TechSpot

Browser Redirects

Solved
By Llanonite
Oct 6, 2010
  1. Random redirects with Firefox. I've been fighting this one for some time. It seems to travel from PC to PC through my home network, at times disabling my routers.


  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Welcome to TechSpot! I'll help with the malware. I expected to see evidence of a DNS Changer infection from your description, but there isn't anything obvious. Have you recently done a reformat/reinstall? I don't get to say this very often, but there aren't many installed programs or running processes.

    Can you explain what you mean about disabling the router? If you do have malware in one system, your description indicates other systems on the network are also affected.

    There is evidence of a rootkit infection.
    Please paste the logs into the next reply. OK to use multiple posts if needed.

    Please download ComboFix from Here and save to your Desktop.

    [1]. Do NOT rename Combofix unless instructed.
    [2]. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
    [3]. Close any open browsers.
    [4]. Double click combofix.exe & follow the prompts to run.
    NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
    [5]. If Combofix asks you to install Recovery Console, please allow it.
    [6]. If Combofix asks you to update the program, always allow.
    Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    [7]. A report will be generated after the scan. Please paste the C:\ComboFix.txt in next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs when you're done with Combofix.
    ======================================
    Download the HijackThis Installer and save to the desktop:
    1. Double-click on HJTInstall.exe to run the program.
    2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
    3. Accept the license agreement by clicking the "I Accept" button.
    4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
    5. Click "Save log" to save the log file and then the log will open in notepad.
    6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

    Important!
    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.

    Stay off the network. The system will need to be cleaned individually. Don't use a flash drive while we're cleaning.
  3. Llanonite

    Llanonite TS Rookie Topic Starter

    When I say it seems to disable my routers I mean there have been times when I could not connect to the network without resetting my routers. I began to worry that the malware or trojan had somehow found a way into my routers. After an initial cleaning of my hard-wired PCs I flashed the BIOS to my routers and reconfigured them to get them going again. Today I started having issues with connecting my wireless access. I've had to reset my router twice already.


    ComboFix 10-10-05.06 - Debbie 10/06/2010 18:01:52.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.736 [GMT -4:00]
    Running from: c:\documents and settings\Debbie.DEBBIES\My Documents\Downloads\ComboFix.exe
    AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\program files\iWin Games\iWinGamesHookIE.dll

    Infected copy of c:\windows\system32\drivers\i8042prt.sys was found and disinfected
    Restored copy from - Kitty had a snack :p
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_IWINGAMESINSTALLER
    -------\Service_iWinGamesInstaller


    ((((((((((((((((((((((((( Files Created from 2010-09-06 to 2010-10-06 )))))))))))))))))))))))))))))))
    .

    2010-10-06 14:36 . 2010-10-06 14:36 -------- d-----w- c:\documents and settings\Debbie.DEBBIES\Application Data\Malwarebytes
    2010-10-06 14:35 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-10-06 14:35 . 2010-10-06 14:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-10-06 14:35 . 2010-10-06 14:35 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
    2010-10-06 14:35 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-10-06 14:35 . 2004-08-04 03:08 26496 -c--a-w- c:\windows\system32\dllcache\usbstor.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-10-06 22:05 . 2010-02-14 23:31 -------- d-----w- c:\program files\iWin Games
    2010-10-06 17:11 . 2010-06-28 14:39 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-09-07 15:12 . 2010-07-25 13:52 38848 ----a-w- c:\windows\avastSS.scr
    2010-09-07 15:11 . 2008-10-03 21:42 167592 ----a-w- c:\windows\system32\aswBoot.exe
    2010-09-07 14:52 . 2008-10-03 21:42 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-09-07 14:52 . 2008-10-03 22:08 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-09-07 14:47 . 2008-10-03 21:42 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-09-07 14:47 . 2008-10-03 21:42 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2010-09-07 14:47 . 2008-10-03 21:42 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2010-09-07 14:47 . 2008-10-03 22:08 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2010-09-07 14:46 . 2008-10-03 21:42 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2010-08-17 02:30 . 2010-07-15 01:39 -------- d-----w- c:\documents and settings\Debbie.DEBBIES\Application Data\Hoyle Puzzle and Board Games
    2010-08-16 15:24 . 2010-08-16 15:24 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\SOS
    2010-08-04 14:43 . 2010-08-04 14:43 4096 ----a-w- c:\windows\d3dx.dat
    2010-07-14 00:22 . 2010-07-14 00:22 271360 ----a-w- c:\windows\system32\drivers\atksgt.sys
    2010-07-14 00:22 . 2010-07-14 00:22 18048 ----a-w- c:\windows\system32\drivers\lirsgt.sys
    2010-07-11 04:37 . 2010-07-11 04:37 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2007-08-29 1347584]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-28 39408]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 135168]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-19 131072]
    "QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-12-06 202032]
    "SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-14 102400]
    "Mouse Suite 98 Daemon"="ICO.EXE" [2004-07-14 57344]
    "RTHDCPL"="RTHDCPL.EXE" [2008-01-29 16859648]
    "SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2007-01-30 638976]
    "Media Codec Update Service"="c:\program files\Essentials Codec Pack\update.exe" [2007-04-08 303104]
    "avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-09-07 2838912]

    c:\documents and settings\Debbie.DEBBIES\Start Menu\Programs\Startup\
    iWin Desktop Alerts.lnk - c:\documents and settings\All Users.WINDOWS\Application Data\iWin Games\DesktopAlerts\DesktopAlerts.exe [2010-2-15 108544]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\iWin Games\\iWinGames.exe"=
    "c:\\Program Files\\iWin Games\\WebUpdater.exe"=

    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [10/3/2008 6:08 PM 165584]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [10/3/2008 6:08 PM 17744]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/14/2010 7:10 PM 135664]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-10-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-14 23:10]

    2010-10-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-14 23:10]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://lubbockonline.com/
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
    FF - ProfilePath - c:\documents and settings\Debbie.DEBBIES\Application Data\Mozilla\Firefox\Profiles\eljfz2pb.default\
    FF - prefs.js: browser.startup.homepage - www.Lubbockonline.com
    FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-1417001333-854245398-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    "??"=hex:11,72,75,2a,ed,a4,68,1a,f8,f6,17,c3,8b,83,fa,1f,de,18,66,6a,36,e8,ad,
    fb,de,83,48,b4,3c,20,4c,06,c3,96,57,7b,b3,07,cb,05,36,90,46,09,7d,13,d4,9b,\
    "??"=hex:f6,f4,bc,0a,60,09,bc,89,a6,37,78,c5,dd,08,de,45

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Alwil Software\Avast5\AvastSvc.exe
    c:\windows\system32\ICO.EXE
    c:\windows\RTHDCPL.EXE
    c:\windows\system32\igfxsrvc.exe
    c:\program files\Synaptics\SynTP\SynTPEnh.exe
    c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
    .
    **************************************************************************
    .
    Completion time: 2010-10-06 18:11:43 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-10-06 22:11

    Pre-Run: 143,742,013,440 bytes free
    Post-Run: 143,711,916,032 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    - - End Of File - - BFF72FAF4AA9227CE6F1DADC140262D3

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 6:20:06 PM, on 10/6/2010
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
    C:\WINDOWS\system32\ICO.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
    C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
    C:\Program Files\AWS\WeatherBug\Weather.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Documents and Settings\All Users.WINDOWS\Application Data\iWin Games\DesktopAlerts\DesktopAlerts.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lubbockonline.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5612.1312\swg.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
    O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
    O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
    O4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\update.exe -silent
    O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
    O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - Startup: iWin Desktop Alerts.lnk = C:\Documents and Settings\All Users.WINDOWS\Application Data\iWin Games\DesktopAlerts\DesktopAlerts.exe
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

    --
    End of file - 4747 bytes
  4. Bobbye


    I noticed you have iWin Games. This is a well known source of adware, possibly other pests, especially the iWin site itself. Combofix has removed some entries. With your permission, I'd like to include all iWin Games entries in the script I am setting up for you to run through Combofix. This will remove iWin Games.

    While I am helping you, please stay out of the BIOS and the router until we find the cause. The router problem is most likely due to a setting or firmware, but if you keep resetting it, we won't be able to find the source of the problem. You may not be able to use the network while we try to ID the source. You have a rootkit.

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :filefind
      iastor.*
      i8042prt.*
      
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
  5. Llanonite


    SystemLook 04.09.10 by jpshortstuff
    Log created at 10:05 on 08/10/2010 by Debbie
    Administrator - Elevation successful

    ========== filefind ==========

    Searching for "iastor.*"
    C:\Program Files\Intel\Intel Matrix Storage Manager\Driver\iastor.cat --a---- 11694 bytes [14:41 09/02/2008] [03:32 18/10/2007] 648DC3401A410A1A15DB9AB5FD0D61A6
    C:\Program Files\Intel\Intel Matrix Storage Manager\Driver\iastor.inf --a---- 7676 bytes [14:41 09/02/2008] [03:38 30/09/2007] 7B045FDC2DE32615D924734BCDDEB3DE
    C:\Program Files\Intel\Intel Matrix Storage Manager\Driver\IaStor.sys --a---- 308248 bytes [14:41 09/02/2008] [05:03 30/09/2007] E5A0034847537EAEE3C00349D5C34C5F
    C:\Program Files\Intel\Intel Matrix Storage Manager\Driver64\iastor.cat --a---- 11694 bytes [14:41 09/02/2008] [03:32 18/10/2007] D381B5B3A6037096D6163A37AC1FAC93
    C:\Program Files\Intel\Intel Matrix Storage Manager\Driver64\iastor.inf --a---- 7676 bytes [14:41 09/02/2008] [03:38 30/09/2007] 7B045FDC2DE32615D924734BCDDEB3DE
    C:\Program Files\Intel\Intel Matrix Storage Manager\Driver64\IaStor.sys --a---- 384024 bytes [14:41 09/02/2008] [05:03 30/09/2007] 16A4671255CFB842225F0FDB6DBDB414
    C:\WINDOWS\NLDRV\001\iastor.cat --a---- 11128 bytes [18:46 08/02/2008] [18:46 08/02/2008] 13E7374A879A8EE74EEDB032118DE0D4
    C:\WINDOWS\NLDRV\001\iastor.inf --a---- 7676 bytes [18:46 08/02/2008] [18:46 08/02/2008] A3687F81896CD69048320583E2E70CBC
    C:\WINDOWS\NLDRV\001\iastor.PNF --a---- 13084 bytes [16:41 03/10/2008] [16:41 03/10/2008] 31ADF7E466E45DADF0A09D37198499F2
    C:\WINDOWS\NLDRV\001\iastor.sys --a---- 305176 bytes [18:46 08/02/2008] [18:46 08/02/2008] 2358C53F30CB9DCD1D3843C4E2F299B2
    C:\WINDOWS\system32\drivers\iaStor.sys --a---- 305176 bytes [18:46 08/02/2008] [18:46 08/02/2008] 2358C53F30CB9DCD1D3843C4E2F299B2

    Searching for "i8042prt.*"
    C:\cmdcons\I8042PRT.SY_ --a---- 26025 bytes [03:14 04/08/2004] [03:14 04/08/2004] 819D427AB9DBE6AC2960A585087CB766
    C:\WINDOWS\system32\dllcache\i8042prt.sys --a--c- 52736 bytes [11:00 04/08/2004] [03:14 04/08/2004] 5502B58EEF7486EE6F93F3F164DCB808
    C:\WINDOWS\system32\drivers\i8042prt.sys --a---- 52736 bytes [11:00 04/08/2004] [03:14 04/08/2004] 5502B58EEF7486EE6F93F3F164DCB808
    C:\WINDOWS\system32\ReinstallBackups\0042\DriverFiles\i386\i8042prt.sys --a---- 52736 bytes [21:14 03/10/2008] [11:00 04/08/2004] 5502B58EEF7486EE6F93F3F164DCB808
    C:\WINDOWS\system32\ReinstallBackups\0043\DriverFiles\i386\i8042prt.sys --a---- 52736 bytes [21:16 03/10/2008] [03:14 04/08/2004] 5502B58EEF7486EE6F93F3F164DCB808

    -= EOF =-
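The comparison being made on the SystemLook output above, checking whether each live driver's MD5 matches a pristine copy in dllcache, NLDRV or ReinstallBackups, as an added example that is neither part of this thread nor SystemLook's own code. The three backup locations are this example's assumption; the iastor/i8042prt lines are copied from the log, and the sampledrv.sys lines with placeholder hashes are constructed to show a mismatch.

```python
import re
from collections import defaultdict
from typing import NamedTuple


class FileEntry(NamedTuple):
    path: str
    size: int
    md5: str


# One SystemLook ':filefind' hit: <path> <attrs> <size> bytes [mtime] [ctime] <MD5>
HIT_RE = re.compile(
    r"^(?P<path>\S.*?)\s+(?P<attrs>[-a-z]{7})\s+(?P<size>\d+) bytes\s+"
    r"\[[^\]]*\]\s+\[[^\]]*\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)

# Where the live driver is loaded from, and where Windows keeps pristine copies.
# The backup-location list is this example's assumption, not part of SystemLook.
LIVE_DIR = "\\system32\\drivers\\"
BACKUP_DIRS = ("\\dllcache\\", "\\reinstallbackups\\", "\\nldrv\\")


def parse_filefind(log_text):
    """Group every hit line by lower-cased file name; headers and the EOF marker are skipped."""
    groups = defaultdict(list)
    for raw in log_text.splitlines():
        m = HIT_RE.match(raw.strip())
        if not m:
            continue
        path = m.group("path")
        name = path.rsplit("\\", 1)[-1].lower()
        groups[name].append(FileEntry(path, int(m.group("size")), m.group("md5").upper()))
    return dict(groups)


def check_drivers(groups):
    """For each .sys with a live copy under system32\\drivers, compare its MD5 with the
    copies found in the backup locations. Verdicts: matches_backup, mismatch, no_backup."""
    verdicts = {}
    for name, entries in groups.items():
        if not name.endswith(".sys"):
            continue  # .cat/.inf/.PNF/.SY_ (cabinet-compressed) are not comparable copies
        live = [e for e in entries if LIVE_DIR in e.path.lower()]
        if not live:
            continue
        backups = [e for e in entries if any(d in e.path.lower() for d in BACKUP_DIRS)]
        backup_md5s = sorted({e.md5 for e in backups})
        if not backups:
            verdict = "no_backup"
        elif live[0].md5 in backup_md5s:
            verdict = "matches_backup"
        else:
            verdict = "mismatch"
        verdicts[name] = {"verdict": verdict, "live_md5": live[0].md5, "backup_md5s": backup_md5s}
    return verdicts


# Sample log: iastor/i8042prt lines copied from the thread; sampledrv.sys lines are
# constructed (placeholder hashes) so that one driver shows a live/backup mismatch.
SAMPLE_LOG = r"""SystemLook 04.09.10 by jpshortstuff
========== filefind ==========

Searching for "iastor.*"
C:\Program Files\Intel\Intel Matrix Storage Manager\Driver\iastor.cat --a---- 11694 bytes [14:41 09/02/2008] [03:32 18/10/2007] 648DC3401A410A1A15DB9AB5FD0D61A6
C:\Program Files\Intel\Intel Matrix Storage Manager\Driver\IaStor.sys --a---- 308248 bytes [14:41 09/02/2008] [05:03 30/09/2007] E5A0034847537EAEE3C00349D5C34C5F
C:\WINDOWS\NLDRV\001\iastor.sys --a---- 305176 bytes [18:46 08/02/2008] [18:46 08/02/2008] 2358C53F30CB9DCD1D3843C4E2F299B2
C:\WINDOWS\system32\drivers\iaStor.sys --a---- 305176 bytes [18:46 08/02/2008] [18:46 08/02/2008] 2358C53F30CB9DCD1D3843C4E2F299B2

Searching for "i8042prt.*"
C:\cmdcons\I8042PRT.SY_ --a---- 26025 bytes [03:14 04/08/2004] [03:14 04/08/2004] 819D427AB9DBE6AC2960A585087CB766
C:\WINDOWS\system32\dllcache\i8042prt.sys --a--c- 52736 bytes [11:00 04/08/2004] [03:14 04/08/2004] 5502B58EEF7486EE6F93F3F164DCB808
C:\WINDOWS\system32\drivers\i8042prt.sys --a---- 52736 bytes [11:00 04/08/2004] [03:14 04/08/2004] 5502B58EEF7486EE6F93F3F164DCB808

Searching for "sampledrv.*"
C:\WINDOWS\system32\dllcache\sampledrv.sys --a--c- 4096 bytes [11:00 04/08/2004] [03:14 04/08/2004] 00000000000000000000000000000000
C:\WINDOWS\system32\drivers\sampledrv.sys --a---- 4608 bytes [09:12 05/10/2010] [03:14 04/08/2004] FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

-= EOF =-
"""


if __name__ == "__main__":
    for name, v in sorted(check_drivers(parse_filefind(SAMPLE_LOG)).items()):
        print(f"{name:14} {v['verdict']:15} live={v['live_md5']} backups={','.join(v['backup_md5s'])}")
```

A live driver whose hash matches no backup copy is not proof of infection on its own (a hotfix can legitimately update only the live copy), but it is the file to look at next.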
  6. Bobbye


    Okay, I'll set the script up. What about iWin games?
  7. Llanonite


    If iWin games are a threat then they should be removed.
  8. Bobbye


    I think you made a wise decision. I see a lot of logs with infections from iWin.

    Please run this Custom CFScript

    [1]. Close any open browsers.
    [2]. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    KillAll::
    File::
    c:\documents and settings\All Users.WINDOWS\Application Data\iWin Games\DesktopAlerts\DesktopAlerts.exe 
    Folder::
    c:\program files\iWin Games
    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\iWin Games\\iWinGames.exe"=-
    "c:\\Program Files\\iWin Games\\WebUpdater.exe"=-
    
    RegNull::
    [HKEY_USERS\S-1-5-21-1417001333-854245398-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    
    FCopy::
    C:\WINDOWS\NLDRV\001\iastor.sys | C:\WINDOWS\system32\drivers\iaStor.sys
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [image: CFScript.txt being dragged onto ComboFix.exe]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ===========================================
    Please reopen HijackThis to 'do system scan only.' Check each of the following, if present:
    C:\Documents and Settings\All Users.WINDOWS\Application Data\iWin Games\DesktopAlerts\DesktopAlerts.exe
    O4 - Startup: iWin Desktop Alerts.lnk = C:\Documents and Settings\All Users.WINDOWS\Application Data\iWin Games\DesktopAlerts\DesktopAlerts.exe


    Close all Windows except for HijackThis and click on "Fix Checked."
    =========================================
    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the ActiveX control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
  9. Llanonite


    ComboFix 10-10-05.06 - Debbie 10/08/2010 19:21:30.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.646 [GMT -4:00]
    Running from: c:\documents and settings\Debbie.DEBBIES\Desktop\Rootkit\ComboFix.exe
    Command switches used :: c:\documents and settings\Debbie.DEBBIES\Desktop\Rootkit\CFScript.txt
    AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

    FILE ::
    "c:\documents and settings\All Users.WINDOWS\Application Data\iWin Games\DesktopAlerts\DesktopAlerts.exe"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users.WINDOWS\Application Data\iWin Games\DesktopAlerts\DesktopAlerts.exe
    c:\program files\iWin Games
    c:\program files\iWin Games\AdminWorker.exe
    c:\program files\iWin Games\firefox\chrome\iwinarcade.jar
    c:\program files\iWin Games\firefox\install.rdf
    c:\program files\iWin Games\firefox\iWinArcadeLauncher.exe
    c:\program files\iWin Games\ftdownload.dat
    c:\program files\iWin Games\host.cfg
    c:\program files\iWin Games\iWinGames.exe
    c:\program files\iWin Games\iWinGamesInstaller.exe
    c:\program files\iWin Games\pages\alert32x32.gif
    c:\program files\iWin Games\pages\blank.html
    c:\program files\iWin Games\pages\blank2.html
    c:\program files\iWin Games\pages\error.html
    c:\program files\iWin Games\pages\iwin_logo.gif
    c:\program files\iWin Games\pages\login.html
    c:\program files\iWin Games\pages\maintenance.html
    c:\program files\iWin Games\pages\offline_tag.gif
    c:\program files\iWin Games\pages\offlineBg.gif
    c:\program files\iWin Games\sounds\animation.wav
    c:\program files\iWin Games\sounds\animationBack.wav
    c:\program files\iWin Games\sounds\button_click.wav
    c:\program files\iWin Games\sounds\download_completed.wav
    c:\program files\iWin Games\sounds\slidebackin.wav
    c:\program files\iWin Games\sounds\slideout.wav
    c:\program files\iWin Games\sounds\start.wav
    c:\program files\iWin Games\Uninstall.exe
    c:\program files\iWin Games\WebInstaller.exe
    c:\program files\iWin Games\WebUpdater.bmp
    c:\program files\iWin Games\WebUpdater.exe

    .
    --------------- FCopy ---------------

    c:\windows\NLDRV\001\iastor.sys --> c:\windows\system32\drivers\iaStor.sys
    .
    ((((((((((((((((((((((((( Files Created from 2010-09-08 to 2010-10-08 )))))))))))))))))))))))))))))))
    .

    2010-10-08 04:15 . 2010-10-08 23:19 -------- d--h--w- c:\windows\$hf_mig$
    2010-10-06 22:14 . 2010-10-06 22:14 388096 ----a-r- c:\documents and settings\Debbie.DEBBIES\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2010-10-06 22:14 . 2010-10-06 22:14 -------- d-----w- c:\program files\Trend Micro
    2010-10-06 14:36 . 2010-10-06 14:36 -------- d-----w- c:\documents and settings\Debbie.DEBBIES\Application Data\Malwarebytes
    2010-10-06 14:35 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-10-06 14:35 . 2010-10-06 14:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-10-06 14:35 . 2010-10-06 14:35 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
    2010-10-06 14:35 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-10-06 14:35 . 2004-08-04 03:08 26496 -c--a-w- c:\windows\system32\dllcache\usbstor.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-10-06 17:11 . 2010-06-28 14:39 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-09-07 15:12 . 2010-07-25 13:52 38848 ----a-w- c:\windows\avastSS.scr
    2010-09-07 15:11 . 2008-10-03 21:42 167592 ----a-w- c:\windows\system32\aswBoot.exe
    2010-09-07 14:52 . 2008-10-03 21:42 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-09-07 14:52 . 2008-10-03 22:08 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-09-07 14:47 . 2008-10-03 21:42 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-09-07 14:47 . 2008-10-03 21:42 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2010-09-07 14:47 . 2008-10-03 21:42 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2010-09-07 14:47 . 2008-10-03 22:08 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2010-09-07 14:46 . 2008-10-03 21:42 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2010-08-17 02:30 . 2010-07-15 01:39 -------- d-----w- c:\documents and settings\Debbie.DEBBIES\Application Data\Hoyle Puzzle and Board Games
    2010-08-16 15:24 . 2010-08-16 15:24 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\SOS
    2010-08-04 14:43 . 2010-08-04 14:43 4096 ----a-w- c:\windows\d3dx.dat
    2010-07-14 00:22 . 2010-07-14 00:22 271360 ----a-w- c:\windows\system32\drivers\atksgt.sys
    2010-07-14 00:22 . 2010-07-14 00:22 18048 ----a-w- c:\windows\system32\drivers\lirsgt.sys
    2010-07-11 04:37 . 2010-07-11 04:37 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
    .

    ------- Sigcheck -------

    [-] 2008-02-08 . 9F960FAC5166F8626B9CDE4DD9A0EB84 . 1580544 . . [5.1.2600.2180] . . c:\windows\system32\sfcfiles.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2007-08-29 1347584]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-28 39408]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 135168]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-19 131072]
    "QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-12-06 202032]
    "SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-14 102400]
    "Mouse Suite 98 Daemon"="ICO.EXE" [2004-07-14 57344]
    "RTHDCPL"="RTHDCPL.EXE" [2008-01-29 16859648]
    "SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2007-01-30 638976]
    "Media Codec Update Service"="c:\program files\Essentials Codec Pack\update.exe" [2007-04-08 303104]
    "avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-09-07 2838912]

    c:\documents and settings\Debbie.DEBBIES\Start Menu\Programs\Startup\
    iWin Desktop Alerts.lnk - c:\qoobox\Quarantine\C\Documents and Settings\All Users.WINDOWS\Application Data\iWin Games\DesktopAlerts\DesktopAlerts.exe.vir [2010-2-15 108544]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=

    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [10/3/2008 6:08 PM 165584]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [10/3/2008 6:08 PM 17744]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/14/2010 7:10 PM 135664]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-10-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-14 23:10]

    2010-10-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-14 23:10]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://lubbockonline.com/
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
    FF - ProfilePath - c:\documents and settings\Debbie.DEBBIES\Application Data\Mozilla\Firefox\Profiles\eljfz2pb.default\
    FF - prefs.js: browser.startup.homepage - www.Lubbockonline.com
    FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .
    - - - - ORPHANS REMOVED - - - -

    AddRemove-iWinArcade - c:\program files\iWin Games\Uninstall.exe


    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Alwil Software\Avast5\AvastSvc.exe
    c:\windows\system32\ICO.EXE
    c:\windows\RTHDCPL.EXE
    c:\windows\system32\igfxsrvc.exe
    c:\program files\Synaptics\SynTP\SynTPEnh.exe
    c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
    .
    **************************************************************************
    .
    Completion time: 2010-10-08 19:32:47 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-10-08 23:32
    ComboFix2.txt 2010-10-06 22:11

    Pre-Run: 143,174,934,528 bytes free
    Post-Run: 143,193,456,640 bytes free

    - - End Of File - - 0CAAD255C44789F21F79ADD9636BD498

    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=7
    # iexplore.exe=6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=9896da504e4cd74081fa34bed2e9c2cd
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=false
    # utc_time=2010-10-09 12:32:09
    # local_time=2010-10-08 08:32:09 (-0500, Eastern Standard Time)
    # country="United States"
    # lang=9
    # osver=5.1.2600 NT Service Pack 2
    # compatibility_mode=512 16777215 100 0 92768 92768 0 0
    # compatibility_mode=768 16777215 100 0 20310666 20310666 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=42728
    # found=1
    # cleaned=0
    # scan_time=1913
    C:\System Volume Information\_restore{9DCB3FC2-22A2-45D5-902C-194EE2D29A79}\RP135\A0019645.sys Win32/Olmarik.ZC trojan 586180CB7BBB83D9F57EFF015802F321 I
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Okay, got many iWin entries off. But there is one you will need to handle manually. I've not seen a ComboFix log continue to show a file loading when it's in the Qoobox, which is where ComboFix sends the quarantined files. But here is one:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    c:\documents and settings\Debbie.DEBBIES\Start Menu\Programs\Startup\
    iWin Desktop Alerts.lnk - c:\qoobox\Quarantine\C\Documents and Settings\All Users.WINDOWS\Application Data\iWin Games\DesktopAlerts\DesktopAlerts.exe.vir [2010-2-15 108544]


    You will need to display hidden files and folders. Using Windows Explorer (Windows key + E):
    • Click on Tools> Folder Options> View tab>
    • Check 'Show hidden files and folders'>
    • Uncheck 'Hide protected operating system files (Recommended)'>
    • Click on My Computer> Local Drive> Documents and Settings> All Users>
    • Application Data> right click> Delete on any iWin files or folders to remove them>
    • Click on Apply> OK when finished.
    Now go back and re-hide the files and folders, then close Windows Explorer.
    ==================================
    Please run this Custom CFScript

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    File::
    RegLock::
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServ
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\Proxy
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [image: CFScript.txt being dragged onto ComboFix.exe]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt. Please paste it into your next reply.
    ====================
    Has the redirect been resolved? Any other related problems? Please rescan with HijackThis to make sure nothing has gotten by. If there are no more problems and the logs are okay, I'll have you remove the cleaning tools.
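The check the helper did by eye above (a Startup shortcut still pointing at a file ComboFix had already moved into c:\qoobox\Quarantine with a .vir suffix) can be scripted over the "Reg Loading Points" section of a ComboFix log. The following is an added example for this thread, not code from TechSpot, ComboFix or the poster: it parses the Run-key and Startup-folder lines in ComboFix's format and flags two things, a target that lives in the quarantine directory or ends in .vir (the file is no longer where the loading point expects it, and the stale autostart should be removed by hand), and a Run value given as a bare file name with no directory (Windows resolves such a value through the search path, so it is worth confirming which file actually runs; in this log the process list shows ICO.EXE and RTHDCPL.EXE resolving to their normal locations under c:\windows, so the flag is a prompt to verify, not a verdict). The sample lines are copied from the log posted earlier in the thread; the flag names, the quarantine path constant and the regular expressions are this example's own assumptions.

```python
"""Triage of ComboFix 'Reg Loading Points' lines (added example, not thread code).

Flags:
  points-into-quarantine  target sits under c:\\qoobox\\Quarantine or ends in .vir
  unqualified-path        Run value is a bare file name, resolved via the search path
"""
import re
from dataclasses import dataclass
from typing import List

# ComboFix moves quarantined files here and appends ".vir" (assumed constant).
QUARANTINE_DIR = r"c:\qoobox\quarantine"

# "Name"="c:\path\prog.exe" [2007-08-29 1347584]   (registry Run values)
REG_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)"\s*\[(?P<date>[\d-]+)\s+(?P<size>\d+)\]')
# Something.lnk - c:\path\prog.exe [2010-2-15 108544]   (Startup folder shortcuts)
LNK_RE = re.compile(
    r'^(?P<name>.+?\.lnk)\s+-\s+(?P<target>.+?)\s*\[(?P<date>[\d-]+)\s+(?P<size>\d+)\]')

# Lines copied from the ComboFix log posted above in this thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2007-08-29 1347584]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-28 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 135168]
"Mouse Suite 98 Daemon"="ICO.EXE" [2004-07-14 57344]
"RTHDCPL"="RTHDCPL.EXE" [2008-01-29 16859648]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-09-07 2838912]

c:\documents and settings\Debbie.DEBBIES\Start Menu\Programs\Startup\
iWin Desktop Alerts.lnk - c:\qoobox\Quarantine\C\Documents and Settings\All Users.WINDOWS\Application Data\iWin Games\DesktopAlerts\DesktopAlerts.exe.vir [2010-2-15 108544]
"""


@dataclass
class LoadPoint:
    hive: str        # registry key or Startup folder the entry was listed under
    name: str        # value name or shortcut file name
    target: str      # what the loading point executes
    flags: List[str]


def flag_target(target: str) -> List[str]:
    """Heuristic flags for one autostart target (see module docstring)."""
    t = target.lower()
    flags = []
    if t.startswith(QUARANTINE_DIR) or t.endswith(".vir"):
        flags.append("points-into-quarantine")
    if "\\" not in t and ":" not in t:
        flags.append("unqualified-path")
    return flags


def parse_loading_points(text: str) -> List[LoadPoint]:
    """Walk ComboFix loading-point lines, tracking the current key/folder header."""
    hive = ""
    points: List[LoadPoint] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):   # registry key header
            hive = line[1:-1]
            continue
        if line.lower().endswith("\\startup\\"):          # Startup folder header
            hive = line
            continue
        m = REG_RE.match(line) or LNK_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        points.append(LoadPoint(hive, m.group("name"), target, flag_target(target)))
    return points


def flagged(points: List[LoadPoint], flag: str) -> List[str]:
    """Names of loading points carrying a given flag, in log order."""
    return [p.name for p in points if flag in p.flags]


if __name__ == "__main__":
    pts = parse_loading_points(SAMPLE_LOG)
    for p in pts:
        if p.flags:
            print(f"{', '.join(p.flags):24} {p.name}  ->  {p.target}  [{p.hive}]")
```

Run against the excerpt, the script reports the iWin shortcut as the one loading point that references quarantine, which is exactly the entry the helper asks the poster to delete by hand, and lists the two bare-name Run values for confirmation against the "Other Running Processes" section.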
  11. Llanonite

    Llanonite TS Rookie Topic Starter

    ComboFix 10-10-05.06 - Debbie 10/09/2010 11:52:12.3.2 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.634 [GMT -4:00]
    Running from: c:\documents and settings\Debbie.DEBBIES\Desktop\Rootkit\ComboFix.exe
    Command switches used :: c:\documents and settings\Debbie.DEBBIES\Desktop\Rootkit\cfscript.txt
    AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .

    ((((((((((((((((((((((((( Files Created from 2010-09-09 to 2010-10-09 )))))))))))))))))))))))))))))))
    .

    2010-10-09 01:15 . 2010-10-09 01:15 -------- d-----w- c:\windows\system32\KB905474
    2010-10-09 01:10 . 2004-08-04 04:56 21504 ----a-w- c:\windows\system32\drivers\hidserv.dll
    2010-10-09 01:08 . 2010-10-09 01:08 -------- d-----w- c:\windows\ServicePackFiles
    2010-10-08 23:52 . 2010-10-08 23:52 -------- d-----w- c:\program files\ESET
    2010-10-08 23:42 . 2010-10-09 00:06 -------- d-----w- c:\windows\system32\CatRoot_bak
    2010-10-08 23:37 . 2008-06-13 13:10 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
    2010-10-08 23:37 . 2008-06-13 13:10 272128 ------w- c:\windows\system32\drivers\bthport.sys
    2010-10-08 23:19 . 2010-02-24 12:31 454016 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
    2010-10-08 23:19 . 2010-02-16 13:19 2181376 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
    2010-10-08 23:19 . 2010-02-16 13:17 2137088 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
    2010-10-08 23:19 . 2010-02-16 12:39 2016768 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
    2010-10-08 23:19 . 2010-02-16 12:39 2058368 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
    2010-10-08 04:15 . 2010-10-09 01:16 -------- d--h--w- c:\windows\$hf_mig$
    2010-10-06 22:14 . 2010-10-06 22:14 388096 ----a-r- c:\documents and settings\Debbie.DEBBIES\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2010-10-06 22:14 . 2010-10-06 22:14 -------- d-----w- c:\program files\Trend Micro
    2010-10-06 14:36 . 2010-10-06 14:36 -------- d-----w- c:\documents and settings\Debbie.DEBBIES\Application Data\Malwarebytes
    2010-10-06 14:35 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-10-06 14:35 . 2010-10-06 14:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-10-06 14:35 . 2010-10-06 14:35 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
    2010-10-06 14:35 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-10-06 14:35 . 2004-08-04 03:08 26496 -c--a-w- c:\windows\system32\dllcache\usbstor.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-10-09 01:10 . 2010-10-09 01:10 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
    2010-10-06 17:11 . 2010-06-28 14:39 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-09-07 15:12 . 2010-07-25 13:52 38848 ----a-w- c:\windows\avastSS.scr
    2010-09-07 15:11 . 2008-10-03 21:42 167592 ----a-w- c:\windows\system32\aswBoot.exe
    2010-09-07 14:52 . 2008-10-03 21:42 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-09-07 14:52 . 2008-10-03 22:08 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-09-07 14:47 . 2008-10-03 21:42 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-09-07 14:47 . 2008-10-03 21:42 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2010-09-07 14:47 . 2008-10-03 21:42 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2010-09-07 14:47 . 2008-10-03 22:08 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2010-09-07 14:46 . 2008-10-03 21:42 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2010-08-17 02:30 . 2010-07-15 01:39 -------- d-----w- c:\documents and settings\Debbie.DEBBIES\Application Data\Hoyle Puzzle and Board Games
    2010-08-16 15:24 . 2010-08-16 15:24 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\SOS
    2010-08-04 14:43 . 2010-08-04 14:43 4096 ----a-w- c:\windows\d3dx.dat
    2010-07-14 00:22 . 2010-07-14 00:22 271360 ----a-w- c:\windows\system32\drivers\atksgt.sys
    2010-07-14 00:22 . 2010-07-14 00:22 18048 ----a-w- c:\windows\system32\drivers\lirsgt.sys
    .

    ------- Sigcheck -------

    [-] 2008-04-14 . 9DD07AF82244867CA36681EA2D29CE79 . 1614848 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\sfcfiles.dll
    [-] 2008-02-08 . 9F960FAC5166F8626B9CDE4DD9A0EB84 . 1580544 . . [5.1.2600.2180] . . c:\windows\system32\sfcfiles.dll
    .
    ((((((((((((((((((((((((((((( SnapShot@2010-10-06_22.08.26 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-08-06 23:24 . 2009-08-06 23:24 44768 c:\windows\system32\wups2.dll
    + 2008-10-03 20:48 . 2009-08-06 23:24 35552 c:\windows\system32\wups.dll
    + 2008-10-03 20:48 . 2009-08-06 23:24 53472 c:\windows\system32\wuauclt.exe
    + 2004-08-04 11:00 . 2009-06-25 08:44 59392 c:\windows\system32\wdigest.dll
    + 2010-10-08 14:09 . 2010-04-21 13:28 46080 c:\windows\system32\tzchange.exe
    + 2004-08-04 11:00 . 2009-06-12 11:50 80896 c:\windows\system32\tlntsess.exe
    + 2004-08-04 11:00 . 2009-06-12 11:50 76288 c:\windows\system32\telnet.exe
    + 2008-10-03 21:11 . 2008-07-09 07:38 26488 c:\windows\system32\spupdsvc.exe
    + 2008-10-03 21:14 . 2009-05-26 11:40 17272 c:\windows\system32\spmsg.dll
    + 2010-10-08 00:43 . 2009-08-06 23:24 35552 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.4.7600.226\wups.dll
    + 2004-08-04 11:00 . 2009-06-25 08:44 56320 c:\windows\system32\secur32.dll
    + 2004-08-04 11:00 . 2009-02-06 16:54 35328 c:\windows\system32\sc.exe
    + 2010-10-09 01:10 . 2004-08-04 04:56 21504 c:\windows\system32\ReinstallBackups\0044\DriverFiles\i386\hidserv.dll
    - 2004-08-04 11:00 . 2004-08-04 11:00 69632 c:\windows\system32\raschap.dll
    + 2004-08-04 11:00 . 2009-10-12 13:54 69632 c:\windows\system32\raschap.dll
    - 2004-08-04 11:00 . 2004-08-04 11:00 39424 c:\windows\system32\pngfilt.dll
    + 2004-08-04 11:00 . 2010-04-16 15:36 39424 c:\windows\system32\pngfilt.dll
    - 2004-08-04 11:00 . 2010-05-08 17:32 53166 c:\windows\system32\perfc009.dat
    + 2004-08-04 11:00 . 2010-10-09 01:24 53166 c:\windows\system32\perfc009.dat
    + 2008-10-03 20:46 . 2008-06-12 14:16 91648 c:\windows\system32\mtxoci.dll
    + 2004-08-04 11:00 . 2008-06-12 14:16 66560 c:\windows\system32\mtxclu.dll
    - 2004-08-04 11:00 . 2004-08-04 11:00 66560 c:\windows\system32\mtxclu.dll
    + 2004-08-04 00:56 . 2009-11-27 17:33 17920 c:\windows\system32\msyuv.dll
    + 2004-08-04 11:00 . 2009-11-27 16:37 28672 c:\windows\system32\msvidc32.dll
    - 2004-08-04 11:00 . 2004-08-04 11:00 11264 c:\windows\system32\msrle32.dll
    + 2004-08-04 11:00 . 2009-11-27 16:37 11264 c:\windows\system32\msrle32.dll
    + 2004-08-04 11:00 . 2005-05-04 18:45 15360 c:\windows\system32\msisip.dll
    + 2004-08-04 11:00 . 2005-05-04 18:45 78848 c:\windows\system32\msiexec.exe
    - 2008-10-03 20:46 . 2004-08-04 11:00 58880 c:\windows\system32\msdtclog.dll
    + 2008-10-03 20:46 . 2008-06-12 14:16 58880 c:\windows\system32\msdtclog.dll
    - 2003-02-20 23:43 . 2003-02-20 23:43 16896 c:\windows\system32\mscorier.dll
    + 2004-07-15 03:34 . 2004-07-15 03:34 16896 c:\windows\system32\mscorier.dll
    + 2004-08-04 11:00 . 2008-06-24 16:23 74240 c:\windows\system32\mscms.dll
    + 2004-08-04 11:00 . 2009-09-04 20:45 58880 c:\windows\system32\msasn1.dll
    + 2004-08-04 11:00 . 2009-06-25 18:36 48640 c:\windows\system32\mqupgrd.dll
    - 2004-08-04 11:00 . 2004-08-04 11:00 48640 c:\windows\system32\mqupgrd.dll
    + 2004-08-04 11:00 . 2009-06-25 18:36 95744 c:\windows\system32\mqsec.dll
    - 2004-08-04 11:00 . 2004-08-04 11:00 95744 c:\windows\system32\mqsec.dll
    + 2004-08-04 11:00 . 2009-06-25 18:36 16896 c:\windows\system32\mqise.dll
    - 2004-08-04 11:00 . 2004-08-04 11:00 16896 c:\windows\system32\mqise.dll
    + 2004-08-04 11:00 . 2009-06-25 18:36 47104 c:\windows\system32\mqdscli.dll
    - 2004-08-04 11:00 . 2004-08-04 11:00 47104 c:\windows\system32\mqdscli.dll
    - 2004-08-04 11:00 . 2004-08-04 11:00 19968 c:\windows\system32\mqbkup.exe
    + 2004-08-04 11:00 . 2009-06-22 11:49 19968 c:\windows\system32\mqbkup.exe
    + 2004-08-04 11:00 . 2010-04-16 15:36 16384 c:\windows\system32\jsproxy.dll
    + 2004-08-04 00:56 . 2009-11-27 16:37 48128 c:\windows\system32\iyuv_32.dll
    - 2004-08-04 11:00 . 2004-08-04 11:00 96256 c:\windows\system32\inseng.dll
    + 2004-08-04 11:00 . 2010-04-16 15:36 96256 c:\windows\system32\inseng.dll
    - 2004-08-04 11:00 . 2004-08-04 11:00 81920 c:\windows\system32\ieencode.dll
    + 2004-08-04 11:00 . 2010-04-16 15:36 81920 c:\windows\system32\ieencode.dll
    + 2004-08-04 11:00 . 2009-10-15 17:21 82432 c:\windows\system32\fontsub.dll
    + 2008-10-03 16:38 . 2010-10-09 01:19 90296 c:\windows\system32\FNTCACHE.DAT
    - 2008-10-03 16:38 . 2008-10-03 20:55 90296 c:\windows\system32\FNTCACHE.DAT
    - 2004-08-04 11:00 . 2004-08-04 11:00 55808 c:\windows\system32\extmgr.dll
    + 2004-08-04 11:00 . 2010-04-16 15:36 55808 c:\windows\system32\extmgr.dll
    + 2009-05-09 05:14 . 2009-05-09 05:14 14736 c:\windows\system32\drivers\nuidfltr.sys
    + 2004-08-04 11:00 . 2009-06-22 11:48 91776 c:\windows\system32\drivers\mqac.sys
    + 2004-08-04 11:00 . 2009-06-22 11:34 92544 c:\windows\system32\drivers\ksecdd.sys
    + 2008-10-03 20:48 . 2009-08-06 23:24 35552 c:\windows\system32\dllcache\wups.dll
    + 2008-10-03 20:48 . 2009-08-06 23:24 53472 c:\windows\system32\dllcache\wuauclt.exe
    + 2004-08-04 11:00 . 2009-06-25 08:44 59392 c:\windows\system32\dllcache\wdigest.dll
    + 2004-08-04 11:00 . 2009-06-12 11:50 80896 c:\windows\system32\dllcache\tlntsess.exe
    + 2004-08-04 11:00 . 2009-06-12 11:50 76288 c:\windows\system32\dllcache\telnet.exe
    + 2004-08-04 11:00 . 2009-06-25 08:44 56320 c:\windows\system32\dllcache\secur32.dll
    + 2004-08-04 11:00 . 2009-02-06 16:54 35328 c:\windows\system32\dllcache\sc.exe
    - 2004-08-04 11:00 . 2004-08-04 11:00 69632 c:\windows\system32\dllcache\raschap.dll
    + 2004-08-04 11:00 . 2009-10-12 13:54 69632 c:\windows\system32\dllcache\raschap.dll
    + 2004-08-04 11:00 . 2010-04-16 15:36 39424 c:\windows\system32\dllcache\pngfilt.dll
    - 2004-08-04 11:00 . 2004-08-04 11:00 39424 c:\windows\system32\dllcache\pngfilt.dll
    + 2008-10-03 20:46 . 2008-06-12 14:16 91648 c:\windows\system32\dllcache\mtxoci.dll
    - 2004-08-04 11:00 . 2004-08-04 11:00 66560 c:\windows\system32\dllcache\mtxclu.dll
    + 2004-08-04 11:00 . 2008-06-12 14:16 66560 c:\windows\system32\dllcache\mtxclu.dll
    + 2009-11-27 17:33 . 2009-11-27 17:33 17920 c:\windows\system32\dllcache\msyuv.dll
    + 2004-08-04 11:00 . 2009-11-27 16:37 28672 c:\windows\system32\dllcache\msvidc32.dll
    - 2004-08-04 11:00 . 2004-08-04 11:00 11264 c:\windows\system32\dllcache\msrle32.dll
    + 2004-08-04 11:00 . 2009-11-27 16:37 11264 c:\windows\system32\dllcache\msrle32.dll
    + 2004-08-04 11:00 . 2005-05-04 18:45 15360 c:\windows\system32\dllcache\msisip.dll
    + 2004-08-04 11:00 . 2005-05-04 18:45 78848 c:\windows\system32\dllcache\msiexec.exe
    + 2008-10-03 20:46 . 2008-06-12 14:16 58880 c:\windows\system32\dllcache\msdtclog.dll
    - 2008-10-03 20:46 . 2004-08-04 11:00 58880 c:\windows\system32\dllcache\msdtclog.dll
    + 2004-08-04 11:00 . 2008-06-24 16:23 74240 c:\windows\system32\dllcache\mscms.dll
    + 2004-08-04 11:00 . 2009-09-04 20:45 58880 c:\windows\system32\dllcache\msasn1.dll
    + 2004-08-04 11:00 . 2009-06-25 18:36 48640 c:\windows\system32\dllcache\mqupgrd.dll
    - 2004-08-04 11:00 . 2004-08-04 11:00 48640 c:\windows\system32\dllcache\mqupgrd.dll
    - 2004-08-04 11:00 . 2004-08-04 11:00 95744 c:\windows\system32\dllcache\mqsec.dll
    + 2004-08-04 11:00 . 2009-06-25 18:36 95744 c:\windows\system32\dllcache\mqsec.dll
    - 2004-08-04 11:00 . 2004-08-04 11:00 16896 c:\windows\system32\dllcache\mqise.dll
    + 2004-08-04 11:00 . 2009-06-25 18:36 16896 c:\windows\system32\dllcache\mqise.dll
    + 2004-08-04 11:00 . 2009-06-25 18:36 47104 c:\windows\system32\dllcache\mqdscli.dll
    - 2004-08-04 11:00 . 2004-08-04 11:00 47104 c:\windows\system32\dllcache\mqdscli.dll
    + 2004-08-04 11:00 . 2009-06-22 11:49 19968 c:\windows\system32\dllcache\mqbkup.exe
    - 2004-08-04 11:00 . 2004-08-04 11:00 19968 c:\windows\system32\dllcache\mqbkup.exe
    + 2004-08-04 11:00 . 2009-06-22 11:48 91776 c:\windows\system32\dllcache\mqac.sys
    + 2004-08-04 11:00 . 2009-06-22 11:34 92544 c:\windows\system32\dllcache\ksecdd.sys
    + 2004-08-04 11:00 . 2010-04-16 15:36 16384 c:\windows\system32\dllcache\jsproxy.dll
    + 2009-11-27 16:37 . 2009-11-27 16:37 48128 c:\windows\system32\dllcache\iyuv_32.dll
    - 2004-08-04 11:00 . 2004-08-04 11:00 96256 c:\windows\system32\dllcache\inseng.dll
    + 2004-08-04 11:00 . 2010-04-16 15:36 96256 c:\windows\system32\dllcache\inseng.dll
    + 2004-08-04 11:00 . 2010-04-16 15:36 81920 c:\windows\system32\dllcache\ieencode.dll
    - 2004-08-04 11:00 . 2004-08-04 11:00 81920 c:\windows\system32\dllcache\ieencode.dll
    + 2008-02-09 13:50 . 2010-04-16 13:36 18432 c:\windows\system32\dllcache\iedw.exe
    - 2008-02-09 13:50 . 2004-08-04 11:00 18432 c:\windows\system32\dllcache\iedw.exe
    + 2004-08-04 11:00 . 2009-10-15 17:21 82432 c:\windows\system32\dllcache\fontsub.dll
    - 2004-08-04 11:00 . 2004-08-04 11:00 55808 c:\windows\system32\dllcache\extmgr.dll
    + 2004-08-04 11:00 . 2010-04-16 15:36 55808 c:\windows\system32\dllcache\extmgr.dll
    + 2004-08-04 11:00 . 2009-12-14 07:35 33280 c:\windows\system32\dllcache\csrsrv.dll
    + 2008-10-03 20:46 . 2005-07-26 04:39 60416 c:\windows\system32\dllcache\colbact.dll
    + 2004-08-04 11:00 . 2009-08-06 23:24 96480 c:\windows\system32\dllcache\cdm.dll
    + 2004-08-04 11:00 . 2010-01-13 14:10 85504 c:\windows\system32\dllcache\cabview.dll
    + 2004-08-04 11:00 . 2009-11-27 16:37 84992 c:\windows\system32\dllcache\avifil32.dll
    - 2004-08-04 11:00 . 2004-08-04 11:00 84992 c:\windows\system32\dllcache\avifil32.dll
    - 2004-08-04 11:00 . 2004-08-04 11:00 58880 c:\windows\system32\dllcache\atl.dll
    + 2004-08-04 11:00 . 2009-07-17 18:55 58880 c:\windows\system32\dllcache\atl.dll
    + 2004-08-04 11:00 . 2010-03-05 14:57 65536 c:\windows\system32\dllcache\asycfilt.dll
    + 2004-08-04 11:00 . 2009-12-14 07:35 33280 c:\windows\system32\csrsrv.dll
    + 2008-10-03 20:46 . 2005-07-26 04:39 60416 c:\windows\system32\colbact.dll
    + 2004-08-04 11:00 . 2009-08-06 23:24 96480 c:\windows\system32\cdm.dll
    + 2004-08-04 11:00 . 2010-01-13 14:10 85504 c:\windows\system32\cabview.dll
    + 2004-08-04 11:00 . 2009-11-27 16:37 84992 c:\windows\system32\avifil32.dll
    - 2004-08-04 11:00 . 2004-08-04 11:00 84992 c:\windows\system32\avifil32.dll
    + 2004-08-04 11:00 . 2009-07-17 18:55 58880 c:\windows\system32\atl.dll
    - 2004-08-04 11:00 . 2004-08-04 11:00 58880 c:\windows\system32\atl.dll
    + 2004-08-04 11:00 . 2010-03-05 14:57 65536 c:\windows\system32\asycfilt.dll
    - 2003-02-21 01:10 . 2003-02-21 01:10 31744 c:\windows\Microsoft.NET\Framework\v1.1.4322\WMINet_Utils.dll
    + 2004-07-15 06:11 . 2004-07-15 06:11 31744 c:\windows\Microsoft.NET\Framework\v1.1.4322\WMINet_Utils.dll
    + 2004-06-22 17:51 . 2004-06-22 17:51 53248 c:\windows\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe
    + 2004-07-15 18:28 . 2004-07-15 18:28 57344 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Web.RegularExpressions.dll
    - 2003-02-21 12:24 . 2003-02-21 12:24 57344 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Web.RegularExpressions.dll
    - 2003-02-21 12:26 . 2003-02-21 12:26 77824 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Security.dll
    + 2004-07-15 18:28 . 2004-07-15 18:28 77824 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Security.dll
    + 2004-07-15 04:35 . 2004-07-15 04:35 66560 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.EnterpriseServices.Thunk.dll
    + 2004-07-15 18:28 . 2004-07-15 18:28 90112 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.DirectoryServices.dll
    - 2003-02-21 12:26 . 2003-02-21 12:26 32768 c:\windows\Microsoft.NET\Framework\v1.1.4322\RegCode.dll
    + 2004-07-15 18:28 . 2004-07-15 18:28 32768 c:\windows\Microsoft.NET\Framework\v1.1.4322\RegCode.dll
    + 2004-07-15 04:34 . 2004-07-15 04:34 94208 c:\windows\Microsoft.NET\Framework\v1.1.4322\PerfCounter.dll
    + 2004-07-15 04:33 . 2004-07-15 04:33 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsec.dll
    - 2003-02-21 00:09 . 2003-02-21 00:09 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsec.dll
    + 2004-07-15 04:32 . 2004-07-15 04:32 86016 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscordbc.dll
    + 2004-07-15 18:28 . 2004-07-15 18:28 49152 c:\windows\Microsoft.NET\Framework\v1.1.4322\MigPolWin.exe
    - 2003-02-21 12:25 . 2003-02-21 12:25 49152 c:\windows\Microsoft.NET\Framework\v1.1.4322\MigPolWin.exe
    - 2003-02-21 12:25 . 2003-02-21 12:25 49152 c:\windows\Microsoft.NET\Framework\v1.1.4322\MigPol.exe
    + 2004-07-15 18:28 . 2004-07-15 18:28 49152 c:\windows\Microsoft.NET\Framework\v1.1.4322\MigPol.exe
    + 2004-07-15 18:31 . 2004-07-15 18:31 32768 c:\windows\Microsoft.NET\Framework\v1.1.4322\IEHost.dll
    - 2003-02-21 12:24 . 2003-02-21 12:24 32768 c:\windows\Microsoft.NET\Framework\v1.1.4322\IEHost.dll
    + 2003-10-08 18:30 . 2003-10-08 18:30 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\gacutil.exe
    - 2003-02-21 15:20 . 2003-02-21 15:20 49152 c:\windows\Microsoft.NET\Framework\v1.1.4322\csc.exe
    + 2004-07-15 15:23 . 2004-07-15 15:23 49152 c:\windows\Microsoft.NET\Framework\v1.1.4322\csc.exe
     
  12. Llanonite

    Llanonite TS Rookie Topic Starter

    + 2004-07-15 04:32 . 2004-07-15 04:32 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\CORPerfMonExt.dll
    + 2004-07-15 05:49 . 2004-07-15 05:49 32768 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
    - 2003-02-21 00:19 . 2003-02-21 00:19 32768 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
    + 2004-07-15 05:49 . 2004-07-15 05:49 32768 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
    - 2003-02-21 00:19 . 2003-02-21 00:19 32768 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
    + 2004-07-15 05:49 . 2004-07-15 05:49 20480 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_regiis.exe
    - 2003-02-21 00:19 . 2003-02-21 00:19 20480 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_regiis.exe
    + 2009-11-27 17:33 . 2009-11-27 17:33 17920 c:\windows\Driver Cache\i386\msyuv.dll
    + 2009-11-27 16:37 . 2009-11-27 16:37 48128 c:\windows\Driver Cache\i386\iyuv_32.dll
    + 2010-10-09 01:08 . 2010-10-09 01:08 90112 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing.Design\1.0.5000.0__b03f5f7f11d50a3a_6e66fa76\System.Drawing.Design.dll
    + 2010-10-09 01:08 . 2010-10-09 01:08 61440 c:\windows\assembly\NativeImages1_v1.1.4322\CustomMarshalers\1.0.5000.0__b03f5f7f11d50a3a_dc59ba42\CustomMarshalers.dll
    - 2009-01-18 01:20 . 2009-01-18 01:20 57344 c:\windows\assembly\GAC\System.Web.RegularExpressions\1.0.5000.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
    + 2010-10-09 01:07 . 2010-10-09 01:07 57344 c:\windows\assembly\GAC\System.Web.RegularExpressions\1.0.5000.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
    - 2009-01-18 01:20 . 2009-01-18 01:20 77824 c:\windows\assembly\GAC\System.Security\1.0.5000.0__b03f5f7f11d50a3a\System.Security.dll
    + 2010-10-09 01:07 . 2010-10-09 01:07 77824 c:\windows\assembly\GAC\System.Security\1.0.5000.0__b03f5f7f11d50a3a\System.Security.dll
    + 2010-10-09 01:07 . 2010-10-09 01:07 66560 c:\windows\assembly\GAC\System.EnterpriseServices\1.0.5000.0__b03f5f7f11d50a3a\System.EnterpriseServices.Thunk.dll
    + 2010-10-09 01:07 . 2010-10-09 01:07 90112 c:\windows\assembly\GAC\System.DirectoryServices\1.0.5000.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
    + 2010-10-09 01:07 . 2010-10-09 01:07 32768 c:\windows\assembly\GAC\Regcode\1.0.5000.0__b03f5f7f11d50a3a\RegCode.dll
    - 2009-01-18 01:20 . 2009-01-18 01:20 32768 c:\windows\assembly\GAC\Regcode\1.0.5000.0__b03f5f7f11d50a3a\RegCode.dll
    + 2010-10-09 01:07 . 2010-10-09 01:07 32768 c:\windows\assembly\GAC\IEHost\1.0.5000.0__b03f5f7f11d50a3a\IEHost.dll
    - 2009-01-18 01:20 . 2009-01-18 01:20 32768 c:\windows\assembly\GAC\IEHost\1.0.5000.0__b03f5f7f11d50a3a\IEHost.dll
    + 2001-08-17 22:36 . 2009-11-27 16:37 8704 c:\windows\system32\tsbyuv.dll
    - 2004-08-04 11:00 . 2004-08-04 11:00 4608 c:\windows\system32\mqsvc.exe
    + 2004-08-04 11:00 . 2009-06-22 11:49 4608 c:\windows\system32\mqsvc.exe
    + 2009-11-27 16:37 . 2009-11-27 16:37 8704 c:\windows\system32\dllcache\tsbyuv.dll
    - 2004-08-04 11:00 . 2004-08-04 11:00 4608 c:\windows\system32\dllcache\mqsvc.exe
    + 2004-08-04 11:00 . 2009-06-22 11:49 4608 c:\windows\system32\dllcache\mqsvc.exe
    + 2004-07-15 18:31 . 2004-07-15 18:31 8192 c:\windows\Microsoft.NET\Framework\v1.1.4322\IEExecRemote.dll
    + 2009-11-27 16:37 . 2009-11-27 16:37 8704 c:\windows\Driver Cache\i386\tsbyuv.dll
    + 2010-10-09 01:07 . 2010-10-09 01:07 8192 c:\windows\assembly\GAC\IEExecRemote\1.0.5000.0__b03f5f7f11d50a3a\IEExecRemote.dll
  13. Llanonite

    Llanonite TS Rookie Topic Starter

    + 2010-10-08 14:02 . 2010-04-16 13:21 352768 c:\windows\system32\xpsp3res.dll
    + 2008-10-03 20:48 . 2009-08-06 23:24 209632 c:\windows\system32\wuweb.dll
    + 2008-10-03 20:48 . 2009-08-06 23:24 327896 c:\windows\system32\wucltui.dll
    + 2008-10-03 20:48 . 2009-08-06 23:23 575704 c:\windows\system32\wuapi.dll
    + 2004-08-04 11:00 . 2009-04-03 16:15 485376 c:\windows\system32\wmspdmod.dll
    + 2004-08-04 11:00 . 2009-07-13 06:18 233472 c:\windows\system32\wmpdxm.dll
    - 2004-08-04 11:00 . 2004-08-04 11:00 233472 c:\windows\system32\wmpdxm.dll
    + 2004-08-04 11:00 . 2009-06-10 06:32 132096 c:\windows\system32\wkssvc.dll
    - 2004-08-04 11:00 . 2004-08-04 11:00 132096 c:\windows\system32\wkssvc.dll
    + 2004-08-04 11:00 . 2009-12-24 07:05 177664 c:\windows\system32\wintrust.dll
    + 2004-08-04 11:00 . 2010-04-16 15:36 662016 c:\windows\system32\wininet.dll
    + 2004-08-04 11:00 . 2008-12-16 12:47 351232 c:\windows\system32\winhttp.dll
    - 2004-08-04 11:00 . 2004-08-04 11:00 351232 c:\windows\system32\winhttp.dll
    + 2008-10-03 20:46 . 2009-02-06 16:39 227840 c:\windows\system32\wbem\wmiprvse.exe
    + 2008-10-03 20:46 . 2009-02-09 10:20 453120 c:\windows\system32\wbem\wmiprvsd.dll
    + 2008-10-03 20:46 . 2009-02-09 10:20 473088 c:\windows\system32\wbem\fastprox.dll
    - 2004-08-04 11:00 . 2004-08-04 11:00 417792 c:\windows\system32\vbscript.dll
    + 2004-08-04 11:00 . 2010-03-10 08:02 417792 c:\windows\system32\vbscript.dll
    + 2004-08-04 11:00 . 2010-04-16 15:36 624640 c:\windows\system32\urlmon.dll
    + 2004-08-04 11:00 . 2009-10-16 02:51 119808 c:\windows\system32\t2embed.dll
    + 2004-08-04 11:00 . 2009-08-26 08:16 247326 c:\windows\system32\strmdll.dll
    + 2004-08-04 11:00 . 2010-04-16 15:36 474112 c:\windows\system32\shlwapi.dll
    + 2004-08-04 11:00 . 2009-06-25 18:36 169472 c:\windows\system32\Setup\msmqocm.dll
    + 2004-08-04 11:00 . 2009-02-06 17:14 110592 c:\windows\system32\services.exe
    + 2004-08-04 11:00 . 2009-06-25 08:44 168448 c:\windows\system32\schannel.dll
    + 2004-08-04 11:00 . 2009-02-09 10:20 399360 c:\windows\system32\rpcss.dll
    + 2004-08-04 11:00 . 2009-04-15 15:11 584192 c:\windows\system32\rpcrt4.dll
    + 2004-08-04 11:00 . 2009-10-12 13:54 112128 c:\windows\system32\rastls.dll
    - 2004-08-04 11:00 . 2004-08-04 11:00 112128 c:\windows\system32\rastls.dll
    + 2004-08-04 11:00 . 2010-10-09 01:24 380918 c:\windows\system32\perfh009.dat
    - 2004-08-04 11:00 . 2010-05-08 17:32 380918 c:\windows\system32\perfh009.dat
    - 2004-08-04 11:00 . 2004-08-04 11:00 283648 c:\windows\system32\pdh.dll
    + 2004-08-04 11:00 . 2009-03-06 14:44 283648 c:\windows\system32\pdh.dll
    - 2004-08-04 11:00 . 2004-08-04 11:00 266752 c:\windows\system32\oakley.dll
    + 2004-08-04 11:00 . 2009-10-13 10:53 266752 c:\windows\system32\oakley.dll
    + 2004-08-04 11:00 . 2009-02-09 10:20 714752 c:\windows\system32\ntdll.dll
    + 2004-08-04 11:00 . 2008-10-15 16:57 332800 c:\windows\system32\netapi32.dll
    + 2004-08-04 11:00 . 2008-06-20 17:41 245248 c:\windows\system32\mswsock.dll
    - 2004-08-04 11:00 . 2004-08-04 11:00 245248 c:\windows\system32\mswsock.dll
    + 2004-08-04 11:00 . 2009-08-05 09:11 204800 c:\windows\system32\mswebdvd.dll
    + 2004-08-04 11:00 . 2009-09-11 14:33 133632 c:\windows\system32\msv1_0.dll
    + 2008-10-03 20:46 . 2009-06-05 07:42 655872 c:\windows\system32\mstscax.dll
    + 2004-08-04 11:00 . 2010-04-16 15:36 532480 c:\windows\system32\mstime.dll
    + 2004-08-04 11:00 . 2010-04-16 15:36 146432 c:\windows\system32\msrating.dll
    - 2004-08-04 11:00 . 2004-08-04 11:00 146432 c:\windows\system32\msrating.dll
    - 2008-10-03 20:46 . 2004-08-04 11:00 343040 c:\windows\system32\mspaint.exe
    + 2008-10-03 20:46 . 2009-12-16 12:58 343040 c:\windows\system32\mspaint.exe
    + 2004-08-04 11:00 . 2005-05-04 18:45 884736 c:\windows\system32\msimsg.dll
    - 2004-08-04 11:00 . 2004-08-04 11:00 884736 c:\windows\system32\msimsg.dll
    + 2004-08-04 11:00 . 2005-05-04 18:45 271360 c:\windows\system32\msihnd.dll
    + 2004-08-04 11:00 . 2010-04-16 15:36 449024 c:\windows\system32\mshtmled.dll
    + 2008-10-03 20:46 . 2008-06-12 14:16 161792 c:\windows\system32\msdtcuiu.dll
    + 2008-10-03 20:46 . 2008-06-12 14:16 956928 c:\windows\system32\msdtctm.dll
    + 2008-10-03 20:46 . 2008-06-12 14:16 428032 c:\windows\system32\msdtcprx.dll
    - 2003-02-21 00:06 . 2003-02-21 00:06 155648 c:\windows\system32\mscoree.dll
    + 2004-07-15 04:24 . 2004-07-15 04:24 155648 c:\windows\system32\mscoree.dll
    + 2004-08-04 11:00 . 2009-06-25 18:36 471552 c:\windows\system32\mqutil.dll
    - 2004-08-04 11:00 . 2004-08-04 11:00 471552 c:\windows\system32\mqutil.dll
    + 2004-08-04 11:00 . 2009-06-25 18:36 186880 c:\windows\system32\mqtrig.dll
    - 2004-08-04 11:00 . 2004-08-04 11:00 186880 c:\windows\system32\mqtrig.dll
    + 2004-08-04 11:00 . 2009-06-22 11:49 117248 c:\windows\system32\mqtgsvc.exe
    - 2004-08-04 11:00 . 2004-08-04 11:00 117248 c:\windows\system32\mqtgsvc.exe
    + 2004-08-04 11:00 . 2009-06-25 18:36 517120 c:\windows\system32\mqsnap.dll
    - 2004-08-04 11:00 . 2004-08-04 11:00 123392 c:\windows\system32\mqrtdep.dll
    + 2004-08-04 11:00 . 2009-06-25 18:36 123392 c:\windows\system32\mqrtdep.dll
    + 2004-08-04 11:00 . 2009-06-25 18:36 177152 c:\windows\system32\mqrt.dll
    - 2004-08-04 11:00 . 2004-08-04 11:00 177152 c:\windows\system32\mqrt.dll
    + 2004-08-04 11:00 . 2009-06-25 18:36 661504 c:\windows\system32\mqqm.dll
    - 2004-08-04 11:00 . 2004-08-04 11:00 225280 c:\windows\system32\mqoa.dll
    + 2004-08-04 11:00 . 2009-06-25 18:36 225280 c:\windows\system32\mqoa.dll
    + 2004-08-04 11:00 . 2009-06-25 18:36 138240 c:\windows\system32\mqad.dll
    - 2004-08-04 11:00 . 2004-08-04 11:00 138240 c:\windows\system32\mqad.dll
    + 2004-08-04 11:00 . 2009-06-25 08:44 724480 c:\windows\system32\lsasrv.dll
    - 2004-08-04 11:00 . 2004-08-04 11:00 103936 c:\windows\system32\logagent.exe
    + 2004-08-04 11:00 . 2008-06-10 05:31 103936 c:\windows\system32\logagent.exe
    + 2004-08-04 11:00 . 2009-05-07 15:44 344064 c:\windows\system32\localspl.dll
    + 2004-08-04 11:00 . 2009-03-21 14:18 986112 c:\windows\system32\kernel32.dll
    + 2004-08-04 11:00 . 2009-06-25 08:44 298496 c:\windows\system32\kerberos.dll
    + 2010-10-09 01:15 . 2009-03-11 02:18 453512 c:\windows\system32\KB905474\wgasetup.exe
    - 2004-08-04 11:00 . 2004-08-04 11:00 450560 c:\windows\system32\jscript.dll
    + 2004-08-04 11:00 . 2009-08-21 09:46 450560 c:\windows\system32\jscript.dll
    + 2008-10-03 20:47 . 2010-01-29 15:08 683520 c:\windows\system32\inetcomm.dll
    + 2004-08-04 11:00 . 2010-04-16 15:36 251392 c:\windows\system32\iepeers.dll
    + 2004-08-04 11:00 . 2008-10-23 13:01 283648 c:\windows\system32\gdi32.dll
    + 2004-08-04 11:00 . 2008-07-07 20:32 253952 c:\windows\system32\es.dll
    + 2004-08-04 11:00 . 2010-04-16 15:36 205312 c:\windows\system32\dxtrans.dll
    + 2004-08-04 11:00 . 2010-04-16 15:36 357888 c:\windows\system32\dxtmsft.dll
    - 2004-08-04 11:00 . 2004-08-04 11:00 357888 c:\windows\system32\dxtmsft.dll
    + 2004-08-04 11:00 . 2010-02-11 12:01 226880 c:\windows\system32\drivers\tcpip6.sys
    + 2004-08-04 11:00 . 2008-06-20 10:45 360320 c:\windows\system32\drivers\tcpip.sys
    + 2004-08-04 11:00 . 2009-12-31 16:14 352640 c:\windows\system32\drivers\srv.sys
    + 2004-08-04 11:00 . 2008-05-08 12:28 202752 c:\windows\system32\drivers\rmcast.sys
    + 2004-08-04 11:00 . 2010-02-24 12:31 454016 c:\windows\system32\drivers\mrxsmb.sys
    + 2004-08-04 11:00 . 2008-08-14 09:51 138368 c:\windows\system32\drivers\afd.sys
    + 2004-08-04 11:00 . 2008-06-20 17:41 148992 c:\windows\system32\dnsapi.dll
    + 2008-10-03 20:48 . 2009-08-06 23:24 209632 c:\windows\system32\dllcache\wuweb.dll
    + 2008-10-03 20:48 . 2009-08-06 23:24 327896 c:\windows\system32\dllcache\wucltui.dll
    + 2008-10-03 20:48 . 2009-08-06 23:23 575704 c:\windows\system32\dllcache\wuapi.dll
    + 2008-02-09 13:49 . 2008-04-21 10:02 215552 c:\windows\system32\dllcache\wordpad.exe
    + 2004-08-04 11:00 . 2009-04-03 16:15 485376 c:\windows\system32\dllcache\wmspdmod.dll
    + 2004-08-04 11:00 . 2009-07-13 06:18 233472 c:\windows\system32\dllcache\wmpdxm.dll
    - 2004-08-04 11:00 . 2004-08-04 11:00 233472 c:\windows\system32\dllcache\wmpdxm.dll
    + 2008-10-03 20:46 . 2009-02-06 16:39 227840 c:\windows\system32\dllcache\wmiprvse.exe
    + 2008-10-03 20:46 . 2009-02-09 10:20 453120 c:\windows\system32\dllcache\wmiprvsd.dll
    + 2004-08-04 11:00 . 2009-06-10 06:32 132096 c:\windows\system32\dllcache\wkssvc.dll
    - 2004-08-04 11:00 . 2004-08-04 11:00 132096 c:\windows\system32\dllcache\wkssvc.dll
    + 2004-08-04 11:00 . 2009-12-24 07:05 177664 c:\windows\system32\dllcache\wintrust.dll
    + 2004-08-04 11:00 . 2010-04-16 15:36 662016 c:\windows\system32\dllcache\wininet.dll
    + 2004-08-04 11:00 . 2008-12-16 12:47 351232 c:\windows\system32\dllcache\winhttp.dll
    - 2004-08-04 11:00 . 2004-08-04 11:00 351232 c:\windows\system32\dllcache\winhttp.dll
    + 2004-08-04 11:00 . 2010-03-10 08:02 417792 c:\windows\system32\dllcache\vbscript.dll
    - 2004-08-04 11:00 . 2004-08-04 11:00 417792 c:\windows\system32\dllcache\vbscript.dll
    + 2004-08-04 11:00 . 2010-04-16 15:36 624640 c:\windows\system32\dllcache\urlmon.dll
    + 2008-02-09 13:50 . 2009-06-21 22:04 153088 c:\windows\system32\dllcache\triedit.dll
    - 2008-02-09 13:50 . 2004-08-04 11:00 153088 c:\windows\system32\dllcache\triedit.dll
    + 2004-08-04 11:00 . 2010-02-11 12:01 226880 c:\windows\system32\dllcache\tcpip6.sys
    + 2004-08-04 11:00 . 2008-06-20 10:45 360320 c:\windows\system32\dllcache\tcpip.sys
    + 2004-08-04 11:00 . 2009-10-16 02:51 119808 c:\windows\system32\dllcache\t2embed.dll
    + 2004-08-04 11:00 . 2009-08-26 08:16 247326 c:\windows\system32\dllcache\strmdll.dll
    + 2004-08-04 11:00 . 2009-12-31 16:14 352640 c:\windows\system32\dllcache\srv.sys
    + 2004-08-04 11:00 . 2010-04-16 15:36 474112 c:\windows\system32\dllcache\shlwapi.dll
    + 2004-08-04 11:00 . 2009-02-06 17:14 110592 c:\windows\system32\dllcache\services.exe
    + 2004-08-04 11:00 . 2009-06-25 08:44 168448 c:\windows\system32\dllcache\schannel.dll
    + 2004-08-04 11:00 . 2009-02-09 10:20 399360 c:\windows\system32\dllcache\rpcss.dll
    + 2004-08-04 11:00 . 2009-04-15 15:11 584192 c:\windows\system32\dllcache\rpcrt4.dll
    + 2004-08-04 11:00 . 2008-05-08 12:28 202752 c:\windows\system32\dllcache\rmcast.sys
    + 2004-08-04 11:00 . 2009-10-12 13:54 112128 c:\windows\system32\dllcache\rastls.dll
    - 2004-08-04 11:00 . 2004-08-04 11:00 112128 c:\windows\system32\dllcache\rastls.dll
    + 2004-08-04 11:00 . 2009-03-06 14:44 283648 c:\windows\system32\dllcache\pdh.dll
    - 2004-08-04 11:00 . 2004-08-04 11:00 283648 c:\windows\system32\dllcache\pdh.dll
    - 2004-08-04 11:00 . 2004-08-04 11:00 266752 c:\windows\system32\dllcache\oakley.dll
    + 2004-08-04 11:00 . 2009-10-13 10:53 266752 c:\windows\system32\dllcache\oakley.dll
    + 2004-08-04 11:00 . 2009-02-09 10:20 714752 c:\windows\system32\dllcache\ntdll.dll
    + 2004-08-04 11:00 . 2008-10-15 16:57 332800 c:\windows\system32\dllcache\netapi32.dll
    - 2004-08-04 11:00 . 2004-08-04 11:00 245248 c:\windows\system32\dllcache\mswsock.dll
    + 2004-08-04 11:00 . 2008-06-20 17:41 245248 c:\windows\system32\dllcache\mswsock.dll
    + 2004-08-04 11:00 . 2009-08-05 09:11 204800 c:\windows\system32\dllcache\mswebdvd.dll
    + 2004-08-04 11:00 . 2009-09-11 14:33 133632 c:\windows\system32\dllcache\msv1_0.dll
    + 2008-10-03 20:46 . 2009-06-05 07:42 655872 c:\windows\system32\dllcache\mstscax.dll
    + 2004-08-04 11:00 . 2010-04-16 15:36 532480 c:\windows\system32\dllcache\mstime.dll
    + 2004-08-04 11:00 . 2010-04-16 15:36 146432 c:\windows\system32\dllcache\msrating.dll
    - 2004-08-04 11:00 . 2004-08-04 11:00 146432 c:\windows\system32\dllcache\msrating.dll
    - 2008-10-03 20:46 . 2004-08-04 11:00 343040 c:\windows\system32\dllcache\mspaint.exe
    + 2008-10-03 20:46 . 2009-12-16 12:58 343040 c:\windows\system32\dllcache\mspaint.exe
    + 2004-08-04 11:00 . 2009-06-25 18:36 169472 c:\windows\system32\dllcache\msmqocm.dll
    + 2004-08-04 11:00 . 2005-05-04 18:45 884736 c:\windows\system32\dllcache\msimsg.dll
    - 2004-08-04 11:00 . 2004-08-04 11:00 884736 c:\windows\system32\dllcache\msimsg.dll
    + 2004-08-04 11:00 . 2005-05-04 18:45 271360 c:\windows\system32\dllcache\msihnd.dll
    + 2004-08-04 11:00 . 2010-04-16 15:36 449024 c:\windows\system32\dllcache\mshtmled.dll
    + 2008-10-03 20:46 . 2008-06-12 14:16 161792 c:\windows\system32\dllcache\msdtcuiu.dll
    + 2008-10-03 20:46 . 2008-06-12 14:16 956928 c:\windows\system32\dllcache\msdtctm.dll
    + 2008-10-03 20:46 . 2008-06-12 14:16 428032 c:\windows\system32\dllcache\msdtcprx.dll
    - 2008-02-09 13:50 . 2004-08-04 11:00 331776 c:\windows\system32\dllcache\msadce.dll
    + 2008-02-09 13:50 . 2008-05-01 14:30 331776 c:\windows\system32\dllcache\msadce.dll
    + 2004-08-04 11:00 . 2009-06-25 18:36 471552 c:\windows\system32\dllcache\mqutil.dll
    - 2004-08-04 11:00 . 2004-08-04 11:00 471552 c:\windows\system32\dllcache\mqutil.dll
    - 2004-08-04 11:00 . 2004-08-04 11:00 186880 c:\windows\system32\dllcache\mqtrig.dll
    + 2004-08-04 11:00 . 2009-06-25 18:36 186880 c:\windows\system32\dllcache\mqtrig.dll
    + 2004-08-04 11:00 . 2009-06-22 11:49 117248 c:\windows\system32\dllcache\mqtgsvc.exe
    - 2004-08-04 11:00 . 2004-08-04 11:00 117248 c:\windows\system32\dllcache\mqtgsvc.exe
    + 2004-08-04 11:00 . 2009-06-25 18:36 517120 c:\windows\system32\dllcache\mqsnap.dll
    + 2004-08-04 11:00 . 2009-06-25 18:36 123392 c:\windows\system32\dllcache\mqrtdep.dll
    - 2004-08-04 11:00 . 2004-08-04 11:00 123392 c:\windows\system32\dllcache\mqrtdep.dll
    - 2004-08-04 11:00 . 2004-08-04 11:00 177152 c:\windows\system32\dllcache\mqrt.dll
    + 2004-08-04 11:00 . 2009-06-25 18:36 177152 c:\windows\system32\dllcache\mqrt.dll
    + 2004-08-04 11:00 . 2009-06-25 18:36 661504 c:\windows\system32\dllcache\mqqm.dll
    - 2004-08-04 11:00 . 2004-08-04 11:00 225280 c:\windows\system32\dllcache\mqoa.dll
    + 2004-08-04 11:00 . 2009-06-25 18:36 225280 c:\windows\system32\dllcache\mqoa.dll
    - 2004-08-04 11:00 . 2004-08-04 11:00 138240 c:\windows\system32\dllcache\mqad.dll
    + 2004-08-04 11:00 . 2009-06-25 18:36 138240 c:\windows\system32\dllcache\mqad.dll
    + 2004-08-04 11:00 . 2009-06-25 08:44 724480 c:\windows\system32\dllcache\lsasrv.dll
    + 2004-08-04 11:00 . 2008-06-10 05:31 103936 c:\windows\system32\dllcache\logagent.exe
    - 2004-08-04 11:00 . 2004-08-04 11:00 103936 c:\windows\system32\dllcache\logagent.exe
    + 2004-08-04 11:00 . 2009-05-07 15:44 344064 c:\windows\system32\dllcache\localspl.dll
    + 2004-08-04 11:00 . 2009-03-21 14:18 986112 c:\windows\system32\dllcache\kernel32.dll
    + 2004-08-04 11:00 . 2009-06-25 08:44 298496 c:\windows\system32\dllcache\kerberos.dll
    - 2004-08-04 11:00 . 2004-08-04 11:00 450560 c:\windows\system32\dllcache\jscript.dll
    + 2004-08-04 11:00 . 2009-08-21 09:46 450560 c:\windows\system32\dllcache\jscript.dll
    + 2008-10-03 20:47 . 2010-01-29 15:08 683520 c:\windows\system32\dllcache\inetcomm.dll
    + 2004-08-04 11:00 . 2010-04-16 15:36 251392 c:\windows\system32\dllcache\iepeers.dll
    + 2008-10-03 20:47 . 2010-06-14 14:30 743936 c:\windows\system32\dllcache\helpsvc.exe
    - 2008-10-03 20:47 . 2004-08-04 11:00 743936 c:\windows\system32\dllcache\helpsvc.exe
    + 2004-08-04 11:00 . 2008-10-23 13:01 283648 c:\windows\system32\dllcache\gdi32.dll
    + 2008-10-03 20:46 . 2009-02-09 10:20 473088 c:\windows\system32\dllcache\fastprox.dll
    + 2004-08-04 11:00 . 2008-07-07 20:32 253952 c:\windows\system32\dllcache\es.dll
    + 2004-08-04 11:00 . 2010-04-16 15:36 205312 c:\windows\system32\dllcache\dxtrans.dll
    + 2004-08-04 11:00 . 2010-04-16 15:36 357888 c:\windows\system32\dllcache\dxtmsft.dll
    - 2004-08-04 11:00 . 2004-08-04 11:00 357888 c:\windows\system32\dllcache\dxtmsft.dll
    + 2004-08-04 11:00 . 2008-06-20 17:41 148992 c:\windows\system32\dllcache\dnsapi.dll
    + 2004-08-04 11:00 . 2010-04-16 15:36 151040 c:\windows\system32\dllcache\cdfview.dll
    - 2004-08-04 11:00 . 2004-08-04 11:00 285696 c:\windows\system32\dllcache\atmfd.dll
    + 2004-08-04 11:00 . 2010-04-20 05:51 285696 c:\windows\system32\dllcache\atmfd.dll
    + 2004-08-04 11:00 . 2008-08-14 09:51 138368 c:\windows\system32\dllcache\afd.sys
    + 2004-08-04 11:00 . 2009-02-09 10:20 616960 c:\windows\system32\dllcache\advapi32.dll
    - 2004-08-04 11:00 . 2004-08-04 11:00 616960 c:\windows\system32\dllcache\advapi32.dll
    + 2004-08-04 11:00 . 2009-11-21 16:36 470528 c:\windows\system32\dllcache\aclayers.dll
    + 2004-08-04 11:00 . 2010-02-12 04:47 100864 c:\windows\system32\dllcache\6to4svc.dll
    + 2004-08-04 11:00 . 2010-04-16 15:36 151040 c:\windows\system32\cdfview.dll
    + 2004-08-04 11:00 . 2010-04-20 05:51 285696 c:\windows\system32\atmfd.dll
    - 2004-08-04 11:00 . 2004-08-04 11:00 285696 c:\windows\system32\atmfd.dll
    - 2004-08-04 11:00 . 2004-08-04 11:00 616960 c:\windows\system32\advapi32.dll
    + 2004-08-04 11:00 . 2009-02-09 10:20 616960 c:\windows\system32\advapi32.dll
    + 2004-08-04 11:00 . 2010-02-12 04:47 100864 c:\windows\system32\6to4svc.dll
    + 2008-10-03 20:47 . 2010-06-14 14:30 743936 c:\windows\pchealth\helpctr\binaries\helpsvc.exe
    - 2008-10-03 20:47 . 2004-08-04 11:00 743936 c:\windows\pchealth\helpctr\binaries\HelpSvc.exe
    - 2003-02-21 15:20 . 2003-02-21 15:20 737280 c:\windows\Microsoft.NET\Framework\v1.1.4322\vbc.exe
    + 2004-07-15 15:23 . 2004-07-15 15:23 737280 c:\windows\Microsoft.NET\Framework\v1.1.4322\vbc.exe
  14. Llanonite

    Llanonite TS Rookie Topic Starter

    + 2004-07-15 18:31 . 2004-07-15 18:31 573440 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Web.Services.dll
    - 2003-02-21 12:27 . 2003-02-21 12:27 819200 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Web.Mobile.dll
    + 2004-07-15 18:28 . 2004-07-15 18:28 819200 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Web.Mobile.dll
    + 2004-07-15 18:28 . 2004-07-15 18:28 126976 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.ServiceProcess.dll
    - 2003-02-21 12:27 . 2003-02-21 12:27 126976 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.ServiceProcess.dll
    + 2004-07-15 18:31 . 2004-07-15 18:31 131072 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Runtime.Serialization.Formatters.Soap.dll
    - 2003-02-21 12:26 . 2003-02-21 12:26 131072 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Runtime.Serialization.Formatters.Soap.dll
    - 2003-02-21 12:26 . 2003-02-21 12:26 323584 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Runtime.Remoting.dll
    + 2004-07-15 18:28 . 2004-07-15 18:28 323584 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Runtime.Remoting.dll
    + 2004-07-15 18:31 . 2004-07-15 18:31 241664 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Messaging.dll
    - 2003-02-21 12:26 . 2003-02-21 12:26 241664 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Messaging.dll
    + 2004-07-15 18:31 . 2004-07-15 18:31 372736 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Management.dll
    - 2003-02-21 12:26 . 2003-02-21 12:26 241664 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.EnterpriseServices.dll
    + 2004-07-15 18:28 . 2004-07-15 18:28 241664 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.EnterpriseServices.dll
    + 2004-07-15 18:28 . 2004-07-15 18:28 466944 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Drawing.dll
    - 2003-02-21 12:26 . 2003-02-21 12:26 466944 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Drawing.dll
    + 2004-07-15 18:31 . 2004-07-15 18:31 303104 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Data.OracleClient.dll
    + 2004-07-15 04:35 . 2004-07-15 04:35 319488 c:\windows\Microsoft.NET\Framework\v1.1.4322\SOS.dll
    - 2003-02-21 00:09 . 2003-02-21 00:09 319488 c:\windows\Microsoft.NET\Framework\v1.1.4322\SOS.dll
    + 2004-08-10 20:20 . 2004-08-10 20:20 106496 c:\windows\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe
    + 2004-07-15 04:33 . 2004-07-15 04:33 143360 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorrc.dll
    - 2003-02-21 00:09 . 2003-02-21 00:09 143360 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorrc.dll
    + 2004-07-15 04:33 . 2004-07-15 04:33 102400 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorld.dll
    + 2004-07-15 04:25 . 2004-07-15 04:25 315392 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorjit.dll
    - 2003-02-21 00:09 . 2003-02-21 00:09 233472 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscordbi.dll
    + 2004-07-15 04:32 . 2004-07-15 04:32 233472 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscordbi.dll
    - 2003-02-21 12:26 . 2003-02-21 12:26 299008 c:\windows\Microsoft.NET\Framework\v1.1.4322\Microsoft.VisualBasic.dll
    + 2004-07-15 18:28 . 2004-07-15 18:28 299008 c:\windows\Microsoft.NET\Framework\v1.1.4322\Microsoft.VisualBasic.dll
    + 2004-07-15 18:28 . 2004-07-15 18:28 720896 c:\windows\Microsoft.NET\Framework\v1.1.4322\Microsoft.JScript.dll
    + 2004-07-15 04:35 . 2004-07-15 04:35 196608 c:\windows\Microsoft.NET\Framework\v1.1.4322\ilasm.exe
    - 2003-02-21 00:09 . 2003-02-21 00:09 196608 c:\windows\Microsoft.NET\Framework\v1.1.4322\ilasm.exe
    - 2003-02-21 00:06 . 2003-02-21 00:06 282624 c:\windows\Microsoft.NET\Framework\v1.1.4322\fusion.dll
    + 2004-07-15 04:24 . 2004-07-15 04:24 282624 c:\windows\Microsoft.NET\Framework\v1.1.4322\fusion.dll
    + 2004-07-15 15:23 . 2004-07-15 15:23 626688 c:\windows\Microsoft.NET\Framework\v1.1.4322\cscomp.dll
    - 2003-02-21 15:21 . 2003-02-21 15:21 626688 c:\windows\Microsoft.NET\Framework\v1.1.4322\cscomp.dll
    + 2004-07-15 05:49 . 2004-07-15 05:49 258048 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
    + 2010-10-08 23:19 . 2010-02-24 12:31 454016 c:\windows\Driver Cache\i386\mrxsmb.sys
    + 2010-10-08 23:37 . 2008-06-13 13:10 272128 c:\windows\Driver Cache\i386\bthport.sys
    + 2010-10-09 01:08 . 2010-10-09 01:08 835584 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a_1967fcd6\System.Drawing.dll
    + 2010-10-09 01:07 . 2010-10-09 01:07 573440 c:\windows\assembly\GAC\System.Web.Services\1.0.5000.0__b03f5f7f11d50a3a\System.Web.Services.dll
    + 2010-10-09 01:07 . 2010-10-09 01:07 819200 c:\windows\assembly\GAC\System.Web.Mobile\1.0.5000.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
    - 2009-01-18 01:20 . 2009-01-18 01:20 819200 c:\windows\assembly\GAC\System.Web.Mobile\1.0.5000.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
    + 2010-10-09 01:07 . 2010-10-09 01:07 126976 c:\windows\assembly\GAC\System.ServiceProcess\1.0.5000.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
    - 2009-01-18 01:20 . 2009-01-18 01:20 126976 c:\windows\assembly\GAC\System.ServiceProcess\1.0.5000.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
    + 2010-10-09 01:07 . 2010-10-09 01:07 131072 c:\windows\assembly\GAC\System.Runtime.Serialization.Formatters.Soap\1.0.5000.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
    - 2009-01-18 01:20 . 2009-01-18 01:20 131072 c:\windows\assembly\GAC\System.Runtime.Serialization.Formatters.Soap\1.0.5000.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
    - 2009-01-18 01:20 . 2009-01-18 01:20 323584 c:\windows\assembly\GAC\System.Runtime.Remoting\1.0.5000.0__b77a5c561934e089\System.Runtime.Remoting.dll
    + 2010-10-09 01:07 . 2010-10-09 01:07 323584 c:\windows\assembly\GAC\System.Runtime.Remoting\1.0.5000.0__b77a5c561934e089\System.Runtime.Remoting.dll
    + 2010-10-09 01:08 . 2010-10-09 01:08 241664 c:\windows\assembly\GAC\System.Messaging\1.0.5000.0__b03f5f7f11d50a3a\System.Messaging.dll
    - 2009-01-18 01:20 . 2009-01-18 01:20 241664 c:\windows\assembly\GAC\System.Messaging\1.0.5000.0__b03f5f7f11d50a3a\System.Messaging.dll
    + 2010-10-09 01:07 . 2010-10-09 01:07 372736 c:\windows\assembly\GAC\System.Management\1.0.5000.0__b03f5f7f11d50a3a\System.Management.dll
    - 2009-01-18 01:20 . 2009-01-18 01:20 241664 c:\windows\assembly\GAC\System.EnterpriseServices\1.0.5000.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
    + 2010-10-09 01:07 . 2010-10-09 01:07 241664 c:\windows\assembly\GAC\System.EnterpriseServices\1.0.5000.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
    - 2009-01-18 01:20 . 2009-01-18 01:20 466944 c:\windows\assembly\GAC\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a\System.Drawing.dll
    + 2010-10-09 01:07 . 2010-10-09 01:07 466944 c:\windows\assembly\GAC\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a\System.Drawing.dll
    + 2010-10-09 01:07 . 2010-10-09 01:07 303104 c:\windows\assembly\GAC\System.Data.OracleClient\1.0.5000.0__b77a5c561934e089\System.Data.OracleClient.dll
    - 2009-01-18 01:20 . 2009-01-18 01:20 299008 c:\windows\assembly\GAC\Microsoft.VisualBasic\7.0.5000.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
    + 2010-10-09 01:07 . 2010-10-09 01:07 299008 c:\windows\assembly\GAC\Microsoft.VisualBasic\7.0.5000.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
    + 2010-10-09 01:07 . 2010-10-09 01:07 720896 c:\windows\assembly\GAC\Microsoft.JScript\7.0.5000.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
    + 2004-08-04 11:00 . 2009-11-21 16:36 470528 c:\windows\AppPatch\aclayers.dll
    + 2010-10-08 23:37 . 2009-08-13 13:55 1748992 c:\windows\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.6001.22319_x-ww_f0b4c2df\GdiPlus.dll
    + 2008-10-03 20:48 . 2009-08-06 23:23 1929952 c:\windows\system32\wuaueng.dll
    + 2004-08-04 11:00 . 2010-04-08 17:53 2113536 c:\windows\system32\WMVCore.dll
    + 2004-08-04 11:00 . 2010-02-16 11:27 4734976 c:\windows\system32\wmp.dll
    + 2004-08-04 11:00 . 2008-06-10 22:18 1053696 c:\windows\system32\WMNetmgr.dll
    + 2004-08-04 11:00 . 2010-05-02 05:56 1850880 c:\windows\system32\win32k.sys
    + 2008-02-10 05:23 . 2009-05-09 05:14 1418120 c:\windows\system32\wdfcoinstaller01005.dll
    + 2004-08-04 11:00 . 2008-07-03 13:16 8454656 c:\windows\system32\shell32.dll
    + 2004-08-04 11:00 . 2010-04-16 15:36 1506304 c:\windows\system32\shdocvw.dll
    - 2004-08-04 11:00 . 2004-08-04 11:00 1435648 c:\windows\system32\query.dll
    + 2004-08-04 11:00 . 2009-07-17 16:27 1435648 c:\windows\system32\query.dll
    + 2004-08-04 11:00 . 2010-02-05 18:40 1291264 c:\windows\system32\quartz.dll
    + 2004-08-04 11:00 . 2010-02-16 13:17 2137088 c:\windows\system32\ntoskrnl.exe
    + 2004-08-03 22:59 . 2010-02-16 12:39 2016768 c:\windows\system32\ntkrnlpa.exe
    + 2004-08-04 11:00 . 2009-07-31 04:57 1172480 c:\windows\system32\msxml3.dll
    + 2004-08-04 11:00 . 2005-05-04 18:45 2890240 c:\windows\system32\msi.dll
    + 2004-08-04 11:00 . 2010-04-16 15:36 3065344 c:\windows\system32\mshtml.dll
    + 2010-10-09 01:15 . 2009-03-11 02:26 1403264 c:\windows\system32\KB905474\wganotifypackageinner.exe
    + 2008-10-03 20:48 . 2009-08-06 23:23 1929952 c:\windows\system32\dllcache\wuaueng.dll
    + 2004-08-04 11:00 . 2010-04-08 17:53 2113536 c:\windows\system32\dllcache\WMVCore.dll
    + 2004-08-04 11:00 . 2010-02-16 11:27 4734976 c:\windows\system32\dllcache\wmp.dll
    + 2004-08-04 11:00 . 2008-06-10 22:18 1053696 c:\windows\system32\dllcache\WMNetmgr.dll
    + 2004-08-04 11:00 . 2010-05-02 05:56 1850880 c:\windows\system32\dllcache\win32k.sys
    + 2004-08-04 11:00 . 2008-07-03 13:16 8454656 c:\windows\system32\dllcache\shell32.dll
    + 2004-08-04 11:00 . 2010-04-16 15:36 1506304 c:\windows\system32\dllcache\shdocvw.dll
    - 2004-08-04 11:00 . 2004-08-04 11:00 1435648 c:\windows\system32\dllcache\query.dll
    + 2004-08-04 11:00 . 2009-07-17 16:27 1435648 c:\windows\system32\dllcache\query.dll
    + 2004-08-04 11:00 . 2010-02-05 18:40 1291264 c:\windows\system32\dllcache\quartz.dll
    + 2004-08-04 11:00 . 2009-07-31 04:57 1172480 c:\windows\system32\dllcache\msxml3.dll
    + 2008-02-09 13:50 . 2010-01-29 15:08 1315840 c:\windows\system32\dllcache\msoe.dll
    + 2004-08-04 11:00 . 2005-05-04 18:45 2890240 c:\windows\system32\dllcache\msi.dll
    + 2004-08-04 11:00 . 2010-04-16 15:36 3065344 c:\windows\system32\dllcache\mshtml.dll
    + 2008-02-09 13:51 . 2009-10-23 14:27 3555328 c:\windows\system32\dllcache\moviemk.exe
    - 2008-02-09 13:51 . 2004-08-04 11:00 3555328 c:\windows\system32\dllcache\moviemk.exe
    + 2004-08-04 11:00 . 2010-04-16 15:36 1054208 c:\windows\system32\dllcache\danim.dll
    + 2004-08-04 11:00 . 2010-04-16 15:36 1023488 c:\windows\system32\dllcache\browseui.dll
    + 2004-08-04 11:00 . 2010-04-16 15:36 1054208 c:\windows\system32\danim.dll
    + 2004-08-04 11:00 . 2010-04-16 15:36 1023488 c:\windows\system32\browseui.dll
    + 2004-07-15 12:15 . 2004-07-15 12:15 1032192 c:\windows\Microsoft.NET\Framework\v1.1.4322\VsaVb7rt.dll
    - 2003-02-21 10:04 . 2003-02-21 10:04 1032192 c:\windows\Microsoft.NET\Framework\v1.1.4322\VsaVb7rt.dll
    + 2004-07-15 18:29 . 2004-07-15 18:29 1339392 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.XML.dll
    + 2004-07-15 18:32 . 2004-07-15 18:32 2052096 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Windows.Forms.dll
    + 2004-07-15 18:29 . 2004-07-15 18:29 1257472 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Web.dll
    + 2004-07-15 18:31 . 2004-07-15 18:31 1224704 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.dll
    + 2004-07-15 18:29 . 2004-07-15 18:29 1703936 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Design.dll
    + 2004-07-15 18:32 . 2004-07-15 18:32 1294336 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Data.dll
    + 2004-07-15 04:28 . 2004-07-15 04:28 2502656 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
    + 2004-07-15 04:26 . 2004-07-15 04:26 2510848 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsvr.dll
    + 2004-07-15 18:29 . 2004-07-15 18:29 2138112 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorlib.dll
    + 2010-10-06 22:14 . 2010-10-06 22:14 1094656 c:\windows\Installer\64442.msi
    + 2010-10-08 23:19 . 2010-02-16 13:19 2181376 c:\windows\Driver Cache\i386\ntoskrnl.exe
    + 2010-10-08 23:19 . 2010-02-16 12:39 2016768 c:\windows\Driver Cache\i386\ntkrpamp.exe
    + 2010-10-08 23:19 . 2010-02-16 12:39 2058368 c:\windows\Driver Cache\i386\ntkrnlpa.exe
    + 2010-10-08 23:19 . 2010-02-16 13:17 2137088 c:\windows\Driver Cache\i386\ntkrnlmp.exe
    + 2010-10-09 01:08 . 2010-10-09 01:08 1953792 c:\windows\assembly\NativeImages1_v1.1.4322\System\1.0.5000.0__b77a5c561934e089_373766b2\System.dll
    + 2010-10-09 01:08 . 2010-10-09 01:08 2088960 c:\windows\assembly\NativeImages1_v1.1.4322\System.Xml\1.0.5000.0__b77a5c561934e089_d2fcb88c\System.Xml.dll
    + 2010-10-09 01:08 . 2010-10-09 01:08 3014656 c:\windows\assembly\NativeImages1_v1.1.4322\System.Windows.Forms\1.0.5000.0__b77a5c561934e089_256424db\System.Windows.Forms.dll
    + 2010-10-09 01:08 . 2010-10-09 01:08 1470464 c:\windows\assembly\NativeImages1_v1.1.4322\System.Design\1.0.5000.0__b03f5f7f11d50a3a_e62df0ec\System.Design.dll
    + 2010-10-09 01:08 . 2010-10-09 01:08 3379200 c:\windows\assembly\NativeImages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_6d8e0c0f\mscorlib.dll
    + 2010-10-09 01:08 . 2010-10-09 01:08 1224704 c:\windows\assembly\GAC\System\1.0.5000.0__b77a5c561934e089\System.dll
    + 2010-10-09 01:07 . 2010-10-09 01:07 1339392 c:\windows\assembly\GAC\System.Xml\1.0.5000.0__b77a5c561934e089\System.XML.dll
    + 2010-10-09 01:07 . 2010-10-09 01:07 2052096 c:\windows\assembly\GAC\System.Windows.Forms\1.0.5000.0__b77a5c561934e089\System.Windows.Forms.dll
    + 2010-10-09 01:07 . 2010-10-09 01:07 1257472 c:\windows\assembly\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
    + 2010-10-09 01:07 . 2010-10-09 01:07 1703936 c:\windows\assembly\GAC\System.Design\1.0.5000.0__b03f5f7f11d50a3a\System.Design.dll
    + 2010-10-09 01:07 . 2010-10-09 01:07 1294336 c:\windows\assembly\GAC\System.Data\1.0.5000.0__b77a5c561934e089\System.Data.dll
    + 2010-10-09 01:09 . 2010-09-10 18:34 35552200 c:\windows\system32\MRT.exe
    + 2010-10-09 01:06 . 2010-10-09 01:06 19210240 c:\windows\Installer\5c748e.msp
    .
    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2007-08-29 1347584]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-28 39408]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 135168]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-19 131072]
    "QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-12-06 202032]
    "SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-14 102400]
    "Mouse Suite 98 Daemon"="ICO.EXE" [2004-07-14 57344]
    "RTHDCPL"="RTHDCPL.EXE" [2008-01-29 16859648]
    "SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2007-01-30 638976]
    "Media Codec Update Service"="c:\program files\Essentials Codec Pack\update.exe" [2007-04-08 303104]
    "avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-09-07 2838912]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=

    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [10/3/2008 6:08 PM 165584]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [10/3/2008 6:08 PM 17744]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/14/2010 7:10 PM 135664]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-10-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-14 23:10]

    2010-10-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-14 23:10]

    2010-10-09 c:\windows\Tasks\WGASetup.job
    - c:\windows\system32\KB905474\wgasetup.exe [2010-10-09 02:18]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://lubbockonline.com/
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
    FF - ProfilePath - c:\documents and settings\Debbie.DEBBIES\Application Data\Mozilla\Firefox\Profiles\eljfz2pb.default\
    FF - prefs.js: browser.startup.homepage - www.Lubbockonline.com
    FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(972)
    c:\windows\system32\igfxdev.dll
    .
    Completion time: 2010-10-09 11:57:53
    ComboFix-quarantined-files.txt 2010-10-09 15:57
    ComboFix2.txt 2010-10-08 23:32
    ComboFix3.txt 2010-10-06 22:11

    Pre-Run: 141,494,931,456 bytes free
    Post-Run: 141,485,166,592 bytes free

    - - End Of File - - F3F06D4FD01BD2D38A543178724D1C6D
  15. Llanonite

    Llanonite TS Rookie Topic Starter

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 12:10:49 PM, on 10/9/2010
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
    C:\WINDOWS\system32\ICO.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
    C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
    C:\Program Files\AWS\WeatherBug\Weather.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lubbockonline.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5612.1312\swg.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
    O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
    O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
    O4 - HKLM\..\Run: [Media Codec Update Service] C:\Program Files\Essentials Codec Pack\update.exe -silent
    O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
    O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

    --
    End of file - 4764 bytes


    Thanks for the help. If there are any more problems I will post here.
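The way a helper reads a HijackThis log like the one above is mostly pattern matching by eye: which start-page hosts are unfamiliar, which autostart (O4) entries run from a bare filename or from an odd directory, which services (O23) have no vendor. The following script is an added example written for this page; it is not HijackThis code and not something from the thread. It applies those three checks to a handful of lines copied from the log posted above plus two constructed lines (marked as such) that illustrate what a flagged entry looks like. The allow-list of hosts and the "expected directory" prefixes are assumptions for the example and must be tuned for a real environment; a finding means "look at this", not "this is malware".

```python
"""Triage helper for HijackThis (HJT) 2.0.x log lines.

Added example, not part of the TechSpot thread or of HijackThis itself.
Checks applied:
  R0/R1 - IE start/search URL whose host is not on a reviewer allow-list
  O4    - autostart whose executable is a bare filename (no directory, so
          the OS locates it by a directory search instead of an absolute
          path; the reviewer must confirm which copy actually runs), or
          whose executable lives outside the expected directories
  O23   - service whose binary has no vendor string ("Unknown owner" in
          HJT output) or lives outside the expected directories
"""
import re
from urllib.parse import urlparse

# Assumptions for this example: hosts accepted without a second look, and
# directories where autostart executables are expected to live (C: drive).
KNOWN_GOOD_HOSTS = {"go.microsoft.com", "www.google.com", "google.com"}
EXPECTED_DIRS = ("c:\\windows\\", "c:\\program files\\")

# First lines are copied from the log posted in the thread; the last two
# (sysupd, netsvc helper) are constructed to show a flagged entry.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lubbockonline.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O4 - HKCU\..\Run: [sysupd] C:\Documents and Settings\User\Local Settings\Temp\sysupd.exe
O23 - Service: netsvc helper - Unknown owner - C:\WINDOWS\system32\nethlp.exe
"""

_R_RE = re.compile(r"^(R[01]) - (?P<key>.+?) = (?P<url>\S+)$")
_O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
_O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")


def normalize_path(p):
    """Lower-case a path and expand the %ProgramFiles%/%windir% and
    PROGRA~1 (8.3 short name) forms seen in HJT logs so that prefix
    checks against EXPECTED_DIRS work. Assumes C: is the system drive."""
    p = p.strip().strip('"').lower()
    p = p.replace("%programfiles%", "c:\\program files")
    p = p.replace("%windir%", "c:\\windows")
    p = p.replace("c:\\progra~1\\", "c:\\program files\\")
    return p


def executable_from_command(cmd):
    """Return the executable portion of a Run-key command line, handling
    quoted paths, unquoted paths that contain spaces, and trailing
    arguments such as '/nogui' or '1'."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"(.+?\.exe)(\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def triage(log_text):
    """Return a list of (entry_type, entry_name, reason) for lines that
    deserve a reviewer's attention, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = _R_RE.match(line)
        if m:
            host = urlparse(m.group("url")).hostname or ""
            if host not in KNOWN_GOOD_HOSTS:
                findings.append((m.group(1), m.group("key"),
                                 f"start/search URL host not on allow-list: {host}"))
            continue
        m = _O4_RE.match(line)
        if m:
            exe = normalize_path(executable_from_command(m.group("cmd")))
            if "\\" not in exe:
                findings.append(("O4", m.group("name"),
                                 f"bare filename {exe!r}: confirm which copy is run"))
            elif not exe.startswith(EXPECTED_DIRS):
                findings.append(("O4", m.group("name"),
                                 f"autostart outside expected dirs: {exe}"))
            continue
        m = _O23_RE.match(line)
        if m:
            path = normalize_path(m.group("path"))
            if m.group("vendor").lower() == "unknown owner":
                findings.append(("O23", m.group("name"),
                                 "service binary carries no vendor information"))
            if not path.startswith(EXPECTED_DIRS):
                findings.append(("O23", m.group("name"),
                                 f"service binary outside expected dirs: {path}"))
    return findings


if __name__ == "__main__":
    for entry_type, name, reason in triage(SAMPLE_LOG):
        print(f"{entry_type:4} {name:25} {reason}")
```

Run against the sample, the script flags the lubbockonline.com start page (the user's chosen home page, so a reviewer confirms it with them and moves on), the two bare-filename O4 entries ICO.EXE and RTHDCPL.EXE (both present in the running-process list under C:\WINDOWS, so benign here, but this is exactly the shape a planted copy would take), and the two constructed entries. The real log entries for Synaptics, avast and WeatherBug pass, as does every O23 line from the thread.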
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    You're welcome. It appears that the redirects have stopped and these logs are clean. Let's go to the last step:
    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
• Now type Combofix /Uninstall in the run box and click OK. Note the space between the X and the U; it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
    • Choose Disk Cleanup
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Empty the Recycle Bin

    Let me know if you need more help. If not, I'll close the thread.
  17. Llanonite

    Llanonite TS Rookie Topic Starter

    Thanks for the help. I have three more PCs that I would like to double check, if I may. I will post the preliminary scans.