Any assistance you can provide will be greatly appreciated. I have attached the last log as a zip attachment, as requested - and, as instructed, here are the rest of the logs. Thanks so much in advance for your help - Don Wozniak:
Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org
Database version: 4016
Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005
4/21/2010 2:31:58 PM
mbam-log-2010-04-21 (14-31-58).txt
Scan type: Quick scan
Objects scanned: 167837
Time elapsed: 6 minute(s), 56 second(s)
Memory Processes Infected: 2
Memory Modules Infected: 1
Registry Keys Infected: 2
Registry Values Infected: 11
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 25
Memory Processes Infected:
C:\Windows\System32\PereSvc.exe (Trojan.Koblu) -> Unloaded process successfully.
C:\Windows\System32\GroupPolicy\User\Scripts\Logon\winlogo.exe (Trojan.Agent) -> Unloaded process successfully.
Memory Modules Infected:
c:\Windows\System32\BtwSvc.dll (Trojan.Agent) -> Delete on reboot.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\btwsvc (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\peresvc (Trojan.Koblu) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\buildw (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\firstinstallflag (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\guid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\I (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\uid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\ulrn (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\update (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\updatenew (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mbt (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mpe (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\appsecdll (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
c:\Windows\System32\BtwSvc.dll (Trojan.Agent) -> Delete on reboot.
C:\Windows\System32\PereSvc.exe (Trojan.Koblu) -> Quarantined and deleted successfully.
C:\Windows\System32\d.bin (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Windows\System32\ms.bin (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\t1p0_207384498781.b1k (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Windows\System32\t1p0_309242508519.b1k (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Windows\System32\t1p0_579320685922.b1k (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Windows\System32\t1p0_633867881587.b1k (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Windows\System32\txpxr_175803499349.b1k (Backdoor.Refpron) -> Quarantined and deleted successfully.
C:\Windows\System32\txpxr_19610067684.b1k (Trojan.Koblu) -> Quarantined and deleted successfully.
C:\Windows\System32\txpxr_276471244028.b1k (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Windows\System32\txpxr_44471318973.b1k (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\txpxr_56602683827.b1k (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\txpxr_606811425875.b1k (Trojan.Koblu) -> Quarantined and deleted successfully.
C:\Windows\System32\txpxr_72918994244.b1k (Trojan.Koblu) -> Quarantined and deleted successfully.
C:\Windows\System32\6641046.exe (Backdoor.Refpron) -> Quarantined and deleted successfully.
C:\Windows\System32\7398493.exe (Backdoor.Refpron) -> Quarantined and deleted successfully.
C:\Windows\System32\8077051.exe (Backdoor.Refpron) -> Quarantined and deleted successfully.
C:\Windows\System32\9865229.exe (Backdoor.Refpron) -> Quarantined and deleted successfully.
C:\Windows\System32\so.bin (Trojan.Koblu) -> Quarantined and deleted successfully.
C:\Windows\System32\grouppolicy\User\Scripts\Logon\autorun.bat (Malware.Trace) -> Quarantined and deleted successfully.
C:\Windows\System32\w.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Windows\System32\FInstall.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Windows\System32\config\systemprofile\Local Settings\Application Data\Windows Server\dgljlc.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\GroupPolicy\User\Scripts\Logon\winlogo.exe (Trojan.Agent) -> Quarantined and deleted successfully.
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-21 15:29:35
Windows 6.0.6002 Service Pack 2
Running: 2fw223l7.exe; Driver: C:\Users\bjones\AppData\Local\Temp\ugtyqfog.sys
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0016419ce247
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0016419ce247@0007617efc90 0x22 0x1A 0x36 0xE4 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0016419ce247@001ccc948464 0xD7 0xD4 0x18 0xD5 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0016419ce247@001dbe2a3741 0x82 0x63 0x1D 0x2D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0016419ce247@0007e095016f 0x5B 0xDF 0x2E 0x7C ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0016419ce247@000761979534 0x86 0x69 0x34 0x56 ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0016419ce247 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0016419ce247@0007617efc90 0x22 0x1A 0x36 0xE4 ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0016419ce247@001ccc948464 0xD7 0xD4 0x18 0xD5 ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0016419ce247@001dbe2a3741 0x82 0x63 0x1D 0x2D ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0016419ce247@0007e095016f 0x5B 0xDF 0x2E 0x7C ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0016419ce247@000761979534 0x86 0x69 0x34 0x56 ...
---- EOF - GMER 1.0.15 ----
DDS (Ver_10-03-17.01) - NTFSx86
Run by Bjones at 15:39:59.12 on Wed 04/21/2010
Internet Explorer: 7.0.6002.18005
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.2045.1177 [GMT -4:00]
AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Symantec Endpoint Protection *enabled* (Updated) {6C85A515-B91D-4D2B-AF18-40984A4A8493}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
============== Running Processes ===============
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\STacSV.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\System32\Rundll32.exe
C:\Windows\system32\UI0Detect.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Pidgin\pidgin.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\UI0Detect.exe
C:\Users\bjones\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe
============== Pseudo HJT Report ===============
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [ScreenPrint32] c:\program files\screenprint32 v3\ScreenPrint32.exe -startup
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\pidgin.lnk - c:\program files\pidgin\pidgin.exe
uPolicies-system: HideLogonScripts = 0 (0x0)
uPolicies-system: HideLegacyLogonScripts = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.6.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://visionsolutions.webex.com/client/T26L/webex/ieatgpc1.cab
Handler: x-owacid - {0215258f-f0a8-49de-bf1b-0ff02eda8807} - c:\program files\microsoft\outlook web access smime client\mimectl.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {7070D8E0-650A-46b3-B03C-9497582E6A74} - %SystemRoot%\system32\soundschemes.exe /AddRegistration
mASetup: {B3688A53-AB2A-4b1d-8CEF-8F93D8C51C24} - %SystemRoot%\system32\soundschemes2.exe /AddRegistration
================= FIREFOX ===================
FF - ProfilePath - c:\users\bjones\appdata\roaming\mozilla\firefox\profiles\ojfni43y.default\
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\nbc direct\npDirectPlayerMozilla.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
============= SERVICES / DRIVERS ===============
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-1-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 55024]
R2 BtwSvc;BtwSvc;c:\windows\system32\svchost.exe -k netsvcs [2008-6-5 21504]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2008-9-11 2436536]
R3 b57nd60x;%SvcDispName%;c:\windows\system32\drivers\b57nd60x.sys [2008-6-5 179712]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-9-1 102448]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-6-5 21504]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-8-22 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-8-22 8320]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2006-12-13 20992]
S3 PeerDistSvc;BranchCache;c:\windows\system32\svchost.exe -k PeerDist [2008-6-5 21504]
S3 PTDCWWAN;PANTECH PC Card WWAN Controller device driver;c:\windows\system32\drivers\PTDCWWAN.sys [2008-7-9 58240]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-1-15 7408]
S3 Smcinst;Symantec Auto-upgrade Agent;c:\program files\symantec\symantec endpoint protection\smclu\setup\smcinst.exe --> c:\program files\symantec\symantec endpoint protection\smclu\setup\smcinst.exe [?]
S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-3 135664]
S4 peresvc;peresvc Service;c:\windows\system32\PereSvc.exe [2006-11-2 65536]
S4 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-4-15 1153368]
=============== Created Last 30 ================
2010-04-21 19:33:13 33280 ----a-w- c:\windows\system32\2261424.exe
2010-04-21 19:33:03 170047 ----a-w- c:\windows\system32\7304041.exe
2010-04-21 19:03:50 93056 ----a-w- C:\ugtyqfog.sys
2010-04-21 18:43:48 33280 ----a-w- c:\windows\system32\364036.exe
2010-04-21 18:43:36 92672 ----a-w- c:\windows\system32\w.exe
2010-04-21 18:43:36 44544 ----a-w- c:\windows\system32\ms.bin
2010-04-21 18:43:36 40960 ----a-w- c:\windows\system32\so.bin
2010-04-21 18:43:36 36864 ----a-w- c:\windows\system32\d.bin
2010-04-21 18:43:35 170047 ----a-w- c:\windows\system32\8119928.exe
2010-04-21 18:42:23 142361531 ----a-w- c:\windows\MEMORY.DMP
2010-04-21 18:37:19 33280 ----a-w- c:\windows\system32\2539286.exe
2010-04-21 18:37:08 170047 ----a-w- c:\windows\system32\9225732.exe
2010-04-21 18:34:43 0 ----a-w- c:\windows\system32\t1p0_197158136798.b1k
2010-04-21 18:20:15 0 d-----w- c:\users\bjones\appdata\roaming\Malwarebytes
2010-04-21 18:19:56 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-21 18:19:55 0 d-----w- c:\programdata\Malwarebytes
2010-04-21 18:19:54 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-21 18:19:54 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-21 18:17:21 33280 ----a-w- c:\windows\system32\2249369.exe
2010-04-21 16:49:02 33280 ----a-w- c:\windows\system32\3760755.exe
2010-04-21 16:37:22 33280 ----a-w- c:\windows\system32\9612192.exe
2010-04-21 16:17:16 0 d-sh--w- C:\$RECYCLE.BIN
2010-04-21 16:03:08 33280 ----a-w- c:\windows\system32\3861155.exe
2010-04-21 12:42:35 286720 ----a-w- c:\windows\PEV.exe
2010-04-21 12:42:35 186880 ----a-w- c:\windows\SWREG.exe
2010-04-21 12:42:35 123392 ----a-w- c:\windows\sed.exe
2010-04-21 12:42:35 105984 ----a-w- c:\windows\MBR.exe
2010-04-15 12:58:52 0 d-----w- c:\program files\Trend Micro
==================== Find3M ====================
2010-04-21 18:34:28 6396 ----a-w- c:\windows\bthservsdp.dat
2010-02-20 23:06:41 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:05:14 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-02-20 20:53:34 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-02-04 12:56:21 51200 ----a-w- c:\windows\inf\infpub.dat
2010-02-04 12:56:15 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-02-04 12:56:01 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-02-04 12:56:00 143360 ----a-w- c:\windows\inf\infstor.dat
2010-01-25 12:00:35 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2010-01-25 12:00:35 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-01-25 12:00:35 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-01-25 12:00:22 471552 ----a-w- c:\windows\system32\secproc.dll
2010-01-25 11:58:52 332288 ----a-w- c:\windows\system32\msdrm.dll
2010-01-25 08:21:20 550912 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-01-25 08:21:20 371200 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-25 08:21:18 542720 ----a-w- c:\windows\system32\RMActivate.exe
2010-01-25 08:21:18 371712 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-01-23 09:26:13 2048 ----a-w- c:\windows\system32\tzres.dll
2008-06-05 18:31:03 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:40:37 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:40:37 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:40:37 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:40:37 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2007-02-21 19:50:45 8192 --sha-w- c:\windows\users\default\NTUSER.DAT
============= FINISH: 15:42:52.04 ===============
S4 peresvc;peresvc Service;c:\windows\system32\PereSvc.exe [2006-11-2 65536]
S4 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-4-15 1153368]
=============== Created Last 30 ================
2010-04-21 19:33:13 33280 ----a-w- c:\windows\system32\2261424.exe
2010-04-21 19:33:03 170047 ----a-w- c:\windows\system32\7304041.exe
2010-04-21 19:03:50 93056 ----a-w- C:\ugtyqfog.sys
2010-04-21 18:43:48 33280 ----a-w- c:\windows\system32\364036.exe
2010-04-21 18:43:36 92672 ----a-w- c:\windows\system32\w.exe
2010-04-21 18:43:36 44544 ----a-w- c:\windows\system32\ms.bin
2010-04-21 18:43:36 40960 ----a-w- c:\windows\system32\so.bin
2010-04-21 18:43:36 36864 ----a-w- c:\windows\system32\d.bin
2010-04-21 18:43:35 170047 ----a-w- c:\windows\system32\8119928.exe
2010-04-21 18:42:23 142361531 ----a-w- c:\windows\MEMORY.DMP
2010-04-21 18:37:19 33280 ----a-w- c:\windows\system32\2539286.exe
2010-04-21 18:37:08 170047 ----a-w- c:\windows\system32\9225732.exe
2010-04-21 18:34:43 0 ----a-w- c:\windows\system32\t1p0_197158136798.b1k
2010-04-21 18:20:15 0 d-----w- c:\users\bjones\appdata\roaming\Malwarebytes
2010-04-21 18:19:56 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-21 18:19:55 0 d-----w- c:\programdata\Malwarebytes
2010-04-21 18:19:54 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-21 18:19:54 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-21 18:17:21 33280 ----a-w- c:\windows\system32\2249369.exe
2010-04-21 16:49:02 33280 ----a-w- c:\windows\system32\3760755.exe
2010-04-21 16:37:22 33280 ----a-w- c:\windows\system32\9612192.exe
2010-04-21 16:17:16 0 d-sh--w- C:\$RECYCLE.BIN
2010-04-21 16:03:08 33280 ----a-w- c:\windows\system32\3861155.exe
2010-04-21 12:42:35 286720 ----a-w- c:\windows\PEV.exe
2010-04-21 12:42:35 186880 ----a-w- c:\windows\SWREG.exe
2010-04-21 12:42:35 123392 ----a-w- c:\windows\sed.exe
2010-04-21 12:42:35 105984 ----a-w- c:\windows\MBR.exe
2010-04-15 12:58:52 0 d-----w- c:\program files\Trend Micro
==================== Find3M ====================
2010-04-21 18:34:28 6396 ----a-w- c:\windows\bthservsdp.dat
2010-02-20 23:06:41 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:05:14 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-02-20 20:53:34 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-02-04 12:56:21 51200 ----a-w- c:\windows\inf\infpub.dat
2010-02-04 12:56:15 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-02-04 12:56:01 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-02-04 12:56:00 143360 ----a-w- c:\windows\inf\infstor.dat
2010-01-25 12:00:35 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2010-01-25 12:00:35 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-01-25 12:00:35 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-01-25 12:00:22 471552 ----a-w- c:\windows\system32\secproc.dll
2010-01-25 11:58:52 332288 ----a-w- c:\windows\system32\msdrm.dll
2010-01-25 08:21:20 550912 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-01-25 08:21:20 371200 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-25 08:21:18 542720 ----a-w- c:\windows\system32\RMActivate.exe
2010-01-25 08:21:18 371712 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-01-23 09:26:13 2048 ----a-w- c:\windows\system32\tzres.dll
2008-06-05 18:31:03 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:40:37 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:40:37 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:40:37 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:40:37 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2007-02-21 19:50:45 8192 --sha-w- c:\windows\users\default\NTUSER.DAT
============= FINISH: 15:42:52.04 ===============