Something redirecting searches on Google to shopping sites.
Running Windows XP SP3 with Norton NIS2010 (since April). Something might
have gotten past Microsoft Security Essentials before then.
Please help
Thanks
Ken
Logs follow
Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org
Database version: 3967
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
6/26/2010 10:17:38 AM
mbam-log-2010-06-26 (10-17-38).txt
Scan type: Quick scan
Objects scanned: 127038
Time elapsed: 4 minute(s), 21 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-06-26 10:27:18
Windows 5.1.2600 Service Pack 3
Running: qd27nmp4.exe; Driver: C:\DOCUME~1\Ken\LOCALS~1\Temp\pxtdipog.sys
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
---- EOF - GMER 1.0.15 ----
DDS (Ver_10-03-17.01) - NTFSx86
Run by Ken at 10:27:58.00 on Sat 06/26/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2545 [GMT -7:00]
AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
============== Running Processes ===============
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
D:\Fil\Logitech\MouseWare\system\em_exec.exe
D:\Fixers\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
D:\Utilities\NortonUtilities14\nu.exe
D:\DiscWriting\AnyDVD\AnyDVDtray.exe
D:\Fil\Aladdin Systems\iClean\iClean.exe
C:\Program Files\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Norton Internet Security\Engine\17.7.0.12\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
D:\Video\Replay Media Catcher\FLVSrvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ken\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.washingtonpost.com/
uWindow Title = Internet Explorer, optimized for Bing and MSN
uDefault_Page_URL = hxxp://www.msn.com
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\17.7.0.12\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\17.7.0.12\IPSBHO.DLL
BHO: FlashCatchBHO Class: {88618a96-6d8a-42e7-b932-9073d5b2080f} - d:\video\flashcatch\flashcatch.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: FlashCatch: {10cecf4f-a96e-4803-8ac2-f565fb29ff47} - d:\video\flashcatch\flashcatch.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\17.7.0.12\coIEPlg.dll
TB: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [NortonUtilities] d:\utilities\nortonutilities14\nu.exe /H
uRun: [AnyDVD] d:\discwriting\anydvd\AnyDVDtray.exe
uRun: [iClean] "d:\fil\aladdin systems\iclean\iClean.exe" /I
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [UnlockerAssistant] "d:\fixers\unlocker\UnlockerAssistant.exe"
mRun: [QuickTime Task] "d:\video\quicktime\qttask.exe" -atboottime
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [Ask and Record FLV Service] "d:\video\replay media catcher\FLVSrvc.exe" /run
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\stickies.lnk - d:\fil\stickies\stickies.exe
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {1F958B09-3312-7f0e-9723-4C1324C57B20} - d:\audio\internet radio\Radio.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - d:\msoffice\office11\REFIEBAR.DLL
Trusted Zone: intuit.com\ttlc
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: FencesShlExt Class: {1984dd45-52cf-49cd-ab77-18f378fea264} - d:\utilities\fences\FencesMenu.dll
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\ken\applic~1\mozilla\firefox\profiles\l3wacew6.default\
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.6.0.32\coffplgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.6.0.32\ipsffplgn\components\IPSFFPl.dll
FF - component: d:\video\flashcatch\firefox\components\FlashCatch.dll
FF - component: d:\video\flashcatch\firefox\components\FlashCatch191.dll
FF - component: d:\video\flashcatch\firefox\components\FlashCatch192.dll
FF - plugin: c:\windows\system32\npmirage.dll
FF - plugin: c:\windows\system32\npwmsdrm.dll
FF - plugin: d:\video\quicktime\plugins\npqtplugin.dll
FF - plugin: d:\video\quicktime\plugins\npqtplugin2.dll
FF - plugin: d:\video\quicktime\plugins\npqtplugin3.dll
FF - plugin: d:\video\quicktime\plugins\npqtplugin4.dll
FF - plugin: d:\video\quicktime\plugins\npqtplugin5.dll
FF - plugin: d:\video\quicktime\plugins\npqtplugin6.dll
FF - plugin: d:\video\quicktime\plugins\npqtplugin7.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - d:\utilities\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
---- FIREFOX POLICIES ----
d:\utilities\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
d:\utilities\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
d:\utilities\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
d:\utilities\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
d:\utilities\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
d:\utilities\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
d:\utilities\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
d:\utilities\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
d:\utilities\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
d:\utilities\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
d:\utilities\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
d:\utilities\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
d:\utilities\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
d:\utilities\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
d:\utilities\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
d:\utilities\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
d:\utilities\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
d:\utilities\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
d:\utilities\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
d:\utilities\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
d:\utilities\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
d:\utilities\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
d:\utilities\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
d:\utilities\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
d:\utilities\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
d:\utilities\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
d:\utilities\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
d:\utilities\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
d:\utilities\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
d:\utilities\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
d:\utilities\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
d:\utilities\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
d:\utilities\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
d:\utilities\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
d:\utilities\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
d:\utilities\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
d:\utilities\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
============= SERVICES / DRIVERS ===============
R0 MrFilter;EasyWrite Driver;c:\windows\system32\drivers\MRFilter.sys [2009-7-9 12096]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1107000.00c\symds.sys [2010-6-11 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1107000.00c\symefa.sys [2010-6-11 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.6.0.32\definitions\bashdefs\20100619.001\BHDrvx86.sys [2010-6-23 691248]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1107000.00c\cchpx86.sys [2010-6-11 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1107000.00c\ironx86.sys [2010-6-11 116784]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-6-19 102448]
R3 GenericMount;Generic Mount Driver;c:\windows\system32\drivers\GenericMount.sys [2009-9-21 57840]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.6.0.32\definitions\ipsdefs\20100625.001\IDSXpx86.sys [2010-6-25 331640]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.6.0.32\definitions\virusdefs\20100626.002\NAVENG.SYS [2010-6-26 85552]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.6.0.32\definitions\virusdefs\20100626.002\NAVEX15.SYS [2010-6-26 1347504]
S3 EasyRecordAD;EzRecorder Audio Device;c:\windows\system32\drivers\easyrecord.sys [2010-1-22 18816]
S3 JakNDisMP;JakNDisMP;c:\windows\system32\drivers\jakndis.sys --> c:\windows\system32\drivers\JakNDis.sys [?]
=============== Created Last 30 ================
2010-06-26 17:09:46 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-06-26 17:05:55 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-25 03:04:49 599040 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-06-25 03:04:49 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-06-25 03:04:48 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-25 03:04:48 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-06-25 03:04:48 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-06-25 03:04:47 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-06-25 03:04:46 11076096 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-06-25 03:03:31 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-06-25 03:03:22 455680 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-06-25 03:03:03 2066432 -c----w- c:\windows\system32\dllcache\mstscax.dll
2010-06-25 03:03:00 2189952 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-06-25 03:03:00 2024448 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-06-25 03:02:59 2146304 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-06-25 03:02:59 2066816 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-06-25 03:02:46 17920 -c----w- c:\windows\system32\dllcache\msyuv.dll
2010-06-25 03:02:20 8704 -c----w- c:\windows\system32\dllcache\tsbyuv.dll
2010-06-25 03:02:20 48128 -c----w- c:\windows\system32\dllcache\iyuv_32.dll
2010-06-24 17:03:12 0 dc-h--w- c:\windows\ie8
2010-06-24 15:45:59 8704 -c--a-w- c:\windows\system32\dllcache\snmptrap.exe
2010-06-24 15:44:57 78848 -c--a-w- c:\windows\system32\dllcache\dayi.ime
2010-06-24 15:43:16 488 ---ha-r- c:\windows\system32\logonui.exe.manifest
2010-06-24 15:43:11 749 ---ha-r- c:\windows\WindowsShell.Manifest
2010-06-24 15:43:11 749 ---ha-r- c:\windows\system32\wuaucpl.cpl.manifest
2010-06-24 15:43:11 749 ---ha-r- c:\windows\system32\sapi.cpl.manifest
2010-06-24 15:43:11 749 ---ha-r- c:\windows\system32\nwc.cpl.manifest
2010-06-24 15:43:11 749 ---ha-r- c:\windows\system32\ncpa.cpl.manifest
2010-06-24 05:36:37 0 d-----w- c:\program files\Online Services
2010-06-18 15:58:15 381219 ----a-w- c:\windows\setupapi.old
2010-06-18 05:31:20 0 d-----w- c:\program files\Applian Director
2010-06-18 05:30:50 0 d-----w- c:\program files\Replay Media Catcher
2010-06-11 03:53:54 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-06-11 03:53:54 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-06-11 03:53:54 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-06-11 03:53:54 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-06-11 03:53:30 0 d-----w- c:\windows\system32\drivers\NIS
2010-06-11 03:53:28 0 d-----w- c:\program files\Norton Internet Security
2010-06-11 03:53:06 0 d-----w- c:\program files\NortonInstaller
2010-06-11 02:31:51 0 d-----w- c:\docume~1\ken\applic~1\Tific
2010-06-09 20:41:03 106432 -c--a-w- c:\windows\system32\drivers\AnyDVD.sys
2010-06-03 15:58:48 547 ----a-w- c:\windows\system32\ffdshow.ax.manifest
2010-06-03 15:58:48 547 ----a-w- c:\windows\system32\ff_vfw.dll.manifest
2010-06-03 15:58:48 336384 ----a-w- c:\windows\system32\lame.ax
2010-06-03 15:58:48 1708 ----a-w- c:\windows\system32\openIE.js
2010-06-03 15:58:48 0 d-----w- c:\windows\system32\languages
2010-06-03 15:58:47 707682 ----a-w- c:\windows\system32\unins000.exe
2010-06-03 15:58:47 35888 ----a-w- c:\windows\system32\unins000.dat
2010-06-02 18:24:22 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{A87EB928-0C6C-4071-AEF1-59E32BAEDF1B}
2010-05-28 23:46:19 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{3161C5EB-033A-4593-97E6-741F16996E9C}
==================== Find3M ====================
2010-06-25 02:52:33 237568 -c--a-w- c:\windows\system32\rmc_rtspdl.dll
2010-06-25 02:52:33 156672 -c--a-w- c:\windows\system32\rmc_fixasf.exe
2010-06-24 15:42:00 24940 -c--a-w- c:\windows\system32\emptyregdb.dat
2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-30 00:09:56 311296 -c--a-w- c:\windows\system32\TubeFinder.exe
2010-04-28 03:58:26 0 -c-ha-w- c:\windows\system32\drivers\Msft_Kernel_GenericMount_01009.Wdf
2010-04-28 03:58:13 0 -c-ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-06 23:09:09 81984 -c--a-w- c:\windows\system32\bdod.bin
2010-03-31 07:16:34 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-03-31 07:10:40 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2010-01-01 22:17:46 98304 --sha-r- c:\windows\system32\msrle32O.dll
============= FINISH: 10:29:08.03 ===============
2010-06-25 03:04:48 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-06-25 03:04:47 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-06-25 03:04:46 11076096 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-06-25 03:03:31 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-06-25 03:03:22 455680 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-06-25 03:03:03 2066432 -c----w- c:\windows\system32\dllcache\mstscax.dll
2010-06-25 03:03:00 2189952 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-06-25 03:03:00 2024448 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-06-25 03:02:59 2146304 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-06-25 03:02:59 2066816 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-06-25 03:02:46 17920 -c----w- c:\windows\system32\dllcache\msyuv.dll
2010-06-25 03:02:20 8704 -c----w- c:\windows\system32\dllcache\tsbyuv.dll
2010-06-25 03:02:20 48128 -c----w- c:\windows\system32\dllcache\iyuv_32.dll
2010-06-24 17:03:12 0 dc-h--w- c:\windows\ie8
2010-06-24 15:45:59 8704 -c--a-w- c:\windows\system32\dllcache\snmptrap.exe
2010-06-24 15:44:57 78848 -c--a-w- c:\windows\system32\dllcache\dayi.ime
2010-06-24 15:43:16 488 ---ha-r- c:\windows\system32\logonui.exe.manifest
2010-06-24 15:43:11 749 ---ha-r- c:\windows\WindowsShell.Manifest
2010-06-24 15:43:11 749 ---ha-r- c:\windows\system32\wuaucpl.cpl.manifest
2010-06-24 15:43:11 749 ---ha-r- c:\windows\system32\sapi.cpl.manifest
2010-06-24 15:43:11 749 ---ha-r- c:\windows\system32\nwc.cpl.manifest
2010-06-24 15:43:11 749 ---ha-r- c:\windows\system32\ncpa.cpl.manifest
2010-06-24 05:36:37 0 d-----w- c:\program files\Online Services
2010-06-18 15:58:15 381219 ----a-w- c:\windows\setupapi.old
2010-06-18 05:31:20 0 d-----w- c:\program files\Applian Director
2010-06-18 05:30:50 0 d-----w- c:\program files\Replay Media Catcher
2010-06-11 03:53:54 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-06-11 03:53:54 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-06-11 03:53:54 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-06-11 03:53:54 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-06-11 03:53:30 0 d-----w- c:\windows\system32\drivers\NIS
2010-06-11 03:53:28 0 d-----w- c:\program files\Norton Internet Security
2010-06-11 03:53:06 0 d-----w- c:\program files\NortonInstaller
2010-06-11 02:31:51 0 d-----w- c:\docume~1\ken\applic~1\Tific
2010-06-09 20:41:03 106432 -c--a-w- c:\windows\system32\drivers\AnyDVD.sys
2010-06-03 15:58:48 547 ----a-w- c:\windows\system32\ffdshow.ax.manifest
2010-06-03 15:58:48 547 ----a-w- c:\windows\system32\ff_vfw.dll.manifest
2010-06-03 15:58:48 336384 ----a-w- c:\windows\system32\lame.ax
2010-06-03 15:58:48 1708 ----a-w- c:\windows\system32\openIE.js
2010-06-03 15:58:48 0 d-----w- c:\windows\system32\languages
2010-06-03 15:58:47 707682 ----a-w- c:\windows\system32\unins000.exe
2010-06-03 15:58:47 35888 ----a-w- c:\windows\system32\unins000.dat
2010-06-02 18:24:22 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{A87EB928-0C6C-4071-AEF1-59E32BAEDF1B}
2010-05-28 23:46:19 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{3161C5EB-033A-4593-97E6-741F16996E9C}
==================== Find3M ====================
2010-06-25 02:52:33 237568 -c--a-w- c:\windows\system32\rmc_rtspdl.dll
2010-06-25 02:52:33 156672 -c--a-w- c:\windows\system32\rmc_fixasf.exe
2010-06-24 15:42:00 24940 -c--a-w- c:\windows\system32\emptyregdb.dat
2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-30 00:09:56 311296 -c--a-w- c:\windows\system32\TubeFinder.exe
2010-04-28 03:58:26 0 -c-ha-w- c:\windows\system32\drivers\Msft_Kernel_GenericMount_01009.Wdf
2010-04-28 03:58:13 0 -c-ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-06 23:09:09 81984 -c--a-w- c:\windows\system32\bdod.bin
2010-03-31 07:16:34 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-03-31 07:10:40 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2010-01-01 22:17:46 98304 --sha-r- c:\windows\system32\msrle32O.dll
============= FINISH: 10:29:08.03 ===============