 19:44:44.0484 ================================================================================
2010/11/29 19:44:44.0500 Detected object count: 2
2010/11/29 19:44:50.0453 Mouclass (c82ddcaf0d00041c0e5b35a0a5be2993) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/11/29 19:44:50.0453 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\mouclass.sys. Real md5: c82ddcaf0d00041c0e5b35a0a5be2993, Fake md5: 35c9e97194c8cfb8430125f8dbc34d04
2010/11/29 19:44:51.0656 Backup copy found, using it..
2010/11/29 19:44:51.0671 C:\WINDOWS\system32\DRIVERS\mouclass.sys - will be cured after reboot
2010/11/29 19:44:51.0671 Rootkit.Win32.TDSS.tdl3(Mouclass) - User select action: Cure
2010/11/29 19:44:51.0671 Locked service(uergz) - User select action: Skip
2010/11/29 19:44:58.0031 Deinitialize success

ComboFix 10-12-14.05 - Gary 12/15/2010 20:35:08.10.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.262 [GMT 11:00]
Running from: c:\documents and settings\Gary\Desktop\ComboFix.exe
FW: ZoneAlarm Firewall *Enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Internet Explorer\dmlconf.dat

.
((((((((((((((((((((((((( Files Created from 2010-11-15 to 2010-12-15 )))))))))))))))))))))))))))))))
.

2010-12-15 08:49 . 2010-12-15 08:49 -------- d-----w- c:\program files\ESET
2010-12-05 13:04 . 2010-12-05 13:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-12-05 13:04 . 2010-12-05 13:04 -------- d-----w- c:\documents and settings\Gary\Local Settings\Application Data\NPE
2010-12-02 12:41 . 2008-04-14 00:12 53760 -c--a-w- c:\windows\system32\dllcache\vfwwdm32.dll
2010-12-02 12:40 . 2001-08-17 01:51 58368 -c--a-w- c:\windows\system32\dllcache\smiminib.sys
2010-12-02 12:39 . 2001-08-17 02:51 17280 -c--a-w- c:\windows\system32\dllcache\scr111.sys
2010-12-02 12:38 . 2001-08-17 02:53 7552 -c--a-w- c:\windows\system32\dllcache\nsmmc.sys
2010-12-02 12:36 . 2001-08-17 11:36 58880 -c--a-w- c:\windows\system32\dllcache\m3092dc.dll
2010-12-02 12:35 . 2001-08-17 02:28 488383 -c--a-w- c:\windows\system32\dllcache\hsf_v124.sys
2010-12-02 12:33 . 2001-08-17 01:12 24618 -c--a-w- c:\windows\system32\dllcache\fa410nd5.sys
2010-12-02 12:32 . 2008-04-13 18:40 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2010-12-02 12:31 . 2001-08-17 02:52 22400 -c--a-w- c:\windows\system32\dllcache\asc3350p.sys
2010-12-01 07:08 . 2010-12-03 08:04 -------- d-----w- c:\program files\win
2010-11-30 06:01 . 2010-11-30 06:01 -------- d-----w- c:\program files\Trend Micro
2010-11-29 16:04 . 2010-11-29 16:04 -------- d-----w- c:\windows\system32\MpEngineStore
2010-11-29 11:22 . 2010-09-10 05:58 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-11-28 03:14 . 2010-12-15 09:10 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-11-26 13:53 . 2010-11-26 13:53 -------- d-----w- c:\documents and settings\Gary\Application Data\GetRightToGo
2010-11-26 10:22 . 2010-11-26 11:09 -------- d-----w- c:\documents and settings\Gary\Application Data\Acfay
2010-11-26 10:22 . 2010-11-26 10:38 -------- d-----w- c:\documents and settings\Gary\Application Data\Feul
2010-11-26 10:11 . 2010-11-26 10:11 -------- d-----w- c:\documents and settings\Gary\WINDOWS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-29 08:46 . 2002-08-29 01:27 23040 ----a-w- c:\windows\system32\drivers\mouclass.sys
2010-11-29 06:42 . 2009-06-18 13:18 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-29 06:42 . 2009-06-18 13:18 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-18 06:53 . 2003-03-31 12:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2003-03-31 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2003-03-31 12:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-18 01:23 . 2003-03-31 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
.

((((((((((((((((((((((((((((( SnapShot_2010-12-04_01.21.37 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-12-15 08:18 . 2010-11-16 06:45 99328 c:\windows\system32\ZoneLabs\zlquarantine.dll
+ 2010-12-15 08:18 . 2010-11-16 06:46 70656 c:\windows\system32\ZoneLabs\zatray.exe
+ 2010-12-15 08:18 . 2010-11-16 06:46 21504 c:\windows\system32\ZoneLabs\lib\zsys.zip.dll
+ 2010-12-15 08:18 . 2010-11-16 06:46 14336 c:\windows\system32\ZoneLabs\lib\zmenu.zip.dll
+ 2010-12-15 08:18 . 2010-11-16 06:46 48640 c:\windows\system32\ZoneLabs\lib\zfde.zip.dll
+ 2010-12-15 08:18 . 2010-11-16 06:46 85504 c:\windows\system32\ZoneLabs\lib\ZAlert.zip.dll
+ 2010-12-15 08:18 . 2010-11-16 06:46 37376 c:\windows\system32\ZoneLabs\lib\UpdateUI.zip.dll
+ 2010-12-15 08:18 . 2010-11-16 06:46 12800 c:\windows\system32\ZoneLabs\lib\oem_1488.zip.dll
+ 2010-12-15 08:18 . 2010-11-16 06:46 12800 c:\windows\system32\ZoneLabs\lib\oem_1487.zip.dll
+ 2010-12-15 08:18 . 2010-11-16 06:46 12800 c:\windows\system32\ZoneLabs\lib\oem_1486.zip.dll
+ 2010-12-15 08:18 . 2010-11-16 06:46 20992 c:\windows\system32\ZoneLabs\lib\oem_1466.zip.dll
+ 2010-12-15 08:18 . 2010-11-16 06:46 12800 c:\windows\system32\ZoneLabs\lib\oem_1460.zip.dll
+ 2010-12-15 08:18 . 2010-11-16 06:46 10240 c:\windows\system32\ZoneLabs\lib\oem_1454.zip.dll
+ 2010-12-15 08:18 . 2010-11-16 06:46 11264 c:\windows\system32\ZoneLabs\lib\oem_1445.zip.dll
+ 2010-12-15 08:18 . 2010-11-16 06:46 14336 c:\windows\system32\ZoneLabs\lib\oem_1440.zip.dll
+ 2010-12-15 08:18 . 2010-11-16 06:46 12288 c:\windows\system32\ZoneLabs\lib\oem_1413.zip.dll
+ 2010-12-15 08:18 . 2010-11-16 06:46 11264 c:\windows\system32\ZoneLabs\lib\oem_1010.zip.dll
+ 2010-12-15 08:18 . 2010-11-16 06:46 29184 c:\windows\system32\ZoneLabs\lib\NavBar.zip.dll
+ 2010-12-15 08:18 . 2010-11-16 06:46 13312 c:\windows\system32\ZoneLabs\lib\MainLoop.zip.dll
+ 2010-12-15 08:18 . 2010-11-16 06:46 35840 c:\windows\system32\ZoneLabs\lib\Alert.zip.dll
+ 2010-12-15 08:18 . 2010-11-16 06:45 38912 c:\windows\system32\ZoneLabs\featuremap.dll
+ 2010-12-15 08:18 . 2010-11-16 06:45 75776 c:\windows\system32\ZoneLabs\camupd.dll
+ 2010-12-15 08:18 . 2010-11-16 06:45 69120 c:\windows\system32\zlcomm.dll
+ 2010-12-15 08:18 . 2010-11-16 06:45 43008 c:\windows\system32\vswmi.dll
+ 2010-12-15 08:18 . 2010-11-16 06:45 58368 c:\windows\system32\vsregexp.dll
+ 2009-03-27 15:38 . 2003-03-31 12:00 31232 c:\windows\system32\dllcache\weitekp9.sys
- 2009-03-27 15:38 . 2001-08-23 12:00 31232 c:\windows\system32\dllcache\weitekp9.sys
- 2009-03-27 15:38 . 2001-08-23 12:00 41600 c:\windows\system32\dllcache\weitekp9.dll
+ 2009-03-27 15:38 . 2003-03-31 12:00 41600 c:\windows\system32\dllcache\weitekp9.dll
+ 2009-03-27 15:38 . 2003-03-31 12:00 73728 c:\windows\system32\dllcache\w3ext.dll
- 2009-03-27 15:38 . 2001-08-23 12:00 73728 c:\windows\system32\dllcache\w3ext.dll
+ 2009-03-27 15:38 . 2003-03-31 12:00 48256 c:\windows\system32\dllcache\w32.dll
- 2009-03-27 15:38 . 2001-08-23 12:00 48256 c:\windows\system32\dllcache\w32.dll
+ 2009-03-27 15:38 . 2003-03-31 12:00 14336 c:\windows\system32\dllcache\tsprof.exe
- 2009-03-27 15:38 . 2001-08-23 12:00 14336 c:\windows\system32\dllcache\tsprof.exe
+ 2009-03-27 15:38 . 2003-03-31 12:00 19464 c:\windows\system32\dllcache\tdspx.sys
- 2009-03-27 15:38 . 2001-08-23 12:00 19464 c:\windows\system32\dllcache\tdspx.sys
- 2009-03-27 15:38 . 2001-08-23 12:00 21896 c:\windows\system32\dllcache\tdipx.sys
+ 2009-03-27 15:38 . 2003-03-31 12:00 21896 c:\windows\system32\dllcache\tdipx.sys
- 2009-03-27 15:38 . 2001-08-23 12:00 13192 c:\windows\system32\dllcache\tdasync.sys
+ 2009-03-27 15:38 . 2003-03-31 12:00 13192 c:\windows\system32\dllcache\tdasync.sys
- 2009-03-27 15:38 . 2001-08-23 12:00 16896 c:\windows\system32\dllcache\status.dll
+ 2009-03-27 15:38 . 2003-03-31 12:00 16896 c:\windows\system32\dllcache\status.dll
+ 2009-03-27 15:38 . 2003-03-31 12:00 10240 c:\windows\system32\dllcache\snmpstup.dll
- 2009-03-27 15:38 . 2001-08-23 12:00 10240 c:\windows\system32\dllcache\snmpstup.dll
- 2009-03-27 15:38 . 2001-08-23 12:00 15872 c:\windows\system32\dllcache\smierrsm.dll
+ 2009-03-27 15:38 . 2003-03-31 12:00 15872 c:\windows\system32\dllcache\smierrsm.dll
+ 2009-03-27 15:38 . 2003-03-31 12:00 31744 c:\windows\system32\dllcache\smb6w.dll
- 2009-03-27 15:38 . 2001-08-23 12:00 31744 c:\windows\system32\dllcache\smb6w.dll
+ 2009-03-27 15:38 . 2003-03-31 12:00 31744 c:\windows\system32\dllcache\sma3w.dll
- 2009-03-27 15:38 . 2001-08-23 12:00 31744 c:\windows\system32\dllcache\sma3w.dll
+ 2009-03-27 15:38 . 2003-03-31 12:00 38912 c:\windows\system32\dllcache\sm9aw.dll
- 2009-03-27 15:38 . 2001-08-23 12:00 38912 c:\windows\system32\dllcache\sm9aw.dll
- 2009-03-27 15:38 . 2001-08-23 12:00 26624 c:\windows\system32\dllcache\sm93w.dll
+ 2009-03-27 15:38 . 2003-03-31 12:00 26624 c:\windows\system32\dllcache\sm93w.dll
+ 2009-03-27 15:38 . 2003-03-31 12:00 26624 c:\windows\system32\dllcache\sm92w.dll
- 2009-03-27 15:38 . 2001-08-23 12:00 26624 c:\windows\system32\dllcache\sm92w.dll
- 2009-03-27 15:38 . 2001-08-23 12:00 26112 c:\windows\system32\dllcache\sm90w.dll
+ 2009-03-27 15:38 . 2003-03-31 12:00 26112 c:\windows\system32\dllcache\sm90w.dll
+ 2009-03-27 15:38 . 2003-03-31 12:00 26112 c:\windows\system32\dllcache\sm8dw.dll
- 2009-03-27 15:38 . 2001-08-23 12:00 26112 c:\windows\system32\dllcache\sm8dw.dll
+ 2009-03-27 15:38 . 2003-03-31 12:00 29184 c:\windows\system32\dllcache\sm8cw.dll
- 2009-03-27 15:38 . 2001-08-23 12:00 29184 c:\windows\system32\dllcache\sm8cw.dll
+ 2009-03-27 15:38 . 2003-03-31 12:00 26112 c:\windows\system32\dllcache\sm8aw.dll
- 2009-03-27 15:38 . 2001-08-23 12:00 26112 c:\windows\system32\dllcache\sm8aw.dll
- 2009-03-27 15:38 . 2001-08-23 12:00 26112 c:\windows\system32\dllcache\sm89w.dll
+ 2009-03-27 15:38 . 2003-03-31 12:00 26112 c:\windows\system32\dllcache\sm89w.dll
+ 2009-03-27 15:38 . 2003-03-31 12:00 30208 c:\windows\system32\dllcache\sm87w.dll
- 2009-03-27 15:38 . 2001-08-23 12:00 30208 c:\windows\system32\dllcache\sm87w.dll
+ 2009-03-27 15:38 . 2003-03-31 12:00 30208 c:\windows\system32\dllcache\sm81w.dll
- 2009-03-27 15:38 . 2001-08-23 12:00 30208 c:\windows\system32\dllcache\sm81w.dll
+ 2009-03-27 15:38 . 2003-03-31 12:00 25088 c:\windows\system32\dllcache\sm59w.dll
- 2009-03-27 15:38 . 2001-08-23 12:00 25088 c:\windows\system32\dllcache\sm59w.dll
+ 2009-03-27 15:38 . 2003-03-31 12:00 18944 c:\windows\system32\dllcache\simptcp.dll
- 2009-03-27 15:38 . 2001-08-23 12:00 18944 c:\windows\system32\dllcache\simptcp.dll
- 2009-03-27 15:38 . 2001-08-23 12:00 79872 c:\windows\system32\dllcache\rwia330.dll
+ 2009-03-27 15:38 . 2003-03-31 12:00 79872 c:\windows\system32\dllcache\rwia330.dll
+ 2009-03-27 15:38 . 2003-03-31 12:00 79872 c:\windows\system32\dllcache\rwia001.dll
- 2009-03-27 15:38 . 2001-08-23 12:00 79872 c:\windows\system32\dllcache\rwia001.dll
- 2009-03-27 15:38 . 2001-08-23 12:00 14848 c:\windows\system32\dllcache\register.exe
+ 2009-03-27 15:38 . 2003-03-31 12:00 14848 c:\windows\system32\dllcache\register.exe
- 2009-03-27 15:38 . 2001-08-23 12:00 16384 c:\windows\system32\dllcache\quser.exe
+ 2009-03-27 15:38 . 2003-03-31 12:00 16384 c:\windows\system32\dllcache\quser.exe
+ 2009-03-27 15:38 . 2003-03-31 12:00 11264 c:\windows\system32\dllcache\pmxmcro.dll
- 2009-03-27 15:38 . 2001-08-23 12:00 11264 c:\windows\system32\dllcache\pmxmcro.dll
- 2009-03-27 15:38 . 2001-08-23 12:00 20992 c:\windows\system32\dllcache\permchk.dll
+ 2009-03-27 15:38 . 2003-03-31 12:00 20992 c:\windows\system32\dllcache\permchk.dll
+ 2009-03-27 15:38 . 2003-03-31 12:00 31744 c:\windows\system32\dllcache\pagecnt.dll
- 2009-03-27 15:38 . 2001-08-23 12:00 31744 c:\windows\system32\dllcache\pagecnt.dll
+ 2009-03-27 15:38 . 2003-03-31 12:00 14336 c:\windows\system32\dllcache\padrs412.dll
- 2009-03-27 15:38 . 2001-08-23 12:00 14336 c:\windows\system32\dllcache\padrs412.dll
- 2009-03-27 15:38 . 2001-08-23 12:00 36927 c:\windows\system32\dllcache\padrs411.dll
+ 2009-03-27 15:38 . 2003-03-31 12:00 36927 c:\windows\system32\dllcache\padrs411.dll
+ 2009-03-27 15:38 . 2003-03-31 12:00 53248 c:\windows\system32\dllcache\nextlink.dll
- 2009-03-27 15:38 . 2001-08-23 12:00 53248 c:\windows\system32\dllcache\nextlink.dll
- 2009-03-27 15:38 . 2001-08-23 12:00 98304 c:\windows\system32\dllcache\msir3jp.dll
+ 2009-03-27 15:38 . 2003-03-31 12:00 98304 c:\windows\system32\dllcache\msir3jp.dll
+ 2003-03-31 12:00 . 2003-03-31 12:00 34304 c:\windows\system32\dllcache\migisol.exe
- 2003-03-31 12:00 . 2001-08-23 12:00 34304 c:\windows\system32\dllcache\migisol.exe
- 2009-03-27 15:38 . 2001-08-23 12:00 92416 c:\windows\system32\dllcache\mga.sys
+ 2009-03-27 15:38 . 2003-03-31 12:00 92416 c:\windows\system32\dllcache\mga.sys
+ 2009-03-27 15:38 . 2003-03-31 12:00 92032 c:\windows\system32\dllcache\mga.dll
- 2009-03-27 15:38 . 2001-08-23 12:00 92032 c:\windows\system32\dllcache\mga.dll
- 2009-03-27 15:38 . 2001-08-23 12:00 26624 c:\windows\system32\dllcache\mdsync.dll
+ 2009-03-27 15:38 . 2003-03-31 12:00 26624 c:\windows\system32\dllcache\mdsync.dll
- 2009-03-27 15:38 . 2001-08-23 12:00 22016 c:\windows\system32\dllcache\logscrpt.dll
+ 2009-03-27 15:38 . 2003-03-31 12:00 22016 c:\windows\system32\dllcache\logscrpt.dll
- 2009-03-27 15:38 . 2001-08-23 12:00 70656 c:\windows\system32\dllcache\korwbrkr.dll
+ 2009-03-27 15:38 . 2003-03-31 12:00 70656 c:\windows\system32\dllcache\korwbrkr.dll
+ 2009-03-27 15:38 . 2003-03-31 12:00 18432 c:\windows\system32\dllcache\jupiw.dll
- 2009-03-27 15:38 . 2001-08-23 12:00 18432 c:\windows\system32\dllcache\jupiw.dll
- 2009-03-27 15:37 . 2001-08-23 12:00 19968 c:\windows\system32\dllcache\inetsloc.dll
+ 2009-03-27 15:37 . 2003-03-31 12:00 19968 c:\windows\system32\dllcache\inetsloc.dll
- 2009-03-27 15:37 . 2001-08-23 12:00 59904 c:\windows\system32\dllcache\imkrinst.exe
+ 2009-03-27 15:37 . 2003-03-31 12:00 59904 c:\windows\system32\dllcache\imkrinst.exe
- 2009-03-27 15:37 . 2001-08-23 12:00 45109 c:\windows\system32\dllcache\imjpuex.exe
+ 2009-03-27 15:37 . 2003-03-31 12:00 45109 c:\windows\system32\dllcache\imjpuex.exe
- 2009-03-27 15:37 . 2001-08-23 12:00 57398 c:\windows\system32\dllcache\imjpdadm.exe
+ 2009-03-27 15:37 . 2003-03-31 12:00 57398 c:\windows\system32\dllcache\imjpdadm.exe
- 2009-03-27 15:37 . 2001-08-23 12:00 44032 c:\windows\system32\dllcache\imekrmig.exe
+ 2009-03-27 15:37 . 2003-03-31 12:00 44032 c:\windows\system32\dllcache\imekrmig.exe
- 2009-03-27 15:37 . 2001-08-23 12:00 14336 c:\windows\system32\dllcache\iisreset.exe
+ 2009-03-27 15:37 . 2003-03-31 12:00 14336 c:\windows\system32\dllcache\iisreset.exe
- 2009-03-27 15:37 . 2001-08-23 12:00 19456 c:\windows\system32\dllcache\iiscrmap.dll
+ 2009-03-27 15:37 . 2003-03-31 12:00 19456 c:\windows\system32\dllcache\iiscrmap.dll
- 2009-03-27 15:37 . 2001-08-23 12:00 60928 c:\windows\system32\dllcache\iisclex4.dll
+ 2009-03-27 15:37 . 2003-03-31 12:00 60928 c:\windows\system32\dllcache\iisclex4.dll
+ 2009-03-27 15:35 . 2008-04-14 00:12 93184 c:\windows\system32\dllcache\iexplore.exe
- 2009-03-27 15:37 . 2001-08-23 12:00 36864 c:\windows\system32\dllcache\hanjadic.dll
+ 2009-03-27 15:37 . 2003-03-31 12:00 36864 c:\windows\system32\dllcache\hanjadic.dll
+ 2009-03-27 15:37 . 2003-03-31 12:00 11264 c:\windows\system32\dllcache\fxssend.exe
- 2009-03-27 15:37 . 2001-08-23 12:00 11264 c:\windows\system32\dllcache\fxssend.exe
+ 2009-03-27 15:37 . 2003-03-31 12:00 31744 c:\windows\system32\dllcache\fxsroute.dll
- 2009-03-27 15:37 . 2001-08-23 12:00 31744 c:\windows\system32\dllcache\fxsroute.dll
- 2009-03-27 15:37 . 2001-08-23 12:00 14848 c:\windows\system32\dllcache\flattemp.exe
+ 2009-03-27 15:37 . 2003-03-31 12:00 14848 c:\windows\system32\dllcache\flattemp.exe
- 2009-03-27 15:37 . 2001-08-23 12:00 25856 c:\windows\system32\dllcache\et4000.sys
+ 2009-03-27 15:37 . 2003-03-31 12:00 25856 c:\windows\system32\dllcache\et4000.sys
+ 2009-03-27 15:37 . 2003-03-31 12:00 45056 c:\windows\system32\dllcache\esunid.dll
- 2009-03-27 15:37 . 2001-08-23 12:00 45056 c:\windows\system32\dllcache\esunid.dll
+ 2009-03-27 15:37 . 2003-03-31 12:00 57856 c:\windows\system32\dllcache\esuimgd.dll
- 2009-03-27 15:37 . 2001-08-23 12:00 57856 c:\windows\system32\dllcache\esuimgd.dll
+ 2009-03-27 15:37 . 2003-03-31 12:00 31744 c:\windows\system32\dllcache\esucmd.dll
- 2009-03-27 15:37 . 2001-08-23 12:00 31744 c:\windows\system32\dllcache\esucmd.dll
+ 2009-03-27 15:37 . 2003-03-31 12:00 18944 c:\windows\system32\dllcache\cprofile.exe
- 2009-03-27 15:37 . 2001-08-23 12:00 18944 c:\windows\system32\dllcache\cprofile.exe
+ 2009-03-27 15:37 . 2003-03-31 12:00 20480 c:\windows\system32\dllcache\counters.dll
- 2009-03-27 15:37 . 2001-08-23 12:00 20480 c:\windows\system32\dllcache\counters.dll
+ 2009-03-27 15:37 . 2003-03-31 12:00 56320 c:\windows\system32\dllcache\convlog.exe
- 2009-03-27 15:37 . 2001-08-23 12:00 56320 c:\windows\system32\dllcache\convlog.exe
+ 2009-03-27 15:37 . 2003-03-31 12:00 33792 c:\windows\system32\dllcache\controt.dll
- 2009-03-27 15:37 . 2001-08-23 12:00 33792 c:\windows\system32\dllcache\controt.dll
+ 2009-03-27 15:37 . 2003-03-31 12:00 14336 c:\windows\system32\dllcache\chgusr.exe
- 2009-03-27 15:37 . 2001-08-23 12:00 14336 c:\windows\system32\dllcache\chgusr.exe
- 2009-03-27 15:37 . 2001-08-23 12:00 15872 c:\windows\system32\dllcache\chgport.exe
+ 2009-03-27 15:37 . 2003-03-31 12:00 15872 c:\windows\system32\dllcache\chgport.exe
- 2009-03-27 15:37 . 2001-08-23 12:00 13312 c:\windows\system32\dllcache\chglogon.exe
+ 2009-03-27 15:37 . 2003-03-31 12:00 13312 c:\windows\system32\dllcache\chglogon.exe
+ 2009-03-27 15:37 . 2003-03-31 12:00 54528 c:\windows\system32\dllcache\cap7146.sys
- 2009-03-27 15:37 . 2001-08-23 12:00 54528 c:\windows\system32\dllcache\cap7146.sys
- 2009-03-27 15:37 . 2001-08-23 12:00 10752 c:\windows\system32\dllcache\c_iscii.dll
+ 2009-03-27 15:37 . 2003-03-31 12:00 10752 c:\windows\system32\dllcache\c_iscii.dll
+ 2009-03-27 15:37 . 2003-03-31 12:00 45568 c:\windows\system32\dllcache\browscap.dll
- 2009-03-27 15:37 . 2001-08-23 12:00 45568 c:\windows\system32\dllcache\browscap.dll
+ 2009-03-27 15:37 . 2003-03-31 12:00 29184 c:\windows\system32\dllcache\asptxn.dll
- 2009-03-27 15:37 . 2001-08-23 12:00 29184 c:\windows\system32\dllcache\asptxn.dll
- 2009-03-27 15:37 . 2001-08-23 12:00 10240 c:\windows\system32\dllcache\aspperf.dll
+ 2009-03-27 15:37 . 2003-03-31 12:00 10240 c:\windows\system32\dllcache\aspperf.dll
+ 2009-03-27 15:37 . 2003-03-31 12:00 49664 c:\windows\system32\dllcache\adrot.dll
- 2009-03-27 15:37 . 2001-08-23 12:00 49664 c:\windows\system32\dllcache\adrot.dll
+ 2010-12-15 08:18 . 2010-12-15 08:18 62464 c:\windows\Installer\1cfc94.msi
+ 2010-11-29 16:02 . 2009-04-30 21:22 12800 c:\windows\ie8updates\KB2360131-IE8\xpshims.dll
+ 2010-12-15 08:18 . 2010-12-15 08:18 4212 c:\windows\system32\zllictbl.dat
+ 2009-03-27 15:37 . 2003-03-31 12:00 7168 c:\windows\system32\dllcache\wamregps.dll
- 2009-03-27 15:37 . 2001-08-23 12:00 7168 c:\windows\system32\dllcache\wamregps.dll
+ 2009-03-27 15:38 . 2003-03-31 12:00 9216 c:\windows\system32\dllcache\wamps51.dll
- 2009-03-27 15:38 . 2001-08-23 12:00 9216 c:\windows\system32\dllcache\wamps51.dll
+ 2009-03-27 15:38 . 2003-03-31 12:00 5632 c:\windows\system32\dllcache\w3svapi.dll
- 2009-03-27 15:38 . 2001-08-23 12:00 5632 c:\windows\system32\dllcache\w3svapi.dll
+ 2009-03-27 15:38 . 2003-03-31 12:00 4608 c:\windows\system32\dllcache\w3ctrs51.dll
- 2009-03-27 15:38 . 2001-08-23 12:00 4608 c:\windows\system32\dllcache\w3ctrs51.dll
+ 2009-03-27 15:38 . 2003-03-31 12:00 5632 c:\windows\system32\dllcache\smimsgif.dll
- 2009-03-27 15:38 . 2001-08-23 12:00 5632 c:\windows\system32\dllcache\smimsgif.dll
+ 2009-03-27 15:38 . 2003-03-31 12:00 5632 c:\windows\system32\dllcache\smierrsy.dll
- 2009-03-27 15:38 . 2001-08-23 12:00 5632 c:\windows\system32\dllcache\smierrsy.dll
- 2009-03-27 15:38 . 2001-08-23 12:00 9728 c:\windows\system32\dllcache\query.exe
+ 2009-03-27 15:38 . 2003-03-31 12:00 9728 c:\windows\system32\dllcache\query.exe
+ 2009-03-27 15:38 . 2003-03-31 12:00 6144 c:\windows\system32\dllcache\pmxgl.dll
- 2009-03-27 15:38 . 2001-08-23 12:00 6144 c:\windows\system32\dllcache\pmxgl.dll
+ 2009-03-27 15:38 . 2003-03-31 12:00 5632 c:\windows\system32\dllcache\kbdvntc.dll
- 2009-03-27 15:38 . 2001-08-23 12:00 5632 c:\windows\system32\dllcache\kbdvntc.dll
+ 2009-03-27 15:38 . 2003-03-31 12:00 5632 c:\windows\system32\dllcache\kbdusa.dll
- 2009-03-27 15:38 . 2001-08-23 12:00 5632 c:\windows\system32\dllcache\kbdusa.dll
+ 2009-03-27 15:38 . 2003-03-31 12:00 5632 c:\windows\system32\dllcache\kbdurdu.dll
- 2009-03-27 15:38 . 2001-08-23 12:00 5632 c:\windows\system32\dllcache\kbdurdu.dll
+ 2009-03-27 15:38 . 2003-03-31 12:00 6144 c:\windows\system32\dllcache\kbdth3.dll
- 2009-03-27 15:38 . 2001-08-23 12:00 6144 c:\windows\system32\dllcache\kbdth3.dll
+ 2009-03-27 15:38 . 2003-03-31 12:00 6144 c:\windows\system32\dllcache\kbdth2.dll
- 2009-03-27 15:38 . 2001-08-23 12:00 6144 c:\windows\system32\dllcache\kbdth2.dll
- 2009-03-27 15:38 . 2001-08-23 12:00 5632 c:\windows\system32\dllcache\kbdth1.dll
+ 2009-03-27 15:38 . 2003-03-31 12:00 5632 c:\windows\system32\dllcache\kbdth1.dll
+ 2009-03-27 15:38 . 2003-03-31 12:00 5632 c:\windows\system32\dllcache\kbdth0.dll
- 2009-03-27 15:38 . 2001-08-23 12:00 5632 c:\windows\system32\dllcache\kbdth0.dll
- 2009-03-27 15:38 . 2001-08-23 12:00 5632 c:\windows\system32\dllcache\kbdsyr2.dll
+ 2009-03-27 15:38 . 2003-03-31 12:00 5632 c:\windows\system32\dllcache\kbdsyr2.dll
- 2009-03-27 15:38 . 2001-08-23 12:00 5632 c:\windows\system32\dllcache\kbdsyr1.dll
+ 2009-03-27 15:38 . 2003-03-31 12:00 5632 c:\windows\system32\dllcache\kbdsyr1.dll
+ 2009-03-27 15:38 . 2003-03-31 12:00 7680 c:\windows\system32\dllcache\kbdnecnt.dll
- 2009-03-27 15:38 . 2001-08-23 12:00 7680 c:\windows\system32\dllcache\kbdnecnt.dll
- 2009-03-27 15:38 . 2001-08-23 12:00 9216 c:\windows\system32\dllcache\kbdnecat.dll
+ 2009-03-27 15:38 . 2003-03-31 12:00 9216 c:\windows\system32\dllcache\kbdnecat.dll
- 2009-03-27 15:38 . 2001-08-23 12:00 7168 c:\windows\system32\dllcache\kbdnec95.dll
+ 2009-03-27 15:38 . 2003-03-31 12:00 7168 c:\windows\system32\dllcache\kbdnec95.dll
+ 2009-03-27 15:38 . 2003-03-31 12:00 5632 c:\windows\system32\dllcache\kbdintel.dll
- 2009-03-27 15:38 . 2001-08-23 12:00 5632 c:\windows\system32\dllcache\kbdintel.dll
- 2009-03-27 15:38 . 2001-08-23 12:00 5632 c:\windows\system32\dllcache\kbdintam.dll
+ 2009-03-27 15:38 . 2003-03-31 12:00 5632 c:\windows\system32\dllcache\kbdintam.dll
- 2009-03-27 15:38 . 2001-08-23 12:00 6144 c:\windows\system32\dllcache\kbdinpun.dll
+ 2009-03-27 15:38 . 2003-03-31 12:00 6144 c:\windows\system32\dllcache\kbdinpun.dll
+ 2009-03-27 15:38 . 2003-03-31 12:00 5632 c:\windows\system32\dllcache\kbdinmar.dll
- 2009-03-27 15:38 . 2001-08-23 12:00 5632 c:\windows\system32\dllcache\kbdinmar.dll
- 2009-03-27 15:38 . 2001-08-23 12:00 5632 c:\windows\system32\dllcache\kbdinkan.dll
+ 2009-03-27 15:38 . 2003-03-31 12:00 5632 c:\windows\system32\dllcache\kbdinkan.dll
+ 2009-03-27 15:38 . 2003-03-31 12:00 5632 c:\windows\system32\dllcache\kbdinhin.dll
- 2009-03-27 15:38 . 2001-08-23 12:00 5632 c:\windows\system32\dllcache\kbdinhin.dll
+ 2009-03-27 15:38 . 2003-03-31 12:00 5632 c:\windows\system32\dllcache\kbdinguj.dll
- 2009-03-27 15:38 . 2001-08-23 12:00 5632 c:\windows\system32\dllcache\kbdinguj.dll
+ 2009-03-27 15:38 . 2003-03-31 12:00 5632 c:\windows\system32\dllcache\kbdindev.dll
- 2009-03-27 15:38 . 2001-08-23 12:00 5632 c:\windows\system32\dllcache\kbdindev.dll
+ 2009-03-27 15:38 . 2003-03-31 12:00 5632 c:\windows\system32\dllcache\kbdheb.dll
- 2009-03-27 15:38 . 2001-08-23 12:00 5632 c:\windows\system32\dllcache\kbdheb.dll
- 2009-03-27 15:38 . 2001-08-23 12:00 5120 c:\windows\system32\dllcache\kbdgeo.dll
+ 2009-03-27 15:38 . 2003-03-31 12:00 5120 c:\windows\system32\dllcache\kbdgeo.dll
+ 2009-03-27 15:38 . 2003-03-31 12:00 5632 c:\windows\system32\dllcache\kbdfa.dll
- 2009-03-27 15:38 . 2001-08-23 12:00 5632 c:\windows\system32\dllcache\kbdfa.dll
+ 2009-03-27 15:38 . 2003-03-31 12:00 5632 c:\windows\system32\dllcache\kbddiv2.dll
- 2009-03-27 15:38 . 2001-08-23 12:00 5632 c:\windows\system32\dllcache\kbddiv2.dll
- 2009-03-27 15:38 . 2001-08-23 12:00 5632 c:\windows\system32\dllcache\kbddiv1.dll
+ 2009-03-27 15:38 . 2003-03-31 12:00 5632 c:\windows\system32\dllcache\kbddiv1.dll
- 2009-03-27 15:38 . 2001-08-23 12:00 5120 c:\windows\system32\dllcache\kbdarmw.dll
+ 2009-03-27 15:38 . 2003-03-31 12:00 5120 c:\windows\system32\dllcache\kbdarmw.dll
- 2009-03-27 15:38 . 2001-08-23 12:00 5120 c:\windows\system32\dllcache\kbdarme.dll
+ 2009-03-27 15:38 . 2003-03-31 12:00 5120 c:\windows\system32\dllcache\kbdarme.dll
+ 2009-03-27 15:38 . 2003-03-31 12:00 5632 c:\windows\system32\dllcache\kbda3.dll
- 2009-03-27 15:38 . 2001-08-23 12:00 5632 c:\windows\system32\dllcache\kbda3.dll
+ 2009-03-27 15:38 . 2003-03-31 12:00 5632 c:\windows\system32\dllcache\kbda2.dll
- 2009-03-27 15:38 . 2001-08-23 12:00 5632 c:\windows\system32\dllcache\kbda2.dll
+ 2009-03-27 15:38 . 2003-03-31 12:00 5632 c:\windows\system32\dllcache\kbda1.dll
- 2009-03-27 15:38 . 2001-08-23 12:00 5632 c:\windows\system32\dllcache\kbda1.dll
+ 2009-03-27 15:38 . 2003-03-31 12:00 6144 c:\windows\system32\dllcache\kbd101a.dll
- 2009-03-27 15:38 . 2001-08-23 12:00 6144 c:\windows\system32\dllcache\kbd101a.dll
+ 2009-03-27 15:37 . 2003-03-31 12:00 9216 c:\windows\system32\dllcache\iwrps.dll
- 2009-03-27 15:37 . 2001-08-23 12:00 9216 c:\windows\system32\dllcache\iwrps.dll
+ 2009-03-27 15:37 . 2003-03-31 12:00 7168 c:\windows\system32\dllcache\isapips.dll
- 2009-03-27 15:37 . 2001-08-23 12:00 7168 c:\windows\system32\dllcache\isapips.dll
+ 2009-03-27 15:37 . 2003-03-31 12:00 8704 c:\windows\system32\dllcache\infoctrs.dll
- 2009-03-27 15:37 . 2001-08-23 12:00 8704 c:\windows\system32\dllcache\infoctrs.dll
- 2009-03-27 15:37 . 2001-08-23 12:00 7680 c:\windows\system32\dllcache\inetmgr.exe
+ 2009-03-27 15:37 . 2003-03-31 12:00 7680 c:\windows\system32\dllcache\inetmgr.exe
- 2009-03-27 15:37 . 2001-08-23 12:00 6656 c:\windows\system32\dllcache\iissync.exe
+ 2009-03-27 15:37 . 2003-03-31 12:00 6656 c:\windows\system32\dllcache\iissync.exe
- 2009-03-27 15:37 . 2001-08-23 12:00 5632 c:\windows\system32\dllcache\iisrstap.dll
+ 2009-03-27 15:37 . 2003-03-31 12:00 5632 c:\windows\system32\dllcache\iisrstap.dll
- 2009-03-27 15:37 . 2001-08-23 12:00 3584 c:\windows\system32\dllcache\iismui.dll
+ 2009-03-27 15:37 . 2003-03-31 12:00 3584 c:\windows\system32\dllcache\iismui.dll
+ 2009-03-27 15:37 . 2003-03-31 12:00 6144 c:\windows\system32\dllcache\ftpsapi2.dll
- 2009-03-27 15:37 . 2001-08-23 12:00 6144 c:\windows\system32\dllcache\ftpsapi2.dll
+ 2009-03-27 15:37 . 2003-03-31 12:00 7680 c:\windows\system32\dllcache\ftpctrs2.dll
- 2009-03-27 15:37 . 2001-08-23 12:00 7680 c:\windows\system32\dllcache\ftpctrs2.dll
- 2009-03-27 15:37 . 2001-08-23 12:00 6144 c:\windows\system32\dllcache\ftlx041e.dll
+ 2009-03-27 15:37 . 2003-03-31 12:00 6144 c:\windows\system32\dllcache\ftlx041e.dll
- 2009-03-27 15:37 . 2001-08-23 12:00 9728 c:\windows\system32\dllcache\change.exe
+ 2009-03-27 15:37 . 2003-03-31 12:00 9728 c:\windows\system32\dllcache\change.exe
- 2009-03-27 15:37 . 2001-08-23 12:00 6656 c:\windows\system32\dllcache\c_is2022.dll
+ 2009-03-27 15:37 . 2003-03-31 12:00 6656 c:\windows\system32\dllcache\c_is2022.dll
- 2009-03-27 15:37 . 2001-08-23 12:00 9216 c:\windows\system32\dllcache\authfilt.dll
+ 2009-03-27 15:37 . 2003-03-31 12:00 9216 c:\windows\system32\dllcache\authfilt.dll
- 2009-03-27 15:37 . 2001-08-23 12:00 6144 c:\windows\system32\dllcache\admxprox.dll
+ 2009-03-27 15:37 . 2003-03-31 12:00 6144 c:\windows\system32\dllcache\admxprox.dll
+ 2008-07-28 21:05 . 2008-07-28 21:05 655872 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcr90.dll
+ 2008-07-28 21:05 . 2008-07-28 21:05 572928 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcp90.dll
+ 2008-07-28 16:54 . 2008-07-28 16:54 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcm90.dll
+ 2008-07-28 18:23 . 2008-07-28 18:23 626688 c:\windows\WinSxS\amd64_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_a17e7c1e\msvcr90.dll
+ 2008-07-28 18:23 . 2008-07-28 18:23 856576 c:\windows\WinSxS\amd64_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_a17e7c1e\msvcp90.dll
+ 2008-07-28 16:51 . 2008-07-28 16:51 245760 c:\windows\WinSxS\amd64_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_a17e7c1e\msvcm90.dll
+ 2010-12-15 08:18 . 2010-11-16 06:45 141824 c:\windows\system32\ZoneLabs\zlupdate.dll
+ 2010-12-15 08:18 . 2010-11-16 06:45 173056 c:\windows\system32\ZoneLabs\vsvault.dll
+ 2010-12-15 08:18 . 2010-11-16 06:45 211456 c:\windows\system32\ZoneLabs\vsdb.dll
+ 2010-12-15 08:18 . 2007-10-11 05:51 832984 c:\windows\system32\ZoneLabs\updating.dll
+ 2010-12-15 08:18 . 2010-11-16 06:45 434688 c:\windows\system32\ZoneLabs\ssleay32.dll
+ 2010-12-15 08:18 . 2010-11-16 06:45 135680 c:\windows\system32\ZoneLabs\scheduler.dll
+ 2010-12-15 08:18 . 2009-07-13 12:58 722392 c:\windows\system32\ZoneLabs\qrbase.dll
+ 2010-12-15 08:18 . 2010-11-16 06:46 126976 c:\windows\system32\ZoneLabs\lib\zui.zip.dll
+ 2010-12-15 08:18 . 2010-11-16 06:46 280064 c:\windows\system32\ZoneLabs\lib\TrayTest.zip.dll
+ 2010-12-15 08:18 . 2010-11-16 06:46 225792 c:\windows\system32\ZoneLabs\lib\Overview.zip.dll
+ 2010-12-15 08:18 . 2010-11-16 06:46 368640 c:\windows\system32\ZoneLabs\lib\LicenseUI.zip.dll
+ 2010-12-15 08:18 . 2010-11-16 06:46 184832 c:\windows\system32\ZoneLabs\lib\DashBoard.zip.dll
+ 2010-12-15 08:18 . 2010-11-16 06:46 375296 c:\windows\system32\ZoneLabs\lib\ConfigWizard.zip.dll
+ 2010-12-15 08:18 . 2010-02-07 21:41 595432 c:\windows\system32\ZoneLabs\icslta.dll
+ 2010-12-15 08:18 . 2010-11-08 07:58 284136 c:\windows\system32\ZoneLabs\ffapi.dll
+ 2010-12-15 08:18 . 2010-11-16 06:45 169984 c:\windows\system32\ZoneLabs\fbl.dll
+ 2010-12-15 08:18 . 2008-03-17 05:52 813568 c:\windows\system32\ZoneLabs\dbghelp.dll
+ 2010-12-15 08:18 . 2010-11-16 06:45 104448 c:\windows\system32\zlcommdb.dll
+ 2010-12-15 08:18 . 2010-11-16 06:45 110080 c:\windows\system32\vsxml.dll
+ 2010-12-15 08:18 . 2010-11-16 06:45 715264 c:\windows\system32\vsutil.dll
+ 2010-12-15 08:18 . 2010-11-16 06:45 302592 c:\windows\system32\vspubapi.dll
+ 2010-12-15 08:18 . 2010-11-16 06:45 108032 c:\windows\system32\vsmonapi.dll
+ 2010-12-15 08:18 . 2010-11-16 06:45 228864 c:\windows\system32\vsinit.dll
+ 2010-12-15 08:18 . 2010-05-12 23:02 532224 c:\windows\system32\vsdatant.sys
+ 2010-12-15 08:18 . 2010-11-16 06:45 112128 c:\windows\system32\vsdata.dll
- 2009-03-27 15:38 . 2001-08-23 12:00 185344 c:\windows\system32\dllcache\thawbrkr.dll
+ 2009-03-27 15:38 . 2003-03-31 12:00 185344 c:\windows\system32\dllcache\thawbrkr.dll
- 2009-03-27 15:38 . 2001-08-23 12:00 101376 c:\windows\system32\dllcache\srusbusd.dll
+ 2009-03-27 15:38 . 2003-03-31 12:00 101376 c:\windows\system32\dllcache\srusbusd.dll
+ 2009-03-27 15:38 . 2003-03-31 12:00 143422 c:\windows\system32\dllcache\softkey.dll
- 2009-03-27 15:38 . 2001-08-23 12:00 143422 c:\windows\system32\dllcache\softkey.dll
+ 2009-03-27 15:38 . 2003-03-31 12:00 131584 c:\windows\system32\dllcache\pmxviceo.dll
- 2009-03-27 15:38 . 2001-08-23 12:00 131584 c:\windows\system32\dllcache\pmxviceo.dll
- 2009-03-27 15:38 . 2001-08-23 12:00 229439 c:\windows\system32\dllcache\multibox.dll
+ 2009-03-27 15:38 . 2003-03-31 12:00 229439 c:\windows\system32\dllcache\multibox.dll
+ 2009-03-27 15:37 . 2003-03-31 12:00 471102 c:\windows\system32\dllcache\imskdic.dll
- 2009-03-27 15:37 . 2001-08-23 12:00 471102 c:\windows\system32\dllcache\imskdic.dll
+ 2009-03-27 15:37 . 2003-03-31 12:00 311359 c:\windows\system32\dllcache\imepadsv.exe
- 2009-03-27 15:37 . 2001-08-23 12:00 311359 c:\windows\system32\dllcache\imepadsv.exe
+ 2009-03-27 15:37 . 2003-03-31 12:00 102463 c:\windows\system32\dllcache\imepadsm.dll
- 2009-03-27 15:37 . 2001-08-23 12:00 102463 c:\windows\system32\dllcache\imepadsm.dll
+ 2009-03-27 15:37 . 2003-03-31 12:00 169984 c:\windows\system32\dllcache\iisui.dll
- 2009-03-27 15:37 . 2001-08-23 12:00 169984 c:\windows\system32\dllcache\iisui.dll
- 2009-03-27 15:37 . 2001-08-23 12:00 132608 c:\windows\system32\dllcache\fxsclntr.dll
+ 2009-03-27 15:37 . 2003-03-31 12:00 132608 c:\windows\system32\dllcache\fxsclntr.dll
+ 2009-03-27 15:37 . 2003-03-31 12:00 111104 c:\windows\system32\dllcache\fxscfgwz.dll
- 2009-03-27 15:37 . 2001-08-23 12:00 111104 c:\windows\system32\dllcache\fxscfgwz.dll
+ 2009-03-27 15:37 . 2003-03-31 12:00 514587 c:\windows\system32\dllcache\edb500.dll
- 2009-03-27 15:37 . 2001-08-23 12:00 514587 c:\windows\system32\dllcache\edb500.dll
+ 2009-03-27 15:37 . 2003-03-31 12:00 838144 c:\windows\system32\dllcache\chtbrkr.dll
- 2009-03-27 15:37 . 2001-08-23 12:00 838144 c:\windows\system32\dllcache\chtbrkr.dll
+ 2010-11-29 16:02 . 2009-04-30 21:22 246272 c:\windows\ie8updates\KB2360131-IE8\ieproxy.dll
+ 2010-11-29 16:02 . 2009-03-07 18:35 742912 c:\windows\ie8updates\KB2360131-IE8\iedvtool.dll
+ 2010-12-15 08:18 . 2010-11-16 06:45 1238528 c:\windows\system32\zpeng25.dll
+ 2010-12-15 08:18 . 2010-11-16 06:45 1790464 c:\windows\system32\ZoneLabs\vsruledb.dll
+ 2010-12-15 08:18 . 2010-11-16 06:47 2435592 c:\windows\system32\ZoneLabs\vsmon.exe
+ 2010-12-15 08:18 . 2010-11-16 06:46 1536512 c:\windows\system32\ZoneLabs\lib\zpy.zip.dll
- 2009-03-27 15:37 . 2001-08-23 12:00 1677824 c:\windows\system32\dllcache\chsbrkr.dll
+ 2009-03-27 15:37 . 2003-03-31 12:00 1677824 c:\windows\system32\dllcache\chsbrkr.dll
- 2009-03-27 15:37 . 2001-08-23 12:00 10129408 c:\windows\system32\dllcache\hwxkor.dll
+ 2009-03-27 15:37 . 2003-03-31 12:00 10129408 c:\windows\system32\dllcache\hwxkor.dll
+ 2009-03-27 15:37 . 2003-03-31 12:00 10096640 c:\windows\system32\dllcache\hwxcht.dll
- 2009-03-27 15:37 . 2001-08-23 12:00 10096640 c:\windows\system32\dllcache\hwxcht.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-11-22 2424560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-04-03 13670504]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-11-16 1043968]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 184745]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator.ZAIBATSU.000^Start Menu^Programs^Startup^uvllqkfj.exe]
path=c:\documents and settings\Administrator.ZAIBATSU.000\Start Menu\Programs\Startup\uvllqkfj.exe
backup=c:\windows\pss\uvllqkfj.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Gary^Start Menu^Programs^Startup^uvllqkfj.exe]
path=c:\documents and settings\Gary\Start Menu\Programs\Startup\uvllqkfj.exe
backup=c:\windows\pss\uvllqkfj.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
? [?]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
? [?]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jet Detection]
2001-10-03 14:00 28672 ----a-w- c:\program files\Creative\SBLive\Program\ADGJDet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
2008-12-18 13:42 76304 ----a-w- c:\windows\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 04:40 155648 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2010-04-03 09:23 13670504 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2010-04-03 09:23 110696 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-10 14:00 90112 ------w- c:\windows\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINDVDPatch]
2002-02-07 07:01 40960 ----a-w- c:\windows\system32\CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/18/2010 5:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/11/2010 5:41 AM 67656]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [4/24/2009 10:45 PM 10384]
S0 iqazzwfg;iqazzwfg; [x]
S0 rfly;rfly;c:\windows\system32\drivers\fpjrl.sys --> c:\windows\system32\drivers\fpjrl.sys [?]
S2 gupdate;Google Update Service (gupdate);"c:\program files\Google\Update\GoogleUpdate.exe" /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - VSMON
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:23012
uInternet Settings,ProxyOverride = <local>
TCP: {15621E4B-AB40-4D99-884E-FFEBD9CA1859} = 8.8.8.8
TCP: {650A012B-2D3E-40C7-978B-0F65BBEADA8A} = 8.8.8.8
FF - ProfilePath - c:\documents and settings\Gary\Application Data\Mozilla\Firefox\Profiles\45ovj3f3.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: AdBlock Plus: {2993bd65-2ed1-1998-a5bf-65cb77c2c864} - %profile%\extensions\{2993bd65-2ed1-1998-a5bf-65cb77c2c864}
FF - Ext: DownThemAll!: {DDC359D1-844A-42a7-9AA1-88A850A938A8} - %profile%\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Rmuzox - c:\windows\oqefoxosivolup.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-15 20:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\documents and settings\Gary\Start Menu\Programs\Startup\uvllqkfj.exe 101872 bytes executable
C:\uvllqkfj.exe 101872 bytes executable

scan completed successfully
hidden files: 2

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63}]
@DACL=(02 0000)
@="Wireless"
"ProcessGroupPolicy"="ProcessWIRELESSPolicy"
"DllName"=expand:"gptext.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}]
@DACL=(02 0000)
@="Folder Redirection"
"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
"DllName"=expand:"fdeploy.dll"
"NoMachinePolicy"=dword:00000001
"NoSlowLink"=dword:00000001
"PerUserLocalSettings"=dword:00000001
"NoGPOListChanges"=dword:00000000
"NoBackgroundPolicy"=dword:00000000
"GenerateGroupPolicy"="GenerateGroupPolicy"
"EventSources"=multi:"(Folder Redirection,Application)\00\00"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}]
@DACL=(02 0000)
"Status"=dword:00000000
"RsopStatus"=dword:00000000
"LastPolicyTime"=dword:00f7fe30
"PrevSlowLink"=dword:00000000
"PrevRsopLogging"=dword:00000001
"ForceRefreshFG"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}]
@DACL=(02 0000)
@="Microsoft Disk Quota"
"NoMachinePolicy"=dword:00000000
"NoUserPolicy"=dword:00000001
"NoSlowLink"=dword:00000001
"NoBackgroundPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"PerUserLocalSettings"=dword:00000000
"RequiresSuccessfulRegistry"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000000
"DllName"=expand:"dskquota.dll"
"ProcessGroupPolicy"="ProcessGroupPolicy"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}]
@DACL=(02 0000)
@="QoS Packet Scheduler"
"ProcessGroupPolicy"="ProcessPSCHEDPolicy"
"DllName"=expand:"gptext.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-0000F87571E3}]
@DACL=(02 0000)
@="Scripts"
"ProcessGroupPolicy"="ProcessScriptsGroupPolicy"
"ProcessGroupPolicyEx"="ProcessScriptsGroupPolicyEx"
"GenerateGroupPolicy"="GenerateScriptsGroupPolicy"
"DllName"=expand:"gptext.dll"
"NoSlowLink"=dword:00000001
"NoGPOListChanges"=dword:00000001
"NotifyLinkTransition"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}]
@DACL=(02 0000)
@="Internet Explorer Zonemapping"
"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
"ProcessGroupPolicy"="ProcessGroupPolicyForZoneMap"
"NoGPOListChanges"=dword:00000001
"RequiresSucessfulRegistry"=dword:00000001
"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7B849a69-220F-451E-B3FE-2CB811AF94AE}]
@DACL=(02 0000)
@="Internet Explorer User Accelerators"
"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
"NoGPOListChanges"=dword:00000001
"ProcessGroupPolicy"="ProcessGroupPolicyForActivities"
"ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]
@DACL=(02 0000)
"ProcessGroupPolicy"="SceProcessSecurityPolicyGPO"
"GenerateGroupPolicy"="SceGenerateGroupPolicy"
"ExtensionRsopPlanningDebugLevel"=dword:00000001
"ProcessGroupPolicyEx"="SceProcessSecurityPolicyGPOEx"
"ExtensionDebugLevel"=dword:00000001
"DllName"=expand:"scecli.dll"
@="Security"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001
"MaxNoGPOListChangesInterval"=dword:000003c0

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}]
@DACL=(02 0000)
"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"ProcessGroupPolicy"="ProcessGroupPolicy"
"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
@="Internet Explorer Branding"
"NoSlowLink"=dword:00000001
"NoBackgroundPolicy"=dword:00000000
"NoGPOListChanges"=dword:00000001
"NoMachinePolicy"=dword:00000001
"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3014"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}]
@DACL=(02 0000)
"ProcessGroupPolicy"="SceProcessEFSRecoveryGPO"
"DllName"=expand:"scecli.dll"
@="EFS recovery"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053}]
@DACL=(02 0000)
@="802.3 Group Policy"
"DisplayName"=expand:"@dot3gpclnt.dll,-100"
"ProcessGroupPolicyEx"="ProcessLANPolicyEx"
"GenerateGroupPolicy"="GenerateLANPolicy"
"DllName"=expand:"dot3gpclnt.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}]
@DACL=(02 0000)
@="Microsoft Offline Files"
"DllName"=expand:"%SystemRoot%\\System32\\cscui.dll"
"EnableAsynchronousProcessing"=dword:00000000
"NoBackgroundPolicy"=dword:00000000
"NoGPOListChanges"=dword:00000000
"NoMachinePolicy"=dword:00000000
"NoSlowLink"=dword:00000000
"NoUserPolicy"=dword:00000001
"PerUserLocalSettings"=dword:00000000
"ProcessGroupPolicy"="ProcessGroupPolicy"
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]
@DACL=(02 0000)
@="Software Installation"
"DllName"=expand:"appmgmts.dll"
"ProcessGroupPolicyEx"="ProcessGroupPolicyObjectsEx"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"NoBackgroundPolicy"=dword:00000000
"RequiresSucessfulRegistry"=dword:00000000
"NoSlowLink"=dword:00000001
"PerUserLocalSettings"=dword:00000001
"EventSources"=multi:"(Application Management,Application)\00(MsiInstaller,Application)\00\00"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}]
@DACL=(02 0000)
@="Internet Explorer Machine Accelerators"
"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
"NoGPOListChanges"=dword:00000001
"ProcessGroupPolicy"="ProcessGroupPolicyForActivities"
"ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}]
@DACL=(02 0000)
@="IP Security"
"ProcessGroupPolicy"="ProcessIPSECPolicy"
"DllName"=expand:"gptext.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
@DACL=(02 0000)
"DllName"="c:\\Program Files\\SUPERAntiSpyware\\SASWINLO.DLL"
"Logon"="SABWINLOLogon"
"Logoff"="SABWINLOLogoff"
"Startup"="SABWINLOStartup"
"Shutdown"="SABWINLOShutdown"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=expand:"crypt32.dll"
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=expand:"cryptnet.dll"
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
@DACL=(02 0000)
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy]
@DACL=(02 0000)
"Asynchronous"=dword:00000001
"DllName"=expand:"%SystemRoot%\\System32\\dimsntfy.dll"
"Startup"="WlDimsStartup"
"Shutdown"="WlDimsShutdown"
"Logon"="WlDimsLogon"
"Logoff"="WlDimsLogoff"
"StartShell"="WlDimsStartShell"
"Lock"="WlDimsLock"
"Unlock"="WlDimsUnlock"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LBTWlgn]
@DACL=(02 0000)
"DLLName"="c:\\program files\\common files\\logishrd\\bluetooth\\LBTWlgn.dll"
"Asynchronous"=dword:00000000
"Startup"="OnStartup"
"Logon"="OnLogon"
"StartShell"="OnStartShell"
"Logoff"="OnLogoff"
"Shutdown"="OnShutdown"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
@DACL=(02 0000)
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"DllName"=expand:"wlnotify.dll"
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
@DACL=(02 0000)
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=expand:"sclgntfy.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
@DACL=(02 0000)
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"DllName"=expand:"wlnotify.dll"
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
@DACL=(02 0000)
"Logon"="WLEventLogon"
"Logoff"="WLEventLogoff"
"Startup"="WLEventStartup"
"Shutdown"="WLEventShutdown"
"StartScreenSaver"="WLEventStartScreenSaver"
"StopScreenSaver"="WLEventStopScreenSaver"
"Lock"="WLEventLock"
"Unlock"="WLEventUnlock"
"StartShell"="WLEventStartShell"
"PostShell"="WLEventPostShell"
"Disconnect"="WLEventDisconnect"
"Reconnect"="WLEventReconnect"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000000
"SafeMode"=dword:00000001
"MaxWait"=dword:ffffffff
"DllName"=expand:"WgaLogon.dll"
"Event"=dword:00000000
"InstallEvent"="1.9.0040.0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
@DACL=(02 0000)
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
@DACL=(02 0000)
"HelpAssistant"=dword:00000000
"TsInternetUser"=dword:00000000
"SQLAgentCmdExec"=dword:00000000
"NetShowServices"=dword:00000000
"IWAM_"=dword:00010000
"IUSR_"=dword:00010000
"VUSR_"=dword:00010000
.
Completion time: 2010-12-15 20:41:05
ComboFix-quarantined-files.txt 2010-12-15 09:40


Pre-Run: 14,100,090,880 bytes free
Post-Run: 14,107,648,000 bytes free

- - End Of File - - 2AE2129BB6CA8A9EA56467692AD71663


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:13:37 PM, on 12/18/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Documents and Settings\Gary\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/DriverDow ... ab_nvd.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resourc ... oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 8211881000
O16 - DPF: {C237A80A-4C55-4C68-BAA9-CBE4408D12B2} (F-Secure Online Scanner 4.0 Launcher) - http://download.sp.f-secure.com/ols/f-s ... uncher.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{15621E4B-AB40-4D99-884E-FFEBD9CA1859}: NameServer = 8.8.8.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{650A012B-2D3E-40C7-978B-0F65BBEADA8A}: NameServer = 8.8.8.8
O17 - HKLM\System\CS1\Services\Tcpip\..\{15621E4B-AB40-4D99-884E-FFEBD9CA1859}: NameServer = 8.8.8.8
O18 - Protocol: gcf - {9875BFAF-B04D-445E-8A69-BE36838CDE3E} - C:\Program Files\Google\Chrome Frame\Application\7.0.517.44\npchrome_frame.dll (file missing)
O18 - Protocol: vsharechrome - {3F3A4B8A-86FC-43A4-BB00-6D7EBE9D4484} - (no file)
O20 - Winlogon Notify: !SASWinLogon - C:\WINDOWS\
O23 - Service: Google Update Service (gupdate) (gupdate) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe (file missing)
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 5138 bytes
toshin9
Active Member
 
Posts: 7
Joined: December 16th, 2010, 6:04 am

Re: MS security essentials alert

Unread postby muppy03 » December 18th, 2010, 8:42 am

One of the main reasons for re-infections so quickly is you do not appear to have a running Antivirus on board. There is no point in trying to clean the computer without one.

Anti-virus software is a program that detects; cleans and erases harmful virus files on a Computer; Web server or Network. Unchecked, virus files can unintentionally be forwarded to others and thereby spread infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software scans the computer memory and disk drives for malicious code. They alert the user if a virus is present and will clean; delete (or quarantine) infected files or directories.

Next Please download a free anti-virus software from one these excellent vendors NOW:
1) Antivir PersonalEdition Classic- Free anti-virus software for Windows. Detects and removes more than 50,000 viruses. Free support.
Please note the following if you decide on Antivir Personal Edition
Avira AntiVir Personal - FREE Antivirus is only available for single computer use for home and non commercial use.

2) avast! - Anti-virus program for Windows. The home edition is freeware for noncommercial users.
3) Microsoft Security Essentials - New, from Microsoft, with email scanning, easy to install, easy to use.
** Your PC must run genuine Windows to install Microsoft Security Essentials.

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer then only one of them should be active in memory at a time.

Once you have an Antivirus please re-run RSIT (this time while connected to the internet and post the log it creates.

On a different note please read the following carefully and decide what you want to do.

IMPORTANT
One or more of the identified infections that you have is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and Download and Execute files

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

The Trojan has been identified and can be killed but many experts in the security community believe that once infected with this type of Trojan, the best course of action would be to reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

Should you have any questions, please feel free to ask.

Let me know what you decide.
User avatar
muppy03
MRU Emeritus
MRU Emeritus
 
Posts: 4782
Joined: December 4th, 2007, 5:30 am
Location: Australia

Re: MS security essentials alert

Unread postby toshin9 » December 18th, 2010, 9:35 am

Umm, so I downloaded security essentials on this laptop, and moved it via usbkey to the infected machine.

Obviously I had to connect to the internet to let it finish the update process.

Bam. As i already told you, it didnt even manage to finish updating.
The malware stopped it and closed all running applications.

Then trying to run RSIT gave me a bsod.
So now im right back where i started.

Generally my process is to run RKill to temporarily stop all the exes long enough for me to run super anti spyrare/MAB.
However, this only brings me back to where i was at the start of the topic.

edit: i am aware about the credit card fraud etc. This machine is not used for any banking etc transactions.
toshin9
Active Member
 
Posts: 7
Joined: December 16th, 2010, 6:04 am

Re: MS security essentials alert

Unread postby toshin9 » December 18th, 2010, 9:58 am

Here are the logs, after connecting to the internet for 1 minute. (i have since disabled the internet again).

You can see in that short time, the system is now full of exes/reg changes etc.
Also im having to run these tools in safemode.

Logfile of random's system information tool 1.08 (written by random/random)
Run by Gary at 2010-12-19 00:53:59
Microsoft Windows XP Professional Service Pack 3
System drive C: has 13 GB (17%) free of 77 GB
Total RAM: 2047 MB (87% free)

HijackThis download failed

======Scheduled tasks folder======

C:\WINDOWS\tasks\MP Scheduled Scan.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B1B220C1-A503-59BD-F413-02B53A2C8954}]
C:\WINDOWS\system32\rige1.dll - C:\WINDOWS\system32\rige1.dll [2010-12-19 30000]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2010-04-03 13670504]
"ZoneAlarm Client"=C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe [2010-11-16 1043968]
"MSC"=C:\Program Files\Microsoft Security Client\msseces.exe [2010-11-30 997408]
"uPc+MV0NcUMCxl"=C:\WINDOWS\system32\mz0x5q35.dll [2010-12-19 30000]
"HNUkOXRoQ_c"=C:\DOCUME~1\Gary\LOCALS~1\Temp\jf64r413f.exe [2010-12-19 30001]
"MKcZ"=C:\WINDOWS\mdm.exe [2010-12-19 60004]
"HNUkOXRouqc"=C:\DOCUME~1\Gary\LOCALS~1\Temp\iexplarer.exe [2010-12-19 54276]
"MKfPc"=C:\WINDOWS\win32.exe [2010-12-19 54276]
"MKcuc"=C:\WINDOWS\lsass.exe [2010-12-19 60004]
"HNUkOXRssc"=C:\DOCUME~1\Gary\LOCALS~1\Temp\winlogon.exe [2010-12-19 60004]
"MKbuqc"=C:\WINDOWS\iexplarer.exe [2010-12-19 60004]
"MKZe"=C:\WINDOWS\avp.exe [2010-12-19 54276]
"HNUkOXRnZ"=C:\DOCUME~1\Gary\LOCALS~1\Temp\cmd.exe [2010-12-19 54276]
"HNUkOXRme"=C:\DOCUME~1\Gary\LOCALS~1\Temp\avp.exe [2010-12-19 54276]
"MKdw+"=C:\WINDOWS\nvsvc32.exe [2010-12-19 54276]
"MKexe"=C:\WINDOWS\system.exe [2010-12-19 54276]
"HNUkOXRpw+"=C:\DOCUME~1\Gary\LOCALS~1\Temp\nvsvc32.exe [2010-12-19 54276]
"MKfsc"=C:\WINDOWS\winlogon.exe [2010-12-19 54276]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Hyututehobekeyoj"= C:\WINDOWS\dfui20.dll,Startup []
"cleansweep.exe"=C:\cleansweep.exe\cleansweep.exe [2009-02-09 680845]
"ijsqunoa"=C:\DOCUME~1\Gary\LOCALS~1\Temp\hlduykvrs\gtdvogiaffm.exe [2010-12-19 320512]
"uPc+MV0NcUMCxl"=C:\WINDOWS\system32\mz0x5q35.dll [2010-12-19 30000]
"HNUkOXRoQ_c"=C:\DOCUME~1\Gary\LOCALS~1\Temp\jf64r413f.exe [2010-12-19 30001]
"MKcZ"=C:\WINDOWS\mdm.exe [2010-12-19 60004]
"HNUkOXRouqc"=C:\DOCUME~1\Gary\LOCALS~1\Temp\iexplarer.exe [2010-12-19 54276]
"MKfPc"=C:\WINDOWS\win32.exe [2010-12-19 54276]
"MKcuc"=C:\WINDOWS\lsass.exe [2010-12-19 60004]
"HNUkOXRssc"=C:\DOCUME~1\Gary\LOCALS~1\Temp\winlogon.exe [2010-12-19 60004]
"MKbuqc"=C:\WINDOWS\iexplarer.exe [2010-12-19 60004]
"MKZe"=C:\WINDOWS\avp.exe [2010-12-19 54276]
"HNUkOXRnZ"=C:\DOCUME~1\Gary\LOCALS~1\Temp\cmd.exe [2010-12-19 54276]
"HNUkOXRme"=C:\DOCUME~1\Gary\LOCALS~1\Temp\avp.exe [2010-12-19 54276]
"MKdw+"=C:\WINDOWS\nvsvc32.exe [2010-12-19 54276]
"MKexe"=C:\WINDOWS\system.exe [2010-12-19 54276]
"HNUkOXRpw+"=C:\DOCUME~1\Gary\LOCALS~1\Temp\nvsvc32.exe [2010-12-19 54276]
"MKfsc"=C:\WINDOWS\winlogon.exe [2010-12-19 54276]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jet Detection]
C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe [2001-10-04 28672]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
C:\WINDOWS\KHALMNPR.EXE [2008-12-19 76304]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
? []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [2006-01-12 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
C:\WINDOWS\system32\NvCpl.dll [2010-04-03 13670504]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
C:\WINDOWS\system32\NvMcTray.dll [2010-04-03 110696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
? []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
C:\WINDOWS\UpdReg.EXE [2000-05-11 90112]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINDVDPatch]
C:\WINDOWS\system32\CTHELPER.EXE [2002-02-07 40960]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator.ZAIBATSU.000^Start Menu^Programs^Startup^uvllqkfj.exe]
C:\Documents and Settings\Administrator.ZAIBATSU.000\Start Menu\Programs\Startup\uvllqkfj.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
C:\PROGRA~1\Logitech\SetPoint\SetPoint.exe [2009-02-19 809488]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Gary^Start Menu^Programs^Startup^uvllqkfj.exe]
C:\Documents and Settings\Gary\Start Menu\Programs\Startup\uvllqkfj.exe []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LBTWlgn]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler]
juaw98rajewifhausihuggdd - {B1B220C1-A503-59BD-F413-02B53A2C8954} - C:\WINDOWS\system32\rige1.dll [2010-12-19 30000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-14 184745]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MsMpSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\vsmon]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WdfLoadGroup]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=1

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0
"NoFolderOptions"=1

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=1
"NoDriveAutoRun"=67108863
"NoDriveTypeAutoRun"=323
"NoDrives"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\uTorrent\uTorrent.exe"="C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\WINDOWS\system32\ZoneLabs\vsmon.exe"="C:\WINDOWS\system32\ZoneLabs\vsmon.exe:*:Enabled:vsmon"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 1 months======

2010-12-19 00:33:40 ----D---- C:\spoolerlogs
2010-12-19 00:29:35 ----H---- C:\WINDOWS\winlogon.exe
2010-12-19 00:29:34 ----H---- C:\WINDOWS\system.exe
2010-12-19 00:29:33 ----H---- C:\WINDOWS\nvsvc32.exe
2010-12-19 00:29:31 ----H---- C:\WINDOWS\iexplarer.exe
2010-12-19 00:29:30 ----H---- C:\WINDOWS\taskmgr.exe
2010-12-19 00:29:30 ----H---- C:\WINDOWS\lsass.exe
2010-12-19 00:29:30 ----H---- C:\WINDOWS\avp.exe
2010-12-19 00:29:28 ----H---- C:\WINDOWS\win32.exe
2010-12-19 00:29:27 ----H---- C:\WINDOWS\mdm.exe
2010-12-19 00:29:08 ----A---- C:\WINDOWS\system32\mz0x5q35.dll
2010-12-19 00:29:05 ----A---- C:\WINDOWS\system32\rige1.dll
2010-12-19 00:28:59 ----A---- C:\WINDOWS\system32\drivers\iosreu.sys
2010-12-19 00:28:32 ----A---- C:\hotfix.exe
2010-12-19 00:23:09 ----D---- C:\Program Files\Microsoft Security Client
2010-12-18 21:59:39 ----D---- C:\rsit
2010-12-16 00:32:46 ----A---- C:\TDSSKiller.2.4.11.0_16.12.2010_00.32.46_log.txt
2010-12-16 00:29:55 ----A---- C:\mbr.exe
2010-12-15 20:50:19 ----A---- C:\WINDOWS\system32\cmdmgr.exe
2010-12-15 20:45:53 ----A---- C:\TDSSKiller.2.4.10.0_15.12.2010_20.45.53_log.txt
2010-12-15 20:45:42 ----A---- C:\WINDOWS\system32\svchostmgr.exe
2010-12-15 20:45:17 ----SHD---- C:\RECYCLER
2010-12-15 20:43:28 ----A---- C:\WINDOWS\explorermgr.exe
2010-12-15 20:41:06 ----A---- C:\ComboFix.txt
2010-12-15 19:49:10 ----D---- C:\Program Files\ESET
2010-12-15 19:18:37 ----D---- C:\Program Files\CheckPoint
2010-12-15 19:18:35 ----A---- C:\WINDOWS\system32\vsregexp.dll
2010-12-15 19:18:34 ----A---- C:\WINDOWS\system32\zlcommdb.dll
2010-12-15 19:18:34 ----A---- C:\WINDOWS\system32\zlcomm.dll
2010-12-15 19:18:31 ----D---- C:\WINDOWS\system32\ZoneLabs
2010-12-15 19:18:31 ----A---- C:\WINDOWS\system32\zpeng25.dll
2010-12-15 19:18:31 ----A---- C:\WINDOWS\system32\vsxml.dll
2010-12-15 19:18:31 ----A---- C:\WINDOWS\system32\vswmi.dll
2010-12-15 19:18:31 ----A---- C:\WINDOWS\system32\vspubapi.dll
2010-12-15 19:18:31 ----A---- C:\WINDOWS\system32\vsmonapi.dll
2010-12-15 19:18:30 ----D---- C:\Program Files\Zone Labs
2010-12-15 19:18:30 ----A---- C:\WINDOWS\system32\vsdatant.sys
2010-12-15 19:18:05 ----D---- C:\WINDOWS\Internet Logs
2010-12-15 19:18:04 ----A---- C:\WINDOWS\system32\vsutil.dll
2010-12-15 19:18:04 ----A---- C:\WINDOWS\system32\vsinit.dll
2010-12-15 19:18:04 ----A---- C:\WINDOWS\system32\vsdata.dll
2010-12-15 18:50:13 ----A---- C:\TDSSKiller.2.4.10.0_15.12.2010_18.50.13_log.txt
2010-12-06 00:04:09 ----D---- C:\Documents and Settings\All Users\Application Data\Norton
2010-12-04 12:23:46 ----D---- C:\WINDOWS\temp
2010-12-03 20:07:03 ----A---- C:\TDSSKiller.2.4.10.0_03.12.2010_20.07.03_log.txt
2010-12-03 19:47:40 ----D---- C:\WINDOWS\system32\appmgmt
2010-12-01 18:08:29 ----D---- C:\Program Files\win
2010-12-01 17:40:28 ----A---- C:\TDSSKiller.2.4.10.0_01.12.2010_17.40.28_log.txt
2010-12-01 01:23:16 ----A---- C:\TDSSKiller.2.4.10.0_01.12.2010_01.23.16_log.txt
2010-12-01 00:54:55 ----A---- C:\TDSSKiller.2.4.10.0_01.12.2010_00.54.55_log.txt
2010-12-01 00:21:27 ----A---- C:\TDSSKiller.2.4.10.0_01.12.2010_00.21.27_log.txt
2010-11-30 23:56:27 ----A---- C:\TDSSKiller.2.4.10.0_30.11.2010_23.56.27_log.txt
2010-11-30 22:51:32 ----A---- C:\TDSSKiller.2.4.10.0_30.11.2010_22.51.32_log.txt
2010-11-30 22:26:25 ----A---- C:\TDSSKiller.2.4.10.0_30.11.2010_22.26.25_log.txt
2010-11-30 22:08:10 ----A---- C:\TDSSKiller.2.4.10.0_30.11.2010_22.08.10_log.txt
2010-11-30 17:01:28 ----D---- C:\Program Files\Trend Micro
2010-11-30 16:47:54 ----A---- C:\TDSSKiller.2.4.10.0_30.11.2010_16.47.54_log.txt
2010-11-30 03:06:35 ----HDC---- C:\WINDOWS\$NtUninstallKB2387149$
2010-11-30 03:06:32 ----HDC---- C:\WINDOWS\$NtUninstallKB2279986$
2010-11-30 03:06:28 ----HDC---- C:\WINDOWS\$NtUninstallKB960859$
2010-11-30 03:06:24 ----HDC---- C:\WINDOWS\$NtUninstallKB982214$
2010-11-30 03:06:19 ----HDC---- C:\WINDOWS\$NtUninstallKB958869$
2010-11-30 03:06:16 ----HDC---- C:\WINDOWS\$NtUninstallKB2259922$
2010-11-30 03:06:12 ----HDC---- C:\WINDOWS\$NtUninstallKB980195$
2010-11-30 03:06:10 ----HDC---- C:\WINDOWS\$NtUninstallKB2296011$
2010-11-30 03:06:07 ----HDC---- C:\WINDOWS\$NtUninstallKB980232$
2010-11-30 03:06:03 ----HDC---- C:\WINDOWS\$NtUninstallKB2115168$
2010-11-30 03:06:00 ----HDC---- C:\WINDOWS\$NtUninstallKB975558_WM8$
2010-11-30 03:05:57 ----HDC---- C:\WINDOWS\$NtUninstallKB955759$
2010-11-30 03:05:52 ----HDC---- C:\WINDOWS\$NtUninstallKB2378111_WM9$
2010-11-30 03:05:49 ----HDC---- C:\WINDOWS\$NtUninstallKB974318$
2010-11-30 03:05:46 ----HDC---- C:\WINDOWS\$NtUninstallKB969059$
2010-11-30 03:05:42 ----HDC---- C:\WINDOWS\$NtUninstallKB2229593$
2010-11-30 03:05:39 ----HDC---- C:\WINDOWS\$NtUninstallKB978037$
2010-11-30 03:05:36 ----HDC---- C:\WINDOWS\$NtUninstallKB975713$
2010-11-30 03:05:32 ----HDC---- C:\WINDOWS\$NtUninstallKB982132$
2010-11-30 03:05:28 ----HDC---- C:\WINDOWS\$NtUninstallKB971657$
2010-11-30 03:05:25 ----HDC---- C:\WINDOWS\$NtUninstallKB978338$
2010-11-30 03:05:21 ----HDC---- C:\WINDOWS\$NtUninstallKB954155_WM9$
2010-11-30 03:05:19 ----HDC---- C:\WINDOWS\$NtUninstallKB972270$
2010-11-30 03:05:15 ----HDC---- C:\WINDOWS\$NtUninstallKB956744$
2010-11-30 03:05:12 ----HDC---- C:\WINDOWS\$NtUninstallKB974112$
2010-11-30 03:05:09 ----HDC---- C:\WINDOWS\$NtUninstallKB2347290$
2010-11-30 03:05:05 ----HDC---- C:\WINDOWS\$NtUninstallKB956844$
2010-11-30 03:05:01 ----HDC---- C:\WINDOWS\$NtUninstallKB981852$
2010-11-30 03:04:55 ----HDC---- C:\WINDOWS\$NtUninstallKB2079403$
2010-11-30 03:04:48 ----D---- C:\WINDOWS\system32\MpEngineStore
2010-11-30 03:04:48 ----A---- C:\WINDOWS\system32\MRT.INI
2010-11-30 03:02:27 ----HDC---- C:\WINDOWS\$NtUninstallKB979687$
2010-11-30 03:02:23 ----HDC---- C:\WINDOWS\$NtUninstallKB2121546$
2010-11-30 03:02:20 ----HDC---- C:\WINDOWS\$NtUninstallKB973869$
2010-11-30 03:02:17 ----HDC---- C:\WINDOWS\$NtUninstallKB975025$
2010-11-30 03:02:14 ----HDC---- C:\WINDOWS\$NtUninstallKB974571$
2010-11-30 03:01:59 ----HDC---- C:\WINDOWS\$NtUninstallKB975560$
2010-11-30 03:01:53 ----HDC---- C:\WINDOWS\$NtUninstallKB973507$
2010-11-30 03:01:48 ----HDC---- C:\WINDOWS\$NtUninstallKB977816$
2010-11-30 03:01:45 ----HDC---- C:\WINDOWS\$NtUninstallKB978601$
2010-11-30 03:01:42 ----HDC---- C:\WINDOWS\$NtUninstallKB980436$
2010-11-30 03:01:38 ----HDC---- C:\WINDOWS\$NtUninstallKB981322$
2010-11-30 03:01:35 ----HDC---- C:\WINDOWS\$NtUninstallKB978695_WM9$
2010-11-30 03:01:32 ----HDC---- C:\WINDOWS\$NtUninstallKB973904$
2010-11-30 03:01:26 ----HDC---- C:\WINDOWS\$NtUninstallKB973540_WM9$
2010-11-30 03:01:23 ----HDC---- C:\WINDOWS\$NtUninstallKB974392$
2010-11-30 03:01:17 ----HDC---- C:\WINDOWS\$NtUninstallKB977914$
2010-11-30 03:01:10 ----HDC---- C:\WINDOWS\$NtUninstallKB978542$
2010-11-30 03:01:05 ----HDC---- C:\WINDOWS\$NtUninstallKB2286198$
2010-11-30 03:01:02 ----HDC---- C:\WINDOWS\$NtUninstallKB981957$
2010-11-30 03:00:58 ----HDC---- C:\WINDOWS\$NtUninstallKB979309$
2010-11-30 03:00:55 ----HDC---- C:\WINDOWS\$NtUninstallKB979482$
2010-11-30 03:00:52 ----HDC---- C:\WINDOWS\$NtUninstallKB978706$
2010-11-30 03:00:48 ----HDC---- C:\WINDOWS\$NtUninstallKB981997$
2010-11-30 03:00:45 ----HDC---- C:\WINDOWS\$NtUninstallKB973815$
2010-11-30 03:00:41 ----HDC---- C:\WINDOWS\$NtUninstallKB975562$
2010-11-30 03:00:35 ----HDC---- C:\WINDOWS\$NtUninstallKB2158563$
2010-11-30 03:00:32 ----HDC---- C:\WINDOWS\$NtUninstallKB982665$
2010-11-30 03:00:29 ----HDC---- C:\WINDOWS\$NtUninstallKB975467$
2010-11-30 03:00:25 ----HDC---- C:\WINDOWS\$NtUninstallKB968389$
2010-11-30 03:00:18 ----HDC---- C:\WINDOWS\$NtUninstallKB2360937$
2010-11-29 21:53:39 ----D---- C:\WINDOWS\system32\SoftwareDistribution
2010-11-29 20:39:15 ----A---- C:\TDSSKiller.2.4.10.0_29.11.2010_20.39.15_log.txt
2010-11-29 20:00:28 ----A---- C:\TDSSKiller.2.4.10.0_29.11.2010_20.00.28_log.txt
2010-11-29 19:57:58 ----A---- C:\TDSSKiller.2.4.10.0_29.11.2010_19.57.58_log.txt
2010-11-29 19:52:36 ----D---- C:\WINDOWS\Minidump
2010-11-29 19:48:08 ----A---- C:\TDSSKiller.2.4.10.0_29.11.2010_19.48.08_log.txt
2010-11-29 19:44:22 ----A---- C:\TDSSKiller.2.4.10.0_29.11.2010_19.44.22_log.txt
2010-11-29 19:39:40 ----A---- C:\TDSSKiller.2.4.10.0_29.11.2010_19.39.40_log.txt
2010-11-28 14:14:21 ----D---- C:\Program Files\SUPERAntiSpyware
2010-11-28 00:44:42 ----A---- C:\WINDOWS\zip.exe
2010-11-28 00:44:42 ----A---- C:\WINDOWS\SWXCACLS.exe
2010-11-28 00:44:42 ----A---- C:\WINDOWS\SWSC.exe
2010-11-28 00:44:42 ----A---- C:\WINDOWS\SWREG.exe
2010-11-28 00:44:42 ----A---- C:\WINDOWS\sed.exe
2010-11-28 00:44:42 ----A---- C:\WINDOWS\PEV.exe
2010-11-28 00:44:42 ----A---- C:\WINDOWS\NIRCMD.exe
2010-11-28 00:44:42 ----A---- C:\WINDOWS\MBR.exe
2010-11-28 00:44:42 ----A---- C:\WINDOWS\grep.exe
2010-11-27 00:53:05 ----D---- C:\Documents and Settings\Gary\Application Data\GetRightToGo
2010-11-26 21:53:08 ----ASH---- C:\pagefile.sys
2010-11-26 21:22:36 ----D---- C:\Documents and Settings\Gary\Application Data\Feul
2010-11-26 21:22:36 ----D---- C:\Documents and Settings\Gary\Application Data\Acfay
2010-11-26 21:04:33 ----A---- C:\Boot.bak
2010-11-26 21:04:27 ----RASHD---- C:\cmdcons
2010-11-26 20:40:37 ----SD---- C:\WINDOWS\Tasks
2010-11-26 20:21:00 ----D---- C:\Documents and Settings\All Users\Application Data\MSN6
2010-11-26 20:12:47 ----D---- C:\Documents and Settings\Gary\Application Data\Ablil
2010-11-26 19:45:55 ----D---- C:\WINDOWS\ERDNT
2010-11-26 19:41:58 ----AD---- C:\Qoobox
2010-11-26 19:35:12 ----D---- C:\Documents and Settings\Gary\Application Data\Xahays
2010-11-26 00:42:58 ----D---- C:\Documents and Settings\Gary\Application Data\SUPERAntiSpyware.com
2010-11-26 00:42:58 ----D---- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2010-11-25 23:52:05 ----D---- C:\Documents and Settings\Gary\Application Data\Ufxu
2010-11-25 23:52:05 ----D---- C:\Documents and Settings\Gary\Application Data\Feunu
2010-11-25 20:13:14 ----HD---- C:\WINDOWS\system32\GroupPolicy
2010-11-24 18:02:49 ----D---- C:\Documents and Settings\Gary\Application Data\updates
2010-11-21 11:52:04 ----D---- C:\Documents and Settings\Gary\Application Data\Taodh
2010-11-21 11:52:04 ----D---- C:\Documents and Settings\Gary\Application Data\Iphia

======List of files/folders modified in the last 1 months======

2010-12-19 00:53:40 ----A---- C:\WINDOWS\ntbtlog.txt
2010-12-19 00:48:52 ----D---- C:\WINDOWS\Prefetch
2010-12-19 00:40:53 ----D---- C:\WINDOWS
2010-12-19 00:40:47 ----D---- C:\WINDOWS\system32\CatRoot2
2010-12-19 00:29:32 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-12-19 00:29:08 ----RSHDC---- C:\WINDOWS\system32\dllcache
2010-12-19 00:29:08 ----D---- C:\WINDOWS\system32
2010-12-19 00:29:01 ----D---- C:\WINDOWS\system32\drivers
2010-12-19 00:28:23 ----D---- C:\Program Files\Internet Explorer
2010-12-19 00:23:38 ----SHD---- C:\WINDOWS\Installer
2010-12-19 00:23:30 ----HD---- C:\WINDOWS\inf
2010-12-19 00:23:26 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2010-12-19 00:23:14 ----D---- C:\Program Files\Common Files\Microsoft Shared
2010-12-19 00:23:13 ----D---- C:\WINDOWS\WinSxS
2010-12-19 00:23:13 ----D---- C:\WINDOWS\PCHealth
2010-12-19 00:23:09 ----RD---- C:\Program Files
2010-12-18 23:59:55 ----D---- C:\Program Files\Windows Media Player
2010-12-18 23:57:50 ----D---- C:\Program Files\Outlook Express
2010-12-18 23:55:34 ----D---- C:\Program Files\Movie Maker
2010-12-18 23:43:01 ----D---- C:\Documents and Settings\Gary\Application Data\uTorrent
2010-12-18 21:53:20 ----A---- C:\WINDOWS\winamp.ini
2010-12-18 21:51:10 ----D---- C:\Program Files\eMule
2010-12-18 04:20:58 ----A---- C:\WINDOWS\NeroDigital.ini
2010-12-16 00:26:26 ----HDC---- C:\WINDOWS\$NtUninstallKB958690$
2010-12-15 22:29:20 ----D---- C:\Program Files\Mozilla Firefox
2010-12-15 21:54:02 ----D---- C:\Program Files\Common Files\LightScribe
2010-12-15 20:38:48 ----A---- C:\WINDOWS\system.ini
2010-12-15 20:38:33 ----D---- C:\WINDOWS\system32\drivers\etc
2010-12-15 20:36:53 ----D---- C:\WINDOWS\AppPatch
2010-12-15 20:36:53 ----D---- C:\Program Files\Common Files
2010-12-15 20:15:48 ----D---- C:\WINDOWS\pss
2010-12-15 20:11:16 ----D---- C:\Program Files\WinRAR
2010-12-15 20:11:10 ----D---- C:\Program Files\Windows Media Connect 2
2010-12-15 20:11:09 ----D---- C:\Program Files\vShare
2010-12-15 20:10:11 ----D---- C:\Program Files\SopCast
2010-12-15 20:09:49 ----D---- C:\Program Files\Real Alternative
2010-12-15 20:09:43 ----D---- C:\Program Files\NetMeeting
2010-12-15 20:07:28 ----D---- C:\Program Files\Messenger
2010-12-15 20:06:52 ----D---- C:\Program Files\K-Lite Codec Pack
2010-12-15 20:05:49 ----D---- C:\Program Files\ImgBurn
2010-12-15 20:05:40 ----D---- C:\Program Files\GGPO
2010-12-15 20:03:25 ----D---- C:\Program Files\Audacity
2010-12-07 00:44:58 ----D---- C:\JDownloader
2010-12-06 22:38:30 ----D---- C:\Documents and Settings\Gary\Application Data\vlc
2010-12-03 20:02:24 ----RASH---- C:\boot.ini
2010-12-03 20:02:24 ----A---- C:\WINDOWS\win.ini
2010-12-03 19:59:53 ----D---- C:\Program Files\uTorrent
2010-12-03 19:59:53 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2010-12-03 19:59:53 ----D---- C:\Documents and Settings\Gary\Application Data\Etis
2010-12-03 19:06:35 ----HDC---- C:\WINDOWS\$NtUninstallKB958687$
2010-12-01 18:10:53 ----HD---- C:\WINDOWS\$hf_mig$
2010-12-01 02:11:25 ----D---- C:\WINDOWS\system32\Restore
2010-12-01 01:32:42 ----SHD---- C:\System Volume Information
2010-12-01 00:36:38 ----SHD---- C:\WINDOWS\CSC
2010-11-30 03:06:38 ----A---- C:\WINDOWS\imsins.BAK
2010-11-29 21:53:40 ----D---- C:\WINDOWS\Help
2010-11-29 20:21:48 ----HDC---- C:\WINDOWS\$NtUninstallKB938464-v2$
2010-11-29 20:01:33 ----D---- C:\Documents and Settings\Gary\Application Data\Wiihx
2010-11-27 14:44:29 ----HDC---- C:\WINDOWS\$NtUninstallKB955069$
2010-11-27 00:15:19 ----D---- C:\WINDOWS\system32\config
2010-11-27 00:02:17 ----HDC---- C:\WINDOWS\$NtUninstallKB951066$
2010-11-26 20:56:32 ----HDC---- C:\WINDOWS\$NtUninstallKB960803$
2010-11-26 20:15:12 ----SD---- C:\WINDOWS\Task
2010-11-26 00:24:01 ----HDC---- C:\WINDOWS\$NtUninstallKB968537$
2010-11-25 21:51:23 ----HDC---- C:\WINDOWS\$NtUninstallKB956802$
2010-11-25 21:18:56 ----D---- C:\Documents and Settings
2010-11-25 20:52:09 ----RSD---- C:\WINDOWS\Fonts
2010-11-24 22:20:31 ----HDC---- C:\WINDOWS\$NtUninstallKB960225$
2010-11-24 21:02:31 ----HDC---- C:\WINDOWS\$NtUninstallKB967715$
2010-11-22 22:40:36 ----HDC---- C:\WINDOWS\ie7
2010-11-21 12:30:44 ----HDC---- C:\WINDOWS\$NtUninstallKB954600$
2010-11-21 12:28:30 ----D---- C:\Documents and Settings\Gary\Application Data\Hosu

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R0 nvata;nvata; C:\WINDOWS\System32\DRIVERS\nvata.sys [2005-08-18 93568]
R0 ohci1394;Texas Instruments OHCI Compliant IEEE 1394 Host Controller; C:\WINDOWS\System32\DRIVERS\ohci1394.sys [2008-04-14 61696]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2008-04-14 10368]
R3 L8042Kbd;Logitech SetPoint Keyboard Driver; C:\WINDOWS\system32\DRIVERS\L8042Kbd.sys [2008-12-19 20240]
R3 LHidFilt;Logitech SetPoint KMDF HID Filter Driver; C:\WINDOWS\system32\DRIVERS\LHidFilt.Sys [2008-12-19 35472]
R3 LMouFilt;Logitech SetPoint KMDF Mouse Filter Driver; C:\WINDOWS\system32\DRIVERS\LMouFilt.Sys [2008-12-19 37392]
R3 LUsbFilt;Logitech SetPoint KMDF USB Filter; C:\WINDOWS\System32\Drivers\LUsbFilt.Sys [2008-12-19 28816]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-14 26368]
R3 Wdf01000;Wdf01000; C:\WINDOWS\system32\DRIVERS\Wdf01000.sys [2006-11-02 492000]
S0 iqazzwfg;iqazzwfg; C:\WINDOWS\system32\drivers\iqazzwfg.sys []
S0 rfly;rfly; C:\WINDOWS\System32\drivers\fpjrl.sys []
S1 MpFilter;Microsoft Malware Protection Driver; C:\WINDOWS\system32\DRIVERS\MpFilter.sys [2010-10-24 165264]
S1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
S1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS []
S1 vsdatant;vsdatant; C:\WINDOWS\System32\vsdatant.sys [2010-05-13 532224]
S2 irda;IrDA Protocol; C:\WINDOWS\System32\DRIVERS\irda.sys [2008-04-14 88192]
S2 LBeepKE;LBeepKE; C:\WINDOWS\System32\Drivers\LBeepKE.sys [2008-12-19 10384]
S2 PfModNT;PfModNT; \??\C:\WINDOWS\system32\PfModNT.sys []
S3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\System32\DRIVERS\arp1394.sys [2008-04-14 60800]
S3 catchme;catchme; \??\C:\DOCUME~1\Gary\LOCALS~1\Temp\catchme.sys []
S3 ctac32k;Creative AC3 Software Decoder; C:\WINDOWS\System32\drivers\ctac32k.sys [2002-03-22 114944]
S3 ctaud2k;Creative Audio Driver (WDM); C:\WINDOWS\system32\drivers\ctaud2k.sys [2002-03-22 835636]
S3 ctljystk;Creative SBLive! Gameport; C:\WINDOWS\System32\DRIVERS\ctljystk.sys [2001-08-17 3712]
S3 ctprxy2k;Creative Proxy Driver; C:\WINDOWS\System32\drivers\ctprxy2k.sys [2002-03-22 11068]
S3 ctsfm2k;Creative SoundFont Management Device Driver; C:\WINDOWS\System32\drivers\ctsfm2k.sys [2002-03-22 211724]
S3 emu10k;Creative SB Live! (WDM); C:\WINDOWS\system32\drivers\emu10k1m.sys [2001-08-17 283904]
S3 emu10k1;Creative Interface Manager Driver (WDM); C:\WINDOWS\system32\drivers\ctlfacem.sys [2001-08-17 6912]
S3 emupia;E-mu Plug-in Architecture Driver; C:\WINDOWS\System32\drivers\emupia2k.sys [2002-03-22 156604]
S3 ha10kx2k;Creative Hardware Abstract Layer Driver; C:\WINDOWS\system32\drivers\ha10kx2k.sys [2002-03-22 991656]
S3 irsir;Microsoft Serial Infrared Driver; C:\WINDOWS\System32\DRIVERS\irsir.sys [2001-08-18 18688]
S3 NIC1394;1394 Net Driver; C:\WINDOWS\System32\DRIVERS\nic1394.sys [2008-04-14 61824]
S3 nv;nv; C:\WINDOWS\System32\DRIVERS\nv4_mini.sys [2010-04-04 10232128]
S3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\WINDOWS\System32\DRIVERS\NVENETFD.sys [2005-09-30 34048]
S3 nvnetbus;NVIDIA Network Bus Enumerator; C:\WINDOWS\System32\DRIVERS\nvnetbus.sys [2005-09-30 13056]
S3 ossrv;Creative OS Services Driver; C:\WINDOWS\system32\drivers\ctoss2k.sys [2002-03-22 195432]
S3 Rasirda;WAN Miniport (IrDA); C:\WINDOWS\System32\DRIVERS\rasirda.sys [2001-08-18 19584]
S3 sfman;Creative SoundFont Manager Driver (WDM); C:\WINDOWS\system32\drivers\sfmanm.sys [2001-08-17 36480]
S3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2008-04-14 60032]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-14 32128]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-14 15104]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 MsMpSvc;Microsoft Antimalware Service; C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe [2010-11-11 11736]
S2 gupdate;Google Update Service (gupdate); C:\Program Files\Google\Update\GoogleUpdate.exe /svc []
S2 Irmon;Infrared Monitor; C:\WINDOWS\System32\svchost.exe [2008-04-14 14336]
S2 LightScribeService;LightScribeService Direct Disc Labeling Service; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [2006-10-19 168318]
S2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\System32\nvsvc32.exe [2010-04-03 154216]
S2 vsmon;TrueVector Internet Monitor; C:\WINDOWS\system32\ZoneLabs\vsmon.exe [2010-11-16 2435592]
S2 WinVNC4;VNC Server Version 4; C:\Program Files\RealVNC\VNC4\WinVNC4.exe [2008-10-15 439632]
S3 LBTServ;Logitech Bluetooth Service; C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe [2009-02-19 121360]
S3 NBService;NBService; C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe [2006-12-05 774144]
S3 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe [2006-12-23 262144]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]

-----------------EOF-----------------


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:55:36 AM, on 12/19/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: C:\WINDOWS\system32\rige1.dll - {B1B220C1-A503-59BD-F413-02B53A2C8954} - C:\WINDOWS\system32\rige1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [uPc+MV0NcUMCxl] rundll32.exe C:\WINDOWS\system32\mz0x5q35.dll, SystemServer
O4 - HKLM\..\Run: [HNUkOXRoQ_c] C:\DOCUME~1\Gary\LOCALS~1\Temp\jf64r413f.exe
O4 - HKLM\..\Run: [MKcZ] C:\WINDOWS\mdm.exe
O4 - HKLM\..\Run: [HNUkOXRouqc] C:\DOCUME~1\Gary\LOCALS~1\Temp\iexplarer.exe
O4 - HKLM\..\Run: [MKfPc] C:\WINDOWS\win32.exe
O4 - HKLM\..\Run: [MKcuc] C:\WINDOWS\lsass.exe
O4 - HKLM\..\Run: [HNUkOXRssc] C:\DOCUME~1\Gary\LOCALS~1\Temp\winlogon.exe
O4 - HKLM\..\Run: [MKbuqc] C:\WINDOWS\iexplarer.exe
O4 - HKLM\..\Run: [MKZe] C:\WINDOWS\avp.exe
O4 - HKLM\..\Run: [HNUkOXRnZ] C:\DOCUME~1\Gary\LOCALS~1\Temp\cmd.exe
O4 - HKLM\..\Run: [HNUkOXRme] C:\DOCUME~1\Gary\LOCALS~1\Temp\avp.exe
O4 - HKLM\..\Run: [MKdw+] C:\WINDOWS\nvsvc32.exe
O4 - HKLM\..\Run: [MKexe] C:\WINDOWS\system.exe
O4 - HKLM\..\Run: [HNUkOXRpw+] C:\DOCUME~1\Gary\LOCALS~1\Temp\nvsvc32.exe
O4 - HKLM\..\Run: [MKfsc] C:\WINDOWS\winlogon.exe
O4 - HKCU\..\Run: [Hyututehobekeyoj] rundll32.exe "C:\WINDOWS\dfui20.dll",Startup
O4 - HKCU\..\Run: [cleansweep.exe] C:\cleansweep.exe\cleansweep.exe
O4 - HKCU\..\Run: [ijsqunoa] C:\DOCUME~1\Gary\LOCALS~1\Temp\hlduykvrs\gtdvogiaffm.exe
O4 - HKCU\..\Run: [uPc+MV0NcUMCxl] rundll32.exe C:\WINDOWS\system32\mz0x5q35.dll, SystemServer
O4 - HKCU\..\Run: [HNUkOXRoQ_c] C:\DOCUME~1\Gary\LOCALS~1\Temp\jf64r413f.exe
O4 - HKCU\..\Run: [MKcZ] C:\WINDOWS\mdm.exe
O4 - HKCU\..\Run: [HNUkOXRouqc] C:\DOCUME~1\Gary\LOCALS~1\Temp\iexplarer.exe
O4 - HKCU\..\Run: [MKfPc] C:\WINDOWS\win32.exe
O4 - HKCU\..\Run: [MKcuc] C:\WINDOWS\lsass.exe
O4 - HKCU\..\Run: [HNUkOXRssc] C:\DOCUME~1\Gary\LOCALS~1\Temp\winlogon.exe
O4 - HKCU\..\Run: [MKbuqc] C:\WINDOWS\iexplarer.exe
O4 - HKCU\..\Run: [MKZe] C:\WINDOWS\avp.exe
O4 - HKCU\..\Run: [HNUkOXRnZ] C:\DOCUME~1\Gary\LOCALS~1\Temp\cmd.exe
O4 - HKCU\..\Run: [HNUkOXRme] C:\DOCUME~1\Gary\LOCALS~1\Temp\avp.exe
O4 - HKCU\..\Run: [MKdw+] C:\WINDOWS\nvsvc32.exe
O4 - HKCU\..\Run: [MKexe] C:\WINDOWS\system.exe
O4 - HKCU\..\Run: [HNUkOXRpw+] C:\DOCUME~1\Gary\LOCALS~1\Temp\nvsvc32.exe
O4 - HKCU\..\Run: [MKfsc] C:\WINDOWS\winlogon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [JP595IR86O] C:\WINDOWS\TEMP\Kcl.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/DriverDow ... ab_nvd.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resourc ... oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 8211881000
O16 - DPF: {C237A80A-4C55-4C68-BAA9-CBE4408D12B2} (F-Secure Online Scanner 4.0 Launcher) - http://download.sp.f-secure.com/ols/f-s ... uncher.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{15621E4B-AB40-4D99-884E-FFEBD9CA1859}: NameServer = 8.8.8.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{650A012B-2D3E-40C7-978B-0F65BBEADA8A}: NameServer = 8.8.8.8
O17 - HKLM\System\CS1\Services\Tcpip\..\{15621E4B-AB40-4D99-884E-FFEBD9CA1859}: NameServer = 8.8.8.8
O18 - Protocol: gcf - {9875BFAF-B04D-445E-8A69-BE36838CDE3E} - C:\Program Files\Google\Chrome Frame\Application\7.0.517.44\npchrome_frame.dll (file missing)
O18 - Protocol: vsharechrome - {3F3A4B8A-86FC-43A4-BB00-6D7EBE9D4484} - (no file)
O20 - Winlogon Notify: !SASWinLogon - C:\WINDOWS\
O22 - SharedTaskScheduler: juaw98rajewifhausihuggdd - {B1B220C1-A503-59BD-F413-02B53A2C8954} - C:\WINDOWS\system32\rige1.dll
O23 - Service: Google Update Service (gupdate) (gupdate) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe (file missing)
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 7423 bytes
toshin9
Active Member
 
Posts: 7
Joined: December 16th, 2010, 6:04 am

Re: MS security essentials alert

Unread postby muppy03 » December 19th, 2010, 12:50 am

Your Computer is severely infected. The best advice I can give you is to do a complete nuke and pave. You say you have been fighting this for 20 days? Formatting and doing a fresh install would have cleared the problem in a matter of hours. As it stands it could well take another 20 days to clean and that only removes infected files and will not reverse all the system changes made. Are all your important files backed up?
User avatar
muppy03
MRU Emeritus
MRU Emeritus
 
Posts: 4782
Joined: December 4th, 2007, 5:30 am
Location: Australia

Re: MS security essentials alert

Unread postby toshin9 » December 19th, 2010, 2:46 am

Hi,
I realise i could have reformatted the system in a matter of hours rather than fight it for 20 days. In saying that, thats a pretty normal timeframe for people who post their issues on these kinds of forums anyway - they could have reformatted too.

As I said at the start of the thread, I was able to get the system to a point where i cannot notice any malware 'present' while using the PC. The worst part is that when i do reach this point, NONE of the tools (and i have basically run them all) seem to detect the presence of anything malicious on the system.
However, obviously there is some system file that is roothooked or something which manages to 'reinfect' me as soon as the system is connected to the internet.

I was hoping the 'almost clean' logs would have been able to tell someone more knowledgeable than myself, what last bit the scanners are missing.

Currently, I am cleaning the system in safe mode (and once done in normal mode) to get it back to the point i was at earlier.

Once this is done, I will back up everything in prep for a reformat.
However, I would still like to try and stop this malware, even using methods which may render the MBR/OS inoperable (it wont matter at this point). I guess its a good learning experience as I have never run across something this severe before.

While I dont expect you to waste time with this anymore, some tools/links or suggestions would be appreciated seeing as my system is now in a far worse state than at the start of the thread.

cheers.
toshin9
Active Member
 
Posts: 7
Joined: December 16th, 2010, 6:04 am

Re: MS security essentials alert

Unread postby muppy03 » December 19th, 2010, 4:51 am

While I dont expect you to waste time with this anymore, some tools/links or suggestions would be appreciated seeing as my system is now in a far worse state than at the start of the thread.


Please, information is never time wasted :) and I am not trying to abandon you.

I have been researching the logs you have presented and unfortunately it appears the worst news for you. What you have is a file infector virus which given time will infect every html and exe file on your computer, including system files. File infectors are notoriously difficult to remove, they are polymorphic and polyencrypted and it is practically impossible to remove them from your computer without causing more problems than we resolve.

There are quite a few proposed clean ups for this particular infection but in all honesty not one will be truly effective.

This virus is able to modify itself each and every time it runs. In addition, when it infects, sometimes it will destroy the file it tries to latch onto and for these reasons will never be truly cleaned.

I suggest you to start backup all of your valuable data/documents/pictures/movies/songs/etc..
Do NOT backup any applications/installers and Do NOT backup any .exe/.scr/.htm/.html/.xml/.zip/.rar files...
This because these files may be infected as well. If you back them up and replace them afterwards, it will infect your computer again.
User avatar
muppy03
MRU Emeritus
MRU Emeritus
 
Posts: 4782
Joined: December 4th, 2007, 5:30 am
Location: Australia

Re: MS security essentials alert

Unread postby toshin9 » December 19th, 2010, 5:11 am

Hmm, that definitely makes sense.

And reading this
http://www.windowsbbs.com/malware-virus ... grams.html
That seems to be exactly the problem i'm having.
I was unaware something this severe was possible via simple browser infection.

Better run scans on my laptop as i was moving files around between system.
toshin9
Active Member
 
Posts: 7
Joined: December 16th, 2010, 6:04 am

Re: MS security essentials alert

Unread postby muppy03 » December 19th, 2010, 5:19 am

toshin9 wrote:Hmm, that definitely makes sense.

And reading this
http://www.windowsbbs.com/malware-virus ... grams.html
That seems to be exactly the problem i'm having.
I was unaware something this severe was possible via simple browser infection.

Better run scans on my laptop as i was moving files around between system.


Yes, be wary of the USB you have been using and if you have put anything on the laptop from the pc , do not run it.

Sorry for being the bearer of bad news. :(
User avatar
muppy03
MRU Emeritus
MRU Emeritus
 
Posts: 4782
Joined: December 4th, 2007, 5:30 am
Location: Australia

Re: MS security essentials alert

Unread postby muppy03 » December 22nd, 2010, 8:23 am

This topic is now closed.


If you are satisfied with our assistance and wish to donate to help with the costs of this volunteer site, please read :
Donations For Malware Removal
User avatar
muppy03
MRU Emeritus
MRU Emeritus
 
Posts: 4782
Joined: December 4th, 2007, 5:30 am
Location: Australia
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 30 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware