WiredWX Christian Hobby Weather Tools

Need to get rid of rootkit.

Hello, I came here as a last resort, because I have done a good portion of the disinfection so far, but a rootkit remains and I cannot find it. I ran OTL and will post the log below. AswMBR.exe closes down after running for a short while, and I cannot reopen it afterwards because it says Windows does not have access to it. But I saw before it closed down that it had found Orajeon.rootkit or something like that, which other disinfection tools had not found so far. I also have a security check log that I will post below. Basically, as of right now the virus opens a new tab as I click on a link while web surfing, which says in the new tab "Congratulations, you have won something."

OTL log:

OTL logfile created on: 10/2/2011 12:23:12 AM - Run 3
OTL by OldTimer - Version 3.2.26.7 Folder = C:\Documents and Settings\Maxim\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.25 Gb Total Physical Memory | 2.74 Gb Available Physical Memory | 84.21% Memory free
5.09 Gb Paging File | 4.69 Gb Available in Paging File | 92.21% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 298.09 Gb Total Space | 118.71 Gb Free Space | 39.82% Space Free | Partition Type: NTFS
Drive D: | 1.13 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF
Drive E: | 245.23 Mb Total Space | 110.27 Mb Free Space | 44.97% Space Free | Partition Type: FAT
Drive F: | 1.29 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: MAXIM-9C1E76C15 | User Name: Maxim | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/10/02 00:22:28 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Maxim\Desktop\OTL.com
PRC - [2011/06/10 13:04:22 | 000,142,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Desktop Manager\dwm.exe
PRC - [2009/12/10 03:39:04 | 000,065,536 | ---- | M] (PostgreSQL Global Development Group) -- C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe
PRC - [2009/12/10 03:37:16 | 003,690,496 | ---- | M] (PostgreSQL Global Development Group) -- C:\Program Files\PostgreSQL\8.3\bin\postgres.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/11/13 19:51:24 | 002,510,848 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 2.3\program\soffice.bin
PRC - [2007/11/13 19:49:22 | 002,359,296 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
PRC - [2007/05/28 12:57:54 | 000,275,968 | ---- | M] (Rocket Division Software) -- C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
PRC - [2004/10/28 09:29:48 | 000,581,632 | ---- | M] (Logitech Inc.) -- C:\Program Files\Logitech\SetPoint\KEM.exe
PRC - [2004/10/21 13:28:40 | 000,029,696 | ---- | M] (Logitech Inc.) -- C:\Program Files\Logitech\SetPoint\KHALMNPR.exe


========== Modules (No Company Name) ==========

MOD - [2010/02/05 14:27:45 | 001,291,776 | ---- | M] () -- C:\WINDOWS\system32\quartz.dll
MOD - [2008/04/13 20:11:59 | 000,014,336 | ---- | M] () -- C:\WINDOWS\system32\msdmo.dll
MOD - [2008/04/13 20:11:51 | 000,059,904 | ---- | M] () -- C:\WINDOWS\system32\devenum.dll
MOD - [2007/08/08 19:15:02 | 000,828,416 | ---- | M] () -- C:\Program Files\OpenOffice.org 2.3\program\libxml2.dll
MOD - [2004/10/28 09:27:18 | 000,086,016 | ---- | M] () -- C:\Program Files\Logitech\SetPoint\lgscroll.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (NMIndexingService)
SRV - File not found [On_Demand | Stopped] -- -- (McComponentHostService)
SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - [2011/06/10 13:04:22 | 000,142,336 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\Desktop Manager\dwm.exe -- (USmsServ)
SRV - [2010/09/17 12:13:10 | 000,185,640 | ---- | M] () [On_Demand | Stopped] -- C:\Documents and Settings\Maxim\Application Data\Mikogo\B-Service.exe -- (B-Service)
SRV - [2009/12/10 03:39:04 | 000,065,536 | ---- | M] (PostgreSQL Global Development Group) [Auto | Running] -- C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe -- (pgsql-8.3)
SRV - [2009/08/09 18:35:32 | 000,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Stopped] -- C:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd)
SRV - [2007/05/28 12:57:54 | 000,275,968 | ---- | M] (Rocket Division Software) [Auto | Running] -- C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe -- (StarWindServiceAE)
SRV - [2002/12/17 17:26:22 | 007,520,337 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe -- (MSSQL$SONY_MEDIAMGR)
SRV - [2002/12/17 17:23:30 | 000,311,872 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE -- (SQLAgent$SONY_MEDIAMGR)


========== Driver Services (SafeList) ==========

DRV - [2011/07/06 19:52:42 | 000,041,272 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - [2010/04/28 07:44:02 | 000,054,760 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\fssfltr_tdi.sys -- (fssfltr)
DRV - [2009/08/21 16:24:10 | 000,057,248 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvhda32.sys -- (NVHDA)
DRV - [2009/08/17 09:38:37 | 000,722,416 | ---- | M] (Duplex Secure Ltd.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\sptd.sys -- (sptd)
DRV - [2009/06/05 13:23:27 | 000,102,664 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\tmcomm.sys -- (tmcomm)
DRV - [2009/02/24 18:42:14 | 000,116,736 | ---- | M] (MagicISO, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mcdbus.sys -- (mcdbus)
DRV - [2006/09/11 07:45:38 | 000,019,968 | R--- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)
DRV - [2006/09/11 07:45:36 | 000,057,856 | R--- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)
DRV - [2006/08/21 06:24:28 | 000,105,344 | R--- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\nvata.sys -- (nvata)
DRV - [2006/06/18 23:37:34 | 000,036,864 | ---- | M] (Advanced Micro Devices) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AmdK8.sys -- (AmdK8)
DRV - [2006/03/17 06:18:58 | 000,392,960 | R--- | M] (Sensaura) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (SenFiltService)
DRV - [2004/10/21 13:31:14 | 000,038,691 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LHidUsbK.sys -- (LHidUsbK)
DRV - [2004/10/21 13:31:06 | 000,054,851 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\L8042mou.Sys -- (L8042mou)
DRV - [2004/10/21 13:30:56 | 000,071,535 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LMouKE.Sys -- (LMouKE)
DRV - [2004/10/21 13:30:38 | 000,024,671 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LHidKE.Sys -- (LHidKe)
DRV - [2004/08/12 22:56:20 | 000,005,810 | R--- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ASACPI.sys -- (MTsensor)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = localhost

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Bing"
FF - prefs.js..browser.search.defaultthis.engineName: "Veoh Web Player Customized Web Search"
FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT2653012&SearchSource=3&q={searchTerms}"
FF - prefs.js..browser.search.param.yahoo-fr: "chrf-ytbm"
FF - prefs.js..browser.search.param.yahoo-fr-cjkt: "chrf-ytbm"
FF - prefs.js..browser.search.param.yahoo-type: "${8}"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.google.ca/"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {ABDE892B-13A8-4d1b-88E6-365A6E755758}:1.0
FF - prefs.js..extensions.enabledItems: firefox@tvunetworks.com:2
FF - prefs.js..extensions.enabledItems: 4
FF - prefs.js..extensions.enabledItems: 9
FF - prefs.js..extensions.enabledItems: 1
FF - prefs.js..extensions.enabledItems: {AB2CE124-6272-4b12-94A9-7303C7397BD1}:5.0.0.6906
FF - prefs.js..extensions.enabledItems: {73a6fe31-595d-460b-a920-fcc0f8843232}:2.1.0.2
FF - prefs.js..extensions.enabledItems: {cd90bf73-20f6-44ef-993d-bb920303bd2e}:3.3.3.2
FF - prefs.js..extensions.enabledItems: engine@conduit.com:3.3.3.2
FF - prefs.js..keyword.URL: "http://www.bing.com/search?FORM=IEFM1&q="
FF - prefs.js..network.proxy.type: 0


FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Web Player\npdivx32.dll (DivX,Inc.)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Player Plugin,version=1.0.0: C:\Program Files\DivX\DivX Player\npDivxPlayerPlugin.dll (DivX, Inc)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8117.0416: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@pack.google.com/Google Updater;version=14: C:\Program Files\Google\Google Updater\2.4.1908.5032\npCIDetect14.dll (Google)
FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll File not found
FF - HKLM\Software\MozillaPlugins\@veetle.com/vbp;version=0.9.17: C:\Program Files\Veetle\VLCBroadcast\npvbp.dll (Veetle Inc)
FF - HKLM\Software\MozillaPlugins\@veetle.com/veetleCorePlugin,version=0.9.17: C:\Program Files\Veetle\plugins\npVeetle.dll (Veetle Inc)
FF - HKLM\Software\MozillaPlugins\@veetle.com/veetlePlayerPlugin,version=0.9.17: C:\Program Files\Veetle\Player\npvlc.dll (Veetle Inc)
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=0.9.8a: C:\Program Files\VideoLAN\VLC\npvlc.dll (the VideoLAN Team)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=8: C:\Documents and Settings\Maxim\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@unity3d.com/UnityPlayer,version=1.0: C:\Documents and Settings\Maxim\Local Settings\Application Data\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 6.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/08/16 23:56:54 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 6.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/07/01 14:18:21 | 000,000,000 | ---D | M]

[2008/08/26 16:23:40 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Maxim\Application Data\Mozilla\Extensions
[2011/09/30 12:44:30 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Maxim\Application Data\Mozilla\Firefox\Profiles\pu9jai39.default\extensions
[2010/05/14 17:23:56 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Maxim\Application Data\Mozilla\Firefox\Profiles\pu9jai39.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2011/06/10 12:47:07 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Documents and Settings\Maxim\Application Data\Mozilla\Firefox\Profiles\pu9jai39.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2011/08/16 23:56:57 | 000,000,000 | ---D | M] (Veoh Web Player Community Toolbar) -- C:\Documents and Settings\Maxim\Application Data\Mozilla\Firefox\Profiles\pu9jai39.default\extensions\{cd90bf73-20f6-44ef-993d-bb920303bd2e}
[2011/04/25 12:38:59 | 000,000,000 | ---D | M] (Conduit Engine) -- C:\Documents and Settings\Maxim\Application Data\Mozilla\Firefox\Profiles\pu9jai39.default\extensions\engine@conduit.com
[2010/01/03 00:17:37 | 000,000,000 | ---D | M] (TVU Web Player) -- C:\Documents and Settings\Maxim\Application Data\Mozilla\Firefox\Profiles\pu9jai39.default\extensions\firefox@tvunetworks.com
[2010/05/09 21:48:45 | 000,001,490 | ---- | M] () -- C:\Documents and Settings\Maxim\Application Data\Mozilla\Firefox\Profiles\pu9jai39.default\searchplugins\AOL Search.xml
[2010/07/25 02:57:04 | 000,001,819 | ---- | M] () -- C:\Documents and Settings\Maxim\Application Data\Mozilla\Firefox\Profiles\pu9jai39.default\searchplugins\bing.xml
[2010/06/29 18:22:34 | 000,000,933 | ---- | M] () -- C:\Documents and Settings\Maxim\Application Data\Mozilla\Firefox\Profiles\pu9jai39.default\searchplugins\conduit.xml
[2011/05/14 01:49:54 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2007/06/22 16:38:17 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Program Files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2011/06/10 13:23:12 | 000,000,000 | ---D | M] (Skype extension) -- C:\Program Files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
[2007/12/13 21:50:58 | 000,000,000 | ---D | M] (AdVantage) -- C:\Program Files\Mozilla Firefox\extensions\{A89AED22-9133-424c-88E7-C8235C5FF302}
() (No name found) -- C:\DOCUMENTS AND SETTINGS\MAXIM\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\PU9JAI39.DEFAULT\EXTENSIONS\{73A6FE31-595D-460B-A920-FCC0F8843232}.XPI
() (No name found) -- C:\DOCUMENTS AND SETTINGS\MAXIM\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\PU9JAI39.DEFAULT\EXTENSIONS\{D10D0BF8-F5B5-C8B4-A8B2-2B9879E08C5D}.XPI
[2009/04/29 15:51:34 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2011/08/16 23:56:54 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2008/11/11 02:54:07 | 000,221,184 | ---- | M] (CNN) -- C:\Program Files\mozilla firefox\plugins\NPTURNMED.dll
[2010/05/09 21:48:45 | 000,001,490 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\AOL Search.xml
[2011/05/07 21:44:41 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml

O1 HOSTS File: ([2011/10/01 14:18:08 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll (Google Inc.)
O4 - HKLM..\Run: [Adobe ARM] File not found
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] File not found
O4 - HKLM..\Run: [Google Updater] File not found
O4 - HKLM..\Run: [iTunesHelper] File not found
O4 - HKLM..\Run: [Logitech Hardware Abstraction Layer] C:\WINDOWS\KHALMNPR.Exe (Logitech Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [OfficeKB] File not found
O4 - HKLM..\Run: [QuickTime Task] File not found
O4 - HKLM..\Run: [SoundMAXPnP] File not found
O4 - HKCU..\Run: [AlcoholAutomount] File not found
O4 - HKCU..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] File not found
O4 - HKCU..\Run: [LDM] File not found
O4 - HKCU..\Run: [swg] File not found
O4 - HKCU..\Run: [UU9W7W0EWIWEVHXDLTEVZ] File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe (Logitech)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe (Logitech Inc.)
O4 - Startup: C:\Documents and Settings\Maxim\Start Menu\Programs\Startup\OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe (PokerStars)
O9 - Extra Button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra Button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - File not found
O9 - Extra 'Tools' menuitem : PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - File not found
O15 - HKCU\..Trusted Domains: clonewarsadventures.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: freerealms.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: soe.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: sony.com ([]* in Trusted sites)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab (MSN Photo Upload Tool)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: Garmin Communicator Plug-In https://static.garmincdn.com/gcp/ie/2.9.3.0/GarminAxControl.CAB (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Maxim\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Maxim\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/06/21 00:56:20 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2008/04/30 06:03:45 | 000,000,045 | R--- | M] () - F:\AUTORUN.INF -- [ CDFS ]
O32 - AutoRun File - [2008/06/25 02:50:03 | 000,152,848 | R--- | M] (KOEI Co., Ltd.) - F:\AutoRun.exe -- [ CDFS ]
O32 - AutoRun File - [2008/07/01 06:35:52 | 000,914,704 | R--- | M] (KOEI Co., Ltd.) - F:\AutoRunInstall.exe -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: AppMgmt - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found


SafeBootMin: AppMgmt - File not found
SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vds - Service
SafeBootMin: vga.sys - Driver
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

SafeBootNet: AppMgmt - File not found
SafeBootNet: Base - Driver Group
SafeBootNet: Boot Bus Extender - Driver Group
SafeBootNet: Boot file system - Driver Group
SafeBootNet: File system - Driver Group
SafeBootNet: Filter - Driver Group
SafeBootNet: NDIS Wrapper - Driver Group
SafeBootNet: NetBIOSGroup - Driver Group
SafeBootNet: NetDDEGroup - Driver Group
SafeBootNet: Network - Driver Group
SafeBootNet: NetworkProvider - Driver Group
SafeBootNet: PCI Configuration - Driver Group
SafeBootNet: PNP Filter - Driver Group
SafeBootNet: PNP_TDI - Driver Group
SafeBootNet: Primary disk - Driver Group
SafeBootNet: SCSI Class - Driver Group
SafeBootNet: sermouse.sys - Driver
SafeBootNet: Streams Drivers - Driver Group
SafeBootNet: System Bus Extender - Driver Group
SafeBootNet: TDI - Driver Group
SafeBootNet: vga.sys - Driver
SafeBootNet: {1a3e09be-1e45-494b-9174-d7385b45bbf5} -
SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net
SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient
SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService
SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans
SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2A3320D6-C805-4280-B423-B665BDE33D8F} - Microsoft .NET Framework 1.1 Security Update (KB979906)
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {2F6EFCE6-10DF-49F9-9E64-9AE3775B2588} - Microsoft .NET Framework 1.1 Security Update (KB2416447)
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {411EDCF7-755D-414E-A74B-3DCD6583F589} - Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.7
ActiveX: {5056b317-8d4c-43ee-8543-b9d1e234b8f4} - Security Update for Windows XP (KB923789)
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7131646D-CD3C-40F4-97B9-CD9E4E6262EF} - .NET Framework
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\WINDOWS\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - c:\WINDOWS\system32\Rundll32.exe c:\WINDOWS\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {B508B3F1-A24A-32C0-B310-85786919EF28} - .NET Framework
ActiveX: {C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F} - .NET Framework
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} - .NET Framework
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Adobe Flash Player
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: {EF289A85-8E57-408d-BE47-73B55609861A} - RootsUpdate
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\WINDOWS\system32\ieudinit.exe
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
ActiveX: Microsoft Base Smart Card Crypto Provider Package -

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.lhacm - C:\WINDOWS\System32\lhacm.acm (Microsoft Corporation)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.DIVX - C:\WINDOWS\System32\DivX.dll (DivX, Inc.)
Drivers32: VIDC.FPS1 - C:\WINDOWS\System32\frapsvid.dll (Beepa P/L)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: vidc.tscc - C:\WINDOWS\system32\tsccvid.dll (TechSmith Corporation)
Drivers32: vidc.yv12 - C:\WINDOWS\System32\DivX.dll (DivX, Inc.)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2011/10/01 13:36:29 | 004,191,448 | R--- | C] (Swearware) -- C:\Documents and Settings\Maxim\Desktop\Commy.exe
[2011/10/01 13:10:33 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/10/01 13:10:33 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/10/01 13:10:33 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/10/01 13:10:33 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/10/01 13:06:57 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Maxim\Start Menu\Programs\Administrative Tools
[2011/09/30 01:51:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2011/09/28 14:35:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Sun
[2011/09/28 13:10:02 | 002,322,184 | ---- | C] (ESET) -- C:\Documents and Settings\Maxim\Desktop\esetsmartinstaller_enu.exe
[8 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/10/02 00:22:28 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Maxim\Desktop\OTL.com
[2011/10/02 00:20:54 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/10/02 00:20:53 | 000,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2011/10/02 00:20:41 | 000,249,230 | ---- | M] () -- C:\WINDOWS\System32\NvApps.xml
[2011/10/02 00:20:33 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/10/02 00:08:38 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/10/01 15:51:51 | 000,000,402 | -H-- | M] () -- C:\WINDOWS\tasks\Norton Security Scan for Maxim.job
[2011/10/01 14:18:08 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/10/01 13:35:49 | 004,191,448 | R--- | M] (Swearware) -- C:\Documents and Settings\Maxim\Desktop\Commy.exe
[2011/09/28 14:38:26 | 000,001,200 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\04c43552oyhi36rm1b1my06173a47xha7xadku6ggt56
[2011/09/28 13:09:32 | 000,000,112 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\xLp3TL.dat
[2011/09/28 13:09:19 | 002,322,184 | ---- | M] (ESET) -- C:\Documents and Settings\Maxim\Desktop\esetsmartinstaller_enu.exe
[2011/09/28 06:20:40 | 000,000,844 | -HS- | M] () -- C:\Documents and Settings\Maxim\Local Settings\Application Data\tr6fsajl1433id65s1m04rqrtw5pt462o58343y618vh
[2011/09/28 06:20:40 | 000,000,844 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\tr6fsajl1433id65s1m04rqrtw5pt462o58343y618vh
[8 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/10/01 13:10:33 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/10/01 13:10:33 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/10/01 13:10:33 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/10/01 13:10:33 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/10/01 13:10:33 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/09/30 12:56:10 | 001,008,092 | ---- | C] () -- C:\Documents and Settings\Maxim\Desktop\rkill.scr
[2011/09/28 14:38:26 | 000,001,200 | -HS- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\04c43552oyhi36rm1b1my06173a47xha7xadku6ggt56
[2011/09/28 14:38:26 | 000,001,200 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\04c43552oyhi36rm1b1my06173a47xha7xadku6ggt56
[2011/09/28 06:20:40 | 000,000,844 | -HS- | C] () -- C:\Documents and Settings\Maxim\Local Settings\Application Data\tr6fsajl1433id65s1m04rqrtw5pt462o58343y618vh
[2011/09/28 06:20:40 | 000,000,844 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\tr6fsajl1433id65s1m04rqrtw5pt462o58343y618vh
[2011/08/27 20:21:15 | 000,000,112 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\xLp3TL.dat
[2011/08/27 20:06:58 | 000,001,312 | -HS- | C] () -- C:\Documents and Settings\Maxim\Local Settings\Application Data\84i83072ueun14wi5d5vk15770d37sjc7mgaaq1ntg83
[2011/08/27 20:06:58 | 000,001,312 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\84i83072ueun14wi5d5vk15770d37sjc7mgaaq1ntg83
[2011/08/27 20:06:58 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\sodv.exe
[2011/08/27 20:06:58 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\pndo.exe
[2011/08/27 20:06:58 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\ntxu.exe
[2011/08/27 20:06:57 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\jlub.exe
[2011/05/24 02:56:38 | 000,013,822 | -HS- | C] () -- C:\Documents and Settings\Maxim\Local Settings\Application Data\s3y6i48l744h4x280ce123866cp324d301uytp1006
[2011/05/24 02:56:38 | 000,013,822 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\s3y6i48l744h4x280ce123866cp324d301uytp1006
[2011/04/18 00:25:25 | 000,016,742 | -HS- | C] () -- C:\Documents and Settings\Maxim\Local Settings\Application Data\d60olj4151841n3gtp048337hy7eoh
[2011/04/18 00:25:25 | 000,016,742 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\d60olj4151841n3gtp048337hy7eoh
[2011/04/09 18:55:28 | 000,179,261 | ---- | C] () -- C:\WINDOWS\System32\xlive.dll.cat
[2011/03/04 05:27:52 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/11/14 21:30:55 | 000,000,075 | ---- | C] () -- C:\WINDOWS\System32\nvUnsupRes.dat
[2010/09/16 03:17:58 | 001,628,304 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/07/13 11:44:37 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2010/06/22 19:45:00 | 000,005,077 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\bltofzsb.qlf
[2010/04/21 00:05:49 | 000,000,056 | ---- | C] () -- C:\WINDOWS\kgt2k.INI
[2009/11/03 18:00:33 | 001,604,482 | ---- | C] () -- C:\WINDOWS\System32\nvdata.bin
[2009/10/28 15:03:02 | 000,015,144 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2009/08/24 18:00:27 | 000,021,840 | ---- | C] () -- C:\WINDOWS\System32\SIntfNT.dll
[2009/08/24 18:00:27 | 000,017,212 | ---- | C] () -- C:\WINDOWS\System32\SIntf32.dll
[2009/08/24 18:00:27 | 000,012,067 | ---- | C] () -- C:\WINDOWS\System32\SIntf16.dll
[2009/08/09 16:36:22 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2009/07/03 14:31:54 | 000,003,972 | ---- | C] () -- C:\WINDOWS\System32\drivers\PciBus.sys
[2009/06/06 02:32:36 | 000,002,119 | ---- | C] () -- C:\Documents and Settings\Maxim\Application Data\waQ1P0bNat.gif
[2009/06/06 02:32:36 | 000,000,607 | ---- | C] () -- C:\Documents and Settings\Maxim\Application Data\waQ1P0bNzn.gif
[2009/06/06 02:32:36 | 000,000,598 | ---- | C] () -- C:\Documents and Settings\Maxim\Application Data\waQ1P0bNby.gif
[2009/04/16 03:01:55 | 000,000,118 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2008/10/07 09:13:22 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelTraditionalChinese.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSwedish.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSpanish.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSimplifiedChinese.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelPortugese.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelKorean.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelJapanese.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelGerman.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelFrench.dll
[2008/02/02 18:59:03 | 000,043,520 | ---- | C] () -- C:\WINDOWS\System32\CmdLineExt03.dll
[2007/10/21 17:41:15 | 000,211,089 | ---- | C] () -- C:\WINDOWS\War3Unin.dat
[2007/09/11 14:58:00 | 000,002,908 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2007/07/15 19:04:34 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2007/07/06 03:03:38 | 000,160,768 | ---- | C] () -- C:\Documents and Settings\Maxim\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/07/03 02:05:51 | 000,008,272 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2007/06/26 01:43:53 | 000,001,340 | ---- | C] () -- C:\WINDOWS\mozver.dat
[2007/06/23 19:48:21 | 000,000,000 | ---- | C] () -- C:\WINDOWS\SetSel.INI
[2007/06/23 02:49:14 | 000,000,008 | ---- | C] () -- C:\WINDOWS\System32\nvModes.dat
[2007/06/22 16:38:18 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2007/06/21 20:48:59 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2007/06/21 20:46:22 | 000,107,008 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2007/06/21 01:02:06 | 000,001,428 | R--- | C] () -- C:\WINDOWS\System32\drivers\nvphy.bin
[2007/06/21 01:01:47 | 000,000,396 | R--- | C] () -- C:\WINDOWS\System32\raidmgmt.ini
[2007/06/21 01:01:46 | 000,000,804 | R--- | C] () -- C:\WINDOWS\System32\AsusSetup.ini
[2007/06/21 01:01:35 | 000,024,816 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2007/06/21 01:01:35 | 000,005,810 | R--- | C] () -- C:\WINDOWS\System32\drivers\ASACPI.sys
[2007/06/21 01:01:25 | 000,010,288 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2007/06/21 00:57:45 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2007/06/21 00:54:20 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2007/03/13 14:43:04 | 001,018,748 | ---- | C] () -- C:\WINDOWS\System32\nvucode.bin
[2007/03/13 14:43:02 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2006/02/28 08:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2006/02/28 08:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2006/02/28 08:00:00 | 000,459,732 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2006/02/28 08:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2006/02/28 08:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2006/02/28 08:00:00 | 000,079,538 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2006/02/28 08:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2006/02/28 08:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2006/02/28 08:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2006/02/28 08:00:00 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2006/02/28 08:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2006/02/28 08:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2000/04/27 15:14:02 | 000,004,500 | ---- | C] () -- C:\WINDOWS\System32\FILTRCOI.DLL

========== Custom Scans ==========


< %APPDATA%\Microsoft\*.* >

< %systemroot%\system32\config\systemprofile\*.dat /x >

< %USERPROFILE%\Desktop\*.exe >
[2009/08/09 20:44:14 | 000,812,344 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\Maxim\Desktop\1234.exe
[2011/08/20 21:56:56 | 007,952,623 | ---- | M] () -- C:\Documents and Settings\Maxim\Desktop\cockatrice_win32_20110309.exe
[2011/10/01 13:35:49 | 004,191,448 | R--- | M] (Swearware) -- C:\Documents and Settings\Maxim\Desktop\Commy.exe
[2011/09/28 13:09:19 | 002,322,184 | ---- | M] (ESET) -- C:\Documents and Settings\Maxim\Desktop\esetsmartinstaller_enu.exe
[2011/05/14 04:41:28 | 000,642,712 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Maxim\Desktop\gfwlivesetup.exe
[2010/02/27 13:25:00 | 001,498,968 | ---- | M] () -- C:\Documents and Settings\Maxim\Desktop\LoLInstaller.exe
[2011/06/04 02:44:53 | 009,690,219 | ---- | M] () -- C:\Documents and Settings\Maxim\Desktop\mws094f.exe
[2008/03/02 22:19:06 | 125,892,318 | ---- | M] () -- C:\Documents and Settings\Maxim\Desktop\OOo_2.3.1_Win32Intel_install_wJRE_en-US.exe
[2010/05/05 08:21:22 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Maxim\Desktop\OTL.exe
[2009/08/10 22:26:58 | 000,408,064 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Maxim\Desktop\OTM.exe
[2011/04/22 22:45:32 | 013,732,286 | ---- | M] () -- C:\Documents and Settings\Maxim\Desktop\PT-Install-v3.10.exe
[2010/04/16 16:07:40 | 002,178,224 | ---- | M] () -- C:\Documents and Settings\Maxim\Desktop\TestRealmInstallerDownloader.04_05_2010.exe
[2010/05/11 22:33:25 | 003,249,480 | ---- | M] (Unity Technologies ApS) -- C:\Documents and Settings\Maxim\Desktop\UnityWebPlayer.exe
[2011/04/11 01:20:07 | 000,399,736 | ---- | M] (BitTorrent, Inc.) -- C:\Documents and Settings\Maxim\Desktop\utorrent.exe
[2010/04/10 15:11:12 | 011,048,840 | ---- | M] () -- C:\Documents and Settings\Maxim\Desktop\veetle-0.9.17.exe
[2011/05/14 04:43:03 | 000,823,152 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Maxim\Desktop\WindowsXP-KB938759-x86-ENU.exe

< %PROGRAMFILES%\Common Files\*.* >

< %systemroot%\winn32\*.* >

< %USERPROFILE%\My Documents\*.exe >

< %USERPROFILE%\*.exe >

< %PROGRAMFILES%\Mozilla Firefox\*.exe >
[2011/08/16 23:56:54 | 000,125,912 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\crashreporter.exe
[2011/08/16 23:56:54 | 000,924,632 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
[2011/08/16 23:56:52 | 000,016,856 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\plugin-container.exe
[2011/08/16 23:56:52 | 000,269,272 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\updater.exe
[2007/10/13 18:59:13 | 140,202,521 | ---- | M] () -- C:\Program Files\Mozilla Firefox\WoW-2.2.3.7359-to-0.3.0.7382-enUS-patch.exe
[2008/02/11 23:41:51 | 141,909,560 | ---- | M] () -- C:\Program Files\Mozilla Firefox\WoW-2.3.3.7799-to-0.4.0.7897-enUS-patch.exe

< %ProgramFiles%\TinyProxy. >

< %systemroot%\system32\*.* /lockedfiles >
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.* /lockedfiles >

< %PROGRAMFILES%\*. >
[2010/05/05 15:54:09 | 000,000,000 | ---D | M] -- C:\Program Files\Absolute Poker
[2011/01/09 19:01:08 | 000,000,000 | ---D | M] -- C:\Program Files\Adobe
[2010/06/25 15:52:41 | 000,000,000 | ---D | M] -- C:\Program Files\AGEIA Technologies
[2009/08/23 23:51:56 | 000,000,000 | ---D | M] -- C:\Program Files\Alcohol Soft
[2011/04/24 14:59:45 | 000,000,000 | ---D | M] -- C:\Program Files\ALL IN Expert
[2007/06/21 01:05:06 | 000,000,000 | ---D | M] -- C:\Program Files\Analog Devices
[2009/08/09 19:02:59 | 000,000,000 | ---D | M] -- C:\Program Files\Apprentice
[2010/12/24 23:44:54 | 000,000,000 | ---D | M] -- C:\Program Files\Armagetron Advanced
[2009/08/09 19:18:13 | 000,000,000 | ---D | M] -- C:\Program Files\Atari
[2011/02/23 14:46:23 | 000,000,000 | ---D | M] -- C:\Program Files\ATMA V
[2011/01/08 03:45:54 | 000,000,000 | ---D | M] -- C:\Program Files\AVG
[2010/02/20 22:17:48 | 000,000,000 | ---D | M] -- C:\Program Files\Belkin
[2011/01/14 20:16:28 | 000,000,000 | ---D | M] -- C:\Program Files\BitTorrent
[2011/08/20 22:01:51 | 000,000,000 | ---D | M] -- C:\Program Files\Cockatrice
[2011/10/01 13:57:26 | 000,000,000 | ---D | M] -- C:\Program Files\Common Files
[2007/06/21 00:54:14 | 000,000,000 | ---D | M] -- C:\Program Files\ComPlus Applications
[2011/04/24 15:00:37 | 000,000,000 | ---D | M] -- C:\Program Files\CyberLink
[2009/08/17 10:00:09 | 000,000,000 | ---D | M] -- C:\Program Files\DAEMON Tools Pro
[2009/03/18 04:58:17 | 000,000,000 | ---D | M] -- C:\Program Files\Dawn of War 2
[2010/02/20 22:17:36 | 000,000,000 | ---D | M] -- C:\Program Files\Diablo II
[2007/06/21 01:03:33 | 000,000,000 | ---D | M] -- C:\Program Files\DIFX
[2009/07/09 10:12:02 | 000,000,000 | ---D | M] -- C:\Program Files\DivX
[2010/05/05 16:04:22 | 000,000,000 | ---D | M] -- C:\Program Files\Electronic Arts
[2011/01/09 20:54:35 | 000,000,000 | ---D | M] -- C:\Program Files\ESET
[2010/05/05 15:56:26 | 000,000,000 | ---D | M] -- C:\Program Files\Eusing Free Registry Cleaner
[2010/11/22 15:58:44 | 000,000,000 | ---D | M] -- C:\Program Files\Full Tilt Poker
[2009/07/03 14:30:52 | 000,000,000 | ---D | M] -- C:\Program Files\Futuremark
[2010/01/03 19:34:26 | 000,000,000 | ---D | M] -- C:\Program Files\GIMP-2.0
[2007/07/03 02:04:26 | 000,000,000 | ---D | M] -- C:\Program Files\Google
[2007/09/05 00:52:49 | 000,000,000 | ---D | M] -- C:\Program Files\Google Video
[2011/04/24 15:00:37 | 000,000,000 | -H-D | M] -- C:\Program Files\InstallShield Installation Information
[2011/04/16 03:05:06 | 000,000,000 | ---D | M] -- C:\Program Files\Internet Explorer
[2008/06/19 22:00:21 | 000,000,000 | ---D | M] -- C:\Program Files\iPod
[2011/09/28 15:02:22 | 000,000,000 | ---D | M] -- C:\Program Files\iTunes
[2010/01/27 06:57:58 | 000,000,000 | ---D | M] -- C:\Program Files\Java
[2011/04/24 15:05:34 | 000,000,000 | ---D | M] -- C:\Program Files\Koei
[2010/05/05 15:59:14 | 000,000,000 | ---D | M] -- C:\Program Files\LimeWire
[2007/06/23 02:20:11 | 000,000,000 | ---D | M] -- C:\Program Files\Logitech
[2011/06/04 14:35:55 | 000,000,000 | ---D | M] -- C:\Program Files\Magic Workstation
[2009/08/17 10:01:47 | 000,000,000 | ---D | M] -- C:\Program Files\MagicDisc
[2009/08/09 18:16:39 | 000,000,000 | ---D | M] -- C:\Program Files\Malwarebytes' Anti-Malware
[2008/09/04 00:18:57 | 000,000,000 | ---D | M] -- C:\Program Files\Messenger
[2009/11/10 12:25:09 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft
[2007/06/21 00:56:36 | 000,000,000 | ---D | M] -- C:\Program Files\microsoft frontpage
[2011/05/14 04:42:08 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Games for Windows - LIVE
[2009/08/14 17:06:34 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft SDKs
[2009/08/14 17:09:51 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft SQL Server
[2010/07/25 02:40:06 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft SQL Server Compact Edition
[2010/07/25 02:40:38 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Sync Framework
[2009/08/14 17:08:53 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Visual Studio 9.0
[2009/08/14 17:07:34 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft.NET
[2011/04/25 12:40:54 | 000,000,000 | ---D | M] -- C:\Program Files\mIRC
[2010/08/13 03:00:25 | 000,000,000 | ---D | M] -- C:\Program Files\Movie Maker
[2011/08/16 23:57:28 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox
[2007/06/21 01:50:07 | 000,000,000 | ---D | M] -- C:\Program Files\MSBuild
[2007/06/21 00:53:16 | 000,000,000 | ---D | M] -- C:\Program Files\MSN
[2007/06/21 00:53:44 | 000,000,000 | ---D | M] -- C:\Program Files\MSN Gaming Zone
[2007/08/16 03:00:19 | 000,000,000 | ---D | M] -- C:\Program Files\MSXML 4.0
[2007/06/21 02:00:05 | 000,000,000 | ---D | M] -- C:\Program Files\MSXML 6.0
[2010/02/20 22:18:49 | 000,000,000 | ---D | M] -- C:\Program Files\MUSICMATCH
[2007/06/21 01:20:48 | 000,000,000 | ---D | M] -- C:\Program Files\Nero
[2008/09/04 00:13:50 | 000,000,000 | ---D | M] -- C:\Program Files\NetMeeting
[2011/06/09 02:47:09 | 000,000,000 | ---D | M] -- C:\Program Files\Norton Security Scan
[2011/06/09 02:47:08 | 000,000,000 | ---D | M] -- C:\Program Files\NortonInstaller
[2010/06/25 15:52:41 | 000,000,000 | ---D | M] -- C:\Program Files\NVIDIA Corporation
[2007/12/17 14:11:29 | 000,000,000 | ---D | M] -- C:\Program Files\Ocean Technology
[2011/09/28 15:09:34 | 000,000,000 | ---D | M] -- C:\Program Files\OfficeKB
[2007/06/21 00:53:51 | 000,000,000 | ---D | M] -- C:\Program Files\Online Services
[2008/03/02 22:21:39 | 000,000,000 | ---D | M] -- C:\Program Files\OpenOffice.org 2.3
[2010/12/16 04:01:12 | 000,000,000 | ---D | M] -- C:\Program Files\Outlook Express
[2010/04/16 16:07:53 | 000,000,000 | ---D | M] -- C:\Program Files\Pando Networks
[2010/11/23 09:59:42 | 000,000,000 | ---D | M] -- C:\Program Files\PartyGaming
[2011/07/31 18:55:39 | 000,000,000 | ---D | M] -- C:\Program Files\PokerStars
[2010/10/05 11:11:14 | 000,000,000 | ---D | M] -- C:\Program Files\PokerStove
[2010/12/15 21:23:06 | 000,000,000 | ---D | M] -- C:\Program Files\PokerTracker 3
[2010/06/22 19:56:05 | 000,000,000 | ---D | M] -- C:\Program Files\PostgreSQL
[2011/09/28 15:13:32 | 000,000,000 | ---D | M] -- C:\Program Files\QuickTime
[2009/11/21 02:30:15 | 000,000,000 | ---D | M] -- C:\Program Files\Real
[2007/06/21 01:48:03 | 000,000,000 | ---D | M] -- C:\Program Files\Reference Assemblies
[2011/07/09 00:10:07 | 000,000,000 | R--D | M] -- C:\Program Files\Skype
[2010/05/05 16:04:00 | 000,000,000 | ---D | M] -- C:\Program Files\Sony
[2011/02/05 16:20:09 | 000,000,000 | ---D | M] -- C:\Program Files\Sony Online Entertainment
[2007/08/12 23:39:28 | 000,000,000 | ---D | M] -- C:\Program Files\Sony Setup
[2010/05/21 23:26:48 | 000,000,000 | ---D | M] -- C:\Program Files\SopCast
[2011/07/05 02:01:15 | 000,000,000 | ---D | M] -- C:\Program Files\Steam
[2009/03/18 04:32:35 | 000,000,000 | ---D | M] -- C:\Program Files\SystemRequirementsLab
[2010/12/19 23:15:18 | 000,000,000 | ---D | M] -- C:\Program Files\TeamViewer
[2007/12/13 21:54:45 | 000,000,000 | ---D | M] -- C:\Program Files\THQ
[2009/08/09 20:44:22 | 000,000,000 | ---D | M] -- C:\Program Files\Trend Micro
[2007/08/12 23:41:14 | 000,000,000 | -H-D | M] -- C:\Program Files\Uninstall Information
[2011/04/11 01:20:37 | 000,000,000 | ---D | M] -- C:\Program Files\uTorrent
[2010/01/03 20:57:07 | 000,000,000 | ---D | M] -- C:\Program Files\Vector Magic
[2010/04/10 15:11:26 | 000,000,000 | ---D | M] -- C:\Program Files\Veetle
[2007/11/14 17:47:00 | 000,000,000 | ---D | M] -- C:\Program Files\Ventrilo
[2010/11/07 02:11:40 | 000,000,000 | ---D | M] -- C:\Program Files\Veoh Networks
[2008/08/08 13:55:45 | 000,000,000 | ---D | M] -- C:\Program Files\VideoLAN
[2010/05/05 16:03:14 | 000,000,000 | ---D | M] -- C:\Program Files\VS Revo Group
[2011/01/29 23:02:16 | 000,000,000 | ---D | M] -- C:\Program Files\Warcraft III
[2010/05/05 15:55:53 | 000,000,000 | ---D | M] -- C:\Program Files\Wesnoth
[2010/07/25 02:41:00 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Live
[2009/06/05 13:14:51 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Live SkyDrive
[2007/06/21 01:47:26 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Media Connect 2
[2008/09/04 00:13:48 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Media Player
[2008/09/04 00:13:48 | 000,000,000 | ---D | M] -- C:\Program Files\Windows NT
[2007/07/01 00:28:39 | 000,000,000 | ---D | M] -- C:\Program Files\WinRAR
[2011/04/24 15:06:59 | 000,000,000 | ---D | M] -- C:\Program Files\World of Warcraft
[2007/06/21 00:56:36 | 000,000,000 | ---D | M] -- C:\Program Files\xerox
[2010/09/21 03:35:39 | 000,000,000 | ---D | M] -- C:\Program Files\Yahoo!
[2009/11/12 20:50:12 | 000,000,000 | ---D | M] -- C:\Program Files\_uninstallation_info


< MD5 for: AGP440.SYS >
[2006/02/28 08:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2008/09/04 00:10:58 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2008/09/04 00:10:58 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ERDNT\cache\agp440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >
[2006/02/28 08:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008/09/04 00:10:58 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008/09/04 00:10:58 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2006/02/28 08:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2006/02/28 08:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\i386\atapi.sys

< MD5 for: DISK.SYS >
[2006/02/28 08:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:disk.sys
[2008/09/04 00:10:58 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:disk.sys
[2008/09/04 00:10:58 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:disk.sys
[2006/02/28 08:00:00 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=00CA44E4534865F8A3B64F7C0984BFF0 -- C:\WINDOWS\$NtServicePackUninstall$\disk.sys
[2008/04/13 14:40:47 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=044452051F3E02E7963599FC8F4F3E25 -- C:\WINDOWS\ServicePackFiles\i386\disk.sys
[2008/04/13 14:40:47 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=044452051F3E02E7963599FC8F4F3E25 -- C:\WINDOWS\system32\drivers\disk.sys

< MD5 for: NETLOGON.DLL >
[2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ERDNT\cache\netlogon.dll
[2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2006/02/28 08:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2011-10-01 17:22:48

< hklm\software\clients\startmenuinternet|command /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\chrome.exe\InstallInfo\\ShowIconsCommand: "C:\Documents and Settings\Maxim\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" --show-icons [2010/04/26 13:13:25 | 000,531,440 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\chrome.exe\InstallInfo\\HideIconsCommand: "C:\Documents and Settings\Maxim\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" --hide-icons [2010/04/26 13:13:25 | 000,531,440 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\chrome.exe\InstallInfo\\ReinstallCommand: "C:\Documents and Settings\Maxim\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" --make-default-browser [2010/04/26 13:13:25 | 000,531,440 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\chrome.exe\shell\open\command\\: "C:\Documents and Settings\Maxim\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" [2010/04/26 13:13:25 | 000,531,440 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\HideIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /HideShortcuts [2011/08/16 23:56:52 | 000,712,976 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ShowIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /ShowShortcuts [2011/08/16 23:56:52 | 000,712,976 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ReinstallCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /SetAsDefaultAppGlobal [2011/08/16 23:56:52 | 000,712,976 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\open\command\\: C:\Program Files\Mozilla Firefox\firefox.exe [2011/08/16 23:56:54 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\properties\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -preferences [2011/08/16 23:56:54 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\safemode\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode [2011/08/16 23:56:54 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\ShowIconsCommand: "C:\Documents and Settings\Maxim\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" --show-icons [2010/04/26 13:13:25 | 000,531,440 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\HideIconsCommand: "C:\Documents and Settings\Maxim\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" --hide-icons [2010/04/26 13:13:25 | 000,531,440 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\ReinstallCommand: "C:\Documents and Settings\Maxim\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" --make-default-browser [2010/04/26 13:13:25 | 000,531,440 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\shell\open\command\\: "C:\Documents and Settings\Maxim\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" [2010/04/26 13:13:25 | 000,531,440 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\WINDOWS\system32\ie4uinit.exe" -reinstall [2011/02/17 07:43:27 | 000,070,656 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -hide [2011/02/17 07:43:27 | 000,070,656 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -show [2011/02/17 07:43:27 | 000,070,656 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: "C:\Program Files\internet explorer\iexplore.exe" [2011/02/14 08:17:08 | 000,634,648 | ---- | M] (Microsoft Corporation)

< hklm\software\clients\startmenuinternet|command /64 /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\chrome.exe\InstallInfo\\ShowIconsCommand: "C:\Documents and Settings\Maxim\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" --show-icons [2010/04/26 13:13:25 | 000,531,440 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\chrome.exe\InstallInfo\\HideIconsCommand: "C:\Documents and Settings\Maxim\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" --hide-icons [2010/04/26 13:13:25 | 000,531,440 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\chrome.exe\InstallInfo\\ReinstallCommand: "C:\Documents and Settings\Maxim\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" --make-default-browser [2010/04/26 13:13:25 | 000,531,440 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\chrome.exe\shell\open\command\\: "C:\Documents and Settings\Maxim\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" [2010/04/26 13:13:25 | 000,531,440 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\HideIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /HideShortcuts [2011/08/16 23:56:52 | 000,712,976 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ShowIconsCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /ShowShortcuts [2011/08/16 23:56:52 | 000,712,976 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\InstallInfo\\ReinstallCommand: "C:\Program Files\Mozilla Firefox\uninstall\helper.exe" /SetAsDefaultAppGlobal [2011/08/16 23:56:52 | 000,712,976 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\open\command\\: C:\Program Files\Mozilla Firefox\firefox.exe [2011/08/16 23:56:54 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\properties\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -preferences [2011/08/16 23:56:54 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\FIREFOX.EXE\shell\safemode\command\\: "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode [2011/08/16 23:56:54 | 000,924,632 | ---- | M] (Mozilla Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\ShowIconsCommand: "C:\Documents and Settings\Maxim\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" --show-icons [2010/04/26 13:13:25 | 000,531,440 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\HideIconsCommand: "C:\Documents and Settings\Maxim\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" --hide-icons [2010/04/26 13:13:25 | 000,531,440 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\ReinstallCommand: "C:\Documents and Settings\Maxim\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" --make-default-browser [2010/04/26 13:13:25 | 000,531,440 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\shell\open\command\\: "C:\Documents and Settings\Maxim\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" [2010/04/26 13:13:25 | 000,531,440 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\WINDOWS\system32\ie4uinit.exe" -reinstall [2011/02/17 07:43:27 | 000,070,656 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -hide [2011/02/17 07:43:27 | 000,070,656 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -show [2011/02/17 07:43:27 | 000,070,656 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: "C:\Program Files\internet explorer\iexplore.exe" [2011/02/14 08:17:08 | 000,634,648 | ---- | M] (Microsoft Corporation)

========== Alternate Data Streams ==========

@Alternate Data Stream - 136 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:05EE1EEF
@Alternate Data Stream - 113 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:8CEFE51A

< End of report >

Re: Need to get rid of rootkit.
Results of screen317's Security Check version 0.99.18
Windows XP Service Pack 3
Internet Explorer 7 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
ESET Online Scanner v3
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
HijackThis 2.0.2
Java(TM) 6 Update 18
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Out of date Java installed!
Adobe Flash Player 10.3.183.7
Mozilla Firefox (x86 en-US..)
````````````````````````````````
Process Check:
objlist.exe by Laurent

``````````End of Log````````````

Re: Need to get rid of rootkit.
Hi there Uthanak!

I am Gabethebabe and I will be helping you with this issue. Before we start, some general remarks/rules:
  • Whilst I'm helping you, please follow my instructions carefully and do not experiment on your own or accept help from other persons.
  • Feel free to ask questions! Especially if my instructions are not clear. I'm here to help, not to confuse you.
  • I will try to respond quickly, but please understand I do have a real life (job, wife, 3 kids, kinky hobbies).
  • Stick with me till the end. If your computer starts running better, that doesn't mean it is clean yet!

====================

Time to use ComboFix by sUBs, a powerful tool that you are advised not to run without the supervision of a trained malware helper. Please visit this webpage and read the tutorial on using ComboFix very carefully. After that, download the tool and save it to your desktop.

Double-click ComboFix.exe to run the tool. Please post its log back here.

Re: Need to get rid of rootkit.

ComboFix is stuck at rebooting and says not to reboot manually myself. What should I do?

Re: Need to get rid of rootkit.

Well, if it is really stuck, you will need to reboot manually, I'm afraid.

Do you have the original Windows XP setup disk?

Re: Need to get rid of rootkit.

Nope, never had it; bought the PC with XP installed.

Re: Need to get rid of rootkit.
ComboFix 11-09-01.03 - Maxim 10/03/2011 4:30.10.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3326.2755 [GMT -4:00]
Running from: c:\documents and settings\Maxim\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\bpbr.exe
c:\documents and settings\All Users\Application Data\dnlq.exe
c:\documents and settings\All Users\Application Data\oydr.exe
c:\documents and settings\All Users\Application Data\tonq.exe
c:\documents and settings\NetworkService\Local Settings\Application Data\dfhi.exe
c:\documents and settings\NetworkService\Local Settings\Application Data\irbx.exe
c:\documents and settings\NetworkService\Local Settings\Application Data\luoj.exe
c:\documents and settings\NetworkService\Local Settings\Application Data\oenn.exe
c:\documents and settings\NetworkService\Local Settings\Application Data\roe.exe
c:\process\FC78BA656AF.exe
c:\windows\assembly\GAC_MSIL\desktop.ini
c:\windows\dasetup.log
c:\windows\system32\mpix.exe
c:\windows\system32\pbtf.exe
c:\windows\system32\vfge.exe
c:\windows\system32\xbxc.exe
.
Infected copy of c:\program files\Java\jre6\bin\jqs.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP483\A0079096.exe
.
Infected copy of c:\windows\system32\nvsvc32.exe was found and disinfected
Restored copy from - c:\windows\system32\ReinstallBackups\0011\DriverFiles\nvsvc32.exe
.
Infected copy of c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP483\A0079095.exe
.
Infected copy of c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE was found and disinfected
Restored copy from - c:\system volume information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP483\A0079094.EXE
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_1f9293b4
.
.
((((((((((((((((((((((((( Files Created from 2011-09-03 to 2011-10-03 )))))))))))))))))))))))))))))))
.
.
2011-10-03 06:21 . 2011-10-03 06:25 -------- d-----w- C:\Commy
2011-10-03 06:19 . 2011-10-03 06:19 -------- d-----w- C:\ARK
2011-10-02 04:38 . 2011-10-02 04:38 4194304 ----a-w- c:\windows\system32\dtxmbwwl.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-28 01:16 . 2011-05-14 05:48 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-28 00:06 . 2011-08-28 00:06 0 ----a-w- c:\documents and settings\All Users\Application Data\sodv.exe
2011-08-28 00:06 . 2011-08-28 00:06 0 ----a-w- c:\documents and settings\All Users\Application Data\pndo.exe
2011-08-28 00:06 . 2011-08-28 00:06 0 ----a-w- c:\documents and settings\All Users\Application Data\ntxu.exe
2011-08-28 00:06 . 2011-08-28 00:06 0 ----a-w- c:\documents and settings\All Users\Application Data\jlub.exe
2011-07-08 14:02 . 2006-02-28 12:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-06 23:52 . 2009-08-09 21:50 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 23:52 . 2009-08-09 21:50 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2011-08-17 03:56 . 2011-05-08 01:44 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.

Code:

    c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe
    c:\program files\Alcohol Soft\Alcohol 120\axcmd .exe
    c:\program files\Analog Devices\Core\smax4pnp .exe
    c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
    c:\program files\Common Files\Ahead\Lib\NMBgMonitor .exe
    c:\program files\Google\Google Updater\GoogleUpdater .exe
    c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
    c:\program files\iTunes\iTunesHelper .exe

.
((((((((((((((((((((((((((((( SnapShot_2011-10-01_18.18.58 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-10-03 18:49 . 2011-10-03 18:49 16384 c:\windows\temp\Perflib_Perfdata_7ec.dat
+ 2011-10-03 18:43 . 2011-10-03 18:43 16384 c:\windows\temp\Perflib_Perfdata_688.dat
+ 2011-10-03 07:04 . 2011-10-03 07:04 16384 c:\windows\temp\Perflib_Perfdata_680.dat
+ 2007-06-21 05:47 . 2010-07-05 13:15 17272 c:\windows\system32\spmsg.dll
- 2007-06-21 05:47 . 2008-07-08 13:02 17272 c:\windows\system32\spmsg.dll
+ 2011-10-01 17:23 . 2011-07-08 14:02 10496 c:\windows\system32\dllcache\ndistapi.sys
+ 2007-06-21 04:58 . 2011-10-02 06:54 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-06-21 04:58 . 2011-06-12 14:22 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2011-10-02 06:54 . 2011-10-02 06:54 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2011-06-12 14:22 . 2011-06-12 14:22 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-09-27 23:19 . 2007-04-20 10:05 163908 c:\windows\system32\nvsvc32.exe
+ 2008-12-05 06:54 . 2011-04-29 17:25 151552 c:\windows\system32\dllcache\schannel.dll
- 2009-11-21 06:30 . 2011-06-12 14:22 360448 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-11-21 06:30 . 2011-10-02 06:54 360448 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2011-04-16 12:44 . 2011-04-16 12:44 2770944 c:\windows\temp\IXP000.TMP\vcredist.msi
+ 2006-02-28 12:00 . 2011-06-02 14:02 1858944 c:\windows\system32\win32k.sys
+ 2008-10-16 03:23 . 2011-06-02 14:02 1858944 c:\windows\system32\dllcache\win32k.sys
+ 2006-02-28 12:00 . 2011-03-03 13:21 1857920 c:\windows\system32\_000006_.tmp.dll
+ 2011-04-16 12:44 . 2011-04-16 12:44 2770944 c:\windows\Installer\45976.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [N/A]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2010-04-17 3872080]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [N/A]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [N/A]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-06-15 15141768]
"UU9W7W0EWIWEVHXDLTEVZ"="c:\process\FC78BA656AF.exe" [N/A]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [N/A]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-10-21 29696]
"OfficeKB"="c:\progra~1\OfficeKB\OfficeKB.EXE" [N/A]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-09-27 13918208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-09-27 86016]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [N/A]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [N/A]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [N/A]
"Google Updater"="c:\program files\Google\Google Updater\GoogleUpdater.exe" [N/A]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RealUpgradeHelper"="c:\program files\Common Files\Real\Update_OB\upgrdhlp.exe" [N/A]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10t_ActiveX.exe" [2011-07-09 240288]
.
c:\documents and settings\Maxim\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - c:\program files\OpenOffice.org 2.3\program\quickstart.exe [2007-8-17 393216]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2007-6-23 450560]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\KEM.exe [2007-6-23 581632]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Apprentice\\Appr.exe"=
"c:\\Program Files\\THQ\\Dawn of War - Dark Crusade\\DarkCrusade.exe"=
"c:\\Program Files\\THQ\\Dawn Of War\\W40kWA.exe"=
"c:\\Program Files\\THQ\\Dawn Of War\\W40k.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Documents and Settings\\Maxim\\Desktop\\Max\\Pokemon Game.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.0.8.9506-to-3.0.9.9551-enUS-downloader.exe"=
"c:\\Program Files\\Dawn of War 2\\DOW2.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0-enUS-downloader.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\aliens vs predator\\AvP_CLI.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\transformers war for cybertron\\Binaries\\TWFC.exe"=
"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer_Service.exe"=
"c:\\Program Files\\Armagetron Advanced\\armagetronad.exe"=
"c:\\Program Files\\Sony Online Entertainment\\Installed Games\\DC Universe Online Live\\UNREAL3\\BINARIES\\WIN32\\DCGAME.EXE"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Riot Games\\League of Legends\\lol.launcher.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\dawn of war 2\\DOW2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\dawn of war ii - retribution\\DOW2.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"4000:TCP"= 4000:TCP:diablo
"8375:TCP"= 8375:TCP:League of Legends Launcher
"8375:UDP"= 8375:UDP:League of Legends Launcher
"8376:TCP"= 8376:TCP:League of Legends Launcher
"8376:UDP"= 8376:UDP:League of Legends Launcher
"8377:TCP"= 8377:TCP:League of Legends Launcher
"8377:UDP"= 8377:UDP:League of Legends Launcher
"8378:TCP"= 8378:TCP:League of Legends Launcher
"8378:UDP"= 8378:UDP:League of Legends Launcher
"8379:TCP"= 8379:TCP:League of Legends Launcher
"8379:UDP"= 8379:UDP:League of Legends Launcher
"8380:TCP"= 8380:TCP:League of Legends Launcher
"8380:UDP"= 8380:UDP:League of Legends Launcher
"8381:TCP"= 8381:TCP:League of Legends Launcher
"8381:UDP"= 8381:UDP:League of Legends Launcher
"6881:TCP"= 6881:TCP:League of Legends Launcher
"6881:UDP"= 6881:UDP:League of Legends Launcher
"8382:TCP"= 8382:TCP:League of Legends Launcher
"8382:UDP"= 8382:UDP:League of Legends Launcher
"8383:TCP"= 8383:TCP:League of Legends Launcher
"8383:UDP"= 8383:UDP:League of Legends Launcher
"8393:TCP"= 8393:TCP:League of Legends Lobby
"8393:UDP"= 8393:UDP:League of Legends Lobby
"8390:TCP"= 8390:TCP:League of Legends Game Client
"8390:UDP"= 8390:UDP:League of Legends Game Client
"6929:TCP"= 6929:TCP:League of Legends Launcher
"6929:UDP"= 6929:UDP:League of Legends Launcher
.
R2 USmsServ;Desktop Window Manager Sessions Manager;c:\windows\Desktop Manager\dwm.exe [6/10/2011 12:48 PM 142336]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2/27/2010 11:44 AM 57248]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/9/2009 6:35 PM 297752]
S2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [12/10/2009 3:39 AM 65536]
S3 B-Service;B-Service;c:\documents and settings\Maxim\Application Data\Mikogo\B-Service.exe [9/17/2010 12:13 PM 185640]
S3 bcgame;Nostromo HID Device Minidriver;c:\windows\system32\drivers\bcgame.sys --> c:\windows\system32\drivers\bcgame.sys [?]
S3 McComponentHostService;McAfee Security Scan Component Host Service;"c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe" --> c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/13/2007 12:28 AM 722416]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WUAUSERV
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-03 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-07-03 14:27]
.
2011-10-02 c:\windows\Tasks\Norton Security Scan for Maxim.job
- c:\progra~1\NORTON~2\Engine\312~1.9\Nss.exe [2011-06-09 08:19]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = localhost
LSP: mswsock.dll
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 192.168.0.1
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.3.0/GarminAxControl.CAB
FF - ProfilePath - c:\documents and settings\Maxim\Application Data\Mozilla\Firefox\Profiles\pu9jai39.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2653012&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: network.proxy.type - 0
FF - user.js: yahoo.homepage.dontask - true);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(yahoo.ytff.general.dontshowhpoffer, true);user_pref(network.protocol-handler.warn-external.dnupdate, false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-03 14:46
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\windows\3029570079:3765267531.exe 816 bytes executable
c:\windows\$NtUninstallKB2541763$
c:\windows\$NtUninstallKB2555917$
c:\windows\$NtUninstallKB2562937$
c:\windows\$NtUninstallKB2566454$
c:\windows\KB2566454.log 7668 bytes
c:\windows\system32\_000006_.tmp.dll 1857920 bytes executable
c:\windows\system32\SET14.tmp 151552 bytes executable
.
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD3200AAKS-00L9A0 rev.01.03E01 -> Harddisk0\DR0 -> \Device\00000032
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8AC31530]<<
_asm { MOV EAX, [ESP+0x4]; MOV ECX, [EAX+0x28]; PUSH EBP; MOV EBP, [ECX+0x4]; PUSH ESI; MOV ESI, [ESP+0x10]; PUSH EDI; MOV EDI, [ESI+0x60]; MOV AL, [EDI]; CMP AL, 0x16; JNZ 0x36; PUSH ESI; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8AD6EAB8]
3 CLASSPNP[0xB80E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A8C8F08]
\Driver\00001114[0x8A96BCA8] -> IRP_MJ_CREATE -> 0x8AC31530
error: Read The request is not supported.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\0000006a -> \??\IDE#DiskWDC_WD3200AAKS-00L9A0___________________01.03E01#2020202057202D44435756414332353631363737#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user & kernel MBR OK
copy of MBR has been found in sector 625137345
Warning: possible TDL3 rootkit infection !
.
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\windows\3029570079:3765267531.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\OpenOffice.org 2.3\program\soffice.exe
c:\program files\Logitech\SetPoint\KHALMNPR.EXE
c:\program files\OpenOffice.org 2.3\program\soffice.BIN
c:\windows\system32\msiexec.exe
c:\windows\SoftwareDistribution\Download\Install\VS90SP1-KB2251487-x86.exe
c:\53c62789f54aa0c8a6601544\HotFixInstaller.exe
c:\windows\system32\MsiExec.exe
.
**************************************************************************
.
Completion time: 2011-10-03 14:54:47 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-03 18:54
ComboFix2.txt 2011-10-01 18:28
ComboFix3.txt 2011-01-14 22:14
ComboFix4.txt 2011-01-09 07:15
ComboFix5.txt 2011-10-03 08:28
.
Pre-Run: 126,926,155,776 bytes free
Post-Run: 127,373,467,648 bytes free
.
- - End Of File - - 53DB6E7A28A44B22A10A56B792E3551F

Re: Need to get rid of rootkit.

Your computer is quite seriously infected. ComboFix cleaned up something, but we are not halfway yet.

  • Please create a new text file in Notepad with the following contents:

    Code:

    KILLALL::
    File::
    c:\documents and settings\All Users\Application Data\sodv.exe
    c:\documents and settings\All Users\Application Data\pndo.exe
    c:\documents and settings\All Users\Application Data\ntxu.exe
    c:\documents and settings\All Users\Application Data\jlub.exe
    c:\windows\system32\_000006_.tmp.dll
    c:\windows\system32\SET14.tmp

    Renv::
    c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe
    c:\program files\Alcohol Soft\Alcohol 120\axcmd .exe
    c:\program files\Analog Devices\Core\smax4pnp .exe
    c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
    c:\program files\Common Files\Ahead\Lib\NMBgMonitor .exe
    c:\program files\Google\Google Updater\GoogleUpdater .exe
    c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
    c:\program files\iTunes\iTunesHelper .exe

    Folder::
    c:\windows\3029570079

    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "UU9W7W0EWIWEVHXDLTEVZ"=-


  • Save that file as CFScript.txt on your desktop
  • Drag and drop the CFScript.txt onto the ComboFix icon, as shown in the animation below.
    [animation: CFScript]
  • If done correctly, ComboFix will start and perform specific instructions
  • In doing so, ComboFix may request a reboot
  • Please post the contents of Combofix.txt in your next reply

====================

You should try to get aswMBR running, before or after the ComboFix fix. It is possible that aswMBR will run now that we have removed a bunch of malware processes.

  • Double click aswMBR.exe to run the tool
  • Click the Scan button to start the scan
  • Once the scan finishes click Fix to fix the infected MBR
  • Reboot the computer
  • After the reboot, re-run aswMBR
  • Once the scan finishes click Save log to save the log to your desktop
  • Copy and paste the contents of this log (aswMBR.txt) into your next reply.
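A small triage script for the log formats posted in this thread, added here as an example; it is not code from the thread, from ComboFix or from any other tool named above. It flags the same indicator types the CFScript targets (zero-byte droppers, programs renamed with a space before ".exe", the executable hidden in an NTFS alternate data stream, and the random-named Run value), using sample lines excerpted from the logs above; the detection heuristics are the author's own assumptions, not ComboFix's rules.

```python
"""Log triage for the ComboFix / catchme output posted in this thread.

Added example, not code from the thread or from ComboFix: it flags the
indicator patterns the CFScript above acts on, so a reader can see what a
helper looks for before writing File::, Renv:: and Registry:: entries.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: lines excerpted from the logs posted in this thread,
# one or two per line format the parser understands.
SAMPLE_LOG = """\
2011-08-28 00:06 . 2011-08-28 00:06 0 ----a-w- c:\\documents and settings\\All Users\\Application Data\\sodv.exe
2011-08-28 00:06 . 2011-08-28 00:06 0 ----a-w- c:\\documents and settings\\All Users\\Application Data\\pndo.exe
2011-08-28 01:16 . 2011-05-14 05:48 404640 ----a-w- c:\\windows\\system32\\FlashPlayerCPLApp.cpl
c:\\program files\\Adobe\\Reader 9.0\\Reader\\Reader_sl .exe
c:\\program files\\iTunes\\iTunesHelper .exe
c:\\windows\\3029570079:3765267531.exe 816 bytes executable
c:\\windows\\system32\\_000006_.tmp.dll 1857920 bytes executable
"UU9W7W0EWIWEVHXDLTEVZ"="c:\\process\\FC78BA656AF.exe" [N/A]
"Skype"="c:\\program files\\Skype\\Phone\\Skype.exe" [2011-06-15 15141768]
"""


@dataclass(frozen=True)
class Finding:
    kind: str   # short category label
    path: str   # file path or Run value the finding concerns
    note: str   # why a helper would look twice at it


# Find3M / "Files Created" line: <created> . <modified> <size> <attrs> <path>
FIND3M_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
    r"(?P<size>\d+) (?P<attrs>\S+) (?P<path>.+)$")
# catchme "scanning hidden files" line: <path> <size> bytes [executable]
HIDDEN_RE = re.compile(r"^(?P<path>[a-z]:\\.+?) (?P<size>\d+) bytes( executable)?$",
                       re.IGNORECASE)
# Reg Loading Points line: "<name>"="<command>" [<date size> | N/A | X]
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)" \[(?P<info>[^\]]*)\]$')
# program renamed with a space before its extension ("Reader_sl .exe")
RENAMED_RE = re.compile(r"^(?P<stem>.+?) +\.(?P<ext>exe|dll|scr)$", re.IGNORECASE)
# a second colon after the drive letter means an NTFS alternate data stream
ADS_RE = re.compile(r"^[a-z]:\\[^:]+:[^\\:\s]+$", re.IGNORECASE)
# 12+ mixed uppercase letters and digits, like UU9W7W0EWIWEVHXDLTEVZ (heuristic)
RANDOM_NAME_RE = re.compile(r"^(?=.*[A-Z])(?=.*\d)[A-Z0-9]{12,}$")
# folders a legitimate autostart target normally lives under on this XP box
EXPECTED_ROOTS = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\",
                  "c:\\documents and settings\\")


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per suspicious indicator found in the log text."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := FIND3M_RE.match(line):
            if int(m["size"]) == 0 and m["path"].lower().endswith(".exe"):
                findings.append(Finding("zero-byte-exe", m["path"],
                    "0-byte executable: a dropper leftover with no legitimate use"))
            continue
        if m := HIDDEN_RE.match(line):
            if ADS_RE.match(m["path"]):
                findings.append(Finding("ads-executable", m["path"],
                    "executable kept in an NTFS alternate data stream, "
                    "invisible to Explorer and a plain dir listing"))
            findings.append(Finding("hidden-file", m["path"],
                "reported by catchme as hidden from normal file system APIs"))
            continue
        if m := RENAMED_RE.match(line):
            restored = f"{m['stem'].rstrip()}.{m['ext']}"
            findings.append(Finding("renamed-exe", line,
                f"space inserted before the extension; real program is {restored}"))
            continue
        if m := RUN_RE.match(line):
            target = f"{m['name']} -> {m['cmd']}"
            if RANDOM_NAME_RE.match(m["name"]):
                findings.append(Finding("random-run-name", target,
                    "autostart value with a random-looking name"))
            cmd = m["cmd"].lower()
            if "\\" in cmd and not cmd.startswith(EXPECTED_ROOTS):
                findings.append(Finding("odd-run-path", target,
                    "autostart target outside the usual program folders"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per kind, for a quick overview of the log."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.kind}] {f.path}\n    {f.note}")
    print(summarize(results))
```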


Re: Need to get rid of rootkit.
ComboFix 11-09-02.04 - Maxim 10/04/2011 3:08.11.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3326.2706 [GMT -4:00]
Running from: c:\documents and settings\Maxim\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Maxim\Desktop\CFScript.txt
.
FILE ::
"c:\documents and settings\All Users\Application Data\jlub.exe"
"c:\documents and settings\All Users\Application Data\ntxu.exe"
"c:\documents and settings\All Users\Application Data\pndo.exe"
"c:\documents and settings\All Users\Application Data\sodv.exe"
"c:\windows\system32\_000006_.tmp.dll"
"c:\windows\system32\SET14.tmp"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\jlub.exe
c:\documents and settings\All Users\Application Data\ntxu.exe
c:\documents and settings\All Users\Application Data\pndo.exe
c:\documents and settings\All Users\Application Data\sodv.exe
c:\windows\assembly\GAC_MSIL\desktop.ini
.
Infected copy of c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP485\A0082890.exe
.
Infected copy of c:\program files\Java\jre6\bin\jqs.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP485\A0082893.exe
.
Infected copy of c:\windows\system32\nvsvc32.exe was found and disinfected
Restored copy from - c:\windows\system32\ReinstallBackups\0011\DriverFiles\nvsvc32.exe
.
Infected copy of c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP485\A0082892.exe
.
Infected copy of c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE was found and disinfected
Restored copy from - c:\system volume information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP485\A0082891.EXE
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_1f9293b4
.
.
((((((((((((((((((((((((( Files Created from 2011-09-04 to 2011-10-04 )))))))))))))))))))))))))))))))
.
.
2011-10-04 07:00 . 2011-10-04 07:00 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Microsoft Help
2011-10-04 05:37 . 2011-10-04 05:37 -------- d-----w- c:\documents and settings\Maxim\Local Settings\Application Data\PCHealth
2011-10-03 18:58 . 2011-10-03 18:58 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2011-10-03 06:21 . 2011-10-03 06:25 -------- d-----w- C:\Commy
2011-10-03 06:19 . 2011-10-03 06:19 -------- d-----w- C:\ARK
2011-10-02 04:38 . 2011-10-02 04:38 4194304 ----a-w- c:\windows\system32\dtxmbwwl.dll
2011-10-01 17:25 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-10-01 17:25 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2011-10-01 17:23 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-04 07:01 . 2009-08-14 21:09 112640 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VCExpress\9.0\1033\ResourceCache.dll
2011-10-04 07:00 . 2009-08-14 21:09 416 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\MSDN\9.0\1033\ResourceCache.dll
2011-08-28 01:16 . 2011-05-14 05:48 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-15 13:29 . 2006-02-28 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2006-02-28 12:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-06 23:52 . 2009-08-09 21:50 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 23:52 . 2009-08-09 21:50 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2011-10-03 18:59 . 2011-05-08 01:44 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.

Code:

    c:\program files\OfficeKB\OfficeKB .exe
    c:\program files\QuickTime\qttask  .exe

.
((((((((((((((((((((((((((((( SnapShot_2011-10-01_18.18.58 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-04-19 02:51 . 2011-04-19 02:51 51024 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_4ddc769f\vcomp90.dll
+ 2011-04-19 02:51 . 2011-04-19 02:51 59728 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_730c3508\mfc90rus.dll
+ 2011-04-19 02:51 . 2011-04-19 02:51 42832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_730c3508\mfc90kor.dll
+ 2011-04-19 02:51 . 2011-04-19 02:51 43344 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_730c3508\mfc90jpn.dll
+ 2011-04-19 02:51 . 2011-04-19 02:51 61264 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_730c3508\mfc90ita.dll
+ 2011-04-19 02:51 . 2011-04-19 02:51 62800 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_730c3508\mfc90fra.dll
+ 2011-04-19 02:51 . 2011-04-19 02:51 61776 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_730c3508\mfc90esp.dll
+ 2011-04-19 02:51 . 2011-04-19 02:51 61776 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_730c3508\mfc90esn.dll
+ 2011-04-19 02:51 . 2011-04-19 02:51 53584 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_730c3508\mfc90enu.dll
+ 2011-04-19 02:51 . 2011-04-19 02:51 63312 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_730c3508\mfc90deu.dll
+ 2011-04-19 02:51 . 2011-04-19 02:51 36688 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_730c3508\mfc90cht.dll
+ 2011-04-19 02:51 . 2011-04-19 02:51 35664 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_730c3508\mfc90chs.dll
+ 2011-04-19 02:51 . 2011-04-19 02:51 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_028bc148\mfcm90u.dll
+ 2011-04-19 02:51 . 2011-04-19 02:51 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_028bc148\mfcm90.dll
+ 2011-05-14 00:17 . 2011-05-14 00:17 65536 c:\windows\WinSxS\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_452bf920\vcomp.dll
+ 2011-05-13 23:45 . 2011-05-13 23:45 49152 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_6a5bb789\mfc80KOR.dll
+ 2011-05-13 23:45 . 2011-05-13 23:45 49152 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_6a5bb789\mfc80JPN.dll
+ 2011-05-13 23:45 . 2011-05-13 23:45 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_6a5bb789\mfc80ITA.dll
+ 2011-05-13 23:45 . 2011-05-13 23:45 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_6a5bb789\mfc80FRA.dll
+ 2011-05-13 23:45 . 2011-05-13 23:45 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_6a5bb789\mfc80ESP.dll
+ 2011-05-13 23:45 . 2011-05-13 23:45 57344 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_6a5bb789\mfc80ENU.dll
+ 2011-05-13 23:45 . 2011-05-13 23:45 65536 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_6a5bb789\mfc80DEU.dll
+ 2011-05-13 23:45 . 2011-05-13 23:45 45056 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_6a5bb789\mfc80CHT.dll
+ 2011-05-13 23:45 . 2011-05-13 23:45 40960 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_6a5bb789\mfc80CHS.dll
+ 2011-05-14 05:06 . 2011-05-14 05:06 57856 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_150c9e8b\mfcm80u.dll
+ 2011-05-14 05:23 . 2011-05-14 05:23 69632 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_150c9e8b\mfcm80.dll
+ 2011-05-13 22:37 . 2011-05-13 22:37 97280 c:\windows\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_a4c618fa\ATL80.dll
+ 2011-10-04 07:19 . 2011-10-04 07:19 16384 c:\windows\temp\Perflib_Perfdata_678.dat
+ 2011-10-04 05:33 . 2011-10-04 05:33 16384 c:\windows\temp\Perflib_Perfdata_414.dat
- 2007-01-29 08:58 . 2010-11-03 13:12 46080 c:\windows\system32\tzchange.exe
+ 2007-01-29 08:58 . 2011-07-08 13:49 46080 c:\windows\system32\tzchange.exe
+ 2007-06-21 05:47 . 2010-07-05 13:15 17272 c:\windows\system32\spmsg.dll
- 2007-06-21 05:47 . 2008-07-08 13:02 17272 c:\windows\system32\spmsg.dll
- 2006-02-28 12:00 . 2011-02-17 19:00 44544 c:\windows\system32\pngfilt.dll
+ 2006-02-28 12:00 . 2011-06-21 18:45 44544 c:\windows\system32\pngfilt.dll
+ 2006-02-28 12:00 . 2011-10-03 18:57 79538 c:\windows\system32\perfc009.dat
- 2006-02-28 12:00 . 2011-04-16 07:04 79538 c:\windows\system32\perfc009.dat
- 2006-11-08 01:03 . 2011-02-17 19:00 52224 c:\windows\system32\msfeedsbs.dll
+ 2006-11-08 01:03 . 2011-06-21 18:45 52224 c:\windows\system32\msfeedsbs.dll
+ 2006-02-28 12:00 . 2011-06-21 18:45 27648 c:\windows\system32\jsproxy.dll
- 2006-02-28 12:00 . 2011-02-17 19:00 27648 c:\windows\system32\jsproxy.dll
- 2006-11-07 07:26 . 2011-02-17 11:43 13824 c:\windows\system32\ieudinit.exe
+ 2006-11-07 07:26 . 2011-06-21 11:46 13824 c:\windows\system32\ieudinit.exe
- 2006-02-28 12:00 . 2011-02-17 19:00 44544 c:\windows\system32\iernonce.dll
+ 2006-02-28 12:00 . 2011-06-21 18:45 44544 c:\windows\system32\iernonce.dll
- 2006-02-28 12:00 . 2011-02-17 19:00 78336 c:\windows\system32\ieencode.dll
+ 2006-02-28 12:00 . 2011-06-21 18:45 78336 c:\windows\system32\ieencode.dll
+ 2006-02-28 12:00 . 2011-06-21 11:46 70656 c:\windows\system32\ie4uinit.exe
- 2006-02-28 12:00 . 2011-02-17 11:43 70656 c:\windows\system32\ie4uinit.exe
+ 2006-10-17 15:58 . 2011-06-21 18:45 63488 c:\windows\system32\icardie.dll
- 2006-10-17 15:58 . 2011-02-17 19:00 63488 c:\windows\system32\icardie.dll
+ 2006-02-28 12:00 . 2011-06-21 18:45 44544 c:\windows\system32\dllcache\pngfilt.dll
- 2006-02-28 12:00 . 2011-02-17 19:00 44544 c:\windows\system32\dllcache\pngfilt.dll
+ 2007-04-25 08:41 . 2011-06-21 18:45 52224 c:\windows\system32\dllcache\msfeedsbs.dll
- 2007-04-25 08:41 . 2011-02-17 19:00 52224 c:\windows\system32\dllcache\msfeedsbs.dll
- 2006-02-28 12:00 . 2011-02-17 19:00 27648 c:\windows\system32\dllcache\jsproxy.dll
+ 2006-02-28 12:00 . 2011-06-21 18:45 27648 c:\windows\system32\dllcache\jsproxy.dll
+ 2007-04-24 14:26 . 2011-06-21 11:46 13824 c:\windows\system32\dllcache\ieudinit.exe
- 2007-04-24 14:26 . 2011-02-17 11:43 13824 c:\windows\system32\dllcache\ieudinit.exe
+ 2006-02-28 12:00 . 2011-06-21 18:45 44544 c:\windows\system32\dllcache\iernonce.dll
- 2006-02-28 12:00 . 2011-02-17 19:00 44544 c:\windows\system32\dllcache\iernonce.dll
+ 2009-02-20 18:09 . 2011-06-21 18:45 78336 c:\windows\system32\dllcache\ieencode.dll
- 2009-02-20 18:09 . 2011-02-17 19:00 78336 c:\windows\system32\dllcache\ieencode.dll
+ 2006-02-28 12:00 . 2011-06-21 11:46 70656 c:\windows\system32\dllcache\ie4uinit.exe
- 2006-02-28 12:00 . 2011-02-17 11:43 70656 c:\windows\system32\dllcache\ie4uinit.exe
+ 2007-08-20 10:04 . 2011-06-21 18:45 63488 c:\windows\system32\dllcache\icardie.dll
- 2007-08-20 10:04 . 2011-02-17 19:00 63488 c:\windows\system32\dllcache\icardie.dll
- 2009-12-14 07:08 . 2010-12-09 14:30 33280 c:\windows\system32\dllcache\csrsrv.dll
+ 2009-12-14 07:08 . 2011-04-26 11:07 33280 c:\windows\system32\dllcache\csrsrv.dll
- 2009-06-29 16:12 . 2011-02-17 19:00 17408 c:\windows\system32\dllcache\corpol.dll
+ 2009-06-29 16:12 . 2011-06-21 18:45 17408 c:\windows\system32\dllcache\corpol.dll
+ 2006-02-28 12:00 . 2011-04-26 11:07 33280 c:\windows\system32\csrsrv.dll
- 2006-02-28 12:00 . 2010-12-09 14:30 33280 c:\windows\system32\csrsrv.dll
+ 2006-02-28 12:00 . 2011-06-21 18:45 17408 c:\windows\system32\corpol.dll
- 2006-02-28 12:00 . 2011-02-17 19:00 17408 c:\windows\system32\corpol.dll
+ 2007-06-21 04:58 . 2011-10-02 06:54 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-06-21 04:58 . 2011-06-12 14:22 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-07-25 15:17 . 2008-07-25 15:17 69632 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
+ 2011-10-04 07:16 . 2008-07-25 15:17 69632 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
+ 2011-10-03 18:53 . 2011-02-17 19:00 44544 c:\windows\ie7updates\KB2559049-IE7\pngfilt.dll
+ 2011-10-03 18:53 . 2011-02-17 19:00 52224 c:\windows\ie7updates\KB2559049-IE7\msfeedsbs.dll
+ 2011-10-03 18:53 . 2011-02-17 19:00 27648 c:\windows\ie7updates\KB2559049-IE7\jsproxy.dll
+ 2011-10-03 18:53 . 2011-02-17 11:43 13824 c:\windows\ie7updates\KB2559049-IE7\ieudinit.exe
+ 2011-10-03 18:53 . 2011-02-17 19:00 44544 c:\windows\ie7updates\KB2559049-IE7\iernonce.dll
+ 2011-10-03 18:53 . 2011-02-17 19:00 78336 c:\windows\ie7updates\KB2559049-IE7\ieencode.dll
+ 2011-10-03 18:53 . 2011-02-17 11:43 70656 c:\windows\ie7updates\KB2559049-IE7\ie4uinit.exe
+ 2011-10-03 18:53 . 2011-02-17 19:00 63488 c:\windows\ie7updates\KB2559049-IE7\icardie.dll
+ 2011-10-03 18:53 . 2011-02-17 19:00 17408 c:\windows\ie7updates\KB2559049-IE7\corpol.dll
+ 2011-10-03 19:15 . 2011-10-03 19:15 47616 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLiveWriter\e01941c4292a588e4f1eb5585822087c\WindowsLiveWriter.ni.exe
+ 2011-10-03 19:15 . 2011-10-03 19:15 99840 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\6730cd9fbbafc6c69651abefafb0667a\WindowsLive.Writer.Api.ni.dll
+ 2011-10-03 18:58 . 2011-10-03 18:58 60928 c:\windows\assembly\NativeImages_v2.0.50727_32\UIAutomationProvider\1492e9393417d6e91b5ddc746b5ef320\UIAutomationProvider.ni.dll
+ 2011-10-03 19:16 . 2011-10-03 19:16 37888 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Pres#\343c52b741531ce9ae874ea7508831a7\System.Windows.Presentation.ni.dll
+ 2011-10-03 19:16 . 2011-10-03 19:16 36864 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.DynamicD#\246110974e3c48733458819b07464b23\System.Web.DynamicData.Design.ni.dll
+ 2011-10-03 19:15 . 2011-10-03 19:15 94208 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ComponentMod#\ace861fe8dbf146c3e449abaa7691e9f\System.ComponentModel.DataAnnotations.ni.dll
+ 2011-10-03 19:15 . 2011-10-03 19:15 82944 c:\windows\assembly\NativeImages_v2.0.50727_32\System.AddIn.Contra#\177a17af98d803ab79006d6785706462\System.AddIn.Contract.ni.dll
+ 2011-10-03 18:59 . 2011-10-03 18:59 47104 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFontCac#\40ee65aacd9d7472cd6f8dddbfca604b\PresentationFontCache.ni.exe
+ 2011-10-03 18:58 . 2011-10-03 18:58 39424 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationCFFRast#\12c424eed7ee0e9c017bf72ff09eb78c\PresentationCFFRasterizer.ni.dll
+ 2011-10-03 19:16 . 2011-10-03 19:16 55296 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Vsa\f9c514544c8e23220493cd42a0e20678\Microsoft.Vsa.ni.dll
+ 2011-10-03 19:15 . 2011-10-03 19:15 22016 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\3b4ad8da0cbaa896c4d589f578aafa72\Microsoft.VisualStudio.Designer.Interfaces.ni.dll
+ 2011-10-03 19:15 . 2011-10-03 19:15 74752 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualStu#\2c43daba93b3ba97181b9989aa16ac6b\Microsoft.VisualStudio.Shell.Interop.9.0.ni.dll
+ 2011-10-03 18:58 . 2011-10-03 18:58 15872 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualC\a96b02abbfcaae424cfb91a198a9e0e9\Microsoft.VisualC.ni.dll
+ 2011-10-03 19:15 . 2011-10-03 19:15 25600 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.SqlServer#\fb512f845450258bade202c55d71f9f7\Microsoft.SqlServer.SqlClrProvider.ni.dll
+ 2011-10-03 19:15 . 2011-10-03 19:15 65024 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.SqlServer#\ea9d072be5a0a195fa4f581a71dc084d\Microsoft.SqlServer.SqlTDiagM.ni.dll
+ 2011-10-03 19:15 . 2011-10-03 19:15 32768 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.SqlServer#\e9338317231b3a111c1e03e09d2e7dac\Microsoft.SqlServer.PolicyEnum.ni.dll
+ 2011-10-03 19:14 . 2011-10-03 19:14 42496 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.SqlServer#\c78025f5d7f5d6577680edfe21309557\Microsoft.SqlServer.ServiceBrokerEnum.ni.dll
+ 2011-10-03 19:15 . 2011-10-03 19:15 65536 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.SqlServer#\7fcf1d80b88a778575dd9ec8795e66d3\Microsoft.SqlServer.WmiEnum.ni.dll
+ 2011-10-03 19:15 . 2011-10-03 19:15 72704 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.SqlServer#\175a23975dabef3caa7927810cfbbb12\Microsoft.SqlServer.BatchParserClient.ni.dll
+ 2011-10-03 19:15 . 2011-10-03 19:15 42496 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.SqlServer#\08a6c1b7f4cde3cf62e18c93d47f7ca3\Microsoft.SqlServer.SString.ni.dll
+ 2011-10-03 19:15 . 2011-10-03 19:15 18944 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Internal.#\d9c730065629e1d6aca8bee7a0d50b51\Microsoft.Internal.VisualStudio.Shell.Interop.9.0.ni.dll
+ 2011-10-03 18:58 . 2011-10-03 18:58 65024 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Fra#\f5057c30d89ad8d99e38c946a68def9e\Microsoft.Build.Framework.ni.dll
+ 2011-10-03 19:15 . 2011-10-03 19:15 74752 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Fra#\623c05a555ac0719a1367f511d4a9270\Microsoft.Build.Framework.ni.dll
+ 2011-10-03 19:14 . 2011-10-03 19:14 47616 c:\windows\assembly\NativeImages_v2.0.50727_32\MetaGen\fc10af3b73da597150ad5ee9f033fe8b\MetaGen.ni.dll
+ 2011-10-03 19:15 . 2011-10-03 19:15 31232 c:\windows\assembly\NativeImages_v2.0.50727_32\EnvDTE90a\ce5c47995565f9a2f148ebd8ec812e71\EnvDTE90a.ni.dll
+ 2011-10-03 19:15 . 2011-10-03 19:15 46080 c:\windows\assembly\NativeImages_v2.0.50727_32\EnvDTE90\111531ba5fdba583b81c67151e91a789\EnvDTE90.ni.dll
+ 2011-10-03 19:15 . 2011-10-03 19:15 14336 c:\windows\assembly\NativeImages_v2.0.50727_32\dfsvc\c40d3caad8bff3c52db7e7562286406a\dfsvc.ni.exe
+ 2011-10-03 18:59 . 2011-10-03 18:59 25600 c:\windows\assembly\NativeImages_v2.0.50727_32\Accessibility\d9228d58804dfd75fd92a4d12ffac8af\Accessibility.ni.dll
- 2011-04-16 07:04 . 2011-04-16 07:04 77824 c:\windows\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
+ 2011-10-03 18:57 . 2011-10-03 18:57 77824 c:\windows\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
- 2011-04-16 07:04 . 2011-04-16 07:04 81920 c:\windows\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
+ 2011-10-03 18:57 . 2011-10-03 18:57 81920 c:\windows\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
+ 2011-10-03 18:57 . 2011-10-03 18:57 81920 c:\windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
- 2011-04-16 07:04 . 2011-04-16 07:04 81920 c:\windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
+ 2011-10-03 18:57 . 2011-10-03 18:57 32768 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
- 2011-04-16 07:04 . 2011-04-16 07:04 32768 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
+ 2011-10-03 18:57 . 2011-10-03 18:57 12800 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
- 2011-04-16 07:04 . 2011-04-16 07:04 12800 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
+ 2011-10-03 18:57 . 2011-10-03 18:57 28672 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
- 2011-04-16 07:04 . 2011-04-16 07:04 28672 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
- 2011-04-16 07:04 . 2011-04-16 07:04 77824 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
+ 2011-10-03 18:57 . 2011-10-03 18:57 77824 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
+ 2011-10-03 18:57 . 2011-10-03 18:57 36864 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
- 2011-04-16 07:04 . 2011-04-16 07:04 36864 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
- 2011-04-16 07:04 . 2011-04-16 07:04 77824 c:\windows\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
+ 2011-10-03 18:57 . 2011-10-03 18:57 77824 c:\windows\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
- 2011-04-16 07:04 . 2011-04-16 07:04 13312 c:\windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
+ 2011-10-03 18:57 . 2011-10-03 18:57 13312 c:\windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
+ 2011-10-03 18:57 . 2011-10-03 18:57 10752 c:\windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
- 2011-04-16 07:04 . 2011-04-16 07:04 10752 c:\windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
+ 2011-10-03 18:57 . 2011-10-03 18:57 72192 c:\windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
- 2011-04-16 07:04 . 2011-04-16 07:04 72192 c:\windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
+ 2011-10-03 18:57 . 2011-10-03 18:57 69120 c:\windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
- 2011-04-16 07:04 . 2011-04-16 07:04 69120 c:\windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
+ 2011-10-03 18:57 . 2011-10-03 18:57 8192 c:\windows\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e\IEExecRemote.dll
- 2011-04-16 07:04 . 2011-04-16 07:04 8192 c:\windows\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e\IEExecRemote.dll
- 2011-04-16 07:04 . 2011-04-16 07:04 7168 c:\windows\assembly\GAC_MSIL\Microsoft_VsaVb\8.0.0.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll
+ 2011-10-03 18:57 . 2011-10-03 18:57 7168 c:\windows\assembly\GAC_MSIL\Microsoft_VsaVb\8.0.0.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll
+ 2011-10-03 18:57 . 2011-10-03 18:57 5632 c:\windows\assembly\GAC_MSIL\Microsoft.VisualC\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll
- 2011-04-16 07:04 . 2011-04-16 07:04 5632 c:\windows\assembly\GAC_MSIL\Microsoft.VisualC\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll
- 2011-04-16 07:04 . 2011-04-16 07:04 6656 c:\windows\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll
+ 2011-10-03 18:57 . 2011-10-03 18:57 6656 c:\windows\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll
+ 2011-10-03 18:57 . 2011-10-03 18:57 113664 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.Wrapper.dll
- 2011-04-16 07:04 . 2011-04-16 07:04 113664 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.Wrapper.dll
+ 2011-10-03 18:57 . 2011-10-03 18:57 258048 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll
- 2011-04-16 07:04 . 2011-04-16 07:04 258048 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll
+ 2011-04-19 02:51 . 2011-04-19 02:51 653136 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_31a54e43\msvcr90.dll
+ 2011-04-19 02:51 . 2011-04-19 02:51 569680 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_31a54e43\msvcp90.dll
+ 2011-04-19 02:51 . 2011-04-19 02:51 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_31a54e43\msvcm90.dll
+ 2011-04-19 02:51 . 2011-04-19 02:51 159048 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_92453bb7\atl90.dll
+ 2011-05-14 05:17 . 2011-05-14 05:17 632656 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\msvcr80.dll
+ 2011-05-14 05:12 . 2011-05-14 05:12 554832 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\msvcp80.dll
+ 2011-05-14 05:11 . 2011-05-14 05:11 479232 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\msvcm80.dll
- 2006-02-28 12:00 . 2010-06-18 17:45 293376 c:\windows\system32\winsrv.dll
+ 2006-02-28 12:00 . 2011-06-20 17:44 293376 c:\windows\system32\winsrv.dll
+ 2006-02-28 12:00 . 2011-06-21 18:45 832512 c:\windows\system32\wininet.dll
- 2006-02-28 12:00 . 2011-02-17 19:00 832512 c:\windows\system32\wininet.dll
- 2006-02-28 12:00 . 2011-02-17 19:00 233472 c:\windows\system32\webcheck.dll
+ 2006-02-28 12:00 . 2011-06-21 18:45 233472 c:\windows\system32\webcheck.dll
+ 2006-02-28 12:00 . 2011-06-21 18:45 106496 c:\windows\system32\url.dll
+ 2006-02-28 12:00 . 2011-04-29 17:25 151552 c:\windows\system32\schannel.dll
- 2006-02-28 12:00 . 2011-04-16 07:04 459732 c:\windows\system32\perfh009.dat
+ 2006-02-28 12:00 . 2011-10-03 18:57 459732 c:\windows\system32\perfh009.dat
+ 2006-02-28 12:00 . 2010-12-20 17:32 551936 c:\windows\system32\oleaut32.dll
- 2006-02-28 12:00 . 2008-04-14 00:12 551936 c:\windows\system32\oleaut32.dll
- 2006-02-28 12:00 . 2011-02-17 19:00 102912 c:\windows\system32\occache.dll
+ 2006-02-28 12:00 . 2011-06-21 18:45 102912 c:\windows\system32\occache.dll
+ 2009-09-27 23:19 . 2007-04-20 10:05 163908 c:\windows\system32\nvsvc32.exe
+ 2006-02-28 12:00 . 2011-06-21 18:45 671232 c:\windows\system32\mstime.dll
- 2006-02-28 12:00 . 2011-02-17 19:00 671232 c:\windows\system32\mstime.dll
+ 2006-02-28 12:00 . 2011-06-21 18:45 193024 c:\windows\system32\msrating.dll
- 2006-02-28 12:00 . 2011-02-17 19:00 193024 c:\windows\system32\msrating.dll
+ 2006-02-28 12:00 . 2011-06-21 18:45 478720 c:\windows\system32\mshtmled.dll
- 2006-11-08 01:03 . 2011-02-17 19:00 468480 c:\windows\system32\msfeeds.dll
+ 2006-11-08 01:03 . 2011-06-21 18:45 468480 c:\windows\system32\msfeeds.dll
+ 2007-06-21 04:54 . 2011-05-02 15:31 692736 c:\windows\system32\inetcomm.dll
- 2007-06-21 04:54 . 2011-03-07 05:33 692736 c:\windows\system32\inetcomm.dll
- 2006-10-17 15:57 . 2011-02-17 19:00 268288 c:\windows\system32\iertutil.dll
+ 2006-10-17 15:57 . 2011-06-21 18:45 268288 c:\windows\system32\iertutil.dll
+ 2006-02-28 12:00 . 2011-06-21 18:45 192512 c:\windows\system32\iepeers.dll
- 2006-02-28 12:00 . 2011-02-17 19:00 192512 c:\windows\system32\iepeers.dll
+ 2006-02-28 12:00 . 2011-06-21 18:45 384512 c:\windows\system32\iedkcs32.dll
- 2006-02-28 12:00 . 2011-02-17 19:00 384512 c:\windows\system32\iedkcs32.dll
+ 2006-10-17 15:27 . 2011-06-21 18:45 380928 c:\windows\system32\ieapfltr.dll
- 2006-10-17 15:27 . 2011-02-17 19:00 380928 c:\windows\system32\ieapfltr.dll
- 2006-02-28 12:00 . 2011-02-14 12:15 161792 c:\windows\system32\ieakui.dll
+ 2006-02-28 12:00 . 2011-06-20 11:27 161792 c:\windows\system32\ieakui.dll
- 2006-02-28 12:00 . 2011-02-17 19:00 230400 c:\windows\system32\ieaksie.dll
+ 2006-02-28 12:00 . 2011-06-21 18:45 230400 c:\windows\system32\ieaksie.dll
+ 2006-02-28 12:00 . 2011-06-21 18:45 153088 c:\windows\system32\ieakeng.dll
- 2006-02-28 12:00 . 2011-02-17 19:00 153088 c:\windows\system32\ieakeng.dll
+ 2007-06-22 00:46 . 2011-10-04 05:33 107008 c:\windows\system32\FNTCACHE.DAT
- 2007-06-22 00:46 . 2011-04-16 08:05 107008 c:\windows\system32\FNTCACHE.DAT
- 2006-02-28 12:00 . 2011-02-17 19:00 133120 c:\windows\system32\extmgr.dll
+ 2006-02-28 12:00 . 2011-06-21 18:45 133120 c:\windows\system32\extmgr.dll
- 2006-02-28 12:00 . 2011-02-17 19:00 214528 c:\windows\system32\dxtrans.dll
+ 2006-02-28 12:00 . 2011-06-21 18:45 214528 c:\windows\system32\dxtrans.dll
- 2006-02-28 12:00 . 2011-02-17 19:00 347136 c:\windows\system32\dxtmsft.dll
+ 2006-02-28 12:00 . 2011-06-21 18:45 347136 c:\windows\system32\dxtmsft.dll
- 2007-06-21 04:53 . 2008-04-14 00:13 139656 c:\windows\system32\drivers\rdpwd.sys
+ 2007-06-21 04:53 . 2011-06-24 14:10 139656 c:\windows\system32\drivers\rdpwd.sys
+ 2006-02-28 12:00 . 2011-04-21 13:37 105472 c:\windows\system32\drivers\mup.sys
+ 2006-02-28 12:00 . 2011-02-16 13:22 138496 c:\windows\system32\drivers\afd.sys
- 2006-02-28 12:00 . 2008-10-16 14:43 138496 c:\windows\system32\drivers\afd.sys
- 2010-06-18 17:45 . 2010-06-18 17:45 293376 c:\windows\system32\dllcache\winsrv.dll
+ 2010-06-18 17:45 . 2011-06-20 17:44 293376 c:\windows\system32\dllcache\winsrv.dll
+ 2006-02-28 12:00 . 2011-06-21 18:45 832512 c:\windows\system32\dllcache\wininet.dll
- 2006-02-28 12:00 . 2011-02-17 19:00 832512 c:\windows\system32\dllcache\wininet.dll
+ 2006-02-28 12:00 . 2011-06-21 18:45 233472 c:\windows\system32\dllcache\webcheck.dll
- 2006-02-28 12:00 . 2011-02-17 19:00 233472 c:\windows\system32\dllcache\webcheck.dll
+ 2007-06-21 04:54 . 2011-04-30 08:50 766464 c:\windows\system32\dllcache\vgx.dll
+ 2006-02-28 12:00 . 2011-06-21 18:45 106496 c:\windows\system32\dllcache\url.dll
+ 2008-12-05 06:54 . 2011-04-29 17:25 151552 c:\windows\system32\dllcache\schannel.dll
+ 2010-12-20 17:32 . 2010-12-20 17:32 551936 c:\windows\system32\dllcache\oleaut32.dll
- 2006-02-28 12:00 . 2011-02-17 19:00 102912 c:\windows\system32\dllcache\occache.dll
+ 2006-02-28 12:00 . 2011-06-21 18:45 102912 c:\windows\system32\dllcache\occache.dll
+ 2006-02-28 12:00 . 2011-06-21 18:45 671232 c:\windows\system32\dllcache\mstime.dll
- 2006-02-28 12:00 . 2011-02-17 19:00 671232 c:\windows\system32\dllcache\mstime.dll
- 2006-02-28 12:00 . 2011-02-17 19:00 193024 c:\windows\system32\dllcache\msrating.dll
+ 2006-02-28 12:00 . 2011-06-21 18:45 193024 c:\windows\system32\dllcache\msrating.dll
+ 2006-02-28 12:00 . 2011-06-21 18:45 478720 c:\windows\system32\dllcache\mshtmled.dll
+ 2007-04-25 08:41 . 2011-06-21 18:45 468480 c:\windows\system32\dllcache\msfeeds.dll
- 2007-04-25 08:41 . 2011-02-17 19:00 468480 c:\windows\system32\dllcache\msfeeds.dll
+ 2008-11-13 00:46 . 2011-07-15 13:29 456320 c:\windows\system32\dllcache\mrxsmb.sys
- 2008-08-13 14:30 . 2011-03-07 05:33 692736 c:\windows\system32\dllcache\inetcomm.dll
+ 2008-08-13 14:30 . 2011-05-02 15:31 692736 c:\windows\system32\dllcache\inetcomm.dll
- 2007-06-21 04:54 . 2011-02-14 12:17 634648 c:\windows\system32\dllcache\iexplore.exe
+ 2007-06-21 04:54 . 2011-06-20 11:29 634648 c:\windows\system32\dllcache\iexplore.exe
- 2007-04-25 08:41 . 2011-02-17 19:00 268288 c:\windows\system32\dllcache\iertutil.dll
+ 2007-04-25 08:41 . 2011-06-21 18:45 268288 c:\windows\system32\dllcache\iertutil.dll
- 2006-02-28 12:00 . 2011-02-17 19:00 192512 c:\windows\system32\dllcache\iepeers.dll
+ 2006-02-28 12:00 . 2011-06-21 18:45 192512 c:\windows\system32\dllcache\iepeers.dll
- 2006-02-28 12:00 . 2011-02-17 19:00 384512 c:\windows\system32\dllcache\iedkcs32.dll
+ 2006-02-28 12:00 . 2011-06-21 18:45 384512 c:\windows\system32\dllcache\iedkcs32.dll
- 2007-04-25 08:41 . 2011-02-17 19:00 380928 c:\windows\system32\dllcache\ieapfltr.dll
+ 2007-04-25 08:41 . 2011-06-21 18:45 380928 c:\windows\system32\dllcache\ieapfltr.dll
- 2006-02-28 12:00 . 2011-02-14 12:15 161792 c:\windows\system32\dllcache\ieakui.dll
+ 2006-02-28 12:00 . 2011-06-20 11:27 161792 c:\windows\system32\dllcache\ieakui.dll
- 2006-02-28 12:00 . 2011-02-17 19:00 230400 c:\windows\system32\dllcache\ieaksie.dll
+ 2006-02-28 12:00 . 2011-06-21 18:45 230400 c:\windows\system32\dllcache\ieaksie.dll
- 2006-02-28 12:00 . 2011-02-17 19:00 153088 c:\windows\system32\dllcache\ieakeng.dll
+ 2006-02-28 12:00 . 2011-06-21 18:45 153088 c:\windows\system32\dllcache\ieakeng.dll
- 2006-02-28 12:00 . 2011-02-17 19:00 133120 c:\windows\system32\dllcache\extmgr.dll
+ 2006-02-28 12:00 . 2011-06-21 18:45 133120 c:\windows\system32\dllcache\extmgr.dll
+ 2006-02-28 12:00 . 2011-06-21 18:45 214528 c:\windows\system32\dllcache\dxtrans.dll
- 2006-02-28 12:00 . 2011-02-17 19:00 214528 c:\windows\system32\dllcache\dxtrans.dll
- 2006-02-28 12:00 . 2011-02-17 19:00 347136 c:\windows\system32\dllcache\dxtmsft.dll
+ 2006-02-28 12:00 . 2011-06-21 18:45 347136 c:\windows\system32\dllcache\dxtmsft.dll
+ 2008-06-20 11:40 . 2011-02-16 13:22 138496 c:\windows\system32\dllcache\afd.sys
- 2008-06-20 11:40 . 2008-10-16 14:43 138496 c:\windows\system32\dllcache\afd.sys
- 2006-02-28 12:00 . 2011-02-17 19:00 124928 c:\windows\system32\dllcache\advpack.dll
+ 2006-02-28 12:00 . 2011-06-21 18:45 124928 c:\windows\system32\dllcache\advpack.dll
- 2009-11-21 06:30 . 2011-06-12 14:22 360448 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-11-21 06:30 . 2011-10-02 06:54 360448 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2006-02-28 12:00 . 2011-02-17 19:00 124928 c:\windows\system32\advpack.dll
+ 2006-02-28 12:00 . 2011-06-21 18:45 124928 c:\windows\system32\advpack.dll
- 2011-01-18 08:39 . 2011-01-18 08:39 388936 c:\windows\Microsoft.NET\Framework\v2.0.50727\SOS.dll
+ 2011-03-25 10:15 . 2011-03-25 10:15 388936 c:\windows\Microsoft.NET\Framework\v2.0.50727\SOS.dll
- 2011-01-18 08:39 . 2011-01-18 08:39 363856 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll
+ 2011-03-25 10:15 . 2011-03-25 10:15 363856 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll
- 2011-01-18 08:39 . 2011-01-18 08:39 989016 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscordacwks.dll
+ 2011-03-25 10:15 . 2011-03-25 10:15 989016 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscordacwks.dll
+ 2011-10-03 18:53 . 2011-10-03 18:53 223744 c:\windows\Installer\4598c.msi
+ 2011-10-03 18:50 . 2011-10-03 18:50 467456 c:\windows\Installer\45986.msi
+ 2011-10-03 18:53 . 2011-02-17 19:00 832512 c:\windows\ie7updates\KB2559049-IE7\wininet.dll
+ 2011-10-03 18:53 . 2011-02-17 19:00 233472 c:\windows\ie7updates\KB2559049-IE7\webcheck.dll
+ 2011-10-03 18:53 . 2011-02-17 19:00 105984 c:\windows\ie7updates\KB2559049-IE7\url.dll
+ 2011-10-03 18:53 . 2010-07-05 13:16 382840 c:\windows\ie7updates\KB2559049-IE7\spuninst\updspapi.dll
+ 2011-10-03 18:53 . 2010-07-05 13:15 231288 c:\windows\ie7updates\KB2559049-IE7\spuninst\spuninst.exe
+ 2011-10-03 18:53 . 2011-02-17 19:00 102912 c:\windows\ie7updates\KB2559049-IE7\occache.dll
+ 2011-10-03 18:53 . 2011-02-17 19:00 671232 c:\windows\ie7updates\KB2559049-IE7\mstime.dll
+ 2011-10-03 18:53 . 2011-02-17 19:00 193024 c:\windows\ie7updates\KB2559049-IE7\msrating.dll
+ 2011-10-03 18:53 . 2011-02-17 19:00 478208 c:\windows\ie7updates\KB2559049-IE7\mshtmled.dll
+ 2011-10-03 18:53 . 2011-02-17 19:00 468480 c:\windows\ie7updates\KB2559049-IE7\msfeeds.dll
+ 2011-10-03 18:53 . 2011-02-14 12:17 634648 c:\windows\ie7updates\KB2559049-IE7\iexplore.exe
+ 2011-10-03 18:53 . 2011-02-17 19:00 268288 c:\windows\ie7updates\KB2559049-IE7\iertutil.dll

Re: Need to get rid of rootkit.
+ 2011-10-03 18:58 . 2011-10-03 18:58 11490816 c:\windows\assembly\NativeImages_v2.0.50727_32\mscorlib\0309936a8e1672d39b9cf14463ce69f9\mscorlib.ni.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 143360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2010-04-17 3872080]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [N/A]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-03 68856]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-06-15 15141768]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 843776]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-10-21 29696]
"OfficeKB"="c:\progra~1\OfficeKB\OfficeKB.EXE" [N/A]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-09-27 13918208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-09-27 86016]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-06-02 267048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"Google Updater"="c:\program files\Google\Google Updater\GoogleUpdater.exe" [2011-06-12 161336]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RealUpgradeHelper"="c:\program files\Common Files\Real\Update_OB\upgrdhlp.exe" [N/A]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10t_ActiveX.exe" [2011-07-09 240288]
.
c:\documents and settings\Maxim\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - c:\program files\OpenOffice.org 2.3\program\quickstart.exe [2007-8-17 393216]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2007-6-23 450560]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\KEM.exe [2007-6-23 581632]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Apprentice\\Appr.exe"=
"c:\\Program Files\\THQ\\Dawn of War - Dark Crusade\\DarkCrusade.exe"=
"c:\\Program Files\\THQ\\Dawn Of War\\W40kWA.exe"=
"c:\\Program Files\\THQ\\Dawn Of War\\W40k.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Documents and Settings\\Maxim\\Desktop\\Max\\Pokemon Game.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.0.8.9506-to-3.0.9.9551-enUS-downloader.exe"=
"c:\\Program Files\\Dawn of War 2\\DOW2.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0-enUS-downloader.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\aliens vs predator\\AvP_CLI.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\transformers war for cybertron\\Binaries\\TWFC.exe"=
"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer_Service.exe"=
"c:\\Program Files\\Armagetron Advanced\\armagetronad.exe"=
"c:\\Program Files\\Sony Online Entertainment\\Installed Games\\DC Universe Online Live\\UNREAL3\\BINARIES\\WIN32\\DCGAME.EXE"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Riot Games\\League of Legends\\lol.launcher.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\dawn of war 2\\DOW2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\dawn of war ii - retribution\\DOW2.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"4000:TCP"= 4000:TCP:diablo
"8375:TCP"= 8375:TCP:League of Legends Launcher
"8375:UDP"= 8375:UDP:League of Legends Launcher
"8376:TCP"= 8376:TCP:League of Legends Launcher
"8376:UDP"= 8376:UDP:League of Legends Launcher
"8377:TCP"= 8377:TCP:League of Legends Launcher
"8377:UDP"= 8377:UDP:League of Legends Launcher
"8378:TCP"= 8378:TCP:League of Legends Launcher
"8378:UDP"= 8378:UDP:League of Legends Launcher
"8379:TCP"= 8379:TCP:League of Legends Launcher
"8379:UDP"= 8379:UDP:League of Legends Launcher
"8380:TCP"= 8380:TCP:League of Legends Launcher
"8380:UDP"= 8380:UDP:League of Legends Launcher
"8381:TCP"= 8381:TCP:League of Legends Launcher
"8381:UDP"= 8381:UDP:League of Legends Launcher
"6881:TCP"= 6881:TCP:League of Legends Launcher
"6881:UDP"= 6881:UDP:League of Legends Launcher
"8382:TCP"= 8382:TCP:League of Legends Launcher
"8382:UDP"= 8382:UDP:League of Legends Launcher
"8383:TCP"= 8383:TCP:League of Legends Launcher
"8383:UDP"= 8383:UDP:League of Legends Launcher
"8393:TCP"= 8393:TCP:League of Legends Lobby
"8393:UDP"= 8393:UDP:League of Legends Lobby
"8390:TCP"= 8390:TCP:League of Legends Game Client
"8390:UDP"= 8390:UDP:League of Legends Game Client
"6929:TCP"= 6929:TCP:League of Legends Launcher
"6929:UDP"= 6929:UDP:League of Legends Launcher
.
R2 USmsServ;Desktop Window Manager Sessions Manager;c:\windows\Desktop Manager\dwm.exe [6/10/2011 12:48 PM 142336]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2/27/2010 11:44 AM 57248]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/9/2009 6:35 PM 297752]
S2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [12/10/2009 3:39 AM 65536]
S3 B-Service;B-Service;c:\documents and settings\Maxim\Application Data\Mikogo\B-Service.exe [9/17/2010 12:13 PM 185640]
S3 bcgame;Nostromo HID Device Minidriver;c:\windows\system32\drivers\bcgame.sys --> c:\windows\system32\drivers\bcgame.sys [?]
S3 McComponentHostService;McAfee Security Scan Component Host Service;"c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe" --> c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/13/2007 12:28 AM 722416]
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-04 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-07-03 14:27]
.
2011-10-02 c:\windows\Tasks\Norton Security Scan for Maxim.job
- c:\progra~1\NORTON~2\Engine\312~1.9\Nss.exe [2011-06-09 08:19]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = localhost
LSP: mswsock.dll
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 192.168.0.1
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.3.0/GarminAxControl.CAB
FF - ProfilePath - c:\documents and settings\Maxim\Application Data\Mozilla\Firefox\Profiles\pu9jai39.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2653012&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: network.proxy.type - 0
FF - user.js: yahoo.homepage.dontask - true);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(yahoo.ytff.general.dontshowhpoffer, true);user_pref(network.protocol-handler.warn-external.dnupdate, false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-04 03:22
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\windows\3029570079:3765267531.exe 816 bytes executable
.
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD3200AAKS-00L9A0 rev.01.03E01 -> Harddisk0\DR0 -> \Device\00000032
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8AC40530]<<
_asm { MOV EAX, [ESP+0x4]; MOV ECX, [EAX+0x28]; PUSH EBP; MOV EBP, [ECX+0x4]; PUSH ESI; MOV ESI, [ESP+0x10]; PUSH EDI; MOV EDI, [ESI+0x60]; MOV AL, [EDI]; CMP AL, 0x16; JNZ 0x36; PUSH ESI; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8AE0BAB8]
3 CLASSPNP[0xB80E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A8E6130]
\Driver\00001079[0x8AC9D0F0] -> IRP_MJ_CREATE -> 0x8AC40530
error: Read The request is not supported.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\0000006a -> \??\IDE#DiskWDC_WD3200AAKS-00L9A0___________________01.03E01#2020202057202D44435756414332353631363737#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user & kernel MBR OK
copy of MBR has been found in sector 625137345
Warning: possible TDL3 rootkit infection !
.
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\windows\3029570079:3765267531.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Logitech\SetPoint\KHALMNPR.EXE
c:\program files\OpenOffice.org 2.3\program\soffice.exe
c:\program files\OpenOffice.org 2.3\program\soffice.BIN
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-10-04 03:28:05 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-04 07:28
ComboFix2.txt 2011-10-03 18:54
ComboFix3.txt 2011-10-01 18:28
ComboFix4.txt 2011-01-14 22:14
ComboFix5.txt 2011-10-04 07:05
.
Pre-Run: 126,993,297,408 bytes free
Post-Run: 127,007,719,424 bytes free
.
- - End Of File - - 05A5B15368A879FA54AEE24327FFE68B

Re: Need to get rid of rootkit.
You forgot to run aswMBR.

====================

  • Download TDSSKiller by Kaspersky from here and save it to your desktop
  • Doubleclick TDSSKiller.exe to run the tool
  • Click the Start Scan button
  • After the scan has finished, click the Close button
  • Click the Report button and copy/paste the contents of it into your next reply
  • The report can also be found in the root of your Windows drive (most likely C:\).


====================

  • Please create a new text file in Notepad with the following contents:

    Code:

    KILLALL::
    Folder::
    c:\windows\3029570079

    ADS::
    c:\windows\3029570079:3765267531.exe

    Renv::
    c:\program files\OfficeKB\OfficeKB .exe
    c:\program files\QuickTime\qttask  .exe

  • Save that file as CFScript.txt on your desktop
  • Drag and drop the CFScript.txt onto the ComboFix icon, as shown in the animation below.
    (animation: CFScript.txt being dragged onto the ComboFix icon)
  • If done correctly, ComboFix will start and perform specific instructions
  • In doing so, ComboFix may request a reboot
  • Please post the contents of Combofix.txt in your next reply
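The indicators the script above goes after (an executable stored in an NTFS alternate data stream, autorun targets whose file name has whitespace before the extension, a driver service backed by a file that is not the driver it claims to be) can be pulled out of these logs mechanically. The following Python triage script is an added example, not part of this thread or of any of the tools mentioned; the sample lines are copied from the ComboFix, catchme and TDSSKiller output posted here, and the checks are heuristics that mark entries for manual review rather than convict them (a digits-only service name, for instance, can belong to a scanner's own driver as well as to malware).

```python
import re
from typing import Dict, List

# Lines copied from the ComboFix, catchme and TDSSKiller output posted in this thread.
SAMPLE_LINES = [
    r'"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]',
    r'"OfficeKB"="c:\progra~1\OfficeKB\OfficeKB.EXE" [N/A]',
    r'"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-06-15 15141768]',
    r'c:\windows\3029570079:3765267531.exe 816 bytes executable',
    r'2011/10/05 20:11:03.0234 0360 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\drivers\tsk2D.tmp',
    r'2011/10/05 20:11:01.0703 0360 30157851 (1f523493bd016d1dfff59fd0f40f8c43) C:\WINDOWS\system32\drivers\19400847.sys',
    r'2011/10/05 20:11:02.0187 0360 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys',
]

# ComboFix autorun entry: "Name"="<command>" [<date size> | X | N/A]
RUN_ENTRY = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"\s*\[(?P<meta>[^\]]*)\]')
# TDSSKiller driver line: <date> <time> <tid> <service> (<md5>) <path>
TDSS_DRIVER = re.compile(r'^\d{4}/\d{2}/\d{2} \S+ \d+ (?P<service>\S+) \([0-9a-f]{32}\) (?P<path>[A-Za-z]:\\.+)$')
# catchme hidden-file line: <path> <n> bytes executable
CATCHME_FILE = re.compile(r'^(?P<path>[A-Za-z]:\\\S+) \d+ bytes')
# Leading executable path inside an autorun command (arguments may follow)
CMD_PATH = re.compile(r'^(?P<path>[A-Za-z]:\\.+?\.(?:exe|dll|sys|com|scr))(?:\s|$)', re.IGNORECASE)


def filename(path: str) -> str:
    return path.split('\\')[-1]


def is_ads_path(path: str) -> bool:
    # The drive colon sits at index 1; any colon inside the last component names an NTFS stream.
    return ':' in filename(path)


def has_space_before_extension(path: str) -> bool:
    # 'qttask .exe' style names: whitespace between the stem and the extension.
    return re.search(r'\S\s+\.[A-Za-z0-9]{1,4}$', filename(path)) is not None


def is_digits_only(name: str) -> bool:
    stem = re.sub(r'\.[A-Za-z0-9]+$', '', name)
    return stem.isdigit()


def path_signals(path: str) -> List[str]:
    """Signals derived from the path alone; each is a reason to look closer, not a verdict."""
    reasons = []
    if is_ads_path(path):
        reasons.append('executable stored in an NTFS alternate data stream')
    if has_space_before_extension(path):
        reasons.append('whitespace between file stem and extension')
    if is_digits_only(filename(path)):
        reasons.append('digits-only file name')
    return reasons


def triage(lines: List[str]) -> List[Dict[str, str]]:
    """Return one {'path', 'reason'} record per suspicious signal found in the log lines."""
    findings: List[Dict[str, str]] = []

    def add(path: str, reason: str) -> None:
        findings.append({'path': path, 'reason': reason})

    for line in lines:
        line = line.rstrip()
        m = RUN_ENTRY.match(line)
        if m:
            pm = CMD_PATH.match(m.group('cmd'))
            path = pm.group('path') if pm else m.group('cmd')
            meta = m.group('meta').strip()
            if meta in ('X', 'N/A'):          # ComboFix could not open or stat the target
                add(path, f'autorun target could not be read ({meta})')
            for r in path_signals(path):
                add(path, r)
            continue
        m = TDSS_DRIVER.match(line)
        if m:
            service, path = m.group('service'), m.group('path')
            if not filename(path).lower().endswith('.sys'):
                add(path, f'service {service} backed by a non-.sys file')
            if service.isdigit():
                add(path, f'digits-only service name {service}')
            for r in path_signals(path):
                add(path, r)
            continue
        m = CATCHME_FILE.match(line)
        if m:
            for r in path_signals(m.group('path')):
                add(m.group('path'), r)
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LINES):
        print(f"{f['reason']:55s} {f['path']}")
```

Run against the seven sample lines it reports the ADS executable, the two unreadable autorun targets, the `qttask .exe` spacing trick, the Imapi service pointing at a .tmp file and the all-digit driver, and stays silent on Skype and atapi. Feed it a whole ComboFix or TDSSKiller log and review every hit by hand before writing a CFScript.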

Re: Need to get rid of rootkit.
aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-10-04 03:47:30
-----------------------------
03:47:30.125 OS Version: Windows 5.1.2600 Service Pack 3
03:47:30.125 Number of processors: 2 586 0x4B02
03:47:30.125 ComputerName: MAXIM-9C1E76C15 UserName: Maxim
03:47:30.515 Initialize success
03:49:18.109 AVAST engine defs: 11090201
03:50:11.265 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000032
03:50:11.265 Disk 0 Vendor: WDC_WD3200AAKS-00L9A0 01.03E01 Size: 305245MB BusType: 3
03:50:11.265 Device \Device\0000006a -> \??\IDE#DiskWDC_WD3200AAKS-00L9A0___________________01.03E01#2020202057202D44435756414332353631363737#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found
03:50:11.265 Disk 0 MBR read error 0
03:50:11.265 Disk 0 MBR scan
03:50:11.296 Disk 0 unknown MBR code
03:50:11.296 MBR BIOS signature not found 0
03:50:11.296 Disk 0 scanning sectors +625137345
03:50:11.312 Disk 0 scanning C:\WINDOWS\system32\drivers
03:50:17.453 File: C:\WINDOWS\system32\drivers\imapi.sys **INFECTED** Win32:Alureon-AJI [Rtk]
03:50:21.843 Service scanning
03:50:22.625 Modules scanning
03:50:23.171 Module: C:\WINDOWS\system32\DRIVERS\imapi.sys **SUSPICIOUS**
03:50:25.453 Disk 0 trace - called modules:
03:50:25.453 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8ac40530]<<
03:50:25.453 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8ae0bab8]
03:50:25.453 3 CLASSPNP.SYS[b80e8fd7] -> nt!IofCallDriver -> [0x8a8e6130]
03:50:25.453 \Driver\00001079[0x8ac9d0f0] -> IRP_MJ_CREATE -> 0x8ac40530
03:50:26.140 AVAST engine scan C:\WINDOWS
03:50:27.906 File: C:\WINDOWS\3029570079:3765267531.exe **INFECTED** Win32:Tiny-AMB [Rtk]
03:50:42.468 AVAST engine scan C:\WINDOWS\system32
03:52:16.796 AVAST engine scan C:\WINDOWS\system32\drivers
03:52:23.515 File: C:\WINDOWS\system32\drivers\imapi.sys **INFECTED** Win32:Alureon-AJI [Rtk]
03:52:32.390 AVAST engine scan C:\Documents and Settings\Maxim
03:55:19.437 File: C:\Documents and Settings\Maxim\Application Data\Sun\Java\Deployment\cache\6.0\2\7a23e0c2-4e72f5bd **INFECTED** Win32:FakeAV-CFZ [Trj]
04:14:54.656 File: C:\Documents and Settings\Maxim\Desktop\RK_Quarantine\dwm.exe.vir **INFECTED** Win32:Malware-gen
04:19:54.859 AVAST engine scan C:\Documents and Settings\All Users
04:21:34.656 Scan finished successfully
11:03:33.312 Disk 0 MBR fix error
11:04:52.328 Disk 0 MBR fix error
11:05:00.390 Disk 0 MBR has been saved successfully to "E:\MBR.dat"
11:05:00.468 The log file has been saved successfully to "E:\aswMBR.txt"

When I hit the FixMBR button, it said "0 error MBR fix" or something like that. I also did not forget to run it; I have to sleep sometimes too, bro.
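Two numbers in the aswMBR and Gmer output above are worth checking against each other: the disk is reported as 305245 MB, and both tools point at sector 625137345 (Gmer: "copy of MBR has been found in sector 625137345"; aswMBR: "scanning sectors +625137345"). 305245 MB is 625,141,760 sectors of 512 bytes; with the legacy 255-head, 63-sector geometry that XP-era partitioners use, a cylinder is 16,065 sectors, and 38,913 full cylinders end at sector 625,137,345 exactly. So the stored MBR copy sits in the first sector after the last cylinder boundary, in the 4,415-sector slack between the end of the partitioned area and the physical end of the disk, space no filesystem scan ever reads. The Python below is an added example, not part of this thread or of aswMBR: it parses a 512-byte MBR image such as the one aswMBR saved to E:\MBR.dat (0x55AA signature, boot code present, partition table) and says where a given sector falls. The sample MBR it builds is constructed here; its boot-code prologue is the standard Windows XP MBR, which is what Gmer's kernel-mode disassembly above shows, and its single NTFS partition runs from LBA 63 to the last cylinder boundary.

```python
import struct
from typing import Dict, List

SECTOR = 512
HEADS, SECTORS_PER_TRACK = 255, 63                 # legacy CHS geometry assumed by XP-era partitioners
SECTORS_PER_CYLINDER = HEADS * SECTORS_PER_TRACK   # 16065

# Figures taken from the aswMBR and Gmer output in this thread.
DISK_SIZE_MB = 305245
COPY_SECTOR = 625137345

# Standard Windows XP MBR prologue (XOR AX,AX; MOV SS,AX; MOV SP,7C00h; STI; ... REP MOVSB; RETF),
# matching the disassembly Gmer printed after "kernel: MBR read successfully".
XP_MBR_PROLOGUE = bytes.fromhex('33c08ed0bc007cfb5007501ffcbe1b7cbf1b065057b9e501f3a4cb')


def total_sectors_from_mb(size_mb: int) -> int:
    return size_mb * 1024 * 1024 // SECTOR


def last_cylinder_boundary(total_sectors: int) -> int:
    """First sector after the last complete cylinder; XP-style partitions end just before it."""
    return (total_sectors // SECTORS_PER_CYLINDER) * SECTORS_PER_CYLINDER


def parse_mbr(data: bytes) -> Dict:
    """Decode a raw 512-byte MBR: boot signature, boot-code presence, non-empty partition entries."""
    if len(data) != SECTOR:
        raise ValueError('MBR image must be exactly 512 bytes')
    parts: List[Dict[str, int]] = []
    for i in range(4):
        off = 446 + 16 * i
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, size = struct.unpack_from('<B3xB3xII', data, off)
        if ptype != 0:
            parts.append({'index': i, 'bootable': status == 0x80, 'type': ptype,
                          'first': lba_start, 'last': lba_start + size - 1})
    return {
        'signature_ok': data[510:512] == b'\x55\xaa',
        'bootcode_present': any(data[:440]),
        'partitions': parts,
    }


def locate_sector(sector: int, mbr: Dict, total_sectors: int) -> str:
    """Say whether a sector lies inside a partition, in the pre-partition gap, in the tail, or off-disk."""
    for p in mbr['partitions']:
        if p['first'] <= sector <= p['last']:
            return f"inside partition {p['index']} (type 0x{p['type']:02x})"
    if sector >= total_sectors:
        return 'beyond the end of the disk'
    firsts = [p['first'] for p in mbr['partitions']]
    if firsts and sector < min(firsts):
        return 'in the gap before the first partition'
    return 'in the unpartitioned tail after the last partition'


def build_sample_mbr(total_sectors: int) -> bytes:
    """Constructed MBR: XP boot code, one bootable NTFS partition from LBA 63 to the last cylinder boundary."""
    boot = XP_MBR_PROLOGUE.ljust(440, b'\x00')
    disk_id = b'\x00' * 6                          # disk signature + reserved word (constructed, zeroed)
    first = SECTORS_PER_TRACK                      # 63: the historical first-partition offset
    last = last_cylinder_boundary(total_sectors) - 1
    entry = struct.pack('<B3sB3sII', 0x80, b'\x01\x01\x00', 0x07, b'\xfe\xff\xff', first, last - first + 1)
    return boot + disk_id + entry + b'\x00' * 48 + b'\x55\xaa'


def report(mbr_image: bytes, size_mb: int, sector: int) -> Dict[str, object]:
    total = total_sectors_from_mb(size_mb)
    mbr = parse_mbr(mbr_image)
    return {
        'total_sectors': total,
        'last_cylinder_boundary': last_cylinder_boundary(total),
        'signature_ok': mbr['signature_ok'],
        'bootcode_present': mbr['bootcode_present'],
        'partitions': mbr['partitions'],
        'copy_location': locate_sector(sector, mbr, total),
        'sectors_after_copy': total - sector,
    }


if __name__ == '__main__':
    total = total_sectors_from_mb(DISK_SIZE_MB)
    for k, v in report(build_sample_mbr(total), DISK_SIZE_MB, COPY_SECTOR).items():
        print(f'{k}: {v}')
```

To use it on the real image, replace `build_sample_mbr(total)` with `open(r'E:\MBR.dat', 'rb').read()`; the partition entries then come from the disk rather than from the constructed sample, and the location of the copy follows from them. Whether the 440 bytes of boot code are the stock XP code or something else is a separate question this parser does not answer; compare them against a known-good MBR from the same Windows version.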

Re: Need to get rid of rootkit.
2011/10/05 20:10:47.0265 0340 TDSS rootkit removing tool 2.5.17.0 Aug 22 2011 15:46:57
2011/10/05 20:10:47.0593 0340 ================================================================================
2011/10/05 20:10:47.0593 0340 SystemInfo:
2011/10/05 20:10:47.0593 0340
2011/10/05 20:10:47.0593 0340 OS Version: 5.1.2600 ServicePack: 3.0
2011/10/05 20:10:47.0593 0340 Product type: Workstation
2011/10/05 20:10:47.0593 0340 ComputerName: MAXIM-9C1E76C15
2011/10/05 20:10:47.0593 0340 UserName: Maxim
2011/10/05 20:10:47.0593 0340 Windows directory: C:\WINDOWS
2011/10/05 20:10:47.0593 0340 System windows directory: C:\WINDOWS
2011/10/05 20:10:47.0593 0340 Processor architecture: Intel x86
2011/10/05 20:10:47.0593 0340 Number of processors: 2
2011/10/05 20:10:47.0593 0340 Page size: 0x1000
2011/10/05 20:10:47.0593 0340 Boot type: Normal boot
2011/10/05 20:10:47.0593 0340 ================================================================================
2011/10/05 20:10:47.0625 0340 Initialize success
2011/10/05 20:11:01.0453 0360 ================================================================================
2011/10/05 20:11:01.0453 0360 Scan started
2011/10/05 20:11:01.0453 0360 Mode: Manual;
2011/10/05 20:11:01.0453 0360 ================================================================================
2011/10/05 20:11:01.0625 0360 1f9293b4 (8f2bb1827cac01aee6a16e30a1260199) C:\WINDOWS\3029570079:3765267531.exe
2011/10/05 20:11:01.0640 0360 Suspicious file (Hidden): C:\WINDOWS\3029570079:3765267531.exe. md5: 8f2bb1827cac01aee6a16e30a1260199
2011/10/05 20:11:01.0640 0360 1f9293b4 - detected HiddenFile.Multi.Generic (1)
2011/10/05 20:11:01.0703 0360 30157851 (1f523493bd016d1dfff59fd0f40f8c43) C:\WINDOWS\system32\drivers\19400847.sys
2011/10/05 20:11:01.0765 0360 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/10/05 20:11:01.0828 0360 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/10/05 20:11:01.0875 0360 ADIHdAudAddService (ab0d9669bab1009e48cc91117e59912b) C:\WINDOWS\system32\drivers\ADIHdAud.sys
2011/10/05 20:11:01.0890 0360 AEAudio (03be587e90c8b37c7ff1fe2e9c1d1c90) C:\WINDOWS\system32\drivers\AEAudio.sys
2011/10/05 20:11:01.0937 0360 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/10/05 20:11:01.0984 0360 AFD (355556d9e580915118cd7ef736653a89) C:\WINDOWS\System32\drivers\afd.sys
2011/10/05 20:11:02.0078 0360 AmdK8 (0a4d13b388c814560bd69c3a496ecfa8) C:\WINDOWS\system32\DRIVERS\AmdK8.sys
2011/10/05 20:11:02.0156 0360 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/10/05 20:11:02.0187 0360 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/10/05 20:11:02.0250 0360 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/10/05 20:11:02.0265 0360 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/10/05 20:11:02.0296 0360 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/10/05 20:11:02.0375 0360 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/10/05 20:11:02.0390 0360 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/10/05 20:11:02.0406 0360 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/10/05 20:11:02.0421 0360 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/10/05 20:11:02.0531 0360 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/10/05 20:11:02.0609 0360 DKbFltr (75ad9beb6d4b6bbcb39bfaba454ea05a) C:\WINDOWS\system32\DRIVERS\DKbFltr.sys
2011/10/05 20:11:02.0656 0360 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/10/05 20:11:02.0687 0360 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/10/05 20:11:02.0687 0360 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/10/05 20:11:02.0734 0360 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/10/05 20:11:02.0750 0360 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/10/05 20:11:02.0796 0360 ENTECH (16ebd8bf1d5090923694cc972c7ce1b4) C:\WINDOWS\system32\DRIVERS\ENTECH.sys
2011/10/05 20:11:02.0812 0360 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/10/05 20:11:02.0828 0360 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/10/05 20:11:02.0859 0360 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/10/05 20:11:02.0875 0360 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/10/05 20:11:02.0890 0360 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/10/05 20:11:02.0953 0360 fssfltr (e0087225b137e57239ff40f8ae82059b) C:\WINDOWS\system32\DRIVERS\fssfltr_tdi.sys
2011/10/05 20:11:02.0968 0360 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/10/05 20:11:02.0984 0360 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/10/05 20:11:03.0000 0360 GEARAspiWDM (5dc17164f66380cbfefd895c18467773) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
2011/10/05 20:11:03.0031 0360 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/10/05 20:11:03.0046 0360 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/10/05 20:11:03.0078 0360 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/10/05 20:11:03.0140 0360 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/10/05 20:11:03.0187 0360 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/10/05 20:11:03.0234 0360 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\drivers\tsk2D.tmp
2011/10/05 20:11:03.0234 0360 Suspicious file (NoAccess): C:\WINDOWS\system32\drivers\tsk2D.tmp. md5: 083a052659f5310dd8b6a6cb05edcf8e
2011/10/05 20:11:03.0265 0360 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/10/05 20:11:03.0296 0360 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/10/05 20:11:03.0296 0360 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/10/05 20:11:03.0343 0360 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/10/05 20:11:03.0343 0360 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/10/05 20:11:03.0375 0360 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/10/05 20:11:03.0390 0360 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/10/05 20:11:03.0406 0360 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/10/05 20:11:03.0421 0360 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/10/05 20:11:03.0453 0360 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/10/05 20:11:03.0515 0360 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/10/05 20:11:03.0593 0360 L8042mou (efcc6d56fe8ba50bb7ecf300b60a66a3) C:\WINDOWS\system32\DRIVERS\L8042mou.Sys
2011/10/05 20:11:03.0609 0360 LHidKe (452ecfc32a4b5d9a761e113f149e1b9e) C:\WINDOWS\system32\DRIVERS\LHidKE.Sys
2011/10/05 20:11:03.0656 0360 LHidUsbK (9c92312dd1ab42e627710fb89bbbcd1e) C:\WINDOWS\system32\Drivers\LHidUsbK.Sys
2011/10/05 20:11:03.0671 0360 LMouKE (95871e8c4aecfed95f884d2d10b8bcfb) C:\WINDOWS\system32\DRIVERS\LMouKE.Sys
2011/10/05 20:11:03.0687 0360 mcdbus (8fd868e32459ece2a1bb0169f513d31e) C:\WINDOWS\system32\DRIVERS\mcdbus.sys
2011/10/05 20:11:03.0718 0360 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/10/05 20:11:03.0750 0360 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/10/05 20:11:03.0765 0360 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/10/05 20:11:03.0796 0360 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/10/05 20:11:03.0796 0360 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/10/05 20:11:03.0828 0360 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/10/05 20:11:03.0890 0360 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/10/05 20:11:03.0906 0360 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/10/05 20:11:03.0921 0360 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/10/05 20:11:03.0937 0360 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/10/05 20:11:03.0937 0360 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/10/05 20:11:04.0000 0360 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/10/05 20:11:04.0062 0360 MTsensor (d48659bb24c48345d926ecb45c1ebdf5) C:\WINDOWS\system32\DRIVERS\ASACPI.sys
2011/10/05 20:11:04.0078 0360 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
2011/10/05 20:11:04.0125 0360 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/10/05 20:11:04.0171 0360 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/10/05 20:11:04.0187 0360 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/10/05 20:11:04.0203 0360 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/10/05 20:11:04.0234 0360 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/10/05 20:11:04.0250 0360 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/10/05 20:11:04.0281 0360 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/10/05 20:11:04.0312 0360 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/10/05 20:11:04.0328 0360 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/10/05 20:11:04.0375 0360 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/10/05 20:11:04.0546 0360 nv (4c3696c1ed1a36629ebb348bf745a328) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2011/10/05 20:11:04.0625 0360 nvata (4d6c6b46b3edf6f2e219a86b61d104ae) C:\WINDOWS\system32\DRIVERS\nvata.sys
2011/10/05 20:11:04.0656 0360 NVENETFD (1b83b60541be1b6db81641c448007f21) C:\WINDOWS\system32\DRIVERS\NVENETFD.sys
2011/10/05 20:11:04.0671 0360 NVHDA (cf68bcac297b4c98c1d25b81e4011de4) C:\WINDOWS\system32\drivers\nvhda32.sys
2011/10/05 20:11:04.0703 0360 nvnetbus (57b669f9234604a350174b86764444b0) C:\WINDOWS\system32\DRIVERS\nvnetbus.sys
2011/10/05 20:11:04.0734 0360 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/10/05 20:11:04.0750 0360 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/10/05 20:11:04.0781 0360 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/10/05 20:11:04.0796 0360 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/10/05 20:11:04.0812 0360 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/10/05 20:11:04.0828 0360 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/10/05 20:11:04.0859 0360 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/10/05 20:11:04.0875 0360 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/10/05 20:11:04.0984 0360 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/10/05 20:11:05.0015 0360 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2011/10/05 20:11:05.0031 0360 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/10/05 20:11:05.0078 0360 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/10/05 20:11:05.0093 0360 PxHelp20 (d86b4a68565e444d76457f14172c875a) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/10/05 20:11:05.0171 0360 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/10/05 20:11:05.0187 0360 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/10/05 20:11:05.0203 0360 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/10/05 20:11:05.0218 0360 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/10/05 20:11:05.0234 0360 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/10/05 20:11:05.0234 0360 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/10/05 20:11:05.0265 0360 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/10/05 20:11:05.0281 0360 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/10/05 20:11:05.0343 0360 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/10/05 20:11:05.0390 0360 SenFiltService (b6a6b409fda9d9ebd3aadb838d3d7173) C:\WINDOWS\system32\drivers\Senfilt.sys
2011/10/05 20:11:05.0453 0360 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/10/05 20:11:05.0468 0360 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/10/05 20:11:05.0515 0360 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/10/05 20:11:05.0593 0360 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/10/05 20:11:05.0640 0360 sptd (a80cd850d69d996c832bea37e3a6aa1e) C:\WINDOWS\system32\Drivers\sptd.sys
2011/10/05 20:11:05.0656 0360 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/10/05 20:11:05.0703 0360 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/10/05 20:11:05.0734 0360 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/10/05 20:11:05.0734 0360 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/10/05 20:11:05.0812 0360 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/10/05 20:11:05.0828 0360 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/10/05 20:11:05.0859 0360 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/10/05 20:11:05.0890 0360 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/10/05 20:11:05.0890 0360 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/10/05 20:11:05.0968 0360 tmcomm (df8444a8fa8fd38d8848bdd40a8403b3) C:\WINDOWS\system32\drivers\tmcomm.sys
2011/10/05 20:11:06.0000 0360 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/10/05 20:11:06.0062 0360 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/10/05 20:11:06.0093 0360 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/10/05 20:11:06.0093 0360 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/10/05 20:11:06.0109 0360 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/10/05 20:11:06.0125 0360 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
2011/10/05 20:11:06.0156 0360 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/10/05 20:11:06.0187 0360 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/10/05 20:11:06.0203 0360 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/10/05 20:11:06.0250 0360 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/10/05 20:11:06.0265 0360 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/10/05 20:11:06.0296 0360 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/10/05 20:11:06.0375 0360 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
2011/10/05 20:11:06.0421 0360 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/10/05 20:11:06.0421 0360 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/10/05 20:11:06.0468 0360 MBR (0x1B8) (2839639fa37b8353e792a2a30a12ced3) \Device\Harddisk0\DR0
2011/10/05 20:11:06.0468 0360 \Device\Harddisk0\DR0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/10/05 20:11:06.0468 0360 Boot (0x1200) (a1f9dcc0fd9defc49250b0a65e3a23b9) \Device\Harddisk0\DR0\Partition0
2011/10/05 20:11:06.0468 0360 ================================================================================
2011/10/05 20:11:06.0468 0360 Scan finished
2011/10/05 20:11:06.0468 0360 ================================================================================
2011/10/05 20:11:06.0484 3216 Detected object count: 2
2011/10/05 20:11:06.0484 3216 Actual detected object count: 2
2011/10/05 20:11:14.0093 3216 HiddenFile.Multi.Generic(1f9293b4) - User select action: Skip
2011/10/05 20:11:14.0125 3216 \Device\Harddisk0\DR0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/10/05 20:11:14.0140 3216 \Device\Harddisk0\DR0 - ok
2011/10/05 20:11:14.0140 3216 Rootkit.Win32.TDSS.tdl4(\Device\Harddisk0\DR0) - User select action: Cure
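
The line "MBR (0x1B8) (2839639f...) \Device\Harddisk0\DR0" in the TDSSKiller log above is the tool hashing the first 0x1B8 (440) bytes of sector 0, the bootstrap code that sits before the disk signature and the partition table. TDL4 replaces that code and leaves the partition table alone, which is why the disk still boots normally and why a hash of just that region is a useful integrity check. The Python below is an added example, not part of this thread and not TDSSKiller's code: it hashes that region the same way, parses the partition table, and compares the hash against a baseline you would have recorded from a known-clean system. The MBR bytes, the partition entry and the baseline hash are all constructed here.

```python
"""Added example (not from the thread): check an MBR image the way the
TDSSKiller line "MBR (0x1B8) (<md5>) \\Device\\Harddisk0\\DR0" implies.

Layout of a classic MBR (512 bytes):
  0x000-0x1B7  bootstrap code (440 bytes)  <- the part TDL4 overwrites
  0x1B8-0x1BB  disk signature
  0x1BE-0x1FD  four 16-byte partition entries
  0x1FE-0x1FF  0x55 0xAA boot signature
All MBR bytes built below are constructed sample data."""
import hashlib
import struct

SECTOR = 512
BOOTCODE_LEN = 0x1B8      # bytes hashed by TDSSKiller's "MBR (0x1B8)" line
PART_TABLE_OFF = 0x1BE    # start of the four partition entries
SIGNATURE_OFF = 0x1FE     # 0x55 0xAA
PART_ENTRY = "<B3xB3xII"  # status, (CHS start), type, (CHS end), LBA start, sector count


def bootcode_md5(mbr: bytes) -> str:
    """MD5 over the bootstrap code only (offsets 0x000-0x1B7)."""
    return hashlib.md5(mbr[:BOOTCODE_LEN]).hexdigest()


def parse_partitions(mbr: bytes) -> list:
    """Return (bootable, type, lba_start, sector_count) for each non-empty entry."""
    parts = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(PART_ENTRY, mbr, PART_TABLE_OFF + 16 * i)
        if ptype != 0:
            parts.append((status == 0x80, ptype, lba, count))
    return parts


def check_mbr(mbr: bytes, known_good_md5: str) -> dict:
    """Compare one 512-byte MBR image against a baseline bootstrap-code hash."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR image must be exactly 512 bytes")
    result = {
        "valid_signature": mbr[SIGNATURE_OFF:] == b"\x55\xAA",
        "bootcode_md5": bootcode_md5(mbr),
        "partitions": parse_partitions(mbr),
    }
    # Same partition table but a different bootstrap hash is the TDL4 pattern.
    result["bootcode_modified"] = result["bootcode_md5"] != known_good_md5
    return result


def build_mbr(bootcode: bytes, partitions: list) -> bytes:
    """Assemble a constructed MBR from bootstrap bytes and partition tuples."""
    if len(bootcode) > BOOTCODE_LEN:
        raise ValueError("bootstrap code too long")
    mbr = bytearray(SECTOR)
    mbr[:len(bootcode)] = bootcode
    for i, (bootable, ptype, lba, count) in enumerate(partitions):
        struct.pack_into(PART_ENTRY, mbr, PART_TABLE_OFF + 16 * i,
                         0x80 if bootable else 0x00, ptype, lba, count)
    mbr[SIGNATURE_OFF:] = b"\x55\xAA"
    return bytes(mbr)


# Constructed sample: one NTFS partition, a stub bootstrap, and the same disk
# with the bootstrap replaced while the partition table is left untouched.
PARTITIONS = [(True, 0x07, 63, 625137345)]
CLEAN_BOOTCODE = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 20   # placeholder stub
CLEAN_MBR = build_mbr(CLEAN_BOOTCODE, PARTITIONS)
BASELINE_MD5 = bootcode_md5(CLEAN_MBR)     # what you would record on a clean system
INFECTED_MBR = build_mbr(b"\xEB\x12" + b"\x41" * 100, PARTITIONS)

if __name__ == "__main__":
    for name, image in (("clean", CLEAN_MBR), ("modified", INFECTED_MBR)):
        r = check_mbr(image, BASELINE_MD5)
        print(name, r["bootcode_md5"],
              "MODIFIED" if r["bootcode_modified"] else "ok", r["partitions"])
```

On a live machine you would read the 512 bytes from \\.\PhysicalDrive0 as administrator and pass them to check_mbr(). Bear in mind that a rootkit which hooks the disk driver can hand user-mode readers a clean-looking copy of sector 0, which is why a scan from a boot CD or a tool that reads the disk below the hooked driver is more trustworthy than a script run on the infected system itself.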

Re: Need to get rid of rootkit.
ComboFix 11-09-04.03 - Maxim 10/05/2011 20:30:31.12.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3326.2967 [GMT -4:00]
Running from: c:\documents and settings\Maxim\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Maxim\Desktop\CFScript.txt
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Maxim\Local Settings\Application Data\ApplicationHistory
c:\documents and settings\Maxim\Local Settings\Application Data\ApplicationHistory\ngen.exe.2c05686e.ini
c:\documents and settings\Maxim\Local Settings\Application Data\ApplicationHistory\WarcraftIIIAutoRefresh - wc3edit.net edition.exe.58328361.ini
c:\windows\$NtUninstallKB29657$\529699764\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}
c:\windows\$NtUninstallKB29657$\529699764\L\dtxmbwwl
c:\windows\$NtUninstallKB29657$\529699764\loader.tlb
c:\windows\$NtUninstallKB29657$\529699764\U\$00000001
c:\windows\$NtUninstallKB29657$\529699764\U\$000000cf
c:\windows\$NtUninstallKB29657$\529699764\U\@000000c0
c:\windows\$NtUninstallKB29657$\529699764\U\@000000cb
c:\windows\$NtUninstallKB29657$\529699764\U\@000000cf
c:\windows\$NtUninstallKB29657$\529699764\U\@80000000
c:\windows\$NtUninstallKB29657$\529699764\U\@800000c0
c:\windows\$NtUninstallKB29657$\529699764\U\@800000cb
c:\windows\$NtUninstallKB29657$\529699764\U\@800000cf
c:\windows\$NtUninstallKB29657$\882484073
c:\windows\assembly\GAC_MSIL\desktop.ini
c:\windows\$NtUninstallKB29657$ . . . . Failed to delete
.
Infected copy of c:\windows\system32\wuauclt.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\wuauclt.exe
.
Infected copy of c:\program files\iPod\bin\iPodService.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP488\A0083975.exe
.
Infected copy of c:\program files\Java\jre6\bin\jqs.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP488\A0083978.exe
.
Infected copy of c:\windows\system32\nvsvc32.exe was found and disinfected
Restored copy from - c:\windows\system32\ReinstallBackups\0011\DriverFiles\nvsvc32.exe
.
Infected copy of c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP488\A0083977.exe
.
Infected copy of c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE was found and disinfected
Restored copy from - c:\system volume information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP488\A0083976.EXE
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_1f9293b4
.
.
((((((((((((((((((((((((( Files Created from 2011-09-06 to 2011-10-06 )))))))))))))))))))))))))))))))
.
.
2011-10-06 00:13 . 2011-10-06 00:13 50112 --sha-w- c:\windows\system32\c_03823.nl_
2011-10-04 07:00 . 2011-10-04 07:00 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Microsoft Help
2011-10-04 05:37 . 2011-10-04 05:37 -------- d-----w- c:\documents and settings\Maxim\Local Settings\Application Data\PCHealth
2011-10-03 18:58 . 2011-10-03 18:58 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2011-10-03 06:21 . 2011-10-03 06:25 -------- d-----w- C:\Commy
2011-10-03 06:19 . 2011-10-03 06:19 -------- d-----w- C:\ARK
2011-10-02 04:38 . 2011-10-02 04:38 4194304 ----a-w- c:\windows\system32\dtxmbwwl.dll
2011-10-01 17:25 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-10-01 17:25 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2011-10-01 17:23 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-06 00:13 . 2006-02-28 12:00 42112 ----a-w- c:\windows\system32\drivers\imapi.sys
2011-10-04 07:01 . 2009-08-14 21:09 112640 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VCExpress\9.0\1033\ResourceCache.dll
2011-10-04 07:00 . 2009-08-14 21:09 416 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\MSDN\9.0\1033\ResourceCache.dll
2011-08-28 01:16 . 2011-05-14 05:48 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-15 13:29 . 2006-02-28 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2006-02-28 12:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2011-10-03 18:59 . 2011-05-08 01:44 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot_2011-10-04_07.23.06 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-10-06 00:42 . 2011-10-06 00:42 16384 c:\windows\temp\Perflib_Perfdata_6b4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 143360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2010-04-17 3872080]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [BU]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-03 68856]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-06-15 15141768]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 843776]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-10-21 29696]
"OfficeKB"="c:\progra~1\OfficeKB\OfficeKB.EXE" [2004-10-22 200704]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-09-27 13918208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-09-27 86016]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-06-02 267048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"Google Updater"="c:\program files\Google\Google Updater\GoogleUpdater.exe" [2011-06-12 161336]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10t_ActiveX.exe" [2011-07-09 240288]
.
c:\documents and settings\Maxim\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - c:\program files\OpenOffice.org 2.3\program\quickstart.exe [2007-8-17 393216]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2007-6-23 450560]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\KEM.exe [2007-6-23 581632]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Apprentice\\Appr.exe"=
"c:\\Program Files\\THQ\\Dawn of War - Dark Crusade\\DarkCrusade.exe"=
"c:\\Program Files\\THQ\\Dawn Of War\\W40kWA.exe"=
"c:\\Program Files\\THQ\\Dawn Of War\\W40k.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Documents and Settings\\Maxim\\Desktop\\Max\\Pokemon Game.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.0.8.9506-to-3.0.9.9551-enUS-downloader.exe"=
"c:\\Program Files\\Dawn of War 2\\DOW2.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0-enUS-downloader.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\aliens vs predator\\AvP_CLI.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\transformers war for cybertron\\Binaries\\TWFC.exe"=
"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer_Service.exe"=
"c:\\Program Files\\Armagetron Advanced\\armagetronad.exe"=
"c:\\Program Files\\Sony Online Entertainment\\Installed Games\\DC Universe Online Live\\UNREAL3\\BINARIES\\WIN32\\DCGAME.EXE"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Riot Games\\League of Legends\\lol.launcher.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\dawn of war 2\\DOW2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\dawn of war ii - retribution\\DOW2.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"4000:TCP"= 4000:TCP:diablo
"8375:TCP"= 8375:TCP:League of Legends Launcher
"8375:UDP"= 8375:UDP:League of Legends Launcher
"8376:TCP"= 8376:TCP:League of Legends Launcher
"8376:UDP"= 8376:UDP:League of Legends Launcher
"8377:TCP"= 8377:TCP:League of Legends Launcher
"8377:UDP"= 8377:UDP:League of Legends Launcher
"8378:TCP"= 8378:TCP:League of Legends Launcher
"8378:UDP"= 8378:UDP:League of Legends Launcher
"8379:TCP"= 8379:TCP:League of Legends Launcher
"8379:UDP"= 8379:UDP:League of Legends Launcher
"8380:TCP"= 8380:TCP:League of Legends Launcher
"8380:UDP"= 8380:UDP:League of Legends Launcher
"8381:TCP"= 8381:TCP:League of Legends Launcher
"8381:UDP"= 8381:UDP:League of Legends Launcher
"6881:TCP"= 6881:TCP:League of Legends Launcher
"6881:UDP"= 6881:UDP:League of Legends Launcher
"8382:TCP"= 8382:TCP:League of Legends Launcher
"8382:UDP"= 8382:UDP:League of Legends Launcher
"8383:TCP"= 8383:TCP:League of Legends Launcher
"8383:UDP"= 8383:UDP:League of Legends Launcher
"8393:TCP"= 8393:TCP:League of Legends Lobby
"8393:UDP"= 8393:UDP:League of Legends Lobby
"8390:TCP"= 8390:TCP:League of Legends Game Client
"8390:UDP"= 8390:UDP:League of Legends Game Client
"6929:TCP"= 6929:TCP:League of Legends Launcher
"6929:UDP"= 6929:UDP:League of Legends Launcher
.
R2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [12/10/2009 3:39 AM 65536]
R2 USmsServ;Desktop Window Manager Sessions Manager;c:\windows\Desktop Manager\dwm.exe [6/10/2011 12:48 PM 142336]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2/27/2010 11:44 AM 57248]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/9/2009 6:35 PM 297752]
S3 B-Service;B-Service;c:\documents and settings\Maxim\Application Data\Mikogo\B-Service.exe [9/17/2010 12:13 PM 185640]
S3 bcgame;Nostromo HID Device Minidriver;c:\windows\system32\drivers\bcgame.sys --> c:\windows\system32\drivers\bcgame.sys [?]
S3 McComponentHostService;McAfee Security Scan Component Host Service;"c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe" --> c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/13/2007 12:28 AM 722416]
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-06 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-07-03 14:27]
.
2011-10-05 c:\windows\Tasks\Norton Security Scan for Maxim.job
- c:\progra~1\NORTON~2\Engine\312~1.9\Nss.exe [2011-06-09 08:19]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = localhost
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 192.168.0.1
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.3.0/GarminAxControl.CAB
FF - ProfilePath - c:\documents and settings\Maxim\Application Data\Mozilla\Firefox\Profiles\pu9jai39.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2653012&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: network.proxy.type - 0
FF - user.js: yahoo.homepage.dontask - true);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(yahoo.ytff.general.dontshowhpoffer, true);user_pref(network.protocol-handler.warn-external.dnupdate, false
.
- - - - ORPHANS REMOVED - - - -
.
HKU-Default-RunOnce-RealUpgradeHelper - c:\program files\Common Files\Real\Update_OB\upgrdhlp.exe
SafeBoot-30157851.sys
AddRemove-Malwarebytes' Anti-Malware_is1 - e:\malwarebytes' anti-malware\unins000.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-05 20:42
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(152)
c:\windows\system32\WININET.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\OpenOffice.org 2.3\program\soffice.exe
c:\program files\Logitech\SetPoint\KHALMNPR.EXE
c:\program files\OpenOffice.org 2.3\program\soffice.BIN
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-10-05 20:46:51 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-06 00:46
ComboFix2.txt 2011-10-04 07:28
ComboFix3.txt 2011-10-03 18:54
ComboFix4.txt 2011-10-01 18:28
ComboFix5.txt 2011-10-06 00:19
.
Pre-Run: 126,653,403,136 bytes free
Post-Run: 126,898,094,080 bytes free
.
- - End Of File - - 92BE69B423E8D104A74FD0BB4CA2B0DB
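
Reading a ComboFix log like the one above by hand means pairing each "Infected copy of ..." line with the "Restored copy from - ..." line under it, and spotting registry values such as AntiVirusOverride=1 and EnableFirewall=0 in the Reg Loading Points section. The Python below is an added example, not part of this thread and not ComboFix's code: it makes those two passes over log text. SAMPLE_LOG is constructed from a handful of lines taken from the log above, and the table of "suppressing" values is my own reading of those Security Center and firewall keys, not something ComboFix flags on its own.

```python
"""Added example (not from the thread): a small triage pass over ComboFix
log text. It (1) pairs each disinfected binary with the clean copy ComboFix
restored it from and (2) reports Security Center / firewall registry values
that are set to their alert-suppressing or disabled value. The sample log
text below is constructed from lines in the thread."""
import re

INFECTED_RE = re.compile(r"^Infected copy of (?P<path>.+?) was found and disinfected$")
RESTORED_RE = re.compile(r"^Restored copy from - (?P<src>.+)$")
# Matches both 'dword:00000001' and ComboFix's '0 (0x0)' style values.
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<dword>dword:)?(?P<val>[0-9A-Fa-f]+)')

# Value -> setting that means the protection or its warning is switched off
# (assumption: these are the standard meanings of the keys shown in the log).
SUPPRESSING_VALUES = {
    "AntiVirusOverride": 1,     # Security Center stops warning about missing AV
    "FirewallOverride": 1,      # ... and about the firewall
    "EnableFirewall": 0,        # Windows Firewall standard profile disabled
    "DisableNotifications": 1,  # firewall notifications silenced
}


def parse_disinfections(log: str) -> list:
    """Return [(infected_path, restore_source), ...] in log order."""
    pairs, pending = [], None
    for raw in log.splitlines():
        line = raw.strip()
        m = INFECTED_RE.match(line)
        if m:
            pending = m.group("path")
            continue
        m = RESTORED_RE.match(line)
        if m and pending is not None:
            pairs.append((pending, m.group("src")))
            pending = None
    return pairs


def find_suppressed_security(log: str) -> dict:
    """Return {value_name: int} for each value set to its suppressing setting."""
    found = {}
    for raw in log.splitlines():
        m = REG_VALUE_RE.match(raw.strip())
        if not m or m.group("name") not in SUPPRESSING_VALUES:
            continue
        # 'dword:' values are hex; ComboFix's bare '0 (0x0)' form is decimal.
        val = int(m.group("val"), 16) if m.group("dword") else int(m.group("val"))
        if val == SUPPRESSING_VALUES[m.group("name")]:
            found[m.group("name")] = val
    return found


# Constructed sample, taken from lines of the ComboFix log in the thread.
SAMPLE_LOG = (
    "Infected copy of c:\\windows\\system32\\wuauclt.exe was found and disinfected\n"
    "Restored copy from - c:\\windows\\system32\\dllcache\\wuauclt.exe\n"
    ".\n"
    "Infected copy of c:\\windows\\system32\\nvsvc32.exe was found and disinfected\n"
    "Restored copy from - c:\\windows\\system32\\ReinstallBackups\\0011\\DriverFiles\\nvsvc32.exe\n"
    ".\n"
    "[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center]\n"
    '"AntiVirusOverride"=dword:00000001\n'
    '"FirewallOverride"=dword:00000001\n'
    ".\n"
    "[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile]\n"
    '"EnableFirewall"= 0 (0x0)\n'
    '"DisableNotifications"= 1 (0x1)\n'
    ".\n"
    "[HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]\n"
    '"Skype"="c:\\program files\\Skype\\Phone\\Skype.exe" [2011-06-15 15141768]\n'
)

if __name__ == "__main__":
    for infected, source in parse_disinfections(SAMPLE_LOG):
        print("patched:", infected, "<- restored from", source)
    for name, val in find_suppressed_security(SAMPLE_LOG).items():
        print("suppressed:", name, "=", val)
```

A hit on the override values is a prompt to verify, not proof of tampering: some third-party security suites and some users set AntiVirusOverride themselves. For the disinfected binaries the interesting question is whether the restore source (dllcache or a System Restore point, as in the log above) was itself clean, which is worth checking against a known-good hash before trusting the repaired file.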

Re: Need to get rid of rootkit.
Hooohoooohooooo

  • Please create a new text file in Notepad with the following contents:

    Code:

    KILLALL::
    File::
    C:\WINDOWS\system32\drivers\tsk2D.tmp
    c:\windows\system32\dtxmbwwl.dll

    Folder::
    C:\WINDOWS\3029570079

    Driver::
    tsk2D

  • Save that file as CFScript.txt on your desktop
  • Drag and drop the CFScript.txt onto the ComboFix icon, as shown in the animation below.
    [animation: CFScript.txt being dragged onto the ComboFix icon]
  • If done correctly, ComboFix will start and perform specific instructions
  • In doing so, ComboFix may request a reboot
  • Please post the contents of Combofix.txt in your next reply

====================

  • Double click aswMBR.exe to run the tool
  • Click the Scan button to start the scan
  • Once the scan finishes click Save log to save the log to your desktop
  • Copy and paste the contents of this log (aswMBR.txt) into your next reply.


====================

Please open Malwarebytes' Anti-Malware, click the Update tab and click Check for Updates. Then, click the Scanner tab, select Perform Quick Scan and click Scan. Please post the resulting log in your next reply.

Re: Need to get rid of rootkit.
ComboFix 11-09-04.03 - Maxim 10/06/2011 4:28.13.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3326.2708 [GMT -4:00]
Running from: c:\documents and settings\Maxim\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Maxim\Desktop\CFScript.txt
.
FILE ::
"c:\windows\system32\drivers\tsk2D.tmp"
"c:\windows\system32\dtxmbwwl.dll"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\dtxmbwwl.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-09-06 to 2011-10-06 )))))))))))))))))))))))))))))))
.
.
2011-10-06 00:13 . 2011-10-06 00:13 50112 --sha-w- c:\windows\system32\c_03823.nl_
2011-10-04 07:00 . 2011-10-04 07:00 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Microsoft Help
2011-10-04 05:37 . 2011-10-04 05:37 -------- d-----w- c:\documents and settings\Maxim\Local Settings\Application Data\PCHealth
2011-10-03 18:58 . 2011-10-03 18:58 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2011-10-03 06:21 . 2011-10-03 06:25 -------- d-----w- C:\Commy
2011-10-03 06:19 . 2011-10-03 06:19 -------- d-----w- C:\ARK
2011-10-01 17:25 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-10-01 17:25 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2011-10-01 17:23 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-06 00:13 . 2006-02-28 12:00 42112 ----a-w- c:\windows\system32\drivers\imapi.sys
2011-10-04 07:01 . 2009-08-14 21:09 112640 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VCExpress\9.0\1033\ResourceCache.dll
2011-10-04 07:00 . 2009-08-14 21:09 416 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\MSDN\9.0\1033\ResourceCache.dll
2011-08-28 01:16 . 2011-05-14 05:48 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-15 13:29 . 2006-02-28 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2011-10-03 18:59 . 2011-05-08 01:44 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot_2011-10-04_07.23.06 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-10-06 08:37 . 2011-10-06 08:37 16384 c:\windows\temp\Perflib_Perfdata_63c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 143360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2010-04-17 3872080]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [BU]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-03 68856]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-06-15 15141768]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 843776]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-10-21 29696]
"OfficeKB"="c:\progra~1\OfficeKB\OfficeKB.EXE" [2004-10-22 200704]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-09-27 13918208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-09-27 86016]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-06-02 267048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"Google Updater"="c:\program files\Google\Google Updater\GoogleUpdater.exe" [2011-06-12 161336]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10t_ActiveX.exe" [2011-07-09 240288]
.
c:\documents and settings\Maxim\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - c:\program files\OpenOffice.org 2.3\program\quickstart.exe [2007-8-17 393216]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2007-6-23 450560]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\KEM.exe [2007-6-23 581632]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Apprentice\\Appr.exe"=
"c:\\Program Files\\THQ\\Dawn of War - Dark Crusade\\DarkCrusade.exe"=
"c:\\Program Files\\THQ\\Dawn Of War\\W40kWA.exe"=
"c:\\Program Files\\THQ\\Dawn Of War\\W40k.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Documents and Settings\\Maxim\\Desktop\\Max\\Pokemon Game.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.0.8.9506-to-3.0.9.9551-enUS-downloader.exe"=
"c:\\Program Files\\Dawn of War 2\\DOW2.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0-enUS-downloader.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\aliens vs predator\\AvP_CLI.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\transformers war for cybertron\\Binaries\\TWFC.exe"=
"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer_Service.exe"=
"c:\\Program Files\\Armagetron Advanced\\armagetronad.exe"=
"c:\\Program Files\\Sony Online Entertainment\\Installed Games\\DC Universe Online Live\\UNREAL3\\BINARIES\\WIN32\\DCGAME.EXE"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Riot Games\\League of Legends\\lol.launcher.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\dawn of war 2\\DOW2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\dawn of war ii - retribution\\DOW2.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"4000:TCP"= 4000:TCP:diablo
"8375:TCP"= 8375:TCP:League of Legends Launcher
"8375:UDP"= 8375:UDP:League of Legends Launcher
"8376:TCP"= 8376:TCP:League of Legends Launcher
"8376:UDP"= 8376:UDP:League of Legends Launcher
"8377:TCP"= 8377:TCP:League of Legends Launcher
"8377:UDP"= 8377:UDP:League of Legends Launcher
"8378:TCP"= 8378:TCP:League of Legends Launcher
"8378:UDP"= 8378:UDP:League of Legends Launcher
"8379:TCP"= 8379:TCP:League of Legends Launcher
"8379:UDP"= 8379:UDP:League of Legends Launcher
"8380:TCP"= 8380:TCP:League of Legends Launcher
"8380:UDP"= 8380:UDP:League of Legends Launcher
"8381:TCP"= 8381:TCP:League of Legends Launcher
"8381:UDP"= 8381:UDP:League of Legends Launcher
"6881:TCP"= 6881:TCP:League of Legends Launcher
"6881:UDP"= 6881:UDP:League of Legends Launcher
"8382:TCP"= 8382:TCP:League of Legends Launcher
"8382:UDP"= 8382:UDP:League of Legends Launcher
"8383:TCP"= 8383:TCP:League of Legends Launcher
"8383:UDP"= 8383:UDP:League of Legends Launcher
"8393:TCP"= 8393:TCP:League of Legends Lobby
"8393:UDP"= 8393:UDP:League of Legends Lobby
"8390:TCP"= 8390:TCP:League of Legends Game Client
"8390:UDP"= 8390:UDP:League of Legends Game Client
"6929:TCP"= 6929:TCP:League of Legends Launcher
"6929:UDP"= 6929:UDP:League of Legends Launcher
.
R2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [12/10/2009 3:39 AM 65536]
R2 USmsServ;Desktop Window Manager Sessions Manager;c:\windows\Desktop Manager\dwm.exe [6/10/2011 12:48 PM 142336]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2/27/2010 11:44 AM 57248]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/9/2009 6:35 PM 297752]
S3 B-Service;B-Service;c:\documents and settings\Maxim\Application Data\Mikogo\B-Service.exe [9/17/2010 12:13 PM 185640]
S3 bcgame;Nostromo HID Device Minidriver;c:\windows\system32\drivers\bcgame.sys --> c:\windows\system32\drivers\bcgame.sys [?]
S3 McComponentHostService;McAfee Security Scan Component Host Service;"c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe" --> c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/13/2007 12:28 AM 722416]
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-06 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-07-03 14:27]
.
2011-10-05 c:\windows\Tasks\Norton Security Scan for Maxim.job
- c:\progra~1\NORTON~2\Engine\312~1.9\Nss.exe [2011-06-09 08:19]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = localhost
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 192.168.0.1
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.3.0/GarminAxControl.CAB
FF - ProfilePath - c:\documents and settings\Maxim\Application Data\Mozilla\Firefox\Profiles\pu9jai39.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2653012&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: network.proxy.type - 0
FF - user.js: yahoo.homepage.dontask - true);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(yahoo.ytff.general.dontshowhpoffer, true);user_pref(network.protocol-handler.warn-external.dnupdate, false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-06 12:39
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2264)
c:\windows\system32\WININET.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\OpenOffice.org 2.3\program\soffice.exe
c:\program files\Logitech\SetPoint\KHALMNPR.EXE
c:\program files\OpenOffice.org 2.3\program\soffice.BIN
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-10-06 12:42:55 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-06 16:42
ComboFix2.txt 2011-10-06 00:46
ComboFix3.txt 2011-10-04 07:28
ComboFix4.txt 2011-10-03 18:54
ComboFix5.txt 2011-10-06 08:27
.
Pre-Run: 126,796,382,208 bytes free
Post-Run: 126,806,532,096 bytes free
.
- - End Of File - - 3DB6B26295D2E668CE338BD30F3C56CF

Re: Need to get rid of rootkit.

aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-10-06 13:01:44
-----------------------------
13:01:44.734 OS Version: Windows 5.1.2600 Service Pack 3
13:01:44.734 Number of processors: 2 586 0x4B02
13:01:44.734 ComputerName: MAXIM-9C1E76C15 UserName: Maxim
13:01:45.234 Initialize success
13:02:41.390 AVAST engine defs: 11090500
13:02:58.500 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000069
13:02:58.500 Disk 0 Vendor: WDC_WD3200AAKS-00L9A0 01.03E01 Size: 305245MB BusType: 3
13:03:00.500 Disk 0 MBR read successfully
13:03:00.500 Disk 0 MBR scan
13:03:00.531 Disk 0 Windows XP default MBR code
13:03:00.531 Disk 0 scanning sectors +625137345
13:03:00.562 Disk 0 malicious Win32:MBRoot code @ sector 625137348 !
13:03:00.562 Disk 0 PE file @ sector 625137370 !
13:03:00.593 Disk 0 scanning C:\WINDOWS\system32\drivers
13:03:06.531 File: C:\WINDOWS\system32\drivers\redbook.sys **INFECTED** Win32:Alureon-AJI [Rtk]
13:03:08.656 Service scanning
13:03:09.453 Modules scanning
13:03:13.140 Disk 0 trace - called modules:
13:03:13.171 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll nvata.sys
13:03:13.171 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8adc6ab8]
13:03:13.171 3 CLASSPNP.SYS[b80e8fd7] -> nt!IofCallDriver -> \Device\0000006a[0x8ae11f18]
13:03:13.171 5 ACPI.sys[b7f7f620] -> nt!IofCallDriver -> \Device\00000069[0x8adc6030]
13:03:14.046 AVAST engine scan C:\WINDOWS
13:03:53.093 AVAST engine scan C:\WINDOWS\system32
13:05:32.937 AVAST engine scan C:\WINDOWS\system32\drivers
13:05:39.125 File: C:\WINDOWS\system32\drivers\redbook.sys **INFECTED** Win32:Alureon-AJI [Rtk]
13:05:44.953 AVAST engine scan C:\Documents and Settings\Maxim
13:08:31.781 File: C:\Documents and Settings\Maxim\Application Data\Sun\Java\Deployment\cache\6.0\2\7a23e0c2-4e72f5bd **INFECTED** Win32:FakeAV-CFZ [Trj]
13:28:07.828 File: C:\Documents and Settings\Maxim\Desktop\RK_Quarantine\dwm.exe.vir **INFECTED** Win32:Malware-gen
13:32:58.375 AVAST engine scan C:\Documents and Settings\All Users
13:34:39.437 Scan finished successfully
13:35:42.796 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Maxim\Desktop\MBR.dat"
13:35:42.796 The log file has been saved successfully to "C:\Documents and Settings\Maxim\Desktop\aswMBR.txt"


Re: Need to get rid of rootkit.

Still not clean, but we're getting close.

  • Please create a new text file in Notepad with the following contents:

    Code:

    KILLALL::
    File::
    C:\Documents and Settings\Maxim\Desktop\RK_Quarantine\dwm.exe.vir

    TDL::
    C:\WINDOWS\system32\drivers\redbook.sys

  • Save that file as CFScript.txt on your desktop
  • Drag and drop the CFScript.txt onto the ComboFix icon, as shown in the animation below.
    [animation: dragging CFScript.txt onto the ComboFix icon]
  • If done correctly, ComboFix will start and perform specific instructions
  • In doing so, ComboFix may request a reboot
  • Please post the contents of Combofix.txt in your next reply

====================

You need to install the latest version of Java. Having the latest version is important to take advantage of fixes that have eliminated security vulnerabilities.
  • Go to Start > Control Panel
  • Double-click on Add or Remove Programs
  • Look for entries that say Java, Java RunTime Environment or J2SE.
  • Uninstall all of them that are not named Java (TM) 6 Update 27

After doing this, you can go to java.com, click on Free Java Download and proceed from there to install the latest version of Java (currently Version 6 Update 27).

After installing Java, go to Start > Control Panel > Java to open the Java Control Panel.
Under the General tab, under Temporary Internet Files, click Settings, then click Delete Files.
Select both options and click OK to delete the Java cache.

====================

Please open Malwarebytes' Anti-Malware, click the Update tab and click Check for Updates. Then, click the Scanner tab, select Perform Quick Scan and click Scan. Please post the resulting log in your next reply.

Re: Need to get rid of rootkit.

ComboFix 11-09-06.01 - Maxim 10/07/2011 3:58.14.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3326.2521 [GMT -4:00]
Running from: c:\documents and settings\Maxim\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Maxim\Desktop\CFScript.txt
.
FILE ::
"c:\documents and settings\Maxim\Desktop\RK_Quarantine\dwm.exe.vir"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Maxim\Desktop\RK_Quarantine\dwm.exe.vir
.
.
((((((((((((((((((((((((( Files Created from 2011-09-07 to 2011-10-07 )))))))))))))))))))))))))))))))
.
.
2011-10-06 00:13 . 2011-10-06 00:13 50112 --sha-w- c:\windows\system32\c_03823.nl_
2011-10-04 07:00 . 2011-10-04 07:00 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Microsoft Help
2011-10-04 05:37 . 2011-10-04 05:37 -------- d-----w- c:\documents and settings\Maxim\Local Settings\Application Data\PCHealth
2011-10-03 18:58 . 2011-10-03 18:58 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2011-10-03 06:21 . 2011-10-03 06:25 -------- d-----w- C:\Commy
2011-10-03 06:19 . 2011-10-03 06:19 -------- d-----w- C:\ARK
2011-10-01 17:25 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-10-01 17:25 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2011-10-01 17:23 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-06 00:13 . 2006-02-28 12:00 42112 ----a-w- c:\windows\system32\drivers\imapi.sys
2011-10-04 07:01 . 2009-08-14 21:09 112640 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VCExpress\9.0\1033\ResourceCache.dll
2011-10-04 07:00 . 2009-08-14 21:09 416 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\MSDN\9.0\1033\ResourceCache.dll
2011-08-28 01:16 . 2011-05-14 05:48 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-15 13:29 . 2006-02-28 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2011-10-03 18:59 . 2011-05-08 01:44 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot_2011-10-04_07.23.06 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-10-07 08:05 . 2011-10-07 08:05 16384 c:\windows\temp\Perflib_Perfdata_638.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 143360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2010-04-17 3872080]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [BU]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-03 68856]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-06-15 15141768]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 843776]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-10-21 29696]
"OfficeKB"="c:\progra~1\OfficeKB\OfficeKB.EXE" [2004-10-22 200704]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-09-27 13918208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-09-27 86016]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-06-02 267048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"Google Updater"="c:\program files\Google\Google Updater\GoogleUpdater.exe" [2011-06-12 161336]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10t_ActiveX.exe" [2011-07-09 240288]
.
c:\documents and settings\Maxim\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - c:\program files\OpenOffice.org 2.3\program\quickstart.exe [2007-8-17 393216]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2007-6-23 450560]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\KEM.exe [2007-6-23 581632]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Apprentice\\Appr.exe"=
"c:\\Program Files\\THQ\\Dawn of War - Dark Crusade\\DarkCrusade.exe"=
"c:\\Program Files\\THQ\\Dawn Of War\\W40kWA.exe"=
"c:\\Program Files\\THQ\\Dawn Of War\\W40k.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Documents and Settings\\Maxim\\Desktop\\Max\\Pokemon Game.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.0.8.9506-to-3.0.9.9551-enUS-downloader.exe"=
"c:\\Program Files\\Dawn of War 2\\DOW2.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0-enUS-downloader.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\aliens vs predator\\AvP_CLI.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\transformers war for cybertron\\Binaries\\TWFC.exe"=
"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer_Service.exe"=
"c:\\Program Files\\Armagetron Advanced\\armagetronad.exe"=
"c:\\Program Files\\Sony Online Entertainment\\Installed Games\\DC Universe Online Live\\UNREAL3\\BINARIES\\WIN32\\DCGAME.EXE"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Riot Games\\League of Legends\\lol.launcher.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\dawn of war 2\\DOW2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\dawn of war ii - retribution\\DOW2.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"4000:TCP"= 4000:TCP:diablo
"8375:TCP"= 8375:TCP:League of Legends Launcher
"8375:UDP"= 8375:UDP:League of Legends Launcher
"8376:TCP"= 8376:TCP:League of Legends Launcher
"8376:UDP"= 8376:UDP:League of Legends Launcher
"8377:TCP"= 8377:TCP:League of Legends Launcher
"8377:UDP"= 8377:UDP:League of Legends Launcher
"8378:TCP"= 8378:TCP:League of Legends Launcher
"8378:UDP"= 8378:UDP:League of Legends Launcher
"8379:TCP"= 8379:TCP:League of Legends Launcher
"8379:UDP"= 8379:UDP:League of Legends Launcher
"8380:TCP"= 8380:TCP:League of Legends Launcher
"8380:UDP"= 8380:UDP:League of Legends Launcher
"8381:TCP"= 8381:TCP:League of Legends Launcher
"8381:UDP"= 8381:UDP:League of Legends Launcher
"6881:TCP"= 6881:TCP:League of Legends Launcher
"6881:UDP"= 6881:UDP:League of Legends Launcher
"8382:TCP"= 8382:TCP:League of Legends Launcher
"8382:UDP"= 8382:UDP:League of Legends Launcher
"8383:TCP"= 8383:TCP:League of Legends Launcher
"8383:UDP"= 8383:UDP:League of Legends Launcher
"8393:TCP"= 8393:TCP:League of Legends Lobby
"8393:UDP"= 8393:UDP:League of Legends Lobby
"8390:TCP"= 8390:TCP:League of Legends Game Client
"8390:UDP"= 8390:UDP:League of Legends Game Client
"6929:TCP"= 6929:TCP:League of Legends Launcher
"6929:UDP"= 6929:UDP:League of Legends Launcher
.
R2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [12/10/2009 3:39 AM 65536]
R2 USmsServ;Desktop Window Manager Sessions Manager;c:\windows\Desktop Manager\dwm.exe [6/10/2011 12:48 PM 142336]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2/27/2010 11:44 AM 57248]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/9/2009 6:35 PM 297752]
S3 B-Service;B-Service;c:\documents and settings\Maxim\Application Data\Mikogo\B-Service.exe [9/17/2010 12:13 PM 185640]
S3 bcgame;Nostromo HID Device Minidriver;c:\windows\system32\drivers\bcgame.sys --> c:\windows\system32\drivers\bcgame.sys [?]
S3 McComponentHostService;McAfee Security Scan Component Host Service;"c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe" --> c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/13/2007 12:28 AM 722416]
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-07 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-07-03 14:27]
.
2011-10-06 c:\windows\Tasks\Norton Security Scan for Maxim.job
- c:\progra~1\NORTON~2\Engine\312~1.9\Nss.exe [2011-06-09 08:19]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = localhost
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 192.168.0.1
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.3.0/GarminAxControl.CAB
FF - ProfilePath - c:\documents and settings\Maxim\Application Data\Mozilla\Firefox\Profiles\pu9jai39.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2653012&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: network.proxy.type - 0
FF - user.js: yahoo.homepage.dontask - true);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(yahoo.ytff.general.dontshowhpoffer, true);user_pref(network.protocol-handler.warn-external.dnupdate, false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-07 04:06
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3284)
c:\windows\system32\WININET.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\OpenOffice.org 2.3\program\soffice.exe
c:\program files\Logitech\SetPoint\KHALMNPR.EXE
c:\program files\OpenOffice.org 2.3\program\soffice.BIN
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-10-07 04:10:49 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-07 08:10
ComboFix2.txt 2011-10-06 16:42
ComboFix3.txt 2011-10-06 00:46
ComboFix4.txt 2011-10-04 07:28
ComboFix5.txt 2011-10-07 07:57
.
Pre-Run: 126,868,611,072 bytes free
Post-Run: 126,960,566,272 bytes free
.
- - End Of File - - CA29F1F5F8BFDF0EAAD78C0DAD59B240

Re: Need to get rid of rootkit.

OK, let's rerun aswMBR, because I think that ComboFix did not solve the redbook.sys problem.

If the aswMBR log shows something like this again:
13:03:06.531 File: C:\WINDOWS\system32\drivers\redbook.sys **INFECTED** Win32:Alureon-AJI [Rtk]


I would like you to do this:

Please download SystemLook by jpshortstuff from one of the locations below and save it to your desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the following text into the main textfield:

:filefind
redbook.sys

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop (SystemLook.txt).

Re: Need to get rid of rootkit.

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7662

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

10/7/2011 4:28:35 AM
mbam-log-2011-10-07 (04-28-35).txt

Scan type: Quick scan
Objects scanned: 202086
Time elapsed: 3 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Re: Need to get rid of rootkit.

aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-10-07 04:36:07
-----------------------------
04:36:07.140 OS Version: Windows 5.1.2600 Service Pack 3
04:36:07.140 Number of processors: 2 586 0x4B02
04:36:07.140 ComputerName: MAXIM-9C1E76C15 UserName: Maxim
04:36:07.796 Initialize success
04:37:33.359 AVAST engine defs: 11090501
13:32:40.312 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000069
13:32:40.312 Disk 0 Vendor: WDC_WD3200AAKS-00L9A0 01.03E01 Size: 305245MB BusType: 3
13:32:42.328 Disk 0 MBR read successfully
13:32:42.328 Disk 0 MBR scan
13:32:42.375 Disk 0 Windows XP default MBR code
13:32:42.375 Disk 0 scanning sectors +625137345
13:32:42.406 Disk 0 malicious Win32:MBRoot code @ sector 625137348 !
13:32:42.406 Disk 0 PE file @ sector 625137370 !
13:32:42.437 Disk 0 scanning C:\WINDOWS\system32\drivers
13:32:47.906 File: C:\WINDOWS\system32\drivers\redbook.sys **INFECTED** Win32:Alureon-AJI [Rtk]
13:32:51.187 Service scanning
13:32:51.968 Modules scanning
13:32:55.734 Disk 0 trace - called modules:
13:32:56.265 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll nvata.sys
13:32:56.265 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8addbab8]
13:32:56.265 3 CLASSPNP.SYS[b80e8fd7] -> nt!IofCallDriver -> \Device\0000006a[0x8adf7f18]
13:32:56.265 5 ACPI.sys[b7f7f620] -> nt!IofCallDriver -> \Device\00000069[0x8addb030]
13:32:57.734 AVAST engine scan C:\WINDOWS
13:33:14.468 AVAST engine scan C:\WINDOWS\system32
13:34:46.343 AVAST engine scan C:\WINDOWS\system32\drivers
13:34:52.890 File: C:\WINDOWS\system32\drivers\redbook.sys **INFECTED** Win32:Alureon-AJI [Rtk]
13:34:59.468 AVAST engine scan C:\Documents and Settings\Maxim
13:37:48.421 File: C:\Documents and Settings\Maxim\Application Data\Sun\Java\Deployment\cache\6.0\2\7a23e0c2-4e72f5bd **INFECTED** Win32:FakeAV-CFZ [Trj]
14:02:51.968 AVAST engine scan C:\Documents and Settings\All Users
14:04:39.953 Scan finished successfully
14:06:21.953 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Maxim\Desktop\MBR.dat"
14:06:21.953 The log file has been saved successfully to "C:\Documents and Settings\Maxim\Desktop\aswMBR.txt"


Re: Need to get rid of rootkit.

SystemLook 30.07.11 by jpshortstuff
Log created at 14:08 on 07/10/2011 by Maxim
Administrator - Elevation successful

========== filefind ==========

Searching for "redbook.sys"
C:\WINDOWS\$NtServicePackUninstall$\redbook.sys -----c- 57472 bytes [04:11 04/09/2008] [22:59 03/08/2004] B31B4588E4086D8D84ADBF9845C2402B
C:\WINDOWS\ServicePackFiles\i386\redbook.sys ------- 57600 bytes [20:50 22/08/2008] [18:40 13/04/2008] F828DD7E1419B6653894A8F97A0094C5
C:\WINDOWS\system32\drivers\redbook.sys --a---- 57600 bytes [00:50 22/06/2007] [18:40 13/04/2008] F1F8EE9570078585254F2552BD21398D

-= EOF =-

Re: Need to get rid of rootkit.

OK, now the final action to get rid of the last infected driver:

  • Please create a new text file in Notepad with the following contents:

    Code:

    KILLALL::
    FCopy::
    C:\WINDOWS\ServicePackFiles\i386\redbook.sys|C:\WINDOWS\system32\drivers\redbook.sys

    Folder::
    C:\Documents and Settings\Maxim\Application Data\Sun\Java\Deployment\cache\6.0\2\7a23e0c2-4e72f5bd

  • Save that file as CFScript.txt on your desktop
  • Drag and drop the CFScript.txt onto the ComboFix icon, as shown in the animation below.
    [animation: dragging CFScript.txt onto the ComboFix icon]
  • If done correctly, ComboFix will start and perform specific instructions
  • In doing so, ComboFix may request a reboot
  • Please post the contents of Combofix.txt in your next reply


After doing this, let me know how the computer is running. After all is fine, we have to uninstall the tools we used, so hang on for a bit more. This was a long ride, but it was needed because your computer was crawling with nasty stuff.
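Why the helper compared the three redbook.sys copies and then restored the ServicePackFiles one, as an added example that is not code from the thread, SystemLook or ComboFix: it parses SystemLook filefind output and flags the live driver when its size matches the Service Pack reference copy but its MD5 does not, which is the in-place patch pattern the log above showed. The sample log reproduces the thread's three lines as constructed input; the function names, verdict words and FCopy helper are this example's own.

```python
"""Detect an in-place patched Windows driver from SystemLook 'filefind' output.

Added example (not part of SystemLook, ComboFix or the thread): pairs the live
driver under system32\drivers with the reference copy under ServicePackFiles\i386
and compares size and MD5.  Verdict strings are this example's own vocabulary.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One SystemLook filefind result line looks like:
#   <path> <7 attribute flags> <size> bytes [<time 1>] [<time 2>] <MD5>
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-a-z]{7})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<ts1>[^\]]+)\]\s+\[(?P<ts2>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)

# Constructed sample: the three result lines from the thread's SystemLook log.
SAMPLE_LOG = r"""
========== filefind ==========

Searching for "redbook.sys"
C:\WINDOWS\$NtServicePackUninstall$\redbook.sys -----c- 57472 bytes [04:11 04/09/2008] [22:59 03/08/2004] B31B4588E4086D8D84ADBF9845C2402B
C:\WINDOWS\ServicePackFiles\i386\redbook.sys ------- 57600 bytes [20:50 22/08/2008] [18:40 13/04/2008] F828DD7E1419B6653894A8F97A0094C5
C:\WINDOWS\system32\drivers\redbook.sys --a---- 57600 bytes [00:50 22/06/2007] [18:40 13/04/2008] F1F8EE9570078585254F2552BD21398D

-= EOF =-
"""


@dataclass
class FileEntry:
    path: str
    attrs: str
    size: int
    md5: str  # stored upper-cased so hash comparisons ignore case


def parse_filefind(text: str) -> List[FileEntry]:
    """Return every parsable result line; headers and the EOF marker are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(FileEntry(m["path"], m["attrs"], int(m["size"]), m["md5"].upper()))
    return entries


def _find(entries: List[FileEntry], folder_fragment: str) -> Optional[FileEntry]:
    """First entry whose path contains the folder fragment (case-insensitive)."""
    frag = folder_fragment.lower()
    return next((e for e in entries if frag in e.path.lower()), None)


def assess_driver(entries: List[FileEntry]) -> Dict[str, Optional[str]]:
    """Compare the live driver with its Service Pack reference copy.

    Verdicts:
      clean      - live file hash identical to the reference copy
      patched    - same size, different hash: bytes changed in place (the
                   redbook.sys pattern in the thread's log)
      replaced   - different size and hash: the file was swapped out
      unverified - no live file or no reference copy to compare against
    """
    live = _find(entries, "\\system32\\drivers\\")
    ref = _find(entries, "\\servicepackfiles\\i386\\")
    result: Dict[str, Optional[str]] = {
        "live": live.path if live else None,
        "reference": ref.path if ref else None,
        "verdict": None,
        "fcopy": None,
    }
    if live is None or ref is None:
        result["verdict"] = "unverified"
        return result
    if live.md5 == ref.md5:
        result["verdict"] = "clean"
    elif live.size == ref.size:
        result["verdict"] = "patched"
    else:
        result["verdict"] = "replaced"
    if result["verdict"] != "clean":
        # The remediation the helper used: a ComboFix FCopy directive that
        # restores the reference copy over the live driver.
        result["fcopy"] = f"FCopy::\n{ref.path}|{live.path}"
    return result


if __name__ == "__main__":
    report = assess_driver(parse_filefind(SAMPLE_LOG))
    print(f"{report['live']}: {report['verdict']}")
    if report["fcopy"]:
        print(report["fcopy"])
```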

Re: Need to get rid of rootkit.

ComboFix 11-09-06.03 - Maxim 10/08/2011 3:50.15.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3326.2490 [GMT -4:00]
Running from: c:\documents and settings\Maxim\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Maxim\Desktop\CFScript.txt
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
--------------- FCopy ---------------
.
c:\windows\ServicePackFiles\i386\redbook.sys --> c:\windows\system32\drivers\redbook.sys
.
((((((((((((((((((((((((( Files Created from 2011-09-08 to 2011-10-08 )))))))))))))))))))))))))))))))
.
.
2011-10-04 07:00 . 2011-10-04 07:00 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Microsoft Help
2011-10-04 05:37 . 2011-10-04 05:37 -------- d-----w- c:\documents and settings\Maxim\Local Settings\Application Data\PCHealth
2011-10-03 18:58 . 2011-10-03 18:58 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2011-10-03 06:21 . 2011-10-03 06:25 -------- d-----w- C:\Commy
2011-10-03 06:19 . 2011-10-03 06:19 -------- d-----w- C:\ARK
2011-10-01 17:25 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-10-01 17:25 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2011-10-01 17:23 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-06 00:13 . 2006-02-28 12:00 42112 ----a-w- c:\windows\system32\drivers\imapi.sys
2011-10-04 07:01 . 2009-08-14 21:09 112640 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VCExpress\9.0\1033\ResourceCache.dll
2011-10-04 07:00 . 2009-08-14 21:09 416 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\MSDN\9.0\1033\ResourceCache.dll
2011-08-28 01:16 . 2011-05-14 05:48 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-15 13:29 . 2006-02-28 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2011-10-03 18:59 . 2011-05-08 01:44 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot_2011-10-04_07.23.06 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-10-08 07:56 . 2011-10-08 07:56 16384 c:\windows\temp\Perflib_Perfdata_658.dat
+ 2007-06-22 00:50 . 2008-04-13 18:40 57600 c:\windows\system32\dllcache\redbook.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 143360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2010-04-17 3872080]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [BU]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-03 68856]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-06-15 15141768]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 843776]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-10-21 29696]
"OfficeKB"="c:\progra~1\OfficeKB\OfficeKB.EXE" [2004-10-22 200704]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-09-27 13918208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-09-27 86016]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-06-02 267048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"Google Updater"="c:\program files\Google\Google Updater\GoogleUpdater.exe" [2011-06-12 161336]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10t_ActiveX.exe" [2011-07-09 240288]
.
c:\documents and settings\Maxim\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - c:\program files\OpenOffice.org 2.3\program\quickstart.exe [2007-8-17 393216]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2007-6-23 450560]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\KEM.exe [2007-6-23 581632]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Apprentice\\Appr.exe"=
"c:\\Program Files\\THQ\\Dawn of War - Dark Crusade\\DarkCrusade.exe"=
"c:\\Program Files\\THQ\\Dawn Of War\\W40kWA.exe"=
"c:\\Program Files\\THQ\\Dawn Of War\\W40k.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Documents and Settings\\Maxim\\Desktop\\Max\\Pokemon Game.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.0.8.9506-to-3.0.9.9551-enUS-downloader.exe"=
"c:\\Program Files\\Dawn of War 2\\DOW2.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0-enUS-downloader.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\aliens vs predator\\AvP_CLI.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\transformers war for cybertron\\Binaries\\TWFC.exe"=
"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer_Service.exe"=
"c:\\Program Files\\Armagetron Advanced\\armagetronad.exe"=
"c:\\Program Files\\Sony Online Entertainment\\Installed Games\\DC Universe Online Live\\UNREAL3\\BINARIES\\WIN32\\DCGAME.EXE"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Riot Games\\League of Legends\\lol.launcher.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\dawn of war 2\\DOW2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\dawn of war ii - retribution\\DOW2.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"4000:TCP"= 4000:TCP:diablo
"8375:TCP"= 8375:TCP:League of Legends Launcher
"8375:UDP"= 8375:UDP:League of Legends Launcher
"8376:TCP"= 8376:TCP:League of Legends Launcher
"8376:UDP"= 8376:UDP:League of Legends Launcher
"8377:TCP"= 8377:TCP:League of Legends Launcher
"8377:UDP"= 8377:UDP:League of Legends Launcher
"8378:TCP"= 8378:TCP:League of Legends Launcher
"8378:UDP"= 8378:UDP:League of Legends Launcher
"8379:TCP"= 8379:TCP:League of Legends Launcher
"8379:UDP"= 8379:UDP:League of Legends Launcher
"8380:TCP"= 8380:TCP:League of Legends Launcher
"8380:UDP"= 8380:UDP:League of Legends Launcher
"8381:TCP"= 8381:TCP:League of Legends Launcher
"8381:UDP"= 8381:UDP:League of Legends Launcher
"6881:TCP"= 6881:TCP:League of Legends Launcher
"6881:UDP"= 6881:UDP:League of Legends Launcher
"8382:TCP"= 8382:TCP:League of Legends Launcher
"8382:UDP"= 8382:UDP:League of Legends Launcher
"8383:TCP"= 8383:TCP:League of Legends Launcher
"8383:UDP"= 8383:UDP:League of Legends Launcher
"8393:TCP"= 8393:TCP:League of Legends Lobby
"8393:UDP"= 8393:UDP:League of Legends Lobby
"8390:TCP"= 8390:TCP:League of Legends Game Client
"8390:UDP"= 8390:UDP:League of Legends Game Client
"6929:TCP"= 6929:TCP:League of Legends Launcher
"6929:UDP"= 6929:UDP:League of Legends Launcher
.
R2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [12/10/2009 3:39 AM 65536]
R2 USmsServ;Desktop Window Manager Sessions Manager;c:\windows\Desktop Manager\dwm.exe [6/10/2011 12:48 PM 142336]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32.sys [2/27/2010 11:44 AM 57248]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/9/2009 6:35 PM 297752]
S3 B-Service;B-Service;c:\documents and settings\Maxim\Application Data\Mikogo\B-Service.exe [9/17/2010 12:13 PM 185640]
S3 bcgame;Nostromo HID Device Minidriver;c:\windows\system32\drivers\bcgame.sys --> c:\windows\system32\drivers\bcgame.sys [?]
S3 McComponentHostService;McAfee Security Scan Component Host Service;"c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe" --> c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/13/2007 12:28 AM 722416]
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-08 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-07-03 14:27]
.
2011-10-07 c:\windows\Tasks\Norton Security Scan for Maxim.job
- c:\progra~1\NORTON~2\Engine\312~1.9\Nss.exe [2011-06-09 08:19]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = localhost
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 192.168.0.1
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.3.0/GarminAxControl.CAB
FF - ProfilePath - c:\documents and settings\Maxim\Application Data\Mozilla\Firefox\Profiles\pu9jai39.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2653012&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: network.proxy.type - 0
FF - user.js: yahoo.homepage.dontask - true);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(yahoo.ytff.general.dontshowhpoffer, true);user_pref(network.protocol-handler.warn-external.dnupdate, false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-08 04:00
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(160)
c:\windows\system32\WININET.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Logitech\SetPoint\KHALMNPR.EXE
c:\program files\OpenOffice.org 2.3\program\soffice.exe
c:\program files\OpenOffice.org 2.3\program\soffice.BIN
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-10-08 04:03:50 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-08 08:03
ComboFix2.txt 2011-10-07 08:10
ComboFix3.txt 2011-10-06 16:42
ComboFix4.txt 2011-10-06 00:46
ComboFix5.txt 2011-10-08 07:50
.
Pre-Run: 126,769,295,360 bytes free
Post-Run: 126,861,365,248 bytes free
.
- - End Of File - - CD9880FE8B9B9593E0D953C232354086

Re: Need to get rid of rootkit.

Shall I run aswMBR to see if everything is gone?

Re: Need to get rid of rootkit.

Sure, why not.
I will run through the logs to see if I missed anything.

Re: Need to get rid of rootkit.

Please also run TDSSKiller again and post the report and do the following:

Please download SystemLook by jpshortstuff from one of the locations below and save it to your desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the following text into the main textfield:

:filefind
imapi.sys

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop (SystemLook.txt).
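
The check behind the `:filefind imapi.sys` request, as an added example (not SystemLook's code and not part of this thread): locate every copy of a named driver under the Windows tree and compare their contents. An in-place patched driver keeps its file name, size and creation date (the ComboFix Find3M line above shows imapi.sys modified on 2011-10-06 with its 2006 original date unchanged), so only a content comparison separates the live copy in system32\drivers from the cached copies in dllcache and ServicePackFiles\i386. Once a mismatch is confirmed, the repair is the FCopy ComboFix already performed for redbook.sys. The directory tree, the "patched" bytes and the hash values here are constructed for the demonstration; on the real machine you would point `find_copies` at the system drive.

```python
"""Find every copy of a driver under a tree and flag the copy whose hash is in the minority.

Added example: not SystemLook, not ComboFix, not code from the thread. The sample tree built
by build_sample_tree() is constructed; real use would call find_copies(r"C:\\", "imapi.sys").
"""
import hashlib
import os
import tempfile
from collections import Counter


def sha256_of(path, chunk=1 << 16):
    """Hash a file in chunks so large drivers never have to fit in memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_copies(root, filename):
    """Map every file named `filename` under `root` (case-insensitive, as on NTFS) to its SHA-256.

    Paths are returned relative to root with forward slashes so results compare across platforms.
    """
    hits = {}
    target = filename.lower()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == target:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                hits[rel] = sha256_of(full)
    return hits


def classify(copies):
    """Return (majority hash, sorted paths whose hash differs from it).

    Two untouched cache copies outvote one patched live copy; identical copies give an empty
    list. A minority vote is only a hint (a 1:1 tie picks the first copy seen), so confirm the
    suspect against a hash taken from a known-clean installation before replacing anything.
    """
    if not copies:
        return None, []
    majority, _ = Counter(copies.values()).most_common(1)[0]
    return majority, sorted(p for p, h in copies.items() if h != majority)


def build_sample_tree(root, driver="imapi.sys"):
    """Constructed sample: two pristine cache copies and a live copy with 16 bytes overwritten.

    The patched copy keeps the original length, mimicking an in-place infection of a driver.
    """
    clean = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x90" * 4096
    patched = clean[:3000] + b"\xe9" + b"\x41" * 15 + clean[3016:]
    layout = {
        os.path.join("WINDOWS", "system32", "drivers", driver): patched,
        os.path.join("WINDOWS", "system32", "dllcache", driver): clean,
        os.path.join("WINDOWS", "ServicePackFiles", "i386", driver): clean,
    }
    for rel, data in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return root


def run_demo(driver="imapi.sys"):
    """Build the sample tree, compare all copies of `driver`, print a table, return the outliers."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root, driver)
        copies = find_copies(root, driver)
        _majority, outliers = classify(copies)
        for rel, digest in sorted(copies.items()):
            mark = "DIFFERS" if rel in outliers else "ok"
            print(f"{mark:8} {digest[:16]}  {rel}")
        return outliers


if __name__ == "__main__":
    run_demo()
```

The same idea applies to the MD5 column TDSSKiller prints for each driver: the value it shows for the live imapi.sys can be compared with the hash of the dllcache or ServicePackFiles copy without any extra tooling.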

Re: Need to get rid of rootkit.

aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-10-06 13:01:44
-----------------------------
13:01:44.734 OS Version: Windows 5.1.2600 Service Pack 3
13:01:44.734 Number of processors: 2 586 0x4B02
13:01:44.734 ComputerName: MAXIM-9C1E76C15 UserName: Maxim
13:01:45.234 Initialize success
13:02:41.390 AVAST engine defs: 11090500
13:02:58.500 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000069
13:02:58.500 Disk 0 Vendor: WDC_WD3200AAKS-00L9A0 01.03E01 Size: 305245MB BusType: 3
13:03:00.500 Disk 0 MBR read successfully
13:03:00.500 Disk 0 MBR scan
13:03:00.531 Disk 0 Windows XP default MBR code
13:03:00.531 Disk 0 scanning sectors +625137345
13:03:00.562 Disk 0 malicious Win32:MBRoot code @ sector 625137348 !
13:03:00.562 Disk 0 PE file @ sector 625137370 !
13:03:00.593 Disk 0 scanning C:\WINDOWS\system32\drivers
13:03:06.531 File: C:\WINDOWS\system32\drivers\redbook.sys **INFECTED** Win32:Alureon-AJI [Rtk]
13:03:08.656 Service scanning
13:03:09.453 Modules scanning
13:03:13.140 Disk 0 trace - called modules:
13:03:13.171 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll nvata.sys
13:03:13.171 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8adc6ab8]
13:03:13.171 3 CLASSPNP.SYS[b80e8fd7] -> nt!IofCallDriver -> \Device\0000006a[0x8ae11f18]
13:03:13.171 5 ACPI.sys[b7f7f620] -> nt!IofCallDriver -> \Device\00000069[0x8adc6030]
13:03:14.046 AVAST engine scan C:\WINDOWS
13:03:53.093 AVAST engine scan C:\WINDOWS\system32
13:05:32.937 AVAST engine scan C:\WINDOWS\system32\drivers
13:05:39.125 File: C:\WINDOWS\system32\drivers\redbook.sys **INFECTED** Win32:Alureon-AJI [Rtk]
13:05:44.953 AVAST engine scan C:\Documents and Settings\Maxim
13:08:31.781 File: C:\Documents and Settings\Maxim\Application Data\Sun\Java\Deployment\cache\6.0\2\7a23e0c2-4e72f5bd **INFECTED** Win32:FakeAV-CFZ [Trj]
13:28:07.828 File: C:\Documents and Settings\Maxim\Desktop\RK_Quarantine\dwm.exe.vir **INFECTED** Win32:Malware-gen
13:32:58.375 AVAST engine scan C:\Documents and Settings\All Users
13:34:39.437 Scan finished successfully
13:35:42.796 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Maxim\Desktop\MBR.dat"
13:35:42.796 The log file has been saved successfully to "C:\Documents and Settings\Maxim\Desktop\aswMBR.txt"


aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-10-07 04:36:07
-----------------------------
04:36:07.140 OS Version: Windows 5.1.2600 Service Pack 3
04:36:07.140 Number of processors: 2 586 0x4B02
04:36:07.140 ComputerName: MAXIM-9C1E76C15 UserName: Maxim
04:36:07.796 Initialize success
04:37:33.359 AVAST engine defs: 11090501
13:32:40.312 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000069
13:32:40.312 Disk 0 Vendor: WDC_WD3200AAKS-00L9A0 01.03E01 Size: 305245MB BusType: 3
13:32:42.328 Disk 0 MBR read successfully
13:32:42.328 Disk 0 MBR scan
13:32:42.375 Disk 0 Windows XP default MBR code
13:32:42.375 Disk 0 scanning sectors +625137345
13:32:42.406 Disk 0 malicious Win32:MBRoot code @ sector 625137348 !
13:32:42.406 Disk 0 PE file @ sector 625137370 !
13:32:42.437 Disk 0 scanning C:\WINDOWS\system32\drivers
13:32:47.906 File: C:\WINDOWS\system32\drivers\redbook.sys **INFECTED** Win32:Alureon-AJI [Rtk]
13:32:51.187 Service scanning
13:32:51.968 Modules scanning
13:32:55.734 Disk 0 trace - called modules:
13:32:56.265 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll nvata.sys
13:32:56.265 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8addbab8]
13:32:56.265 3 CLASSPNP.SYS[b80e8fd7] -> nt!IofCallDriver -> \Device\0000006a[0x8adf7f18]
13:32:56.265 5 ACPI.sys[b7f7f620] -> nt!IofCallDriver -> \Device\00000069[0x8addb030]
13:32:57.734 AVAST engine scan C:\WINDOWS
13:33:14.468 AVAST engine scan C:\WINDOWS\system32
13:34:46.343 AVAST engine scan C:\WINDOWS\system32\drivers
13:34:52.890 File: C:\WINDOWS\system32\drivers\redbook.sys **INFECTED** Win32:Alureon-AJI [Rtk]
13:34:59.468 AVAST engine scan C:\Documents and Settings\Maxim
13:37:48.421 File: C:\Documents and Settings\Maxim\Application Data\Sun\Java\Deployment\cache\6.0\2\7a23e0c2-4e72f5bd **INFECTED** Win32:FakeAV-CFZ [Trj]
14:02:51.968 AVAST engine scan C:\Documents and Settings\All Users
14:04:39.953 Scan finished successfully
14:06:21.953 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Maxim\Desktop\MBR.dat"
14:06:21.953 The log file has been saved successfully to "C:\Documents and Settings\Maxim\Desktop\aswMBR.txt"


aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-10-08 12:55:08
-----------------------------
12:55:08.828 OS Version: Windows 5.1.2600 Service Pack 3
12:55:08.828 Number of processors: 2 586 0x4B02
12:55:08.828 ComputerName: MAXIM-9C1E76C15 UserName: Maxim
12:55:09.218 Initialize success
12:56:53.890 AVAST engine defs: 11090700
12:58:20.234 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000069
12:58:20.234 Disk 0 Vendor: WDC_WD3200AAKS-00L9A0 01.03E01 Size: 305245MB BusType: 3
12:58:22.250 Disk 0 MBR read successfully
12:58:22.250 Disk 0 MBR scan
12:58:22.281 Disk 0 Windows XP default MBR code
12:58:22.281 Disk 0 scanning sectors +625137345
12:58:22.312 Disk 0 malicious Win32:MBRoot code @ sector 625137348 !
12:58:22.312 Disk 0 PE file @ sector 625137370 !
12:58:22.359 Disk 0 scanning C:\WINDOWS\system32\drivers
12:58:31.062 Service scanning
12:58:31.859 Modules scanning
12:58:34.984 Disk 0 trace - called modules:
12:58:35.015 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll nvata.sys
12:58:35.515 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8add3ab8]
12:58:35.515 3 CLASSPNP.SYS[b80e8fd7] -> nt!IofCallDriver -> \Device\0000006a[0x8adf7f18]
12:58:35.515 5 ACPI.sys[b7f7f620] -> nt!IofCallDriver -> \Device\00000069[0x8add3030]
12:58:36.140 AVAST engine scan C:\WINDOWS
12:58:53.031 AVAST engine scan C:\WINDOWS\system32
13:00:26.703 AVAST engine scan C:\WINDOWS\system32\drivers
13:00:38.640 AVAST engine scan C:\Documents and Settings\Maxim
13:03:20.531 File: C:\Documents and Settings\Maxim\Application Data\Sun\Java\Deployment\cache\6.0\2\7a23e0c2-4e72f5bd **INFECTED** Win32:FakeAV-CFZ [Trj]
13:28:15.718 AVAST engine scan C:\Documents and Settings\All Users
13:29:56.125 Scan finished successfully
13:38:14.062 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Maxim\Desktop\MBR.dat"
13:38:14.062 The log file has been saved successfully to "C:\Documents and Settings\Maxim\Desktop\aswMBR.txt"
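
Reading the three runs together, as an added example (not aswMBR's code and not part of the thread): the script below parses the `**INFECTED**` file lines and the `... @ sector N` lines from each run, reports which findings were cleared between the first and last run and which persist, and places a persistent sector relative to the end of the disk using the `Size: 305245MB` line (aswMBR's figure is in MiB and truncated, so the sector total is approximate to within 2048 sectors; 512-byte sectors assumed). The log text embedded below is a constructed, abridged copy of the three runs above, keeping one line per finding.

```python
"""Diff findings across repeated aswMBR runs and locate a persistent sector on the disk.

Added example; not aswMBR's own output format documentation and not code from the thread.
SAMPLE_LOG is a constructed, abridged copy of the three runs posted above.
"""
import re

SAMPLE_LOG = r"""
aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-10-06 13:01:44
13:02:58.500 Disk 0 Vendor: WDC_WD3200AAKS-00L9A0 01.03E01 Size: 305245MB BusType: 3
13:03:00.531 Disk 0 scanning sectors +625137345
13:03:00.562 Disk 0 malicious Win32:MBRoot code @ sector 625137348 !
13:03:00.562 Disk 0 PE file @ sector 625137370 !
13:03:06.531 File: C:\WINDOWS\system32\drivers\redbook.sys **INFECTED** Win32:Alureon-AJI [Rtk]
13:08:31.781 File: C:\Documents and Settings\Maxim\Application Data\Sun\Java\Deployment\cache\6.0\2\7a23e0c2-4e72f5bd **INFECTED** Win32:FakeAV-CFZ [Trj]
13:28:07.828 File: C:\Documents and Settings\Maxim\Desktop\RK_Quarantine\dwm.exe.vir **INFECTED** Win32:Malware-gen
13:34:39.437 Scan finished successfully
aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-10-07 04:36:07
13:32:40.312 Disk 0 Vendor: WDC_WD3200AAKS-00L9A0 01.03E01 Size: 305245MB BusType: 3
13:32:42.406 Disk 0 malicious Win32:MBRoot code @ sector 625137348 !
13:32:42.406 Disk 0 PE file @ sector 625137370 !
13:32:47.906 File: C:\WINDOWS\system32\drivers\redbook.sys **INFECTED** Win32:Alureon-AJI [Rtk]
13:37:48.421 File: C:\Documents and Settings\Maxim\Application Data\Sun\Java\Deployment\cache\6.0\2\7a23e0c2-4e72f5bd **INFECTED** Win32:FakeAV-CFZ [Trj]
14:04:39.953 Scan finished successfully
aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-10-08 12:55:08
12:58:20.234 Disk 0 Vendor: WDC_WD3200AAKS-00L9A0 01.03E01 Size: 305245MB BusType: 3
12:58:22.312 Disk 0 malicious Win32:MBRoot code @ sector 625137348 !
12:58:22.312 Disk 0 PE file @ sector 625137370 !
13:03:20.531 File: C:\Documents and Settings\Maxim\Application Data\Sun\Java\Deployment\cache\6.0\2\7a23e0c2-4e72f5bd **INFECTED** Win32:FakeAV-CFZ [Trj]
13:29:56.125 Scan finished successfully
"""

RUN_DATE = re.compile(r"^Run date: (.+)$")
DISK_SIZE = re.compile(r"Disk (\d+) Vendor: .* Size: (\d+)MB")
SECTOR_HIT = re.compile(r"Disk (\d+) (malicious \S+ code|PE file) @ sector (\d+)")
FILE_HIT = re.compile(r"File: (.+?) \*\*INFECTED\*\* (\S+)")


def parse_runs(text):
    """Split a concatenated aswMBR log into runs: date, disk sizes (MiB) and a set of findings."""
    runs = []
    for line in text.splitlines():
        if line.startswith("aswMBR version"):
            runs.append({"date": None, "disk_mb": {}, "findings": set()})
            continue
        if not runs:
            continue
        run = runs[-1]
        if m := RUN_DATE.match(line):
            run["date"] = m.group(1).strip()
        elif m := DISK_SIZE.search(line):
            run["disk_mb"][int(m.group(1))] = int(m.group(2))
        elif m := SECTOR_HIT.search(line):
            run["findings"].add(("sector", int(m.group(1)), int(m.group(3)), m.group(2)))
        elif m := FILE_HIT.search(line):
            run["findings"].add(("file", m.group(1), m.group(2)))
    return runs


def compare(earlier, later):
    """Return (cleared, newly appeared, persistent) finding sets between two runs."""
    a, b = earlier["findings"], later["findings"]
    return a - b, b - a, a & b


def sector_position(sector, size_mb, sector_bytes=512):
    """(approximate total sectors, sectors between `sector` and the disk end) for a size_mb MiB disk."""
    total = size_mb * 1024 * 1024 // sector_bytes
    return total, total - sector


def report(text):
    """Human-readable summary of what changed between the first and the last run."""
    runs = parse_runs(text)
    cleared, new, persistent = compare(runs[0], runs[-1])
    lines = [f"{len(runs)} runs, {runs[0]['date']} -> {runs[-1]['date']}"]
    lines += [f"cleared:    {f}" for f in sorted(cleared, key=str)]
    lines += [f"NEW:        {f}" for f in sorted(new, key=str)]
    for f in sorted(persistent, key=str):
        lines.append(f"PERSISTENT: {f}")
        if f[0] == "sector":
            total, from_end = sector_position(f[2], runs[-1]["disk_mb"][f[1]])
            lines.append(f"            sector {f[2]} of ~{total}: {from_end} sectors "
                         f"({from_end * 512 // 1024} KiB) before the end of disk {f[1]}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Two things fall out of the diff. The redbook.sys detection disappears after the ComboFix run that copied a clean redbook.sys from ServicePackFiles (the FCopy line in the log above), and the quarantined dwm.exe.vir is gone, but the code at sector 625137348 and the PE image at sector 625137370 are reported identically in all three runs, as is the cached Java applet. Those sectors sit about 4,412 sectors (roughly 2 MiB) before the end of the drive, right where aswMBR began its tail scan (`scanning sectors +625137345`), which is outside any partition and consistent with a bootkit keeping its payload in the unpartitioned end of the disk; the MBR itself is reported as default Windows XP code each time. That persistent tail finding, not the boot sector, is what the follow-up TDSSKiller run needs to address.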


Re: Need to get rid of rootkit.

2011/09/07 13:39:19.0078 1404 TDSS rootkit removing tool 2.5.19.0 Sep 6 2011 19:23:56
2011/09/07 13:39:19.0296 1404 ================================================================================
2011/09/07 13:39:19.0296 1404 SystemInfo:
2011/09/07 13:39:19.0296 1404
2011/09/07 13:39:19.0296 1404 OS Version: 5.1.2600 ServicePack: 3.0
2011/09/07 13:39:19.0296 1404 Product type: Workstation
2011/09/07 13:39:19.0296 1404 ComputerName: MAXIM-9C1E76C15
2011/09/07 13:39:19.0296 1404 UserName: Maxim
2011/09/07 13:39:19.0296 1404 Windows directory: C:\WINDOWS
2011/09/07 13:39:19.0296 1404 System windows directory: C:\WINDOWS
2011/09/07 13:39:19.0296 1404 Processor architecture: Intel x86
2011/09/07 13:39:19.0296 1404 Number of processors: 2
2011/09/07 13:39:19.0296 1404 Page size: 0x1000
2011/09/07 13:39:19.0296 1404 Boot type: Normal boot
2011/09/07 13:39:19.0296 1404 ================================================================================
2011/09/07 13:39:19.0484 1404 Initialize success
2011/09/07 13:39:24.0937 3440 ================================================================================
2011/09/07 13:39:24.0937 3440 Scan started
2011/09/07 13:39:24.0937 3440 Mode: Manual;
2011/09/07 13:39:24.0937 3440 ================================================================================
2011/09/07 13:39:26.0062 3440 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/09/07 13:39:26.0109 3440 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/09/07 13:39:26.0156 3440 ADIHdAudAddService (ab0d9669bab1009e48cc91117e59912b) C:\WINDOWS\system32\drivers\ADIHdAud.sys
2011/09/07 13:39:26.0187 3440 AEAudio (03be587e90c8b37c7ff1fe2e9c1d1c90) C:\WINDOWS\system32\drivers\AEAudio.sys
2011/09/07 13:39:26.0250 3440 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/09/07 13:39:26.0296 3440 AFD (355556d9e580915118cd7ef736653a89) C:\WINDOWS\System32\drivers\afd.sys
2011/09/07 13:39:26.0390 3440 AmdK8 (0a4d13b388c814560bd69c3a496ecfa8) C:\WINDOWS\system32\DRIVERS\AmdK8.sys
2011/09/07 13:39:26.0500 3440 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/09/07 13:39:26.0531 3440 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/09/07 13:39:26.0578 3440 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/09/07 13:39:26.0609 3440 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/09/07 13:39:26.0640 3440 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/09/07 13:39:26.0671 3440 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/09/07 13:39:26.0703 3440 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/09/07 13:39:26.0703 3440 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/09/07 13:39:26.0718 3440 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/09/07 13:39:26.0843 3440 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/09/07 13:39:26.0890 3440 DKbFltr (75ad9beb6d4b6bbcb39bfaba454ea05a) C:\WINDOWS\system32\DRIVERS\DKbFltr.sys
2011/09/07 13:39:26.0968 3440 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/09/07 13:39:27.0000 3440 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/09/07 13:39:27.0015 3440 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/09/07 13:39:27.0031 3440 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/09/07 13:39:27.0062 3440 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/09/07 13:39:27.0093 3440 ENTECH (16ebd8bf1d5090923694cc972c7ce1b4) C:\WINDOWS\system32\DRIVERS\ENTECH.sys
2011/09/07 13:39:27.0109 3440 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/09/07 13:39:27.0125 3440 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/09/07 13:39:27.0171 3440 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/09/07 13:39:27.0187 3440 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/09/07 13:39:27.0187 3440 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/09/07 13:39:27.0265 3440 fssfltr (e0087225b137e57239ff40f8ae82059b) C:\WINDOWS\system32\DRIVERS\fssfltr_tdi.sys
2011/09/07 13:39:27.0281 3440 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/09/07 13:39:27.0296 3440 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/09/07 13:39:27.0328 3440 GEARAspiWDM (5dc17164f66380cbfefd895c18467773) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
2011/09/07 13:39:27.0359 3440 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/09/07 13:39:27.0406 3440 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/09/07 13:39:27.0453 3440 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/09/07 13:39:27.0531 3440 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/09/07 13:39:27.0562 3440 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/09/07 13:39:27.0578 3440 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/09/07 13:39:27.0625 3440 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/09/07 13:39:27.0671 3440 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/09/07 13:39:27.0687 3440 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/09/07 13:39:27.0718 3440 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/09/07 13:39:27.0734 3440 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/09/07 13:39:27.0750 3440 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/09/07 13:39:27.0765 3440 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/09/07 13:39:27.0781 3440 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/09/07 13:39:27.0796 3440 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/09/07 13:39:27.0828 3440 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/09/07 13:39:27.0890 3440 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/09/07 13:39:27.0953 3440 L8042mou (efcc6d56fe8ba50bb7ecf300b60a66a3) C:\WINDOWS\system32\DRIVERS\L8042mou.Sys
2011/09/07 13:39:27.0968 3440 LHidKe (452ecfc32a4b5d9a761e113f149e1b9e) C:\WINDOWS\system32\DRIVERS\LHidKE.Sys
2011/09/07 13:39:28.0015 3440 LHidUsbK (9c92312dd1ab42e627710fb89bbbcd1e) C:\WINDOWS\system32\Drivers\LHidUsbK.Sys
2011/09/07 13:39:28.0031 3440 LMouKE (95871e8c4aecfed95f884d2d10b8bcfb) C:\WINDOWS\system32\DRIVERS\LMouKE.Sys
2011/09/07 13:39:28.0078 3440 mcdbus (8fd868e32459ece2a1bb0169f513d31e) C:\WINDOWS\system32\DRIVERS\mcdbus.sys
2011/09/07 13:39:28.0093 3440 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/09/07 13:39:28.0125 3440 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/09/07 13:39:28.0140 3440 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/09/07 13:39:28.0171 3440 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/09/07 13:39:28.0171 3440 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/09/07 13:39:28.0203 3440 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/09/07 13:39:28.0265 3440 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/09/07 13:39:28.0281 3440 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/09/07 13:39:28.0296 3440 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/09/07 13:39:28.0312 3440 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/09/07 13:39:28.0328 3440 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/09/07 13:39:28.0375 3440 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/09/07 13:39:28.0437 3440 MTsensor (d48659bb24c48345d926ecb45c1ebdf5) C:\WINDOWS\system32\DRIVERS\ASACPI.sys
2011/09/07 13:39:28.0484 3440 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
2011/09/07 13:39:28.0515 3440 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/09/07 13:39:28.0578 3440 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/09/07 13:39:28.0593 3440 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/09/07 13:39:28.0593 3440 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/09/07 13:39:28.0625 3440 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/09/07 13:39:28.0640 3440 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/09/07 13:39:28.0703 3440 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/09/07 13:39:28.0734 3440 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/09/07 13:39:28.0765 3440 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/09/07 13:39:28.0781 3440 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/09/07 13:39:28.0968 3440 nv (4c3696c1ed1a36629ebb348bf745a328) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2011/09/07 13:39:29.0109 3440 nvata (4d6c6b46b3edf6f2e219a86b61d104ae) C:\WINDOWS\system32\DRIVERS\nvata.sys
2011/09/07 13:39:29.0140 3440 NVENETFD (1b83b60541be1b6db81641c448007f21) C:\WINDOWS\system32\DRIVERS\NVENETFD.sys
2011/09/07 13:39:29.0156 3440 NVHDA (cf68bcac297b4c98c1d25b81e4011de4) C:\WINDOWS\system32\drivers\nvhda32.sys
2011/09/07 13:39:29.0187 3440 nvnetbus (57b669f9234604a350174b86764444b0) C:\WINDOWS\system32\DRIVERS\nvnetbus.sys
2011/09/07 13:39:29.0234 3440 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/09/07 13:39:29.0250 3440 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/09/07 13:39:29.0281 3440 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/09/07 13:39:29.0296 3440 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/09/07 13:39:29.0312 3440 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/09/07 13:39:29.0328 3440 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/09/07 13:39:29.0390 3440 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/09/07 13:39:29.0421 3440 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/09/07 13:39:29.0515 3440 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/09/07 13:39:29.0531 3440 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2011/09/07 13:39:29.0546 3440 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/09/07 13:39:29.0593 3440 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/09/07 13:39:29.0593 3440 PxHelp20 (d86b4a68565e444d76457f14172c875a) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/09/07 13:39:29.0671 3440 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/09/07 13:39:29.0687 3440 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/09/07 13:39:29.0703 3440 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/09/07 13:39:29.0703 3440 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/09/07 13:39:29.0718 3440 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/09/07 13:39:29.0734 3440 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/09/07 13:39:29.0765 3440 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/09/07 13:39:29.0812 3440 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/09/07 13:39:29.0859 3440 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/09/07 13:39:29.0921 3440 SenFiltService (b6a6b409fda9d9ebd3aadb838d3d7173) C:\WINDOWS\system32\drivers\Senfilt.sys
2011/09/07 13:39:29.0984 3440 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/09/07 13:39:30.0000 3440 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/09/07 13:39:30.0046 3440 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/09/07 13:39:30.0109 3440 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/09/07 13:39:30.0171 3440 sptd (a80cd850d69d996c832bea37e3a6aa1e) C:\WINDOWS\system32\Drivers\sptd.sys
2011/09/07 13:39:30.0203 3440 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/09/07 13:39:30.0234 3440 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/09/07 13:39:30.0281 3440 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/09/07 13:39:30.0281 3440 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/09/07 13:39:30.0390 3440 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/09/07 13:39:30.0406 3440 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/09/07 13:39:30.0437 3440 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/09/07 13:39:30.0453 3440 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/09/07 13:39:30.0500 3440 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/09/07 13:39:30.0578 3440 tmcomm (df8444a8fa8fd38d8848bdd40a8403b3) C:\WINDOWS\system32\drivers\tmcomm.sys
2011/09/07 13:39:30.0609 3440 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/09/07 13:39:30.0656 3440 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/09/07 13:39:30.0703 3440 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/09/07 13:39:30.0718 3440 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/09/07 13:39:30.0734 3440 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/09/07 13:39:30.0750 3440 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
2011/09/07 13:39:30.0781 3440 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/09/07 13:39:30.0812 3440 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/09/07 13:39:30.0828 3440 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/09/07 13:39:30.0875 3440 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/09/07 13:39:30.0890 3440 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/09/07 13:39:30.0921 3440 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/09/07 13:39:31.0015 3440 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
2011/09/07 13:39:31.0046 3440 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/09/07 13:39:31.0062 3440 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/09/07 13:39:31.0093 3440 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
2011/09/07 13:39:31.0140 3440 Boot (0x1200) (a1f9dcc0fd9defc49250b0a65e3a23b9) \Device\Harddisk0\DR0\Partition0
2011/09/07 13:39:31.0156 3440 ================================================================================
2011/09/07 13:39:31.0156 3440 Scan finished
2011/09/07 13:39:31.0156 3440 ================================================================================
2011/09/07 13:39:31.0171 3860 Detected object count: 0
2011/09/07 13:39:31.0171 3860 Actual detected object count: 0

Re: Need to get rid of rootkit.

Well, looks like we beat it!

There is some trace left - you should navigate to this folder:
C:\Documents and Settings\Maxim\Application Data\Sun\Java\Deployment\cache\6.0\2

and whatever is present in that "2" folder ==> delete it.

====================

Time to uninstall used tools.

  • Go to Start > Run and type or copy/paste Combofix /uninstall (note the space before the "/").
  • Double-click OTL.exe to run it again and click the CleanUp button.
  • If we used any other tools and they still remain on your desktop, please delete them manually.

====================

Do you have any more questions or do you want to see my ALORTKYCC (Awesome List Of Recommendations To Keep Your Computer Clean)?

Re: Need to get rid of rootkit.

I would like your ALORTKYCC. Also other questions may follow later, let me think about it please. Thank you for your help.

Re: Need to get rid of rootkit.

All right! Here follows my ALORTKYCC (Awesome List Of Recommendations To Keep Your Computer Clean):

1) Keep your Windows up-to-date. Windows Autoupdate should be ON (see Start >> Control Panel >> Security Center). An alternative way (but more time-consuming) is to periodically visit http://windowsupdate.microsoft.com. Hackers are looking every day for new security holes. Microsoft keeps patching them. You cannot fall behind in this race, it will make your system vulnerable.

2) For your average daily computer activities, use a limited/standard user account, not an administrator account. If you use Vista/WIN7 do not disable User Account Control (UAC). You would be amazed to know how much malware can't touch you if you deny it admin rights. Create a separate password-protected administrator account that you use for admin activities, like (un)installing software.

3) Use a good antivirus. There are various free ones, you cannot go wrong with either of the following three:
  • Panda Cloud Antivirus. If you want your antivirus to be light on resources, I recommend Panda. Install without the toolbar.
  • Ad-Aware Free Internet Security has received great reviews from leading security analysts.
  • Avast! is a very complete antivirus, with modules like mailscanner and webshield.

4) If your computer has 1GB system memory or more, you should install a third party firewall, to replace the weak Windows Firewall. I recommend:

Note: you should run only ONE antivirus and ONE firewall. Running multiples of either is bad, it will cause slowdowns and/or conflicts.

5) Miscellaneous advice:
  • Stay away from cracks and keygens (look here for the why). Get free software instead. Gizmo is an excellent source of freeware reviews.
  • Navigate safely. Google Chrome is the safest browser available. However, Mozilla Firefox can be made extremely safe with the NoScript addon. Internet Explorer (always use the last version) can be made a lot safer with Spywareblaster (manual here).
  • The WOT (Webs Of Trust) addon will help you to stay on reliable webpages.
  • WinPatrol alerts you when changes are made in vital system areas. Especially good on light systems not running a third party firewall.
  • Make sure you have ways to recuperate your operating system and vital other data if it gets frustrated by malware and/or other problems. A Windows setup CD and recent backups/disk images will be priceless, if you find yourself in an unexpected tight spot.

Finally: did we help you? Help us back!

Re: Need to get rid of rootkit.

I think we did not fully manage the infection. Some more problems arose with my computer and I ran a MBAM scan and it found nothing, so I ran the ESET online scanner and here is what it found:

C:\Documents and Settings\LocalService\Application Data\Sun\Java\Deployment\cache\6.0\24\1b20b198-2845a65f a variant of Win32/Kryptik.SPH trojan cleaned by deleting - quarantined
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\2\126b69c2-203b0280 Java/Agent.DJ trojan deleted - quarantined
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\20\3b4ce654-63949c6c Java/Agent.DJ trojan deleted - quarantined
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\34\27299ae2-2aad74da a variant of Win32/Kryptik.SHQ trojan cleaned by deleting - quarantined
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\39\4c67b7e7-1c84e586 a variant of Win32/Kryptik.SIS trojan cleaned by deleting - quarantined
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\47\276507af-3dde0e1b Java/Agent.DJ trojan deleted - quarantined
C:\iTunes\iTunesHelper.exe a variant of Win32/TrojanDownloader.Tunahlp.B trojan cleaned by deleting - quarantined
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE Win32/Patched.HN trojan error while cleaning
C:\Qoobox\Quarantine\C\Documents and Settings\Maxim\Desktop\RK_Quarantine\dwm.exe.vir.vir Win32/TrojanDownloader.Agent.QXA trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Documents and Settings\Maxim\Local Settings\Application Data\lhh .exe.vir probably a variant of Win32/Agent.HZOPRRM trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Local Settings\Application Data\roe.exe.vir a variant of Win32/Kryptik.SIS trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\process\FC78BA656AF.exe.vir a variant of Win32/Injector.IYC trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE.vir Win32/Patched.HN trojan cleaned - quarantined
C:\Qoobox\Quarantine\C\Program Files\iPod\bin\iPodService.exe.vir Win32/Patched.HN trojan cleaned - quarantined
C:\Qoobox\Quarantine\C\Program Files\Java\jre6\bin\jqs.exe.vir Win32/Patched.HN trojan cleaned - quarantined
C:\Qoobox\Quarantine\C\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe.vir Win32/Patched.HN trojan cleaned - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\assembly\GAC_MSIL\desktop.ini.vir Win32/Sirefef.CH trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe.vir Win32/Patched.HN trojan cleaned - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\nvsvc32.exe.vir Win32/Patched.HN trojan cleaned - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\wuauclt.exe.vir Win32/Patched.HN trojan cleaned - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\redbook.sys.vir Win32/Sirefef.CV trojan cleaned by deleting - quarantined
C:\RECYCLER\S-1-5-21-1417001333-1801674531-839522115-1004\Dc5 probably a variant of Win32/Agent.LQRXYJI trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP477\A0067861.exe probably a variant of Win32/Agent.LQRXYJI trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP479\A0074921.exe a variant of Win32/Kryptik.SHQ trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP479\A0074922.exe a variant of Win32/Kryptik.SHQ trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP481\A0077036.exe probably a variant of Win32/Agent.HZOPRRM trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP481\A0077044.exe a variant of Win32/Injector.IYC trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP483\A0079091.sys a variant of Win32/Rootkit.Kryptik.DM trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP483\A0079092.ini Win32/Sirefef.CH trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP484\A0081362.exe a variant of Win32/Kryptik.SIS trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP484\A0081363.ini Win32/Sirefef.CH trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP484\A0081368.exe Win32/Patched.HN trojan cleaned - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP484\A0081369.exe Win32/Patched.HN trojan cleaned - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP484\A0081370.exe Win32/Patched.HN trojan cleaned - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP484\A0081371.EXE Win32/Patched.HN trojan cleaned - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP484\A0082329.sys a variant of Win32/Rootkit.Kryptik.DM trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP485\A0082889.sys a variant of Win32/Rootkit.Kryptik.DM trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP486\A0083033.ini Win32/Sirefef.CH trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP486\A0083034.exe Win32/Patched.HN trojan cleaned - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP486\A0083035.exe Win32/Patched.HN trojan cleaned - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP486\A0083036.exe Win32/Patched.HN trojan cleaned - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP486\A0083037.exe Win32/Patched.HN trojan cleaned - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP486\A0083038.EXE Win32/Patched.HN trojan cleaned - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP486\A0083889.sys a variant of Win32/Rootkit.Kryptik.DM trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP488\A0083973.sys a variant of Win32/Rootkit.Kryptik.DM trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP488\A0084016.ini Win32/Sirefef.CH trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP488\A0084020.exe Win32/Patched.HN trojan cleaned - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP488\A0084021.exe Win32/Patched.HN trojan cleaned - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP488\A0084022.exe Win32/Patched.HN trojan cleaned - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP488\A0084023.exe Win32/Patched.HN trojan cleaned - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP488\A0084024.exe Win32/Patched.HN trojan cleaned - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP488\A0084025.EXE Win32/Patched.HN trojan cleaned - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP491\A0084522.sys Win32/Sirefef.CV trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP515\A0087741.exe a variant of Win32/TrojanDownloader.Tunahlp.B trojan cleaned by deleting - quarantined
C:\WINDOWS\Desktop Manager\dwm.exe Win32/TrojanDownloader.Agent.QXA trojan cleaned by deleting - quarantined
C:\WINDOWS\temp\31.tmpj a variant of Win32/TrojanDownloader.Tunahlp.A trojan cleaned by deleting - quarantined
Operating memory Win32/Patched.HN trojan

Re: Need to get rid of rootkit.

Most of that stuff is dead bodies that were already disabled, but not everything.

We're going to run a bunch of scans and a cleaner.

  • Please download TFC (Temp File Cleaner) by OldTimer from here and save it to your desktop.
  • Close all programs before proceeding with the next step.
  • Double-click TFC.exe to start the cleaning process and allow it to run.
  • Depending on the number of files that need to be deleted this can take seconds or up to several minutes.
  • If requested, allow TFC to reboot your computer to finish the cleaning process.

====================

Time to use ComboFix by sUBs, a powerful tool that you are advised not to run without supervision of a trained malware helper. Please visit this webpage and read the tutorial on using ComboFix very carefully. After that download the tool and save it to your desktop.

Double-click ComboFix.exe to run the tool. Please post its log back here.

====================

Please download aswMBR by Alwil Software from here and save it to your desktop.

  • Double-click aswMBR.exe to run the tool
  • Click the Scan button to start the scan
  • Don't panic if you see any **Rootkit** entries. The tool sometimes produces false alarms.
  • Once the scan finishes click Save log to save the log to your desktop
  • Copy and paste the contents of this log (aswMBR.txt) into your next reply.

====================

  • Download TDSSKiller by Kaspersky from here and save it to your desktop
  • Double-click TDSSKiller.exe to run the tool
  • Click the Start Scan button
  • After the scan has finished, click the Close button
  • Click the Report button and copy/paste the contents of it into your next reply
  • The report can also be found in the root of your Windows drive (most likely C:\).

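The ESET list posted above mixes live detections with leftovers, which is the distinction the reply draws with "dead bodies". The script below is an added example, not part of this thread and not ESET's or ComboFix's own tooling: it parses lines in the shape of that log and sorts each hit by where it was found. Hits inside ComboFix's Qoobox quarantine, inside System Restore snapshots or in the Recycle Bin are inert copies of files already removed, while a hit on a regular file, a cleaning error, or a hit in running memory still needs action. The bucket names and the needs_attention rule are my own assumptions; the sample lines are copied from the log above.

```python
import re
from collections import Counter

# Sample input: lines copied from the ESET Online Scanner log posted in this
# thread (a representative subset; the full log has many more restore-point hits).
ESET_LOG = r"""
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\2\126b69c2-203b0280 Java/Agent.DJ trojan deleted - quarantined
C:\iTunes\iTunesHelper.exe a variant of Win32/TrojanDownloader.Tunahlp.B trojan cleaned by deleting - quarantined
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE Win32/Patched.HN trojan error while cleaning
C:\Qoobox\Quarantine\C\Documents and Settings\Maxim\Local Settings\Application Data\lhh .exe.vir probably a variant of Win32/Agent.HZOPRRM trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\redbook.sys.vir Win32/Sirefef.CV trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{67B3C756-D887-4359-B4D9-A09C29921E96}\RP484\A0082329.sys a variant of Win32/Rootkit.Kryptik.DM trojan cleaned by deleting - quarantined
C:\RECYCLER\S-1-5-21-1417001333-1801674531-839522115-1004\Dc5 probably a variant of Win32/Agent.LQRXYJI trojan cleaned by deleting - quarantined
Operating memory Win32/Patched.HN trojan
"""

# One log line is "<path> [probably ][a variant of ]<family> trojan [<action>]".
# The path may contain spaces, so it is matched non-greedily up to the first
# token that looks like a detection family ("Win32/...", "Java/...").
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<qualifier>(?:probably )?a variant of )?"
    r"(?P<family>[A-Za-z0-9]+/[A-Za-z0-9._]+) trojan"
    r"(?: (?P<action>.+))?$"
)


def classify(path: str) -> str:
    """Map a detection's location to a triage bucket (bucket names are assumptions)."""
    p = path.lower()
    if p.startswith("operating memory"):
        return "active_in_memory"          # still running: not a leftover
    if "\\qoobox\\quarantine\\" in p:
        return "combofix_quarantine"       # renamed .vir copies ComboFix already removed
    if "\\system volume information\\_restore" in p:
        return "restore_point_copy"        # inert unless that restore point is applied
    if "\\recycler\\" in p:
        return "recycle_bin"
    if "\\sun\\java\\deployment\\cache\\" in p:
        return "java_cache"                # payloads dropped via the Java plug-in cache
    return "live_file"                     # a real file on disk that was still present


def parse(log: str) -> list:
    """Parse ESET-style lines into dicts with path, family, action, bucket, needs_attention."""
    findings = []
    for line in log.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or unrecognised lines rather than guessing
        d = m.groupdict()
        d["action"] = d["action"] or "no action reported"
        d["bucket"] = classify(d["path"])
        # Anything live, in memory, or that the scanner failed to clean needs follow-up.
        d["needs_attention"] = (
            d["bucket"] in ("live_file", "active_in_memory")
            or "error" in d["action"]
        )
        findings.append(d)
    return findings


def summarize(findings: list):
    """Return (hits per bucket, hits per malware family) as Counters."""
    by_bucket = Counter(f["bucket"] for f in findings)
    by_family = Counter(f["family"] for f in findings)
    return by_bucket, by_family


def needs_attention(findings: list) -> list:
    """Only the findings that are not leftovers, in log order."""
    return [f for f in findings if f["needs_attention"]]


if __name__ == "__main__":
    found = parse(ESET_LOG)
    buckets, families = summarize(found)
    print("hits per location:", dict(buckets))
    print("hits per family:  ", dict(families))
    for f in needs_attention(found):
        print(f"FOLLOW UP  [{f['bucket']}] {f['family']} -> {f['path']} ({f['action']})")
```

Run on the eight sample lines it reports three items for follow-up: the iTunesHelper.exe replacement, the WLIDSVCM.EXE that ESET could not clean, and the Win32/Patched.HN hit in memory; the quarantine, restore-point and Recycle Bin entries are counted but not flagged.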
Re: Need to get rid of rootkit.

aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-09-23 09:31:49
-----------------------------
09:31:49.353 OS Version: Windows 5.1.2600 Service Pack 3
09:31:49.353 Number of processors: 2 586 0x4B02
09:31:49.353 ComputerName: MAXIM-9C1E76C15 UserName: Maxim
09:31:50.322 Initialize success
09:33:50.228 AVAST engine defs: 11092300
09:38:25.213 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000069
09:38:25.213 Disk 0 Vendor: WDC_WD3200AAKS-00L9A0 01.03E01 Size: 305245MB BusType: 3
09:38:27.244 Disk 0 MBR read successfully
09:38:27.244 Disk 0 MBR scan
09:38:27.291 Disk 0 Windows XP default MBR code
09:38:27.291 Disk 0 scanning sectors +625137345
09:38:27.306 Disk 0 malicious Win32:MBRoot code @ sector 625137348 !
09:38:27.306 Disk 0 PE file @ sector 625137370 !
09:38:27.353 Disk 0 scanning C:\WINDOWS\system32\drivers
09:38:35.666 Service scanning
09:38:36.588 Modules scanning
09:38:40.588 Disk 0 trace - called modules:
09:38:40.603 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll nvata.sys
09:38:40.603 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8ad8cab8]
09:38:40.603 3 CLASSPNP.SYS[b80e8fd7] -> nt!IofCallDriver -> \Device\0000006a[0x8ad34f18]
09:38:40.603 5 ACPI.sys[b7f7f620] -> nt!IofCallDriver -> \Device\00000069[0x8ad8c030]
09:38:41.884 AVAST engine scan C:\WINDOWS
09:39:02.759 AVAST engine scan C:\WINDOWS\system32
09:40:34.275 AVAST engine scan C:\WINDOWS\system32\drivers
09:40:49.025 AVAST engine scan C:\Documents and Settings\Maxim
10:36:11.213 AVAST engine scan C:\Documents and Settings\All Users
10:38:40.072 Scan finished successfully
10:40:59.963 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Maxim\Desktop\MBR.dat"
10:40:59.963 The log file has been saved successfully to "C:\Documents and Settings\Maxim\Desktop\aswMBR.txt"


Re: Need to get rid of rootkit.

That is log 1 of 3 and it is clean.
