Solved Have Redirect/Rootkit Virus. Need Help with Removal

pkbrooks · Jan 12, 2011

Howdy!

Have a pretty little nasty! Looks like a Redirect/Rootkit virus. Have included all the proper "pastes". Would love to have some help.

Thanks a bunch,

pkbrooks

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4715

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/12/2011 8:09:20 AM
mbam-log-2011-01-12 (08-09-20).txt

Scan type: Quick scan
Objects scanned: 254507
Time elapsed: 17 minute(s), 0 second(s)

Memory Processes Infected: 30
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 67
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 26

Memory Processes Infected:
C:\WINDOWS\spoolsv.exe (Malware.Packer.Gen) -> Unloaded process successfully.
C:\WINDOWS\win.exe (Malware.Packer.Gen) -> Unloaded process successfully.
C:\WINDOWS\winamp.exe (Malware.Packer.Gen) -> Unloaded process successfully.
C:\WINDOWS\avp32.exe (Malware.Packer.Gen) -> Unloaded process successfully.
C:\WINDOWS\nvsvc32.exe (Malware.Packer.Gen) -> Unloaded process successfully.
C:\WINDOWS\mdm.exe (Malware.Packer.Gen) -> Unloaded process successfully.
C:\WINDOWS\hexdump.exe (Malware.Packer.Gen) -> Unloaded process successfully.
C:\WINDOWS\drweb.exe (Malware.Packer.Gen) -> Unloaded process successfully.
C:\WINDOWS\user.exe (Malware.Packer.Gen) -> Unloaded process successfully.
C:\WINDOWS\win16.exe (Malware.Packer.Gen) -> Unloaded process successfully.
C:\WINDOWS\avp.exe (Malware.Packer.Gen) -> Unloaded process successfully.
C:\Documents and Settings\Administrator.MCC\Local Settings\Temp\wininst.exe (Malware.Packer.Gen) -> Unloaded process successfully.
C:\Documents and Settings\Administrator.MCC\Local Settings\Temp\gdi32.exe (Malware.Packer.Gen) -> Unloaded process successfully.
C:\Documents and Settings\Administrator.MCC\Local Settings\Temp\winamp.exe (Malware.Packer.Gen) -> Unloaded process successfully.
C:\WINDOWS\spoolsv.exe (Malware.Packer.Gen) -> Unloaded process successfully.
C:\WINDOWS\win.exe (Malware.Packer.Gen) -> Unloaded process successfully.
C:\WINDOWS\winamp.exe (Malware.Packer.Gen) -> Unloaded process successfully.
C:\WINDOWS\wininst.exe (Malware.Packer.Gen) -> Unloaded process successfully.
C:\WINDOWS\avp32.exe (Malware.Packer.Gen) -> Unloaded process successfully.
C:\WINDOWS\nvsvc32.exe (Malware.Packer.Gen) -> Unloaded process successfully.
C:\WINDOWS\mdm.exe (Malware.Packer.Gen) -> Unloaded process successfully.
C:\WINDOWS\hexdump.exe (Malware.Packer.Gen) -> Unloaded process successfully.
C:\WINDOWS\drweb.exe (Malware.Packer.Gen) -> Unloaded process successfully.
C:\WINDOWS\user.exe (Malware.Packer.Gen) -> Unloaded process successfully.
C:\WINDOWS\win16.exe (Malware.Packer.Gen) -> Unloaded process successfully.
C:\WINDOWS\avp.exe (Malware.Packer.Gen) -> Unloaded process successfully.
C:\Documents and Settings\Administrator.MCC\Local Settings\Temp\wininst.exe (Malware.Packer.Gen) -> Unloaded process successfully.
C:\Documents and Settings\Administrator.MCC\Local Settings\Temp\gdi32.exe (Malware.Packer.Gen) -> Unloaded process successfully.
C:\Documents and Settings\Administrator.MCC\Local Settings\Temp\winamp.exe (Malware.Packer.Gen) -> Unloaded process successfully.
C:\WINDOWS\taskmgr.exe (Worm.Saphira) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mkeuf (Malware.Packer.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mkeuf (Malware.Packer.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mkfa (Malware.Packer.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mkfa (Malware.Packer.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mkfpe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mkfpe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mkzsc (Malware.Packer.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mkzsc (Malware.Packer.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mkdw+ (Malware.Packer.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mkdw+ (Malware.Packer.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mkcz (Malware.Packer.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mkcz (Malware.Packer.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mkbtc (Malware.Packer.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mkbtc (Malware.Packer.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mkasc (Malware.Packer.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mkasc (Malware.Packer.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mkee (Malware.Packer.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mkee (Malware.Packer.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mkfpc (Malware.Packer.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mkfpc (Malware.Packer.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mkze (Malware.Packer.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mkze (Malware.Packer.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hnugraoxrsre (Malware.Packer.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hnugraoxrsre (Malware.Packer.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hnugraoxromc (Malware.Packer.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hnugraoxromc (Malware.Packer.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hnugraoxrspe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hnugraoxrspe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mkfre (Malware.Packer.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mkfre (Malware.Packer.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hnugraoxrpuc (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hnugraoxrpuc (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hnugraoxrrrb (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hnugraoxrrrb (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hnugraoxrssc (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hnugraoxrssc (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mkerb (Worm.Saphira) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mkerb (Worm.Saphira) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hnugtoxrnoc (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hnugraoxrruf (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hnugraoxrnsc (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hnugtoxrprc (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hnugtoxrspk (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hnugtoxrspi (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hnugtoxrpuk (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hnugtoxrptk (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hnugtoxrmn (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hnugraoxrota (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hnugraoxrmsc (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hnugraoxrrxe (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hnugraoxrsa (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hnugraoxrme (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hnugtoxrnoc (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hnugraoxrruf (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hnugraoxrnsc (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hnugtoxrprc (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hnugtoxrpuk (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hnugtoxrspk (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hnugtoxrspi (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hnugtoxrptk (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hnugtoxrmn (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hnugraoxrota (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hnugraoxrmsc (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hnugraoxrrxe (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hnugraoxrsa (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hnugraoxrme (Trojan.Downloader.Gen) -> Delete on reboot.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\spoolsv.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\win.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\winamp.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\avp32.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\nvsvc32.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\mdm.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\hexdump.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\drweb.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\user.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\win16.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\avp.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator.MCC\Local Settings\Temp\wininst.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator.MCC\Local Settings\Temp\gdi32.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator.MCC\Local Settings\Temp\winamp.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\wininst.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator.MCC\Local Settings\Temp\1061093108.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Break Time\Local Settings\Application Data\rfslia.dll (Trojan.Hiloti.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator.MCC\Local Settings\Temp\iExplorer.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator.MCC\Local Settings\Temp\lsass.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Administrator.MCC\Local Settings\Temp\taskmgr.exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\Administrator.MCC\Local Settings\Temp\winlogon.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\taskmgr.exe (Worm.Saphira) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator.MCC\Local Settings\Temp\drweb.exe (Trojan.Downloader.Gen) -> Delete on reboot.
C:\Documents and Settings\Administrator.MCC\Local Settings\Temp\system.exe (Trojan.Downloader.Gen) -> Delete on reboot.
C:\Documents and Settings\Administrator.MCC\Local Settings\Temp\win.exe (Trojan.Downloader.Gen) -> Delete on reboot.
C:\Documents and Settings\Administrator.MCC\Local Settings\Temp\avp.exe (Trojan.Downloader.Gen) -> Delete on reboot.

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-01-12 11:44:49
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\iaStor0 Intel___ rev.0.1.
Running: ltmh01wy.exe; Driver: C:\DOCUME~1\ADMINI~1.MCC\LOCALS~1\Temp\uwtdypod.sys

---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xBA511620]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1108] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00EF000A
.text C:\WINDOWS\System32\svchost.exe[1108] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00F0000A
.text C:\WINDOWS\System32\svchost.exe[1108] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00EE000C
.text C:\WINDOWS\System32\svchost.exe[1108] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 008A000A
.text C:\WINDOWS\System32\svchost.exe[1108] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 0105000A
.text C:\WINDOWS\Explorer.EXE[3640] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00D4000A
.text C:\WINDOWS\Explorer.EXE[3640] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D5000A
.text C:\WINDOWS\Explorer.EXE[3640] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00C2000C

---- Devices - GMER 1.0.15 ----

Device \Driver\iaStor -> DriverStartIo \Device\Ide\iaStor0 86A7FA9F
Device \Device\Ide\IAAStorageDevice-0 -> \??\IDE#DiskRAID_Volume00.1.12_U#4&244ba08&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@NoChange 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS@Installed 1
Reg HKLM\SOFTWARE\Classes\CLSID\{16B0E0C0-F695-559D-5E9C-9936C190ABA1}\InprocHandler32@ ole32.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{16B0E0C0-F695-559D-5E9C-9936C190ABA1}\LocalServer32@ C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
Reg HKLM\SOFTWARE\Classes\CLSID\{16B0E0C0-F695-559D-5E9C-9936C190ABA1}\LocalServer32@LocalServer32 10!!!gxsf(Ng]qF`H{LsOUTLOOKFiles>ToT]jI{jf(=1&L[-81-]?
Reg HKLM\SOFTWARE\Classes\CLSID\{1FAA1C40-BEBE-E22A-4256-3A28C943A807}\InprocServer32@ C:\Program Files\Common Files\Microsoft Shared\Picture It!\DigWebX.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{1FAA1C40-BEBE-E22A-4256-3A28C943A807}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{1FAA1C40-BEBE-E22A-4256-3A28C943A807}\MiscStatus@ 0
Reg HKLM\SOFTWARE\Classes\CLSID\{1FAA1C40-BEBE-E22A-4256-3A28C943A807}\MiscStatus\1
Reg HKLM\SOFTWARE\Classes\CLSID\{1FAA1C40-BEBE-E22A-4256-3A28C943A807}\MiscStatus\1@ 131473
Reg HKLM\SOFTWARE\Classes\CLSID\{1FAA1C40-BEBE-E22A-4256-3A28C943A807}\ProgID@ DigWebX2.BatchDownloader.1
Reg HKLM\SOFTWARE\Classes\CLSID\{1FAA1C40-BEBE-E22A-4256-3A28C943A807}\ToolboxBitmap32@ C:\Program Files\Common Files\Microsoft Shared\Picture It!\DigWebX.dll, 105
Reg HKLM\SOFTWARE\Classes\CLSID\{1FAA1C40-BEBE-E22A-4256-3A28C943A807}\TypeLib@ {13FA0C3E-6B1C-4d8b-88CD-6DA8E1CA7653}
Reg HKLM\SOFTWARE\Classes\CLSID\{1FAA1C40-BEBE-E22A-4256-3A28C943A807}\Version@ 1.0
Reg HKLM\SOFTWARE\Classes\CLSID\{1FAA1C40-BEBE-E22A-4256-3A28C943A807}\VersionIndependentProgID@ DigWebX2.BatchDownloader

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00 (MBR): rootkit-like behavior; TDL4 <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 32: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 33: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sectors 312498944 (+255): rootkit-like behavior;

---- EOF - GMER 1.0.15 ----

pkbrooks · Jan 12, 2011

Help

Cant seem to get the DDS and ATTACH files to paste in. Is that normal? Put them in and then attempt to post and it goes to a no-load page.

pkbrooks

Broni · Jan 12, 2011

Welcome aboard

Please, observe following rules:

Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
If you're stuck, or you're not sure about certain step, always ask before doing anything else.
Please refrain from running tools or applying updates other than those I suggest.
Never run more than one scan at a time.
Keep updating me regarding your computer behavior, good, or bad.
The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

=========================================================================

Download TDSSKiller and save it to your desktop.

Extract (unzip) its contents to your desktop.
Open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
If an infected file is detected, the default action will be Cure, click on Continue.
If a suspicious file is detected, the default action will be Skip, click on Continue.
It may ask you to reboot the computer to complete the process. Click on Reboot Now.
If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.

pkbrooks · Jan 13, 2011

tdsskiller log finished

thanks for the quick response. here is the paste.

pkbrooks

2011/01/13 09:38:46.0786 TDSS rootkit removing tool 2.4.13.0 Jan 12 2011 09:51:11
2011/01/13 09:38:46.0786 ================================================================================
2011/01/13 09:38:46.0786 SystemInfo:
2011/01/13 09:38:46.0786
2011/01/13 09:38:46.0786 OS Version: 5.1.2600 ServicePack: 3.0
2011/01/13 09:38:46.0786 Product type: Workstation
2011/01/13 09:38:46.0786 ComputerName: JAMIEB
2011/01/13 09:38:46.0786 UserName: Administrator
2011/01/13 09:38:46.0786 Windows directory: C:\WINDOWS
2011/01/13 09:38:46.0786 System windows directory: C:\WINDOWS
2011/01/13 09:38:46.0786 Processor architecture: Intel x86
2011/01/13 09:38:46.0786 Number of processors: 2
2011/01/13 09:38:46.0786 Page size: 0x1000
2011/01/13 09:38:46.0786 Boot type: Normal boot
2011/01/13 09:38:46.0786 ================================================================================
2011/01/13 09:38:46.0989 Initialize success
2011/01/13 09:39:07.0411 ================================================================================
2011/01/13 09:39:07.0411 Scan started
2011/01/13 09:39:07.0411 Mode: Manual;
2011/01/13 09:39:07.0411 ================================================================================
2011/01/13 09:39:08.0817 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/01/13 09:39:08.0911 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/01/13 09:39:09.0067 aeaudio (11c04b17ed2abbb4833694bcd644ac90) C:\WINDOWS\system32\drivers\aeaudio.sys
2011/01/13 09:39:09.0114 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/01/13 09:39:09.0145 Afc (fe3ea6e9afc1a78e6edca121e006afb7) C:\WINDOWS\system32\drivers\Afc.sys
2011/01/13 09:39:09.0192 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/01/13 09:39:09.0239 AFS2K (0ebb674888cbdefd5773341c16dd6a07) C:\WINDOWS\system32\drivers\AFS2K.sys
2011/01/13 09:39:09.0614 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/01/13 09:39:09.0692 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/01/13 09:39:09.0817 ati2mtag (c82240ce60a9326e52282f62ba923f27) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
2011/01/13 09:39:09.0942 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/01/13 09:39:10.0020 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/01/13 09:39:10.0114 b57w2k (4826fcf97c47b361a2e2f68cd487a19e) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
2011/01/13 09:39:10.0207 BANTExt (5d7be7b19e827125e016325334e58ff1) C:\WINDOWS\System32\Drivers\BANTExt.sys
2011/01/13 09:39:10.0270 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/01/13 09:39:10.0317 bvrp_pci (c945dc4eee3f624dfd07788ea7f0db0a) C:\WINDOWS\System32\drivers\bvrp_pci.sys
2011/01/13 09:39:10.0364 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/01/13 09:39:10.0457 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/01/13 09:39:10.0489 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/01/13 09:39:10.0536 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/01/13 09:39:10.0661 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2011/01/13 09:39:10.0926 DgiVecp (770471de2550820feeb7e5d24bf2e273) C:\WINDOWS\system32\Drivers\DgiVecp.sys
2011/01/13 09:39:10.0989 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/01/13 09:39:11.0098 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/01/13 09:39:11.0192 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\DRIVERS\dmio.sys
2011/01/13 09:39:11.0223 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/01/13 09:39:11.0286 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/01/13 09:39:11.0364 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/01/13 09:39:11.0442 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/01/13 09:39:11.0504 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/01/13 09:39:11.0551 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/01/13 09:39:11.0582 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/01/13 09:39:11.0645 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/01/13 09:39:11.0692 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/01/13 09:39:11.0739 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/01/13 09:39:11.0801 GEARAspiWDM (ab8a6a87d9d7255c3884d5b9541a6e80) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2011/01/13 09:39:11.0911 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/01/13 09:39:11.0957 HidBatt (748031ff4fe45ccc47546294905feab8) C:\WINDOWS\system32\DRIVERS\HidBatt.sys
2011/01/13 09:39:11.0989 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/01/13 09:39:12.0067 HPZid412 (287a63bd8509bd78e7978823b38afa81) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
2011/01/13 09:39:12.0098 HPZipr12 (0b4fda2657c3e0315eaa57f9c6d4fd1f) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
2011/01/13 09:39:12.0145 HPZius12 (29559db25258b60510a60c4e470fce32) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
2011/01/13 09:39:12.0286 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/01/13 09:39:12.0411 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/01/13 09:39:12.0520 iaStor (f26bfd48b1c314e0f23bf77acfa75940) C:\WINDOWS\system32\drivers\iaStor.sys
2011/01/13 09:39:12.0582 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/01/13 09:39:12.0723 IntelC51 (7509c548400f4c9e0211e3f6e66abbe6) C:\WINDOWS\system32\DRIVERS\IntelC51.sys
2011/01/13 09:39:12.0879 IntelC52 (9584ffdd41d37f2c239681d0dac2513e) C:\WINDOWS\system32\DRIVERS\IntelC52.sys
2011/01/13 09:39:12.0957 IntelC53 (de2686c0e012e6ae24acd6e79eb7ff5d) C:\WINDOWS\system32\DRIVERS\IntelC53.sys
2011/01/13 09:39:13.0067 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/01/13 09:39:13.0129 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/01/13 09:39:13.0207 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/01/13 09:39:13.0270 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/01/13 09:39:13.0332 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/01/13 09:39:13.0395 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/01/13 09:39:13.0457 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/01/13 09:39:13.0520 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/01/13 09:39:13.0582 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/01/13 09:39:13.0645 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/01/13 09:39:13.0692 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/01/13 09:39:13.0770 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/01/13 09:39:13.0911 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/01/13 09:39:13.0973 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/01/13 09:39:14.0004 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
2011/01/13 09:39:14.0082 mohfilt (59b8b11ff70728eec60e72131c58b716) C:\WINDOWS\system32\DRIVERS\mohfilt.sys
2011/01/13 09:39:14.0114 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/01/13 09:39:14.0176 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/01/13 09:39:14.0223 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/01/13 09:39:14.0270 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/01/13 09:39:14.0332 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/01/13 09:39:14.0395 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/01/13 09:39:14.0504 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/01/13 09:39:14.0614 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/01/13 09:39:14.0676 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/01/13 09:39:14.0801 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/01/13 09:39:14.0879 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/01/13 09:39:14.0957 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/01/13 09:39:15.0067 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/01/13 09:39:15.0129 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/01/13 09:39:15.0161 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/01/13 09:39:15.0223 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/01/13 09:39:15.0317 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/01/13 09:39:15.0364 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/01/13 09:39:15.0473 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/01/13 09:39:15.0520 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/01/13 09:39:15.0582 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/01/13 09:39:15.0629 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/01/13 09:39:15.0707 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/01/13 09:39:15.0754 OMCI (cec7e2c6c1fa00c7ab2f5434f848ae51) C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS
2011/01/13 09:39:15.0801 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/01/13 09:39:15.0879 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/01/13 09:39:15.0926 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/01/13 09:39:15.0942 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/01/13 09:39:15.0989 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/01/13 09:39:16.0051 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/01/13 09:39:16.0348 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/01/13 09:39:16.0379 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2011/01/13 09:39:16.0411 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/01/13 09:39:16.0442 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/01/13 09:39:16.0520 PxHelp20 (0457e25bb122b854e267cf552dcdc370) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/01/13 09:39:16.0723 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/01/13 09:39:16.0801 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/01/13 09:39:16.0848 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/01/13 09:39:16.0879 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/01/13 09:39:16.0911 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/01/13 09:39:16.0973 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/01/13 09:39:17.0051 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/01/13 09:39:17.0129 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/01/13 09:39:17.0176 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/01/13 09:39:17.0379 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
2011/01/13 09:39:17.0426 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
2011/01/13 09:39:17.0520 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/01/13 09:39:17.0598 Sentinel (95a26d5d8ceda33377af627dafc2796f) C:\WINDOWS\System32\Drivers\SENTINEL.SYS
2011/01/13 09:39:17.0676 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/01/13 09:39:17.0739 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/01/13 09:39:17.0817 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/01/13 09:39:17.0989 smwdm (4aa922332433cdeb8b82c072c212e32e) C:\WINDOWS\system32\drivers\smwdm.sys
2011/01/13 09:39:18.0129 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/01/13 09:39:18.0176 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/01/13 09:39:18.0254 Srv (da852e3e0bf1cea75d756f9866241e57) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/01/13 09:39:18.0301 StillCam (a9573045baa16eab9b1085205b82f1ed) C:\WINDOWS\system32\DRIVERS\serscan.sys
2011/01/13 09:39:18.0332 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/01/13 09:39:18.0379 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/01/13 09:39:18.0536 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/01/13 09:39:18.0598 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/01/13 09:39:18.0645 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/01/13 09:39:18.0676 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/01/13 09:39:18.0723 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/01/13 09:39:18.0817 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/01/13 09:39:18.0879 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/01/13 09:39:18.0942 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/01/13 09:39:18.0989 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/01/13 09:39:19.0004 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/01/13 09:39:19.0036 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/01/13 09:39:19.0067 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/01/13 09:39:19.0098 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/01/13 09:39:19.0129 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/01/13 09:39:19.0192 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/01/13 09:39:19.0301 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/01/13 09:39:19.0364 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/01/13 09:39:19.0442 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/01/13 09:39:19.0551 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
2011/01/13 09:39:19.0645 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/01/13 09:39:19.0707 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/01/13 09:39:19.0754 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/01/13 09:39:19.0754 ================================================================================
2011/01/13 09:39:19.0754 Scan finished
2011/01/13 09:39:19.0754 ================================================================================
2011/01/13 09:39:19.0786 Detected object count: 1
2011/01/13 09:39:53.0832 \HardDisk0 - will be cured after reboot
2011/01/13 09:39:53.0832 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2011/01/13 09:40:50.0770 Deinitialize success

Broni · Jan 13, 2011

Good job

See, if you can run DDS now.

pkbrooks · Jan 13, 2011

DDS and ATTACH .txt Files

ok, here we go. DDS and then ATTACH.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-12-12.02)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 4/6/2006 10:01:45 AM
System Uptime: 1/13/2011 9:46:18 AM (5 hours ago)

Motherboard: Dell Inc. | | 0J3492
Processor: Intel(R) Pentium(R) 4 CPU 3.40GHz | Microprocessor | 3391/800mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 149 GiB total, 112.56 GiB free.
D: is CDROM ()
E: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

ACDSee 5.0 PowerPack
Adobe Acrobat 8 Standard
Adobe Acrobat 8.1.1 Standard
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Help Center 2.0
Adobe Photoshop Elements 4.0
Adobe Reader 7.0.5
Adobe Shockwave Player 11.5
APC PowerChute Personal Edition
Apple Mobile Device Support
Apple Software Update
ArcSoft Software Suite
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
AutoCAD LT 2005 - English
Autodesk Design Review 2009
Autodesk DWF Viewer
Belarc Advisor 7.2
Bonjour
Broadcom Gigabit Integrated Controller
Business Contact Manager for Outlook 2003
Cabinet Vision Solid®
CCleaner
Compatibility Pack for the 2007 Office system
CR115
Critical Update for Windows Media Player 11 (KB959772)
Dell Digital Jukebox Driver
Dell ResourceCD
DeviceFunctionQFolder
DocProc
DocProcQFolder
DWG TrueView 2009
DYMO Label Software
DYMO QuickBooks Add-In
DYMO Stamps
Google Chrome
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HiJackThis
HijackThis 1.99.1
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Scanjet 4800 series
HP Scanjet 4800 series 7.0
HP Software Update
HP Solution Center 7.0
HP Update
hpg4850
hpg4850QFolder
hpmdtab
HPProductAssistant
HPSystemDiagnostics
Intel Application Accelerator
Intel(R) 537EP V9x DF PCI Modem
Java Auto Updater
Macromedia Flash Player
Malwarebytes' Anti-Malware
Memories Disc Creator 2.0
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Default Manager
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 SR-1 Premium
Microsoft Office 2000 Web Archive Add-On
Microsoft Office 2003 Web Components
Microsoft Office OneNote 2007
Microsoft Office Professional Edition 2003
Microsoft Picture It! Photo Premium 9
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft UI Engine
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Microsoft Works 2004 Setup Launcher
Microsoft Works Suite Add-in for Microsoft Word
MobileMe Control Panel
Mozilla Firefox (3.6.10)
MSN Music Assistant
MSN Toolbar
MSN Toolbar Platform
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
MSXML 6.0 Parser (KB925673)
Norton Security Scan
OCR Software by I.R.I.S 7.0
PageScope Cabinet
PowerDVD 5.1
QBFC 4.0
QBFC3.0
QuickTime
Readiris Pro 10
RealPlayer
Samsung SCX-4200 Series
Scan
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Microsoft .NET Framework 2.0 (KB922770)
Security Update for Office 2007 (KB934062)
Security Update for the 2007 Microsoft Office System (KB936960)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Sentinel System Driver Installer 7.4.0
Shockwave
Slide
SmarThru 4
Smead Viewables
Solid 4.1
SolutionCenter
Sonic RecordNow!
SoundMAX
SUPERAntiSpyware
SupportSoft Assisted Service
TightVNC 1.3.9
TracManager 2010
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Office 2007 (KB932080)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB978506)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
WebFldrs XP
WebReg
Windows Driver Package - Hewlett-Packard Image (12/27/2006 8.0.0.0)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live ID Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Player 11
Windows Presentation Foundation
Windows Rights Management Client Backwards Compatibility SP2
Windows Rights Management Client with Service Pack 2
Windows XP Service Pack 3
XML Paper Specification Shared Components Pack 1.0

==== Event Viewer Messages From Past Week ========

1/7/2011 9:40:03 AM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
1/7/2011 2:51:19 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service winmgmt with arguments "" in order to run the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}
1/7/2011 1:25:51 AM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.
1/6/2011 9:00:00 PM, error: Schedule [7901] - The At22.job command failed to start due to the following error: General access denied error
1/6/2011 8:00:00 PM, error: Schedule [7901] - The At21.job command failed to start due to the following error: General access denied error
1/6/2011 7:00:00 PM, error: Schedule [7901] - The At20.job command failed to start due to the following error: General access denied error
1/6/2011 6:00:00 PM, error: Schedule [7901] - The At19.job command failed to start due to the following error: General access denied error
1/6/2011 5:00:00 PM, error: Schedule [7901] - The At18.job command failed to start due to the following error: General access denied error
1/6/2011 3:59:59 PM, error: Schedule [7901] - The At17.job command failed to start due to the following error: General access denied error
1/6/2011 3:00:00 PM, error: Schedule [7901] - The At16.job command failed to start due to the following error: General access denied error
1/6/2011 2:00:00 PM, error: Schedule [7901] - The At15.job command failed to start due to the following error: General access denied error
1/6/2011 12:00:00 PM, error: Schedule [7901] - The At13.job command failed to start due to the following error: General access denied error
1/6/2011 11:29:03 AM, error: Print [33] - The PrintQueue Container could not be found because the DNS Domain name could not be retrieved. Error: 54b
1/6/2011 11:28:48 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the VNC Server service to connect.
1/6/2011 11:28:48 AM, error: Service Control Manager [7000] - The VNC Server service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
1/6/2011 11:28:47 PM, error: NETLOGON [5719] - No Domain Controller is available for domain MCC due to the following: There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.
1/6/2011 11:00:00 PM, error: Schedule [7901] - The At24.job command failed to start due to the following error: General access denied error
1/6/2011 11:00:00 AM, error: Schedule [7901] - The At12.job command failed to start due to the following error: General access denied error
1/6/2011 10:00:00 PM, error: Schedule [7901] - The At23.job command failed to start due to the following error: General access denied error
1/6/2011 10:00:00 AM, error: Schedule [7901] - The At11.job command failed to start due to the following error: General access denied error
1/6/2011 1:00:00 PM, error: Schedule [7901] - The At14.job command failed to start due to the following error: General access denied error
1/13/2011 8:00:00 AM, error: Schedule [7901] - The At9.job command failed to start due to the following error: General access denied error
1/13/2011 7:00:00 AM, error: Schedule [7901] - The At8.job command failed to start due to the following error: General access denied error
1/13/2011 6:00:00 AM, error: Schedule [7901] - The At7.job command failed to start due to the following error: General access denied error
1/13/2011 5:00:00 AM, error: Schedule [7901] - The At6.job command failed to start due to the following error: General access denied error
1/13/2011 4:00:00 AM, error: Schedule [7901] - The At5.job command failed to start due to the following error: General access denied error
1/13/2011 3:00:00 AM, error: Schedule [7901] - The At4.job command failed to start due to the following error: General access denied error
1/13/2011 2:00:00 AM, error: Schedule [7901] - The At3.job command failed to start due to the following error: General access denied error
1/12/2011 8:29:04 AM, error: Print [33] - The PrintQueue Container could not be found because the DNS Domain name could not be retrieved. Error: 836
1/12/2011 12:13:00 AM, error: Schedule [7901] - The At1.job command failed to start due to the following error: General access denied error
1/12/2011 1:00:00 AM, error: Schedule [7901] - The At2.job command failed to start due to the following error: General access denied error
1/11/2011 9:35:59 AM, error: Service Control Manager [7000] - The SASDIFSV service failed to start due to the following error: Cannot create a file when that file already exists.
1/11/2011 9:00:00 AM, error: Schedule [7901] - The At10.job command failed to start due to the following error: General access denied error
1/11/2011 8:28:53 AM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service SeaPort with arguments "-Service" in order to run the server: {D6381B4A-D254-46EB-9018-A62E0F4BA6BA}
1/11/2011 2:24:43 PM, error: Service Control Manager [7031] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
1/11/2011 2:24:42 PM, error: Service Control Manager [7034] - The spkrmon service terminated unexpectedly. It has done this 1 time(s).
1/11/2011 2:24:42 PM, error: Service Control Manager [7034] - The SeaPort service terminated unexpectedly. It has done this 1 time(s).
1/11/2011 2:24:42 PM, error: Service Control Manager [7034] - The IAA Event Monitor service terminated unexpectedly. It has done this 1 time(s).
1/11/2011 2:24:42 PM, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
1/11/2011 2:24:42 PM, error: Service Control Manager [7031] - The Windows Live ID Sign-in Assistant service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service.
1/11/2011 2:24:41 PM, error: Service Control Manager [7034] - The Ati HotKey Poller service terminated unexpectedly. It has done this 1 time(s).
1/11/2011 2:24:41 PM, error: Service Control Manager [7034] - The APC UPS Service service terminated unexpectedly. It has done this 1 time(s).
1/11/2011 2:24:41 PM, error: Service Control Manager [7034] - The Adobe Active File Monitor V4 service terminated unexpectedly. It has done this 1 time(s).
1/11/2011 2:24:41 PM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

==== End Of File ===========================

DDS (Ver_10-12-12.02) - NTFSx86
Run by Administrator at 14:06:56.87 on Thu 01/13/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.350 [GMT -5:00]

AV: Symantec AntiVirus Corporate Edition *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\ups.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe
C:\WINDOWS\system32\task.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Administrator.MCC\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\ADMINI~1.MCC\LOCALS~1\Temp\drweb.exe
C:\WINDOWS\drweb.exe
C:\DOCUME~1\ADMINI~1.MCC\LOCALS~1\Temp\taskmgr.exe
C:\WINDOWS\wininst.exe
C:\DOCUME~1\ADMINI~1.MCC\LOCALS~1\Temp\mdm.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Administrator.MCC\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: WhiteSmoke Toolbar: {52794457-af6c-4c50-9def-f2e24f4c8889} - c:\program files\whitesmoketoolbar\whitesmoketoolbarX.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: MSN Toolbar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\4.0.0379.0\npwinext.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: MSN Toolbar: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\4.0.0379.0\npwinext.dll
TB: WhiteSmoke Toolbar: {52794457-af6c-4c50-9def-f2e24f4c8889} - c:\program files\whitesmoketoolbar\whitesmoketoolbarX.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {32004B8A-44A9-43E7-84E9-808838809519} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [uPc+KQNXKIXniQaGuo] rundll32.exe c:\docume~1\breakt~1\locals~1\temp\yo3p2ya4.dll, SystemServer
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [Google Update] "c:\documents and settings\administrator.mcc\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [HNUGRAOXRnsc] c:\docume~1\admini~1.mcc\locals~1\temp\drweb.exe
uRun: [MKasc] c:\windows\drweb.exe
uRun: [MKfre] c:\windows\wininst.exe
uRun: [HNUGRAOXRrrb] c:\docume~1\admini~1.mcc\locals~1\temp\taskmgr.exe
uRun: [HNUGRAOXRpZ] c:\docume~1\admini~1.mcc\locals~1\temp\mdm.exe
mRun: [uPc+KQNXKIXniQaGuo] rundll32.exe c:\docume~1\breakt~1\locals~1\temp\yo3p2ya4.dll, SystemServer
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [Samsung PanelMgr] c:\windows\samsung\panelmgr\ssmmgr.exe /autorun
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [GMorphCl] "c:\windows\system32\task.exe"
mRun: [HNUGRAOXRnsc] c:\docume~1\admini~1.mcc\locals~1\temp\drweb.exe
mRun: [MKasc] c:\windows\drweb.exe
mRun: [MKfre] c:\windows\wininst.exe
mRun: [HNUGRAOXRrrb] c:\docume~1\admini~1.mcc\locals~1\temp\taskmgr.exe
mRun: [HNUGRAOXRpZ] c:\docume~1\admini~1.mcc\locals~1\temp\mdm.exe
dRunOnce: [RunNarrator] Narrator.exe
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil9f.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\windows\system32\lspB.dll
Trusted Zone: fastestdeploy.com
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab56649.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {3DA5D23B-EFE1-4181-ADB7-7D457567AACA} - hxxp://zone.msn.com/bingame/pacz/default/pandaonline.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} - hxxp://zone.msn.com/bingame/rtlw/default/ReflexiveWebGameLoader.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1159542893046
DPF: {64D01C7F-810D-446E-A07E-16C764235644} - hxxp://zone.msn.com/bingame/amad/default/atomaders.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1219326447803
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
DPF: {BBF0D44D-14E6-4DB3-8211-AEF1ABA7EE84} - hxxp://esupport.cabinetvision.com/ATLWebKeyButton.CAB
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} - hxxp://zone.msn.com/bingame/feed/default/SproutLauncher.cab
DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} - hxxp://zone.msn.com/bingame/gold/default/gf.cab
DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} - hxxp://zone.msn.com/bingame/hsol/default/SCEWebLauncher.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://zone.msn.com/bingame/isan/default/popcaploader_v6.cab
DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - hxxp://fdl.msn.com/zone/datafiles/heartbeat.cab
DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} - hxxp://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab64162.cab
TCP: {385CE9BA-9804-42B2-A2AA-7366CF893524} = 192.168.1.254
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
mASetup: {B0B9B83C-BBFC-49F5-93F4-BC388B073320} - rundll32.exe "c:\documents and settings\jboggess\application data\bitrix security\hwwkat9.dll", DllUnrer

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1.mcc\applic~1\mozilla\firefox\profiles\so55ahpw.default\
FF - plugin: c:\documents and settings\administrator.mcc\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwebsrv.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
S0 acxmrkmh;acxmrkmh;c:\windows\system32\drivers\ajtxytg.sys --> c:\windows\system32\drivers\ajtxytg.sys [?]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2004-8-4 14336]
S4 QuickBooksDB17;QuickBooksDB17;c:\progra~1\intuit\quickb~3\qbdbmgrn.exe -hvquickbooksdb17 --> c:\progra~1\intuit\quickb~3\QBDBMgrN.exe -hvQuickBooksDB17 [?]

=============== Created Last 30 ================

2011-01-13 18:39:22 44181 ---h--w- c:\windows\wininst.exe
2011-01-13 18:39:21 44181 ---h--w- c:\windows\drweb.exe
2011-01-07 15:06:02 -------- d-----w- c:\docume~1\admini~1.mcc\applic~1\whitesmoketoolbar
2011-01-07 14:45:48 -------- d-----w- c:\docume~1\admini~1.mcc\applic~1\Malwarebytes
2011-01-06 14:41:59 38715 ----a-w- c:\windows\system32\task.exe
2011-01-06 14:41:49 47419 ----a-w- c:\windows\system32\lspB.dll
2011-01-05 19:20:30 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2011-01-05 19:20:30 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2011-01-05 12:45:03 80898 ----a-w- c:\docume~1\alluse~1\applic~1\2ki3RIv6.exe
2011-01-05 12:43:51 -------- d-----w- c:\docume~1\alluse~1\applic~1\boost_interprocess
2010-12-29 17:50:15 -------- d-----w- c:\program files\whitesmoketoolbar
2010-12-29 17:49:58 -------- d-----w- c:\windows\system32\%APPDATA%

==================== Find3M ====================

============= FINISH: 14:07:48.30 ===============

Broni · Jan 13, 2011

Good

Download MBRCheck to your desktop

Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
It will show a black screen with some data on it.
Enter N to exit.
A report called MBRcheckxxxx.txt will be on your desktop
Open this report and post its content in your next reply.

======================================================================

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

Please, never rename Combofix unless instructed.
Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
- Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
NOTE1. If Combofix asks you to install Recovery Console, please allow it.
NOTE 2. If Combofix asks you to update the program, always do so.
- Close any open browsers.
- WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
- Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
- If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt"

**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
**Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.

Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode.

2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.

Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click Rkill and choose Run as Administrator

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

Rkill.com
Rkill.scr
Rkill.exe

Double-click on the Rkill desktop icon to run the tool.
If using Vista or Windows 7 right-click on it and choose Run As Administrator.
A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
If not, delete the file, then download and use the one provided in Link 2.
If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
Do not reboot until instructed.
If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

pkbrooks · Jan 13, 2011

MBR Check log

MBR is ready. Will be a few hours for the other. Have to get back to work.

Thanks, pkbrooks

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000001d

Kernel Drivers (total 127):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806FF000 \WINDOWS\system32\hal.dll
0xF7A24000 \WINDOWS\system32\KDCOM.DLL
0xF7934000 \WINDOWS\system32\BOOTVID.dll
0xF74D5000 ACPI.sys
0xF7A26000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF74C4000 pci.sys
0xF7524000 isapnp.sys
0xF7938000 compbatt.sys
0xF793C000 \WINDOWS\System32\DRIVERS\BATTC.SYS
0xF7AEC000 pciide.sys
0xF77A4000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF7534000 MountMgr.sys
0xF74A5000 ftdisk.sys
0xF7A28000 dmload.sys
0xF747F000 dmio.sys
0xF77AC000 PartMgr.sys
0xF7544000 VolSnap.sys
0xF7467000 atapi.sys
0xF73F4000 iaStor.sys
0xF7554000 disk.sys
0xF7564000 \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
0xF73D4000 fltmgr.sys
0xF7574000 PxHelp20.sys
0xF73BD000 KSecDD.sys
0xF7330000 Ntfs.sys
0xF7303000 NDIS.sys
0xF72E9000 Mup.sys
0xF76B4000 \SystemRoot\System32\DRIVERS\intelppm.sys
0xF6BF1000 \SystemRoot\System32\DRIVERS\ati2mtag.sys
0xF6BDD000 \SystemRoot\System32\DRIVERS\VIDEOPRT.SYS
0xF6BAF000 \SystemRoot\System32\DRIVERS\b57xp32.sys
0xF7854000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF6B8B000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF785C000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF6AF5000 \SystemRoot\system32\drivers\smwdm.sys
0xF6AD1000 \SystemRoot\system32\drivers\portcls.sys
0xF76C4000 \SystemRoot\system32\drivers\drmk.sys
0xF6AAE000 \SystemRoot\system32\drivers\ks.sys
0xF7A5C000 \SystemRoot\system32\drivers\aeaudio.sys
0xF7864000 \SystemRoot\system32\DRIVERS\fdc.sys
0xF6A9A000 \SystemRoot\System32\DRIVERS\parport.sys
0xF76D4000 \SystemRoot\system32\DRIVERS\serial.sys
0xF7294000 \SystemRoot\system32\DRIVERS\serenum.sys
0xF786C000 \SystemRoot\system32\drivers\Afc.sys
0xF76E4000 \SystemRoot\System32\Drivers\AFS2K.SYS
0xF76F4000 \SystemRoot\System32\DRIVERS\cdrom.sys
0xF7704000 \SystemRoot\System32\DRIVERS\redbook.sys
0xF7290000 \SystemRoot\SYSTEM32\DRIVERS\GEARAspiWDM.sys
0xF7714000 \SystemRoot\System32\DRIVERS\imapi.sys
0xF7A5E000 \SystemRoot\system32\DRIVERS\serscan.sys
0xF7BE0000 \SystemRoot\System32\DRIVERS\audstub.sys
0xF7724000 \SystemRoot\System32\DRIVERS\rasl2tp.sys
0xF703A000 \SystemRoot\System32\DRIVERS\ndistapi.sys
0xF6A83000 \SystemRoot\System32\DRIVERS\ndiswan.sys
0xF7734000 \SystemRoot\System32\DRIVERS\raspppoe.sys
0xF7744000 \SystemRoot\System32\DRIVERS\raspptp.sys
0xF7874000 \SystemRoot\System32\DRIVERS\TDI.SYS
0xF6A72000 \SystemRoot\System32\DRIVERS\psched.sys
0xF6D4E000 \SystemRoot\System32\DRIVERS\msgpc.sys
0xF787C000 \SystemRoot\System32\DRIVERS\ptilink.sys
0xF7884000 \SystemRoot\System32\DRIVERS\raspti.sys
0xF6A42000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xF6D3E000 \SystemRoot\System32\DRIVERS\termdd.sys
0xF788C000 \SystemRoot\System32\DRIVERS\kbdclass.sys
0xF7894000 \SystemRoot\System32\DRIVERS\mouclass.sys
0xF7A60000 \SystemRoot\System32\DRIVERS\swenum.sys
0xF69BC000 \SystemRoot\System32\DRIVERS\update.sys
0xF701E000 \SystemRoot\System32\DRIVERS\mssmbios.sys
0xF6D0E000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xED070000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF7AD4000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xEDDC3000 \SystemRoot\System32\DRIVERS\flpydisk.sys
0xF7A74000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xED70C000 \SystemRoot\System32\Drivers\Null.SYS
0xF7A76000 \SystemRoot\System32\Drivers\Beep.SYS
0xED49A000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xED492000 \SystemRoot\System32\drivers\vga.sys
0xF7A78000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7A7A000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xED48A000 \SystemRoot\System32\Drivers\Msfs.SYS
0xED482000 \SystemRoot\System32\Drivers\Npfs.SYS
0xED444000 \SystemRoot\System32\DRIVERS\rasacd.sys
0xEC0EE000 \SystemRoot\System32\DRIVERS\ipsec.sys
0xEC095000 \SystemRoot\System32\DRIVERS\tcpip.sys
0xEC06F000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xEC047000 \SystemRoot\System32\DRIVERS\netbt.sys
0xED936000 \SystemRoot\System32\DRIVERS\wanarp.sys
0xED428000 \SystemRoot\System32\drivers\ws2ifsl.sys
0xEC025000 \SystemRoot\System32\drivers\afd.sys
0xED926000 \SystemRoot\System32\DRIVERS\netbios.sys
0xEC003000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
0xED47A000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
0xEBFD8000 \SystemRoot\System32\DRIVERS\rdbss.sys
0xED424000 \SystemRoot\SYSTEM32\DRIVERS\OMCI.SYS
0xEBF68000 \SystemRoot\System32\DRIVERS\mrxsmb.sys
0xED8F6000 \SystemRoot\System32\Drivers\Fips.SYS
0xEDFAB000 \SystemRoot\System32\Drivers\BANTExt.sys
0xEDF46000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xED6CD000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xEDF36000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xED46A000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xED6C9000 \SystemRoot\System32\DRIVERS\mouhid.sys
0xED6C1000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xEBEF5000 \SystemRoot\System32\Drivers\dump_iaStor.sys
0xBF800000 \SystemRoot\System32\win32k.sys
0xEDDEC000 \SystemRoot\System32\drivers\Dxapi.sys
0xED462000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xED695000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\ati2dvag.dll
0xBF049000 \SystemRoot\System32\ati2cqag.dll
0xBF083000 \SystemRoot\System32\ati3duag.dll
0xBF257000 \SystemRoot\System32\ativvaxx.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xF6A3A000 \SystemRoot\System32\DRIVERS\ndisuio.sys
0xB975B000 \SystemRoot\System32\DRIVERS\mrxdav.sys
0xEE6D4000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xB96F6000 \SystemRoot\System32\Drivers\SENTINEL.SYS
0xECC87000 \??\C:\WINDOWS\system32\Drivers\DgiVecp.sys
0xB9627000 \SystemRoot\System32\DRIVERS\srv.sys
0xB9572000 \SystemRoot\system32\drivers\wdmaud.sys
0xED8D6000 \SystemRoot\system32\drivers\sysaudio.sys
0xB8490000 \SystemRoot\System32\Drivers\HTTP.sys
0xB7F5C000 \SystemRoot\system32\drivers\kmixer.sys
0xF77BC000 \??\C:\DOCUME~1\ADMINI~1.MCC\LOCALS~1\Temp\mbr.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 49):
0 System Idle Process
4 System
612 C:\WINDOWS\system32\smss.exe
668 csrss.exe
692 C:\WINDOWS\system32\winlogon.exe
736 C:\WINDOWS\system32\services.exe
748 C:\WINDOWS\system32\lsass.exe
928 C:\WINDOWS\system32\ati2evxx.exe
944 C:\WINDOWS\system32\svchost.exe
1016 svchost.exe
1124 C:\WINDOWS\system32\svchost.exe
1196 svchost.exe
1288 svchost.exe
1388 C:\WINDOWS\system32\spoolsv.exe
1472 svchost.exe
1552 C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
1584 C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
1608 C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
1640 C:\Program Files\Bonjour\mDNSResponder.exe
1684 C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1736 C:\Program Files\Intel\Intel Application Accelerator\IAANTmon.exe
1792 C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
200 C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
304 C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
360 C:\WINDOWS\system32\svchost.exe
416 C:\WINDOWS\system32\ups.exe
492 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
580 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
1960 alg.exe
2164 C:\WINDOWS\system32\wscntfy.exe
2316 C:\WINDOWS\explorer.exe
2404 C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe
2752 C:\WINDOWS\system32\task.exe
2744 C:\WINDOWS\system32\rundll32.exe
2780 C:\WINDOWS\system32\ctfmon.exe
1276 C:\Documents and Settings\Administrator.MCC\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
3656 C:\Program Files\Mozilla Firefox\firefox.exe
2628 C:\DOCUME~1\ADMINI~1.MCC\LOCALS~1\Temp\drweb.exe
1956 C:\WINDOWS\drweb.exe
2516 C:\DOCUME~1\ADMINI~1.MCC\LOCALS~1\Temp\taskmgr.exe
3588 C:\WINDOWS\wininst.exe
2412 C:\DOCUME~1\ADMINI~1.MCC\LOCALS~1\Temp\mdm.exe
1348 C:\WINDOWS\system32\msiexec.exe
3968 C:\Program Files\Mozilla Firefox\plugin-container.exe
2376 C:\Program Files\Internet Explorer\iexplore.exe
1216 C:\Program Files\Internet Explorer\iexplore.exe
320 C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
3896 C:\Program Files\Internet Explorer\iexplore.exe
1172 C:\Documents and Settings\Administrator.MCC\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: IntelRaid 1 Volume, Rev: 0.1.

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A

Done!

Broni · Jan 13, 2011

That looks good

pkbrooks · Jan 13, 2011

Combofix log, part 1

That was pretty simple. Here is the next paste from Combofix.

thanks, pkbrooks

ComboFix 11-01-12.04 - Administrator 01/13/2011 16:35:27.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.401 [GMT -5:00]
Running from: c:\documents and settings\Administrator.MCC\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\ADMINI~1.MCC\LOCALS~1\Temp\drweb.exe
c:\docume~1\ADMINI~1.MCC\LOCALS~1\Temp\mdm.exe
c:\docume~1\ADMINI~1.MCC\LOCALS~1\Temp\svchost.exe
c:\docume~1\ADMINI~1.MCC\LOCALS~1\Temp\taskmgr.exe
c:\docume~1\ADMINI~1.MCC\LOCALS~1\Temp\user.exe
c:\documents and settings\Administrator.MCC\Application Data\whitesmoketoolbar
c:\documents and settings\Administrator.MCC\Application Data\whitesmoketoolbar\dtx.ini
c:\documents and settings\Administrator.MCC\Application Data\whitesmoketoolbar\guid.dat
c:\documents and settings\Administrator.MCC\Application Data\whitesmoketoolbar\preferences.dat
c:\documents and settings\Administrator.MCC\Application Data\whitesmoketoolbar\stat-history.log
c:\documents and settings\Administrator.MCC\Application Data\whitesmoketoolbar\stat.log
c:\documents and settings\Administrator.MCC\Application Data\whitesmoketoolbar\stats.dat
c:\documents and settings\Administrator.MCC\Application Data\whitesmoketoolbar\uninstallIE.dat
c:\documents and settings\Administrator.MCC\Application Data\whitesmoketoolbar\uninstallStatIE.dat
c:\documents and settings\All Users\Application Data\2ki3RIv6.exe
c:\documents and settings\All Users\Application Data\boost_interprocess\20110105141928.359375
c:\documents and settings\Break Time\Application Data\dwm.exe
c:\documents and settings\Break Time\Application Data\Microsoft\conhost .exe
c:\documents and settings\Break Time\Application Data\Sys32Disp.exe .exe
c:\documents and settings\Break Time\Application Data\whitesmoketoolbar
c:\documents and settings\Break Time\Application Data\whitesmoketoolbar\dtx.ini
c:\documents and settings\Break Time\Application Data\whitesmoketoolbar\guid.dat
c:\documents and settings\Break Time\Application Data\whitesmoketoolbar\log.txt
c:\documents and settings\Break Time\Application Data\whitesmoketoolbar\preferences.dat
c:\documents and settings\Break Time\Application Data\whitesmoketoolbar\stat-history.log
c:\documents and settings\Break Time\Application Data\whitesmoketoolbar\stat.log
c:\documents and settings\Break Time\Application Data\whitesmoketoolbar\stats.dat
c:\documents and settings\Break Time\Application Data\whitesmoketoolbar\uninstallIE.dat
c:\documents and settings\Break Time\Application Data\whitesmoketoolbar\uninstallStatIE.dat
c:\documents and settings\Break Time\Application Data\whitesmoketoolbar\version.xml
c:\documents and settings\Break Time\Application Data\whitesmoketoolbar\weather\07ace42ae9965c98e031d65fcac74a65
c:\documents and settings\Break Time\Application Data\whitesmoketoolbar\weather\c0dff903bae42b3cb87824ccfebc3c17
c:\documents and settings\Break Time\Application Data\whitesmoketoolbar\weather\forecasts_cache.xml
c:\documents and settings\Break Time\Application Data\whitesmoketoolbar\weather\observations_cache.xml
c:\documents and settings\Break Time\Application Data\whitesmoketoolbar\weatherbutton_prefs.xml
c:\documents and settings\Break Time\Local Settings\Application Data\{12581CEB-47C3-4615-9713-05D9765BD458}
c:\documents and settings\Break Time\Local Settings\Application Data\{12581CEB-47C3-4615-9713-05D9765BD458}\chrome.manifest
c:\documents and settings\Break Time\Local Settings\Application Data\{12581CEB-47C3-4615-9713-05D9765BD458}\chrome\content\_cfg.js
c:\documents and settings\Break Time\Local Settings\Application Data\{12581CEB-47C3-4615-9713-05D9765BD458}\chrome\content\overlay.xul
c:\documents and settings\Break Time\Local Settings\Application Data\{12581CEB-47C3-4615-9713-05D9765BD458}\install.rdf
c:\documents and settings\Break Time\Local Settings\Application Data\aravoajk.exe
c:\documents and settings\Break Time\Local Settings\Application Data\ewabakezako.dll
c:\documents and settings\Break Time\Local Settings\Application Data\xdkbebe.exe
c:\documents and settings\Break Time\Start Menu\Programs\Security Shield.lnk
c:\documents and settings\jboggess\Application Data\Bitrix Security
c:\documents and settings\jboggess\Application Data\Bitrix Security\28092010_155905_248546_skey_29-09-2010__09-58-26.zip
c:\documents and settings\jboggess\Application Data\Bitrix Security\hjzvk
c:\documents and settings\jboggess\Application Data\Bitrix Security\hwwkat9_shrd
c:\documents and settings\jboggess\Application Data\Bitrix Security\mxd1.txt
c:\documents and settings\jboggess\Application Data\Bitrix Security\plk.txt
c:\documents and settings\jboggess\Application Data\Bitrix Security\qnf.txt
c:\documents and settings\LocalService\Application Data\whitesmoketoolbar
c:\documents and settings\LocalService\Application Data\whitesmoketoolbar\dtx.ini
c:\documents and settings\LocalService\Application Data\whitesmoketoolbar\exeArgs.xml
c:\documents and settings\LocalService\Application Data\whitesmoketoolbar\guid.dat
c:\documents and settings\LocalService\Application Data\whitesmoketoolbar\preferences.dat
c:\documents and settings\LocalService\Application Data\whitesmoketoolbar\stat-history.log
c:\documents and settings\LocalService\Application Data\whitesmoketoolbar\stat.log
c:\documents and settings\LocalService\Application Data\whitesmoketoolbar\stats.dat
c:\documents and settings\LocalService\Application Data\whitesmoketoolbar\uninstallIE.dat
c:\documents and settings\LocalService\Application Data\whitesmoketoolbar\uninstallStatIE.dat
c:\documents and settings\LocalService\Application Data\whitesmoketoolbar\weather\07ace42ae9965c98e031d65fcac74a65
c:\documents and settings\LocalService\Application Data\whitesmoketoolbar\weather\c0dff903bae42b3cb87824ccfebc3c17
c:\documents and settings\LocalService\Application Data\whitesmoketoolbar\weather\forecasts_cache.xml
c:\documents and settings\LocalService\Application Data\whitesmoketoolbar\weather\observations_cache.xml
c:\documents and settings\LocalService\Application Data\whitesmoketoolbar\weatherbutton_prefs.xml
c:\documents and settings\NetworkService\Application Data\whitesmoketoolbar
c:\documents and settings\NetworkService\Application Data\whitesmoketoolbar\dtx.ini
c:\documents and settings\NetworkService\Application Data\whitesmoketoolbar\guid.dat
c:\documents and settings\NetworkService\Application Data\whitesmoketoolbar\log.txt
c:\documents and settings\NetworkService\Application Data\whitesmoketoolbar\preferences.dat
c:\documents and settings\NetworkService\Application Data\whitesmoketoolbar\stat.log
c:\documents and settings\NetworkService\Application Data\whitesmoketoolbar\stats.dat
c:\documents and settings\NetworkService\Application Data\whitesmoketoolbar\uninstallIE.dat
c:\documents and settings\NetworkService\Application Data\whitesmoketoolbar\uninstallStatIE.dat
c:\documents and settings\NetworkService\Application Data\whitesmoketoolbar\weather\07ace42ae9965c98e031d65fcac74a65
c:\documents and settings\NetworkService\Application Data\whitesmoketoolbar\weather\361b7b5d79ecfba06724fad84f67beaf
c:\documents and settings\NetworkService\Application Data\whitesmoketoolbar\weather\forecasts_cache.xml
c:\documents and settings\NetworkService\Application Data\whitesmoketoolbar\weather\observations_cache.xml
c:\documents and settings\NetworkService\Application Data\whitesmoketoolbar\weatherbutton_prefs.xml
c:\program files\whitesmoketoolbar
c:\program files\whitesmoketoolbar\chrome\content\lib\about.xml
c:\program files\whitesmoketoolbar\chrome\content\lib\dtxpanel.xul
c:\program files\whitesmoketoolbar\chrome\content\lib\dtxpanelwin.xul
c:\program files\whitesmoketoolbar\chrome\content\lib\dtxprefwin.xul
c:\program files\whitesmoketoolbar\chrome\content\lib\dtxwin.xul
c:\program files\whitesmoketoolbar\chrome\content\lib\emailnotifierproviders.xml
c:\program files\whitesmoketoolbar\chrome\content\lib\external.js
c:\program files\whitesmoketoolbar\chrome\content\lib\neterror.xhtml
c:\program files\whitesmoketoolbar\chrome\content\lib\rsspreview.html
c:\program files\whitesmoketoolbar\chrome\content\lib\rsswin.xml
c:\program files\whitesmoketoolbar\chrome\content\lib\rsswin.xsl
c:\program files\whitesmoketoolbar\chrome\content\lib\vmncode.js
c:\program files\whitesmoketoolbar\chrome\content\lib\wmpstreamer.html
c:\program files\whitesmoketoolbar\chrome\content\modules\datastore.jsm
c:\program files\whitesmoketoolbar\chrome\content\neterror.xhtml
c:\program files\whitesmoketoolbar\chrome\content\newtab\images\btn_search.gif
c:\program files\whitesmoketoolbar\chrome\content\newtab\images\bullet.gif
c:\program files\whitesmoketoolbar\chrome\content\newtab\images\field_bg.gif
c:\program files\whitesmoketoolbar\chrome\content\newtab\images\powered_by_yahoo.gif
c:\program files\whitesmoketoolbar\chrome\content\newtab\newtab.html
c:\program files\whitesmoketoolbar\chrome\content\preferences.xml
c:\program files\whitesmoketoolbar\chrome\content\toolbar.htm
c:\program files\whitesmoketoolbar\chrome\content\toolbar.xul
c:\program files\whitesmoketoolbar\chrome\content\vmncode.js
c:\program files\whitesmoketoolbar\chrome\content\vmnrsswin.xml
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Facebook\skin\css\dialog.css
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Facebook\skin\images\bg.gif
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Facebook\skin\images\btn-wide-close-over.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Facebook\skin\images\btn-wide-close.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Facebook\skin\images\default.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Facebook\skin\images\transparent.gif
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Facebook\skin\images\win-btm-left.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Facebook\skin\images\win-btm-mdl.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Facebook\skin\images\win-btm-right-resize.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Facebook\skin\images\win-btm-right.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Facebook\skin\main.html
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Facebook\skin\scripts\defscript.js
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Facebook\tb_icon.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Facebook\widget.jsw
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Facebook\widget.xml
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Facebook\widget_version.txt
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\css\twitter.css
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\images\btn-login-over.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\images\btn-login.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\images\btn-submit.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\images\loginbg.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\images\refresh-over.gif
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\images\refresh.gif
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\images\scrollbottom-disable.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\images\scrollbottom-down.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\images\scrollbottom-over.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\images\scrollbottom.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\images\scrolltop-disable.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\images\scrolltop-down.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\images\scrolltop-over.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\images\scrolltop.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\images\tab-off-l.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\images\tab-off-r.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\images\tab-on-l.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\images\tab-on-r.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\images\throbber.gif
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\images\Thumbs.db
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\images\twitter-logo48.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\images\twitter_top.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\js\jquery.js
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\js\scripts.js
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\skin\css\dialog.css
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\skin\images\bg.gif
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\skin\images\btn-wide-close-over.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\skin\images\btn-wide-close.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\skin\images\default.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\skin\images\transparent.gif
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\skin\images\win-btm-left.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\skin\images\win-btm-mdl.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\skin\images\win-btm-right-resize.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\skin\images\win-btm-right.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\skin\main.html
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\skin\scripts\defscript.js
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\tb_icon.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\Thumbs.db
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\widget.jsw
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\widget.xml
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\widget_version.txt
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.WebTV\skin\css\dialog.css
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.WebTV\skin\images\bg.gif
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.WebTV\skin\images\btn-search.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.WebTV\skin\images\btn-wide-close-over.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.WebTV\skin\images\btn-wide-close.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.WebTV\skin\images\default.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.WebTV\skin\images\Thumbs.db
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.WebTV\skin\images\transparent.gif
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.WebTV\skin\images\win-btm-left.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.WebTV\skin\images\win-btm-mdl.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.WebTV\skin\images\win-btm-right-resize.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.WebTV\skin\images\win-btm-right.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.WebTV\skin\main.html
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.WebTV\skin\scripts\defscript.js
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.WebTV\tb_icon.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.WebTV\widget.jsw
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.WebTV\widget.xml
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.WebTV\widget_version.txt
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\css\dialog.css
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\images\arrow-grey.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\images\arrows_grey-left.gif
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\images\arrows_grey-right.gif
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\images\btn-search-over.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\images\btn-search.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\images\powered-by-youtube.gif
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\images\scrollb-disable.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\images\scrollb-down.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\images\scrollb.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\images\scrollt-disable.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\images\scrollt-down.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\images\scrollt.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\images\tab-off-l.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\images\tab-off-r.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\images\tab-on-l.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\images\tab-on-r.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\images\tab-over-l.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\images\tab-over-r.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\images\tab-red-left.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\images\tab-red-mdl.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\images\tab-red-right.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\images\tab-white-left.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\images\tab-white-mdl.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\images\tab-white-right.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\images\throbber.gif
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\images\Thumbs.db
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\images\vid-bg.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\images\youtube.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\index.html
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\js\jquery-1.3.2.min.js
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\js\jquery.autocomplete.min.js
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\skin\css\dialog.css
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\skin\images\bg.gif
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\skin\images\btn-search.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\skin\images\btn-wide-close-over.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\skin\images\btn-wide-close.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\skin\images\default.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\skin\images\Thumbs.db
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\skin\images\transparent.gif
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\skin\images\win-btm-left.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\skin\images\win-btm-mdl.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\skin\images\win-btm-right-resize.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\skin\images\win-btm-right.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\skin\main.html
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\skin\scripts\defscript.js
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\tb_icon.png
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\widget.jsw
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\widget.xml
c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\widget_version.txt
c:\program files\whitesmoketoolbar\chrome\data\dynamicElements\vmntoolbar.xsl
c:\program files\whitesmoketoolbar\chrome\data\rss\rss.xml
c:\program files\whitesmoketoolbar\chrome\data\search\engines.xml
c:\program files\whitesmoketoolbar\chrome\data\search\search.xsl
c:\program files\whitesmoketoolbar\chrome\data\weather\icons.xml
c:\program files\whitesmoketoolbar\chrome\skin\634017460871087500_png
c:\program files\whitesmoketoolbar\chrome\skin\about.gif
c:\program files\whitesmoketoolbar\chrome\skin\babylon_logo.png
c:\program files\whitesmoketoolbar\chrome\skin\bing_16x16.png
c:\program files\whitesmoketoolbar\chrome\skin\bing_searchicon_20x22_spaced_hover_png
c:\program files\whitesmoketoolbar\chrome\skin\bing_searchicon_20x22_spaced_png
c:\program files\whitesmoketoolbar\chrome\skin\blank_png
c:\program files\whitesmoketoolbar\chrome\skin\bluelite.gif
c:\program files\whitesmoketoolbar\chrome\skin\bluesky.gif
c:\program files\whitesmoketoolbar\chrome\skin\btn-search-over.png
c:\program files\whitesmoketoolbar\chrome\skin\btn-search.png
c:\program files\whitesmoketoolbar\chrome\skin\btn-settings-over.png
c:\program files\whitesmoketoolbar\chrome\skin\btn-settings.png
c:\program files\whitesmoketoolbar\chrome\skin\btn-widgets-over.png
c:\program files\whitesmoketoolbar\chrome\skin\btn-widgets.png
c:\program files\whitesmoketoolbar\chrome\skin\btn_settings.png
c:\program files\whitesmoketoolbar\chrome\skin\ca.png
c:\program files\whitesmoketoolbar\chrome\skin\checkMyText_png
c:\program files\whitesmoketoolbar\chrome\skin\checkMyText_png_png
c:\program files\whitesmoketoolbar\chrome\skin\dictionary.png
c:\program files\whitesmoketoolbar\chrome\skin\Dictionary_png
c:\program files\whitesmoketoolbar\chrome\skin\Dictionary_png_png
c:\program files\whitesmoketoolbar\chrome\skin\divider.png
c:\program files\whitesmoketoolbar\chrome\skin\downloadcom.png
c:\program files\whitesmoketoolbar\chrome\skin\dtxlogo.png
c:\program files\whitesmoketoolbar\chrome\skin\DTXWizard\skin\icon_library\Basics\folder.png
c:\program files\whitesmoketoolbar\chrome\skin\email.png
c:\program files\whitesmoketoolbar\chrome\skin\email_on.png
c:\program files\whitesmoketoolbar\chrome\skin\eteacher_png
c:\program files\whitesmoketoolbar\chrome\skin\facebook.png
c:\program files\whitesmoketoolbar\chrome\skin\feed_icon_png
c:\program files\whitesmoketoolbar\chrome\skin\feed_icon2_png
c:\program files\whitesmoketoolbar\chrome\skin\france_png
c:\program files\whitesmoketoolbar\chrome\skin\games.png
c:\program files\whitesmoketoolbar\chrome\skin\games_png
c:\program files\whitesmoketoolbar\chrome\skin\gamesIcon_png
c:\program files\whitesmoketoolbar\chrome\skin\graphred0.png
c:\program files\whitesmoketoolbar\chrome\skin\graphred0_5.png
c:\program files\whitesmoketoolbar\chrome\skin\graphred1.png
c:\program files\whitesmoketoolbar\chrome\skin\graphred1_5.png
c:\program files\whitesmoketoolbar\chrome\skin\graphred2.png
c:\program files\whitesmoketoolbar\chrome\skin\graphred2_5.png
c:\program files\whitesmoketoolbar\chrome\skin\graphred3.png
c:\program files\whitesmoketoolbar\chrome\skin\graphred3_5.png
c:\program files\whitesmoketoolbar\chrome\skin\graphred4.png
c:\program files\whitesmoketoolbar\chrome\skin\graphred4_5.png
c:\program files\whitesmoketoolbar\chrome\skin\graphred5.png
c:\program files\whitesmoketoolbar\chrome\skin\graphredna.png
c:\program files\whitesmoketoolbar\chrome\skin\grey.gif
c:\program files\whitesmoketoolbar\chrome\skin\ico-shield.png
c:\program files\whitesmoketoolbar\chrome\skin\images.png
c:\program files\whitesmoketoolbar\chrome\skin\italy_png
c:\program files\whitesmoketoolbar\chrome\skin\lib\add.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\aol.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\arrow-dn.gif
c:\program files\whitesmoketoolbar\chrome\skin\lib\arrow-right-disabled.gif
c:\program files\whitesmoketoolbar\chrome\skin\lib\arrow-right.gif
c:\program files\whitesmoketoolbar\chrome\skin\lib\arrow-up.gif
c:\program files\whitesmoketoolbar\chrome\skin\lib\bg-btn-divider.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\bg-btn-end.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\bg-btn-mdl.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\bg-btn-mdl_ff.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\bg-btn-start.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\bg-btnover-divider.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\bg-btnover-end.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\bg-btnover-mdl.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\bg-btnover-mdl_ff.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\bg-btnover-start.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\blank.gif
c:\program files\whitesmoketoolbar\chrome\skin\lib\btn-widgets-over.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\btn-widgets.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\btn_slider.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\btnback-down-vista.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\btnback-vista.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\btnleft-down-vista.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\btnleft-vista.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\btnright-down-vista.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\btnright-vista.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\button-splitter-down-vista.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\button-splitter-vista.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\checkmark.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\chevron.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\collapse.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\comcast.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\dtx.css
c:\program files\whitesmoketoolbar\chrome\skin\lib\edit-back-hot.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\edit-back.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\expand.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\found.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\gmail.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\highlight.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\highlight_blue.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\highlight_cyan.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\highlight_lime.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\highlight_magenta.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\highlight_yellow.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\hotmail.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\ico-check.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\imap.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\lastsearch-thumb-back.gif
c:\program files\whitesmoketoolbar\chrome\skin\lib\loadingMid.gif
c:\program files\whitesmoketoolbar\chrome\skin\lib\lock.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\logo-separator.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\mailcom.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\menu_bg-basic.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\menu_separator_bar.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\menu_separator_white.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\menuitem-splitter.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\menuitemback-down-vista.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\menuitemback-vista.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\menuitemleft-down-vista.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\menuitemleft-vista.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\menuitemright-down-vista.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\menuitemright-vista.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\modify.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\move.gif
c:\program files\whitesmoketoolbar\chrome\skin\lib\movetarget.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\css\panels.css
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\css\popupAbout.css
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\css\popupGames.css
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\css\popupRSS.css
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\css\popupWidgets.css
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\default\css\dialog.css
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\default\images\bg.gif
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\default\images\btn-search.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\default\images\btn-wide-close-over.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\default\images\btn-wide-close.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\default\images\default.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\default\images\tab-off-l.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\default\images\tab-off-r.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\default\images\tab-on-l.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\default\images\tab-on-r.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\default\images\transparent.gif
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\default\images\ttlbar-left.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\default\images\ttlbar-mdl.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\default\images\ttlbar-right.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\default\images\win-btm-left.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\default\images\win-btm-mdl.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\default\images\win-btm-right-resize.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\default\images\win-btm-right.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\default\images\win-left.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\default\images\win-right.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\default\main.html
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\default\scripts\defscript.js
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\footer.htm
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\gamecategory.xsl
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\gameData.js
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\gameList.xsl
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\games.xsl
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\gametype.xsl
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\arrow-dn.gif
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\arrow-sml-drop.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\arrow-sml.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\arrow-up.gif
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\arrowr-bluew5.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\bg-aboutbox.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\bg-btnover.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\bg-pnl520x390.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\btn-back.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\btn-close-grey.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\btn-close-greyover.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\btn-drag.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\btn-moredetails.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\btn-next-over.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\btn-next.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\btn-previous-over.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\btn-previous.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\btn-search-pnlbtm-over.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\btn-search-pnlbtm.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\bullet-orange.gif
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\gamethumb-on.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\gamethumb2-over.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\ico-calendar.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\ico-download.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\ico-joystick24.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\ico-news24.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\ico-play.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\ico-tags.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\icon-Add.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\icon-download.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\icon-Info.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\icon-play.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\icon-shop.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\menul-bgon.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\menul-bgover.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\panel-botm-noscroll.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\scroll-bg-206.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\scroll-bg.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\scroll-topwin.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\scrollb-disable.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\scrollb-down.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\scrollb-over.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\scrollb.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\scrollt-disable.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\scrollt-down.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\scrollt-over.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\scrollt.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\searchbox-pnlbtm.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\star_x_grey.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\star_x_orange.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\TRUSTe_about.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\view-detailed-on.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\view-detailed-over.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\view-thumb-on.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\view-thumb-over.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\widgets-square-16px.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\widgets-square-24px.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\widgets.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\initHTML.html
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\popupGames.html
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\popupHTML.html
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\popupRSS.html
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\popupWidgets.html
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\scroll.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\pop.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\css\manager.css
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\css\slider.css
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\bg-pnl.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\btn-close-grey.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\btn-close-greyover.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\collapsed_button.gif
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\expanded_button.gif
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\ico-playstation-down.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\ico-playstation-over.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\ico-playstation.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\ico-radio.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\music-note.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\radio-btn-pause-on.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\radio-btn-pause.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\radio-btn-play-on.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\radio-btn-play.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\radio-eq-bg.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\radio-eq-buffer.gif
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\radio-eq-busy.gif
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\radio-eq-off.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\radio-eq-on.gif
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\radio-eq-warning.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\radio-options-design-on.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\radio-options-design.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\radio-options-on.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\radio-options.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\radio-volume-0.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\radio-volume-1.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\radio-volume-2.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\radio-volume-3.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\radio-volume-mute.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\scrollbar-handle.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\scrollbar-track.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\slider.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\slideron.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\track.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\managerpanel.html
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\volumeslider.html
c:\program files\whitesmoketoolbar\chrome\skin\lib\reload.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\remove.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\rename.gif
c:\program files\whitesmoketoolbar\chrome\skin\lib\resize-box.gif
c:\program files\whitesmoketoolbar\chrome\skin\lib\rss.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\rsschannelback.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\RSSLogo.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\rsstabdivider.gif
c:\program files\whitesmoketoolbar\chrome\skin\lib\scroll-left.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\scroll-right.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\search-go.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\search.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\text-ellipsis.xml
c:\program files\whitesmoketoolbar\chrome\skin\lib\throbber.gif
c:\program files\whitesmoketoolbar\chrome\skin\lib\toolbarsplitter.gif
c:\program files\whitesmoketoolbar\chrome\skin\lib\transparent_1px.gif
c:\program files\whitesmoketoolbar\chrome\skin\lib\uwa\border_02.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\uwa\border_03.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\uwa\border_04.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\uwa\border_06.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\uwa\border_07.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\uwa\border_08.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\uwa\border_09.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\uwa\border_10.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\uwa\border_11.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\uwa\border_12.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\uwa\border_13.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\uwa\border_14.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\uwa\border_15.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\uwa\border_16.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\uwa\border_18.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\uwa\border_19.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\uwa\border_20.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\uwa\border_21.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\uwa\btn-close-grey.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\uwa\btn-close-greyover.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\uwa\close-hot.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\uwa\close-normal.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\uwa\loadingMid.gif
c:\program files\whitesmoketoolbar\chrome\skin\lib\uwa\proxy.html
c:\program files\whitesmoketoolbar\chrome\skin\lib\uwa\template.html
c:\program files\whitesmoketoolbar\chrome\skin\lib\uwa\template.xml
c:\program files\whitesmoketoolbar\chrome\skin\lib\uwa\templateFF.html
c:\program files\whitesmoketoolbar\chrome\skin\lib\uwa\throbber.gif

pkbrooks · Jan 13, 2011

Combofix log, part 2

Part 2 paste

c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\icons\cond999.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\icons\icons.xml
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\icons\na-s.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\icons\na-t.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\icons\na.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\icons\weather.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\images\add.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\images\arrowr-bluew5.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\images\bg-pnl.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\images\bg-pnl520x350.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\images\bg-pnl520x350blue-whitebg.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\images\bg-pnl520x350blue.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\images\box-check.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\images\box-uncheck.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\images\btn-close-grey.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\images\btn-close-greyover.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\images\btn-delete.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\images\btn-search-pnlbtm-over.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\images\btn-search-pnlbtm.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\images\btnarrow-next-off.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\images\btnarrow-next.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\images\btnarrow-previous-off.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\images\btnarrow-previous.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\images\ico-check.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\images\ico-hotandhumid-s.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\images\ico-hotandhumid.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\images\options-weather.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\images\over-blue.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\images\over-orange.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\images\powered-by-weatherbug.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\images\powered-by-weatherbug2.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\images\radio-checked.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\images\radio-unchecked.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\images\searchbox-pnlbtm.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\images\weather-contour.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\popupWeather.css
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\popupWeather.html
c:\program files\whitesmoketoolbar\chrome\skin\lib\yahoo.png
c:\program files\whitesmoketoolbar\chrome\skin\lichen.gif
c:\program files\whitesmoketoolbar\chrome\skin\logo-about.png
c:\program files\whitesmoketoolbar\chrome\skin\logo-over.png
c:\program files\whitesmoketoolbar\chrome\skin\logo-separator.png
c:\program files\whitesmoketoolbar\chrome\skin\logo.png
c:\program files\whitesmoketoolbar\chrome\skin\mail.png
c:\program files\whitesmoketoolbar\chrome\skin\menuseparatorback.gif
c:\program files\whitesmoketoolbar\chrome\skin\modify-save.png
c:\program files\whitesmoketoolbar\chrome\skin\modify.png
c:\program files\whitesmoketoolbar\chrome\skin\modifyhot.png
c:\program files\whitesmoketoolbar\chrome\skin\music.png
c:\program files\whitesmoketoolbar\chrome\skin\namespacetoolbar.css
c:\program files\whitesmoketoolbar\chrome\skin\networkIcons_png
c:\program files\whitesmoketoolbar\chrome\skin\news.png
c:\program files\whitesmoketoolbar\chrome\skin\options\options-main.png
c:\program files\whitesmoketoolbar\chrome\skin\options\options-search.png
c:\program files\whitesmoketoolbar\chrome\skin\options\options-weather.png
c:\program files\whitesmoketoolbar\chrome\skin\options\options-widgets.png
c:\program files\whitesmoketoolbar\chrome\skin\orange.gif
c:\program files\whitesmoketoolbar\chrome\skin\pixsy.png
c:\program files\whitesmoketoolbar\chrome\skin\protect-id.png
c:\program files\whitesmoketoolbar\chrome\skin\relatedlinks.png
c:\program files\whitesmoketoolbar\chrome\skin\rss-collapse.png
c:\program files\whitesmoketoolbar\chrome\skin\rss-delete.png
c:\program files\whitesmoketoolbar\chrome\skin\rss-expand.png
c:\program files\whitesmoketoolbar\chrome\skin\rss-feed.png
c:\program files\whitesmoketoolbar\chrome\skin\rss-folder-remove.png
c:\program files\whitesmoketoolbar\chrome\skin\rss-folder-rename.png
c:\program files\whitesmoketoolbar\chrome\skin\rss-folder.png
c:\program files\whitesmoketoolbar\chrome\skin\rss-found.png
c:\program files\whitesmoketoolbar\chrome\skin\rss-reload.png
c:\program files\whitesmoketoolbar\chrome\skin\rss-subscribe.png
c:\program files\whitesmoketoolbar\chrome\skin\rss.png
c:\program files\whitesmoketoolbar\chrome\skin\rss_feed_icon_png
c:\program files\whitesmoketoolbar\chrome\skin\rssback.gif
c:\program files\whitesmoketoolbar\chrome\skin\rsstopback.gif
c:\program files\whitesmoketoolbar\chrome\skin\search-over.png
c:\program files\whitesmoketoolbar\chrome\skin\search.png
c:\program files\whitesmoketoolbar\chrome\skin\searchbar\searchbar-background-left.png
c:\program files\whitesmoketoolbar\chrome\skin\searchbar\searchbar-background-middle.png
c:\program files\whitesmoketoolbar\chrome\skin\searchbar\searchbar-background-right.png
c:\program files\whitesmoketoolbar\chrome\skin\settings.png
c:\program files\whitesmoketoolbar\chrome\skin\shopping.png
c:\program files\whitesmoketoolbar\chrome\skin\siteinfo.png
c:\program files\whitesmoketoolbar\chrome\skin\skin-bluelite.png
c:\program files\whitesmoketoolbar\chrome\skin\skin-bluesky.png
c:\program files\whitesmoketoolbar\chrome\skin\skin-grey.png
c:\program files\whitesmoketoolbar\chrome\skin\skin-lichen.png
c:\program files\whitesmoketoolbar\chrome\skin\skin-orange.png
c:\program files\whitesmoketoolbar\chrome\skin\skin-yellow.png
c:\program files\whitesmoketoolbar\chrome\skin\skin.xml
c:\program files\whitesmoketoolbar\chrome\skin\spain_png
c:\program files\whitesmoketoolbar\chrome\skin\technorati.png
c:\program files\whitesmoketoolbar\chrome\skin\throbber.gif
c:\program files\whitesmoketoolbar\chrome\skin\toolbarsplitter.png
c:\program files\whitesmoketoolbar\chrome\skin\translate.png
c:\program files\whitesmoketoolbar\chrome\skin\Translate_png
c:\program files\whitesmoketoolbar\chrome\skin\Translate_png_png
c:\program files\whitesmoketoolbar\chrome\skin\TRUSTe_about.png
c:\program files\whitesmoketoolbar\chrome\skin\TV_icon3_png
c:\program files\whitesmoketoolbar\chrome\skin\tvicon_png
c:\program files\whitesmoketoolbar\chrome\skin\tvIcons_png
c:\program files\whitesmoketoolbar\chrome\skin\usa_png
c:\program files\whitesmoketoolbar\chrome\skin\vmn.css
c:\program files\whitesmoketoolbar\chrome\skin\vmn.png
c:\program files\whitesmoketoolbar\chrome\skin\web.png
c:\program files\whitesmoketoolbar\chrome\skin\whtsmke_logo_png
c:\program files\whitesmoketoolbar\chrome\skin\whtsmke_logo_png_png
c:\program files\whitesmoketoolbar\chrome\skin\whtsmke_logo_png2_png
c:\program files\whitesmoketoolbar\chrome\skin\whtsmke_logo_png3_png
c:\program files\whitesmoketoolbar\chrome\skin\whtsmke_logo_png4_png
c:\program files\whitesmoketoolbar\chrome\skin\whtsmke_logo_png5_png
c:\program files\whitesmoketoolbar\chrome\skin\wikipedia.png
c:\program files\whitesmoketoolbar\chrome\skin\yahoosearch.png
c:\program files\whitesmoketoolbar\chrome\skin\yellow.gif
c:\program files\whitesmoketoolbar\chrome\skin\youtube.png
c:\program files\whitesmoketoolbar\chrome\skin\zoom.png
c:\program files\whitesmoketoolbar\components\windowmediator.js
c:\program files\whitesmoketoolbar\manifest.xml
c:\program files\whitesmoketoolbar\toolbar.xml
c:\program files\whitesmoketoolbar\uninstall.exe
c:\program files\whitesmoketoolbar\whitesmoketoolbar.dll
c:\program files\whitesmoketoolbar\whITesmoketoolbarx.dll
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\drweb.exe
c:\windows\hexdump.exe
c:\windows\system32\11478.exe
c:\windows\system32\11538.exe
c:\windows\system32\11942.exe
c:\windows\system32\12382.exe
c:\windows\system32\14604.exe
c:\windows\system32\14771.exe
c:\windows\system32\15141.exe
c:\windows\system32\153.exe
c:\windows\system32\15724.exe
c:\windows\system32\16827.exe
c:\windows\system32\17035.exe
c:\windows\system32\17421.exe
c:\windows\system32\17673.exe
c:\windows\system32\18467.exe
c:\windows\system32\1869.exe
c:\windows\system32\18716.exe
c:\windows\system32\19169.exe
c:\windows\system32\19718.exe
c:\windows\system32\19895.exe
c:\windows\system32\19912.exe
c:\windows\system32\21726.exe
c:\windows\system32\23281.exe
c:\windows\system32\23811.exe
c:\windows\system32\24464.exe
c:\windows\system32\25547.exe
c:\windows\system32\25667.exe
c:\windows\system32\26299.exe
c:\windows\system32\26500.exe
c:\windows\system32\26962.exe
c:\windows\system32\27644.exe
c:\windows\system32\28145.exe
c:\windows\system32\28253.exe
c:\windows\system32\28703.exe
c:\windows\system32\292.exe
c:\windows\system32\29358.exe
c:\windows\system32\2995.exe
c:\windows\system32\30333.exe
c:\windows\system32\31322.exe
c:\windows\system32\32391.exe
c:\windows\system32\32662.exe
c:\windows\system32\32757.exe
c:\windows\system32\3902.exe
c:\windows\system32\4664.exe
c:\windows\system32\4827.exe
c:\windows\system32\491.exe
c:\windows\system32\5436.exe
c:\windows\system32\5447.exe
c:\windows\system32\5705.exe
c:\windows\system32\6334.exe
c:\windows\system32\6868.exe
c:\windows\system32\7711.exe
c:\windows\system32\9894.exe
c:\windows\system32\9961.exe
c:\windows\system32\aliases.ini
c:\windows\system32\bszip.dll
c:\windows\system32\download
c:\windows\system32\iexplore.sy_
c:\windows\system32\logs
c:\windows\system32\lspB.dll
c:\windows\system32\mirc.ico
c:\windows\system32\mirc.ini
c:\windows\system32\remote.ini
c:\windows\system32\servers.ini
c:\windows\system32\sounds
c:\windows\system32\users.ini
c:\windows\Tasks\At1.job
c:\windows\Tasks\At12.job
c:\windows\win.exe
c:\windows\wininst.exe

----- File Replicators -----

c:\program files\HP\Memories Disc\skins\HewlettPackard_0002\skingen\MEMDISC\PROVIDED\RETAILPF\SETUP.EXE
c:\windows\system32\11478.exe
c:\windows\system32\11538.exe
c:\windows\system32\11942.exe
c:\windows\system32\12382.exe
c:\windows\system32\14604.exe
c:\windows\system32\14771.exe
c:\windows\system32\15141.exe
c:\windows\system32\153.exe
c:\windows\system32\15724.exe
c:\windows\system32\16827.exe
c:\windows\system32\17035.exe
c:\windows\system32\17421.exe
c:\windows\system32\17673.exe
c:\windows\system32\18467.exe
c:\windows\system32\1869.exe
c:\windows\system32\18716.exe
c:\windows\system32\19169.exe
c:\windows\system32\19718.exe
c:\windows\system32\19895.exe
c:\windows\system32\19912.exe
c:\windows\system32\21726.exe
c:\windows\system32\23281.exe
c:\windows\system32\23811.exe
c:\windows\system32\24464.exe
c:\windows\system32\25547.exe
c:\windows\system32\25667.exe
c:\windows\system32\26299.exe
c:\windows\system32\26500.exe
c:\windows\system32\26962.exe
c:\windows\system32\27644.exe
c:\windows\system32\28145.exe
c:\windows\system32\28253.exe
c:\windows\system32\28703.exe
c:\windows\system32\292.exe
c:\windows\system32\29358.exe
c:\windows\system32\2995.exe
c:\windows\system32\30333.exe
c:\windows\system32\31322.exe
c:\windows\system32\32391.exe
c:\windows\system32\32662.exe
c:\windows\system32\32757.exe
c:\windows\system32\3902.exe
c:\windows\system32\4664.exe
c:\windows\system32\4827.exe
c:\windows\system32\491.exe
c:\windows\system32\5436.exe
c:\windows\system32\5447.exe
c:\windows\system32\5705.exe
c:\windows\system32\6334.exe
c:\windows\system32\6868.exe
c:\windows\system32\7711.exe
c:\windows\system32\9894.exe
c:\windows\system32\9961.exe
.
.
((((((((((((((((((((((((( Files Created from 2010-12-13 to 2011-01-13 )))))))))))))))))))))))))))))))
.

2011-01-07 14:45 . 2011-01-07 14:45 -------- d-----w- c:\documents and settings\Administrator.MCC\Application Data\Malwarebytes
2011-01-07 13:22 . 2011-01-07 13:22 3007 ----a-w- c:\documents and settings\Break Time\Local Settings\Application Data\uhubuhuwonezonus.dll
2011-01-07 11:21 . 2011-01-07 11:21 3007 ----a-w- c:\documents and settings\Break Time\Local Settings\Application Data\orasaqitih.dll
2011-01-07 09:19 . 2011-01-07 09:19 3007 ----a-w- c:\documents and settings\Break Time\Local Settings\Application Data\useyutezezuq.dll
2011-01-07 07:17 . 2011-01-07 07:17 3007 ----a-w- c:\documents and settings\Break Time\Local Settings\Application Data\ezaqupalir.dll
2011-01-07 05:15 . 2011-01-07 05:15 3007 ----a-w- c:\documents and settings\Break Time\Local Settings\Application Data\abesucefu.dll
2011-01-07 03:13 . 2011-01-07 03:13 3007 ----a-w- c:\documents and settings\Break Time\Local Settings\Application Data\etoyikovuviyaki.dll
2011-01-07 01:11 . 2011-01-07 01:11 3007 ----a-w- c:\documents and settings\Break Time\Local Settings\Application Data\axotonudo.dll
2011-01-06 23:09 . 2011-01-06 23:09 3007 ----a-w- c:\documents and settings\Break Time\Local Settings\Application Data\ekudizir.dll
2011-01-06 21:07 . 2011-01-06 21:07 3007 ----a-w- c:\documents and settings\Break Time\Local Settings\Application Data\apekatikun.dll
2011-01-06 19:05 . 2011-01-06 19:05 3007 ----a-w- c:\documents and settings\Break Time\Local Settings\Application Data\asiroquqofolinin.dll
2011-01-06 14:41 . 2011-01-06 14:41 38715 ----a-w- c:\windows\system32\task.exe
2011-01-05 19:21 . 2011-01-05 19:21 3007 ----a-w- c:\documents and settings\Break Time\Application Data\yMZ5k.exe
2011-01-05 19:21 . 2011-01-05 19:21 3007 ----a-w- c:\documents and settings\Break Time\Local Settings\Application Data\odasoletunux.dll
2011-01-05 19:20 . 2008-04-14 05:09 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2011-01-05 19:20 . 2008-04-14 05:09 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2011-01-05 15:59 . 2011-01-05 15:59 -------- d-sh--w- c:\documents and settings\LocalService\IECompatCache
2011-01-05 15:58 . 2011-01-05 15:58 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2011-01-05 12:49 . 2011-01-05 12:49 -------- d-sh--w- c:\documents and settings\NetworkService\IECompatCache
2011-01-05 12:44 . 2011-01-06 14:39 0 ----a-w- c:\documents and settings\Break Time\Local Settings\Application Data\Elagob.bin
2011-01-05 12:43 . 2011-01-13 21:40 -------- d-----w- c:\documents and settings\All Users\Application Data\boost_interprocess
2011-01-05 12:43 . 2011-01-05 12:43 339968 ----a-w- c:\documents and settings\Break Time\Application Data\WTWum.exe
2011-01-05 12:43 . 2011-01-05 19:20 536 ----a-w- c:\documents and settings\Break Time\Application Data\net.vbs
2011-01-05 12:43 . 2011-01-05 19:20 1026 ----a-w- c:\documents and settings\Break Time\Application Data\net.bat
2011-01-05 12:42 . 2011-01-05 12:42 -------- d-----w- c:\documents and settings\NetworkService\Application Data\WhiteSmokeSetup
2011-01-04 19:12 . 2011-01-04 19:12 -------- d-----w- c:\documents and settings\Break Time\Application Data\SUPERAntiSpyware.com
2010-12-29 17:49 . 2010-12-29 17:49 -------- d-----w- c:\windows\system32\%APPDATA%

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-20 20:35 . 2010-10-20 20:35 388096 ----a-r- c:\documents and settings\Administrator.MCC\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
.

Code:

<pre>
c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray .exe
c:\program files\Adobe\Photoshop Elements 4.0\apdproxy .exe
c:\program files\ATI Technologies\ATI Control Panel\atiptaxx .exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier .exe
c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind .exe
c:\program files\CyberLink\PowerDVD\DVDLauncher .exe
c:\program files\Intel\Intel Application Accelerator\iaanotif .exe
c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr .exe
c:\program files\MSN Toolbar\Platform\4.0.0379.0\mswinext .exe
c:\program files\QuickTime\qttask .exe
c:\program files\SecEss\SE11 .exe
c:\program files\TightVNC\WinVNC .exe
</pre>

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uPc+KQNXKIXniQaGuo"="c:\docume~1\BREAKT~1\LOCALS~1\Temp\yo3p2ya4.dll" [N/A]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [N/A]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-01-11 2424560]
"Google Update"="c:\documents and settings\Administrator.MCC\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-10-20 136176]
"MKasc"="c:\windows\drweb.exe" [N/A]
"MKfre"="c:\windows\wininst.exe" [N/A]
"MKbtc"="c:\windows\hexdump.exe" [N/A]
"MKfa"="c:\windows\win.exe" [N/A]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uPc+KQNXKIXniQaGuo"="c:\docume~1\BREAKT~1\LOCALS~1\Temp\yo3p2ya4.dll" [N/A]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
"Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\ssmmgr.exe" [2006-08-16 503808]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-08-09 221184]
"GMorphCl"="c:\windows\system32\task.exe" [2011-01-06 38715]
"MKasc"="c:\windows\drweb.exe" [N/A]
"MKfre"="c:\windows\wininst.exe" [N/A]
"MKbtc"="c:\windows\hexdump.exe" [N/A]
"MKfa"="c:\windows\win.exe" [N/A]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil9f.exe" [2008-03-25 218496]

c:\documents and settings\jamie\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Administrator.MCC\Application Data\Dropbox\bin\Dropbox.exe [N/A]

c:\documents and settings\jboggess\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Minolta\\PageScope Cabinet\\Bin\\MPSCFTPS.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowRedirect"= 0 (0x0)

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]
S0 acxmrkmh;acxmrkmh;c:\windows\system32\drivers\ajtxytg.sys --> c:\windows\system32\drivers\ajtxytg.sys [?]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/4/2004 7:00 AM 14336]
S4 QuickBooksDB17;QuickBooksDB17;c:\progra~1\Intuit\QUICKB~3\QBDBMgrN.exe -hvQuickBooksDB17 --> c:\progra~1\Intuit\QUICKB~3\QBDBMgrN.exe -hvQuickBooksDB17 [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B0B9B83C-BBFC-49F5-93F4-BC388B073320}]
c:\documents and settings\jboggess\Application Data\Bitrix Security\hwwkat9.dll [N/A]
.
Contents of the 'Scheduled Tasks' folder

2011-01-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]

2010-09-25 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\system32\cleanmgr.exe [2004-08-04 09:42]

2011-01-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-763659546-3860924458-1812877018-500Core.job
- c:\documents and settings\Administrator.MCC\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-20 20:21]

2011-01-13 c:\windows\Tasks\Outlook.job
- c:\documents and settings\All Users\Start Menu\Programs\Microsoft Office\Microsoft Office Outlook 2003.lnk [2005-07-25 11:25]

2011-01-13 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-05-12 02:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
Trusted Zone: fastestdeploy.com
TCP: {385CE9BA-9804-42B2-A2AA-7366CF893524} = 192.168.1.254
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {BBF0D44D-14E6-4DB3-8211-AEF1ABA7EE84} - hxxp://esupport.cabinetvision.com/ATLWebKeyButton.CAB
FF - ProfilePath - c:\documents and settings\Administrator.MCC\Application Data\Mozilla\Firefox\Profiles\so55ahpw.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
- - - - ORPHANS REMOVED - - - -

ShellIconOverlayIdentifiers-{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} - (no file)
Notify-NavLogon - (no file)
AddRemove-HijackThis - c:\program files\HijackThis\HijackThis.exe
AddRemove-Solid.exe - m:\cabinetvision\Solid\NetSetup\..\..\Uninst.isu

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-13 16:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

c:\windows\TEMP\SEP6.tmp 0 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ec,a1,dd,33,d5,9e,a6,4b,b9,68,53,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ec,a1,dd,33,d5,9e,a6,4b,b9,68,53,\

[HKEY_USERS\S-1-5-21-763659546-3860924458-1812877018-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2a,32,10,00,27,a7,22,4b,a6,ee,e1,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2a,32,10,00,27,a7,22,4b,a6,ee,e1,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(692)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(748)
c:\program files\Bonjour\mdnsNSP.dll

- - - - - - - > 'explorer.exe'(3116)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\ArcSoft\Software Suite\PhotoImpression 5\share\pihook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
c:\program files\Intel\Intel Application Accelerator\iaantmon.exe
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Analog Devices\SoundMAX\spkrmon.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2011-01-13 16:47:15 - machine was rebooted
ComboFix-quarantined-files.txt 2011-01-13 21:47

Pre-Run: 120,577,183,744 bytes free
Post-Run: 121,086,128,128 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /noexecute=optin

- - End Of File - - 2347CFF3BFE928FAF3777D9B9D41131E

Broni · Jan 13, 2011

Open Windows Explorer. Go Tools>Folder Options>View tab, put a checkmark next to Show hidden files, and folders.
Upload following files to http://www.virustotal.com/ for security check:
- explorer.exe located @ C:\Windows
- userinit.exe and svchost.exe located @ C:\Windows\System32
IMPORTANT! If the file is listed as already analyzed, click on Reanalyse file now button.
Post scan results.

pkbrooks · Jan 14, 2011

Explorer.exe log

Hello. Sorry its been a little hard to get in today. Hope this set is correct. Couldn't really tell what part was log and what part was just unimportant info. This one is the explorer.exe log.

Antivirus Version Last Update Result
AhnLab-V3 2011.01.14.02 2011.01.14 -
AntiVir 7.11.1.140 2011.01.14 -
Antiy-AVL 2.0.3.7 2011.01.14 -
Avast 4.8.1351.0 2011.01.14 -
Avast5 5.0.677.0 2011.01.14 -
AVG 10.0.0.1190 2011.01.14 -
BitDefender 7.2 2011.01.14 -
CAT-QuickHeal 11.00 2011.01.14 -
ClamAV 0.96.4.0 2011.01.14 -
Command 5.2.11.5 2011.01.14 -
Comodo 7389 2011.01.14 -
DrWeb 5.0.2.03300 2011.01.14 -
eSafe 7.0.17.0 2011.01.13 -
eTrust-Vet 36.1.8099 2011.01.14 -
F-Prot 4.6.2.117 2011.01.13 -
F-Secure 9.0.16160.0 2011.01.14 -
Fortinet 4.2.254.0 2011.01.14 -
GData 21 2011.01.14 -
Ikarus T3.1.1.97.0 2011.01.14 -
Jiangmin 13.0.900 2011.01.14 -
K7AntiVirus 9.75.3535 2011.01.13 -
Kaspersky 7.0.0.125 2011.01.14 -
McAfee 5.400.0.1158 2011.01.14 -
McAfee-GW-Edition 2010.1C 2011.01.14 -
Microsoft 1.6402 2011.01.14 -
NOD32 5785 2011.01.13 -
Norman 6.06.12 2011.01.14 -
nProtect 2011-01-14.01 2011.01.14 -
Panda 10.0.2.7 2011.01.14 -
PCTools 7.0.3.5 2011.01.14 -
Prevx 3.0 2011.01.14 -
Rising 22.82.04.04 2011.01.14 -
Sophos 4.61.0 2011.01.14 -
SUPERAntiSpyware 4.40.0.1006 2011.01.14 -
Symantec 20101.3.0.103 2011.01.14 -
TheHacker 6.7.0.1.114 2011.01.13 -
TrendMicro 9.120.0.1004 2011.01.14 -
TrendMicro-HouseCall 9.120.0.1004 2011.01.14 -
VBA32 3.12.14.2 2011.01.14 -
VIPRE 8068 2011.01.14 -
ViRobot 2011.1.14.4254 2011.01.14 -
VirusBuster 13.6.146.0 2011.01.14 -
Additional information
Show all
MD5 : 12896823fb95bfb3dc9b46bcaedc9923
SHA1 : 9d2bf84874abc5b6e9a2744b7865c193c08d362f
SHA256: 1e675cb7df214172f7eb0497f7275556038a0d09c6e5a3e6862c5e26885ef455
ssdeep: 12288:HHmcoCUyZtwAvAs4wTCyrPTloHWYUrkf8w0Vnzac1/g/J/vMS:nmfty/wAvN7lrvbkf8w
0VnH1/g/J/k
File size : 1033728 bytes
First seen: 2009-02-09 08:59:31
Last seen : 2011-01-14 14:44:26
TrID:
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: Microsoft Corporation
copyright....: (c) Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: Windows Explorer
original name: EXPLORER.EXE
internal name: explorer
file version.: 6.00.2900.5512 (xpsp.080413-2105)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0x1A55F
timedatestamp....: 0x48025C30 (Sun Apr 13 19:17:04 2008)
machinetype......: 0x14c (I386)

[[ 4 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x1000, 0x44C09, 0x44E00, 6.38, fd89c9ce334764ffdbb62637ad9b5809
.data, 0x46000, 0x1DB4, 0x1800, 1.30, 983f35021232560eaaa99fcbc1b7d359
.rsrc, 0x48000, 0xB2268, 0xB2400, 6.63, 95339c37646fa93e3695e06572a21889
.reloc, 0xFB000, 0x374C, 0x3800, 6.78, ec335057489badbf6d8142b57175fd91

[[ 13 import(s) ]]
ADVAPI32.dll: RegSetValueW, RegEnumKeyExW, GetUserNameW, RegNotifyChangeKeyValue, RegEnumValueW, RegQueryValueExA, RegOpenKeyExA, RegEnumKeyW, RegCloseKey, RegCreateKeyW, RegQueryInfoKeyW, RegOpenKeyExW, RegQueryValueExW, RegCreateKeyExW, RegSetValueExW, RegDeleteValueW, RegQueryValueW
BROWSEUI.dll: -, -, -, -
GDI32.dll: GetStockObject, CreatePatternBrush, OffsetViewportOrgEx, GetLayout, CombineRgn, CreateDIBSection, GetTextExtentPoint32W, StretchBlt, CreateRectRgnIndirect, CreateRectRgn, GetClipRgn, IntersectClipRect, GetViewportOrgEx, SetViewportOrgEx, SelectClipRgn, PatBlt, GetBkColor, CreateCompatibleDC, CreateCompatibleBitmap, OffsetWindowOrgEx, DeleteDC, SetBkColor, BitBlt, ExtTextOutW, GetTextExtentPointW, GetClipBox, GetObjectW, SetTextColor, SetBkMode, CreateFontIndirectW, DeleteObject, GetTextMetricsW, SelectObject, GetDeviceCaps, TranslateCharsetInfo, SetStretchBltMode
KERNEL32.dll: GetSystemDirectoryW, CreateThread, CreateJobObjectW, ExitProcess, SetProcessShutdownParameters, ReleaseMutex, CreateMutexW, SetPriorityClass, GetCurrentProcess, GetStartupInfoW, GetCommandLineW, SetErrorMode, LeaveCriticalSection, EnterCriticalSection, ResetEvent, LoadLibraryExA, CompareFileTime, GetSystemTimeAsFileTime, SetThreadPriority, GetCurrentThreadId, GetThreadPriority, GetCurrentThread, GetUserDefaultLangID, Sleep, GetBinaryTypeW, GetModuleHandleExW, SystemTimeToFileTime, GetLocalTime, GetCurrentProcessId, GetEnvironmentVariableW, UnregisterWait, GlobalGetAtomNameW, GetFileAttributesW, MoveFileW, lstrcmpW, LoadLibraryExW, FindClose, FindNextFileW, FindFirstFileW, lstrcmpiA, SetEvent, AssignProcessToJobObject, GetDateFormatW, GetTimeFormatW, FlushInstructionCache, lstrcpynW, GetSystemWindowsDirectoryW, SetLastError, GetProcessHeap, HeapFree, HeapReAlloc, HeapSize, HeapAlloc, GetUserDefaultLCID, ReadProcessMemory, OpenProcess, InterlockedCompareExchange, LoadLibraryA, QueryPerformanceCounter, UnhandledExceptionFilter, SetUnhandledExceptionFilter, VirtualFree, VirtualAlloc, ResumeThread, TerminateProcess, TerminateThread, GetSystemDefaultLCID, GetLocaleInfoW, CreateEventW, GetLastError, OpenEventW, DelayLoadFailureHook, WaitForSingleObject, GetTickCount, ExpandEnvironmentStringsW, GetModuleFileNameW, GetPrivateProfileStringW, lstrcmpiW, CreateProcessW, FreeLibrary, GetWindowsDirectoryW, LocalAlloc, CreateFileW, DeviceIoControl, LocalFree, GetQueuedCompletionStatus, CreateIoCompletionPort, SetInformationJobObject, CloseHandle, LoadLibraryW, GetModuleHandleW, ActivateActCtx, DeactivateActCtx, GetFileAttributesExW, GetProcAddress, DeleteCriticalSection, CreateEventA, HeapDestroy, InitializeCriticalSection, MulDiv, InitializeCriticalSectionAndSpinCount, lstrlenW, InterlockedDecrement, InterlockedIncrement, GlobalAlloc, InterlockedExchange, GetModuleHandleA, GetVersionExA, GlobalFree, GetProcessTimes, lstrcpyW, GetLongPathNameW, RegisterWaitForSingleObject
msvcrt.dll: _itow, free, memmove, realloc, _except_handler3, malloc, _ftol, _vsnwprintf
ntdll.dll: RtlNtStatusToDosError, NtQueryInformationProcess
ole32.dll: CoFreeUnusedLibraries, RegisterDragDrop, CreateBindCtx, RevokeDragDrop, CoInitializeEx, CoUninitialize, OleInitialize, CoRevokeClassObject, CoRegisterClassObject, CoMarshalInterThreadInterfaceInStream, CoCreateInstance, OleUninitialize, DoDragDrop
OLEAUT32.dll: -, -
SHDOCVW.dll: -, -, -
SHELL32.dll: -, -, SHGetFolderPathW, -, -, -, -, -, ExtractIconExW, -, -, -, -, -, -, -, -, -, -, -, -, -, -, SHGetSpecialFolderLocation, ShellExecuteExW, -, -, -, SHGetSpecialFolderPathW, -, -, -, SHBindToParent, -, -, -, SHParseDisplayName, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, SHChangeNotify, SHGetDesktopFolder, SHAddToRecentDocs, -, -, -, DuplicateIcon, -, -, -, -, -, -, -, -, SHUpdateRecycleBinIcon, SHGetFolderLocation, SHGetPathFromIDListA, -, -, -, -, -, -, -, SHGetPathFromIDListW, -, -, -
SHLWAPI.dll: StrCpyNW, -, -, -, -, StrRetToBufW, StrRetToStrW, -, -, -, -, SHQueryValueExW, PathIsNetworkPathW, -, AssocCreate, -, -, -, -, -, StrCatW, StrCpyW, -, -, -, -, -, -, SHGetValueW, -, StrCmpNIW, PathRemoveBlanksW, PathRemoveArgsW, PathFindFileNameW, StrStrIW, PathGetArgsW, -, StrToIntW, SHRegGetBoolUSValueW, SHRegWriteUSValueW, SHRegCloseUSKey, SHRegCreateUSKeyW, SHRegGetUSValueW, SHSetValueW, -, PathAppendW, PathUnquoteSpacesW, -, -, PathQuoteSpacesW, -, SHSetThreadRef, SHCreateThreadRef, -, -, -, PathCombineW, -, -, -, SHStrDupW, PathIsPrefixW, PathParseIconLocationW, AssocQueryKeyW, -, AssocQueryStringW, StrCmpW, -, -, -, -, -, -, -, -, SHRegQueryUSValueW, SHRegOpenUSKeyW, SHRegSetUSValueW, PathIsDirectoryW, PathFileExistsW, PathGetDriveNumberW, -, StrChrW, PathFindExtensionW, -, -, PathRemoveFileSpecW, PathStripToRootW, -, -, -, SHOpenRegStream2W, -, -, -, StrDupW, SHDeleteValueW, StrCatBuffW, SHDeleteKeyW, StrCmpIW, -, -, wnsprintfW, -, -, StrCmpNW, -, -
USER32.dll: TileWindows, GetDoubleClickTime, GetSystemMetrics, GetSysColorBrush, AllowSetForegroundWindow, LoadMenuW, GetSubMenu, RemoveMenu, SetParent, GetMessagePos, CheckDlgButton, EnableWindow, GetDlgItemInt, SetDlgItemInt, CopyIcon, AdjustWindowRectEx, DrawFocusRect, DrawEdge, ExitWindowsEx, WindowFromPoint, SetRect, AppendMenuW, LoadAcceleratorsW, LoadBitmapW, SendNotifyMessageW, SetWindowPlacement, CheckMenuItem, EndDialog, SendDlgItemMessageW, MessageBeep, GetActiveWindow, PostQuitMessage, MoveWindow, GetDlgItem, RemovePropW, GetClassNameW, GetDCEx, SetCursorPos, ChildWindowFromPoint, ChangeDisplaySettingsW, RegisterHotKey, UnregisterHotKey, SetCursor, SendMessageTimeoutW, GetWindowPlacement, LoadImageW, SetWindowRgn, IntersectRect, OffsetRect, EnumDisplayMonitors, RedrawWindow, SubtractRect, TranslateAcceleratorW, WaitMessage, InflateRect, CallWindowProcW, GetDlgCtrlID, SetCapture, LockSetForegroundWindow, SystemParametersInfoW, FindWindowW, CreatePopupMenu, GetMenuDefaultItem, DestroyMenu, GetShellWindow, EnumChildWindows, GetWindowLongW, SendMessageW, RegisterWindowMessageW, GetKeyState, CopyRect, MonitorFromRect, MonitorFromPoint, RegisterClassW, SetPropW, GetWindowLongA, SetWindowLongW, FillRect, GetCursorPos, MessageBoxW, LoadStringW, ReleaseDC, GetDC, EnumDisplaySettingsExW, EnumDisplayDevicesW, PostMessageW, DispatchMessageW, TranslateMessage, GetMessageW, PeekMessageW, PtInRect, BeginPaint, EndPaint, SetWindowTextW, GetAsyncKeyState, InvalidateRect, GetWindow, ShowWindowAsync, TrackPopupMenuEx, UpdateWindow, DestroyIcon, IsRectEmpty, SetActiveWindow, GetSysColor, DrawTextW, IsHungAppWindow, SetTimer, GetMenuItemID, TrackPopupMenu, EndTask, SendMessageCallbackW, GetClassLongW, LoadIconW, OpenInputDesktop, CloseDesktop, SetScrollPos, ShowWindow, BringWindowToTop, GetDesktopWindow, CascadeWindows, CharUpperBuffW, SwitchToThisWindow, InternalGetWindowText, GetScrollInfo, GetMenuItemCount, CreateWindowExW, DialogBoxParamW, MsgWaitForMultipleObjects, CharNextA, RegisterClipboardFormatW, EndDeferWindowPos, DeferWindowPos, BeginDeferWindowPos, PrintWindow, SetClassLongW, GetPropW, GetNextDlgGroupItem, GetNextDlgTabItem, ChildWindowFromPointEx, IsChild, NotifyWinEvent, TrackMouseEvent, GetCapture, GetAncestor, CharUpperW, SetWindowLongA, DrawCaption, ModifyMenuW, InsertMenuW, IsWindowEnabled, GetMenuState, LoadCursorW, GetParent, IsDlgButtonChecked, DestroyWindow, EnumWindows, IsWindowVisible, GetClientRect, UnionRect, EqualRect, GetWindowThreadProcessId, GetForegroundWindow, KillTimer, GetClassInfoExW, DefWindowProcW, RegisterClassExW, GetIconInfo, SetScrollInfo, GetLastActivePopup, SetForegroundWindow, IsWindow, GetSystemMenu, IsIconic, IsZoomed, EnableMenuItem, SetMenuDefaultItem, MonitorFromWindow, GetMonitorInfoW, GetWindowInfo, GetFocus, SetFocus, MapWindowPoints, ScreenToClient, ClientToScreen, GetWindowRect, SetWindowPos, DeleteMenu, GetMenuItemInfoW, SetMenuItemInfoW, CharNextW
UxTheme.dll: GetThemeBackgroundContentRect, GetThemeBool, GetThemePartSize, DrawThemeParentBackground, OpenThemeData, DrawThemeBackground, GetThemeTextExtent, DrawThemeText, CloseThemeData, SetWindowTheme, GetThemeBackgroundRegion, -, GetThemeMargins, GetThemeColor, GetThemeFont, GetThemeRect, IsAppThemed
ExifTool:
file metadata
CharacterSet: Unicode
CodeSize: 282112
CompanyName: Microsoft Corporation
EntryPoint: 0x1a55f
FileDescription: Windows Explorer
FileFlagsMask: 0x003f
FileOS: Windows NT 32-bit
FileSize: 1010 kB
FileSubtype: 0
FileType: Win32 EXE
FileVersion: 6.00.2900.5512 (xpsp.080413-2105)
FileVersionNumber: 6.0.2900.5512
ImageVersion: 5.1
InitializedDataSize: 752128
InternalName: explorer
LanguageCode: English (U.S.)
LegalCopyright: Microsoft Corporation. All rights reserved.
LinkerVersion: 7.1
MIMEType: application/octet-stream
MachineType: Intel 386 or later, and compatibles
OSVersion: 5.1
ObjectFileType: Executable application
OriginalFilename: EXPLORER.EXE
PEType: PE32
ProductName: Microsoft Windows Operating System
ProductVersion: 6.00.2900.5512
ProductVersionNumber: 6.0.2900.5512
Subsystem: Windows GUI
SubsystemVersion: 4.1
TimeStamp: 2008:04:13 21:17:04+02:00
UninitializedDataSize: 0

Broni · Jan 14, 2011

Good. Give me the other two, please.

pkbrooks · Jan 14, 2011

Userinit.exe Paste

here is the userinit.exe file. Again, hope Im getting the right info.

pkbrooks

Antivirus Version Last Update Result
AhnLab-V3 2011.01.14.02 2011.01.14 -
AntiVir 7.11.1.144 2011.01.14 -
Antiy-AVL 2.0.3.7 2011.01.14 -
Avast 4.8.1351.0 2011.01.14 -
Avast5 5.0.677.0 2011.01.14 -
AVG 10.0.0.1190 2011.01.14 -
BitDefender 7.2 2011.01.14 -
CAT-QuickHeal 11.00 2011.01.14 -
ClamAV 0.96.4.0 2011.01.14 -
Command 5.2.11.5 2011.01.14 -
Comodo 7390 2011.01.14 -
DrWeb 5.0.2.03300 2011.01.14 -
Emsisoft 5.1.0.1 2011.01.14 -
eSafe 7.0.17.0 2011.01.13 -
eTrust-Vet 36.1.8099 2011.01.14 -
F-Prot 4.6.2.117 2011.01.14 -
F-Secure 9.0.16160.0 2011.01.14 -
Fortinet 4.2.254.0 2011.01.14 -
GData 21 2011.01.14 -
Ikarus T3.1.1.97.0 2011.01.14 -
Jiangmin 13.0.900 2011.01.14 -
K7AntiVirus 9.75.3548 2011.01.14 -
Kaspersky 7.0.0.125 2011.01.14 -
McAfee 5.400.0.1158 2011.01.14 -
McAfee-GW-Edition 2010.1C 2011.01.14 -
Microsoft 1.6402 2011.01.14 -
NOD32 5785 2011.01.13 -
Norman 6.06.12 2011.01.14 -
nProtect 2011-01-14.01 2011.01.14 -
Panda 10.0.2.7 2011.01.14 -
PCTools 7.0.3.5 2011.01.14 -
Prevx 3.0 2011.01.14 -
Rising 22.82.04.04 2011.01.14 -
Sophos 4.61.0 2011.01.14 -
SUPERAntiSpyware 4.40.0.1006 2011.01.14 -
Symantec 20101.3.0.103 2011.01.14 -
TheHacker 6.7.0.1.115 2011.01.14 -
TrendMicro 9.120.0.1004 2011.01.14 -
TrendMicro-HouseCall 9.120.0.1004 2011.01.14 -
VBA32 3.12.14.2 2011.01.14 -
VIPRE 8068 2011.01.14 -
ViRobot 2011.1.14.4254 2011.01.14 -
VirusBuster 13.6.147.0 2011.01.14 -
Additional information
Show all
MD5 : a93aee1928a9d7ce3e16d24ec7380f89
SHA1 : 513f8bdf67a5a9e09803cfb61f590b39f2683853
SHA256: 944cd2135e171af338352568aa7fe1b8004733a4281395ad6723e0cf43d5f53f
ssdeep: 768:0RMJi8jDLIDSAaQFxfftjaLacmkLGKOq:0RMJbDMDSA7FxffJaLaSLG9q
File size : 26112 bytes
First seen: 2009-02-12 03:28:35
Last seen : 2011-01-14 19:14:07
TrID:
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
sigcheck:
publisher....: Microsoft Corporation
copyright....: (c) Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: Userinit Logon Application
original name: USERINIT.EXE
internal name: userinit
file version.: 5.1.2600.5512 (xpsp.080413-2113)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0x54AD
timedatestamp....: 0x480251A8 (Sun Apr 13 18:32:08 2008)
machinetype......: 0x14c (I386)

[[ 3 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x1000, 0x520E, 0x5400, 5.95, 099b53205ad3f1c3b853a5310d08a9b1
.data, 0x7000, 0x14C, 0x200, 1.86, 0bb948f267e82975313a03d8c0e8a1cf
.rsrc, 0x8000, 0xB50, 0xC00, 3.27, bac832e39f87c4f5f640e5d5c6a1c2fc

[[ 9 import(s) ]]
USER32.dll: CreateWindowExW, DestroyWindow, RegisterClassExW, DefWindowProcW, LoadRemoteFonts, wsprintfW, GetSystemMetrics, GetKeyboardLayout, SystemParametersInfoW, GetDesktopWindow, LoadStringW, MessageBoxW, ExitWindowsEx, CharNextW
ADVAPI32.dll: RegOpenKeyExA, ReportEventW, RegisterEventSourceW, DeregisterEventSource, OpenProcessToken, RegCreateKeyExW, RegSetValueExW, GetUserNameW, RegQueryValueExW, RegOpenKeyExW, RegQueryInfoKeyW, RegCloseKey, RegQueryValueExA
CRYPT32.dll: CryptProtectData
WINSPOOL.DRV: SpoolerInit
ntdll.dll: RtlLengthSid, RtlCopySid, _itow, RtlFreeUnicodeString, DbgPrint, wcslen, wcscpy, wcscat, wcscmp, RtlInitUnicodeString, NtOpenKey, NtClose, _wcsicmp, memmove, RtlConvertSidToUnicodeString, NtQueryInformationToken
NETAPI32.dll: DsGetDcNameW, NetApiBufferFree
WLDAP32.dll: -, -, -, -, -, -
msvcrt.dll: __setusermatherr, _initterm, __getmainargs, _acmdln, _adjust_fdiv, _XcptFilter, _exit, _c_exit, __p__commode, __p__fmode, __set_app_type, _except_handler3, _controlfp, _cexit, exit
KERNEL32.dll: CompareFileTime, LoadLibraryW, GetProcAddress, FreeLibrary, lstrcpyW, CreateProcessW, lstrlenW, GetVersionExW, LocalFree, LocalAlloc, GetEnvironmentVariableW, CloseHandle, lstrcatW, WaitForSingleObject, DelayLoadFailureHook, GetStartupInfoA, GetModuleHandleA, SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess, GetSystemTimeAsFileTime, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter, LoadLibraryA, InterlockedCompareExchange, LocalReAlloc, GetSystemTime, lstrcmpW, GetCurrentThread, SetThreadPriority, ExpandEnvironmentStringsW, SearchPathW, GetLastError, CreateThread, GetFileAttributesExW, GetSystemDirectoryW, SetCurrentDirectoryW, FormatMessageW, lstrcmpiW, GetCurrentProcess, GetUserDefaultLangID, GetCurrentProcessId, SetEvent, OpenEventW, Sleep, SetEnvironmentVariableW
ExifTool:
file metadata
CharacterSet: Unicode
CodeSize: 21504
CompanyName: Microsoft Corporation
EntryPoint: 0x54ad
FileDescription: Userinit Logon Application
FileFlagsMask: 0x003f
FileOS: Windows NT 32-bit
FileSize: 26 kB
FileSubtype: 0
FileType: Win32 EXE
FileVersion: 5.1.2600.5512 (xpsp.080413-2113)
FileVersionNumber: 5.1.2600.5512
ImageVersion: 5.1
InitializedDataSize: 3584
InternalName: userinit
LanguageCode: English (U.S.)
LegalCopyright: Microsoft Corporation. All rights reserved.
LinkerVersion: 7.1
MIMEType: application/octet-stream
MachineType: Intel 386 or later, and compatibles
OSVersion: 5.1
ObjectFileType: Executable application
OriginalFilename: USERINIT.EXE
PEType: PE32
ProductName: Microsoft Windows Operating System
ProductVersion: 5.1.2600.5512
ProductVersionNumber: 5.1.2600.5512
Subsystem: Windows GUI
SubsystemVersion: 4.0
TimeStamp: 2008:04:13 20:32:08+02:00
UninitializedDataSize: 0

Broni · Jan 14, 2011

Doing fine

pkbrooks · Jan 14, 2011

svchost.exe paste

and last but least...here is the svchost paste.

pkbrooks

Antivirus Version Last Update Result
AhnLab-V3 2011.01.15.00 2011.01.14 -
AntiVir 7.11.1.144 2011.01.14 -
Antiy-AVL 2.0.3.7 2011.01.14 -
Avast 4.8.1351.0 2011.01.14 -
Avast5 5.0.677.0 2011.01.14 -
BitDefender 7.2 2011.01.14 -
CAT-QuickHeal 11.00 2011.01.14 -
ClamAV 0.96.4.0 2011.01.14 -
Command 5.2.11.5 2011.01.14 -
Comodo 7392 2011.01.14 -
DrWeb 5.0.2.03300 2011.01.14 -
Emsisoft 5.1.0.1 2011.01.14 -
eSafe 7.0.17.0 2011.01.13 -
eTrust-Vet 36.1.8100 2011.01.14 -
F-Prot 4.6.2.117 2011.01.14 -
F-Secure 9.0.16160.0 2011.01.14 -
Fortinet 4.2.254.0 2011.01.14 -
GData 21 2011.01.14 -
Ikarus T3.1.1.97.0 2011.01.14 -
Jiangmin 13.0.900 2011.01.14 -
K7AntiVirus 9.75.3548 2011.01.14 -
Kaspersky 7.0.0.125 2011.01.14 -
McAfee 5.400.0.1158 2011.01.14 -
McAfee-GW-Edition 2010.1C 2011.01.14 -
Microsoft 1.6402 2011.01.14 -
NOD32 5788 2011.01.14 -
Norman 6.06.12 2011.01.14 -
nProtect 2011-01-14.01 2011.01.14 -
Panda 10.0.2.7 2011.01.14 -
PCTools 7.0.3.5 2011.01.14 -
Prevx 3.0 2011.01.14 -
Rising 22.82.04.04 2011.01.14 -
Sophos 4.61.0 2011.01.14 -
SUPERAntiSpyware 4.40.0.1006 2011.01.14 -
Symantec 20101.3.0.103 2011.01.14 -
TheHacker 6.7.0.1.115 2011.01.14 -
TrendMicro 9.120.0.1004 2011.01.14 -
TrendMicro-HouseCall 9.120.0.1004 2011.01.14 -
VBA32 3.12.14.2 2011.01.14 -
VIPRE 8068 2011.01.14 -
ViRobot 2011.1.14.4254 2011.01.14 -
VirusBuster 13.6.147.0 2011.01.14 -
Additional information
Show all
MD5 : 27c6d03bcdb8cfeb96b716f3d8be3e18
SHA1 : 49083ae3725a0488e0a8fbbe1335c745f70c4667
SHA256: 2910ebc692d833d949bfd56059e8106d324a276d5f165f874f3fb1b6c613cdd5
ssdeep: 384:IDvi+JmG6yqlCRaJt4RHS5LutGJae7g9VJnpWCNJbW:INcG6xlCRaJKGOA7SHJ
File size : 14336 bytes
First seen: 2008-05-01 02:35:20
Last seen : 2011-01-14 21:37:23
TrID:
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: Microsoft Corporation
copyright....: (c) Microsoft Corporation. All rights reserved.
product......: Microsoft_ Windows_ Operating System
description..: Generic Host Process for Win32 Services
original name: svchost.exe
internal name: svchost.exe
file version.: 5.1.2600.5512 (xpsp.080413-2111)
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0x2509
timedatestamp....: 0x48025BC0 (Sun Apr 13 19:15:12 2008)
machinetype......: 0x14c (I386)

[[ 3 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x1000, 0x2C00, 0x2C00, 6.29, f6589e1ed3da6afefb0b4294d9ff7f2e
.data, 0x4000, 0x210, 0x200, 1.62, cbd504e46c836e09e8faabdcfbabaec2
.rsrc, 0x5000, 0x408, 0x600, 2.51, dcede0c303bbb48c6875eb64477e5882

[[ 4 import(s) ]]
ADVAPI32.dll: RegQueryValueExW, SetSecurityDescriptorDacl, SetEntriesInAclW, SetSecurityDescriptorGroup, SetSecurityDescriptorOwner, InitializeSecurityDescriptor, GetTokenInformation, OpenProcessToken, OpenThreadToken, SetServiceStatus, RegisterServiceCtrlHandlerW, RegCloseKey, RegOpenKeyExW, StartServiceCtrlDispatcherW
KERNEL32.dll: HeapFree, GetLastError, WideCharToMultiByte, lstrlenW, LocalFree, GetCurrentProcess, GetCurrentThread, GetProcAddress, LoadLibraryExW, LeaveCriticalSection, HeapAlloc, EnterCriticalSection, LCMapStringW, FreeLibrary, lstrcpyW, ExpandEnvironmentStringsW, lstrcmpiW, ExitProcess, GetCommandLineW, InitializeCriticalSection, GetProcessHeap, SetErrorMode, SetUnhandledExceptionFilter, RegisterWaitForSingleObject, InterlockedCompareExchange, LoadLibraryA, QueryPerformanceCounter, GetTickCount, GetCurrentThreadId, GetCurrentProcessId, GetSystemTimeAsFileTime, TerminateProcess, UnhandledExceptionFilter, LocalAlloc, lstrcmpW, DelayLoadFailureHook
ntdll.dll: NtQuerySecurityObject, RtlFreeHeap, NtOpenKey, wcscat, wcscpy, RtlAllocateHeap, RtlCompareUnicodeString, RtlInitUnicodeString, RtlInitializeSid, RtlLengthRequiredSid, RtlSubAuthoritySid, NtClose, RtlSubAuthorityCountSid, RtlGetDaclSecurityDescriptor, RtlQueryInformationAcl, RtlGetAce, RtlImageNtHeader, wcslen, RtlUnhandledExceptionFilter, RtlCopySid
RPCRT4.dll: RpcServerUnregisterIfEx, RpcMgmtWaitServerListen, RpcMgmtSetServerStackSize, RpcServerUnregisterIf, RpcServerListen, RpcServerUseProtseqEpW, RpcServerRegisterIf, I_RpcMapWin32Status, RpcMgmtStopServerListening
ExifTool:
file metadata
CharacterSet: Unicode
CodeSize: 11264
CompanyName: Microsoft Corporation
EntryPoint: 0x2509
FileDescription: Generic Host Process for Win32 Services
FileFlagsMask: 0x003f
FileOS: Windows NT 32-bit
FileSize: 14 kB
FileSubtype: 0
FileType: Win32 EXE
FileVersion: 5.1.2600.5512 (xpsp.080413-2111)
FileVersionNumber: 5.1.2600.5512
ImageVersion: 5.1
InitializedDataSize: 2560
InternalName: svchost.exe
LanguageCode: English (U.S.)
LegalCopyright: Microsoft Corporation. All rights reserved.
LinkerVersion: 7.1
MIMEType: application/octet-stream
MachineType: Intel 386 or later, and compatibles
OSVersion: 5.1
ObjectFileType: Executable application
OriginalFilename: svchost.exe
PEType: PE32
ProductName: Microsoft Windows Operating System
ProductVersion: 5.1.2600.5512
ProductVersionNumber: 5.1.2600.5512
Subsystem: Windows GUI
SubsystemVersion: 4.0
TimeStamp: 2008:04:13 21:15:12+02:00
UninitializedDataSize: 0

Broni · Jan 14, 2011

OK. Those look good

1. Please open Notepad

Click Start , then Run
Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:

File::
c:\documents and settings\Break Time\Local Settings\Application Data\uhubuhuwonezonus.dll
c:\documents and settings\Break Time\Local Settings\Application Data\orasaqitih.dll
c:\documents and settings\Break Time\Local Settings\Application Data\useyutezezuq.dll
c:\documents and settings\Break Time\Local Settings\Application Data\ezaqupalir.dll
c:\documents and settings\Break Time\Local Settings\Application Data\abesucefu.dll
c:\documents and settings\Break Time\Local Settings\Application Data\etoyikovuviyaki.dll
c:\documents and settings\Break Time\Local Settings\Application Data\axotonudo.dll
c:\documents and settings\Break Time\Local Settings\Application Data\ekudizir.dll
c:\documents and settings\Break Time\Local Settings\Application Data\apekatikun.dll
c:\documents and settings\Break Time\Local Settings\Application Data\asiroquqofolinin.dll
c:\windows\system32\task.exe
c:\documents and settings\Break Time\Application Data\yMZ5k.exe
c:\documents and settings\Break Time\Local Settings\Application Data\odasoletunux.dll
c:\documents and settings\Break Time\Local Settings\Application Data\Elagob.bin
c:\documents and settings\Break Time\Application Data\WTWum.exe
c:\documents and settings\Break Time\Application Data\net.vbs
c:\documents and settings\Break Time\Application Data\net.bat
c:\documents and settings\NetworkService\Application Data\WhiteSmokeSetup
c:\docume~1\BREAKT~1\LOCALS~1\Temp\yo3p2ya4.dll
c:\windows\TEMP\SEP6.tmp


RenV::
c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray .exe
c:\program files\Adobe\Photoshop Elements 4.0\apdproxy .exe
c:\program files\ATI Technologies\ATI Control Panel\atiptaxx .exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier .exe
c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind .exe
c:\program files\CyberLink\PowerDVD\DVDLauncher .exe
c:\program files\Intel\Intel Application Accelerator\iaanotif .exe
c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr .exe
c:\program files\MSN Toolbar\Platform\4.0.0379.0\mswinext .exe
c:\program files\QuickTime\qttask .exe
c:\program files\SecEss\SE11 .exe
c:\program files\TightVNC\WinVNC .exe


Folder::

Driver::
acxmrkmh

Rootkit::
c:\windows\system32\drivers\ajtxytg.sys


Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uPc+KQNXKIXniQaGuo"=-
"MKasc"=-
"GMorphCl"=-
"MKfre"=-
"MKbtc"=-
"MKfa"=-

3. Save the above as CFScript.txt

4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

Combofix.txt

pkbrooks · Jan 14, 2011

New Combofix log using CFScript.txt

ok. here is the paste of the combofix log.

pkbrooks

ComboFix 11-01-14.01 - Administrator 01/14/2011 16:59:34.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.639 [GMT -5:00]
Running from: c:\documents and settings\Administrator.MCC\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator.MCC\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}

FILE ::
"c:\docume~1\BREAKT~1\LOCALS~1\Temp\yo3p2ya4.dll"
"c:\documents and settings\Break Time\Application Data\net.bat"
"c:\documents and settings\Break Time\Application Data\net.vbs"
"c:\documents and settings\Break Time\Application Data\WTWum.exe"
"c:\documents and settings\Break Time\Application Data\yMZ5k.exe"
"c:\documents and settings\Break Time\Local Settings\Application Data\abesucefu.dll"
"c:\documents and settings\Break Time\Local Settings\Application Data\apekatikun.dll"
"c:\documents and settings\Break Time\Local Settings\Application Data\asiroquqofolinin.dll"
"c:\documents and settings\Break Time\Local Settings\Application Data\axotonudo.dll"
"c:\documents and settings\Break Time\Local Settings\Application Data\ekudizir.dll"
"c:\documents and settings\Break Time\Local Settings\Application Data\Elagob.bin"
"c:\documents and settings\Break Time\Local Settings\Application Data\etoyikovuviyaki.dll"
"c:\documents and settings\Break Time\Local Settings\Application Data\ezaqupalir.dll"
"c:\documents and settings\Break Time\Local Settings\Application Data\odasoletunux.dll"
"c:\documents and settings\Break Time\Local Settings\Application Data\orasaqitih.dll"
"c:\documents and settings\Break Time\Local Settings\Application Data\uhubuhuwonezonus.dll"
"c:\documents and settings\Break Time\Local Settings\Application Data\useyutezezuq.dll"
"c:\documents and settings\NetworkService\Application Data\WhiteSmokeSetup"
"c:\windows\system32\task.exe"
"c:\windows\TEMP\SEP6.tmp"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Break Time\Application Data\net.bat
c:\documents and settings\Break Time\Application Data\net.vbs
c:\documents and settings\Break Time\Application Data\WTWum.exe
c:\documents and settings\Break Time\Application Data\yMZ5k.exe
c:\documents and settings\Break Time\Local Settings\Application Data\abesucefu.dll
c:\documents and settings\Break Time\Local Settings\Application Data\apekatikun.dll
c:\documents and settings\Break Time\Local Settings\Application Data\asiroquqofolinin.dll
c:\documents and settings\Break Time\Local Settings\Application Data\axotonudo.dll
c:\documents and settings\Break Time\Local Settings\Application Data\ekudizir.dll
c:\documents and settings\Break Time\Local Settings\Application Data\Elagob.bin
c:\documents and settings\Break Time\Local Settings\Application Data\etoyikovuviyaki.dll
c:\documents and settings\Break Time\Local Settings\Application Data\ezaqupalir.dll
c:\documents and settings\Break Time\Local Settings\Application Data\odasoletunux.dll
c:\documents and settings\Break Time\Local Settings\Application Data\orasaqitih.dll
c:\documents and settings\Break Time\Local Settings\Application Data\uhubuhuwonezonus.dll
c:\documents and settings\Break Time\Local Settings\Application Data\useyutezezuq.dll
c:\windows\system32\task.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_acxmrkmh

((((((((((((((((((((((((( Files Created from 2010-12-14 to 2011-01-14 )))))))))))))))))))))))))))))))
.

2011-01-13 19:41 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2011-01-13 19:39 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2011-01-07 14:45 . 2011-01-07 14:45 -------- d-----w- c:\documents and settings\Administrator.MCC\Application Data\Malwarebytes
2011-01-05 19:20 . 2008-04-14 05:09 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2011-01-05 19:20 . 2008-04-14 05:09 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2011-01-05 15:59 . 2011-01-05 15:59 -------- d-sh--w- c:\documents and settings\LocalService\IECompatCache
2011-01-05 15:58 . 2011-01-05 15:58 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2011-01-05 12:49 . 2011-01-05 12:49 -------- d-sh--w- c:\documents and settings\NetworkService\IECompatCache
2011-01-05 12:43 . 2011-01-13 21:40 -------- d-----w- c:\documents and settings\All Users\Application Data\boost_interprocess
2011-01-05 12:42 . 2011-01-05 12:42 -------- d-----w- c:\documents and settings\NetworkService\Application Data\WhiteSmokeSetup
2011-01-04 19:12 . 2011-01-04 19:12 -------- d-----w- c:\documents and settings\Break Time\Application Data\SUPERAntiSpyware.com
2010-12-29 17:49 . 2010-12-29 17:49 -------- d-----w- c:\windows\system32\%APPDATA%

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-18 18:12 . 2004-12-01 05:00 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-09 14:52 . 2004-08-04 12:00 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-06 00:26 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2004-08-04 12:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2004-08-04 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2004-08-04 12:00 1853312 ----a-w- c:\windows\system32\win32k.sys
2010-10-20 20:35 . 2010-10-20 20:35 388096 ----a-r- c:\documents and settings\Administrator.MCC\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
.

((((((((((((((((((((((((((((( SnapShot@2011-01-13_21.44.22 )))))))))))))))))))))))))))))))))))))))))
.
- 2011-01-13 21:43 . 2011-01-13 21:43 16384 c:\windows\Temp\Perflib_Perfdata_6bc.dat
+ 2011-01-14 22:06 . 2011-01-14 22:06 16384 c:\windows\Temp\Perflib_Perfdata_6bc.dat
- 2007-01-29 08:58 . 2010-04-21 13:28 46080 c:\windows\system32\tzchange.exe
+ 2007-01-29 08:58 . 2010-11-03 13:12 46080 c:\windows\system32\tzchange.exe
+ 2003-07-16 20:41 . 2011-01-14 08:02 76346 c:\windows\system32\perfc009.dat
- 2003-07-16 20:41 . 2011-01-04 21:26 76346 c:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2010-11-06 00:26 66560 c:\windows\system32\mshtmled.dll
- 2004-08-04 12:00 . 2009-03-08 08:31 66560 c:\windows\system32\mshtmled.dll
- 2006-11-08 02:03 . 2010-06-24 12:21 55296 c:\windows\system32\msfeedsbs.dll
+ 2006-11-08 02:03 . 2010-11-06 00:26 55296 c:\windows\system32\msfeedsbs.dll
+ 2004-08-04 12:00 . 2010-11-06 00:26 25600 c:\windows\system32\jsproxy.dll
- 2004-08-04 12:00 . 2010-06-24 12:21 25600 c:\windows\system32\jsproxy.dll
- 2010-03-19 13:20 . 2010-06-24 12:22 12800 c:\windows\system32\dllcache\xpshims.dll
+ 2010-03-19 13:20 . 2010-11-06 00:26 12800 c:\windows\system32\dllcache\xpshims.dll
- 2004-08-04 12:00 . 2009-03-08 08:31 66560 c:\windows\system32\dllcache\mshtmled.dll
+ 2004-08-04 12:00 . 2010-11-06 00:26 66560 c:\windows\system32\dllcache\mshtmled.dll
- 2007-05-09 09:17 . 2010-06-24 12:21 55296 c:\windows\system32\dllcache\msfeedsbs.dll
+ 2007-05-09 09:17 . 2010-11-06 00:26 55296 c:\windows\system32\dllcache\msfeedsbs.dll
+ 2004-08-04 12:00 . 2010-11-06 00:26 43520 c:\windows\system32\dllcache\licmgr10.dll
+ 2004-08-04 12:00 . 2010-11-06 00:26 25600 c:\windows\system32\dllcache\jsproxy.dll
- 2004-08-04 12:00 . 2010-06-24 12:21 25600 c:\windows\system32\dllcache\jsproxy.dll
+ 2010-11-18 18:12 . 2010-11-18 18:12 81920 c:\windows\system32\dllcache\isign32.dll
+ 2010-09-22 14:43 . 2010-09-22 14:43 30544 c:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.exe
- 2010-03-23 09:31 . 2010-03-23 09:31 30544 c:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.exe
+ 2011-01-14 08:04 . 2011-01-14 08:04 38240 c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
- 2010-08-12 17:32 . 2010-08-12 17:32 38240 c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
+ 2010-06-05 07:01 . 2011-01-14 08:03 49152 c:\windows\Installer\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}\ConfigIcon.dll
- 2010-06-05 07:01 . 2010-09-08 07:01 49152 c:\windows\Installer\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}\ConfigIcon.dll
+ 2011-01-14 08:04 . 2010-06-24 12:22 12800 c:\windows\ie8updates\KB2416400-IE8\xpshims.dll
+ 2011-01-14 08:04 . 2009-03-08 08:31 66560 c:\windows\ie8updates\KB2416400-IE8\mshtmled.dll
+ 2011-01-14 08:04 . 2010-06-24 12:21 55296 c:\windows\ie8updates\KB2416400-IE8\msfeedsbs.dll
+ 2011-01-14 08:04 . 2009-03-08 08:34 43008 c:\windows\ie8updates\KB2416400-IE8\licmgr10.dll
+ 2011-01-14 08:04 . 2010-06-24 12:21 25600 c:\windows\ie8updates\KB2416400-IE8\jsproxy.dll
- 2010-08-12 17:38 . 2010-08-12 17:38 77824 c:\windows\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
+ 2011-01-14 08:02 . 2011-01-14 08:02 77824 c:\windows\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
+ 2011-01-14 08:02 . 2011-01-14 08:02 81920 c:\windows\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
- 2010-08-12 17:38 . 2010-08-12 17:38 81920 c:\windows\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
- 2010-08-12 17:38 . 2010-08-12 17:38 81920 c:\windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
+ 2011-01-14 08:02 . 2011-01-14 08:02 81920 c:\windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
- 2010-08-12 17:38 . 2010-08-12 17:38 32768 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
+ 2011-01-14 08:02 . 2011-01-14 08:02 32768 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
- 2010-08-12 17:38 . 2010-08-12 17:38 12800 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
+ 2011-01-14 08:02 . 2011-01-14 08:02 12800 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
+ 2011-01-14 08:02 . 2011-01-14 08:02 28672 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
- 2010-08-12 17:38 . 2010-08-12 17:38 28672 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
+ 2011-01-14 08:02 . 2011-01-14 08:02 77824 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
- 2010-08-12 17:38 . 2010-08-12 17:38 77824 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
+ 2011-01-14 08:02 . 2011-01-14 08:02 36864 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
- 2010-08-12 17:38 . 2010-08-12 17:38 36864 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
- 2010-08-12 17:38 . 2010-08-12 17:38 77824 c:\windows\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
+ 2011-01-14 08:02 . 2011-01-14 08:02 77824 c:\windows\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
- 2010-08-12 17:38 . 2010-08-12 17:38 13312 c:\windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
+ 2011-01-14 08:02 . 2011-01-14 08:02 13312 c:\windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
+ 2011-01-14 08:02 . 2011-01-14 08:02 10752 c:\windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
- 2010-08-12 17:38 . 2010-08-12 17:38 10752 c:\windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
- 2010-08-12 17:38 . 2010-08-12 17:38 72192 c:\windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
+ 2011-01-14 08:02 . 2011-01-14 08:02 72192 c:\windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
- 2010-08-12 17:38 . 2010-08-12 17:38 69120 c:\windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
+ 2011-01-14 08:02 . 2011-01-14 08:02 69120 c:\windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
- 2010-08-12 17:38 . 2010-08-12 17:38 8192 c:\windows\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e\IEExecRemote.dll
+ 2011-01-14 08:02 . 2011-01-14 08:02 8192 c:\windows\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e\IEExecRemote.dll
- 2009-04-15 18:20 . 2010-07-22 05:57 5120 c:\windows\system32\xpsp4res.dll
+ 2009-04-15 18:20 . 2010-08-13 12:53 5120 c:\windows\system32\xpsp4res.dll
+ 2011-01-14 08:02 . 2011-01-14 08:02 7168 c:\windows\assembly\GAC_MSIL\Microsoft_VsaVb\8.0.0.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll
- 2010-08-12 17:38 . 2010-08-12 17:38 7168 c:\windows\assembly\GAC_MSIL\Microsoft_VsaVb\8.0.0.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll
- 2010-08-12 17:38 . 2010-08-12 17:38 5632 c:\windows\assembly\GAC_MSIL\Microsoft.VisualC\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll
+ 2011-01-14 08:02 . 2011-01-14 08:02 5632 c:\windows\assembly\GAC_MSIL\Microsoft.VisualC\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll
- 2010-08-12 17:38 . 2010-08-12 17:38 6656 c:\windows\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll
+ 2011-01-14 08:02 . 2011-01-14 08:02 6656 c:\windows\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll
+ 2011-01-14 08:02 . 2011-01-14 08:02 8192 c:\windows\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\IEExecRemote.dll
- 2010-08-12 17:38 . 2010-08-12 17:38 8192 c:\windows\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\IEExecRemote.dll
+ 2011-01-14 08:02 . 2011-01-14 08:02 113664 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.Wrapper.dll
- 2010-08-12 17:38 . 2010-08-12 17:38 113664 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.Wrapper.dll
+ 2011-01-14 08:02 . 2011-01-14 08:02 258048 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll
- 2010-08-12 17:38 . 2010-08-12 17:38 258048 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll
+ 2004-08-04 12:00 . 2010-08-27 08:02 119808 c:\windows\system32\t2embed.dll
- 2004-08-04 12:00 . 2009-10-15 16:28 119808 c:\windows\system32\t2embed.dll
- 2004-08-04 12:00 . 2010-07-22 15:49 590848 c:\windows\system32\rpcrt4.dll
+ 2004-08-04 12:00 . 2010-08-16 08:45 590848 c:\windows\system32\rpcrt4.dll
+ 2003-07-16 20:41 . 2011-01-14 08:02 454012 c:\windows\system32\perfh009.dat
- 2003-07-16 20:41 . 2011-01-04 21:26 454012 c:\windows\system32\perfh009.dat
+ 2004-08-04 12:00 . 2010-11-06 00:26 206848 c:\windows\system32\occache.dll
- 2004-08-04 12:00 . 2010-06-24 12:22 206848 c:\windows\system32\occache.dll
+ 2004-08-04 12:00 . 2010-11-06 00:26 611840 c:\windows\system32\mstime.dll
- 2004-08-04 12:00 . 2010-06-24 12:22 611840 c:\windows\system32\mstime.dll
+ 2006-11-08 02:03 . 2010-11-06 00:26 602112 c:\windows\system32\msfeeds.dll
+ 2009-05-12 07:00 . 2009-03-11 03:18 453512 c:\windows\system32\KB905474\wgasetup.exe
- 2009-05-12 07:00 . 2009-03-11 02:18 453512 c:\windows\system32\KB905474\wgasetup.exe
+ 2004-08-04 12:00 . 2010-11-06 00:26 184320 c:\windows\system32\iepeers.dll
- 2004-08-04 12:00 . 2010-06-24 12:21 184320 c:\windows\system32\iepeers.dll
- 2004-08-04 12:00 . 2010-06-24 12:21 387584 c:\windows\system32\iedkcs32.dll
+ 2004-08-04 12:00 . 2010-11-06 00:26 387584 c:\windows\system32\iedkcs32.dll
+ 2004-08-04 12:00 . 2010-11-03 12:26 173568 c:\windows\system32\ie4uinit.exe
- 2004-11-30 23:54 . 2010-10-20 11:19 552768 c:\windows\system32\FNTCACHE.DAT
+ 2004-11-30 23:54 . 2011-01-14 08:22 552768 c:\windows\system32\FNTCACHE.DAT
+ 2009-04-15 18:20 . 2010-07-12 12:55 218112 c:\windows\system32\dllcache\wordpad.exe
+ 2004-08-04 12:00 . 2010-11-06 00:26 916480 c:\windows\system32\dllcache\wininet.dll
- 2004-08-04 12:00 . 2010-06-24 12:22 916480 c:\windows\system32\dllcache\wininet.dll
- 2009-06-16 14:36 . 2009-10-15 16:28 119808 c:\windows\system32\dllcache\t2embed.dll
+ 2009-06-16 14:36 . 2010-08-27 08:02 119808 c:\windows\system32\dllcache\t2embed.dll
- 2009-04-15 14:51 . 2010-07-22 15:49 590848 c:\windows\system32\dllcache\rpcrt4.dll
+ 2009-04-15 14:51 . 2010-08-16 08:45 590848 c:\windows\system32\dllcache\rpcrt4.dll
+ 2010-11-09 14:52 . 2010-11-09 14:52 249856 c:\windows\system32\dllcache\odbc32.dll
- 2004-08-04 12:00 . 2010-06-24 12:22 206848 c:\windows\system32\dllcache\occache.dll
+ 2004-08-04 12:00 . 2010-11-06 00:26 206848 c:\windows\system32\dllcache\occache.dll
- 2004-08-04 12:00 . 2010-06-24 12:22 611840 c:\windows\system32\dllcache\mstime.dll
+ 2004-08-04 12:00 . 2010-11-06 00:26 611840 c:\windows\system32\dllcache\mstime.dll
+ 2010-11-09 14:52 . 2010-11-09 14:52 102400 c:\windows\system32\dllcache\msjro.dll
+ 2007-05-09 09:17 . 2010-11-06 00:26 602112 c:\windows\system32\dllcache\msfeeds.dll
+ 2010-11-09 14:52 . 2010-11-09 14:52 200704 c:\windows\system32\dllcache\msadox.dll
+ 2010-11-09 14:52 . 2010-11-09 14:52 180224 c:\windows\system32\dllcache\msadomd.dll
+ 2010-11-09 14:52 . 2010-11-09 14:52 536576 c:\windows\system32\dllcache\msado15.dll
+ 2010-11-09 14:52 . 2010-11-09 14:52 143360 c:\windows\system32\dllcache\msadco.dll
+ 2010-03-19 13:20 . 2010-11-06 00:26 247808 c:\windows\system32\dllcache\ieproxy.dll
- 2010-03-19 13:20 . 2010-06-24 12:21 247808 c:\windows\system32\dllcache\ieproxy.dll
- 2004-08-04 12:00 . 2010-06-24 12:21 184320 c:\windows\system32\dllcache\iepeers.dll
+ 2004-08-04 12:00 . 2010-11-06 00:26 184320 c:\windows\system32\dllcache\iepeers.dll
- 2010-06-10 05:11 . 2010-06-24 12:21 743424 c:\windows\system32\dllcache\iedvtool.dll
+ 2010-06-10 05:11 . 2010-11-06 00:26 743424 c:\windows\system32\dllcache\iedvtool.dll
- 2004-08-04 12:00 . 2010-06-24 12:21 387584 c:\windows\system32\dllcache\iedkcs32.dll
+ 2004-08-04 12:00 . 2010-11-06 00:26 387584 c:\windows\system32\dllcache\iedkcs32.dll
+ 2004-08-04 12:00 . 2010-11-03 12:26 173568 c:\windows\system32\dllcache\ie4uinit.exe
+ 2010-04-20 05:30 . 2010-10-28 13:13 290048 c:\windows\system32\dllcache\atmfd.dll
+ 2010-03-19 13:34 . 2011-01-14 08:04 262144 c:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2010-03-19 13:34 . 2011-01-12 14:06 262144 c:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2010-03-23 09:31 . 2010-03-23 09:31 435024 c:\windows\Microsoft.NET\Framework\v2.0.50727\webengine.dll
+ 2010-09-22 14:43 . 2010-09-22 14:43 435024 c:\windows\Microsoft.NET\Framework\v2.0.50727\webengine.dll
+ 2010-09-24 02:02 . 2010-09-24 02:02 798208 c:\windows\Installer\236093f.msp
+ 2011-01-14 08:04 . 2010-06-24 12:22 916480 c:\windows\ie8updates\KB2416400-IE8\wininet.dll
+ 2011-01-14 08:04 . 2010-07-05 13:16 382840 c:\windows\ie8updates\KB2416400-IE8\spuninst\updspapi.dll
+ 2011-01-14 08:04 . 2010-02-22 14:23 231288 c:\windows\ie8updates\KB2416400-IE8\spuninst\spuninst.exe
+ 2011-01-14 08:04 . 2010-06-24 12:22 206848 c:\windows\ie8updates\KB2416400-IE8\occache.dll
+ 2011-01-14 08:04 . 2010-06-24 12:22 611840 c:\windows\ie8updates\KB2416400-IE8\mstime.dll
+ 2011-01-14 08:04 . 2010-06-24 12:21 599040 c:\windows\ie8updates\KB2416400-IE8\msfeeds.dll
+ 2011-01-14 08:04 . 2010-06-24 12:21 247808 c:\windows\ie8updates\KB2416400-IE8\ieproxy.dll
+ 2011-01-14 08:04 . 2010-06-24 12:21 184320 c:\windows\ie8updates\KB2416400-IE8\iepeers.dll
+ 2011-01-14 08:04 . 2010-06-24 12:21 743424 c:\windows\ie8updates\KB2416400-IE8\iedvtool.dll
+ 2011-01-14 08:04 . 2010-06-24 12:21 387584 c:\windows\ie8updates\KB2416400-IE8\iedkcs32.dll
+ 2011-01-14 08:04 . 2010-06-23 12:08 173056 c:\windows\ie8updates\KB2416400-IE8\ie4uinit.exe
+ 2011-01-14 08:03 . 2011-01-14 08:03 771584 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\a140e8da81b3af34c864ad851fe150fd\System.Runtime.Remoting.ni.dll
+ 2011-01-14 08:05 . 2011-01-14 08:05 842240 c:\windows\assembly\NativeImages_v2.0.50727_32\AspNetMMCExt\af4a3ae6d5c1cafa57002beb487b8d7a\AspNetMMCExt.ni.dll
+ 2011-01-14 08:02 . 2011-01-14 08:02 839680 c:\windows\assembly\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\System.Web.Services.dll
- 2010-08-12 17:38 . 2010-08-12 17:38 839680 c:\windows\assembly\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\System.Web.Services.dll
+ 2011-01-14 08:02 . 2011-01-14 08:02 835584 c:\windows\assembly\GAC_MSIL\System.Web.Mobile\2.0.0.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
- 2010-08-12 17:38 . 2010-08-12 17:38 835584 c:\windows\assembly\GAC_MSIL\System.Web.Mobile\2.0.0.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
- 2010-08-12 17:38 . 2010-08-12 17:38 114688 c:\windows\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
+ 2011-01-14 08:02 . 2011-01-14 08:02 114688 c:\windows\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
+ 2011-01-14 08:02 . 2011-01-14 08:02 258048 c:\windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll
- 2010-08-12 17:38 . 2010-08-12 17:38 258048 c:\windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll
- 2010-08-12 17:38 . 2010-08-12 17:38 131072 c:\windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
+ 2011-01-14 08:02 . 2011-01-14 08:02 131072 c:\windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
+ 2011-01-14 08:02 . 2011-01-14 08:02 303104 c:\windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
- 2010-08-12 17:38 . 2010-08-12 17:38 303104 c:\windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
- 2010-08-12 17:38 . 2010-08-12 17:38 258048 c:\windows\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll
+ 2011-01-14 08:02 . 2011-01-14 08:02 258048 c:\windows\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll
- 2010-08-12 17:38 . 2010-08-12 17:38 372736 c:\windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
+ 2011-01-14 08:02 . 2011-01-14 08:02 372736 c:\windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
- 2010-08-12 17:38 . 2010-08-12 17:38 626688 c:\windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
+ 2011-01-14 08:02 . 2011-01-14 08:02 626688 c:\windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
- 2010-08-12 17:38 . 2010-08-12 17:38 401408 c:\windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
+ 2011-01-14 08:02 . 2011-01-14 08:02 401408 c:\windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
- 2010-08-12 17:38 . 2010-08-12 17:38 188416 c:\windows\assembly\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll
+ 2011-01-14 08:02 . 2011-01-14 08:02 188416 c:\windows\assembly\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll
- 2010-08-12 17:38 . 2010-08-12 17:38 970752 c:\windows\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
+ 2011-01-14 08:02 . 2011-01-14 08:02 970752 c:\windows\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
+ 2011-01-14 08:02 . 2011-01-14 08:02 745472 c:\windows\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
- 2010-08-12 17:38 . 2010-08-12 17:38 745472 c:\windows\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
- 2010-08-12 17:38 . 2010-08-12 17:38 425984 c:\windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll
+ 2011-01-14 08:02 . 2011-01-14 08:02 425984 c:\windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll
- 2010-08-12 17:38 . 2010-08-12 17:38 110592 c:\windows\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll
+ 2011-01-14 08:02 . 2011-01-14 08:02 110592 c:\windows\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll
- 2010-08-12 17:38 . 2010-08-12 17:38 659456 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
+ 2011-01-14 08:02 . 2011-01-14 08:02 659456 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
- 2010-08-12 17:38 . 2010-08-12 17:38 372736 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll
+ 2011-01-14 08:02 . 2011-01-14 08:02 372736 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll
- 2010-08-12 17:38 . 2010-08-12 17:38 110592 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll
+ 2011-01-14 08:02 . 2011-01-14 08:02 110592 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll
- 2010-08-12 17:38 . 2010-08-12 17:38 749568 c:\windows\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
+ 2011-01-14 08:02 . 2011-01-14 08:02 749568 c:\windows\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
+ 2011-01-14 08:02 . 2011-01-14 08:02 655360 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll
- 2010-08-12 17:38 . 2010-08-12 17:38 655360 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll
- 2010-08-12 17:38 . 2010-08-12 17:38 348160 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll
+ 2011-01-14 08:02 . 2011-01-14 08:02 348160 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll
+ 2011-01-14 08:02 . 2011-01-14 08:02 507904 c:\windows\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll
- 2010-08-12 17:38 . 2010-08-12 17:38 507904 c:\windows\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll
- 2010-08-12 17:38 . 2010-08-12 17:38 261632 c:\windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
+ 2011-01-14 08:02 . 2011-01-14 08:02 261632 c:\windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
- 2010-08-12 17:38 . 2010-08-12 17:38 113664 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll
+ 2011-01-14 08:02 . 2011-01-14 08:02 113664 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll
- 2010-08-12 17:38 . 2010-08-12 17:38 258048 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
+ 2011-01-14 08:02 . 2011-01-14 08:02 258048 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
+ 2011-01-14 08:02 . 2011-01-14 08:02 486400 c:\windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll
- 2010-08-12 17:38 . 2010-08-12 17:38 486400 c:\windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll
+ 2004-08-04 12:00 . 2010-11-06 00:26 1210880 c:\windows\system32\urlmon.dll
+ 2004-08-04 12:00 . 2010-07-16 12:05 1288192 c:\windows\system32\ole32.dll
+ 2004-08-04 12:00 . 2010-11-06 00:26 5959168 c:\windows\system32\mshtml.dll
+ 2009-05-12 07:00 . 2009-03-11 03:26 1403264 c:\windows\system32\KB905474\wganotifypackageinner.exe
- 2009-05-12 07:00 . 2009-03-11 02:26 1403264 c:\windows\system32\KB905474\wganotifypackageinner.exe
+ 2006-10-17 16:57 . 2010-11-06 00:26 1991680 c:\windows\system32\iertutil.dll
+ 2008-10-16 03:53 . 2010-10-26 13:25 1853312 c:\windows\system32\dllcache\win32k.sys
+ 2004-08-04 12:00 . 2010-11-06 00:26 1210880 c:\windows\system32\dllcache\urlmon.dll
+ 2010-07-16 12:05 . 2010-07-16 12:05 1288192 c:\windows\system32\dllcache\ole32.dll
+ 2004-08-04 12:00 . 2010-11-06 00:26 5959168 c:\windows\system32\dllcache\mshtml.dll
+ 2007-05-09 09:17 . 2010-11-06 00:26 1991680 c:\windows\system32\dllcache\iertutil.dll
- 2010-03-23 09:32 . 2010-03-23 09:32 5242880 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Web.dll
+ 2010-09-22 14:44 . 2010-09-22 14:44 5242880 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Web.dll
+ 2010-08-13 22:59 . 2010-08-13 22:59 8182272 c:\windows\Installer\236094f.msp
+ 2010-08-13 23:02 . 2010-08-13 23:02 2545664 c:\windows\Installer\2360947.msp
+ 2010-09-23 12:39 . 2010-09-23 12:39 4265472 c:\windows\Installer\236092e.msp
+ 2011-01-14 08:04 . 2010-06-24 12:22 1210368 c:\windows\ie8updates\KB2416400-IE8\urlmon.dll
+ 2011-01-14 08:04 . 2010-06-24 12:22 5951488 c:\windows\ie8updates\KB2416400-IE8\mshtml.dll
+ 2011-01-14 08:04 . 2010-06-24 12:21 1986560 c:\windows\ie8updates\KB2416400-IE8\iertutil.dll
+ 2011-01-14 08:03 . 2011-01-14 08:03 1840640 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Services\181254ba0cb690decedb950fd26d7bea\System.Web.Services.ni.dll
+ 2011-01-14 08:02 . 2011-01-14 08:02 3182592 c:\windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
- 2010-08-12 17:38 . 2010-08-12 17:38 3182592 c:\windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
- 2010-08-12 17:38 . 2010-08-12 17:38 2048000 c:\windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
+ 2011-01-14 08:02 . 2011-01-14 08:02 2048000 c:\windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
- 2010-08-12 17:38 . 2010-08-12 17:38 5025792 c:\windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
+ 2011-01-14 08:02 . 2011-01-14 08:02 5025792 c:\windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
- 2009-08-21 07:17 . 2009-08-21 07:17 1277952 c:\windows\assembly\GAC_MSIL\System.Web.Extensions\3.5.0.0__31bf3856ad364e35\System.Web.Extensions.dll
+ 2011-01-14 08:04 . 2011-01-14 08:04 1277952 c:\windows\assembly\GAC_MSIL\System.Web.Extensions\3.5.0.0__31bf3856ad364e35\System.Web.Extensions.dll
+ 2011-01-14 08:02 . 2011-01-14 08:02 5062656 c:\windows\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll
- 2010-08-12 17:38 . 2010-08-12 17:38 5062656 c:\windows\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll
+ 2011-01-14 08:02 . 2011-01-14 08:02 5242880 c:\windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
- 2010-08-12 17:38 . 2010-08-12 17:38 5242880 c:\windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
- 2010-08-12 17:38 . 2010-08-12 17:38 2933248 c:\windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
+ 2011-01-14 08:02 . 2011-01-14 08:02 2933248 c:\windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
+ 2011-01-14 08:02 . 2011-01-14 08:02 4550656 c:\windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
- 2010-08-12 17:38 . 2010-08-12 17:38 4550656 c:\windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
+ 2004-08-04 12:00 . 2010-08-26 04:36 10841088 c:\windows\system32\wmp.dll
- 2004-08-04 12:00 . 2009-07-14 03:43 10841088 c:\windows\system32\wmp.dll
+ 2006-11-08 02:03 . 2010-11-06 00:26 11080704 c:\windows\system32\ieframe.dll
+ 2004-08-04 12:00 . 2010-08-26 04:36 10841088 c:\windows\system32\dllcache\wmp.dll
- 2004-08-04 12:00 . 2009-07-14 03:43 10841088 c:\windows\system32\dllcache\wmp.dll
+ 2007-05-09 09:17 . 2010-11-06 00:26 11080704 c:\windows\system32\dllcache\ieframe.dll
+ 2011-01-14 08:02 . 2011-01-14 08:02 20303872 c:\windows\Installer\2360939.msp
+ 2011-01-14 08:04 . 2010-06-24 21:51 11077120 c:\windows\ie8updates\KB2416400-IE8\ieframe.dll
+ 2011-01-14 08:03 . 2011-01-14 08:03 11800576 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web\41f436dae3c8146752d06130f7331527\System.Web.ni.dll
+ 2011-01-14 08:03 . 2011-01-14 08:03 10683392 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Design\fdc42078fd10e4dc8b05087900c63977\System.Design.ni.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-01-11 2424560]
"Google Update"="c:\documents and settings\Administrator.MCC\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-10-20 136176]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
"Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\ssmmgr.exe" [2006-08-16 503808]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-08-09 221184]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil9f.exe" [2008-03-25 218496]

c:\documents and settings\jamie\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Administrator.MCC\Application Data\Dropbox\bin\Dropbox.exe [N/A]

c:\documents and settings\jboggess\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Minolta\\PageScope Cabinet\\Bin\\MPSCFTPS.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowRedirect"= 0 (0x0)

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/4/2004 7:00 AM 14336]
S4 QuickBooksDB17;QuickBooksDB17;c:\progra~1\Intuit\QUICKB~3\QBDBMgrN.exe -hvQuickBooksDB17 --> c:\progra~1\Intuit\QUICKB~3\QBDBMgrN.exe -hvQuickBooksDB17 [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2011-01-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]

2010-09-25 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\system32\cleanmgr.exe [2004-08-04 09:42]

2011-01-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-763659546-3860924458-1812877018-500Core.job
- c:\documents and settings\Administrator.MCC\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-20 20:21]

2011-01-14 c:\windows\Tasks\Outlook.job
- c:\documents and settings\All Users\Start Menu\Programs\Microsoft Office\Microsoft Office Outlook 2003.lnk [2005-07-25 11:25]

2011-01-14 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-05-12 03:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
Trusted Zone: fastestdeploy.com
TCP: {385CE9BA-9804-42B2-A2AA-7366CF893524} = 192.168.1.254
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {BBF0D44D-14E6-4DB3-8211-AEF1ABA7EE84} - hxxp://esupport.cabinetvision.com/ATLWebKeyButton.CAB
FF - ProfilePath - c:\documents and settings\Administrator.MCC\Application Data\Mozilla\Firefox\Profiles\so55ahpw.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
HKLM-Run-uPc+KQNXKIXniQaGuo - c:\docume~1\BREAKT~1\LOCALS~1\Temp\yo3p2ya4.dll
HKLM-Run-GMorphCl - c:\windows\system32\task.exe
HKLM-Run-MKasc - c:\windows\drweb.exe
HKLM-Run-MKfre - c:\windows\wininst.exe
HKLM-Run-MKbtc - c:\windows\hexdump.exe
HKLM-Run-MKfa - c:\windows\win.exe
HKLM_ActiveSetup-{B0B9B83C-BBFC-49F5-93F4-BC388B073320} - c:\documents and settings\jboggess\Application Data\Bitrix Security\hwwkat9.dll

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-14 17:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ec,a1,dd,33,d5,9e,a6,4b,b9,68,53,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ec,a1,dd,33,d5,9e,a6,4b,b9,68,53,\

[HKEY_USERS\S-1-5-21-763659546-3860924458-1812877018-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2a,32,10,00,27,a7,22,4b,a6,ee,e1,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2a,32,10,00,27,a7,22,4b,a6,ee,e1,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(692)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(748)
c:\program files\Bonjour\mdnsNSP.dll

- - - - - - - > 'explorer.exe'(2420)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\ArcSoft\Software Suite\PhotoImpression 5\share\pihook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
c:\program files\Intel\Intel Application Accelerator\iaantmon.exe
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Analog Devices\SoundMAX\spkrmon.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2011-01-14 17:10:27 - machine was rebooted
ComboFix-quarantined-files.txt 2011-01-14 22:10

Pre-Run: 121,054,318,592 bytes free
Post-Run: 120,907,087,872 bytes free

- - End Of File - - 5D2C1D4F7CD55E02DBF3602B189AE4D7

Broni · Jan 14, 2011

It looks much, much better

How is computer doing?

1. Please open Notepad

Click Start , then Run
Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:

Folder::
c:\documents and settings\NetworkService\Application Data\WhiteSmokeSetup

3. Save the above as CFScript.txt

4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

Combofix.txt

pkbrooks · Jan 14, 2011

update

computer is much calmer. Only one .dll popup but that was a while ago now when combofix rebooted the computer. Only the quite hum of the fan instead of the barking of the harddrive.

WIll run the next combofix and post and then I have to go for the weekend. Will be back on monday to continue the process. Thanks for all the help.

pkbrooks

Broni · Jan 14, 2011

You're very welcome

pkbrooks · Jan 14, 2011

o.k. here is the latest combofix log. Is it worth me staying longer for a conclusion or do we still quite a bit more to do?

pkbrooks

ComboFix 11-01-14.01 - Administrator 01/14/2011 17:37:52.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.639 [GMT -5:00]
Running from: c:\documents and settings\Administrator.MCC\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator.MCC\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\NetworkService\Application Data\WhiteSmokeSetup
c:\documents and settings\NetworkService\Application Data\WhiteSmokeSetup\0x0409.ini
c:\documents and settings\NetworkService\Application Data\WhiteSmokeSetup\config.txt
c:\documents and settings\NetworkService\Application Data\WhiteSmokeSetup\data1.cab
c:\documents and settings\NetworkService\Application Data\WhiteSmokeSetup\data1.hdr
c:\documents and settings\NetworkService\Application Data\WhiteSmokeSetup\data2.cab
c:\documents and settings\NetworkService\Application Data\WhiteSmokeSetup\ISSetup.dll
c:\documents and settings\NetworkService\Application Data\WhiteSmokeSetup\layout.bin
c:\documents and settings\NetworkService\Application Data\WhiteSmokeSetup\setup.exe
c:\documents and settings\NetworkService\Application Data\WhiteSmokeSetup\setup.ini
c:\documents and settings\NetworkService\Application Data\WhiteSmokeSetup\setup.inx
c:\documents and settings\NetworkService\Application Data\WhiteSmokeSetup\setup.iss
c:\documents and settings\NetworkService\Application Data\WhiteSmokeSetup\setup.log
c:\documents and settings\NetworkService\Application Data\WhiteSmokeSetup\setup.ocx

.
((((((((((((((((((((((((( Files Created from 2010-12-14 to 2011-01-14 )))))))))))))))))))))))))))))))
.

2011-01-13 19:41 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2011-01-13 19:39 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2011-01-07 14:45 . 2011-01-07 14:45 -------- d-----w- c:\documents and settings\Administrator.MCC\Application Data\Malwarebytes
2011-01-05 19:20 . 2008-04-14 05:09 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2011-01-05 19:20 . 2008-04-14 05:09 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2011-01-05 15:59 . 2011-01-05 15:59 -------- d-sh--w- c:\documents and settings\LocalService\IECompatCache
2011-01-05 15:58 . 2011-01-05 15:58 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2011-01-05 12:49 . 2011-01-05 12:49 -------- d-sh--w- c:\documents and settings\NetworkService\IECompatCache
2011-01-05 12:43 . 2011-01-13 21:40 -------- d-----w- c:\documents and settings\All Users\Application Data\boost_interprocess
2011-01-04 19:12 . 2011-01-04 19:12 -------- d-----w- c:\documents and settings\Break Time\Application Data\SUPERAntiSpyware.com
2010-12-29 17:49 . 2010-12-29 17:49 -------- d-----w- c:\windows\system32\%APPDATA%

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-18 18:12 . 2004-12-01 05:00 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-09 14:52 . 2004-08-04 12:00 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-06 00:26 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2004-08-04 12:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2004-08-04 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2004-08-04 12:00 1853312 ----a-w- c:\windows\system32\win32k.sys
2010-10-20 20:35 . 2010-10-20 20:35 388096 ----a-r- c:\documents and settings\Administrator.MCC\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-01-11 2424560]
"Google Update"="c:\documents and settings\Administrator.MCC\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-10-20 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
"Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\ssmmgr.exe" [2006-08-16 503808]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-08-09 221184]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil9f.exe" [2008-03-25 218496]

c:\documents and settings\jamie\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Administrator.MCC\Application Data\Dropbox\bin\Dropbox.exe [N/A]

c:\documents and settings\jboggess\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Minolta\\PageScope Cabinet\\Bin\\MPSCFTPS.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowRedirect"= 0 (0x0)

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/4/2004 7:00 AM 14336]
S4 QuickBooksDB17;QuickBooksDB17;c:\progra~1\Intuit\QUICKB~3\QBDBMgrN.exe -hvQuickBooksDB17 --> c:\progra~1\Intuit\QUICKB~3\QBDBMgrN.exe -hvQuickBooksDB17 [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2011-01-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]

2010-09-25 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\system32\cleanmgr.exe [2004-08-04 09:42]

2011-01-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-763659546-3860924458-1812877018-500Core.job
- c:\documents and settings\Administrator.MCC\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-20 20:21]

2011-01-14 c:\windows\Tasks\Outlook.job
- c:\documents and settings\All Users\Start Menu\Programs\Microsoft Office\Microsoft Office Outlook 2003.lnk [2005-07-25 11:25]

2011-01-14 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-05-12 03:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
Trusted Zone: fastestdeploy.com
TCP: {385CE9BA-9804-42B2-A2AA-7366CF893524} = 192.168.1.254
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {BBF0D44D-14E6-4DB3-8211-AEF1ABA7EE84} - hxxp://esupport.cabinetvision.com/ATLWebKeyButton.CAB
FF - ProfilePath - c:\documents and settings\Administrator.MCC\Application Data\Mozilla\Firefox\Profiles\so55ahpw.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-14 17:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ec,a1,dd,33,d5,9e,a6,4b,b9,68,53,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ec,a1,dd,33,d5,9e,a6,4b,b9,68,53,\

[HKEY_USERS\S-1-5-21-763659546-3860924458-1812877018-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2a,32,10,00,27,a7,22,4b,a6,ee,e1,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2a,32,10,00,27,a7,22,4b,a6,ee,e1,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(692)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(748)
c:\program files\Bonjour\mdnsNSP.dll
.
Completion time: 2011-01-14 17:43:46
ComboFix-quarantined-files.txt 2011-01-14 22:43
ComboFix2.txt 2011-01-14 22:10

Pre-Run: 120,911,089,664 bytes free
Post-Run: 120,891,129,856 bytes free

- - End Of File - - 7F5D75F5E909CA287142F35DC28FC8D7

Broni · Jan 14, 2011

By now, your computer should be in pretty good shape, but we still need to run couple more checks.
No rush. Whatever you can do. We can finish upon your return.

Download OTL to your Desktop.

Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
Click the Scan All Users checkbox.
Under the Custom Scan box paste this in:

netsvcs
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lnk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Desktop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
%systemroot%\AppPatch\Custom\*.*
%APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
%PROGRAMFILES%\PC-Doctor\Downloads\*.*
%PROGRAMFILES%\Internet Explorer\*.tmp
%PROGRAMFILES%\Internet Explorer\*.dat
%USERPROFILE%\My Documents\*.exe
%USERPROFILE%\*.exe
%systemroot%\ADDINS\*.*
%systemroot%\assembly\*.bak2
%systemroot%\Config\*.*
%systemroot%\REPAIR\*.bak2
%systemroot%\SECURITY\Database\*.sdb /x
%systemroot%\SYSTEM\*.bak2
%systemroot%\Web\*.bak2
%systemroot%\Driver Cache\*.*
%PROGRAMFILES%\Mozilla Firefox\0*.exe
%ProgramFiles%\Microsoft Common\*.*
%ProgramFiles%\TinyProxy.
%USERPROFILE%\Favorites\*.url /x
%systemroot%\system32\*.bk
%systemroot%\*.te
%systemroot%\system32\system32\*.*
%ALLUSERSPROFILE%\*.dat /x
%systemroot%\system32\drivers\*.rmv
dir /b "%systemroot%\system32\*.exe" | find /i " " /c
dir /b "%systemroot%\*.exe" | find /i " " /c
%PROGRAMFILES%\Microsoft\*.*
%systemroot%\System32\Wbem\proquota.exe
%PROGRAMFILES%\Mozilla Firefox\*.dat
%USERPROFILE%\Cookies\*.txt /x
%SystemRoot%\system32\fonts\*.*
%systemroot%\system32\winlog\*.*
%systemroot%\system32\Language\*.*
%systemroot%\system32\Settings\*.*
%systemroot%\system32\*.quo
%SYSTEMROOT%\AppPatch\*.exe
%SYSTEMROOT%\inf\*.exe
%SYSTEMROOT%\Installer\*.exe
%systemroot%\system32\config\*.bak2
%systemroot%\system32\Computers\*.*
%SystemRoot%\system32\Sound\*.*
%SystemRoot%\system32\SpecialImg\*.*
%SystemRoot%\system32\code\*.*
%SystemRoot%\system32\draft\*.*
%SystemRoot%\system32\MSSSys\*.*
%ProgramFiles%\Javascript\*.*
%systemroot%\pchealth\helpctr\System\*.exe /s
%systemroot%\Web\*.exe
%systemroot%\system32\msn\*.*
%systemroot%\system32\*.tro
%AppData%\Microsoft\Installer\msupdates\*.*
%ProgramFiles%\Messenger\*.*
%systemroot%\system32\systhem32\*.*
%systemroot%\system\*.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
/md5start
/md5stop

Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.

pkbrooks · Jan 14, 2011

thanks

Ok. I will be going then. Will run that next scan on Monday morning and probably post sometime around noon eastern, which is nine in California. Have a good weekend.

pkbrooks

Solved Have Redirect/Rootkit Virus. Need Help with Removal

Posts: 30 +0

Posts: 30 +0

Posts: 56,041 +516

Posts: 30 +0

Posts: 56,041 +516

Posts: 30 +0

Posts: 56,041 +516

Posts: 30 +0

Posts: 56,041 +516

Posts: 30 +0

Posts: 30 +0

Posts: 56,041 +516

Posts: 30 +0

Posts: 56,041 +516

Posts: 30 +0

Posts: 56,041 +516

Posts: 30 +0

Posts: 56,041 +516

Posts: 30 +0

Posts: 56,041 +516

Posts: 30 +0

Posts: 56,041 +516

Posts: 30 +0

Posts: 56,041 +516

Posts: 30 +0

Similar threads