BullGuard
 HomeLog InRegisterCommunity CalendarSearch the ForumView The Member ListHelp
Severe Download Trojan - Help :(
   
BullGuard Antivirus Forum > Virus Removal > Removal Tools > Severe Download Trojan - Help :(  
Forum Quick Jump
 
New Topic Post reply to : Severe Download Trojan - Help :( Printable version of : Severe Download Trojan - Help :(
67 posts in this thread.
Viewing Page :
 1  2  3 
[ << Previous Thread | Next Thread >> ]

Jintan
Senior Member




Date Joined Dec 2006
Total Posts : 1428
 
   Posted 8/5/2009 5:18 AM (GMT +3)    Quote: Severe Download Trojan - Help :(Alert an admin about: Severe Download Trojan - Help :(
Those results reflect changes that match some other thread issues I have been involved in. And fortunately also have some corrections from that other thread work that will help here.


Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cryptsvc]


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cryptsvc]
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,00,00
"Description"="Provides three management services: Catalog Database Service, which confirms the signatures of Windows files; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; and Key Service, which helps enroll this computer for certificates. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start."
"DisplayName"="Cryptographic Services"
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"ObjectName"="LocalSystem"
"Start"=dword:00000002
"Type"=dword:00000020

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cryptsvc\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  63,00,72,00,79,00,70,00,74,00,73,00,76,00,63,00,2e,00,64,00,6c,00,6c,00,00,\
  00
"ServiceMain"="CryptServiceMain"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cryptsvc\Security]
"Security"=hex:00,00,0e,00,01

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cryptsvc\Enum]
"0"="Root\\LEGACY_CRYPTSVC\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seclogon]


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seclogon]
"Description"="Enables starting processes under alternate credentials. If this service is stopped, this type of logon access will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start."
"DisplayName"="Secondary Logon"
"ErrorControl"=dword:00000000
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"Objectname"="LocalSystem"
"Start"=dword:00000002
"Type"=dword:00000120

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seclogon\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  73,00,65,00,63,00,6c,00,6f,00,67,00,6f,00,6e,00,2e,00,64,00,6c,00,6c,00,00,\
  00
"ServiceMain"="SvcEntry_Seclogon"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seclogon\Security]
"Security"=hex:01,00,14,80,78,00,00,00,84,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,48,00,03,00,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,\
  05,0b,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  20,02,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,05,12,00,00,00,01,\
  01,00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seclogon\Enum]
"0"="Root\\LEGACY_SECLOGON\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\spooler]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\spooler]
"DependOnService"=hex(7):52,00,50,00,43,00,53,00,53,00,00,00,00,00
"Description"="Loads files to memory for later printing."
"DisplayName"="Print Spooler"
"ErrorControl"=dword:00000001
"FailureActions"=hex:80,51,01,00,00,00,00,00,00,00,00,00,03,00,00,00,e8,47,0c,\
  00,01,00,00,00,60,ea,00,00,01,00,00,00,60,ea,00,00,00,00,00,00,00,00,00,00
"Group"="SpoolerGroup"
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,70,00,6f,00,6f,00,6c,00,73,00,76,00,2e,00,65,00,78,00,65,00,00,00
"ObjectName"="LocalSystem"
"Start"=dword:00000002
"Type"=dword:00000110

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\spooler\Parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\spooler\Performance]
"Close"="PerfClose"
"Collect"="PerfCollect"
"Collect Timeout"=dword:000007d0
"Library"="winspool.drv"
"Object List"="1450"
"Open"="PerfOpen"
"Open Timeout"=dword:00000fa0
"WbemAdapFileSignature"=hex:12,6c,5c,67,9c,9d,52,12,37,ca,57,4b,78,a2,8d,55
"WbemAdapFileTime"=hex:00,88,ab,ca,c9,e7,a8,01
"WbemAdapFileSize"=dword:00020400
"WbemAdapStatus"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\spooler\Security]
"Security"=hex:01,00,14,80,78,00,00,00,84,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,48,00,03,00,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,\
  05,0b,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  20,02,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,05,12,00,00,00,01,\
  01,00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\spooler\Enum]
"0"="Root\\LEGACY_SPOOLER\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

Open Notepad (Start - Run, type Notepad then press OK), and copy the blue text inside the box above and paste it into the open Notepad textbox.

Save this to your desktop as "bigfix3.reg"

Be sure to include the "" quotes in the name.

Then right click bigfix3.reg, select Merge, and allow it to merge the new information with the Registry.

---------------------

Reboot.

@ECHO OFF
if exist Checkit.txt del /q Checkit.txt
if exist Results.txt del /q Results.txt
sc query Cryptsvc > Checkit.txt
sc query seclogon > Checkit1.txt
sc query spooler > Checkit2.txt
Type Checkit*.txt > Results.txt
del /q Checkit*.txt 
Notepad Results.txt

Open Notepad (Start - Run, type notepad and press Enter).

Copy/paste the above text (inside the box) into the open text box, then save this to your desktop as "3look.bat"

Be sure to include the "" quotes in the name. Then click on 3look.bat. When the scan completes a textbox will open - copy/paste those contents back here please.


Click here and help my friend help stop leukemia, lymphoma, Hodgkin lymphoma and myeloma from taking more lives.

Back to Top
 

Jintan
Senior Member




Date Joined Dec 2006
Total Posts : 1428
 
   Posted 8/5/2009 5:39 AM (GMT +3)    Quote: Severe Download Trojan - Help :(Alert an admin about: Severe Download Trojan - Help :(
If you would, also post in your next reply the C:\ComboFix.txt log from the earlier scan you ran. Don't run and create a new log - I would like the one from your first run of it.


Click here and help my friend help stop leukemia, lymphoma, Hodgkin lymphoma and myeloma from taking more lives.

Back to Top
 

LordBTY
New Member


Date Joined Jun 2009
Total Posts : 35
 
   Posted 8/5/2009 8:13 AM (GMT +3)    Quote: Severe Download Trojan - Help :(Alert an admin about: Severe Download Trojan - Help :(
Ok :)

I've checked the date on my ComboFix log.. and yup, this is the right one.

ComboFix 09-07-28.06 - User 29/07/2009 16:46.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.377 [GMT 1:00]
Running from: c:\documents and settings\User\Desktop\FIX\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090728-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\a3kebook.ini
c:\windows\akebook.ini
c:\windows\ANS2000.INI
c:\windows\system32\msvcsv60.dll
c:\windows\system32\sfcfiles.dll

.
((((((((((((((((((((((((( Files Created from 2009-06-28 to 2009-07-29 )))))))))))))))))))))))))))))))
.

2009-07-29 15:38 . 2009-07-29 15:38 -------- d--h--w- c:\windows\PIF
2009-07-29 11:57 . 2009-07-29 11:57 -------- d-----w- c:\documents and settings\Louise\Application Data\Malwarebytes
2009-07-29 02:12 . 2009-07-29 02:12 -------- d-----w- c:\program files\Trend Micro
2009-07-29 02:09 . 2009-07-29 02:09 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
2009-07-29 02:09 . 2009-07-13 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-29 02:09 . 2009-07-29 02:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-29 02:09 . 2009-07-13 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-29 02:09 . 2009-07-29 02:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-28 17:31 . 2009-07-28 17:35 -------- d-----w- c:\documents and settings\User\.housecall6.6
2009-07-27 21:19 . 2009-07-29 02:48 757760 ----a-w- c:\documents and settings\All Users\Application Data\Drv Audio Dog About\Camp Ball.exe
2009-07-27 21:19 . 2009-07-27 21:19 757760 ----a-w- c:\documents and settings\User\Application Data\Error pure\ngafogcl.exe
2009-07-27 21:17 . 2009-07-27 21:17 -------- d-----w- c:\program files\Error pure
2009-07-27 21:17 . 2009-07-27 21:20 401408 ----a-w- c:\documents and settings\User\Application Data\Error pure\DEFAULTHOLDGRAMLIES.exe
2009-07-27 21:17 . 2009-07-27 21:26 757760 ----a-w- c:\documents and settings\All Users\Application Data\Drv Audio Dog About\Funk Enc.exe
2009-07-27 21:17 . 2009-07-27 21:17 757760 ----a-w- c:\documents and settings\User\Application Data\Error pure\qgwpnmzw.exe
2009-07-19 21:25 . 2009-07-27 21:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Drv Audio Dog About
2009-07-19 21:25 . 2009-07-19 21:25 831488 ----a-w- c:\documents and settings\User\Application Data\Error pure\gwmdyikj.exe
2009-07-19 21:24 . 2009-07-27 21:20 -------- d-----w- c:\documents and settings\User\Application Data\Error pure
2009-07-19 21:24 . 2009-07-27 21:15 503808 ----a-w- c:\documents and settings\User\Application Data\Error pure\Less Admin.exe
2009-07-19 21:19 . 2009-07-26 15:12 -------- d-----w- c:\program files\Circle Developement
2009-07-10 23:25 . 2009-07-10 23:25 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-10 23:21 . 2009-07-10 23:20 6944624 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\aaw2008_upd.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-29 15:44 . 2009-04-13 11:00 -------- d-----w- c:\program files\BitComet
2009-07-26 15:17 . 2009-05-10 20:45 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2009-07-19 21:19 . 2008-01-27 20:06 -------- d-----w- c:\program files\Messenger Plus! Live
2009-07-17 23:32 . 2008-01-28 16:20 -------- d-----w- c:\documents and settings\User\Application Data\OpenOffice.org2
2009-07-11 00:02 . 2008-01-29 17:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-10 23:25 . 2008-01-23 13:01 -------- d-----w- c:\program files\Lavasoft
2009-07-10 23:21 . 2008-02-04 08:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-07-05 09:36 . 2009-06-27 11:26 2054424 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-07-05 09:36 . 2008-05-25 06:49 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-05 09:35 . 2009-06-27 11:26 3403032 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe
2009-07-05 09:35 . 2009-06-27 11:25 2167576 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgresf.dll
2009-06-27 11:30 . 2009-06-27 11:24 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-06-27 11:24 . 2009-06-27 11:24 -------- d-----w- c:\documents and settings\LocalService\Application Data\AVGTOOLBAR
2009-06-27 11:23 . 2008-05-25 06:49 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-27 11:23 . 2008-01-21 10:27 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-16 14:36 . 2006-02-28 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2006-02-28 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-14 15:07 . 2009-06-27 11:30 1004800 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-06-05 19:26 . 2008-05-25 06:49 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-06-05 19:24 . 2008-05-25 06:49 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-06-04 17:24 . 2008-02-18 18:45 -------- d-----w- c:\documents and settings\User\Application Data\Antares
2009-06-04 17:24 . 2008-02-17 20:09 -------- d-----w- c:\program files\Antares Audio Technologies
2009-06-03 19:09 . 2006-02-28 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-26 02:59 . 2009-05-26 03:00 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-26 02:59 . 2009-05-26 02:59 152576 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-05-22 17:12 . 2008-12-25 20:20 16 ----a-w- c:\windows\msocreg32.dat
2009-05-11 03:35 . 2008-01-29 08:39 20928 ----a-w- c:\documents and settings\Louise\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-10 12:57 . 2009-07-26 16:58 142822 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Personal_32_1033.dat
2009-05-07 15:32 . 2006-02-28 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-07-23 20:44 . 2009-03-12 16:09 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2006-05-03 10:06 . 2009-03-25 22:18 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 11:47 . 2009-03-25 22:18 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 13:30 . 2009-03-25 22:19 216064 --sh--r- c:\windows\system32\nbDX.dll
.

------- Sigcheck -------

[-] 2006-02-28 12:00 14336 8F078AE4ED187AAABC0A305146DE6716 c:\windows\$NtServicePackUninstall$\svchost.exe
[-] 2008-04-14 00:12 14336 27C6D03BCDB8CFEB96B716F3D8BE3E18 c:\windows\ServicePackFiles\i386\svchost.exe
[-] 2008-04-14 00:12 14336 27C6D03BCDB8CFEB96B716F3D8BE3E18 c:\windows\system32\svchost.exe

[-] 2005-03-02 18:19 577024 1800F293BCCC8EDE8A70E12B88D80036 c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
[-] 2007-03-08 15:48 578048 7AA4F6C00405DFC4B70ED4214E7D687B c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
[-] 2006-02-28 12:00 577024 C72661F8552ACE7C5C85E16A3CF505C4 c:\windows\$NtServicePackUninstall$\user32.dll
[-] 2006-02-28 12:00 577024 C72661F8552ACE7C5C85E16A3CF505C4 c:\windows\$NtUninstallKB890859$\user32.dll
[-] 2005-03-02 18:09 577024 DE2DB164BBB35DB061AF0997E4499054 c:\windows\$NtUninstallKB925902$\user32.dll
[-] 2008-04-14 00:12 578560 B26B135FF1B9F60C9388B4A7D16F600B c:\windows\ServicePackFiles\i386\user32.dll
[-] 2008-04-14 00:12 578560 B26B135FF1B9F60C9388B4A7D16F600B c:\windows\system32\user32.dll

[-] 2006-02-28 12:00 82944 2ED0B7F12A60F90092081C50FA0EC2B2 c:\windows\$NtServicePackUninstall$\ws2_32.dll
[-] 2008-04-14 00:12 82432 2CCC474EB85CEAA3E1FA1726580A3E5A c:\windows\ServicePackFiles\i386\ws2_32.dll
[-] 2008-04-14 00:12 82432 2CCC474EB85CEAA3E1FA1726580A3E5A c:\windows\system32\ws2_32.dll

[-] 2007-01-04 14:05 665088 3FFA1573FC274E5AA7467D03941C45EE c:\windows\$hf_mig$\KB928090\SP2QFE\wininet.dll
[-] 2007-02-20 09:52 665600 B258C922D22DEEC880B60720531D7627 c:\windows\$hf_mig$\KB931768\SP2QFE\wininet.dll
[-] 2007-10-11 05:57 666112 80D660A49E0D118144423099B2A9F5DA c:\windows\$hf_mig$\KB942615\SP2QFE\wininet.dll
[-] 2007-10-10 23:47 825344 0E5D918F87EFA7D2424D66B499C7EB04 c:\windows\$hf_mig$\KB942615-IE7\SP2QFE\wininet.dll
[-] 2007-12-07 02:01 825344 B5B411BB229AE6EAD7652A32ED47BFB9 c:\windows\$hf_mig$\KB944533-IE7\SP2QFE\wininet.dll
[-] 2008-03-01 13:03 827392 6316C2F0C61271C8ABDFF7429174879E c:\windows\$hf_mig$\KB947864-IE7\SP2QFE\wininet.dll
[-] 2008-04-23 03:35 827392 41546B396A526918DA7995A02EA04E51 c:\windows\$hf_mig$\KB950759-IE7\SP2QFE\wininet.dll
[-] 2008-08-20 05:33 667648 C91E3A6EF094202F6B5CA8960DFCF243 c:\windows\$hf_mig$\KB956390\SP2QFE\wininet.dll
[-] 2008-08-20 05:30 666112 9AF5F25124FBDC36E2B510729CBA2674 c:\windows\$hf_mig$\KB956390\SP3GDR\wininet.dll
[-] 2008-08-20 04:58 666624 94418F53D2612C26DBADC04DAFBC197C c:\windows\$hf_mig$\KB956390\SP3QFE\wininet.dll
[-] 2008-08-26 09:08 827904 77C192FE56A70D7FA0247BA0A6201C32 c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\wininet.dll
[-] 2008-10-16 10:20 667648 93C9D0A216498EE14EB9B26119BB95EE c:\windows\$hf_mig$\KB958215\SP2QFE\wininet.dll
[-] 2008-10-16 01:00 666112 1576318BF08D28CC61D1278114AD8D5B c:\windows\$hf_mig$\KB958215\SP3GDR\wininet.dll
[-] 2008-10-16 01:04 667136 E8FCE58A470999350F64C591557F9E42 c:\windows\$hf_mig$\KB958215\SP3QFE\wininet.dll
[-] 2008-12-20 23:56 827904 044E0A4E9FE97C0FB9AFE9C89E2A82E6 c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\wininet.dll
[-] 2009-03-03 00:17 828416 C8667854873938CA13C986F16B0CD183 c:\windows\$hf_mig$\KB963027-IE7\SP3QFE\wininet.dll
[-] 2009-04-29 04:49 828928 62CCA075F44015147B8971DAFFBCFF76 c:\windows\$hf_mig$\KB969897-IE7\SP3QFE\wininet.dll
[-] 2008-10-16 10:37 659456 6F1E4BFD78C4E0D05FF3725D59B72925 c:\windows\$NtServicePackUninstall$\wininet.dll
[-] 2006-02-28 12:00 656384 C0823FC5469663BA63E7DB88F9919D70 c:\windows\$NtUninstallKB928090$\wininet.dll
[-] 2007-01-04 13:37 658944 8C393DF5234CBCBFF1EE31902D6B40AE c:\windows\$NtUninstallKB931768$\wininet.dll
[-] 2007-02-20 09:48 658944 30D1C47E40EFBB792FF8D3C3B51CE507 c:\windows\$NtUninstallKB942615$\wininet.dll
[-] 2006-02-28 12:00 656384 C0823FC5469663BA63E7DB88F9919D70 c:\windows\$NtUninstallKB958215$\wininet.dll
[-] 2007-08-13 18:54 818688 A4A0FC92358F39538A6494C42EF99FE9 c:\windows\ie7updates\KB942615-IE7\wininet.dll
[-] 2007-10-10 23:56 824832 30C1E0F34AD2972C72A01DB5C74AB065 c:\windows\ie7updates\KB944533-IE7\wininet.dll
[-] 2007-12-07 02:21 824832 806D274C9A6C3AAEA5EAE8E4AF841E04 c:\windows\ie7updates\KB947864-IE7\wininet.dll
[-] 2008-03-01 13:06 826368 AD21461AEF8244EDEC2EF18E55E1DCF3 c:\windows\ie7updates\KB950759-IE7\wininet.dll
[-] 2008-08-26 07:24 826368 EF8EBA98145BFA44E80D17A3B3453300 c:\windows\ie7updates\KB961260-IE7\wininet.dll
[-] 2009-03-03 00:18 826368 28775945CCD53DEE280EF58DEA1A94C4 c:\windows\ie7updates\KB969897-IE7\wininet.dll
[-] 2008-04-14 00:12 666112 7A4F775ABB2F1C97DEF3E73AFA2FAEDD c:\windows\ServicePackFiles\i386\wininet.dll
[-] 2008-08-20 05:38 659456 87E694D09893978F22024FEEEDF35342 c:\windows\SoftwareDistribution\Download\1185bc01976431096846a9c917b224df\sp2gdr\wininet.dll
[-] 2008-08-20 05:33 667648 C91E3A6EF094202F6B5CA8960DFCF243 c:\windows\SoftwareDistribution\Download\1185bc01976431096846a9c917b224df\sp2qfe\wininet.dll
[-] 2008-08-20 05:30 666112 9AF5F25124FBDC36E2B510729CBA2674 c:\windows\SoftwareDistribution\Download\1185bc01976431096846a9c917b224df\sp3gdr\wininet.dll
[-] 2008-08-20 04:58 666624 94418F53D2612C26DBADC04DAFBC197C c:\windows\SoftwareDistribution\Download\1185bc01976431096846a9c917b224df\sp3qfe\wininet.dll
[-] 2009-06-29 16:12 827392 A39B7BA7AB9B1CC2A0009F59772DB83C c:\windows\SoftwareDistribution\Download\cfdf673d5f64980a67e3f1a551949306\sp3gdr\wininet.dll
[-] 2009-06-29 16:23 828928 4C6B4138165A4C53FE8A5B1D809526C3 c:\windows\SoftwareDistribution\Download\cfdf673d5f64980a67e3f1a551949306\sp3qfe\wininet.dll
[-] 2008-10-16 01:00 666112 1576318BF08D28CC61D1278114AD8D5B c:\windows\system32\wininet.dll
[-] 2008-10-16 01:00 666112 1576318BF08D28CC61D1278114AD8D5B c:\windows\system32\dllcache\wininet.dll

[-] 2006-04-20 12:18 360576 B2220C618B42A2212A59D91EBD6FC4B4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[-] 2007-10-30 16:53 360832 64798ECFA43D78C7178375FCDD16D8C8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[-] 2008-06-20 10:44 360960 744E57C99232201AE98C49168B918F48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[-] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[-] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[-] 2006-02-28 12:00 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\$NtServicePackUninstall$\tcpip.sys
[-] 2006-02-28 12:00 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\$NtUninstallKB917953$\tcpip.sys
[-] 2006-04-20 11:51 359808 1DBF125862891817F374F407626967F4 c:\windows\$NtUninstallKB941644$\tcpip.sys
[-] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\$NtUninstallKB951748$\tcpip.sys
[-] 2007-10-30 17:20 360064 90CAFF4B094573449A0872A0F919B178 c:\windows\$NtUninstallKB951748_0$\tcpip.sys
[-] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\ServicePackFiles\i386\tcpip.sys
[-] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\system32\drivers\tcpip.sys

[-] 2006-02-28 12:00 502272 01C3346C241652F43AED8E2149881BFE c:\windows\$NtServicePackUninstall$\winlogon.exe
[-] 2008-04-14 00:12 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\ServicePackFiles\i386\winlogon.exe
[-] 2008-04-14 00:12 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\system32\winlogon.exe

[-] 2006-02-28 12:00 182912 558635D3AF1C7546D26067D5D9B6959E c:\windows\$NtServicePackUninstall$\ndis.sys
[-] 2008-04-13 19:20 182656 1DF7F42665C94B825322FAE71721130D c:\windows\ServicePackFiles\i386\ndis.sys
[-] 2008-04-13 19:20 182656 1DF7F42665C94B825322FAE71721130D c:\windows\system32\drivers\ndis.sys

[-] 2006-02-28 12:00 29056 4448006B6BC60E6C027932CFC38D6855 c:\windows\$NtServicePackUninstall$\ip6fw.sys
[-] 2008-04-13 18:53 36608 3BB22519A194418D5FEC05D800A19AD0 c:\windows\ServicePackFiles\i386\ip6fw.sys
[-] 2008-04-13 18:53 36608 3BB22519A194418D5FEC05D800A19AD0 c:\windows\system32\drivers\ip6fw.sys

[-] 2005-03-02 00:36 2056832 D8ABA3EAB509627E707A3B14F00FBB6B c:\windows\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
[-] 2006-12-19 16:12 2059392 BA4B97C00A437C1CC3DA365D93EE1E9D c:\windows\$hf_mig$\KB929338\SP2QFE\ntkrnlpa.exe
[-] 2007-02-28 09:15 2059392 4D3DBDCCBF97F5BA1E74F322B155C3BA c:\windows\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe
[-] 2009-02-06 10:30 2066176 607352B9CB3D708C67F6039097801B5A c:\windows\$hf_mig$\KB956572\SP3QFE\ntkrnlpa.exe
[-] 2008-08-14 09:18 2062976 63EC865DFF6CCFC7BEF94B5C50297CAD c:\windows\$hf_mig$\KB956841\SP2QFE\ntkrnlpa.exe
[-] 2008-08-14 09:33 2066048 4AC58F03EB94A72809949D757FC39D80 c:\windows\$hf_mig$\KB956841\SP3GDR\ntkrnlpa.exe
[-] 2008-08-14 15:39 2066048 A25E9B86EFFB2AF33BF51E676B68BFB0 c:\windows\$hf_mig$\KB956841\SP3QFE\ntkrnlpa.exe
[-] 2008-08-14 09:22 2015744 DC097A896A03B8277457D228FD12D4E6 c:\windows\$NtServicePackUninstall$\ntkrnlpa.exe
[-] 2006-02-28 12:00 2015232 FB142B7007CA2EEA76966C6C5CC12150 c:\windows\$NtUninstallKB890859$\ntkrnlpa.exe
[-] 2005-03-02 00:34 2015232 3CD941E472DDF3534E53038535719771 c:\windows\$NtUninstallKB929338$\ntkrnlpa.exe
[-] 2006-12-19 12:55 2015744 BBB2322EB14AD9AD55B1024FFD4D88BF c:\windows\$NtUninstallKB931784$\ntkrnlpa.exe
[-] 2008-08-14 09:33 2023936 8206B5F94A6A9450E934029420C1693F c:\windows\$NtUninstallKB956572$\ntkrnlpa.exe
[-] 2006-02-28 12:00 2015232 FB142B7007CA2EEA76966C6C5CC12150 c:\windows\$NtUninstallKB956841$\ntkrnlpa.exe
[-] 2007-02-28 08:38 2015744 A58AC1C6199EF34228ABEE7FC057AE09 c:\windows\$NtUninstallKB956841_0$\ntkrnlpa.exe
[-] 2009-02-07 18:02 2066048 5BA7F2141BC6DB06100D0E5A732C617A c:\windows\Driver Cache\i386\ntkrnlpa.exe
[-] 2008-04-13 18:31 2065792 109F8E3E3C82E337BB71B6BC9B895D61 c:\windows\ServicePackFiles\i386\ntkrnlpa.exe
[-] 2004-08-03 22:59 2056832 947FB1D86D14AFCFFDB54BF837EC25D0 c:\windows\SoftwareDistribution\Download\S-1-5-18\3e8d5b713517659e134047f6c6f814a6\backup\sp2gdr\ntkrnlpa.exe
[-] 2004-08-03 22:59 2056832 947FB1D86D14AFCFFDB54BF837EC25D0 c:\windows\SoftwareDistribution\Download\S-1-5-18\3e8d5b713517659e134047f6c6f814a6\backup\sp2qfe\ntkrnlpa.exe
[-] 2009-02-06 10:32 2023936 65D4220799E6FC2CB079070A6393CC0E c:\windows\system32\ntkrnlpa.exe
[-] 2009-02-07 18:02 2066048 5BA7F2141BC6DB06100D0E5A732C617A c:\windows\system32\dllcache\ntkrnlpa.exe

[-] 2005-03-02 01:04 2179456 28187802B7C368C0D3AEF7D4C382AABB c:\windows\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
[-] 2006-12-19 16:51 2182016 CEF243F6DEFD20BE4ADDE26C7ECACB54 c:\windows\$hf_mig$\KB929338\SP2QFE\ntoskrnl.exe
[-] 2007-02-28 09:55 2182144 5A5C8DB4AA962C714C8371FBDF189FC9 c:\windows\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe
[-] 2009-02-07 18:35 2189184 EFE8EACE83EAAD5849A7A548FB75B584 c:\windows\$hf_mig$\KB956572\SP3QFE\ntoskrnl.exe
[-] 2008-08-14 09:57 2185984 CE69DBD54221F2D40E49FF6DB77C6507 c:\windows\$hf_mig$\KB956841\SP2QFE\ntoskrnl.exe
[-] 2008-08-14 10:11 2189184 EEAF32F8E15A24F62BECB1BD403BB5C5 c:\windows\$hf_mig$\KB956841\SP3GDR\ntoskrnl.exe
[-] 2008-08-14 16:11 2189184 31914172342BFF330063F343AC6958FE c:\windows\$hf_mig$\KB956841\SP3QFE\ntoskrnl.exe
[-] 2008-08-14 09:58 2136064 DD31AB4B91C2605601A3C108AF57A0C9 c:\windows\$NtServicePackUninstall$\ntoskrnl.exe
[-] 2006-02-28 12:00 2148352 626309040459C3915997EF98EC1C8D40 c:\windows\$NtUninstallKB890859$\ntoskrnl.exe
[-] 2005-03-02 00:57 2135552 48B3E89AF7074CEE0314A3E0C7FAFFDB c:\windows\$NtUninstallKB929338$\ntoskrnl.exe
[-] 2006-12-19 14:15 2136064 8318ED54797F3E513FD5817A1D4BBD18 c:\windows\$NtUninstallKB931784$\ntoskrnl.exe
[-] 2008-08-14 10:09 2145280 F6F8245B3A2E9CA834DD318E7AE0C6D0 c:\windows\$NtUninstallKB956572$\ntoskrnl.exe
[-] 2006-02-28 12:00 2148352 626309040459C3915997EF98EC1C8D40 c:\windows\$NtUninstallKB956841$\ntoskrnl.exe
[-] 2007-02-28 09:08 2136064 1220FAF071DEA8653EE21DE7DCDA8BFD c:\windows\$NtUninstallKB956841_0$\ntoskrnl.exe
[-] 2009-02-06 11:08 2189056 7A95B10A73737EBF24139AAA63F5212B c:\windows\Driver Cache\i386\ntoskrnl.exe
[-] 2008-04-13 19:27 2188928 0C89243C7C3EE199B96FCC16990E0679 c:\windows\ServicePackFiles\i386\ntoskrnl.exe
[-] 2004-08-03 23:20 2180992 CE218BC7088681FAA06633E218596CA7 c:\windows\SoftwareDistribution\Download\S-1-5-18\3e8d5b713517659e134047f6c6f814a6\backup\sp2gdr\ntoskrnl.exe
[-] 2004-08-03 23:20 2180992 CE218BC7088681FAA06633E218596CA7 c:\windows\SoftwareDistribution\Download\S-1-5-18\3e8d5b713517659e134047f6c6f814a6\backup\sp2qfe\ntoskrnl.exe
[-] 2009-02-06 11:06 2145280 0CBA44D0938D57F334C0862424148B70 c:\windows\system32\ntoskrnl.exe
[-] 2009-02-06 11:08 2189056 7A95B10A73737EBF24139AAA63F5212B c:\windows\system32\dllcache\ntoskrnl.exe

[-] 2008-04-14 00:12 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\explorer.exe
[-] 2007-06-13 11:26 1033216 7712DF0CDDE3A5AC89843E61CD5B3658 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[-] 2006-02-28 12:00 1032192 A0732187050030AE399B241436565E64 c:\windows\$NtServicePackUninstall$\explorer.exe
[-] 2006-02-28 12:00 1032192 A0732187050030AE399B241436565E64 c:\windows\$NtUninstallKB938828$\explorer.exe
[-] 2008-04-14 00:12 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\ServicePackFiles\i386\explorer.exe

[-] 2009-02-06 11:06 110592 020CEAAEDC8EB655B6506B8C70D53BB6 c:\windows\$hf_mig$\KB956572\SP3QFE\services.exe
[-] 2006-02-28 12:00 108032 C6CE6EEC82F187615D1002BB3BB50ED4 c:\windows\$NtServicePackUninstall$\services.exe
[-] 2008-04-14 00:12 108544 0E776ED5F7CC9F94299E70461B7B8185 c:\windows\$NtUninstallKB956572$\services.exe
[-] 2008-04-14 00:12 108544 0E776ED5F7CC9F94299E70461B7B8185 c:\windows\ServicePackFiles\i386\services.exe
[-] 2009-02-06 11:11 110592 65DF52F5B8B6E9BBD183505225C37315 c:\windows\system32\services.exe
[-] 2009-02-06 11:11 110592 65DF52F5B8B6E9BBD183505225C37315 c:\windows\system32\dllcache\services.exe

[-] 2006-02-28 12:00 13312 84885F9B82F4D55C6146EBF6065D75D2 c:\windows\$NtServicePackUninstall$\lsass.exe
[-] 2008-04-14 00:12 13312 BF2466B3E18E970D8A976FB95FC1CA85 c:\windows\ServicePackFiles\i386\lsass.exe
[-] 2008-04-14 00:12 13312 BF2466B3E18E970D8A976FB95FC1CA85 c:\windows\system32\lsass.exe

[-] 2006-02-28 12:00 15360 24232996A38C0B0CF151C2140AE29FC8 c:\windows\$NtServicePackUninstall$\ctfmon.exe
[-] 2008-04-14 00:12 15360 5F1D5F88303D4A4DBC8E5F97BA967CC3 c:\windows\ServicePackFiles\i386\ctfmon.exe
[-] 2008-04-14 00:12 15360 5F1D5F88303D4A4DBC8E5F97BA967CC3 c:\windows\system32\ctfmon.exe

[-] 2005-06-11 00:17 57856 AD3D9D191AEA7B5445FE1D82FFBB4788 c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
[-] 2006-02-28 12:00 57856 7435B108B935E42EA92CA94F59C8E717 c:\windows\$NtServicePackUninstall$\spoolsv.exe
[-] 2006-02-28 12:00 57856 7435B108B935E42EA92CA94F59C8E717 c:\windows\$NtUninstallKB896423$\spoolsv.exe
[-] 2008-04-14 00:12 57856 D8E14A61ACC1D4A6CD0D38AEBAC7FA3B c:\windows\ServicePackFiles\i386\spoolsv.exe
[-] 2008-04-14 00:12 57856 D8E14A61ACC1D4A6CD0D38AEBAC7FA3B c:\windows\system32\spoolsv.exe

[-] 2006-02-28 12:00 24576 39B1FFB03C2296323832ACBAE50D2AFF c:\windows\$NtServicePackUninstall$\userinit.exe
[-] 2008-04-14 00:12 26112 A93AEE1928A9D7CE3E16D24EC7380F89 c:\windows\ServicePackFiles\i386\userinit.exe
[-] 2008-04-14 00:12 26112 A93AEE1928A9D7CE3E16D24EC7380F89 c:\windows\system32\userinit.exe

[-] 2006-02-28 12:00 295424 B60C877D16D9C880B952FDA04ADF16E6 c:\windows\$NtServicePackUninstall$\termsrv.dll
[-] 2008-04-14 00:12 295424 FF3477C03BE7201C294C35F684B3479F c:\windows\ServicePackFiles\i386\termsrv.dll
[-] 2008-04-14 00:12 295424 FF3477C03BE7201C294C35F684B3479F c:\windows\system32\termsrv.dll

[-] 2006-07-05 10:57 985088 0FDD84928A5DDE2510761B7EC76CCEC9 c:\windows\$hf_mig$\KB917422\SP2QFE\kernel32.dll
[-] 2007-04-16 16:07 986112 09F7CB3687F86EDAA4CA081F7AB66C03 c:\windows\$hf_mig$\KB935839\SP2QFE\kernel32.dll
[-] 2009-03-21 13:59 991744 DA11D9D6ECBDF0F93436A4B7C13F7BEC c:\windows\$hf_mig$\KB959426\SP3QFE\kernel32.dll
[-] 2006-02-28 12:00 983552 888190E31455FAD793312F8D087146EB c:\windows\$NtServicePackUninstall$\kernel32.dll
[-] 2006-02-28 12:00 983552 888190E31455FAD793312F8D087146EB c:\windows\$NtUninstallKB917422$\kernel32.dll
[-] 2006-07-05 10:55 984064 D8DB5397DE07577C1CB50BA6D23B3AD4 c:\windows\$NtUninstallKB935839$\kernel32.dll
[-] 2008-04-14 00:11 989696 C24B983D211C34DA8FCC1AC38477971D c:\windows\$NtUninstallKB959426$\kernel32.dll
[-] 2008-04-14 00:11 989696 C24B983D211C34DA8FCC1AC38477971D c:\windows\ServicePackFiles\i386\kernel32.dll
[-] 2009-03-21 14:06 989696 B921FB870C9AC0D509B2CCABBBBE95F3 c:\windows\system32\kernel32.dll
[-] 2009-03-21 14:06 989696 B921FB870C9AC0D509B2CCABBBBE95F3 c:\windows\system32\dllcache\kernel32.dll

[-] 2006-02-28 12:00 17408 1B5F6923ABB450692E9FE0672C897AED c:\windows\$NtServicePackUninstall$\powrprof.dll
[-] 2008-04-14 00:12 17408 50A166237A0FA771261275A405646CC0 c:\windows\ServicePackFiles\i386\powrprof.dll
[-] 2008-04-14 00:12 17408 50A166237A0FA771261275A405646CC0 c:\windows\system32\powrprof.dll

[-] 2006-02-28 12:00 110080 87CA7CE6469577F059297B9D6556D66D c:\windows\$NtServicePackUninstall$\imm32.dll
[-] 2008-04-14 00:11 110080 0DA85218E92526972A821587E6A8BF8F c:\windows\ServicePackFiles\i386\imm32.dll
[-] 2008-04-14 00:11 110080 0DA85218E92526972A821587E6A8BF8F c:\windows\system32\imm32.dll


[-] 2006-02-28 12:00 24576 EBDEE8A2EE5393890A1ACEE971C4C246 c:\windows\$NtServicePackUninstall$\kbdclass.sys
[-] 2008-04-13 18:39 24576 463C1EC80CD17420A542B7F36A36F128 c:\windows\ServicePackFiles\i386\kbdclass.sys
[-] 2008-04-13 18:39 24576 463C1EC80CD17420A542B7F36A36F128 c:\windows\system32\drivers\kbdclass.sys

[-] 2006-02-28 12:00 792064 6728270CB7DBB776ED086F5AC4C82310 c:\windows\$NtServicePackUninstall$\comres.dll
[-] 2008-04-14 00:11 792064 1280A158C722FA95A80FB7AEBE78FA7D c:\windows\ServicePackFiles\i386\comres.dll
[-] 2008-04-14 00:11 792064 1280A158C722FA95A80FB7AEBE78FA7D c:\windows\system32\comres.dll

[-] 2006-02-28 12:00 22016 74D66B3DE265E8789153414E75175F26 c:\windows\$NtServicePackUninstall$\lpk.dll
[-] 2008-04-14 00:11 22016 012DF358CEBAA23ACB26D82077820817 c:\windows\ServicePackFiles\i386\lpk.dll
[-] 2008-04-14 00:11 22016 012DF358CEBAA23ACB26D82077820817 c:\windows\system32\lpk.dll

[-] 2006-02-28 12:00 4224 DA1F27D85E0D1525F6621372E7B685E9 c:\windows\system32\dllcache\beep.sys
[-] 2006-02-28 12:00 4224 DA1F27D85E0D1525F6621372E7B685E9 c:\windows\system32\drivers\beep.sys

[-] 2006-02-28 12:00 2944 73C1E1F395918BC2C6DD67AF7591A3AD c:\windows\system32\dllcache\null.sys
[-] 2006-02-28 12:00 2944 73C1E1F395918BC2C6DD67AF7591A3AD c:\windows\system32\drivers\null.sys

[-] 2006-02-15 00:30 142464 1EE7B434BA961EF845DE136224C30FEC c:\windows\$hf_mig$\KB900485\SP2QFE\aec.sys
[-] 2006-02-28 12:00 142464 841F385C6CFAF66B58FBD898722BB4F0 c:\windows\$NtServicePackUninstall$\aec.sys
[-] 2004-08-03 22:39 142464 841F385C6CFAF66B58FBD898722BB4F0 c:\windows\$NtUninstallKB900485$\aec.sys
[-] 2008-04-13 16:39 142592 8BED39E3C35D6A489438B8141717A557 c:\windows\ServicePackFiles\i386\aec.sys
[-] 2008-04-13 16:39 142592 8BED39E3C35D6A489438B8141717A557 c:\windows\system32\drivers\aec.sys

[-] 2006-02-28 12:00 924432 DDF8D47ACF8FC3FE5F7F2B95C4D4D136 c:\windows\$NtServicePackUninstall$\mfc40u.dll
[-] 2006-02-28 12:00 924432 DDF8D47ACF8FC3FE5F7F2B95C4D4D136 c:\windows\$NtUninstallKB924667$\mfc40u.dll
[-] 2008-04-14 00:11 927504 CDDD4416B2B4C7295FE3FDB6DDE57E4E c:\windows\ServicePackFiles\i386\mfc40u.dll
[-] 2008-04-14 00:11 927504 CDDD4416B2B4C7295FE3FDB6DDE57E4E c:\windows\system32\mfc40u.dll

[-] 2005-04-28 19:35 396288 DA383FB39A6F1C445F3AFC94B3EB1248 c:\windows\$hf_mig$\KB894391\SP2QFE\rpcss.dll
[-] 2005-07-26 04:20 398336 C369DF215D352B6F3A0B8C3469AA34F8 c:\windows\$hf_mig$\KB902400\SP2QFE\rpcss.dll
[-] 2009-02-09 10:56 401408 9222562D44021B988B9F9F62207FB6F2 c:\windows\$hf_mig$\KB956572\SP3QFE\rpcss.dll
[-] 2006-02-28 12:00 395776 5C83A4408604F737717AB96371201680 c:\windows\$NtServicePackUninstall$\rpcss.dll
[-] 2006-02-28 12:00 395776 5C83A4408604F737717AB96371201680 c:\windows\$NtUninstallKB894391$\rpcss.dll
[-] 2005-04-28 19:31 395776 C8061F289E000703E7672916B7FE1571 c:\windows\$NtUninstallKB902400$\rpcss.dll
[-] 2008-04-14 00:12 399360 2589FE6015A316C0F5D5112B4DA7B509 c:\windows\$NtUninstallKB956572$\rpcss.dll
[-] 2008-04-14 00:12 399360 2589FE6015A316C0F5D5112B4DA7B509 c:\windows\ServicePackFiles\i386\rpcss.dll
[-] 2009-02-09 12:10 401408 6B27A5C03DFB94B4245739065431322C c:\windows\system32\rpcss.dll
[-] 2009-02-09 12:10 401408 6B27A5C03DFB94B4245739065431322C c:\windows\system32\dllcache\rpcss.dll

[-] 2006-02-28 12:00 33792 95FD808E4AC22ABA025A7B3EAC0375D2 c:\windows\$NtServicePackUninstall$\msgsvc.dll
[-] 2008-04-14 00:11 33792 986B1FF5814366D71E0AC5755C88F2D3 c:\windows\ServicePackFiles\i386\msgsvc.dll
[-] 2008-04-14 00:11 33792 986B1FF5814366D71E0AC5755C88F2D3 c:\windows\system32\msgsvc.dll

[-] 2006-02-28 12:00 611328 A77DFB85FAEE49D66C74DA6024EBC69B c:\windows\$NtServicePackUninstall$\comctl32.dll
[-] 2006-02-28 12:00 611328 A77DFB85FAEE49D66C74DA6024EBC69B c:\windows\$NtUninstallKB923191$\comctl32.dll
[-] 2008-04-14 00:11 617472 06F247492BC786CE5C24A23E178C711A c:\windows\ServicePackFiles\i386\comctl32.dll
[-] 2008-04-14 00:11 617472 06F247492BC786CE5C24A23E178C711A c:\windows\system32\comctl32.dll
[-] 2008-04-14 00:12 1054208 BD38D1EBE24A46BD3EDA059560AFBA12 c:\windows\WinSxS\InstallTemp\5799068\comctl32.dll
[-] 2006-02-28 12:00 921088 AEF3D788DBF40C7C4D204EA45EB0C505 c:\windows\WinSxS\InstallTemp\98406\comctl32.dll
[-] 2006-02-28 12:00 921088 AEF3D788DBF40C7C4D204EA45EB0C505 c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll
[-] 2006-02-28 12:00 1050624 5AF68A5E44734A082442668E9C787743 c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
[-] 2006-08-25 15:45 1054208 C4E80875C1CF1222FC5EFD0314AE5C01 c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll
[-] 2008-04-14 00:12 1054208 BD38D1EBE24A46BD3EDA059560AFBA12 c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll

[-] 2006-02-28 12:00 11648 9859C0F6936E723E4892D7141B1327D5 c:\windows\system32\drivers\acpiec.sys

[-] 2006-02-28 12:00 5120 E8A12A12EA9088B4327D49EDCA3ADD3E c:\windows\$NtServicePackUninstall$\sfc.dll
[-] 2008-04-14 00:12 5120 96E1C926F22EE1BFBAE82901A35F6BF3 c:\windows\ServicePackFiles\i386\sfc.dll
[-] 2008-04-14 00:12 5120 96E1C926F22EE1BFBAE82901A35F6BF3 c:\windows\system32\sfc.dll

[-] 2006-02-28 12:00 407040 96353FCECBA774BB8DA74A1C6507015A c:\windows\$NtServicePackUninstall$\netlogon.dll
[-] 2008-04-14 00:12 407040 1B7F071C51B77C272875C3A23E1E4550 c:\windows\ServicePackFiles\i386\netlogon.dll
[-] 2008-04-14 00:12 407040 1B7F071C51B77C272875C3A23E1E4550 c:\windows\system32\netlogon.dll

[-] 2006-02-28 12:00 170496 92BDF74F12D6CBEC43C94D4B7F804838 c:\windows\$NtServicePackUninstall$\srsvc.dll
[-] 2008-04-14 00:12 171008 3805DF0AC4296A34BA4BF93B346CC378 c:\windows\ServicePackFiles\i386\srsvc.dll
[-] 2008-04-14 00:12 171008 3805DF0AC4296A34BA4BF93B346CC378 c:\windows\system32\srsvc.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-26 09:36 1008896 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2008-03-26 1232896]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-27 11:23 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmadmin]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmboot.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmio.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmload.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmserver]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SRService]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WG111v2 Smart Wizard Wireless Setting.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WG111v2 Smart Wizard Wireless Setting.lnk
backup=c:\windows\pss\WG111v2 Smart Wizard Wireless Setting.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"vsmon"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\AOL 9.0 VR\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\AOL 9.0 VR\\aol.exe"=
"c:\\Program Files\\AOL 9.0 VR\\AOLphx.exe"=
"c:\\Program Files\\AOL 9.0 VR\\AOLphxex.exe"=
"c:\\Program Files\\AOL 9.0 VR\\shellrestart.exe"=
"c:\\Program Files\\AOL 9.0 VR\\shellmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\1241988343\\ee\\aolsoftware.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"19956:TCP"= 19956:TCP:BitComet 19956 TCP
"19956:UDP"= 19956:UDP:BitComet 19956 UDP

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"= %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"= c:\program files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"= c:\program files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL
"%windir%\\Network Diagnostic\\xpnetdiag.exe"= %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
"c:\\Program Files\\AOL 9.0\\waol.exe"= c:\program files\AOL 9.0\waol.exe:*:Enabled:AOL
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= c:\program files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"= c:\program files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)
"c:\\Program Files\\AOL 9.0a\\waol.exe"= c:\program files\AOL 9.0a\waol.exe:*:Enabled:AOL

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"DoNotAllowExceptions"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"= %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"= c:\windows\system32\usmt\migwiz.exe:*:Enabled:Files and Settings Transfer Wizard
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"= c:\program files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"= c:\program files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"= c:\program files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour
"c:\\Program Files\\FrostWire\\FrostWire.exe"= c:\program files\FrostWire\FrostWire.exe:*:Enabled:LimeWire
"c:\\Program Files\\iTunes\\iTunes.exe"= c:\program files\iTunes\iTunes.exe:*:Enabled:iTunes
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"= c:\program files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"= c:\program files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"= c:\program files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"= c:\program files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe
"%windir%\\Network Diagnostic\\xpnetdiag.exe"= %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
"c:\\WINDOWS\\system32\\mmc.exe"= c:\windows\system32\mmc.exe:*:Enabled:Microsoft Management Console
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= c:\program files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"= c:\program files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"= c:\program files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox
"c:\\Program Files\\AOL 9.0 VR\\waol.exe"= c:\program files\AOL 9.0 VR\waol.exe:*:Enabled:AOL
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"= c:\program files\Common Files\AOL\TopSpeed\3.0\aoltpsd3.exe:*:Enabled:AOL TopSpeed
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"= c:\program files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"= c:\program files\Common Files\AOL\System Information\sinf.exe:*:Enabled:AOL System Information
"c:\\Program Files\\AOL 9.0 VR\\aol.exe"= c:\program files\AOL 9.0 VR\aol.exe:*:Enabled:AOL 9.0 VR
"c:\\Program Files\\AOL 9.0 VR\\AOLphx.exe"= c:\program files\AOL 9.0 VR\AOLphx.exe:*:Enabled:AOLphx.exe
"c:\\Program Files\\AOL 9.0 VR\\AOLphxex.exe"= c:\program files\AOL 9.0 VR\AOLphxex.exe:*:Enabled:AOLphxex.exe
"c:\\Program Files\\AOL 9.0 VR\\shellrestart.exe"= c:\program files\AOL 9.0 VR\shellrestart.exe:*:Enabled:shellrestart.exe
"c:\\Program Files\\AOL 9.0 VR\\shellmon.exe"= c:\program files\AOL 9.0 VR\shellmon.exe:*:Enabled:shellmon.exe
"c:\\Program Files\\Common Files\\AOL\\1241988343\\ee\\aolsoftware.exe"= c:\program files\Common Files\AOL\1241988343\ee\aolsoftware.exe:*:Enabled:AOL Shared Components
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"= c:\program files\AVG\AVG8\avgnsx.exe:*:Enabled:avgnsx.exe
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"= c:\program files\Real\RealPlayer\realplay.exe:*:Enabled:RealPlayer

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP"= 139:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22004
"445:TCP"= 445:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22005
"137:UDP"= 137:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22001
"138:UDP"= 138:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22002
"3389:TCP"= 3389:TCP:*:Enabled:@xpsp2res.dll,-22009
"1900:UDP"= 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP"= 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"19956:TCP"= 19956:TCP:*:Enabled:BitComet 19956 TCP
"19956:UDP"= 19956:UDP:*:Enabled:BitComet 19956 UDP

R1 Asapi;Asapi;c:\windows\system32\drivers\asapi.sys [29/01/2008 17:19 11264]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [01/06/2008 21:00 114768]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [25/05/2008 07:49 335752]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [25/05/2008 07:49 108552]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [01/06/2008 21:00 20560]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [25/05/2008 07:49 907032]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [25/05/2008 07:49 298776]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [10/05/2009 13:59 66048]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [26/06/2008 19:03 33792]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [12/12/2007 19:35 98328]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [12/12/2007 19:35 98328]
S3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [12/12/2007 19:36 171032]
S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [12/12/2007 19:36 171032]
S3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [12/12/2007 19:35 528920]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [12/12/2007 19:35 528920]
S3 CTEAPSFX.SYS;CTEAPSFX.SYS;c:\windows\system32\drivers\CTEAPSFX.sys [12/12/2007 19:36 163352]
S3 CTEAPSFX;CTEAPSFX;c:\windows\system32\drivers\CTEAPSFX.sys [12/12/2007 19:36 163352]
S3 CTEDSPFX.SYS;CTEDSPFX.SYS;c:\windows\system32\drivers\CTEDSPFX.sys [12/12/2007 19:36 259096]
S3 CTEDSPFX;CTEDSPFX;c:\windows\system32\drivers\CTEDSPFX.sys [12/12/2007 19:36 259096]
S3 CTEDSPIO.SYS;CTEDSPIO.SYS;c:\windows\system32\drivers\CTEDSPIO.sys [12/12/2007 19:37 134168]
S3 CTEDSPIO;CTEDSPIO;c:\windows\system32\drivers\CTEDSPIO.sys [12/12/2007 19:37 134168]
S3 CTEDSPSY.SYS;CTEDSPSY.SYS;c:\windows\system32\drivers\CTEDSPSY.sys [12/12/2007 19:37 309784]
S3 CTEDSPSY;CTEDSPSY;c:\windows\system32\drivers\CTEDSPSY.sys [12/12/2007 19:37 309784]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [12/12/2007 19:36 99352]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [12/12/2007 19:36 99352]
S3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [12/12/2007 19:37 1324056]
S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [12/12/2007 19:37 1324056]
S3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [12/12/2007 19:36 72728]
S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [12/12/2007 19:36 72728]
S3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [12/12/2007 19:36 534040]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [12/12/2007 19:36 534040]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter
DcomLaunch REG_MULTI_SZ DcomLaunch TermService
WudfServiceGroup REG_MULTI_SZ WUDFSvc
eapsvcs REG_MULTI_SZ eaphost
dot3svc REG_MULTI_SZ dot3svc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - LocalService
Alerter
LmHosts


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-07-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]
.
.
------- Supplementary Scan -------
.
uSearchURL,(Default) = hxxp://search.aol.co.uk/web?isinit=true&query=%s
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\ti6n65sr.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-GB.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
FF - prefs.js: network.proxy.type - 4
FF - component: c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\ti6n65sr.default\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}\components\IBitCometExtension.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1399.3742\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-29 16:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{1171A62F-05D2-11D1-83FC-00A0C9089C5A}]
@Denied: (A 2) (Everyone)
@="FlashProp Class"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{1171A62F-05D2-11D1-83FC-00A0C9089C5A}\InprocServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\Flash6.ocx"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{3DA165B6-CC41-11d2-BDC6-00C04F79EC6B}\ProgID]
@Denied: (A) (Everyone)
@="{5D7611FB-D5E8-4638-9CBA-68997983B832}"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{3DA165B6-CC41-11d2-BDC6-00C04F79EC6B}\Version]
@Denied: (A) (Everyone)
@="{5D7611FB-D5E8-4638-9CBA-68997983B832}"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{8D8763AB-E93B-4812-964E-F04E0008FD50}\Version]
@Denied: (A) (Everyone)
@="{8D8763AB-E93B-4812-964E-F04E0008FD50}"
"{21701DD0-9D7E-43f7-A1B2-E92ED6E90A51}"=hex:c7,ff,c7,38,7f,1e,b5,c6,9d,b5,22,
f0,bb,aa,7b,43,7f,02,07,b1,d0,f1,08,10,16,68,c8,01

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\Flash9f.ocx"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.9"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\Flash9f.ocx, 1"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\Flash9f.ocx"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\Flash9f.ocx, 1"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil9f.exe,-101"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil9f.exe"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\Interface\{2E4BB6BE-A75F-4DC0-9500-68203655A2C4}]
@Denied: (A 2) (Everyone)
@="IFlashBroker"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\Interface\{2E4BB6BE-A75F-4DC0-9500-68203655A2C4}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\Interface\{2E4BB6BE-A75F-4DC0-9500-68203655A2C4}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3896)
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 6\phonebrowser.dll
c:\program files\Nokia\Nokia PC Suite 6\NGSCM.DLL
c:\program files\Nokia\Nokia PC Suite 6\Lang\PhoneBrowser_eng.nlr
c:\program files\Nokia\Nokia PC Suite 6\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\AOL\acs\AOLacsd.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\AVG\AVG8\avgsrmax.exe
.
**************************************************************************
.
Completion time: 2009-07-29 17:01 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-29 16:01

Pre-Run: 90,643,066,880 bytes free
Post-Run: 90,879,283,200 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /usepmtimer

604 --- E O F --- 2009-07-29 02:03





And the 3look.bat file




SERVICE_NAME: Cryptsvc
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: seclogon
TYPE : 120 WIN32_SHARE_PROCESS (interactive)
STATE : 4 RUNNING
(STOPPABLE,PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: spooler
TYPE : 110 WIN32_OWN_PROCESS (interactive)
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
Back to Top
 

Jintan
Senior Member




Date Joined Dec 2006
Total Posts : 1428
 
   Posted 8/5/2009 6:12 PM (GMT +3)    Quote: Severe Download Trojan - Help :(Alert an admin about: Severe Download Trojan - Help :(
Those services look fixed and up and running now, and you may now also see some good improvements in all the problems you have been having there. A teammate named Mosaic1 has been very helpful in evaluating and providing repair suggestions for these corrupted service issues.

ComboFix shows some Registry keys with permission restrictions that do not appear to be either necessary, or at least are not helpful when users cannot access normal software functions like those. Let's address those now.


Be sure to continue to temporarily disable any protective software when running the scan tools we use here. Also disconnect from net access anytime you run ComboFix, reconnecting after it has completed it's scan.


Open notepad (go to Start, Run, type notepad and press Enter) and copy/paste the text in the codebox below into it:

Reglock::
[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{1171A62F-05D2-11D1-83FC-00A0C9089C5A}]
[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{3DA165B6-CC41-11d2-BDC6-00C04F79EC6B}]
[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{8D8763AB-E93B-4812-964E-F04E0008FD50}]
[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}]
[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\Interface\{2E4BB6BE-A75F-4DC0-9500-68203655A2C4}]
[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]

Save this to your desktop as CFScript.txt


You should now have both ComboFix and that CFScript.txt on the desktop. Just left click/hold on the CFScript file, and drag it into ComboFix to start the scan.

ComboFix will now run as it did before. Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

---------

Post back that new C:\ComboFix.txt log, as well as an update on any of those problems you were experiencing please.


Click here and help my friend help stop leukemia, lymphoma, Hodgkin lymphoma and myeloma from taking more lives.

Back to Top
 

LordBTY
New Member


Date Joined Jun 2009
Total Posts : 35
 
   Posted 8/5/2009 6:57 PM (GMT +3)    Quote: Severe Download Trojan - Help :(Alert an admin about: Severe Download Trojan - Help :(
Huh, combofix seems to have vanished...

Would this be because I neglectfully clicked it while the internet was on the other day?

But I'ma download another one...
Back to Top
 

Jintan
Senior Member




Date Joined Dec 2006
Total Posts : 1428
 
   Posted 8/6/2009 3:09 AM (GMT +3)    Quote: Severe Download Trojan - Help :(Alert an admin about: Severe Download Trojan - Help :(
Cryptographic service is altered, so likely failing to start. As well as a few other services related to some unwanted change there.A teammate named Mosaic1 has provided a script we can use to verify these problem service issues, which will allow up to effect needed repairs.

Also, that iexplore.exe file in the Internet Explorer folder just does not seem to be the correct file size. See if you can send me a copy of that. Let's also see if the existing iexplore.exe file will work for you for now.


Make sure you can View Hidden Files. Also uncheck "Hide Extensions for Known File Types"

Please locate the following hilighted file(s), zip a copy of it, and send it to jintan @ malwarecrypt.com as an attachment. Please place "Submitted Files - LordBTY/bg/ie" as the email Subject.

c:\Program Files\Internet Explorer\iexplore.exe

Then for now also right click that file, and name it to iexplore.exe.bad (agree to any warnings).

Then locate this copy, click it and see if you can open IE then:

c:\4bac1b979898353db5fea19d\iexplore.exe

------------------

'Script written by Mosaic1 
'To diagnose a possible problem with CryptoGraphic Services.
'This script makes no changes to your operating system
'It merely reports 
'Problem has so far only been seen in Windows XP SP3!
'Be careful not to fix anything unless you have the correct Registry Files for that operating System version.


Set fso = Wscript.CreateObject("Scripting.FileSystemObject")
Dim Z
set ts = fso.CreateTextFile("CReport.txt","true")
Ts.write Now & vbcrlf & vbcrlf
Set wshshell = Wscript.CreateObject("Wscript.Shell")

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colListOfServices = objWMIService.ExecQuery _
    ("Select * from Win32_Service Where Name = 'Cryptsvc'")
For Each objService in colListofServices

If objService.State = "Stopped" then
ts.writeline "Cryptographic services not running!" 
ts.writeline  "It's  Start mode is set to: " & objService.StartMode

Wshshell.run "regedit /a  Crypt.txt HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cryptsvc" ,, true
Wshshell.run "regedit /a  spooler.txt HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\spooler" ,,true
Wshshell.run "regedit /a  Seclogon.txt HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Seclogon" ,,true
If not  fso.Fileexists("Crypt.txt") then ts.writeline " Warning! No export of the Cryptsvc key exists."
If fso.Fileexists("Crypt.txt") then
set cs = fso.opentextfile("Crypt.txt",1)
Do while not cs.AtEndOfStream
C = cs.readall
loop
cs.close

ts.write C & vbcrlf
fso.DeleteFile("Crypt.txt")
End IF 
If not  fso.Fileexists("spooler.txt") then ts.writeline " Warning! No export of the spooler key exists."
If fso.Fileexists("spooler.txt") then
set cs = fso.opentextfile("spooler.txt",1)
Do while not cs.AtEndOfStream
spool = cs.readall
loop
cs.close
Set cs = nothing

ts.write spool & vbcrlf
fso.DeleteFile("spooler.txt")
End IF
If not  fso.Fileexists("Seclogon.txt") then ts.writeline " Warning! No export of the Seclogon key exists."
If fso.Fileexists("Seclogon.txt") then 
set cs = fso.opentextfile("seclogon.txt",1)
Do while not cs.AtEndOfStream
seclogon = cs.readall
loop
cs.close
Set cs = nothing
ts.write seclogon & vbcrlf
fso.DeleteFile("seclogon.txt")
End IF



ts.write vbcrlf & " CryptoGraphic Services Failures Events:" & vbcrlf


Else If objService.State = "Running" then
ts.Writeline "Cryptographic Services is running."
Wshshell.run """CReport.txt"""
wscript.quit
End IF
End IF

Next
strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colLoggedEvents = objWMIService.ExecQuery _
    ("Select * from Win32_NTLogEvent Where Logfile = 'System' and " _
            & "EventCode = '7000'")
For Each objEvent in colLoggedEvents
If instr(1,ObjEvent.Message,"cryptsvc",1) <> 0 then
 Z = Z + 1
    ts.writeline "Event Code: " & objEvent.EventCode
    ts.writeline "Event date: " & WMIDateStringToDate(objEvent.TimeGenerated)
    ts.writeline "Description: " & objEvent.Message 

End IF

    
Next

If Z = 0 then ts.writeline "No  failure events found for Cryptographic Services."


ts.close

Wshshell.run """CReport.txt"""





Function WMIDateStringToDate(A)
 WMIDateStringToDate = CDate(Mid(A, 5, 2) & "/" & _
 Mid(A, 7, 2) & "/" & Left(A, 4) _
 & " " & Mid (A, 9, 2) & ":" & _
 Mid(A, 11, 2) & ":" & Mid(A, _
 13, 2))
End Function

Open Notepad (Start - Run, type notepad and press Enter).

Copy/paste the above text into the open text box, then save this to your desktop as "Testing Crypto.vbs"

Be sure to include the "" quotes in the name. Then click on Testing Crypto.vbs. When the scan completes a textbox will open - copy/paste those contents back here please. This will also be saved to the same location as the .vbs file named CReport.txt.


Click here and help my friend help stop leukemia, lymphoma, Hodgkin lymphoma and myeloma from taking more lives.

Back to Top
 

LordBTY
New Member


Date Joined Jun 2009
Total Posts : 35
 
   Posted 8/6/2009 6:34 PM (GMT +3)    Quote: Severe Download Trojan - Help :(Alert an admin about: Severe Download Trojan - Help :(
Ok, I renamed it and sent you a mail.

c:\4bac1b979898353db5fea19d\iexplore.exe opens up fine after renaming the main file.

O wait... there now appears to be a new c:\Program Files\Internet Explorer\iexplore.exe

I've renamed it c:\Program Files\Internet Explorer\iexplore.exe.bdd

And it's created another one... what does this mean?



The report came out with


06/08/2009 16:33:27

Cryptographic Services is running.
Back to Top
 

LordBTY
New Member


Date Joined Jun 2009
Total Posts : 35
 
   Posted 8/6/2009 11:12 PM (GMT +3)    Quote: Severe Download Trojan - Help :(Alert an admin about: Severe Download Trojan - Help :(
Ok ok, well BitDefender doesn't seem to be work...

But I did the ESET scan.. these are the results..


C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL Win32/Toolbar.AskSBar application cleaned by deleting - quarantined
C:\System Volume Information\_restore{F623FF31-4737-4A48-A07E-C9B8DEE9AE00}\RP171\A0023952.DLL Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined
C:\System Volume Information\_restore{F623FF31-4737-4A48-A07E-C9B8DEE9AE00}\RP171\A0023971.dll Win32/Toolbar.MyWebSearch application cleaned by deleting - quarantined
C:\System Volume Information\_restore{F623FF31-4737-4A48-A07E-C9B8DEE9AE00}\RP174\A0024255.dll Win32/Adware.RK application cleaned by deleting - quarantined
C:\System Volume Information\_restore{F623FF31-4737-4A48-A07E-C9B8DEE9AE00}\RP174\A0024257.exe Win32/Adware.RK.AA application cleaned by deleting - quarantined
C:\System Volume Information\_restore{F623FF31-4737-4A48-A07E-C9B8DEE9AE00}\RP185\A0027125.exe a variant of Win32/TrojanDownloader.Swizzor.NCG trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{F623FF31-4737-4A48-A07E-C9B8DEE9AE00}\RP185\A0027167.exe a variant of Win32/TrojanDownloader.Swizzor.NBT trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{F623FF31-4737-4A48-A07E-C9B8DEE9AE00}\RP186\A0027228.exe a variant of Win32/TrojanDownloader.Swizzor.NBT trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{F623FF31-4737-4A48-A07E-C9B8DEE9AE00}\RP187\A0027522.exe a variant of Win32/TrojanDownloader.Swizzor.NBT trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{F623FF31-4737-4A48-A07E-C9B8DEE9AE00}\RP188\A0027550.exe a variant of Win32/TrojanDownloader.Swizzor.NBT trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{F623FF31-4737-4A48-A07E-C9B8DEE9AE00}\RP188\A0027595.exe a variant of Win32/TrojanDownloader.Swizzor.NBT trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{F623FF31-4737-4A48-A07E-C9B8DEE9AE00}\RP189\A0028208.exe a variant of Win32/TrojanDownloader.Swizzor.NBT trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{F623FF31-4737-4A48-A07E-C9B8DEE9AE00}\RP189\A0028217.exe a variant of Win32/TrojanDownloader.Swizzor.NBT trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{F623FF31-4737-4A48-A07E-C9B8DEE9AE00}\RP189\A0028220.exe a variant of Win32/TrojanDownloader.Swizzor.NBT trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{F623FF31-4737-4A48-A07E-C9B8DEE9AE00}\RP189\A0028224.exe a variant of Win32/TrojanDownloader.Swizzor.NBT trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{F623FF31-4737-4A48-A07E-C9B8DEE9AE00}\RP189\A0028225.exe a variant of Win32/TrojanDownloader.Swizzor.NBT trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{F623FF31-4737-4A48-A07E-C9B8DEE9AE00}\RP205\A0030251.DLL Win32/Toolbar.AskSBar application cleaned by deleting - quarantined


It appears to be a swizzor virus...
Back to Top
 

Jintan
Senior Member




Date Joined Dec 2006
Total Posts : 1428
 
   Posted 8/7/2009 2:33 AM (GMT +3)    Quote: Severe Download Trojan - Help :(Alert an admin about: Severe Download Trojan - Help :(
No currently active items, as far as those tougher infection the scan located in the System Restore files (System Volume Information). I received that iexplore.exe file, thanks. Not seeing anything wrong with it, though it seems to be for Vista, and not XP. Can't be sure on that though. Windows File Protection likely replaced the renamed file with a backup copy, so the rename suggestion was not the best of ideas for that. Can you open IE using that other file though?

However, in just glancing back through the logs I realize you have two antivirus softwares installed there:

c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\AOL\acs\AOLacsd.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\AVG\AVG8\avgsrmax.exe

This will cause many problems, and these two may have now corrupted each other as well. May also be part of some of the problems you have going on now. I suggest you choose one of those, disable all security software and then uninstall it. Reboot, disable and uninstall the other. If either are a paid version be sure to save any registration keys/code.


Once you have done that and rebooted, post back a new RSIT log please.


Click here and help my friend help stop leukemia, lymphoma, Hodgkin lymphoma and myeloma from taking more lives.

Back to Top
 

LordBTY
New Member


Date Joined Jun 2009
Total Posts : 35
 
   Posted 8/7/2009 3:33 PM (GMT +3)    Quote: Severe Download Trojan - Help :(Alert an admin about: Severe Download Trojan - Help :(
I had removed them both and reinstalled them before.

Here's the RSIT log




Logfile of random's system information tool 1.06 (written by random/random)
Run by User at 2009-08-07 13:27:24
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 87 GB (37%) free of 238 GB
Total RAM: 1022 MB (49% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:27:27, on 07/08/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\AOL\1249496189\ee\AOLSoftware.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Creative Professional\E-MU PatchMix DSP\EmuPMixDSP.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
C:\Program Files\AOL Companion\companion.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
E:\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\User.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.aol.co.uk/web?isinit=true&query=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = C:\Program Files\AOL Toolbar\welcome.html
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl Class - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1249496189\ee\AOLSoftware.exe
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'Default user')
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1238448251250
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 10314 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
Yahoo! Toolbar Helper - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2006-10-26 440384]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre6\bin\ssv.dll [2009-05-26 320920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll [2008-11-10 657904]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-05-26 35840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-05-26 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{327C2873-E90D-4c37-AA9D-10AC9BABA46C} - Easy-WebPrint - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll [2004-08-26 405504]
{4982D40A-C53B-4615-B15B-B5B5E98D167C} - AOL Toolbar - C:\Program Files\AOL Toolbar\toolbar.dll [2004-03-22 385024]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2006-10-26 440384]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2007-12-05 8523776]
"OpwareSE2"=C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe [2003-05-08 49152]
"nwiz"=nwiz.exe /install []
"JMB36X Configure"=C:\WINDOWS\system32\JMRaidTool.exe [2006-08-14 352256]
"H2O"=C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe [2005-10-23 385024]
"CTHelper"=C:\WINDOWS\system32\CTHELPER.EXE [2007-12-12 23040]
"AOLDialer"=C:\Program Files\Common Files\AOL\ACS\AOLDial.exe [2007-12-07 71008]
"avast!"=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe [2009-02-05 81000]
"HostManager"=C:\Program Files\Common Files\AOL\1249496189\ee\AOLSoftware.exe [2006-09-26 50736]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"=C:\WINDOWS\system32\MIDIDef.exe [2007-12-12 31232]
"msnmsgr"=C:\Program Files\Windows Live\Messenger\msnmsgr.exe [2007-10-18 5724184]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"=C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe [2007-06-01 153136]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
C:\Program Files\CyberLink\PowerDVD\Language\Language.exe [2006-05-18 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe [2007-05-15 484904]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe [2008-03-28 1079296]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe [2008-03-28 413696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [2005-12-07 30208]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"vsmon"=2

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
AOL 9.0 Tray Icon.lnk - C:\Program Files\AOL 9.0\aoltray.exe
AOL Companion.lnk - C:\Program Files\AOL Companion\companion.exe
WG111v2 Smart Wizard Wireless Setting.lnk - C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\vsmon]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\WINDOWS\system32\usmt\migwiz.exe"="C:\WINDOWS\system32\usmt\migwiz.exe:*:Enabled:Files and Settings Transfer Wizard"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\WINDOWS\system32\mmc.exe"="C:\WINDOWS\system32\mmc.exe:*:Enabled:Microsoft Management Console"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\Program Files\Mozilla Firefox\firefox.exe"="C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox"
"C:\Program Files\Common Files\AOL\System Information\sinf.exe"="C:\Program Files\Common Files\AOL\System Information\sinf.exe:*:Enabled:AOL System Information"
"C:\Program Files\Real\RealPlayer\realplay.exe"="C:\Program Files\Real\RealPlayer\realplay.exe:*:Enabled:RealPlayer"
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe"="C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe:*:Enabled:AOL"
"C:\Program Files\AOL 9.0\waol.exe"="C:\Program Files\AOL 9.0\waol.exe:*:Enabled:AOL 9.0"
"C:\Program Files\Common Files\AOL\1249496189\ee\aolsoftware.exe"="C:\Program Files\Common Files\AOL\1249496189\ee\aolsoftware.exe:*:Enabled:AOL Shared Components"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\Program Files\AOL 9.0a\waol.exe"="C:\Program Files\AOL 9.0a\waol.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe"="C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe:*:Enabled:AOL"
"C:\Program Files\AOL 9.0\waol.exe"="C:\Program Files\AOL 9.0\waol.exe:*:Enabled:AOL 9.0"

======List of files/folders created in the last 1 months======

2009-08-05 21:25:38 ----D---- C:\WINDOWS\BDOSCAN8
2009-08-05 19:16:12 ----D---- C:\Program Files\AOL
2009-08-05 19:02:23 ----A---- C:\WINDOWS\system32\aswBoot.exe
2009-08-05 18:55:23 ----SHD---- C:\RECYCLER
2009-08-05 17:50:08 ----HDC---- C:\WINDOWS\ie7
2009-08-05 17:18:39 ----D---- C:\WINDOWS\temp
2009-08-05 17:18:37 ----A---- C:\ComboFix.txt
2009-08-05 17:11:33 ----SD---- C:\ComboFix
2009-08-05 16:53:56 ----D---- C:\Program Files\ESET
2009-08-05 02:44:47 ----A---- C:\find.txt
2009-08-04 19:55:55 ----D---- C:\Program Files\ERUNT
2009-08-04 19:41:16 ----RASHD---- C:\autorun.inf
2009-08-03 19:21:50 ----D---- C:\4bac1b979898353db5fea19d
2009-08-03 18:55:29 ----D---- C:\WINDOWS\system32\CatRoot2
2009-08-03 01:10:48 ----D---- C:\Program Files\AOL Companion
2009-08-03 01:10:47 ----D---- C:\Program Files\Learn2.com
2009-08-03 01:09:58 ----D---- C:\Program Files\AOL Toolbar
2009-08-03 01:09:29 ----A---- C:\WINDOWS\system32\jgdwmie.dll
2009-08-03 01:07:56 ----D---- C:\Program Files\Common Files\aolshare
2009-08-03 01:07:54 ----D---- C:\Program Files\AOL 9.0
2009-08-03 01:07:54 ----D---- C:\Documents and Settings\All Users\Application Data\AOL
2009-08-03 00:28:02 ----D---- C:\Program Files\VoyagerModem105Drivers
2009-07-30 21:13:30 ----D---- C:\rsit
2009-07-29 16:45:01 ----A---- C:\Boot.bak
2009-07-29 16:44:57 ----RASHD---- C:\cmdcons
2009-07-29 16:40:11 ----A---- C:\WINDOWS\zip.exe
2009-07-29 16:40:11 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-07-29 16:40:11 ----A---- C:\WINDOWS\SWSC.exe
2009-07-29 16:40:11 ----A---- C:\WINDOWS\SWREG.exe
2009-07-29 16:40:11 ----A---- C:\WINDOWS\sed.exe
2009-07-29 16:40:11 ----A---- C:\WINDOWS\PEV.exe
2009-07-29 16:40:11 ----A---- C:\WINDOWS\NIRCMD.exe
2009-07-29 16:40:11 ----A---- C:\WINDOWS\grep.exe
2009-07-29 16:40:06 ----D---- C:\WINDOWS\ERDNT
2009-07-29 16:39:08 ----D---- C:\Qoobox
2009-07-29 16:38:41 ----HD---- C:\WINDOWS\PIF
2009-07-29 03:12:30 ----D---- C:\Program Files\Trend Micro
2009-07-29 03:09:35 ----D---- C:\Documents and Settings\User\Application Data\Malwarebytes
2009-07-29 03:09:20 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-07-29 03:09:16 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-07-27 22:08:22 ----N---- C:\WINDOWS\SchedLgU.Txt
2009-07-16 12:38:26 ----HDC---- C:\WINDOWS\$NtUninstallKB973346$
2009-07-16 12:38:14 ----HDC---- C:\WINDOWS\$NtUninstallKB971633$
2009-07-16 12:33:45 ----HDC---- C:\WINDOWS\$NtUninstallKB961371$
2009-07-11 00:25:15 ----D---- C:\Program Files\Common Files\Wise Installation Wizard

======List of files/folders modified in the last 1 months======

2009-08-07 13:03:07 ----D---- C:\Program Files\Mozilla Firefox
2009-08-07 13:02:24 ----D---- C:\WINDOWS
2009-08-07 13:02:14 ----D---- C:\WINDOWS\Prefetch
2009-08-06 21:10:29 ----D---- C:\Downloads
2009-08-06 18:49:00 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-08-06 18:20:15 ----D---- C:\WINDOWS\system32
2009-08-06 17:59:15 ----D---- C:\WINDOWS\Debug
2009-08-06 16:39:55 ----D---- C:\Program Files\CCleaner
2009-08-06 16:37:35 ----D---- C:\Program Files\Yahoo!
2009-08-06 16:31:28 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-08-06 16:31:23 ----D---- C:\Program Files\Internet Explorer
2009-08-05 21:25:38 ----HD---- C:\WINDOWS\inf
2009-08-05 21:16:25 ----D---- C:\WINDOWS\Microsoft.NET
2009-08-05 21:02:57 ----D---- C:\WINDOWS\system32\CatRoot
2009-08-05 21:02:04 ----SHD---- C:\WINDOWS\Installer
2009-08-05 21:01:24 ----D---- C:\WINDOWS\ie7updates
2009-08-05 20:43:17 ----D---- C:\Program Files\Common Files\AOL
2009-08-05 19:16:12 ----RD---- C:\Program Files
2009-08-05 19:02:40 ----D---- C:\WINDOWS\system32\drivers
2009-08-05 18:58:12 ----A---- C:\WINDOWS\NeroDigital.ini
2009-08-05 18:44:17 ----A---- C:\VETlog.txt
2009-08-05 18:43:50 ----A---- C:\WINDOWS\win.ini
2009-08-05 17:53:26 ----D---- C:\WINDOWS\Help
2009-08-05 17:51:49 ----D---- C:\WINDOWS\system32\en-US
2009-08-05 17:16:22 ----A---- C:\WINDOWS\system.ini
2009-08-05 17:14:57 ----D---- C:\WINDOWS\AppPatch
2009-08-05 17:14:51 ----D---- C:\Program Files\Common Files
2009-08-05 04:22:03 ----D---- C:\Documents and Settings\User\Application Data\OpenOffice.org2
2009-08-03 21:20:50 ----D---- C:\WINDOWS\security
2009-08-03 01:11:10 ----A---- C:\WINDOWS\aolback.exe.lnk
2009-08-03 01:10:47 ----SD---- C:\WINDOWS\occache
2009-08-03 01:09:48 ----A---- C:\WINDOWS\system32\rmoc3260.dll
2009-08-02 22:57:57 ----D---- C:\Program Files\VoyagerModemDrivers
2009-08-02 22:36:34 ----D---- C:\Temp
2009-08-02 21:43:26 ----RASH---- C:\boot.ini
2009-08-02 21:40:59 ----D---- C:\Program Files\Opera
2009-08-02 21:28:24 ----D---- C:\Program Files\FrostWire
2009-08-02 21:21:24 ----D---- C:\Documents and Settings\User\Application Data\Yahoo!
2009-08-02 21:21:24 ----D---- C:\Documents and Settings\All Users\Application Data\Yahoo!
2009-08-02 21:21:09 ----A---- C:\YServer.txt
2009-08-02 21:08:16 ----D---- C:\Documents and Settings\User\Application Data\AOL
2009-08-02 21:08:02 ----A---- C:\WINDOWS\msoffice.ini
2009-07-31 13:47:56 ----D---- C:\WINDOWS\pss
2009-07-30 20:43:42 ----SD---- C:\Documents and Settings\User\Application Data\Microsoft
2009-07-30 20:42:57 ----HD---- C:\$AVG8.VAULT$
2009-07-29 16:46:29 ----D---- C:\WINDOWS\system32\oldcatroot2
2009-07-29 16:44:31 ----D---- C:\Program Files\BitComet
2009-07-29 03:46:10 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-07-29 03:01:36 ----D---- C:\WINDOWS\WinSxS
2009-07-28 18:28:09 ----HD---- C:\WINDOWS\$hf_mig$
2009-07-27 23:00:14 ----HDC---- C:\WINDOWS\$NtServicePackUninstall$
2009-07-27 22:16:12 ----SD---- C:\WINDOWS\Tasks
2009-07-26 18:04:17 ----D---- C:\Documents and Settings
2009-07-19 19:03:04 ----A---- C:\WINDOWS\system32\mshtml.dll
2009-07-19 14:32:59 ----A---- C:\WINDOWS\system32\ieframe.dll
2009-07-12 03:53:04 ----A---- C:\WINDOWS\PhotoSnapViewer.INI
2009-07-11 01:02:13 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-11 00:25:35 ----D---- C:\Program Files\Lavasoft
2009-07-11 00:21:53 ----D---- C:\Documents and Settings\All Users\Application Data\Lavasoft

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 Aavmker4;avast! Asynchronous Virus Monitor; C:\WINDOWS\system32\drivers\Aavmker4.sys [2009-02-05 26944]
R1 Asapi;Asapi; C:\WINDOWS\system32\drivers\Asapi.sys [2002-04-17 11264]
R1 ASPI32;ASPI32; C:\WINDOWS\system32\drivers\ASPI32.sys [2002-07-17 16877]
R1 aswSP;avast! Self Protection; C:\WINDOWS\system32\drivers\aswSP.sys [2009-02-05 114768]
R1 aswTdi;avast! Network Shield Support; C:\WINDOWS\system32\drivers\aswTdi.sys [2009-02-05 51376]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R2 ASCTRM;ASCTRM; C:\WINDOWS\system32\drivers\ASCTRM.sys [2008-01-27 8552]
R2 aswFsBlk;aswFsBlk; C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]
R2 aswMon2;avast! Standard Shield Support; C:\WINDOWS\system32\drivers\aswMon2.sys [2009-02-05 94032]
R2 EAPPkt;Realtek EAPPkt Protocol; C:\WINDOWS\system32\DRIVERS\EAPPkt.sys [2005-04-01 66048]
R2 Nsynas32;Nsynas32; C:\WINDOWS\system32\drivers\Nsynas32.sys [2001-04-09 17784]
R2 PfModNT;PfModNT; \??\C:\WINDOWS\system32\drivers\PfModNT.sys []
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
R3 aswRdr;aswRdr; C:\WINDOWS\system32\drivers\aswRdr.sys [2009-02-05 23152]
R3 CLEDX;Team H2O CLEDX service; C:\WINDOWS\system32\DRIVERS\cledx.sys [2005-10-23 33792]
R3 COMMONFX.SYS;COMMONFX.SYS; C:\WINDOWS\System32\drivers\COMMONFX.SYS [2007-12-12 98328]
R3 ctac32k;Creative AC3 Software Decoder; C:\WINDOWS\System32\drivers\ctac32k.sys [2007-12-12 511000]
R3 ctaud2k;Creative Audio Driver (WDM); C:\WINDOWS\system32\drivers\ctaud2k.sys [2007-12-12 524824]
R3 CTEDSPIO.SYS;CTEDSPIO.SYS; C:\WINDOWS\System32\drivers\CTEDSPIO.SYS [2007-12-12 134168]
R3 CTEDSPSY.SYS;CTEDSPSY.SYS; C:\WINDOWS\System32\drivers\CTEDSPSY.SYS [2007-12-12 309784]
R3 ctprxy2k;Creative Proxy Driver; C:\WINDOWS\System32\drivers\ctprxy2k.sys [2007-12-12 14360]
R3 ctsfm2k;Creative SoundFont Management Device Driver; C:\WINDOWS\System32\drivers\ctsfm2k.sys [2007-12-12 159256]
R3 emupia;E-mu Plug-in Architecture Driver; C:\WINDOWS\System32\drivers\emupia2k.sys [2007-12-12 95768]
R3 GEARAspiWDM;GEARAspiWDM; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2008-01-29 16168]
R3 ha10kx2k;Creative Hardware Abstract Layer Driver; C:\WINDOWS\System32\drivers\ha10kx2k.sys [2007-12-12 802840]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 MTsensor;ATK0110 ACPI UTILITY; C:\WINDOWS\system32\DRIVERS\ASACPI.sys [2004-08-13 5810]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2007-12-05 7435392]
R3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\WINDOWS\system32\DRIVERS\NVENETFD.sys [2006-02-17 34176]
R3 nvnetbus;NVIDIA Network Bus Enumerator; C:\WINDOWS\system32\DRIVERS\nvnetbus.sys [2006-02-17 13056]
R3 ossrv;Creative OS Services Driver; C:\WINDOWS\system32\drivers\ctoss2k.sys [2007-12-12 129560]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-13 17152]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 wanatw;WAN Miniport (ATW); C:\WINDOWS\system32\DRIVERS\wanatw4.sys [2003-01-10 33588]
S3 BRIDGE;MAC Bridge; C:\WINDOWS\system32\DRIVERS\bridge.sys [2008-04-13 71552]
S3 BridgeMP;MAC Bridge Miniport; C:\WINDOWS\system32\DRIVERS\bridge.sys [2008-04-13 71552]
S3 catchme;catchme; \??\C:\DOCUME~1\User\LOCALS~1\Temp\catchme.sys []
S3 COMMONFX;COMMONFX; C:\WINDOWS\system32\drivers\COMMONFX.SYS [2007-12-12 98328]
S3 CT20XUT.SYS;CT20XUT.SYS; C:\WINDOWS\System32\drivers\CT20XUT.SYS [2007-12-12 171032]
S3 CT20XUT;CT20XUT; C:\WINDOWS\system32\drivers\CT20XUT.SYS [2007-12-12 171032]
S3 CTAUDFX.SYS;CTAUDFX.SYS; C:\WINDOWS\System32\drivers\CTAUDFX.SYS [2007-12-12 528920]
S3 CTAUDFX;CTAUDFX; C:\WINDOWS\system32\drivers\CTAUDFX.SYS [2007-12-12 528920]
S3 CTEAPSFX.SYS;CTEAPSFX.SYS; C:\WINDOWS\System32\drivers\CTEAPSFX.SYS [2007-12-12 163352]
S3 CTEAPSFX;CTEAPSFX; C:\WINDOWS\system32\drivers\CTEAPSFX.SYS [2007-12-12 163352]
S3 CTEDSPFX.SYS;CTEDSPFX.SYS; C:\WINDOWS\System32\drivers\CTEDSPFX.SYS [2007-12-12 259096]
S3 CTEDSPFX;CTEDSPFX; C:\WINDOWS\system32\drivers\CTEDSPFX.SYS [2007-12-12 259096]
S3 CTEDSPIO;CTEDSPIO; C:\WINDOWS\system32\drivers\CTEDSPIO.SYS [2007-12-12 134168]
S3 CTEDSPSY;CTEDSPSY; C:\WINDOWS\system32\drivers\CTEDSPSY.SYS [2007-12-12 309784]
S3 CTERFXFX.SYS;CTERFXFX.SYS; C:\WINDOWS\System32\drivers\CTERFXFX.SYS [2007-12-12 99352]
S3 CTERFXFX;CTERFXFX; C:\WINDOWS\system32\drivers\CTERFXFX.SYS [2007-12-12 99352]
S3 CTEXFIFX.SYS;CTEXFIFX.SYS; C:\WINDOWS\System32\drivers\CTEXFIFX.SYS [2007-12-12 1324056]
S3 CTEXFIFX;CTEXFIFX; C:\WINDOWS\system32\drivers\CTEXFIFX.SYS [2007-12-12 1324056]
S3 CTHWIUT.SYS;CTHWIUT.SYS; C:\WINDOWS\System32\drivers\CTHWIUT.SYS [2007-12-12 72728]
S3 CTHWIUT;CTHWIUT; C:\WINDOWS\system32\drivers\CTHWIUT.SYS [2007-12-12 72728]
S3 CTSBLFX.SYS;CTSBLFX.SYS; C:\WINDOWS\System32\drivers\CTSBLFX.SYS [2007-12-12 534040]
S3 CTSBLFX;CTSBLFX; C:\WINDOWS\system32\drivers\CTSBLFX.SYS [2007-12-12 534040]
S3 ENTECH;ENTECH; \??\C:\WINDOWS\system32\DRIVERS\ENTECH.SYS []
S3 Freedom;FREEDOM Miniport; C:\WINDOWS\system32\DRIVERS\FREEDOM.SYS []
S3 hap16v2k;Creative P16V HAL Driver; C:\WINDOWS\System32\drivers\hap16v2k.sys [2007-12-12 163864]
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
S3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys []
S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2006-02-28 12160]
S3 nmwcd;Nokia USB Phone Parent; C:\WINDOWS\system32\drivers\ccdcmb.sys [2007-11-29 16896]
S3 nmwcdc;Nokia USB Generic; C:\WINDOWS\system32\drivers\ccdcmbo.sys [2007-11-29 19328]
S3 pccsmcfd;PCCS Mode Change Filter Driver; C:\WINDOWS\system32\DRIVERS\pccsmcfd.sys [2007-09-17 21632]
S3 PPPoEWin;PPPoEWin Miniport; C:\WINDOWS\system32\DRIVERS\PPPoEWin.SYS []
S3 upperdev;upperdev; C:\WINDOWS\system32\DRIVERS\usbser_lowerflt.sys [2007-11-29 8064]
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2008-01-15 30464]
S3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2008-04-13 60032]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 usbser;Nokia USB Serial Port; C:\WINDOWS\system32\DRIVERS\usbser.sys [2008-04-13 26112]
S3 UsbserFilt;UsbserFilt; C:\WINDOWS\system32\DRIVERS\usbser_lowerfltj.sys [2007-11-29 8064]
S3 Wdf01000;Wdf01000; C:\WINDOWS\system32\DRIVERS\Wdf01000.sys [2006-11-02 492000]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-15 82688]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
S4 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2006-02-28 12032]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AOL ACS;AOL Connectivity Service; C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe [2006-10-23 46640]
R2 aswUpdSv;avast! iAVS4 Control Service; C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe [2009-02-05 18752]
R2 avast! Antivirus;avast! Antivirus; C:\Program Files\Alwil Software\Avast4\ashServ.exe [2009-02-05 138680]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2007-12-05 155716]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-01-28 38912]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
R3 avast! Mail Scanner;avast! Mail Scanner; C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe [2009-02-05 254040]
R3 avast! Web Scanner;avast! Web Scanner; C:\Program Files\Alwil Software\Avast4\ashWebSv.exe [2009-02-05 352920]
R3 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe [2007-06-01 271920]
R3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\Windows Live\Messenger\usnsvc.exe [2007-10-18 98328]
S3 aawservice;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-07-07 611664]
S3 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-01-15 110592]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2007-07-24 229376]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-11-10 168432]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-03-30 504104]
S3 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-05-26 152984]
S3 LightScribeService;LightScribeService Direct Disc Labeling Service; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [2007-05-15 79400]
S3 NBService;NBService; C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe [2007-04-13 792112]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 RichVideo;Cyberlink RichVideo Service(CRVS); C:\Program Files\CyberLink\Shared files\RichVideo.exe [2005-08-08 167936]
S3 ServiceLayer;ServiceLayer; C:\Program Files\PC Connectivity Solution\ServiceLayer.exe [2008-04-07 430592]
S3 WLSetupSvc;Windows Live Setup Service; C:\Program Files\Windows Live\installer\WLSetupSvc.exe [2007-10-25 266240]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------
Back to Top
 

LordBTY
New Member


Date Joined Jun 2009
Total Posts : 35
 
   Posted 8/7/2009 7:29 PM (GMT +3)    Quote: Severe Download Trojan - Help :(Alert an admin about: Severe Download Trojan - Help :(
Hmm.... I just downloaded Spyhunter3 unregistered...

I have


A0027702.exe - Malware.DrSmart.A
A0028894.exe - Kontiki
ntoskrnl.exe - Trojan.Dropper


What should I do?

EDIT: I've deleted the first two... not so sure about what to do for the 3rd one though...

Post Edited (LordBTY) : 07-08-2009 16:39:15 GMT

Back to Top
 

Jintan
Senior Member




Date Joined Dec 2006
Total Posts : 1428
 
   Posted 8/7/2009 7:50 PM (GMT +3)    Quote: Severe Download Trojan - Help :(Alert an admin about: Severe Download Trojan - Help :(
Those first two, by the looks of the names, are System Restore files, and the last one is an important and essential system file, as long as that file by that name is located in either the System32 folder of the System32\dllcache folder.

More important is that I not only really need you to not make any independent changes or run your own scans there, but SpyHunter is considered as rogue software itself. You need to uninstall that, and delete any files from it as well.

Once you have done that, reboot, to make sure all changes were made. Then a good idea now would be to check the system with an updated copy of the same tool that provided the initial verification of problems there.


Delete any existing copies of ComboFix, then download ComboFix.exe from here to your desktop, but I would like you to rename the file as you download it (do not download it directly without renaming it - use right click "Save Target/Link As" ). For this, rename the downloading file to 765out.com, then click the renamed 765out.com to run that scan.

Be sure to install the Recovery Console if you are asked to do so. When the scan completes, a text window with your log will open. Please copy and paste that log back here.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.


Click here and help my friend help stop leukemia, lymphoma, Hodgkin lymphoma and myeloma from taking more lives.

Back to Top
 

LordBTY
New Member


Date Joined Jun 2009
Total Posts : 35
 
   Posted 8/8/2009 12:38 AM (GMT +3)    Quote: Severe Download Trojan - Help :(Alert an admin about: Severe Download Trojan - Help :(
Okey dokey

The infected files were in the windows update backup... the same place where the undeletable iexplore files were

Here's the ComboFix Log


ComboFix 09-08-07.04 - User 07/08/2009 22:28.5.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.593 [GMT 1:00]
Running from: c:\documents and settings\User\Desktop\765out.com.exe
AV: avast! antivirus 4.8.1335 [VPS 090807-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((( Files Created from 2009-07-07 to 2009-08-07 )))))))))))))))))))))))))))))))
.

2009-08-07 19:55 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-08-07 19:38 . 2009-08-07 19:38 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-08-07 19:38 . 2009-07-08 17:28 2920112 -c--a-w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.exe
2009-08-07 16:51 . 2009-08-07 16:51 3942048 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-08-07 16:12 . 2009-08-07 21:19 -------- d-----w- c:\program files\Enigma Software Group
2009-08-05 20:25 . 2009-08-06 20:20 -------- d-----w- c:\windows\BDOSCAN8
2009-08-05 18:17 . 2009-08-05 18:17 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\AOL
2009-08-05 18:02 . 2009-02-05 20:06 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-08-05 18:02 . 2009-02-05 20:06 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-08-05 18:02 . 2009-02-05 20:05 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-08-05 18:02 . 2009-02-05 20:04 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-08-05 18:02 . 2009-02-05 20:08 93296 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-08-05 18:02 . 2009-02-05 20:08 94032 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-08-05 18:02 . 2009-02-05 20:07 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-08-05 18:02 . 2009-02-05 20:07 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-08-05 18:02 . 2009-02-05 20:11 1256296 ----a-w- c:\windows\system32\aswBoot.exe
2009-08-05 16:11 . 2009-08-05 16:18 -------- d-s---w- C:\ComboFix
2009-08-05 15:53 . 2009-08-05 15:53 -------- d-----w- c:\program files\ESET
2009-08-04 18:55 . 2009-08-04 18:56 -------- d-----w- c:\program files\ERUNT
2009-08-03 19:46 . 2009-08-03 19:46 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\temp
2009-08-03 19:46 . 2009-08-03 19:46 -------- d-----w- c:\documents and settings\Tom\Local Settings\Application Data\temp
2009-08-03 19:46 . 2009-08-03 19:46 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\temp
2009-08-03 19:46 . 2009-08-03 19:46 -------- d-----w- c:\documents and settings\Louise\Local Settings\Application Data\temp
2009-08-03 19:46 . 2009-08-03 19:46 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\temp
2009-08-03 19:46 . 2009-08-03 19:46 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\temp
2009-08-03 19:46 . 2009-08-03 19:46 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\temp
2009-08-03 18:21 . 2009-08-03 18:21 -------- d-----w- C:\4bac1b979898353db5fea19d
2009-08-03 17:55 . 2009-08-07 21:28 -------- d-----w- c:\windows\system32\CatRoot2
2009-08-03 00:10 . 2009-08-05 17:44 -------- d-----w- c:\program files\AOL Companion
2009-08-03 00:10 . 2009-08-03 00:10 -------- d-----w- c:\program files\Learn2.com
2009-08-03 00:10 . 2004-06-22 13:03 173184 ----a-w- c:\windows\system32\ygpss.scr
2009-08-03 00:09 . 2009-08-03 00:11 -------- d-----w- c:\program files\AOL Toolbar
2009-08-03 00:09 . 2004-06-22 13:03 153088 ----a-w- c:\windows\system32\jgdwmie.dll
2009-08-03 00:09 . 2004-06-22 13:03 14538 ----a-w- c:\documents and settings\All Users\Application Data\AOL\C_AOL 9.0\ctem.sys
2009-08-03 00:07 . 2009-08-03 00:10 -------- d-----w- c:\program files\Common Files\aolshare
2009-08-03 00:07 . 2009-08-05 18:16 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2009-08-03 00:07 . 2009-08-05 18:16 -------- d-----w- c:\program files\AOL 9.0
2009-08-02 23:28 . 2009-08-02 23:28 -------- d-----w- c:\program files\VoyagerModem105Drivers
2009-08-02 21:36 . 2009-08-02 21:54 -------- d-----w- c:\temp\ext256
2009-08-02 21:36 . 2009-08-02 21:54 -------- d-----w- c:\temp\ext2782
2009-07-30 20:13 . 2009-07-30 20:13 -------- d-----w- C:\rsit
2009-07-29 15:38 . 2009-07-29 15:38 -------- d--h--w- c:\windows\PIF
2009-07-29 11:57 . 2009-07-29 11:57 -------- d-----w- c:\documents and settings\Louise\Application Data\Malwarebytes
2009-07-29 02:12 . 2009-07-29 02:12 -------- d-----w- c:\program files\Trend Micro
2009-07-29 02:09 . 2009-07-29 02:09 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
2009-07-29 02:09 . 2009-08-03 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-29 02:09 . 2009-07-29 02:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-29 02:09 . 2009-08-03 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-29 02:09 . 2009-08-07 16:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-28 17:31 . 2009-07-28 17:35 -------- d-----w- c:\documents and settings\User\.housecall6.6

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-07 21:18 . 2008-05-17 19:04 -------- d-----w- c:\program files\Yahoo!
2009-08-07 19:38 . 2008-01-23 13:01 -------- d-----w- c:\program files\Lavasoft
2009-08-06 15:39 . 2008-01-23 13:10 -------- d-----w- c:\program files\CCleaner
2009-08-05 19:43 . 2008-01-27 16:23 -------- d-----w- c:\program files\Common Files\AOL
2009-08-05 16:24 . 2008-01-24 11:37 20928 ----a-w- c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-05 03:22 . 2008-01-28 16:20 -------- d-----w- c:\documents and settings\User\Application Data\OpenOffice.org2
2009-08-02 21:57 . 2008-01-27 16:13 -------- d-----w- c:\program files\VoyagerModemDrivers
2009-08-02 20:40 . 2009-03-12 17:13 -------- d-----w- c:\program files\Opera
2009-08-02 20:28 . 2008-01-27 21:51 -------- d-----w- c:\program files\FrostWire
2009-08-02 20:21 . 2008-05-30 06:14 -------- d-----w- c:\documents and settings\User\Application Data\Yahoo!
2009-08-02 20:21 . 2008-05-17 19:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-08-02 20:08 . 2009-05-10 20:49 -------- d-----w- c:\documents and settings\User\Application Data\AOL
2009-07-29 15:44 . 2009-04-13 11:00 -------- d-----w- c:\program files\BitComet
2009-07-29 02:46 . 2008-02-03 00:16 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-11 00:02 . 2008-01-29 17:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-10 23:21 . 2008-02-04 08:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-06-29 16:12 . 2006-02-28 12:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2006-02-28 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2006-02-28 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-16 14:36 . 2006-02-28 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2006-02-28 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-03 19:09 . 2006-02-28 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-26 02:59 . 2009-05-26 03:00 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-26 02:59 . 2009-05-26 02:59 152576 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-05-22 17:12 . 2008-12-25 20:20 16 ----a-w- c:\windows\msocreg32.dat
2009-05-11 03:35 . 2008-01-29 08:39 20928 ----a-w- c:\documents and settings\Louise\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-10 12:57 . 2009-07-26 16:58 142822 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Personal_32_1033.dat
2006-05-03 10:06 . 2009-03-25 22:18 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 11:47 . 2009-03-25 22:18 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 13:30 . 2009-03-25 22:19 216064 --sh--r- c:\windows\system32\nbDX.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-07-29_15.56.42 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-07-29 07:05 . 2008-07-29 07:05 62976 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90rus.dll
+ 2008-07-29 07:05 . 2008-07-29 07:05 46080 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90kor.dll
+ 2008-07-29 07:05 . 2008-07-29 07:05 46592 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90jpn.dll
+ 2008-07-29 07:05 . 2008-07-29 07:05 64512 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90ita.dll
+ 2008-07-29 07:05 . 2008-07-29 07:05 66048 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90fra.dll
+ 2008-07-29 07:05 . 2008-07-29 07:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esp.dll
+ 2008-07-29 07:05 . 2008-07-29 07:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esn.dll
+ 2008-07-29 07:05 . 2008-07-29 07:05 56832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90enu.dll
+ 2008-07-29 07:05 . 2008-07-29 07:05 66560 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90deu.dll
+ 2008-07-29 07:05 . 2008-07-29 07:05 39936 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90cht.dll
+ 2008-07-29 07:05 . 2008-07-29 07:05 38912 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90chs.dll
+ 2008-07-29 05:07 . 2008-07-29 05:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90u.dll
+ 2008-07-29 05:07 . 2008-07-29 05:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90.dll
+ 2008-07-29 05:07 . 2008-07-29 05:07 80896 c:\windows\WinSxS\x86_Microsoft.VC90.DebugMFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_c94a3a24\mfcm90ud.dll
+ 2008-07-29 05:07 . 2008-07-29 05:07 80896 c:\windows\WinSxS\x86_Microsoft.VC90.DebugMFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_c94a3a24\mfcm90d.dll
+ 2009-08-07 21:20 . 2009-08-07 21:20 16384 c:\windows\temp\Perflib_Perfdata_60c.dat
+ 2006-02-28 12:00 . 2009-06-29 16:12 44544 c:\windows\system32\pngfilt.dll
+ 2006-02-28 12:00 . 2007-08-13 17:01 48128 c:\windows\system32\mshtmler.dll
+ 2006-02-28 12:00 . 2007-08-13 17:32 45568 c:\windows\system32\mshta.exe
+ 2007-08-13 18:54 . 2009-06-29 16:12 52224 c:\windows\system32\msfeedsbs.dll
- 2007-08-13 18:54 . 2009-04-29 04:55 52224 c:\windows\system32\msfeedsbs.dll
+ 2006-02-28 12:00 . 2007-08-13 17:44 40960 c:\windows\system32\licmgr10.dll
+ 2006-02-28 12:00 . 2009-06-29 16:12 27648 c:\windows\system32\jsproxy.dll
+ 2006-02-28 12:00 . 2007-08-13 17:39 92672 c:\windows\system32\inseng.dll
+ 2001-09-25 13:39 . 2004-06-22 13:03 54784 c:\windows\system32\Inetwh32.dll
- 2001-09-25 13:39 . 2001-09-25 13:39 54784 c:\windows\system32\Inetwh32.dll
+ 2006-02-28 12:00 . 2007-08-13 17:36 36352 c:\windows\system32\imgutil.dll
+ 2007-08-13 18:39 . 2009-06-29 11:07 13824 c:\windows\system32\ieudinit.exe
- 2007-08-13 18:39 . 2009-04-28 09:05 13824 c:\windows\system32\ieudinit.exe
+ 2006-02-28 12:00 . 2007-08-13 17:39 55296 c:\windows\system32\iesetup.dll
+ 2006-02-28 12:00 . 2009-06-29 16:12 44544 c:\windows\system32\iernonce.dll
+ 2006-02-28 12:00 . 2009-06-29 11:07 70656 c:\windows\system32\ie4uinit.exe
+ 2007-08-13 18:36 . 2009-06-29 16:12 63488 c:\windows\system32\icardie.dll
- 2007-08-13 18:36 . 2009-04-29 04:55 63488 c:\windows\system32\icardie.dll
+ 2009-08-07 19:55 . 2009-07-03 14:49 64160 c:\windows\system32\DRVSTORE\lbd_4C6E0193F967021F4DECA024CA3950BECD8BF864\Lbd.sys
+ 2007-08-13 17:36 . 2009-06-29 16:12 44544 c:\windows\system32\dllcache\pngfilt.dll
+ 2007-08-13 17:01 . 2007-08-13 17:01 48128 c:\windows\system32\dllcache\mshtmler.dll
+ 2007-08-13 17:32 . 2007-08-13 17:32 45568 c:\windows\system32\dllcache\mshta.exe
+ 2009-04-13 05:15 . 2009-06-29 16:12 52224 c:\windows\system32\dllcache\msfeedsbs.dll
- 2009-04-13 05:15 . 2009-04-29 04:55 52224 c:\windows\system32\dllcache\msfeedsbs.dll
+ 2007-08-13 17:44 . 2007-08-13 17:44 40960 c:\windows\system32\dllcache\licmgr10.dll
+ 2007-08-13 17:54 . 2009-06-29 16:12 27648 c:\windows\system32\dllcache\jsproxy.dll
+ 2007-08-13 17:39 . 2007-08-13 17:39 92672 c:\windows\system32\dllcache\inseng.dll
+ 2007-08-13 17:36 . 2007-08-13 17:36 36352 c:\windows\system32\dllcache\imgutil.dll
- 2009-04-13 05:15 . 2009-04-28 09:05 13824 c:\windows\system32\dllcache\ieudinit.exe
+ 2009-04-13 05:15 . 2009-06-29 11:07 13824 c:\windows\system32\dllcache\ieudinit.exe
+ 2007-08-13 17:39 . 2007-08-13 17:39 55296 c:\windows\system32\dllcache\iesetup.dll
+ 2007-08-13 17:39 . 2009-06-29 16:12 44544 c:\windows\system32\dllcache\iernonce.dll
+ 2007-08-13 17:45 . 2009-06-29 16:12 78336 c:\windows\system32\dllcache\ieencode.dll
+ 2007-08-13 17:44 . 2007-08-13 17:44 69120 c:\windows\system32\dllcache\iedw.exe
+ 2007-08-13 17:39 . 2009-06-29 11:07 70656 c:\windows\system32\dllcache\ie4uinit.exe
+ 2009-04-13 05:15 . 2009-06-29 16:12 63488 c:\windows\system32\dllcache\icardie.dll
- 2009-04-13 05:15 . 2009-04-29 04:55 63488 c:\windows\system32\dllcache\icardie.dll
+ 2007-08-13 17:18 . 2007-08-13 17:18 60416 c:\windows\system32\dllcache\hmmapi.dll
+ 2007-03-16 08:30 . 2007-08-13 17:54 33792 c:\windows\system32\dllcache\custsat.dll
+ 2007-08-13 17:42 . 2009-06-29 16:12 17408 c:\windows\system32\dllcache\corpol.dll
+ 2008-12-25 20:48 . 2007-04-02 18:26 19456 c:\windows\system32\dllcache\agt040d.dll
+ 2008-12-25 20:48 . 2007-04-02 18:25 19456 c:\windows\system32\dllcache\agt0401.dll
+ 2007-08-13 17:39 . 2007-08-13 17:39 71680 c:\windows\system32\dllcache\admparse.dll
+ 2006-02-28 12:00 . 2007-08-13 17:39 71680 c:\windows\system32\admparse.dll
+ 2008-12-25 20:48 . 2007-04-02 18:26 19456 c:\windows\msagent\intl\agt040d.dll
+ 2008-12-25 20:48 . 2007-04-02 18:25 19456 c:\windows\msagent\intl\agt0401.dll
+ 2009-08-05 20:01 . 2009-08-05 20:01 38240 c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
- 2009-06-12 02:04 . 2009-06-12 02:04 38240 c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
+ 2009-08-05 16:51 . 2007-08-13 17:36 44544 c:\windows\ie7updates\KB972260-IE7\pngfilt.dll
+ 2009-08-05 16:51 . 2009-04-29 04:55 52224 c:\windows\ie7updates\KB972260-IE7\msfeedsbs.dll
+ 2009-08-05 16:51 . 2007-08-13 17:54 27136 c:\windows\ie7updates\KB972260-IE7\jsproxy.dll
+ 2009-08-05 16:51 . 2007-08-13 17:39 13312 c:\windows\ie7updates\KB972260-IE7\ieudinit.exe
+ 2009-08-05 16:51 . 2007-08-13 17:39 43008 c:\windows\ie7updates\KB972260-IE7\iernonce.dll
+ 2009-08-05 16:51 . 2009-04-29 04:55 78336 c:\windows\ie7updates\KB972260-IE7\ieencode.dll
+ 2009-08-05 16:51 . 2007-08-13 17:39 54784 c:\windows\ie7updates\KB972260-IE7\ie4uinit.exe
+ 2009-08-05 16:51 . 2009-04-29 04:55 63488 c:\windows\ie7updates\KB972260-IE7\icardie.dll
+ 2009-08-05 16:51 . 2008-04-14 00:11 35328 c:\windows\ie7updates\KB972260-IE7\corpol.dll
+ 2009-08-05 20:01 . 2007-03-06 01:22 14048 c:\windows\ie7updates\KB938127-v2-IE7\spmsg.dll
+ 2009-08-05 20:01 . 2007-03-06 01:22 22752 c:\windows\ie7updates\KB938127-v2-IE7\spcustom.dll
+ 2009-08-05 16:50 . 2008-04-14 00:12 37888 c:\windows\ie7\url.dll
+ 2009-08-05 16:51 . 2007-08-13 17:52 66048 c:\windows\ie7\spuninst\ieResetIcons.exe
+ 2009-08-05 16:50 . 2007-08-13 17:54 32960 c:\windows\ie7\spuninst\iecustom.dll
+ 2009-08-05 16:50 . 2008-04-14 00:12 39424 c:\windows\ie7\pngfilt.dll
+ 2009-08-05 16:50 . 2008-04-14 00:12 96256 c:\windows\ie7\occache.dll
+ 2009-08-05 16:50 . 2008-04-13 16:26 56832 c:\windows\ie7\mshtmler.dll
+ 2009-08-05 16:50 . 2008-04-14 00:12 29184 c:\windows\ie7\mshta.exe
+ 2009-08-05 16:50 . 2008-04-14 00:11 22016 c:\windows\ie7\licmgr10.dll
+ 2009-08-05 16:50 . 2008-04-14 00:11 15872 c:\windows\ie7\jsproxy.dll
+ 2009-08-05 16:50 . 2008-04-14 00:11 96256 c:\windows\ie7\inseng.dll
+ 2009-08-05 16:50 . 2008-04-14 00:11 35840 c:\windows\ie7\imgutil.dll
+ 2009-08-05 16:50 . 2008-04-14 00:11 62976 c:\windows\ie7\iesetup.dll
+ 2009-08-05 16:50 . 2008-04-14 00:11 48640 c:\windows\ie7\iernonce.dll
+ 2009-08-05 16:50 . 2008-04-14 00:12 18432 c:\windows\ie7\iedw.exe
+ 2009-08-05 16:50 . 2008-04-14 00:12 34304 c:\windows\ie7\ie4uinit.exe
+ 2009-08-05 16:50 . 2008-04-14 00:11 38912 c:\windows\ie7\hmmapi.dll
+ 2009-08-05 16:50 . 2008-04-14 00:11 55808 c:\windows\ie7\extmgr.dll
+ 2009-08-05 16:50 . 2005-01-28 13:44 28672 c:\windows\ie7\custsat.dll
+ 2009-08-05 16:50 . 2008-04-14 00:11 99840 c:\windows\ie7\advpack.dll
+ 2009-08-05 16:50 . 2008-04-14 00:11 61440 c:\windows\ie7\admparse.dll
+ 2009-01-05 14:44 . 2009-01-05 14:44 53248 c:\windows\bdoscandel.exe
+ 2009-08-05 20:26 . 2009-08-05 20:26 86016 c:\windows\BDOSCAN8\librtvr.dll
+ 2009-08-05 20:26 . 2009-08-05 20:26 27136 c:\windows\BDOSCAN8\avxt.dll
+ 2009-08-05 20:26 . 2009-08-05 20:26 10240 c:\windows\BDOSCAN8\avxs.dll
+ 2009-08-05 20:26 . 2009-08-05 20:26 45056 c:\windows\BDOSCAN8\avxdisk.dll
+ 2008-11-26 19:23 . 2008-04-14 00:09 6144 c:\windows\system32\dllcache\kbdpash.dll
+ 2008-11-26 19:23 . 2008-04-14 00:09 6144 c:\windows\system32\dllcache\kbdnepr.dll
+ 2006-02-28 12:00 . 2008-04-14 00:09 6656 c:\windows\system32\dllcache\kbdinmal.dll
+ 2006-02-28 12:00 . 2008-04-14 00:09 6144 c:\windows\system32\dllcache\kbdinben.dll
+ 2006-02-28 12:00 . 2008-04-14 00:09 6144 c:\windows\system32\dllcache\kbdinbe1.dll
+ 2008-07-29 07:05 . 2008-07-29 07:05 875520 c:\windows\WinSxS\x86_Microsoft.VC90.DebugCRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_f863c71f\msvcp90d.dll
+ 2008-07-29 02:54 . 2008-07-29 02:54 312832 c:\windows\WinSxS\x86_Microsoft.VC90.DebugCRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_f863c71f\msvcm90d.dll
+ 2008-07-29 07:05 . 2008-07-29 07:05 655872 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcr90.dll
+ 2008-07-29 07:05 . 2008-07-29 07:05 572928 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcp90.dll
+ 2008-07-29 02:54 . 2008-07-29 02:54 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_6f74963e\msvcm90.dll
+ 2008-07-29 07:05 . 2008-07-29 07:05 161784 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_d01483b2\atl90.dll
+ 2006-12-21 14:18 . 2006-12-21 14:18 497496 c:\windows\system32\XceedZip.dll
+ 2006-02-28 12:00 . 2009-06-29 16:12 233472 c:\windows\system32\webcheck.dll
+ 2006-02-28 12:00 . 2009-06-29 16:12 105984 c:\windows\system32\url.dll
- 2008-01-27 16:25 . 2009-05-09 15:57 157696 c:\windows\system32\rmoc3260.dll
+ 2008-01-27 16:25 . 2009-08-03 00:09 157696 c:\windows\system32\rmoc3260.dll
+ 2006-02-28 12:00 . 2009-06-29 16:12 102912 c:\windows\system32\occache.dll
+ 2006-02-28 12:00 . 2009-06-29 16:12 671232 c:\windows\system32\mstime.dll
+ 2006-02-28 12:00 . 2009-06-29 16:12 193024 c:\windows\system32\msrating.dll
+ 2006-02-28 12:00 . 2007-08-13 17:54 156160 c:\windows\system32\msls31.dll
+ 2006-02-28 12:00 . 2009-06-29 16:12 477696 c:\windows\system32\mshtmled.dll
- 2007-08-13 18:54 . 2009-04-29 04:55 459264 c:\windows\system32\msfeeds.dll
+ 2007-08-13 18:54 . 2009-06-29 16:12 459264 c:\windows\system32\msfeeds.dll
+ 2007-08-13 18:34 . 2009-06-29 16:12 268288 c:\windows\system32\iertutil.dll
- 2007-08-13 18:34 . 2009-04-29 04:55 268288 c:\windows\system32\iertutil.dll
+ 2006-02-28 12:00 . 2007-08-13 17:54 191488 c:\windows\system32\iepeers.dll
+ 2006-02-28 12:00 . 2009-06-29 16:12 385024 c:\windows\system32\iedkcs32.dll
+ 2007-07-11 12:27 . 2009-06-29 16:12 380928 c:\windows\system32\ieapfltr.dll
+ 2006-02-28 12:00 . 2009-06-29 08:33 161792 c:\windows\system32\ieakui.dll
+ 2006-02-28 12:00 . 2009-06-29 16:12 230400 c:\windows\system32\ieaksie.dll
+ 2006-02-28 12:00 . 2009-06-29 16:12 153088 c:\windows\system32\ieakeng.dll
+ 2007-03-16 08:21 . 2009-08-04 18:33 127704 c:\windows\system32\FNTCACHE.DAT
- 2007-03-16 08:21 . 2009-06-12 02:12 127704 c:\windows\system32\FNTCACHE.DAT
+ 2006-02-28 12:00 . 2009-06-29 16:12 133120 c:\windows\system32\extmgr.dll
+ 2006-02-28 12:00 . 2009-06-29 16:12 214528 c:\windows\system32\dxtrans.dll
+ 2006-02-28 12:00 . 2009-06-29 16:12 347136 c:\windows\system32\dxtmsft.dll
+ 2009-03-03 17:45 . 2009-06-29 16:12 827392 c:\windows\system32\dllcache\wininet.dll
+ 2007-08-13 17:54 . 2009-06-29 16:12 233472 c:\windows\system32\dllcache\webcheck.dll
+ 2007-08-13 17:54 . 2008-05-27 17:23 765952 c:\windows\system32\dllcache\vgx.dll
+ 2007-08-13 17:44 . 2009-06-29 16:12 105984 c:\windows\system32\dllcache\url.dll
+ 2006-09-23 12:12 . 2006-09-23 12:12 474112 c:\windows\system32\dllcache\shlwapi.dll
+ 2007-08-13 17:44 . 2009-06-29 16:12 102912 c:\windows\system32\dllcache\occache.dll
+ 2007-08-13 17:54 . 2009-06-29 16:12 671232 c:\windows\system32\dllcache\mstime.dll
+ 2007-08-13 17:44 . 2009-06-29 16:12 193024 c:\windows\system32\dllcache\msrating.dll
+ 2006-02-28 12:00 . 2007-08-13 17:54 156160 c:\windows\system32\dllcache\msls31.dll
+ 2007-08-13 17:54 . 2009-06-29 16:12 477696 c:\windows\system32\dllcache\mshtmled.dll
+ 2009-04-13 05:15 . 2009-06-29 16:12 459264 c:\windows\system32\dllcache\msfeeds.dll
- 2009-04-13 05:15 . 2009-04-29 04:55 459264 c:\windows\system32\dllcache\msfeeds.dll
+ 2007-08-13 17:43 . 2009-06-29 08:35 634632 c:\windows\system32\dllcache\iexplore.exe
- 2009-04-13 05:15 . 2009-04-29 04:55 268288 c:\windows\system32\dllcache\iertutil.dll
+ 2009-04-13 05:15 . 2009-06-29 16:12 268288 c:\windows\system32\dllcache\iertutil.dll
+ 2007-08-13 17:54 . 2007-08-13 17:54 191488 c:\windows\system32\dllcache\iepeers.dll
+ 2007-08-13 17:39 . 2009-06-29 16:12 385024 c:\windows\system32\dllcache\iedkcs32.dll
+ 2009-04-13 05:15 . 2009-06-29 16:12 380928 c:\windows\system32\dllcache\ieapfltr.dll
+ 2006-02-28 12:00 . 2009-06-29 08:33 161792 c:\windows\system32\dllcache\ieakui.dll
+ 2007-08-13 17:39 . 2009-06-29 16:12 230400 c:\windows\system32\dllcache\ieaksie.dll
+ 2007-08-13 17:39 . 2009-06-29 16:12 153088 c:\windows\system32\dllcache\ieakeng.dll
+ 2007-08-13 17:54 . 2009-06-29 16:12 133120 c:\windows\system32\dllcache\extmgr.dll
+ 2007-08-13 17:35 . 2009-06-29 16:12 214528 c:\windows\system32\dllcache\dxtrans.dll
+ 2007-08-13 17:35 . 2009-06-29 16:12 347136 c:\windows\system32\dllcache\dxtmsft.dll
+ 2007-08-13 17:39 . 2009-06-29 16:12 124928 c:\windows\system32\dllcache\advpack.dll
+ 2008-05-30 19:58 . 2009-07-30 19:58 262144 c:\windows\system32\config\systemprofile\ntuser.dat
+ 2006-02-28 12:00 . 2009-06-29 16:12 124928 c:\windows\system32\advpack.dll
+ 2009-08-03 00:10 . 2004-06-22 13:03 253952 c:\windows\occache\iestm32.dll
- 2008-01-27 16:25 . 2004-06-22 13:03 253952 c:\windows\occache\iestm32.dll
+ 2009-03-20 10:48 . 2009-03-20 10:48 183808 c:\windows\Installer\5eb74a.msp
+ 2009-08-07 19:38 . 2009-08-07 19:38 236032 c:\windows\Installer\1a36dad.msi
+ 2006-10-26 20:49 . 2006-10-26 20:49 509200 c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6021\WRD12CVR.DLL
+ 2009-08-05 16:51 . 2007-08-13 17:54 818688 c:\windows\ie7updates\KB972260-IE7\wininet.dll
+ 2009-08-05 16:51 . 2007-08-13 17:54 231424 c:\windows\ie7updates\KB972260-IE7\webcheck.dll
+ 2009-08-05 16:51 . 2007-08-13 17:44 105984 c:\windows\ie7updates\KB972260-IE7\url.dll
+ 2009-08-05 16:51 . 2009-05-26 11:40 382840 c:\windows\ie7updates\KB972260-IE7\spuninst\updspapi.dll
+ 2009-08-05 16:51 . 2008-07-08 13:02 231288 c:\windows\ie7updates\KB972260-IE7\spuninst\spuninst.exe
+ 2009-08-05 16:51 . 2007-08-13 17:44 101376 c:\windows\ie7updates\KB972260-IE7\occache.dll
+ 2009-08-05 16:51 . 2007-08-13 17:54 670720 c:\windows\ie7updates\KB972260-IE7\mstime.dll
+ 2009-08-05 16:51 . 2007-08-13 17:44 192000 c:\windows\ie7updates\KB972260-IE7\msrating.dll
+ 2009-08-05 16:51 . 2007-08-13 17:54 475648 c:\windows\ie7updates\KB972260-IE7\mshtmled.dll
+ 2009-08-05 16:51 . 2009-04-29 04:55 459264 c:\windows\ie7updates\KB972260-IE7\msfeeds.dll
+ 2009-08-05 16:51 . 2009-04-25 05:27 636088 c:\windows\ie7updates\KB972260-IE7\iexplore.exe
+ 2009-08-05 16:51 . 2009-04-29 04:55 268288 c:\windows\ie7updates\KB972260-IE7\iertutil.dll
+ 2009-08-05 16:51 . 2007-08-13 17:39 382976 c:\windows\ie7updates\KB972260-IE7\iedkcs32.dll
+ 2009-08-05 16:51 . 2009-04-29 04:55 383488 c:\windows\ie7updates\KB972260-IE7\ieapfltr.dll
+ 2009-08-05 16:51 . 2007-08-13 16:56 161792 c:\windows\ie7updates\KB972260-IE7\ieakui.dll
+ 2009-08-05 16:51 . 2007-08-13 17:39 229376 c:\windows\ie7updates\KB972260-IE7\ieaksie.dll
+ 2009-08-05 16:51 . 2007-08-13 17:39 152064 c:\windows\ie7updates\KB972260-IE7\ieakeng.dll
+ 2009-08-05 16:51 . 2007-08-13 17:54 131584 c:\windows\ie7updates\KB972260-IE7\extmgr.dll
+ 2009-08-05 16:51 . 2007-08-13 17:35 214528 c:\windows\ie7updates\KB972260-IE7\dxtrans.dll
+ 2009-08-05 16:51 . 2007-08-13 17:35 346624 c:\windows\ie7updates\KB972260-IE7\dxtmsft.dll
+ 2009-08-05 16:51 . 2007-08-13 17:39 123904 c:\windows\ie7updates\KB972260-IE7\advpack.dll
+ 2009-08-05 20:01 . 2007-08-13 17:54 765952 c:\windows\ie7updates\KB938127-v2-IE7\vgx.dll
+ 2009-08-05 20:01 . 2007-03-06 01:23 371424 c:\windows\ie7updates\KB938127-v2-IE7\updspapi.dll
+ 2009-08-05 20:01 . 2007-03-06 01:22 716000 c:\windows\ie7updates\KB938127-v2-IE7\update.exe
+ 2009-08-05 20:01 . 2007-03-06 01:23 371424 c:\windows\ie7updates\KB938127-v2-IE7\spuninst\updspapi.dll
+ 2009-08-05 20:01 . 2007-03-06 01:22 213216 c:\windows\ie7updates\KB938127-v2-IE7\spuninst\spuninst.exe
+ 2009-08-05 20:01 . 2007-03-06 01:22 213216 c:\windows\ie7updates\KB938127-v2-IE7\spuninst.exe
+ 2009-08-05 16:50 . 2008-10-16 01:00 666112 c:\windows\ie7\wininet.dll
+ 2009-08-05 16:50 . 2008-04-14 00:12 276480 c:\windows\ie7\webcheck.dll
+ 2009-08-05 16:50 . 2008-04-14 00:12 851968 c:\windows\ie7\vgx.dll
+ 2009-08-05 16:50 . 2008-10-16 01:00 619520 c:\windows\ie7\urlmon.dll
+ 2009-08-05 16:50 . 2006-09-06 16:43 371424 c:\windows\ie7\spuninst\updspapi.dll
+ 2009-08-05 16:50 . 2006-09-06 16:43 213216 c:\windows\ie7\spuninst\spuninst.exe
+ 2009-08-05 16:50 . 2008-04-14 00:12 532480 c:\windows\ie7\mstime.dll
+ 2009-08-05 16:50 . 2008-04-14 00:12 146432 c:\windows\ie7\msrating.dll
+ 2009-08-05 16:50 . 2006-02-28 12:00 146432 c:\windows\ie7\msls31.dll
+ 2009-08-05 16:50 . 2008-04-14 00:11 449024 c:\windows\ie7\mshtmled.dll
+ 2009-08-05 16:50 . 2008-04-14 00:11 251904 c:\windows\ie7\iepeers.dll
+ 2009-08-05 16:50 . 2008-04-14 00:11 323584 c:\windows\ie7\iedkcs32.dll
+ 2009-08-05 16:50 . 2006-02-28 12:00 221184 c:\windows\ie7\ieakui.dll
+ 2009-08-05 16:50 . 2008-04-14 00:11 216576 c:\windows\ie7\ieaksie.dll
+ 2009-08-05 16:50 . 2008-04-14 00:11 143360 c:\windows\ie7\ieakeng.dll
+ 2009-08-05 16:50 . 2008-04-14 00:11 205312 c:\windows\ie7\dxtrans.dll
+ 2009-08-05 16:50 . 2008-04-14 00:11 357888 c:\windows\ie7\dxtmsft.dll
+ 2009-08-04 18:56 . 2009-08-04 18:56 192512 c:\windows\ERDNT\04-08-2009\Users\00000002\UsrClass.dat
+ 2009-08-04 18:54 . 2005-10-20 11:02 163328 c:\windows\ERDNT\04-08-2009\ERDNT.EXE
+ 2009-01-05 14:44 . 2009-01-05 14:44 741376 c:\windows\Downloaded Program Files\ipsupd.dll
+ 2009-01-05 14:44 . 2009-01-05 14:44 741376 c:\windows\BDOSCAN8\ipsupd.dll
+ 2008-07-29 07:05 . 2008-07-29 07:05 3783672 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90u.dll
+ 2008-07-29 07:05 . 2008-07-29 07:05 3768312 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90.dll
+ 2008-07-29 07:05 . 2008-07-29 07:05 5982720 c:\windows\WinSxS\x86_Microsoft.VC90.DebugMFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_c94a3a24\mfc90ud.dll
+ 2008-07-29 07:05 . 2008-07-29 07:05 5937144 c:\windows\WinSxS\x86_Microsoft.VC90.DebugMFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_c94a3a24\mfc90d.dll
+ 2008-07-29 07:05 . 2008-07-29 07:05 1180672 c:\windows\WinSxS\x86_Microsoft.VC90.DebugCRT_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_f863c71f\msvcr90d.dll
+ 2006-02-28 12:00 . 2009-06-29 16:12 1159680 c:\windows\system32\urlmon.dll
+ 2001-09-25 13:39 . 2004-06-22 13:03 1044480 c:\windows\system32\roboex32.dll
- 2001-09-25 13:39 . 2001-09-25 13:39 1044480 c:\windows\system32\roboex32.dll
+ 2006-02-28 12:00 . 2009-07-19 18:03 3597824 c:\windows\system32\mshtml.dll
+ 2008-01-25 20:47 . 2004-06-22 13:03 1060864 c:\windows\system32\MFC71.dll
- 2008-01-25 20:47 . 2004-06-22 14:03 1060864 c:\windows\system32\MFC71.dll
+ 2007-08-13 18:54 . 2009-07-19 13:32 6067200 c:\windows\system32\ieframe.dll
+ 2007-02-12 16:10 . 2009-06-29 08:33 2452872 c:\windows\system32\ieapfltr.dat
+ 2009-03-03 17:45 . 2009-06-29 16:12 1159680 c:\windows\system32\dllcache\urlmon.dll
+ 2009-03-03 17:22 . 2009-07-19 18:03 3597824 c:\windows\system32\dllcache\mshtml.dll
+ 2009-04-13 05:15 . 2009-07-19 13:32 6067200 c:\windows\system32\dllcache\ieframe.dll
+ 2009-04-13 05:15 . 2009-06-29 08:33 2452872 c:\windows\system32\dllcache\ieapfltr.dat
+ 2006-09-23 12:12 . 2006-09-23 12:12 1022976 c:\windows\system32\dllcache\browseui.dll
+ 2009-08-07 19:38 . 2009-08-07 19:38 1859072 c:\windows\Installer\1a36db4.msi
+ 2009-08-05 16:51 . 2007-08-13 17:54 1162240 c:\windows\ie7updates\KB972260-IE7\urlmon.dll
+ 2009-08-05 16:51 . 2007-08-13 17:54 3578368 c:\windows\ie7updates\KB972260-IE7\mshtml.dll
+ 2009-08-05 16:51 . 2009-04-29 04:55 6066176 c:\windows\ie7updates\KB972260-IE7\ieframe.dll
+ 2009-08-05 16:51 . 2008-07-09 14:25 2455488 c:\windows\ie7updates\KB972260-IE7\ieapfltr.dat
+ 2009-08-05 16:50 . 2008-12-12 17:01 3067904 c:\windows\ie7\mshtml.dll
+ 2009-08-04 18:56 . 2009-08-04 18:56 9170944 c:\windows\ERDNT\04-08-2009\Users\00000001\NTUSER.DAT
+ 2009-04-04 06:35 . 2009-04-04 06:35 38325760 c:\windows\Installer\5eb740.msp
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-01 153136]
"SetDefaultMIDI"="MIDIDef.exe" - c:\windows\system32\MIDIDEF.EXE [2007-12-12 31232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
"JMB36X Configure"="c:\windows\system32\JMRaidTool.exe" [2006-08-14 352256]
"H2O"="c:\program files\SyncroSoft\Pos\H2O\cledx.exe" [2005-10-23 385024]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2007-12-07 71008]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"HostManager"="c:\program files\Common Files\AOL\1249496189\ee\AOLSoftware.exe" [2006-09-26 50736]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-12-05 1626112]
"CTHelper"="CTHELPER.EXE" - c:\windows\system32\CtHelper.exe [2007-12-12 23040]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2008-03-26 1232896]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AOL 9.0 Tray Icon.lnk - c:\program files\AOL 9.0\aoltray.exe [2009-8-3 156784]
AOL Companion.lnk - c:\program files\AOL Companion\companion.exe [2009-8-3 250992]
WG111v2 Smart Wizard Wireless Setting.lnk - c:\program files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe [2009-5-10 745472]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"vsmon"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"=
"c:\\Program Files\\AOL 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\1249496189\\ee\\aolsoftware.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"19956:TCP"= 19956:TCP:BitComet 19956 TCP
"19956:UDP"= 19956:UDP:BitComet 19956 UDP

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [07/08/2009 20:55 64160]
R1 Asapi;Asapi;c:\windows\system32\drivers\asapi.sys [29/01/2008 17:19 11264]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [05/08/2009 19:02 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [05/08/2009 19:02 20560]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [10/05/2009 13:59 66048]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [03/07/2009 15:49 1029456]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [26/06/2008 19:03 33792]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [12/12/2007 19:35 98328]
R3 CTEDSPIO.SYS;CTEDSPIO.SYS;c:\windows\system32\drivers\CTEDSPIO.sys [12/12/2007 19:37 134168]
R3 CTEDSPSY.SYS;CTEDSPSY.SYS;c:\windows\system32\drivers\CTEDSPSY.sys [12/12/2007 19:37 309784]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [12/12/2007 19:35 98328]
S3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [12/12/2007 19:36 171032]
S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [12/12/2007 19:36 171032]
S3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [12/12/2007 19:35 528920]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [12/12/2007 19:35 528920]
S3 CTEAPSFX.SYS;CTEAPSFX.SYS;c:\windows\system32\drivers\CTEAPSFX.sys [12/12/2007 19:36 163352]
S3 CTEAPSFX;CTEAPSFX;c:\windows\system32\drivers\CTEAPSFX.sys [12/12/2007 19:36 163352]
S3 CTEDSPFX.SYS;CTEDSPFX.SYS;c:\windows\system32\drivers\CTEDSPFX.sys [12/12/2007 19:36 259096]
S3 CTEDSPFX;CTEDSPFX;c:\windows\system32\drivers\CTEDSPFX.sys [12/12/2007 19:36 259096]
S3 CTEDSPIO;CTEDSPIO;c:\windows\system32\drivers\CTEDSPIO.sys [12/12/2007 19:37 134168]
S3 CTEDSPSY;CTEDSPSY;c:\windows\system32\drivers\CTEDSPSY.sys [12/12/2007 19:37 309784]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [12/12/2007 19:36 99352]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [12/12/2007 19:36 99352]
S3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [12/12/2007 19:37 1324056]
S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [12/12/2007 19:37 1324056]
S3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [12/12/2007 19:36 72728]
S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [12/12/2007 19:36 72728]
S3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [12/12/2007 19:36 534040]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [12/12/2007 19:36 534040]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-08-07 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]

2009-07-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchURL,(Default) = hxxp://search.aol.co.uk/web?isinit=true&query=%s
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\ti6n65sr.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-GB.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\Google\Google Updater\2.4.1399.3742\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-07 22:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2276)
c:\windows\system32\WININET.dll
c:\program files\ScanSoft\OmniPageSE2.0\ophookSE2.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-08-07 22:37
ComboFix-quarantined-files.txt 2009-08-07 21:37
ComboFix2.txt 2009-08-05 16:18
ComboFix3.txt 2009-08-05 16:07
ComboFix4.txt 2009-08-03 19:46
ComboFix5.txt 2009-08-07 21:27

Pre-Run: 91,723,845,632 bytes free
Post-Run: 91,768,631,296 bytes free

467 --- E O F --- 2009-07-29 02:03

Post Edited (LordBTY) : 07-08-2009 21:40:23 GMT

Back to Top
 

Jintan
Senior Member




Date Joined Dec 2006
Total Posts : 1428
 
   Posted 8/8/2009 3:20 AM (GMT +3)    Quote: Severe Download Trojan - Help :(Alert an admin about: Severe Download Trojan - Help :(
That is looking good now.


I do not recognize two folders that are showing in the log. Make sure you can View Hidden Files. Also uncheck "Hide Extensions for Known File Types"

Right click My Computer, left click Explore, and use the plus + symbols to navigate to the following folders, and just let me know what is in them:

c:\temp\ext256
c:\temp\ext2782

If they happen to be empty then go ahead and delete them. If their questionable value software is already uninstalled you can delete this folder as well:

c:\program files\Enigma Software Group


And now let's get a current online scan run, to verify nothing malicious remains there.


Disable your antivirus program and go here and run an online scan using ESET Online Scanner (you will need to use Internet Explorer for this scan, or download the installer to run it in a different browser). If you accept the Terms of Use, check the box and click Start. After the ActiveX Control has loaded, it will take a couple minutes for the scanner to get ready. Next, check the following boxes:

Remove found threats
Scan unwanted applications


Click Start. This scan may take a while, so please be patient. A log may open when the scan is complete (if not, go to C:\Program Files\EsetOnlineScanner\ and open the file log.txt). Click Edit - Select All then copy/paste that log back here please.


If you have any problems getting Eset started, one work-around is to have an open Internet connection, and then click here and download the esetsmartinstaller_enu.exe Eset installer. Then click that file, and follow the same previous steps to run the scan.


Click here and help my friend help stop leukemia, lymphoma, Hodgkin lymphoma and myeloma from taking more lives.

Back to Top
 

LordBTY
New Member


Date Joined Jun 2009
Total Posts : 35
 
   Posted 8/8/2009 4:49 AM (GMT +3)    Quote: Severe Download Trojan - Help :(Alert an admin about: Severe Download Trojan - Help :(
In ext256 there's nothing

In ext2782 there's a file called update.exe

Should I delete it?

Tom
Back to Top
 

Jintan
Senior Member




Date Joined Dec 2006
Total Posts : 1428
 
   Posted 8/8/2009 1:30 PM (GMT +3)    Quote: Severe Download Trojan - Help :(Alert an admin about: Severe Download Trojan - Help :(
Let's check a copy of that file. Just go here, press new topic, fill in the needed details and just give a link to your post back here. Then press the browse button and then navigate to & select the file (c:\temp\ext2782\update.exe) on your computer.

Then for now rename it to update.exe.bad


Click here and help my friend help stop leukemia, lymphoma, Hodgkin lymphoma and myeloma from taking more lives.

Back to Top
 

LordBTY
New Member


Date Joined Jun 2009
Total Posts : 35
 
   Posted 8/8/2009 4:37 PM (GMT +3)    Quote: Severe Download Trojan - Help :(Alert an admin about: Severe Download Trojan - Help :(
OK :)

Here it is

http://thespykiller.co.uk/index.php/topic,8677.0.html

and I've renamed it :)
Back to Top
 

Jintan
Senior Member




Date Joined Dec 2006
Total Posts : 1428
 
   Posted 8/9/2009 1:02 AM (GMT +3)    Quote: Severe Download Trojan - Help :(Alert an admin about: Severe Download Trojan - Help :(
I received the update.exe file, thanks. My best assessment is it is a Windows updater file, though the internal code indicates a Windows 2000 version. Post back the Eset log when ready please.


Click here and help my friend help stop leukemia, lymphoma, Hodgkin lymphoma and myeloma from taking more lives.

Back to Top
 

Jintan
Senior Member




Date Joined Dec 2006
Total Posts : 1428
 
   Posted 8/9/2009 2:43 AM (GMT +3)    Quote: Severe Download Trojan - Help :(Alert an admin about: Severe Download Trojan - Help :(
When you post back that Eset log, also run this scan. We need to check the registry information on all the services there, to make sure all are correct.


Go here and download getservices.zip.

Extract the file to the c:\ drive. Then navigate to the c:\getservice and double-click on the getservices.bat file. A notepad will open up. Please paste the contents of that notepad as a reply to this post.


Click here and help my friend help stop leukemia, lymphoma, Hodgkin lymphoma and myeloma from taking more lives.

Back to Top
 

LordBTY
New Member


Date Joined Jun 2009
Total Posts : 35
 
   Posted 8/9/2009 8:06 AM (GMT +3)    Quote: Severe Download Trojan - Help :(Alert an admin about: Severe Download Trojan - Help :(
Ok, here's the ESET log

C:\System Volume Information\_restore{F623FF31-4737-4A48-A07E-C9B8DEE9AE00}\RP189\A0028221.exe a variant of Win32/TrojanDownloader.Swizzor.NCK trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{F623FF31-4737-4A48-A07E-C9B8DEE9AE00}\RP189\A0028223.exe a variant of Win32/TrojanDownloader.Swizzor.NCL trojan cleaned by deleting - quarantined


And here's the getservice log :)



SERVICE_NAME: ALG
DISPLAY_NAME: Application Layer Gateway Service
TYPE : 10 WIN32_OWN_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 1300
FLAGS :
DESCRIPTION : Provides support for 3rd party protocol plug-ins for Internet Connection Sharing and the Windows Firewall.

TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\alg.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Application Layer Gateway Service
SERVICE_START_NAME : NT AUTHORITY\LocalService

SERVICE_NAME: AOL ACS
DISPLAY_NAME: AOL Connectivity Service
TYPE : 110 WIN32_OWN_PROCESS (interactive)
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 1908
FLAGS :
DESCRIPTION :

TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe"
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : AOL Connectivity Service
SERVICE_START_NAME : LocalSystem

SERVICE_NAME: aswUpdSv
DISPLAY_NAME: avast! iAVS4 Control Service
TYPE : 110 WIN32_OWN_PROCESS (interactive)
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 1376
FLAGS :
DESCRIPTION : Provides automatic updating for the avast! antivirus.

TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"
LOAD_ORDER_GROUP : ShellSvcGroup
TAG : 0
DISPLAY_NAME : avast! iAVS4 Control Service
SERVICE_START_NAME : LocalSystem

SERVICE_NAME: AudioSrv
DISPLAY_NAME: Windows Audio
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 1060
FLAGS :
DESCRIPTION : Manages audio devices for Windows-based programs. If this service is stopped, audio devices and effects will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.

TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : AudioGroup
TAG : 0
DISPLAY_NAME : Windows Audio
DEPENDENCIES : PlugPlay
: RpcSs
SERVICE_START_NAME : LocalSystem

SERVICE_NAME: avast! Antivirus
DISPLAY_NAME: avast! Antivirus
TYPE : 110 WIN32_OWN_PROCESS (interactive)
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 1508
FLAGS :
DESCRIPTION : Manages and implements avast! antivirus services for this computer. This includes the resident protection, the virus chest and the scheduler.

TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "C:\Program Files\Alwil Software\Avast4\ashServ.exe"
LOAD_ORDER_GROUP : ShellSvcGroup
TAG : 0
DISPLAY_NAME : avast! Antivirus
DEPENDENCIES : aswMon2
: RpcSS
SERVICE_START_NAME : LocalSystem

SERVICE_NAME: avast! Mail Scanner
DISPLAY_NAME: avast! Mail Scanner
TYPE : 110 WIN32_OWN_PROCESS (interactive)
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 580
FLAGS :
DESCRIPTION : Implements mail scanning for avast! antivirus.

TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service
LOAD_ORDER_GROUP : ShellSvcGroup
TAG : 0
DISPLAY_NAME : avast! Mail Scanner
DEPENDENCIES : avast! Antivirus
SERVICE_START_NAME : LocalSystem

SERVICE_NAME: avast! Web Scanner
DISPLAY_NAME: avast! Web Scanner
TYPE : 110 WIN32_OWN_PROCESS (interactive)
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 624
FLAGS :
DESCRIPTION : Implements web (HTTP) scanning for avast! antivirus.

TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service
LOAD_ORDER_GROUP : ShellSvcGroup
TAG : 0
DISPLAY_NAME : avast! Web Scanner
DEPENDENCIES : avast! Antivirus
SERVICE_START_NAME : LocalSystem

SERVICE_NAME: BITS
DISPLAY_NAME: Background Intelligent Transfer Service
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 1060
FLAGS :
DESCRIPTION : Transfers files in the background using idle network bandwidth. If the service is stopped, features such as Windows Update, and MSN Explorer will be unable to automatically download programs and other information. If this service is disabled, any services that explicitly depend on it may fail to transfer files if they do not have a fail safe mechanism to transfer files directly through IE in case BITS has been disabled.

TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Background Intelligent Transfer Service
DEPENDENCIES : Rpcss
SERVICE_START_NAME : LocalSystem

SERVICE_NAME: Cryptsvc
DISPLAY_NAME: Cryptsvc
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 1060
FLAGS :
DESCRIPTION : Provides three management services: Catalog Database Service, which confirms the signatures of Windows files; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; and Key Service, which helps enroll this computer for certificates. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.

TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : CryptSvc
DEPENDENCIES : RpcSs
SERVICE_START_NAME : LocalSystem

SERVICE_NAME: DcomLaunch
DISPLAY_NAME: DCOM Server Process Launcher
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 916
FLAGS :
DESCRIPTION : Provides launch functionality for DCOM services.

TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost -k DcomLaunch
LOAD_ORDER_GROUP : Event Log
TAG : 0
DISPLAY_NAME : DCOM Server Process Launcher
SERVICE_START_NAME : LocalSystem

SERVICE_NAME: Dhcp
DISPLAY_NAME: DHCP Client
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 1060
FLAGS :
DESCRIPTION : Manages network configuration by registering and updating IP addresses and DNS names.

TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : TDI
TAG : 0
DISPLAY_NAME : DHCP Client
SERVICE_START_NAME : LocalSystem

SERVICE_NAME: dmserver
DISPLAY_NAME: Logical Disk Manager
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 1060
FLAGS :
DESCRIPTION : Detects and monitors new hard disk drives and sends disk volume information to Logical Disk Manager Administrative Service for configuration. If this service is stopped, dynamic disk status and configuration information may become out of date. If this service is disabled, any services that explicitly depend on it will fail to start.

TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Logical Disk Manager
DEPENDENCIES : RpcSs
: PlugPlay
SERVICE_START_NAME : LocalSystem

SERVICE_NAME: Dnscache
DISPLAY_NAME: DNS Client
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 1160
FLAGS :
DESCRIPTION : Resolves and caches Domain Name System (DNS) names for this computer. If this service is stopped, this computer will not be able to resolve DNS names and locate Active Directory domain controllers. If this service is disabled, any services that explicitly depend on it will fail to start.

TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k NetworkService
LOAD_ORDER_GROUP : TDI
TAG : 0
DISPLAY_NAME : DNS Client
DEPENDENCIES : Tcpip
SERVICE_START_NAME : NT AUTHORITY\NetworkService

SERVICE_NAME: ERSvc
DISPLAY_NAME: Error Reporting Service
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 1060
FLAGS :
DESCRIPTION : Allows error reporting for services and applictions running in non-standard environments.

TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Error Reporting Service
DEPENDENCIES : RpcSs
SERVICE_START_NAME : LocalSystem

SERVICE_NAME: Eventlog
DISPLAY_NAME: Event Log
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(NOT_STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 720
FLAGS : SERVICE_RUNS_IN_SYSTEM_PROCESS
DESCRIPTION : Enables event log messages issued by Windows-based programs and components to be viewed in Event Viewer. This service cannot be stopped.

TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\services.exe
LOAD_ORDER_GROUP : Event log
TAG : 0
DISPLAY_NAME : Event Log
SERVICE_START_NAME : LocalSystem

SERVICE_NAME: EventSystem
DISPLAY_NAME: COM+ Event System
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 1060
FLAGS :
DESCRIPTION : Supports System Event Notification Service (SENS), which provides automatic distribution of events to subscribing Component Object Model (COM) components. If the service is stopped, SENS will close and will not be able to provide logon and logoff notifications. If this service is disabled, any services that explicitly depend on it will fail to start.

TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : Network
TAG : 0
DISPLAY_NAME : COM+ Event System
DEPENDENCIES : RPCSS
SERVICE_START_NAME : LocalSystem

SERVICE_NAME: FastUserSwitchingCompatibility
DISPLAY_NAME: Fast User Switching Compatibility
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 1060
FLAGS :
DESCRIPTION : Provides management for applications that require assistance in a multiple user environment.

TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Fast User Switching Compatibility
DEPENDENCIES : TermService
SERVICE_START_NAME : LocalSystem

SERVICE_NAME: helpsvc
DISPLAY_NAME: Help and Support
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 1060
FLAGS :
DESCRIPTION : Enables Help and Support Center to run on this computer. If this service is stopped, Help and Support Center will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Help and Support
DEPENDENCIES : RPCSS
SERVICE_START_NAME : LocalSystem

SERVICE_NAME: HTTPFilter
DISPLAY_NAME: HTTP SSL
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 936
FLAGS :
DESCRIPTION : This service implements the secure hypertext transfer protocol (HTTPS) for the HTTP service, using the Secure Socket Layer (SSL). If this service is disabled, any services that explicitly depend on it will fail to start.

TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k HTTPFilter
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : HTTP SSL
DEPENDENCIES : HTTP
SERVICE_START_NAME : LocalSystem

SERVICE_NAME: lanmanserver
DISPLAY_NAME: Server
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 1060
FLAGS :
DESCRIPTION : Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Server
SERVICE_START_NAME : LocalSystem

SERVICE_NAME: Lavasoft Ad-Aware Service
DISPLAY_NAME: Lavasoft Ad-Aware Service
TYPE : 110 WIN32_OWN_PROCESS (interactive)
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 1388
FLAGS :
DESCRIPTION : Ad-Aware Service

TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe"
LOAD_ORDER_GROUP : ShellSvcGroup
TAG : 0
DISPLAY_NAME : Lavasoft Ad-Aware Service
DEPENDENCIES : RpcSS
SERVICE_START_NAME : LocalSystem

SERVICE_NAME: LmHosts
DISPLAY_NAME: TCP/IP NetBIOS Helper
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 1276
FLAGS :
DESCRIPTION : Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution.

TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k LocalService
LOAD_ORDER_GROUP : TDI
TAG : 0
DISPLAY_NAME : TCP/IP NetBIOS Helper
DEPENDENCIES : NetBT
: Afd
SERVICE_START_NAME : NT AUTHORITY\LocalService

SERVICE_NAME: Netman
DISPLAY_NAME: Network Connections
TYPE : 120 WIN32_SHARE_PROCESS (interactive)
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 1060
FLAGS :
DESCRIPTION : Manages objects in the Network and Dial-Up Connections folder, in which you can view both local area network and remote connections.

TYPE : 120 WIN32_SHARE_PROCESS (interactive)
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Network Connections
DEPENDENCIES : RpcSs
SERVICE_START_NAME : LocalSystem

SERVICE_NAME: Nla
DISPLAY_NAME: Network Location Awareness (NLA)
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 1060
FLAGS :
DESCRIPTION : Collects and stores network configuration and location information, and notifies applications when this information changes.

TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Network Location Awareness (NLA)
DEPENDENCIES : Tcpip
: Afd
SERVICE_START_NAME : LocalSystem

SERVICE_NAME: NMIndexingService
DISPLAY_NAME: NMIndexingService
TYPE : 10 WIN32_OWN_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 1704
FLAGS :
DESCRIPTION :

TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe"
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : NMIndexingService
DEPENDENCIES : RPCSS
SERVICE_START_NAME : LocalSystem

SERVICE_NAME: NVSvc
DISPLAY_NAME: NVIDIA Display Driver Service
TYPE : 10 WIN32_OWN_PROCESS
STATE : 4 RUNNING
(STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 1980
FLAGS :
DESCRIPTION : Provides system and desktop level support to the NVIDIA display driver

TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\nvsvc32.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : NVIDIA Display Driver Service
SERVICE_START_NAME : LocalSystem

SERVICE_NAME: PlugPlay
DISPLAY_NAME: Plug and Play
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(NOT_STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 720
FLAGS : SERVICE_RUNS_IN_SYSTEM_PROCESS
DESCRIPTION : Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability.

TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\services.exe
LOAD_ORDER_GROUP : PlugPlay
TAG : 0
DISPLAY_NAME : Plug and Play
SERVICE_START_NAME : LocalSystem

SERVICE_NAME: ProtectedStorage
DISPLAY_NAME: Protected Storage
TYPE : 120 WIN32_SHARE_PROCESS (interactive)
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 732
FLAGS : SERVICE_RUNS_IN_SYSTEM_PROCESS
DESCRIPTION : Provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services, processes, or users.

TYPE : 120 WIN32_SHARE_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\lsass.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Protected Storage
DEPENDENCIES : RpcSs
SERVICE_START_NAME : LocalSystem

SERVICE_NAME: RasMan
DISPLAY_NAME: Remote Access Connection Manager
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 1060
FLAGS :
DESCRIPTION : Creates a network connection.

TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Remote Access Connection Manager
DEPENDENCIES : Tapisrv
SERVICE_START_NAME : LocalSystem

SERVICE_NAME: RpcSs
DISPLAY_NAME: Remote Procedure Call (RPC)
TYPE : 10 WIN32_OWN_PROCESS
STATE : 4 RUNNING
(NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 964
FLAGS :
DESCRIPTION : Provides the endpoint mapper and other miscellaneous RPC services.

TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost -k rpcss
LOAD_ORDER_GROUP : COM Infrastructure
TAG : 0
DISPLAY_NAME : Remote Procedure Call (RPC)
SERVICE_START_NAME : NT Authority\NetworkService

SERVICE_NAME: SamSs
DISPLAY_NAME: Security Accounts Manager
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 732
FLAGS : SERVICE_RUNS_IN_SYSTEM_PROCESS
DESCRIPTION : Stores security information for local user accounts.

TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\lsass.exe
LOAD_ORDER_GROUP : LocalValidation
TAG : 0
DISPLAY_NAME : Security Accounts Manager
DEPENDENCIES : RPCSS
SERVICE_START_NAME : LocalSystem

SERVICE_NAME: Schedule
DISPLAY_NAME: Task Scheduler
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 1060
FLAGS :
DESCRIPTION : Enables a user to configure and schedule automated tasks on this computer. If this service is stopped, these tasks will not be run at their scheduled times. If this service is disabled, any services that explicitly depend on it will fail to start.

TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : SchedulerGroup
TAG : 0
DISPLAY_NAME : Task Scheduler
DEPENDENCIES : RpcSs
SERVICE_START_NAME : LocalSystem

SERVICE_NAME: seclogon
DISPLAY_NAME: Secondary Logon
TYPE : 120 WIN32_SHARE_PROCESS (interactive)
STATE : 4 RUNNING
(STOPPABLE, PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 1060
FLAGS :
DESCRIPTION : Enables starting processes under alternate credentials. If this service is stopped, this type of logon access will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

TYPE : 120 WIN32_SHARE_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Secondary Logon
SERVICE_START_NAME : LocalSystem

SERVICE_NAME: SENS
DISPLAY_NAME: System Event Notification
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 1060
FLAGS :
DESCRIPTION : Tracks system events such as Windows logon, network, and power events. Notifies COM+ Event System subscribers of these events.

TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : Network
TAG : 0
DISPLAY_NAME : System Event Notification
DEPENDENCIES : EventSystem
SERVICE_START_NAME : LocalSystem

SERVICE_NAME: SharedAccess
DISPLAY_NAME: Windows Firewall/Internet Connection Sharing (ICS)
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 1060
FLAGS :
DESCRIPTION : Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network.

TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Windows Firewall/Internet Connection Sharing (ICS)
DEPENDENCIES : Netman
: WinMgmt
SERVICE_START_NAME : LocalSystem

SERVICE_NAME: ShellHWDetection
DISPLAY_NAME: Shell Hardware Detection
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 1060
FLAGS :
DESCRIPTION : Provides notifications for AutoPlay hardware events.

TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : ShellSvcGroup
TAG : 0
DISPLAY_NAME : Shell Hardware Detection
DEPENDENCIES : RpcSs
SERVICE_START_NAME : LocalSystem

SERVICE_NAME: spooler
DISPLAY_NAME: Print Spooler
TYPE : 110 WIN32_OWN_PROCESS (interactive)
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 1824
FLAGS :
DESCRIPTION : Loads files to memory for later printing.

TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\spoolsv.exe
LOAD_ORDER_GROUP : SpoolerGroup
TAG : 0
DISPLAY_NAME : Print Spooler
DEPENDENCIES : RPCSS
SERVICE_START_NAME : LocalSystem

SERVICE_NAME: srservice
DISPLAY_NAME: System Restore Service
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 1060
FLAGS :
DESCRIPTION : Performs system restore functions. To stop service, turn off System Restore from the System Restore tab in My Computer->Properties

TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : System Restore Service
DEPENDENCIES : RpcSs
SERVICE_START_NAME : LocalSystem

SERVICE_NAME: SSDPSRV
DISPLAY_NAME: SSDP Discovery Service
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 1276
FLAGS :
DESCRIPTION : Enables discovery of UPnP devices on your home network.

TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k LocalService
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : SSDP Discovery Service
DEPENDENCIES : HTTP
SERVICE_START_NAME : NT AUTHORITY\LocalService

SERVICE_NAME: stisvc
DISPLAY_NAME: Windows Image Acquisition (WIA)
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 2032
FLAGS :
DESCRIPTION : Provides image acquisition services for scanners and cameras.

TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k imgsvc
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Windows Image Acquisition (WIA)
DEPENDENCIES : RpcSs
SERVICE_START_NAME : LocalSystem

SERVICE_NAME: TapiSrv
DISPLAY_NAME: Telephony
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 1060
FLAGS :
DESCRIPTION : Provides Telephony API (TAPI) support for programs that control telephony devices and IP based voice connections on the local computer and, through the LAN, on servers that are also running the service.

TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Telephony
DEPENDENCIES : PlugPlay
: RpcSs
SERVICE_START_NAME : LocalSystem

SERVICE_NAME: TermService
DISPLAY_NAME: Terminal Services
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 916
FLAGS :
DESCRIPTION : Allows multiple users to be connected interactively to a machine as well as the display of desktops and applications to remote computers. The underpinning of Remote Desktop (including RD for Administrators), Fast User Switching, Remote Assistance, and Terminal Server.

TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost -k DComLaunch
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Terminal Services
DEPENDENCIES : RPCSS
SERVICE_START_NAME : LocalSystem

SERVICE_NAME: Themes
DISPLAY_NAME: Themes
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 1060
FLAGS :
DESCRIPTION : Provides user experience theme management.

TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : UIGroup
TAG : 0
DISPLAY_NAME : Themes
SERVICE_START_NAME : LocalSystem

SERVICE_NAME: TrkWks
DISPLAY_NAME: Distributed Link Tracking Client
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 1060
FLAGS :
DESCRIPTION : Maintains links between NTFS files within a computer or across computers in a network domain.

TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Distributed Link Tracking Client
DEPENDENCIES : RpcSs
SERVICE_START_NAME : LocalSystem

SERVICE_NAME: UMWdf
DISPLAY_NAME: Windows User Mode Driver Framework
TYPE : 10 WIN32_OWN_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 120
FLAGS :
DESCRIPTION : Enables Windows user mode drivers.

TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\wdfmgr.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Windows User Mode Driver Framework
DEPENDENCIES : RpcSs
SERVICE_START_NAME : NT AUTHORITY\LocalService

SERVICE_NAME: usnjsvc
DISPLAY_NAME: Messenger Sharing Folders USN Journal Reader service
TYPE : 10 WIN32_OWN_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 3796
FLAGS :
DESCRIPTION : Service installed by Messenger to enable sharing scenarios

TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "C:\Program Files\Windows Live\Messenger\usnsvc.exe"
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Messenger Sharing Folders USN Journal Reader service
DEPENDENCIES : rpcss
: eventlog
SERVICE_START_NAME : LocalSystem

SERVICE_NAME: WebClient
DISPLAY_NAME: WebClient
TYPE : 10 WIN32_OWN_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 1876
FLAGS :
DESCRIPTION : Enables Windows-based programs to create, access, and modify Internet-based files. If this service is stopped, these functions will not be available. If this service is disabled, any services that explicitly depend on it will fail to start.

TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k LocalService
LOAD_ORDER_GROUP : NetworkProvider
TAG : 0
DISPLAY_NAME : WebClient
DEPENDENCIES : MRxDAV
SERVICE_START_NAME : NT AUTHORITY\LocalService

SERVICE_NAME: winmgmt
DISPLAY_NAME: Windows Management Instrumentation
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 1060
FLAGS :
DESCRIPTION : Provides a common interface and object model to access management information about operating system, devices, applications and services. If this service is stopped, most Windows-based software will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.

TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Windows Management Instrumentation
DEPENDENCIES : RPCSS
SERVICE_START_NAME : LocalSystem

SERVICE_NAME: wscsvc
DISPLAY_NAME: Security Center
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 1060
FLAGS :
DESCRIPTION : Monitors system security settings and configurations.

TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Security Center
DEPENDENCIES : RpcSs
: winmgmt
SERVICE_START_NAME : LocalSystem

SERVICE_NAME: wuauserv
DISPLAY_NAME: Automatic Updates
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 1060
FLAGS :
DESCRIPTION : Enables the download and installation of Windows updates. If this service is disabled, this computer will not be able to use the Automatic Updates feature or the Windows Update Web site.

TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Automatic Updates
SERVICE_START_NAME : LocalSystem

SERVICE_NAME: WudfSvc
DISPLAY_NAME: Windows Driver Foundation - User-mode Driver Framework
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 1100
FLAGS :
DESCRIPTION : Manages user-mode driver host processes

TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
LOAD_ORDER_GROUP : PlugPlay
TAG : 0
DISPLAY_NAME : Windows Driver Foundation - User-mode Driver Framework
DEPENDENCIES : PlugPlay
SERVICE_START_NAME : LocalSystem

SERVICE_NAME: WZCSVC
DISPLAY_NAME: Wireless Zero Configuration
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PID : 1060
FLAGS :
DESCRIPTION : Provides automatic configuration for the 802.11 adapters

TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : TDI
TAG : 1
DISPLAY_NAME : Wireless Zero Configuration
DEPENDENCIES : RpcSs
: Ndisuio
SERVICE_START_NAME : LocalSystem
Back to Top
 

Jintan
Senior Member




Date Joined Dec 2006
Total Posts : 1428
 
   Posted 8/9/2009 2:35 PM (GMT +3)    Quote: Severe Download Trojan - Help :(Alert an admin about: Severe Download Trojan - Help :(
Good, those service paths and descriptions are all correct now, and the Eset scan only located infection that had stored itself in the System Restore, which we will be clearing out shortly. Before we consider some last steps to finish our work here post back how things are running please. Any problems we still need to address?


Click here and help my friend help stop leukemia, lymphoma, Hodgkin lymphoma and myeloma from taking more lives.

Back to Top
 

LordBTY
New Member


Date Joined Jun 2009
Total Posts : 35
 
   Posted 8/9/2009 7:04 PM (GMT +3)    Quote: Severe Download Trojan - Help :(Alert an admin about: Severe Download Trojan - Help :(
From what I can tell, no.

The PC is running fine, though I'm concerned about the laptops health.

Because I had seen the windows update icon appear in the lower-right hand corner without my consent before I used the flash drive thing that made the autorun file. This is what happened with the PC when it was full infected.

Also, on startup, I'm given the option to run Microsoft Recovery Console or standard windows XP... does this mean something's wrong and should I be worried about it?

Also, I have an external hard drive with many important files on it, I unplugged it when I caught onto the severity of the virus infestation... what do you recommend for my files safety?

That's all of the problem at the moment

Thank you so much :)
Back to Top
 

Jintan
Senior Member




Date Joined Dec 2006
Total Posts : 1428
 
   Posted 8/9/2009 10:05 PM (GMT +3)    Quote: Severe Download Trojan - Help :(Alert an admin about: Severe Download Trojan - Help :(
When you ran ComboFix it provided the means of installing the Recovery Console there. This is handy to have in case some future problem requires you access the system that way. The option is then added to your boot.ini file, and this is what you see when the computer first starts. As long as it defaults to the normal Windows bootup you should be fine.

I am not sure about the other two issues. To check the external drive it will need to be installed to a system. But at least we have seen no indications of file infectors, like Virut, so should there be other types of malware on the external drive that become active we can address those.

For now connect the external drive to this computer we have been working on. Then on both this computer and the latop, run the following scan and post back those logs (be sure to mention which one if from the laptop):

To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware softwares while these steps are being completed. This can usually be done through right clicking the software's Taskbar icons, or accessing each software through Start - Programs.


Then Go here and run the Kaspersky online scan, and post back the log it creates.

To use the scan, accept the agreement and make sure you allow the ActiveX object to download and install (check the "yellow bar" at the top if needed to allow this). Once the Database download is completed, under Scan in the left column click My Computer to start the scan. This may take a very long time, so allow the scan to run and perhaps find something else to do.

When the scan completes click View Scan Report. Then click Save Report As, and using the dropdown box save the report as "Files of Type: -> Text file (.txt)" to a location where you can find it again. Use any name you wish for the log.

Then locate that log and copy/paste those contents back here please.

The scan requires a good bit of database downloading and can take quite a while to complete.


Click here and help my friend help stop leukemia, lymphoma, Hodgkin lymphoma and myeloma from taking more lives.

Back to Top
 

LordBTY
New Member


Date Joined Jun 2009
Total Posts : 35
 
   Posted 8/9/2009 11:50 PM (GMT +3)    Quote: Severe Download Trojan - Help :(Alert an admin about: Severe Download Trojan - Help :(
It doesn't seem to want to work

It was updating at first, then I got a message saying the download timed out (probably because someone had used the laptop to access the wireless network which slowed the net right down.)

Now, whenever I open it and run the update

"ERROR: Key is expired"

I restarted, but it doesn't seem to work... what should I do?
Back to Top
 

Jintan
Senior Member




Date Joined Dec 2006
Total Posts : 1428
 
   Posted 8/10/2009 3:19 AM (GMT +3)    Quote: Severe Download Trojan - Help :(Alert an admin about: Severe Download Trojan - Help :(
Check in Add/Remove Programs and see if the uninstaller for Kaspersky was created. If so, go ahead and uninstall it and try the scan again. If no uninstall option there do the following instead.


Also, make sure you can View Hidden Files. Also uncheck "Hide Extensions for Known File Types"

Then right click My Computer, left click Explore, and use the plus + symbols to navigate to the following folder:

C:\Windows\Downloaded Program Files

Check those items, and if any indicate being Kaspersky right click - Remove that.


Click here and help my friend help stop leukemia, lymphoma, Hodgkin lymphoma and myeloma from taking more lives.

Back to Top
 
New Topic Post reply to : Severe Download Trojan - Help :( Printable version of : Severe Download Trojan - Help :(
67 posts in this thread.
Viewing Page :
 1  2  3 
 
Forum Information
Currently it is Wednesday, October 22, 2014 9:31 AM (GMT +3)
There are a total of 60,674 posts in 13,333 threads.
In the last 3 days there were 4 new threads and 8 reply posts. View Active Threads
Who's Online
This forum has 36546 registered members. Please welcome our newest member, zrorlkdi.
4 Guest(s), 0 Registered Member(s) are currently online.  Details
5 Latest Threads
Errors, warnings, infections, trojans and junk (8)10/22/2014 5:22:19 AM (Touch)
Cheap kitchen Appliances Online UK (0)10/22/2014 4:38:14 AM (zrorlkdi)
Cheap kitchen Appliances Reviews (0)10/22/2014 2:51:34 AM (ceagceog1)
I very satisfy of this product and I decide to buy it (0)10/21/2014 12:33:09 AM (jaksum)