Siko (Premium; joined 2006-11-27; Mechanicsburg, PA)

Always get redirected after clicking link in google

Every other time I click on a link in Google I get redirected to 67.29.139.220, which gives me advertising. I click back and reclick on the link and it works. Here is my HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:01:50 AM, on 4/6/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Xfire\xfire.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
N:\installNY.exe
C:\Users\MURLIN~1\AppData\Local\Temp\is-7R5Q8.tmp\is-L77DO.tmp
C:\Program Files\Grisoft\AVG7\avgw.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = »go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = »go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - H:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {2E4A92AB-F2C0-456A-9935-B715439790D7} (Setup Class) - »www.opinionsquare.com/Config/CSetup.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - »download.divx.com/player/DivXBro···ugin.cab
O16 - DPF: {A977FF0C-8757-4E76-8533-482F91946233} (Neowiz Login Control) - »gpdl.pmang.com/sayclub/sayctl/sayax.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{816238D4-1ADE-4801-AF6C-1CB6A0BDC37F}: NameServer = 4.2.2.1,4.2.2.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{816238D4-1ADE-4801-AF6C-1CB6A0BDC37F}: NameServer = 4.2.2.1,4.2.2.2
O20 - AppInit_DLLs:
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - H:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Acronis OS Selector Reinstall Service (AcronisOSSReinstallSvc) - Unknown owner - C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall_svc.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\Windows\system32\oodag.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe

--
End of file - 6783 bytes

I googled it and they said it is a wareout infection, but they also said there is no wareout for Vista...
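As an added example (not part of the thread and not a HijackThis feature): a small Python triage script that reads an HJT 2.0 log like the one above and pulls out the entries a helper checks first on a search-redirect complaint: O17 NameServer values outside a list of known-good resolvers (a replaced DNS server is the classic wareout pattern), hosts-file entries other than the localhost defaults, and processes running out of temp folders. The known-good resolver list is an assumption for the demo. The sample log is a handful of lines copied from the post plus two constructed entries using TEST-NET addresses (192.0.2.x) so the script has something to flag; on the posted lines alone it flags nothing but the installer .tmp running from the user's Temp folder, since 4.2.2.1/4.2.2.2 are Level 3's public resolvers and the O1 line is the IPv6 localhost default.

```python
import re

# Resolvers a helper would accept as legitimate (assumption for this demo;
# 4.2.2.1/4.2.2.2 are the Level 3 public resolvers seen in the poster's log).
KNOWN_GOOD_RESOLVERS = {"4.2.2.1", "4.2.2.2", "8.8.8.8", "8.8.4.4"}

# The only hosts-file lines a clean Vista install shows in an HJT log.
BENIGN_HOSTS = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# Process paths worth a second look: per-user temp folders and installer .tmp stubs.
SUSPECT_PATH_RE = re.compile(
    r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\|\.tmp$", re.IGNORECASE)


def nameservers(line):
    """Return the IP list from an O17 'NameServer = a,b' entry ([] if none)."""
    m = re.search(r"NameServer\s*=\s*(.*)$", line)
    if not m:
        return []
    return [ip for ip in re.split(r"[,\s]+", m.group(1)) if ip]


def hosts_entry(line):
    """Return (address, hostname) from an O1 entry, or None."""
    m = re.match(r"O1 - Hosts:\s*(\S+)\s+(\S+)", line)
    return (m.group(1), m.group(2)) if m else None


def triage(log_text):
    """Walk an HJT 2.0 log and collect the entries relevant to a redirect complaint."""
    findings = {"rogue_dns": [], "hosts": [], "temp_processes": []}
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:                      # a blank line ends the process list
                in_processes = False
            elif SUSPECT_PATH_RE.search(line):
                findings["temp_processes"].append(line)
            continue
        if line.startswith("O17 "):
            findings["rogue_dns"].extend(
                ip for ip in nameservers(line) if ip not in KNOWN_GOOD_RESOLVERS)
        elif line.startswith("O1 "):
            entry = hosts_entry(line)
            if entry and entry not in BENIGN_HOSTS:
                findings["hosts"].append(entry)
    return findings


# Lines copied from the poster's log (raw string: the paths contain backslashes).
POSTED_LINES = r"""
Running processes:
C:\Windows\system32\Dwm.exe
C:\Program Files\uTorrent\uTorrent.exe
N:\installNY.exe
C:\Users\MURLIN~1\AppData\Local\Temp\is-7R5Q8.tmp\is-L77DO.tmp
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = google.com/
O1 - Hosts: ::1 localhost
O17 - HKLM\System\CCS\Services\Tcpip\..\{816238D4-1ADE-4801-AF6C-1CB6A0BDC37F}: NameServer = 4.2.2.1,4.2.2.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{816238D4-1ADE-4801-AF6C-1CB6A0BDC37F}: NameServer = 4.2.2.1,4.2.2.2
"""

# Constructed entries (TEST-NET addresses, not from the thread) so there is something to flag.
CONSTRUCTED_LINES = r"""
O1 - Hosts: 192.0.2.10 www.google.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.0.2.53,4.2.2.2
"""

SAMPLE_LOG = POSTED_LINES + CONSTRUCTED_LINES

if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_LOG).items():
        print(kind, hits)
```

The script only reads the log; deciding what to do with a hit is still the helper's job. A flagged O17 entry means the machine's DNS settings were changed, so every lookup (Google included) is answered by whoever controls that resolver, which is exactly how a search-result redirect is produced without touching the browser.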


bcastner (Premium, VIP, MVM; joined 2002-09-25; Chevy Chase, MD)

First Steps

:!: The following instructions are only for this Forum member. Please do not use these instructions on another computer system. You can seriously damage your system by following the instructions below without guided assistance. You assuredly will make a cleanup of your system more difficult.

Please download ATF Cleaner

http://www.atribune.org/ccount/click.php?id=1

It does not require any installation. It is set up to clean Windows 2k, XP & Vista TEMP folders, as well as IE, Firefox and Opera Temporary Internet Files and Cookies.
• Double-click ATF-Cleaner.exe to run the program.
For all browsers:
• Under Main choose: Select All
• Click the Empty Selected button.
Next, if you use Firefox (and some Mozilla-based browsers)
• Click Firefox at the top and choose: Select All
• Click the Empty Selected button.
Next, if you use the Opera browser
• Click Opera at the top and choose: Select All
• Click the Empty Selected button.

:!: Click Exit on the Main menu to close the program.

Reconfigure Windows Vista to show hidden files:
To enable the viewing of Hidden files follow these steps:
•Close all programs so that you are at your desktop.
•Open the Control Panel menu and click Folder Options.
•After the new window appears select the View tab.
•Put a checkmark in the checkbox labeled Display the contents of system folders.
•Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
•Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
•Remove the checkmark from the checkbox labeled Hide protected operating system files.
•Press the Apply button and then the OK button and exit My Computer.
•Now your computer is configured to show all hidden files.

Malware Removal Steps

1. Please download to your Desktop OT_MOVEIT:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe

Please double-click OTMoveIt2.exe to run the utility.

Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

C:\Users\MURLIN~1\AppData\Local\Temp\is-7R5Q8.tmp\is-L77DO.tmp
C:\Users\MURLIN~1\AppData\Local\Temp\is-7R5Q8.tmp\

Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window.
IMPORTANT -- Paste only into the bottom input panel (under the Yellow bar), The top panel will not help you.
Right-click and choose Paste.

Click the red Moveit button.
This will not be quick. I am asking it to scan your entire Drive C twice.
When it has finished, use your mouse and do a Copy/Paste of the large right-hand panel that shows Results.
Save your Clipboard contents in a new Notepad file, as we will want to review these results later.
Close OTMoveIt2 when it has finished.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

2. Download and Run -- ComboFix©
Download this file -- to your Desktop -- from any of these sources:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

• Disconnect from the Internet.
• Disable your Antivirus software -- this includes any Script Blocking Feature it may have.

Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
• A window will open with a warning. Accept any disclaimers to start the fix. When the scan completes, Notepad will open with your results log. Do a File, Exit and answer 'Yes' to save changes.
A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

3. Please download MalwareBytes Anti-malware (MBAM) from one of the following links:
http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html
http://www.besttechie.net/tools/mbam-setup.exe

Once downloaded, close all programs and Windows on your computer (including this one.)

Double-click on the icon on your desktop named Download_mbam-setup.exe. This will start the installation of MBAM onto your computer.

When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware checked. Then click on the Finish button.

MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program.

On the Scanner tab, make sure the Perform quick scan option is selected and then click on the Scan button to start scanning your computer.

MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan.

When the scan is finished a message box will appear that it has completed scanning successfully. Click OK. Now click Show Results. Make sure all entries have a checkmark at their far left. You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the programs quarantine.

When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window. Remember where you saved the log file, as we will want to see it later.

4. Run HijackThis again, and save the log file.

Submit to the Forum:
• The contents of C:\Combofix.txt;
• The MBAM log;
• The new HijackThis log.

--
============
MS-MVP 2004-2008, ASAP Member
Users Helping Users



Siko (Premium; joined 2006-11-27; Mechanicsburg, PA)


Sorry for all the spaces stretching this page so wide. I just directly copied it from the log to here. By the way, after doing this I'm still getting redirected.

ComboFix log

ComboFix 08-04-06.1 - Murlin Wei 2008-04-06 19:34:17.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1277 [GMT -4:00]
Running from: C:\Users\Murlin Wei\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\system32\x64

.
((((((((((((((((((((((((( Files Created from 2008-03-06 to 2008-04-06 )))))))))))))))))))))))))))))))
.

2008-04-06 19:31 . 2008-04-06 19:31 d-------- C:\_OTMoveIt
2008-04-06 19:10 . 2008-04-06 19:10 d-------- C:\Program Files\Azureus
2008-04-06 10:00 . 2008-04-06 19:32 d-------- C:\Users\Murlin Wei\AppData\Roaming\Azureus
2008-04-06 10:00 . 2008-04-06 10:00 d-------- C:\Users\All Users\Azureus
2008-04-06 10:00 . 2008-04-06 10:00 d-------- C:\ProgramData\Azureus
2008-04-06 09:38 . 2008-04-06 09:38 d-------- C:\fixwareout
2008-04-06 08:03 . 2008-04-06 08:05 178 --a------ C:\megaScenery.ini
2008-04-05 19:34 . 2008-04-06 08:06 d-------- C:\Users\Murlin Wei\AppData\Roaming\AVG7
2008-04-05 19:33 . 2008-04-05 19:33 9,216 --a------ C:\Windows\System32\avgwlntf.dll
2008-04-05 14:50 . 2008-04-05 19:35 d-------- C:\Program Files\COMODO
2008-04-05 14:45 . 2008-04-06 08:06 d-------- C:\Users\All Users\Avg7
2008-04-05 14:45 . 2008-04-06 08:06 d-------- C:\ProgramData\Avg7
2008-04-05 09:07 . 2007-02-22 22:19 172,032 --a------ C:\Windows\System32\igfxres.dll
2008-04-05 09:03 . 2008-04-05 09:03 d-------- C:\Intel
2008-04-05 09:03 . 2006-12-13 03:17 3,276,800 --a------ C:\Windows\System32\igfxress.dll
2008-04-05 09:03 . 2006-12-13 03:16 212,992 --a------ C:\Windows\System32\igfxdev.dll
2008-04-05 09:03 . 2007-02-22 23:44 204,800 --a------ C:\Windows\System32\igfxCoIn_v1214.dll
2008-04-05 09:03 . 2006-12-13 03:16 196,608 --a------ C:\Windows\System32\igfxsrvc.exe
2008-04-05 09:03 . 2006-12-13 03:16 155,648 --a------ C:\Windows\System32\igfxpph.dll
2008-04-04 21:01 . 2008-04-04 21:01 d-------- C:\Users\Murlin Wei\AppData\Roaming\Apple Computer
2008-04-04 21:01 . 2008-04-04 21:01 d-------- C:\Users\All Users\Apple Computer
2008-04-04 21:01 . 2008-04-04 21:01 d-------- C:\ProgramData\Apple Computer
2008-04-04 21:01 . 2008-04-04 21:01 d-------- C:\Program Files\QuickTime
2008-04-04 21:01 . 2008-04-04 21:01 d-------- C:\Program Files\iPod
2008-04-04 21:01 . 2008-04-06 15:58 54,156 --ah----- C:\Windows\QTFont.qfn
2008-04-04 21:01 . 2008-04-04 21:01 1,409 --a------ C:\Windows\QTFont.for
2008-04-04 21:00 . 2008-04-04 21:00 d-------- C:\Users\All Users\Apple
2008-04-04 21:00 . 2008-04-04 21:00 d-------- C:\ProgramData\Apple
2008-04-04 21:00 . 2008-04-04 21:00 d-------- C:\Program Files\Common Files\Apple
2008-04-04 21:00 . 2008-04-04 21:00 d-------- C:\Program Files\Apple Software Update
2008-04-04 20:39 . 2008-04-04 20:39 d-------- C:\Program Files\Real
2008-04-04 20:39 . 2008-04-04 20:39 d-------- C:\Program Files\Common Files\xing shared
2008-04-04 20:39 . 2008-04-04 20:39 d-------- C:\Program Files\Common Files\Real
2008-04-04 15:31 . 2008-04-04 15:31 d-------- C:\Users\Murlin Wei\AppData\Roaming\Microsoft Game Studios
2008-03-31 17:00 . 2008-03-31 17:00 d-------- C:\Users\Murlin Wei\AppData\Roaming\InstallShield
2008-03-29 17:45 . 2008-03-29 17:45 d-------- C:\Program Files\Ken Salter
2008-03-29 16:23 . 2008-03-29 16:23 d-------- C:\Users\Murlin Wei\AppData\Roaming\Ethereal
2008-03-29 16:21 . 2008-03-29 16:21 d-------- C:\Temp
2008-03-29 16:21 . 2008-03-29 16:21 d-------- C:\Program Files\Ethereal
2008-03-29 16:21 . 2008-03-29 16:21 d-------- C:\Program Files\AirSnare
2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\Windows\System32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\Windows\System32\QuickTime.qts
2008-03-27 18:33 . 2008-03-27 18:33 1,024 --a------ C:\Windows\utraffic1.lic
2008-03-26 16:50 . 2008-03-26 16:50 1,107 --a------ C:\Windows\mozver.dat
2008-03-25 18:20 . 2008-03-25 18:20 d-------- C:\Windows\System32\Adobe
2008-03-24 21:04 . 2008-03-24 21:04 d-------- C:\Program Files\7-Zip
2008-03-23 20:33 . 2008-03-23 20:33 2,048 --a------ C:\Windows\atr72-500.lic
2008-03-23 18:44 . 2008-03-23 18:44 d-------- C:\Program Files\Dragonfly
2008-03-23 07:47 . 2008-03-23 07:52 d-------- C:\Windows\Lhsp
2008-03-22 21:21 . 2008-03-22 21:22 d-------- C:\Program Files\FSFDT
2008-03-22 16:27 . 2008-03-22 16:27 d-------- C:\Program Files\XviD
2008-03-22 16:26 . 2008-03-25 16:58 d-------- C:\Program Files\Common Files\GC Install
2008-03-22 14:57 . 2008-04-06 18:09 d-------- C:\Users\Murlin Wei\AppData\Roaming\SiteAdvisor
2008-03-22 14:57 . 2008-03-22 14:57 d-------- C:\Users\All Users\SiteAdvisor
2008-03-22 14:57 . 2008-03-22 14:57 d-------- C:\Users\All Users\McAfee
2008-03-22 14:57 . 2008-03-22 14:57 d-------- C:\ProgramData\SiteAdvisor
2008-03-22 14:57 . 2008-03-22 14:57 d-------- C:\ProgramData\McAfee
2008-03-22 14:20 . 2008-03-22 14:20 d-------- C:\Users\All Users\Adobe
2008-03-22 13:56 . 2008-03-22 13:56 d-------- C:\Program Files\GARMIN
2008-03-22 13:55 . 1997-11-19 15:49 303,616 --a------ C:\Windows\IsUninst.exe
2008-03-22 13:54 . 2008-03-22 13:54 2,048 --a------ C:\Windows\dfa36.lic
2008-03-22 07:49 . 2008-03-22 07:51 3,675 --a------ C:\Windows\aitt.ini
2008-03-21 16:29 . 2008-03-21 16:37 d-------- C:\Users\All Users\Lavasoft
2008-03-21 16:29 . 2008-03-21 16:37 d-------- C:\ProgramData\Lavasoft
2008-03-21 15:51 . 2008-03-21 15:51 d-------- C:\Users\Murlin Wei\AppData\Roaming\Grisoft
2008-03-21 15:51 . 2007-05-30 08:10 10,872 --a------ C:\Windows\System32\drivers\AvgAsCln.sys
2008-03-21 09:49 . 2008-04-05 08:59 d-------- C:\Program Files\Realtek
2008-03-21 09:49 . 2006-09-12 00:34 499,712 --a------ C:\Windows\RtlExUpd.dll
2008-03-20 15:40 . 2008-03-20 15:40 d-------- C:\Users\Murlin Wei\{aa0d5936-10b8-4d4e-b491-2ffd51f2ccbe}
2008-03-20 15:15 . 2008-03-20 15:15 dr-h----- C:\MSOCache
2008-03-19 20:56 . 2008-01-19 03:35 9,847,296 --a------ C:\Windows\System32\NlsData000a.dll
2008-03-19 20:55 . 2008-01-19 02:06 8,147,456 --a------ C:\Windows\System32\wmploc.DLL
2008-03-18 20:32 . 2008-03-18 20:32 d-------- C:\Windows\System32\VC
2008-03-18 20:32 . 2008-03-18 20:32 d-------- C:\Windows\System32\MinGW
2008-03-18 20:32 . 2008-03-18 20:32 d-------- C:\Windows\System32\Builder5
2008-03-18 20:22 . 2008-03-18 20:26 155,648 --a------ C:\Windows\System32\libssl32.dll
2008-03-18 18:32 . 2008-03-18 18:32 286,720 --a------ C:\Windows\iun506.exe
2008-03-17 15:34 . 2008-03-17 15:34 d-------- C:\Users\Murlin Wei\AppData\Roaming\eMule
2008-03-17 15:34 . 2008-04-04 18:16 d-------- C:\Users\All Users\eMule
2008-03-17 15:34 . 2008-04-04 18:16 d-------- C:\ProgramData\eMule
2008-03-16 14:12 . 2008-03-16 14:12 4 --a------ C:\Windows\startup_BBCP.ini
2008-03-16 14:03 . 2008-03-16 14:03 d-------- C:\Users\All Users\Ubisoft
2008-03-16 14:03 . 2008-03-16 14:03 d-------- C:\ProgramData\Ubisoft
2008-03-16 14:03 . 2008-03-16 14:03 d-------- C:\Program Files\Microsoft Speech SDK 5.1
2008-03-16 14:03 . 2008-03-16 14:03 d-------- C:\Program Files\IL2 Sturmovik
2008-03-16 14:03 . 2008-03-16 14:03 d-------- C:\Program Files\IL-2 Sturmovik Forgotten Battles
2008-03-16 14:03 . 2004-03-29 17:23 90,112 --a------ C:\Windows\unvise32.exe
2008-03-16 10:43 . 2008-03-29 16:21 d-------- C:\Program Files\WinPcap
2008-03-15 07:21 . 2008-03-15 07:21 176,937 --a------ C:\Windows\Sky Environment Ultra FS9 Uninstaller.exe
2008-03-13 19:06 . 2008-03-13 19:06 41,296 --a------ C:\Windows\System32\xfcodec.dll
2008-03-13 16:36 . 2008-03-13 16:36 d-------- C:\Program Files\Bevelstone Production
2008-03-13 16:16 . 2008-03-15 18:22 d-------- C:\Program Files\Common Files\InstallShield
2008-03-13 15:11 . 2008-03-13 15:11 d-------- C:\Program Files\Common Files\Macrovision Shared
2008-03-13 15:10 . 2008-03-22 14:20 d-------- C:\Program Files\Common Files\Adobe
2008-03-13 15:09 . 2008-03-13 15:09 d-------- C:\Program Files\Microsoft Silverlight
2008-03-12 20:41 . 2008-03-12 20:41 0 --ah----- C:\Windows\System32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-03-12 16:48 . 2008-03-12 16:48 d-------- C:\Program Files\DocPad
2008-03-12 16:48 . 2008-03-12 16:48 d-------- C:\Program Files\Common Files\System-G
2008-03-10 15:22 . 2008-03-29 09:15 56 --a------ C:\Windows\fs9configurator.ini
2008-03-09 18:11 . 2008-03-09 18:11 d-------- C:\Program Files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-06 23:11 --------- d-----w C:\Users\Murlin Wei\AppData\Roaming\uTorrent
2008-04-06 17:17 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-04-06 13:54 --------- d---a-w C:\ProgramData\TEMP
2008-04-06 13:54 --------- d-----w C:\Program Files\SpywareBlaster
2008-04-05 23:33 --------- d-----w C:\ProgramData\Grisoft
2008-04-05 16:42 --------- d-----w C:\Users\Murlin Wei\AppData\Roaming\Xfire
2008-04-05 12:59 319,984 ----a-w C:\Windows\DIFxAPI.dll
2008-04-03 22:26 --------- d-----w C:\ProgramData\Xfire
2008-04-01 20:27 737,280 ----a-w C:\Windows\iun6002.exe
2008-03-31 21:00 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-30 22:54 --------- d-----w C:\Program Files\IEPro
2008-03-29 17:25 --------- d-----w C:\Users\Murlin Wei\AppData\Roaming\Winamp
2008-03-23 19:04 1,392,304 ----a-w C:\Windows\System32\AutoPartNt.exe
2008-03-23 19:01 114,048 ----a-w C:\Windows\system32\drivers\snapman.sys
2008-03-23 19:01 --------- d-----w C:\Program Files\Common Files\Acronis
2008-03-23 19:01 --------- d-----w C:\Program Files\Acronis
2008-03-22 18:48 --------- d-----w C:\Program Files\Java
2008-03-22 16:54 --------- d-----w C:\Program Files\FS Real Time
2008-03-21 20:33 12,632 ----a-w C:\Windows\System32\lsdelete.exe
2008-03-21 20:29 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-20 01:20 174 --sha-w C:\Program Files\desktop.ini
2008-03-20 01:15 --------- d-----w C:\Program Files\Windows Sidebar
2008-03-20 01:15 --------- d-----w C:\Program Files\Windows Photo Gallery
2008-03-20 01:15 --------- d-----w C:\Program Files\Windows Mail
2008-03-20 01:15 --------- d-----w C:\Program Files\Windows Defender
2008-03-20 01:15 --------- d-----w C:\Program Files\Windows Calendar
2008-03-20 01:05 82,432 ----a-w C:\Windows\System32\axaltocm.dll
2008-03-20 01:05 101,888 ----a-w C:\Windows\System32\ifxcardm.dll
2008-03-20 00:17 --------- d-----w C:\Program Files\Microsoft Games
2008-03-18 19:09 --------- d-----w C:\Program Files\Xfire
2008-03-09 01:03 169,109 ----a-w C:\Windows\system32\drivers\scskusbs.sys
2008-03-09 01:03 11,385 ----a-w C:\Windows\system32\drivers\scskusbf.sys
2008-03-05 21:03 479,752 ----a-w C:\Windows\System32\XAudio2_0.dll
2008-03-05 21:03 238,088 ----a-w C:\Windows\System32\xactengine3_0.dll
2008-03-05 21:00 25,608 ----a-w C:\Windows\System32\X3DAudio1_3.dll
2008-03-05 20:56 3,786,760 ----a-w C:\Windows\System32\D3DX9_37.dll
2008-03-05 20:56 1,420,824 ----a-w C:\Windows\System32\D3DCompiler_37.dll
2008-03-03 00:21 --------- d-----w C:\Program Files\OO Software
2008-03-02 19:51 --------- d-----w C:\Program Files\SwiftSwitch
2008-03-02 19:32 --------- d-----w C:\ProgramData\SwiftSwitch
2008-03-02 16:09 --------- d-----w C:\Users\Murlin Wei\AppData\Roaming\Ventrilo
2008-03-02 12:12 --------- d-----w C:\Program Files\FSFlyingSchool
2008-03-02 02:32 --------- d-----w C:\Users\Murlin Wei\AppData\Roaming\HiFi
2008-03-01 19:37 --------- d-----w C:\Program Files\FOC 2003
2008-02-29 20:20 --------- d-----w C:\Program Files\Runtime Software
2008-02-29 00:23 --------- d-----w C:\Program Files\Recuva
2008-02-28 21:55 --------- d-----w C:\Users\Murlin Wei\AppData\Roaming\SUPERAntiSpyware.com
2008-02-28 21:55 --------- d-----w C:\ProgramData\SUPERAntiSpyware.com
2008-02-28 15:45 230,152 ----a-w C:\Windows\System32\PDBoot.exe
2008-02-27 00:10 --------- d-----w C:\Program Files\RegSeeker
2008-02-26 23:34 --------- d-----w C:\Program Files\Shockwave 3D Lights Redux for FS9
2008-02-24 12:35 --------- d-----w C:\Program Files\DivX
2008-02-21 02:45 --------- d-----w C:\Program Files\SquawkBox3
2008-02-21 02:05 200,704 ----a-w C:\Windows\System32\ssldivx.dll
2008-02-21 02:05 1,044,480 ----a-w C:\Windows\System32\libdivx.dll
2008-02-19 08:24 7,808 ----a-w C:\Windows\system32\drivers\psi_mf.sys
2008-02-19 01:58 316,768 ----a-w C:\Windows\System32\sayax.dll
2008-02-19 00:50 --------- d-----w C:\Program Files\Microsoft Works
2008-02-18 15:14 --------- d-----w C:\Program Files\MSXML 4.0
2008-02-18 11:57 --------- d-----w C:\Program Files\rcv4
2008-02-17 20:15 --------- d-----w C:\Users\Murlin Wei\AppData\Roaming\Flight1
2008-02-17 18:10 202,149 ----a-w C:\Windows\Water Details FS 2004 Uninstaller.exe
2008-02-17 16:21 --------- d-----w C:\Program Files\Flight One Software
2008-02-16 16:43 --------- d-----w C:\Program Files\Intel
2008-02-16 16:40 --------- d-----w C:\Program Files\Belarc
2008-02-15 19:22 59,392 ----a-w C:\Windows\system32\drivers\RTSTOR.sys
2008-02-14 01:17 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-02-14 01:17 --------- d-----w C:\Program Files\Common Files\L&H
2008-02-14 01:16 --------- d-----w C:\Program Files\Microsoft.NET
2008-02-13 13:01 --------- d-----w C:\Users\Murlin Wei\AppData\Roaming\OpenOffice.org2
2008-02-12 23:40 6,656 ----a-w C:\Windows\System32\kbd106n.dll
2008-02-12 21:59 --------- d-----w C:\ProgramData\Abacus
2008-02-12 18:36 --------- d-----w C:\Program Files\Common Files\InstallShieldCrap
2008-02-11 15:55 147,456 ----a-w C:\Windows\System32\igfxCoIn_v1437.dll
2008-02-11 15:34 29,932 ----a-w C:\Windows\System32\igmedcompkrn.bin
2008-02-11 15:34 2,215,364 ----a-w C:\Windows\System32\igklg400.bin
2008-02-11 15:34 1,971,732 ----a-w C:\Windows\System32\igklg450.bin
2008-02-11 00:19 --------- d-----w C:\Program Files\Ventrilo
2008-02-10 17:11 543 ----a-w C:\Program Files\INSTALL.LOG
2008-02-10 14:03 --------- d-----w C:\Program Files\Common Files\SWF Studio
2008-02-09 19:25 --------- d-----w C:\Program Files\Common Files\INCA Shared
2008-02-07 01:03 --------- d-----w C:\ProgramData\Spybot - Search & Destroy
2008-02-07 00:47 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-06 04:07 462,864 ----a-w C:\Windows\System32\d3dx10_37.dll
2008-01-29 16:02 107,368 ----a-w C:\Windows\System32\GEARAspi.dll
2008-01-19 07:44 986,680 ----a-w C:\Windows\System32\winload.exe
2008-01-19 07:44 926,776 ----a-w C:\Windows\System32\winresume.exe
2008-01-19 07:43 614,968 ----a-w C:\Windows\System32\ci.dll
2008-01-19 07:43 376,376 ----a-w C:\Windows\System32\mcupdate_GenuineIntel.dll
2008-01-19 07:43 3,600,440 ----a-w C:\Windows\System32\ntkrnlpa.exe
2008-01-19 07:43 3,548,728 ----a-w C:\Windows\System32\ntoskrnl.exe
2008-01-19 07:42 94,776 ----a-w C:\Windows\System32\MigAutoPlay.exe
2008-01-19 07:42 51,768 ----a-w C:\Windows\System32\PSHED.DLL
2008-01-19 07:42 247,352 ----a-w C:\Windows\System32\clfs.sys
2008-01-19 07:42 177,208 ----a-w C:\Windows\System32\halmacpi.dll
2008-01-19 07:42 141,880 ----a-w C:\Windows\System32\halacpi.dll
2008-01-19 07:41 24,120 ----a-w C:\Windows\System32\BOOTVID.DLL
2008-01-19 07:41 21,560 ----a-w C:\Windows\System32\kdusb.dll
2008-01-19 07:41 19,512 ----a-w C:\Windows\System32\kdcom.dll
2008-01-19 07:38 46,080 ----a-w C:\Windows\System32\NAPCRYPT.DLL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 03:33 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2008-01-19 03:38 1008184]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [2006-12-13 03:17 98304]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2006-12-13 03:19 106496]
"Persistence"="C:\Windows\system32\igfxpers.exe" [2006-12-13 03:17 81920]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-05 19:33 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-04-05 19:33 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 2008-04-05 19:33 9216 C:\Windows\System32\avgwlntf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.FPS1"= frapsvid.dll
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 relog_ap

[HKLM\~\startupfolder\C:^Users^Murlin Wei^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 2.3.lnk]
path=C:\Users\Murlin Wei\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 2.3.lnk
backup=C:\Windows\pss\OpenOffice.org 2.3.lnk.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Murlin Wei^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Secunia PSI (RC1).lnk]
path=C:\Users\Murlin Wei\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Secunia PSI (RC1).lnk
backup=C:\Windows\pss\Secunia PSI (RC1).lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
--a------ 2007-06-11 05:25 6731312 H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
--a------ 2007-02-16 19:49 149024 C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
--a------ 2007-02-16 19:57 1945960 C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 H:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-01-17 12:51 486856 C:\Program Files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2006-12-13 03:19 106496 C:\Windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2006-12-13 03:17 98304 C:\Windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 H:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OODefragTray]
--a------ 2007-05-11 03:08 2512392 C:\Windows\system32\oodtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
--a------ 2006-12-13 03:17 81920 C:\Windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2007-08-06 20:05 200704 H:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Rapget]
E:\Flight Simulator Software\rapget140\rapget.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
--a------ 2006-12-01 00:37 4186112 C:\Windows\RtHDVCpl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 04:25 144784 C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2008-04-06 13:17 1481968 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-04-04 20:39 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
--a------ 2007-02-16 19:45 1169776 C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsWelcomeCenter]
--a------ 2008-01-19 03:36 2153472 C:\Windows\System32\oobefldr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--a------ 2008-01-19 03:33 202240 C:\Program Files\Windows Media Player\WMPNSCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2738104663-2755392700-2221383480-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{61455193-5548-4882-BB4F-1FFC86E41172}C:\\ijji\\english\\u_skid.exe"= UDP:C:\ijji\english\u_skid.exe:
"UDP Query User{6099BF92-BFC5-416D-AEC6-DA00AFB25A65}C:\\ijji\\english\\u_skid.exe"= TCP:C:\ijji\english\u_skid.exe:
"TCP Query User{7E27783F-27CC-4E95-8A1E-47091E0453EF}K:\\program files\\driftcity\\driftcity.exe"= UDP:K:\program files\driftcity\driftcity.exe:DriftCity
"UDP Query User{68C2CEBB-F1D1-4589-A707-19610F1F7E77}K:\\program files\\driftcity\\driftcity.exe"= TCP:K:\program files\driftcity\driftcity.exe:DriftCity
"TCP Query User{FE38E010-F2C0-4967-83FD-96B25A3F5B30}C:\\ijji\\english\\u_sf\\soldierfront.exe"= UDP:C:\ijji\english\u_sf\soldierfront.exe:soldierfront
"UDP Query User{19A69707-47F5-4ED8-A3D4-D983B5833183}C:\\ijji\\english\\u_sf\\soldierfront.exe"= TCP:C:\ijji\english\u_sf\soldierfront.exe:soldierfront
"TCP Query User{B66503DB-7D5D-4DE9-9921-A25C9F1EA5AB}H:\\program files\\driftcity\\driftcity.exe"= UDP:H:\program files\driftcity\driftcity.exe:DriftCity
"UDP Query User{14612DD0-8A9C-44A2-9B51-5491B5A88018}H:\\program files\\driftcity\\driftcity.exe"= TCP:H:\program files\driftcity\driftcity.exe:DriftCity
"TCP Query User{A8D6E0B6-86C5-4D81-9FDF-F0378CD75F37}C:\\program files\\xfire\\xfire.exe"= UDP:C:\program files\xfire\xfire.exe:Xfire
"UDP Query User{5DC64609-489B-4CCD-8BDC-DA888571FCC7}C:\\program files\\xfire\\xfire.exe"= TCP:C:\program files\xfire\xfire.exe:Xfire
"{17C23B69-DBF2-487A-A532-7D9ABF255A9E}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{94906B86-E338-4979-ADE4-B4200BD59672}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"TCP Query User{30964450-8A26-40BA-A03B-E0D17BDCC6BB}G:\\program files\\microsoft games\\flight simulator 9\\fs9.exe"= UDP:G:\program files\microsoft games\flight simulator 9\fs9.exe:Microsoft Flight Simulator
"UDP Query User{426ADF18-258D-442E-B866-DE3813E88673}G:\\program files\\microsoft games\\flight simulator 9\\fs9.exe"= TCP:G:\program files\microsoft games\flight simulator 9\fs9.exe:Microsoft Flight Simulator
"{0E586831-FC73-45B0-9F08-096BF0D40C38}"= UDP:80:80
"{34AD0E95-78FA-44A3-A14A-4A598E511536}"= TCP:80:80
"{28CEFC0F-00A3-4EAB-9D8B-9D64D7265705}"= UDP:6112:6112
"{991C1B7E-6DA8-49BB-9C14-B6C74730B50A}"= TCP:6112:6112
"{8A3679AF-CD19-4CE2-A038-9DE3E3E5A34B}"= UDP:54789:54789
"{8C63877E-7C19-4DA5-B287-AA6D0F8CFC28}"= TCP:54789:54789
"TCP Query User{58038DE4-2BB8-41E1-8189-030A5E823718}H:\\nexon\\maplestory\\patcher.exe"= UDP:H:\nexon\maplestory\patcher.exe:Patcher MFC ?? ????
"UDP Query User{41D9A998-FD0B-4C1B-A90E-B0F2BED2BFC4}H:\\nexon\\maplestory\\patcher.exe"= TCP:H:\nexon\maplestory\patcher.exe:Patcher MFC ?? ????
"TCP Query User{57B550CD-25EA-460B-AE48-681C32F87C39}H:\\nexon\\maplestory\\maplestory.exe"= UDP:H:\nexon\maplestory\maplestory.exe:MapleStory
"UDP Query User{609320D2-5ECE-4286-8362-B486263DA9E3}H:\\nexon\\maplestory\\maplestory.exe"= TCP:H:\nexon\maplestory\maplestory.exe:MapleStory
"TCP Query User{83AB73F7-1946-4300-A08C-DB73E9369C8F}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{48ACEBD7-DC97-4FF2-BB6F-704618FB53B2}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"1c9b3cdd-3bce-43a9-881b-5fb372fe469c"= TCP:2300|LPort=2301|LPort=2302|LPort=2303|LPort=2304|LPort=2305|LPort=2306|LPort=2307|LPort=2308|LPort=2309|LPort=2310|LPort=2311|LPort=2312|LPort=2313|LPort=2314|LPort=2315|LPort=2316|LPort=2317|LPort=2318|LPort=2319|LPort=2320|LPort=2321|LPort=2322|LPort=2323|LPort=2324|LPort=2325|LPort=2326|LPort=2327|LPort=2328|LPort=2329|LPort=2330|LPort=2331|LPort=2332|LPort=2333|LPort=2334|LPort=2335|LPort=2336|LPort=2337|LPort=2338|LPort=2339|LPort=2340|LPort=2341|LPort=2342|LPort=2343|LPort=2344|LPort=2345|LPort=2346|LPort=2347|LPort=2348|LPort=2349|LPort=2350|LPort=2351|LPort=2352|LPort=2353|LPort=2354|LPort=2355|LPort=2356|LPort=2357|LPort=2358|LPort=2359|LPort=2360|LPort=2361|LPort=2362|LPort=2363|LPort=2364|LPort=2365|LPort=2366|LPort=2367|LPort=2368|LPort=2369|LPort=2370|LPort=2371|LPort=2372|LPort=2373|LPort=2374|LPort=2375|LPort=2376|LPort=2377|LPort=2378|LPort=2379|LPort=2380|LPort=2381|LPort=2382|LPort=2383|LPort=2384|LPort=2385|LPort=2386|LPort=2387|LPort=2388|LPort=2389|LPort=2390|LPort=2391|LPort=2392|LPort=2393|LPort=2394|LPort=2395|LPort=2396|LPort=2397|LPort=2398|LPort=2399:Wolf Team
"TCP Query User{6A3FA9AA-E952-4D4D-8FD7-FC7ED8BD727F}H:\\program files\\america's army\\system\\armyops.exe"= UDP:H:\program files\america's army\system\armyops.exe:ArmyOps
"UDP Query User{BEB13D38-D94C-4F4C-9245-7E48245BFA1D}H:\\program files\\america's army\\system\\armyops.exe"= TCP:H:\program files\america's army\system\armyops.exe:ArmyOps
"TCP Query User{50F33169-380A-49AF-81BE-7C6E8C8C2451}C:\\windows\\system32\\dpnsvr.exe"= UDP:C:\windows\system32\dpnsvr.exe:Microsoft DirectPlay8 Server
"UDP Query User{DF0B00AF-395E-4FA4-B850-2BD9EF20F7ED}C:\\windows\\system32\\dpnsvr.exe"= TCP:C:\windows\system32\dpnsvr.exe:Microsoft DirectPlay8 Server
"TCP Query User{5021BF18-01CD-4258-97B4-0C63DB4C1B7E}C:\\program files\\fsfdt\\control panel\\fsfdtcp.exe"= UDP:C:\program files\fsfdt\control panel\fsfdtcp.exe:FSFDT Control Panel
"UDP Query User{3DB1FC88-0596-4F01-A186-E39F227CE84D}C:\\program files\\fsfdt\\control panel\\fsfdtcp.exe"= TCP:C:\program files\fsfdt\control panel\fsfdtcp.exe:FSFDT Control Panel
"TCP Query User{1AB14382-F73F-48C9-B315-3EE9B8CB2694}C:\\program files\\mozilla firefox\\firefox.exe"= UDP:C:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{17CAEFA6-0C1E-42AC-978B-C4A6CBAAC66B}C:\\program files\\mozilla firefox\\firefox.exe"= TCP:C:\program files\mozilla firefox\firefox.exe:Firefox
"eb8b0e56-37ab-4db7-9f9e-1a1d6608d4e0"= %ProgramFiles%\FSFDT\FSInn UI\FSInnUI.exe:FSINN
"UDP Query User{D86A64A0-98DB-45F2-B30E-9C99810EA427}C:\\program files\\fsfdt\\fwinn\\fwinn.exe"= C:\program files\fsfdt\fwinn\fwinn.exe:FSInn Application
"TCP Query User{F3FF54FA-890C-4280-937A-E4B25DFDC64A}C:\\program files\\fsfdt\\fwinn\\fwinn.exe"= C:\program files\fsfdt\fwinn\fwinn.exe:FSInn Application
"5d038ed9-b69c-43ca-9e9d-361f03d7074d"= %ProgramFiles%\FSFDT\Control Panel\FSFDTCP.exe:FSUDCP
"09c2c1b0-5d17-4e76-8c53-65f0895ca6d1"= UDP:3782|LPort=3290|LPort=3783|LPort=6809:SQ
"3a769932-0d65-4226-8f87-9af21c6399fa"= TCP:3782|LPort=3290|LPort=3783|LPort=6809:SQ1
"7bda4004-dec1-4e68-ae03-4b18dca28327"= TCP:32062:FSINN
"TCP Query User{7BA25555-49F6-4C6F-A3BE-B1091A7CD7E6}C:\\program files\\swiftswitch\\swiftswitch.exe"= UDP:C:\program files\swiftswitch\swiftswitch.exe:Utility for RuneScape
"UDP Query User{F3D3B80D-3F35-4E98-BAE6-FFC8C8B398CB}C:\\program files\\swiftswitch\\swiftswitch.exe"= TCP:C:\program files\swiftswitch\swiftswitch.exe:Utility for RuneScape
"TCP Query User{2E3A70D7-0AC2-4254-B11B-0A2EC31E6D05}H:\\program files\\dragonfly\\special force\\specialforce.exe"= UDP:H:\program files\dragonfly\special force\specialforce.exe:SpecialForce
"UDP Query User{6137764F-CAE8-4517-AF49-6CB2607C5DB8}H:\\program files\\dragonfly\\special force\\specialforce.exe"= TCP:H:\program files\dragonfly\special force\specialforce.exe:SpecialForce
"TCP Query User{0D1EF090-833B-4967-9D45-EAF64C49861F}C:\\ijji\\english\\gunz\\gunz.exe"= UDP:C:\ijji\english\gunz\gunz.exe:Gunz
"UDP Query User{560CD26A-B4D8-4DD6-9AF8-BA438C3E071D}C:\\ijji\\english\\gunz\\gunz.exe"= TCP:C:\ijji\english\gunz\gunz.exe:Gunz
"TCP Query User{63EC054C-903B-40D8-A36F-D2F80B55FF3D}C:\\users\\murlin wei\\desktop\\fshost32\\fshost32.exe"= UDP:C:\users\murlin wei\desktop\fshost32\fshost32.exe:fshost32.exe
"UDP Query User{D8E76696-D62C-4EBD-8A08-5450B40122C9}C:\\users\\murlin wei\\desktop\\fshost32\\fshost32.exe"= TCP:C:\users\murlin wei\desktop\fshost32\fshost32.exe:fshost32.exe
"TCP Query User{854A4DB3-1DFB-4B87-A7E0-AEA6B9C0074B}C:\\windows\\system32\\dplaysvr.exe"= UDP:C:\windows\system32\dplaysvr.exe:Microsoft DirectPlay Helper
"UDP Query User{A36A3890-68AE-4E2D-BC3B-FDAC339499B3}C:\\windows\\system32\\dplaysvr.exe"= TCP:C:\windows\system32\dplaysvr.exe:Microsoft DirectPlay Helper
"TCP Query User{2D0919A8-6553-4CDF-A595-A46EF1D2F4D3}C:\\program files\\dragonfly\\special force\\specialforce.exe"= UDP:C:\program files\dragonfly\special force\specialforce.exe:specialforce
"UDP Query User{BC4A08A4-5B7E-4662-810F-1D9F1662B2AC}C:\\program files\\dragonfly\\special force\\specialforce.exe"= TCP:C:\program files\dragonfly\special force\specialforce.exe:specialforce
"{73852E8D-6030-4943-9978-138A7E864BD9}"= UDP:C:\Windows\Temp\~osCD95.tmp\ossproxy.exe:ossproxy.exe
"{43868274-2029-4933-8F1C-885F387F06D2}"= UDP:C:\Windows\Temp\~osDBBC.tmp\ossproxy.exe:ossproxy.exe
"{607558EF-6597-4863-8D25-F007069A2EC9}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{46E5FDB3-D48D-4321-B224-C365CF959155}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{9B21F62D-DF09-44A2-BD05-BC7EEE8742C9}"= UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{68F77BA3-1444-44C8-AC53-D586A7FD787C}"= TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{48866029-02D4-420C-AF33-2058433DC7D9}"= UDP:H:\Program Files\iTunes\iTunes.exe:iTunes
"{AB169B2B-5F22-47D8-B596-C06720D2E476}"= TCP:H:\Program Files\iTunes\iTunes.exe:iTunes
"TCP Query User{37AFDF7F-9FEF-441B-B24D-75F2E325B8C7}H:\\program files\\azureus\\azureus.exe"= UDP:H:\program files\azureus\azureus.exe:Azureus
"UDP Query User{2414528D-9012-4CCF-B04D-4D7AC667B755}H:\\program files\\azureus\\azureus.exe"= TCP:H:\program files\azureus\azureus.exe:Azureus
"TCP Query User{9225565D-E33E-467E-9533-ED9B2675E3C6}C:\\program files\\azureus\\azureus.exe"= UDP:C:\program files\azureus\azureus.exe:Azureus
"UDP Query User{9F98D73A-65DD-4D0E-B968-DC1D3C6EBAA6}C:\\program files\\azureus\\azureus.exe"= TCP:C:\program files\azureus\azureus.exe:Azureus

R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-01-28 12:43]
R3 HPFXBULK;HPFXBULK;C:\Windows\system32\drivers\hpfxbulk.sys [2007-06-20 03:21]
R3 igfx;igfx;C:\Windows\system32\DRIVERS\igdkmd32.sys [2006-12-13 04:32]
R3 RTSTOR;USB Mass Storage Device;C:\Windows\system32\drivers\RTSTOR.SYS [2008-02-15 15:22]
R3 rxpvbus;Reality XP Avionics Bus Driver;C:\Windows\system32\DRIVERS\rxpvbus.sys [2005-11-04 09:35]
R3 yukonwlh;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk60x86.sys [2006-11-02 03:30]
S2 AcronisOSSReinstallSvc;Acronis OS Selector Reinstall Service;"C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall_svc.exe" [2007-02-22 19:53]
S3 PSI;PSI;C:\Windows\system32\DRIVERS\psi_mf.sys [2008-02-19 04:24]
S3 scskusbf;USB SCSK Filter Driver Service;C:\Windows\system32\drivers\scskusbf.sys [2008-03-08 21:03]
S3 scskusbs;USB SCSK Driver Service;C:\Windows\system32\drivers\scskusbs.sys [2008-03-08 21:03]
S4 PD91Agent;PD91Agent;"C:\Program Files\Raxco\PerfectDisk\PD91Agent.exe" []
S4 PD91Engine;PD91Engine;"C:\Program Files\Raxco\PerfectDisk\PD91Engine.exe" []
S4 PD91VMDefrag;PD91VMDefrag;"C:\Program Files\Raxco\PerfectDisk\PD91VMDefrag.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
rsmsvcs REG_MULTI_SZ ntmssvc

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, »www.gmer.net
Rootkit scan 2008-04-06 19:37:56
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
H:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Xfire\xfire.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\Windows\system32\oodag.exe
C:\Windows\system32\DllHost.exe
.
**************************************************************************
.
Completion time: 2008-04-06 19:40:33 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-06 23:40:27
Pre-Run: 22,094,360,576 bytes free
Post-Run: 21,846,478,848 bytes free
.
2008-04-06 19:37:25 --- E O F ---

MBAM

Malwarebytes' Anti-Malware 1.10
Database version: 597

Scan type: Quick Scan
Objects scanned: 28169
Time elapsed: 3 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{48d78be5-cfb9-4b66-9ac4-96d4cf21de06} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{74d46bba-5638-473a-83b6-97e7804a7411} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{d2a8552d-4340-413e-b94e-245827fbc269} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{4340df8e-d7a3-4675-be74-80077b2b3e81} (Rogue.AntiSpamBoy) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\ausctv32a.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

HiJackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:52:12 PM, on 4/6/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Xfire\xfire.exe
C:\Windows\Explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = »go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Azureus.exe - Shortcut.lnk = H:\Program Files\Azureus\Azureus.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - H:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - »download.divx.com/player/DivXBro···ugin.cab
O16 - DPF: {A977FF0C-8757-4E76-8533-482F91946233} (Neowiz Login Control) - »gpdl.pmang.com/sayclub/sayctl/sayax.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{816238D4-1ADE-4801-AF6C-1CB6A0BDC37F}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{816238D4-1ADE-4801-AF6C-1CB6A0BDC37F}: NameServer = 208.67.220.220,208.67.222.222
O20 - AppInit_DLLs:
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - H:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Acronis OS Selector Reinstall Service (AcronisOSSReinstallSvc) - Unknown owner - C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall_svc.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\Windows\system32\oodag.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe

--
End of file - 6062 bytes


bcastner
Premium,VIP,MVM
join:2002-09-25
Chevy Chase, MD

reply to Siko
2. Please double-click OTMoveIt2.exe to run the utility.

Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

%TEMP%\ossproxy.exe /S
C:\Users\ossproxy.exe /S

Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window.
IMPORTANT -- Paste only into the bottom input panel (under the Yellow bar). The top panel will not help you.
Right-click and choose Paste.

Click the red Moveit button.
This will not be quick. I am asking it to scan your entire Drive C twice.
When it has finished, use your mouse and do a Copy/Paste of the large right-hand panel that shows Results.
Save your Clipboard contents in a new Notepad file, as we will want to review these results later.
Close OTMoveIt2 when it has finished.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

2. Right-click on the header of the Code box below, where on the right side it says: "Copy to clipboard":
File::
C:\Windows\Temp\~osCD95.tmp\ossproxy.exe
C:\Windows\Temp\~osCD95.tmp\ossproxy.exe.rvt
C:\Windows\System32\entrnd.exe
 
Folder::
C:\Windows\Temp\~osCD95.tmp
 
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{73852E8D-6030-4943-9978-138A7E864BD9}"=-
"{43868274-2029-4933-8F1C-885F387F06D2}"=-

Open a new Notepad session - (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

• Disconnect from the Internet.
• Disable your Antivirus. If the Antivirus software you use has any Script Blocking features, be certain to disable these as well.
Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
• A window will open with a warning. Accept any Disclaimers to start the fix.

Using your mouse, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown in this little picture:


When the scan completes Notepad will open with your results log open. Do a File, Exit and answer 'Yes' to save changes.

• A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

Post back to the Forum the contents of C:\Combofix.txt

--
============
MS-MVP 2004 - 2008, ASAP Member
Users Helping Users
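Added example, not code from bcastner's post or from any tool on this page: a Python helper that parses the FirewallRules section of a ComboFix log as pasted above, flags rules whose program lives under a Temp directory or inside a throw-away *.tmp folder (the pattern of the ossproxy.exe entries bcastner targets), and emits a CFScript in the File::/Folder::/Registry:: layout his post uses. The sample log lines are constructed from entries in this thread; the function and class names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: FirewallRules lines in the ComboFix log layout used in this thread
# (assumption: one value per line, as the original ComboFix output has it).
SAMPLE_LOG = r'''
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{1AB14382-F73F-48C9-B315-3EE9B8CB2694}C:\\program files\\mozilla firefox\\firefox.exe"= UDP:C:\program files\mozilla firefox\firefox.exe:Firefox
"{73852E8D-6030-4943-9978-138A7E864BD9}"= UDP:C:\Windows\Temp\~osCD95.tmp\ossproxy.exe:ossproxy.exe
"{43868274-2029-4933-8F1C-885F387F06D2}"= UDP:C:\Windows\Temp\~osDBBC.tmp\ossproxy.exe:ossproxy.exe
"{0E586831-FC73-45B0-9F08-096BF0D40C38}"= UDP:80:80
"{9B21F62D-DF09-44A2-BD05-BC7EEE8742C9}"= UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"TCP Query User{61455193-5548-4882-BB4F-1FFC86E41172}C:\\ijji\\english\\u_skid.exe"= UDP:C:\ijji\english\u_skid.exe:
'''

FIREWALL_KEY = r"[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]"

# "<value name>"= <TCP|UDP>:<program path or port spec>:<display label>
LINE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<value>.*)$')
VALUE_RE = re.compile(r'^(?P<proto>TCP|UDP):(?P<target>.+):(?P<label>[^:]*)$')
DRIVE_PATH_RE = re.compile(r'^[a-z]:\\')


@dataclass
class FirewallRule:
    name: str      # registry value name, e.g. "{73852E8D-...}" or "TCP Query User{...}..."
    proto: str
    target: str    # program path, or a port / LPort list for port-only rules
    label: str

    @property
    def program(self) -> Optional[str]:
        """The executable path when the rule targets a program, else None."""
        return self.target if DRIVE_PATH_RE.match(self.target.lower()) else None


def parse_firewall_rules(log_text: str) -> List[FirewallRule]:
    """Collect the rules listed under the FirewallRules key of a ComboFix log."""
    rules: List[FirewallRule] = []
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith('['):            # any [key] header starts or ends the section
            in_section = (line == FIREWALL_KEY)
            continue
        if not in_section:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        v = VALUE_RE.match(m.group('value'))
        if not v:                           # empty value, or a value wrapped by the forum
            continue
        rules.append(FirewallRule(m.group('name'), v.group('proto'),
                                  v.group('target'), v.group('label')))
    return rules


def temp_path_reason(path: str) -> Optional[str]:
    """Why a program path looks like a temporary drop location, or None."""
    dirs = path.lower().split('\\')[:-1]    # directory components only
    if any(d.endswith('.tmp') for d in dirs):
        return 'executable inside a *.tmp folder'
    if 'temp' in dirs:
        return 'executable inside a Temp directory'
    return None


def flag_temp_rules(rules: List[FirewallRule]) -> List[Tuple[FirewallRule, str]]:
    """Rules whose program runs from a temporary location, with the reason."""
    flagged = []
    for r in rules:
        reason = temp_path_reason(r.program) if r.program else None
        if reason:
            flagged.append((r, reason))
    return flagged


def _dedupe(seq: List[str]) -> List[str]:
    return list(dict.fromkeys(seq))


def build_cfscript(flagged: List[FirewallRule]) -> str:
    """Emit a CFScript removing the programs, their *.tmp folders and the rule values."""
    files, folders, values = [], [], []
    for r in flagged:
        if r.program is None:
            continue
        files.append(r.program)
        parent, _, _ = r.program.rpartition('\\')
        # Only the throw-away *.tmp folder is listed, never C:\Windows\Temp itself.
        if parent.lower().endswith('.tmp'):
            folders.append(parent)
        values.append(f'"{r.name}"=-')      # "=-" deletes the value, as in bcastner's script
    lines = ['File::', *_dedupe(files), '',
             'Folder::', *_dedupe(folders), '',
             'Registry::', FIREWALL_KEY, *_dedupe(values)]
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    hits = flag_temp_rules(parse_firewall_rules(SAMPLE_LOG))
    for rule, why in hits:
        print(f'{rule.name}: {rule.program} ({why})')
    print(build_cfscript([r for r, _ in hits]))
```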



Siko
Premium
join:2006-11-27
Mechanicsburg, PA


Here they are

ComboFix 08-04-08.4 - Murlin Wei 2008-04-08 15:28:56.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1299 [GMT -4:00]
Running from: C:\Users\Murlin Wei\Desktop\ComboFix.exe
Command switches used :: C:\Users\Murlin Wei\Desktop\CFscript.txt
.

((((((((((((((((((((((((( Files Created from 2008-03-08 to 2008-04-08 )))))))))))))))))))))))))))))))
.

2008-04-06 19:44 . 2008-04-06 19:44 d-------- C:\Users\Murlin Wei\AppData\Roaming\Malwarebytes
2008-04-06 19:44 . 2008-04-06 19:44 d-------- C:\Users\All Users\Malwarebytes
2008-04-06 19:44 . 2008-04-06 19:44 d-------- C:\ProgramData\Malwarebytes
2008-04-06 19:44 . 2008-04-06 19:44 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-06 19:31 . 2008-04-06 19:31 d-------- C:\_OTMoveIt
2008-04-06 19:10 . 2008-04-06 19:10 d-------- C:\Program Files\Azureus
2008-04-06 10:00 . 2008-04-08 15:27 d-------- C:\Users\Murlin Wei\AppData\Roaming\Azureus
2008-04-06 10:00 . 2008-04-06 10:00 d-------- C:\Users\All Users\Azureus
2008-04-06 10:00 . 2008-04-06 10:00 d-------- C:\ProgramData\Azureus
2008-04-06 08:03 . 2008-04-06 08:05 178 --a------ C:\megaScenery.ini
2008-04-05 19:34 . 2008-04-06 08:06 d-------- C:\Users\Murlin Wei\AppData\Roaming\AVG7
2008-04-05 19:33 . 2008-04-05 19:33 9,216 --a------ C:\Windows\System32\avgwlntf.dll
2008-04-05 14:50 . 2008-04-05 19:35 d-------- C:\Program Files\COMODO
2008-04-05 14:45 . 2008-04-06 08:06 d-------- C:\Users\All Users\Avg7
2008-04-05 14:45 . 2008-04-06 08:06 d-------- C:\ProgramData\Avg7
2008-04-05 09:07 . 2007-02-22 22:19 172,032 --a------ C:\Windows\System32\igfxres.dll
2008-04-05 09:03 . 2008-04-05 09:03 d-------- C:\Intel
2008-04-05 09:03 . 2006-12-13 03:17 3,276,800 --a------ C:\Windows\System32\igfxress.dll
2008-04-05 09:03 . 2006-12-13 03:16 212,992 --a------ C:\Windows\System32\igfxdev.dll
2008-04-05 09:03 . 2007-02-22 23:44 204,800 --a------ C:\Windows\System32\igfxCoIn_v1214.dll
2008-04-05 09:03 . 2006-12-13 03:16 196,608 --a------ C:\Windows\System32\igfxsrvc.exe
2008-04-05 09:03 . 2006-12-13 03:16 155,648 --a------ C:\Windows\System32\igfxpph.dll
2008-04-04 21:01 . 2008-04-04 21:01 d-------- C:\Users\Murlin Wei\AppData\Roaming\Apple Computer
2008-04-04 21:01 . 2008-04-04 21:01 d-------- C:\Users\All Users\Apple Computer
2008-04-04 21:01 . 2008-04-04 21:01 d-------- C:\ProgramData\Apple Computer
2008-04-04 21:01 . 2008-04-04 21:01 d-------- C:\Program Files\QuickTime
2008-04-04 21:01 . 2008-04-04 21:01 d-------- C:\Program Files\iPod
2008-04-04 21:01 . 2008-04-07 16:47 54,156 --ah----- C:\Windows\QTFont.qfn
2008-04-04 21:01 . 2008-04-04 21:01 1,409 --a------ C:\Windows\QTFont.for
2008-04-04 21:00 . 2008-04-04 21:00 d-------- C:\Users\All Users\Apple
2008-04-04 21:00 . 2008-04-04 21:00 d-------- C:\ProgramData\Apple
2008-04-04 21:00 . 2008-04-04 21:00 d-------- C:\Program Files\Common Files\Apple
2008-04-04 21:00 . 2008-04-04 21:00 d-------- C:\Program Files\Apple Software Update
2008-04-04 20:39 . 2008-04-04 20:39 d-------- C:\Program Files\Real
2008-04-04 20:39 . 2008-04-04 20:39 d-------- C:\Program Files\Common Files\xing shared
2008-04-04 20:39 . 2008-04-04 20:39 d-------- C:\Program Files\Common Files\Real
2008-04-04 15:31 . 2008-04-04 15:31 d-------- C:\Users\Murlin Wei\AppData\Roaming\Microsoft Game Studios
2008-04-02 19:26 . 2008-04-02 19:26 41,296 --a------ C:\Windows\System32\xfcodec.dll
2008-03-31 17:00 . 2008-03-31 17:00 d-------- C:\Users\Murlin Wei\AppData\Roaming\InstallShield
2008-03-29 17:45 . 2008-03-29 17:45 d-------- C:\Program Files\Ken Salter
2008-03-29 16:23 . 2008-03-29 16:23 d-------- C:\Users\Murlin Wei\AppData\Roaming\Ethereal
2008-03-29 16:21 . 2008-03-29 16:21 d-------- C:\Temp
2008-03-29 16:21 . 2008-03-29 16:21 d-------- C:\Program Files\Ethereal
2008-03-29 16:21 . 2008-03-29 16:21 d-------- C:\Program Files\AirSnare
2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\Windows\System32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\Windows\System32\QuickTime.qts
2008-03-27 18:33 . 2008-03-27 18:33 1,024 --a------ C:\Windows\utraffic1.lic
2008-03-26 16:50 . 2008-03-26 16:50 1,107 --a------ C:\Windows\mozver.dat
2008-03-25 18:20 . 2008-03-25 18:20 d-------- C:\Windows\System32\Adobe
2008-03-24 21:04 . 2008-03-24 21:04 d-------- C:\Program Files\7-Zip
2008-03-23 20:33 . 2008-03-23 20:33 2,048 --a------ C:\Windows\atr72-500.lic
2008-03-23 18:44 . 2008-03-23 18:44 d-------- C:\Program Files\Dragonfly
2008-03-23 07:47 . 2008-03-23 07:52 d-------- C:\Windows\Lhsp
2008-03-22 21:21 . 2008-03-22 21:22 d-------- C:\Program Files\FSFDT
2008-03-22 16:27 . 2008-03-22 16:27 d-------- C:\Program Files\XviD
2008-03-22 16:26 . 2008-03-25 16:58 d-------- C:\Program Files\Common Files\GC Install
2008-03-22 14:57 . 2008-04-08 15:27 d-------- C:\Users\Murlin Wei\AppData\Roaming\SiteAdvisor
2008-03-22 14:57 . 2008-03-22 14:57 d-------- C:\Users\All Users\SiteAdvisor
2008-03-22 14:57 . 2008-03-22 14:57 d-------- C:\Users\All Users\McAfee
2008-03-22 14:57 . 2008-03-22 14:57 d-------- C:\ProgramData\SiteAdvisor
2008-03-22 14:57 . 2008-03-22 14:57 d-------- C:\ProgramData\McAfee
2008-03-22 14:20 . 2008-03-22 14:20 d-------- C:\Users\All Users\Adobe
2008-03-22 13:56 . 2008-03-22 13:56 d-------- C:\Program Files\GARMIN
2008-03-22 13:55 . 1997-11-19 15:49 303,616 --a------ C:\Windows\IsUninst.exe
2008-03-22 13:54 . 2008-03-22 13:54 2,048 --a------ C:\Windows\dfa36.lic
2008-03-22 07:49 . 2008-03-22 07:51 3,675 --a------ C:\Windows\aitt.ini
2008-03-21 16:29 . 2008-03-21 16:37 d-------- C:\Users\All Users\Lavasoft
2008-03-21 16:29 . 2008-03-21 16:37 d-------- C:\ProgramData\Lavasoft
2008-03-21 15:51 . 2008-03-21 15:51 d-------- C:\Users\Murlin Wei\AppData\Roaming\Grisoft
2008-03-21 15:51 . 2007-05-30 08:10 10,872 --a------ C:\Windows\System32\drivers\AvgAsCln.sys
2008-03-21 09:49 . 2008-04-05 08:59 d-------- C:\Program Files\Realtek
2008-03-21 09:49 . 2006-09-12 00:34 499,712 --a------ C:\Windows\RtlExUpd.dll
2008-03-20 15:40 . 2008-03-20 15:40 d-------- C:\Users\Murlin Wei\{aa0d5936-10b8-4d4e-b491-2ffd51f2ccbe}
2008-03-20 15:15 . 2008-03-20 15:15 dr-h----- C:\MSOCache
2008-03-19 20:56 . 2008-01-19 03:35 9,847,296 --a------ C:\Windows\System32\NlsData000a.dll
2008-03-19 20:55 . 2008-01-19 02:06 8,147,456 --a------ C:\Windows\System32\wmploc.DLL
2008-03-18 20:32 . 2008-03-18 20:32 d-------- C:\Windows\System32\VC
2008-03-18 20:32 . 2008-03-18 20:32 d-------- C:\Windows\System32\MinGW
2008-03-18 20:32 . 2008-03-18 20:32 d-------- C:\Windows\System32\Builder5
2008-03-18 20:22 . 2008-03-18 20:26 155,648 --a------ C:\Windows\System32\libssl32.dll
2008-03-18 18:32 . 2008-03-18 18:32 286,720 --a------ C:\Windows\iun506.exe
2008-03-17 15:34 . 2008-03-17 15:34 d-------- C:\Users\Murlin Wei\AppData\Roaming\eMule
2008-03-17 15:34 . 2008-04-04 18:16 d-------- C:\Users\All Users\eMule
2008-03-17 15:34 . 2008-04-04 18:16 d-------- C:\ProgramData\eMule
2008-03-16 14:12 . 2008-03-16 14:12 4 --a------ C:\Windows\startup_BBCP.ini
2008-03-16 14:03 . 2008-03-16 14:03 d-------- C:\Users\All Users\Ubisoft
2008-03-16 14:03 . 2008-03-16 14:03 d-------- C:\ProgramData\Ubisoft
2008-03-16 14:03 . 2008-03-16 14:03 d-------- C:\Program Files\Microsoft Speech SDK 5.1
2008-03-16 14:03 . 2008-03-16 14:03 d-------- C:\Program Files\IL2 Sturmovik
2008-03-16 14:03 . 2008-03-16 14:03 d-------- C:\Program Files\IL-2 Sturmovik Forgotten Battles
2008-03-16 14:03 . 2004-03-29 17:23 90,112 --a------ C:\Windows\unvise32.exe
2008-03-16 10:43 . 2008-03-29 16:21 d-------- C:\Program Files\WinPcap
2008-03-15 07:21 . 2008-03-15 07:21 176,937 --a------ C:\Windows\Sky Environment Ultra FS9 Uninstaller.exe
2008-03-13 16:36 . 2008-03-13 16:36 d-------- C:\Program Files\Bevelstone Production
2008-03-13 16:16 . 2008-03-15 18:22 d-------- C:\Program Files\Common Files\InstallShield
2008-03-13 15:11 . 2008-03-13 15:11 d-------- C:\Program Files\Common Files\Macrovision Shared
2008-03-13 15:10 . 2008-03-22 14:20 d-------- C:\Program Files\Common Files\Adobe
2008-03-13 15:09 . 2008-03-13 15:09 d-------- C:\Program Files\Microsoft Silverlight
2008-03-12 20:41 . 2008-03-12 20:41 0 --ah----- C:\Windows\System32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-03-12 16:48 . 2008-03-12 16:48 d-------- C:\Program Files\DocPad

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-08 19:32 --------- d-----w C:\ProgramData\Xfire
2008-04-08 19:32 --------- d-----w C:\Program Files\Xfire
2008-04-08 00:12 --------- d-----w C:\Users\Murlin Wei\AppData\Roaming\Xfire
2008-04-07 22:27 179,034,213 ----a-w C:\Windows\DUMP449a.tmp
2008-04-06 23:11 --------- d-----w C:\Users\Murlin Wei\AppData\Roaming\uTorrent
2008-04-06 17:17 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-04-06 13:54 --------- d---a-w C:\ProgramData\TEMP
2008-04-06 13:54 --------- d-----w C:\Program Files\SpywareBlaster
2008-04-05 23:33 --------- d-----w C:\ProgramData\Grisoft
2008-04-05 12:59 319,984 ----a-w C:\Windows\DIFxAPI.dll
2008-04-01 20:27 737,280 ----a-w C:\Windows\iun6002.exe
2008-03-31 21:00 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-30 22:54 --------- d-----w C:\Program Files\IEPro
2008-03-29 17:25 --------- d-----w C:\Users\Murlin Wei\AppData\Roaming\Winamp
2008-03-23 19:04 1,392,304 ----a-w C:\Windows\System32\AutoPartNt.exe
2008-03-23 19:01 114,048 ----a-w C:\Windows\system32\drivers\snapman.sys
2008-03-23 19:01 --------- d-----w C:\Program Files\Common Files\Acronis
2008-03-23 19:01 --------- d-----w C:\Program Files\Acronis
2008-03-22 18:48 --------- d-----w C:\Program Files\Java
2008-03-22 16:54 --------- d-----w C:\Program Files\FS Real Time
2008-03-21 20:33 12,632 ----a-w C:\Windows\System32\lsdelete.exe
2008-03-21 20:29 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-20 01:20 174 --sha-w C:\Program Files\desktop.ini
2008-03-20 01:15 --------- d-----w C:\Program Files\Windows Sidebar
2008-03-20 01:15 --------- d-----w C:\Program Files\Windows Photo Gallery
2008-03-20 01:15 --------- d-----w C:\Program Files\Windows Mail
2008-03-20 01:15 --------- d-----w C:\Program Files\Windows Defender
2008-03-20 01:15 --------- d-----w C:\Program Files\Windows Calendar
2008-03-20 01:05 82,432 ----a-w C:\Windows\System32\axaltocm.dll
2008-03-20 01:05 101,888 ----a-w C:\Windows\System32\ifxcardm.dll
2008-03-20 00:17 --------- d-----w C:\Program Files\Microsoft Games
2008-03-09 01:03 169,109 ----a-w C:\Windows\system32\drivers\scskusbs.sys
2008-03-09 01:03 11,385 ----a-w C:\Windows\system32\drivers\scskusbf.sys
2008-03-06 21:25 --------- d-----w C:\Users\Murlin Wei\AppData\Roaming\NPLUTO Corporation
2008-03-05 21:03 479,752 ----a-w C:\Windows\System32\XAudio2_0.dll
2008-03-05 21:03 238,088 ----a-w C:\Windows\System32\xactengine3_0.dll
2008-03-05 21:00 25,608 ----a-w C:\Windows\System32\X3DAudio1_3.dll
2008-03-05 20:56 3,786,760 ----a-w C:\Windows\System32\D3DX9_37.dll
2008-03-05 20:56 1,420,824 ----a-w C:\Windows\System32\D3DCompiler_37.dll
2008-03-03 00:21 --------- d-----w C:\Program Files\OO Software
2008-03-02 19:51 --------- d-----w C:\Program Files\SwiftSwitch
2008-03-02 19:32 --------- d-----w C:\ProgramData\SwiftSwitch
2008-03-02 16:09 --------- d-----w C:\Users\Murlin Wei\AppData\Roaming\Ventrilo
2008-03-02 12:12 --------- d-----w C:\Program Files\FSFlyingSchool
2008-03-02 02:32 --------- d-----w C:\Users\Murlin Wei\AppData\Roaming\HiFi
2008-03-01 19:37 --------- d-----w C:\Program Files\FOC 2003
2008-02-29 20:20 --------- d-----w C:\Program Files\Runtime Software
2008-02-29 00:23 --------- d-----w C:\Program Files\Recuva
2008-02-28 21:55 --------- d-----w C:\Users\Murlin Wei\AppData\Roaming\SUPERAntiSpyware.com
2008-02-28 21:55 --------- d-----w C:\ProgramData\SUPERAntiSpyware.com
2008-02-28 15:45 230,152 ----a-w C:\Windows\System32\PDBoot.exe
2008-02-27 00:10 --------- d-----w C:\Program Files\RegSeeker
2008-02-26 23:34 --------- d-----w C:\Program Files\Shockwave 3D Lights Redux for FS9
2008-02-24 12:35 --------- d-----w C:\Program Files\DivX
2008-02-21 02:45 --------- d-----w C:\Program Files\SquawkBox3
2008-02-21 02:05 200,704 ----a-w C:\Windows\System32\ssldivx.dll
2008-02-21 02:05 1,044,480 ----a-w C:\Windows\System32\libdivx.dll
2008-02-19 08:24 7,808 ----a-w C:\Windows\system32\drivers\psi_mf.sys
2008-02-19 01:58 316,768 ----a-w C:\Windows\System32\sayax.dll
2008-02-19 00:50 --------- d-----w C:\Program Files\Microsoft Works
2008-02-18 15:14 --------- d-----w C:\Program Files\MSXML 4.0
2008-02-18 11:57 --------- d-----w C:\Program Files\rcv4
2008-02-17 20:15 --------- d-----w C:\Users\Murlin Wei\AppData\Roaming\Flight1
2008-02-17 18:10 202,149 ----a-w C:\Windows\Water Details FS 2004 Uninstaller.exe
2008-02-17 16:21 --------- d-----w C:\Program Files\Flight One Software
2008-02-16 16:43 --------- d-----w C:\Program Files\Intel
2008-02-16 16:40 --------- d-----w C:\Program Files\Belarc
2008-02-15 19:22 59,392 ----a-w C:\Windows\system32\drivers\RTSTOR.sys
2008-02-14 01:17 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-02-14 01:17 --------- d-----w C:\Program Files\Common Files\L&H
2008-02-14 01:16 --------- d-----w C:\Program Files\Microsoft.NET
2008-02-13 13:01 --------- d-----w C:\Users\Murlin Wei\AppData\Roaming\OpenOffice.org2
2008-02-12 23:40 6,656 ----a-w C:\Windows\System32\kbd106n.dll
2008-02-12 21:59 --------- d-----w C:\ProgramData\Abacus
2008-02-12 18:36 --------- d-----w C:\Program Files\Common Files\InstallShieldCrap
2008-02-11 15:55 147,456 ----a-w C:\Windows\System32\igfxCoIn_v1437.dll
2008-02-11 15:34 29,932 ----a-w C:\Windows\System32\igmedcompkrn.bin
2008-02-11 15:34 2,215,364 ----a-w C:\Windows\System32\igklg400.bin
2008-02-11 15:34 1,971,732 ----a-w C:\Windows\System32\igklg450.bin
2008-02-11 00:19 --------- d-----w C:\Program Files\Ventrilo
2008-02-10 17:11 543 ----a-w C:\Program Files\INSTALL.LOG
2008-02-10 14:03 --------- d-----w C:\Program Files\Common Files\SWF Studio
2008-02-09 19:25 --------- d-----w C:\Program Files\Common Files\INCA Shared
2008-02-06 04:07 462,864 ----a-w C:\Windows\System32\d3dx10_37.dll
2008-01-29 16:02 107,368 ----a-w C:\Windows\System32\GEARAspi.dll
2008-01-19 07:44 986,680 ----a-w C:\Windows\System32\winload.exe
2008-01-19 07:44 926,776 ----a-w C:\Windows\System32\winresume.exe
2008-01-19 07:43 614,968 ----a-w C:\Windows\System32\ci.dll
2008-01-19 07:43 376,376 ----a-w C:\Windows\System32\mcupdate_GenuineIntel.dll
2008-01-19 07:43 3,600,440 ----a-w C:\Windows\System32\ntkrnlpa.exe
2008-01-19 07:43 3,548,728 ----a-w C:\Windows\System32\ntoskrnl.exe
2008-01-19 07:42 94,776 ----a-w C:\Windows\System32\MigAutoPlay.exe
2008-01-19 07:42 51,768 ----a-w C:\Windows\System32\PSHED.DLL
2008-01-19 07:42 247,352 ----a-w C:\Windows\System32\clfs.sys
2008-01-19 07:42 177,208 ----a-w C:\Windows\System32\halmacpi.dll
2008-01-19 07:42 141,880 ----a-w C:\Windows\System32\halacpi.dll
2008-01-19 07:41 24,120 ----a-w C:\Windows\System32\BOOTVID.DLL
2008-01-19 07:41 21,560 ----a-w C:\Windows\System32\kdusb.dll
2008-01-19 07:41 19,512 ----a-w C:\Windows\System32\kdcom.dll
2008-01-19 07:38 46,080 ----a-w C:\Windows\System32\NAPCRYPT.DLL
.

((((((((((((((((((((((((((((( snapshot@2008-04-06_19.39.55.30 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-06 23:37:39 67,584 --s-a-w C:\Windows\bootstat.dat
+ 2008-04-08 19:32:09 67,584 --s-a-w C:\Windows\bootstat.dat
- 2008-04-06 23:17:13 262,144 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\usrclass.dat
+ 2008-04-08 18:42:55 262,144 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\usrclass.dat
- 2008-04-06 23:37:49 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-04-08 19:32:33 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-04-08 19:32:33 262,144 ---ha-w C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG1
- 2008-04-06 23:33:53 262,144 ----a-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\usrclass.dat
+ 2008-04-08 19:28:41 262,144 ----a-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\usrclass.dat
- 2008-04-06 23:37:49 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-04-08 19:32:33 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-04-08 19:32:33 262,144 ---ha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
- 2008-04-06 23:34:10 262,144 ----a-w C:\Windows\System32\config\systemprofile\ntuser.dat
+ 2008-04-08 19:28:50 262,144 ----a-w C:\Windows\System32\config\systemprofile\ntuser.dat
- 2008-04-06 18:06:50 108,178 ----a-w C:\Windows\System32\perfc009.dat
+ 2008-04-07 22:34:13 108,178 ----a-w C:\Windows\System32\perfc009.dat
- 2008-04-06 18:06:50 629,252 ----a-w C:\Windows\System32\perfh009.dat
+ 2008-04-07 22:34:13 629,252 ----a-w C:\Windows\System32\perfh009.dat
- 2008-04-06 18:04:09 8,110 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2738104663-2755392700-2221383480-1000_UserData.bin
+ 2008-04-07 22:29:38 8,468 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2738104663-2755392700-2221383480-1000_UserData.bin
- 2008-04-06 18:04:08 59,130 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-04-07 22:29:38 59,434 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 03:33 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2008-01-19 03:38 1008184]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [2006-12-13 03:17 98304]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2006-12-13 03:19 106496]
"Persistence"="C:\Windows\system32\igfxpers.exe" [2006-12-13 03:17 81920]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-05 19:33 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-04-05 19:33 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 2008-04-05 19:33 9216 C:\Windows\System32\avgwlntf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 relog_ap

[HKLM\~\startupfolder\C:^Users^Murlin Wei^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 2.3.lnk]
path=C:\Users\Murlin Wei\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 2.3.lnk
backup=C:\Windows\pss\OpenOffice.org 2.3.lnk.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Murlin Wei^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Secunia PSI (RC1).lnk]
path=C:\Users\Murlin Wei\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Secunia PSI (RC1).lnk
backup=C:\Windows\pss\Secunia PSI (RC1).lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
--a------ 2007-06-11 05:25 6731312 H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
--a------ 2007-02-16 19:49 149024 C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
--a------ 2007-02-16 19:57 1945960 C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 H:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-01-17 12:51 486856 C:\Program Files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2006-12-13 03:19 106496 C:\Windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2006-12-13 03:17 98304 C:\Windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 H:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OODefragTray]
--a------ 2007-05-11 03:08 2512392 C:\Windows\system32\oodtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
--a------ 2006-12-13 03:17 81920 C:\Windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2007-08-06 20:05 200704 H:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Rapget]
E:\Flight Simulator Software\rapget140\rapget.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
--a------ 2006-12-01 00:37 4186112 C:\Windows\RtHDVCpl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 04:25 144784 C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2008-04-06 13:17 1481968 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-04-04 20:39 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
--a------ 2007-02-16 19:45 1169776 C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsWelcomeCenter]
--a------ 2008-01-19 03:36 2153472 C:\Windows\System32\oobefldr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--a------ 2008-01-19 03:33 202240 C:\Program Files\Windows Media Player\WMPNSCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2738104663-2755392700-2221383480-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{61455193-5548-4882-BB4F-1FFC86E41172}C:\\ijji\\english\\u_skid.exe"= UDP:C:\ijji\english\u_skid.exe:
"UDP Query User{6099BF92-BFC5-416D-AEC6-DA00AFB25A65}C:\\ijji\\english\\u_skid.exe"= TCP:C:\ijji\english\u_skid.exe:
"TCP Query User{7E27783F-27CC-4E95-8A1E-47091E0453EF}K:\\program files\\driftcity\\driftcity.exe"= UDP:K:\program files\driftcity\driftcity.exe:DriftCity
"UDP Query User{68C2CEBB-F1D1-4589-A707-19610F1F7E77}K:\\program files\\driftcity\\driftcity.exe"= TCP:K:\program files\driftcity\driftcity.exe:DriftCity
"TCP Query User{FE38E010-F2C0-4967-83FD-96B25A3F5B30}C:\\ijji\\english\\u_sf\\soldierfront.exe"= UDP:C:\ijji\english\u_sf\soldierfront.exe:soldierfront
"UDP Query User{19A69707-47F5-4ED8-A3D4-D983B5833183}C:\\ijji\\english\\u_sf\\soldierfront.exe"= TCP:C:\ijji\english\u_sf\soldierfront.exe:soldierfront
"TCP Query User{B66503DB-7D5D-4DE9-9921-A25C9F1EA5AB}H:\\program files\\driftcity\\driftcity.exe"= UDP:H:\program files\driftcity\driftcity.exe:DriftCity
"UDP Query User{14612DD0-8A9C-44A2-9B51-5491B5A88018}H:\\program files\\driftcity\\driftcity.exe"= TCP:H:\program files\driftcity\driftcity.exe:DriftCity
"TCP Query User{A8D6E0B6-86C5-4D81-9FDF-F0378CD75F37}C:\\program files\\xfire\\xfire.exe"= UDP:C:\program files\xfire\xfire.exe:Xfire
"UDP Query User{5DC64609-489B-4CCD-8BDC-DA888571FCC7}C:\\program files\\xfire\\xfire.exe"= TCP:C:\program files\xfire\xfire.exe:Xfire
"{17C23B69-DBF2-487A-A532-7D9ABF255A9E}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{94906B86-E338-4979-ADE4-B4200BD59672}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"TCP Query User{30964450-8A26-40BA-A03B-E0D17BDCC6BB}G:\\program files\\microsoft games\\flight simulator 9\\fs9.exe"= UDP:G:\program files\microsoft games\flight simulator 9\fs9.exe:Microsoft Flight Simulator
"UDP Query User{426ADF18-258D-442E-B866-DE3813E88673}G:\\program files\\microsoft games\\flight simulator 9\\fs9.exe"= TCP:G:\program files\microsoft games\flight simulator 9\fs9.exe:Microsoft Flight Simulator
"{0E586831-FC73-45B0-9F08-096BF0D40C38}"= UDP:80:80
"{34AD0E95-78FA-44A3-A14A-4A598E511536}"= TCP:80:80
"{28CEFC0F-00A3-4EAB-9D8B-9D64D7265705}"= UDP:6112:6112
"{991C1B7E-6DA8-49BB-9C14-B6C74730B50A}"= TCP:6112:6112
"{8A3679AF-CD19-4CE2-A038-9DE3E3E5A34B}"= UDP:54789:54789
"{8C63877E-7C19-4DA5-B287-AA6D0F8CFC28}"= TCP:54789:54789
"TCP Query User{58038DE4-2BB8-41E1-8189-030A5E823718}H:\\nexon\\maplestory\\patcher.exe"= UDP:H:\nexon\maplestory\patcher.exe:Patcher MFC ?? ????
"UDP Query User{41D9A998-FD0B-4C1B-A90E-B0F2BED2BFC4}H:\\nexon\\maplestory\\patcher.exe"= TCP:H:\nexon\maplestory\patcher.exe:Patcher MFC ?? ????
"TCP Query User{57B550CD-25EA-460B-AE48-681C32F87C39}H:\\nexon\\maplestory\\maplestory.exe"= UDP:H:\nexon\maplestory\maplestory.exe:MapleStory
"UDP Query User{609320D2-5ECE-4286-8362-B486263DA9E3}H:\\nexon\\maplestory\\maplestory.exe"= TCP:H:\nexon\maplestory\maplestory.exe:MapleStory
"TCP Query User{83AB73F7-1946-4300-A08C-DB73E9369C8F}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{48ACEBD7-DC97-4FF2-BB6F-704618FB53B2}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"1c9b3cdd-3bce-43a9-881b-5fb372fe469c"=

 
TCP:2300|LPort=2301|LPort=2302|LPort=2303|LPort=2304|LPort=2305|LPort=2306|LPort=2307|LPort=2308|LPort=2309|LPort=2310|LPort=2311|LPort=2312|LPort=2313|LPort=2314|LPort=2315|LPort=2316|LPort=2317|LPort=2318|LPort=2319|LPort=2320|LPort=2321|LPort=2322|LPort=2323|LPort=2324|LPort=2325|LPort=2326|LPort=2327|LPort=2328|LPort=2329|LPort=2330|LPort=2331|LPort=2332|LPort=2333|LPort=2334|LPort=2335|LPort=2336|LPort=2337|LPort=2338|LPort=2339|LPort=2340|LPort=2341|LPort=2342|LPort=2343|LPort=2344|LPort=2345|LPort=2346|LPort=2347|LPort=2348|LPort=2349|LPort=2350|LPort=2351|LPort=2352|LPort=2353|LPort=2354|LPort=2355|LPort=2356|LPort=2357|LPort=2358|LPort=2359|LPort=2360|LPort=2361|LPort=2362|LPort=2363|LPort=2364|LPort=2365|LPort=2366|LPort=2367|LPort=2368|LPort=2369|LPort=2370|LPort=2371|LPort=2372|LPort=2373|LPort=2374|LPort=2375|LPort=2376|LPort=2377|LPort=2378|LPort=2379|LPort=2380|LPort=2381|LPort=2382|LPort=2383|LPort=2384|LPort=2385|LPort=2386|LPort=2387|LPort=2388|LPort=2389|LPort=2390|LPort=2391|LPort=2392|LPort=2393|LPort=2394|LPort=2395|LPort=2396|LPort=2397|LPort=2398|LPort=2399:Wolf Team
 
 
"TCP Query User{6A3FA9AA-E952-4D4D-8FD7-FC7ED8BD727F}H:\\program files\\america's army\\system\\armyops.exe"= UDP:H:\program files\america's army\system\armyops.exe:ArmyOps
"UDP Query User{BEB13D38-D94C-4F4C-9245-7E48245BFA1D}H:\\program files\\america's army\\system\\armyops.exe"= TCP:H:\program files\america's army\system\armyops.exe:ArmyOps
"TCP Query User{50F33169-380A-49AF-81BE-7C6E8C8C2451}C:\\windows\\system32\\dpnsvr.exe"= UDP:C:\windows\system32\dpnsvr.exe:Microsoft DirectPlay8 Server
"UDP Query User{DF0B00AF-395E-4FA4-B850-2BD9EF20F7ED}C:\\windows\\system32\\dpnsvr.exe"= TCP:C:\windows\system32\dpnsvr.exe:Microsoft DirectPlay8 Server
"TCP Query User{5021BF18-01CD-4258-97B4-0C63DB4C1B7E}C:\\program files\\fsfdt\\control panel\\fsfdtcp.exe"= UDP:C:\program files\fsfdt\control panel\fsfdtcp.exe:FSFDT Control Panel
"UDP Query User{3DB1FC88-0596-4F01-A186-E39F227CE84D}C:\\program files\\fsfdt\\control panel\\fsfdtcp.exe"= TCP:C:\program files\fsfdt\control panel\fsfdtcp.exe:FSFDT Control Panel
"TCP Query User{1AB14382-F73F-48C9-B315-3EE9B8CB2694}C:\\program files\\mozilla firefox\\firefox.exe"= UDP:C:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{17CAEFA6-0C1E-42AC-978B-C4A6CBAAC66B}C:\\program files\\mozilla firefox\\firefox.exe"= TCP:C:\program files\mozilla firefox\firefox.exe:Firefox
"eb8b0e56-37ab-4db7-9f9e-1a1d6608d4e0"= %ProgramFiles%\FSFDT\FSInn UI\FSInnUI.exe:FSINN
"UDP Query User{D86A64A0-98DB-45F2-B30E-9C99810EA427}C:\\program files\\fsfdt\\fwinn\\fwinn.exe"= C:\program files\fsfdt\fwinn\fwinn.exe:FSInn Application
"TCP Query User{F3FF54FA-890C-4280-937A-E4B25DFDC64A}C:\\program files\\fsfdt\\fwinn\\fwinn.exe"= C:\program files\fsfdt\fwinn\fwinn.exe:FSInn Application
"5d038ed9-b69c-43ca-9e9d-361f03d7074d"= %ProgramFiles%\FSFDT\Control Panel\FSFDTCP.exe:FSUDCP
"09c2c1b0-5d17-4e76-8c53-65f0895ca6d1"= UDP:3782|LPort=3290|LPort=3783|LPort=6809:SQ
"3a769932-0d65-4226-8f87-9af21c6399fa"= TCP:3782|LPort=3290|LPort=3783|LPort=6809:SQ1
"7bda4004-dec1-4e68-ae03-4b18dca28327"= TCP:32062:FSINN
"TCP Query User{7BA25555-49F6-4C6F-A3BE-B1091A7CD7E6}C:\\program files\\swiftswitch\\swiftswitch.exe"= UDP:C:\program files\swiftswitch\swiftswitch.exe:Utility for RuneScape
"UDP Query User{F3D3B80D-3F35-4E98-BAE6-FFC8C8B398CB}C:\\program files\\swiftswitch\\swiftswitch.exe"= TCP:C:\program files\swiftswitch\swiftswitch.exe:Utility for RuneScape
"TCP Query User{2E3A70D7-0AC2-4254-B11B-0A2EC31E6D05}H:\\program files\\dragonfly\\special force\\specialforce.exe"= UDP:H:\program files\dragonfly\special force\specialforce.exe:SpecialForce
"UDP Query User{6137764F-CAE8-4517-AF49-6CB2607C5DB8}H:\\program files\\dragonfly\\special force\\specialforce.exe"= TCP:H:\program files\dragonfly\special force\specialforce.exe:SpecialForce
"TCP Query User{0D1EF090-833B-4967-9D45-EAF64C49861F}C:\\ijji\\english\\gunz\\gunz.exe"= UDP:C:\ijji\english\gunz\gunz.exe:Gunz
"UDP Query User{560CD26A-B4D8-4DD6-9AF8-BA438C3E071D}C:\\ijji\\english\\gunz\\gunz.exe"= TCP:C:\ijji\english\gunz\gunz.exe:Gunz
"TCP Query User{63EC054C-903B-40D8-A36F-D2F80B55FF3D}C:\\users\\murlin wei\\desktop\\fshost32\\fshost32.exe"= UDP:C:\users\murlin wei\desktop\fshost32\fshost32.exe:fshost32.exe
"UDP Query User{D8E76696-D62C-4EBD-8A08-5450B40122C9}C:\\users\\murlin wei\\desktop\\fshost32\\fshost32.exe"= TCP:C:\users\murlin wei\desktop\fshost32\fshost32.exe:fshost32.exe
"TCP Query User{854A4DB3-1DFB-4B87-A7E0-AEA6B9C0074B}C:\\windows\\system32\\dplaysvr.exe"= UDP:C:\windows\system32\dplaysvr.exe:Microsoft DirectPlay Helper
"UDP Query User{A36A3890-68AE-4E2D-BC3B-FDAC339499B3}C:\\windows\\system32\\dplaysvr.exe"= TCP:C:\windows\system32\dplaysvr.exe:Microsoft DirectPlay Helper
"TCP Query User{2D0919A8-6553-4CDF-A595-A46EF1D2F4D3}C:\\program files\\dragonfly\\special force\\specialforce.exe"= UDP:C:\program files\dragonfly\special force\specialforce.exe:specialforce
"UDP Query User{BC4A08A4-5B7E-4662-810F-1D9F1662B2AC}C:\\program files\\dragonfly\\special force\\specialforce.exe"= TCP:C:\program files\dragonfly\special force\specialforce.exe:specialforce
"{73852E8D-6030-4943-9978-138A7E864BD9}"= UDP:C:\Windows\Temp\~osCD95.tmp\ossproxy.exe:ossproxy.exe
"{43868274-2029-4933-8F1C-885F387F06D2}"= UDP:C:\Windows\Temp\~osDBBC.tmp\ossproxy.exe:ossproxy.exe
"{607558EF-6597-4863-8D25-F007069A2EC9}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{46E5FDB3-D48D-4321-B224-C365CF959155}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{9B21F62D-DF09-44A2-BD05-BC7EEE8742C9}"= UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{68F77BA3-1444-44C8-AC53-D586A7FD787C}"= TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{48866029-02D4-420C-AF33-2058433DC7D9}"= UDP:H:\Program Files\iTunes\iTunes.exe:iTunes
"{AB169B2B-5F22-47D8-B596-C06720D2E476}"= TCP:H:\Program Files\iTunes\iTunes.exe:iTunes
"TCP Query User{37AFDF7F-9FEF-441B-B24D-75F2E325B8C7}H:\\program files\\azureus\\azureus.exe"= UDP:H:\program files\azureus\azureus.exe:Azureus
"UDP Query User{2414528D-9012-4CCF-B04D-4D7AC667B755}H:\\program files\\azureus\\azureus.exe"= TCP:H:\program files\azureus\azureus.exe:Azureus
"TCP Query User{9225565D-E33E-467E-9533-ED9B2675E3C6}C:\\program files\\azureus\\azureus.exe"= UDP:C:\program files\azureus\azureus.exe:Azureus
"UDP Query User{9F98D73A-65DD-4D0E-B968-DC1D3C6EBAA6}C:\\program files\\azureus\\azureus.exe"= TCP:C:\program files\azureus\azureus.exe:Azureus
"TCP Query User{BC712732-FEB9-4EDA-8C73-9FC226F9DB1A}H:\\program files\\counter-strike source\\hl2.exe"= UDP:H:\program files\counter-strike source\hl2.exe:hl2
"UDP Query User{57A7C5E6-CBE4-4652-AFEF-DCFD72CBE342}H:\\program files\\counter-strike source\\hl2.exe"= TCP:H:\program files\counter-strike source\hl2.exe:hl2

R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-01-28 12:43]
R3 igfx;igfx;C:\Windows\system32\DRIVERS\igdkmd32.sys [2006-12-13 04:32]
R3 RTSTOR;USB Mass Storage Device;C:\Windows\system32\drivers\RTSTOR.SYS [2008-02-15 15:22]
R3 rxpvbus;Reality XP Avionics Bus Driver;C:\Windows\system32\DRIVERS\rxpvbus.sys [2005-11-04 09:35]
S2 AcronisOSSReinstallSvc;Acronis OS Selector Reinstall Service;"C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall_svc.exe" [2007-02-22 19:53]
S3 HPFXBULK;HPFXBULK;C:\Windows\system32\drivers\hpfxbulk.sys [2007-06-20 03:21]
S3 PSI;PSI;C:\Windows\system32\DRIVERS\psi_mf.sys [2008-02-19 04:24]
S3 scskusbf;USB SCSK Filter Driver Service;C:\Windows\system32\drivers\scskusbf.sys [2008-03-08 21:03]
S3 scskusbs;USB SCSK Driver Service;C:\Windows\system32\drivers\scskusbs.sys [2008-03-08 21:03]
S3 yukonwlh;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk60x86.sys [2006-11-02 03:30]
S4 PD91Agent;PD91Agent;"C:\Program Files\Raxco\PerfectDisk\PD91Agent.exe" []
S4 PD91Engine;PD91Engine;"C:\Program Files\Raxco\PerfectDisk\PD91Engine.exe" []
S4 PD91VMDefrag;PD91VMDefrag;"C:\Program Files\Raxco\PerfectDisk\PD91VMDefrag.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
rsmsvcs REG_MULTI_SZ ntmssvc

.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, »www.gmer.net
Rootkit scan 2008-04-08 15:32:40
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
H:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Windows\system32\oodag.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Xfire\xfire.exe
C:\Windows\system32\DllHost.exe
.
**************************************************************************
.
Completion time: 2008-04-08 15:33:44 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-08 19:33:39
ComboFix2.txt 2008-04-06 23:40:34
Pre-Run: 20,452,012,032 bytes free
Post-Run: 20,367,503,360 bytes free
.
2008-04-06 19:37:25 --- E O F ---

and MoveIt didn't find anything to move.

File/Folder # %TEMP%\ossproxy.exe not found.

File/Folder # C:\Users\ossproxy.exe not found.

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 04082008_152529
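
As an added example (not part of this thread, ComboFix or OTMoveIt2): a small Python script that parses the FirewallRules section of a ComboFix log, as printed in the post above, and flags every rule whose program lives under a Temp or Tmp directory. A firewall exception for an executable in a transient folder is the kind of entry a helper looks at first; the two ossproxy.exe rules in the log above are exactly that case. The sample lines are copied from the log; the port-only and empty entries are included so the parser is exercised on every shape that section uses.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: a handful of lines copied from the FirewallRules
# section of the ComboFix log above, plus one port-only rule and one
# empty value so the parser is exercised on every shape that section uses.
SAMPLE_RULES = r'''
"{73852E8D-6030-4943-9978-138A7E864BD9}"= UDP:C:\Windows\Temp\~osCD95.tmp\ossproxy.exe:ossproxy.exe
"{43868274-2029-4933-8F1C-885F387F06D2}"= UDP:C:\Windows\Temp\~osDBBC.tmp\ossproxy.exe:ossproxy.exe
"{607558EF-6597-4863-8D25-F007069A2EC9}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{9B21F62D-DF09-44A2-BD05-BC7EEE8742C9}"= UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"TCP Query User{1AB14382-F73F-48C9-B315-3EE9B8CB2694}C:\\program files\\mozilla firefox\\firefox.exe"= UDP:C:\program files\mozilla firefox\firefox.exe:Firefox
"eb8b0e56-37ab-4db7-9f9e-1a1d6608d4e0"= %ProgramFiles%\FSFDT\FSInn UI\FSInnUI.exe:FSINN
"{0E586831-FC73-45B0-9F08-096BF0D40C38}"= UDP:80:80
"1c9b3cdd-3bce-43a9-881b-5fb372fe469c"=
'''

# Registry value name, optional protocol prefix, then the rest of the value.
RULE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?:(?P<proto>TCP|UDP):)?(?P<rest>.*)$')
# A program rule starts with a drive letter or an environment variable.
PROGRAM_RE = re.compile(r'^(?:[A-Za-z]:\\|%[A-Za-z]+%\\)')

# Directory names that normally hold only transient files; a firewall
# exception for a program living here deserves a second look.
TRANSIENT_DIRS = {"temp", "tmp", "%temp%", "%tmp%"}


def parse_rule(line):
    """Return {'name','proto','program','label'} for a program rule, else None."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest").strip()
    if not PROGRAM_RE.match(rest):
        return None          # port-only rule, empty value or other shape
    # The label follows the last ':'; the path itself contains the drive colon.
    program, sep, label = rest.rpartition(":")
    if not sep or "\\" in label:
        # No trailing label: the only colon (if any) belongs to the drive.
        program, label = rest, ""
    return {"name": m.group("name"), "proto": m.group("proto"),
            "program": program, "label": label}


def in_transient_dir(program):
    """True if any directory component of the path is a Temp/Tmp folder."""
    parts = PureWindowsPath(program).parts[:-1]      # drop the file name
    return any(p.lower() in TRANSIENT_DIRS for p in parts)


def find_temp_rules(text):
    """Parse every FirewallRules line in text and return the suspicious ones."""
    flagged = []
    for line in text.splitlines():
        rule = parse_rule(line)
        if rule and in_transient_dir(rule["program"]):
            flagged.append(rule)
    return flagged


if __name__ == "__main__":
    for r in find_temp_rules(SAMPLE_RULES):
        print(f"{r['proto'] or '-':4} {r['program']}  (label: {r['label']})")
```

Run against the whole ComboFix log instead of the sample by reading the file and passing its text to `find_temp_rules`; only lines in the `FirewallRules` format match the regex, so the rest of the log is ignored. The check is deliberately narrow: it reports where the program lives, not whether it is malicious, which is the reviewer's call.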


Siko
Premium
join:2006-11-27
Mechanicsburg, PA

reply to Siko
I'm sorry, but this is still going on.



bcastner
Premium,VIP,MVM
join:2002-09-25
Chevy Chase, MD
kudos:7

4 edits

reply to Siko
1. Delete Combofix.exe from your Desktop.
Download it again from my original links.

Then create a new CFScript.txt file. Your log above shows that the CFScript.txt file you created above was empty.
The contents of that log should match exactly the Code box contents.
Then drag and drop CFScript.txt onto Combofix again to run it, just as pictured.

2. Please double-click OTMoveIt2.exe to run the utility.

Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

C:\WINDOWS\Temp\kd*.* 
%TEMP%\kd*.*
C:\TEMP
C:\Windows\Temp\~osCD95.tmp\
C:\Windows\Temp\~osDBBC.tmp\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls 
 

Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window.
IMPORTANT -- Paste only into the bottom input panel (under the Yellow bar), The top panel will not help you.
Right-click and choose Paste.

Click the red Moveit button.
This will not be quick. I am asking it to scan your entire Drive C twice.
When it has finished, use your mouse and do a Copy/Paste of the large right-hand panel that shows Results.
Save your Clipboard contents in a new Notepad file, as we will want to review these results later.
Close OTMoveIt2 when it has finished.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

3. Eset NOD32 scanner
Go here to run an online scanner from ESET: »www.eset.eu/online-scanner
Note: You will need to use Internet Explorer for this scan.

• Tick the box next to YES, I accept the Terms of Use.
• Click Start
• When asked, allow the ActiveX control to install
• Disable your Antivirus software. You can usually do this with its Notification Tray icon near the clock.
• Click Start
• Make sure that the option "Remove found threats" is Checked, and the option "Scan unwanted applications" is also Checked.
• Click Scan.
• Wait for the scan to finish.
• Re-enable your Antivirus software.
• A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. We will need this later.

Post back to the Forum the contents of C:\Combofix.txt, and the ESET log results: C:\Program Files\EsetOnlineScanner\log.txt.
--
============
MS-MVP 2004-2008, ASAP Member
Users Helping Users



Siko
Premium
join:2006-11-27
Mechanicsburg, PA

I'm just going to make my ComboFix log 3 pages long... 65k limit...

ComboFix 08-04-20.1 - Murlin Wei 2008-04-20 14:39:17.3 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1158 [GMT -4:00]
Running from: C:\Users\Murlin Wei\Desktop\ComboFix.exe
Command switches used :: C:\Users\Murlin Wei\Desktop\CFscript.txt

FILE ::
C:\Windows\System32\entrnd.exe
C:\Windows\Temp\~osCD95.tmp\ossproxy.exe
C:\Windows\Temp\~osCD95.tmp\ossproxy.exe.rvt
.

((((((((((((((((((((((((( Files Created from 2008-03-20 to 2008-04-20 )))))))))))))))))))))))))))))))
.

2008-04-18 18:53 . 2008-04-18 18:53 d-------- C:\Windows\BirdsEyeView
2008-04-18 16:42 . 2008-04-18 16:42 d--hs---- C:\Windows\ftpcache
2008-04-18 15:11 . 2008-04-18 15:11 66,936 --ahs---- C:\Windows\dlinfo_0.drv
2008-04-18 15:10 . 2008-04-18 15:10 86,528 --a------ C:\Windows\bnetunin.exe
2008-04-18 15:10 . 2008-04-18 15:10 61,440 --a------ C:\Windows\diabunin.exe
2008-04-16 20:23 . 2008-04-16 20:23 d-------- C:\Program Files\FSFDT
2008-04-16 18:35 . 2008-04-16 18:35 d-------- C:\Program Files\Sun
2008-04-16 17:59 . 2008-04-16 18:00 d-------- C:\Users\Murlin Wei\.SunDownloadManager
2008-04-16 16:38 . 2008-04-16 16:39 d-------- C:\Fs Sky World 2004
2008-04-16 16:29 . 2008-04-16 16:29 d-------- C:\Program Files\TrueGrass
2008-04-14 20:56 . 2008-04-14 20:56 d-------- C:\Program Files\Lovett Software
2008-04-14 20:48 . 2008-04-15 20:56 524,288 --ahs---- C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{ef70cd4c-0a82-11dd-8ed8-0019211aa092}.TMContainer00000000000000000002.regtrans-ms
2008-04-14 20:48 . 2008-04-20 14:41 524,288 --ahs---- C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{ef70cd4c-0a82-11dd-8ed8-0019211aa092}.TMContainer00000000000000000001.regtrans-ms
2008-04-14 20:48 . 2008-04-15 20:56 524,288 --ahs---- C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{ef70cd4e-0a82-11dd-8ed8-0019211aa092}.TMContainer00000000000000000002.regtrans-ms
2008-04-14 20:48 . 2008-04-20 14:41 524,288 --ahs---- C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{ef70cd4e-0a82-11dd-8ed8-0019211aa092}.TMContainer00000000000000000001.regtrans-ms
2008-04-14 20:48 . 2008-04-15 20:56 524,288 --ahs---- C:\Users\Murlin Wei\NTUSER.DAT{ef70cd50-0a82-11dd-8ed8-0019211aa092}.TMContainer00000000000000000002.regtrans-ms
2008-04-14 20:48 . 2008-04-20 14:41 524,288 --ahs---- C:\Users\Murlin Wei\NTUSER.DAT{ef70cd50-0a82-11dd-8ed8-0019211aa092}.TMContainer00000000000000000001.regtrans-ms
2008-04-14 20:48 . 2008-04-20 14:41 65,536 --ahs---- C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT{ef70cd4c-0a82-11dd-8ed8-0019211aa092}.TM.blf
2008-04-14 20:48 . 2008-04-20 14:41 65,536 --ahs---- C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT{ef70cd4e-0a82-11dd-8ed8-0019211aa092}.TM.blf
2008-04-14 20:48 . 2008-04-20 14:41 65,536 --ahs---- C:\Users\Murlin Wei\NTUSER.DAT{ef70cd50-0a82-11dd-8ed8-0019211aa092}.TM.blf
2008-04-14 20:33 . 2008-04-14 20:40 d-------- C:\Windows\$regcmp$
2008-04-14 20:22 . 2008-04-14 20:22 d-------- C:\Program Files\Raxco
2008-04-14 17:31 . 2008-04-14 17:31 d-------- C:\Users\Murlin Wei\AppData\Roaming\Ashampoo
2008-04-14 17:29 . 2008-04-14 17:29 d-------- C:\Users\All Users\ashampoo
2008-04-14 17:29 . 2008-04-14 17:29 d-------- C:\ProgramData\ashampoo
2008-04-14 17:29 . 2008-04-14 17:29 d-------- C:\Program Files\vso
2008-04-14 17:29 . 2008-04-14 17:29 d-------- C:\Program Files\Ashampoo
2008-04-13 18:34 . 2008-04-16 20:07 d-------- C:\Program Files\AI Traffic Mover
2008-04-12 21:36 . 2008-04-12 21:36 d-------- C:\Program Files\TweakNow RegCleaner Std
2008-04-12 21:36 . 2008-04-12 21:36 d-------- C:\Program Files\Registry Clean Expert
2008-04-12 21:24 . 2008-04-12 21:24 45 --a------ C:\Windows\System32\initdebug.nfo
2008-04-12 21:20 . 2008-04-12 21:20 d-------- C:\Program Files\VS Revo Group
2008-04-12 15:45 . 1999-01-12 10:55 192,272 --a------ C:\Windows\System32\MCI32.OCX
2008-04-12 15:31 . 2008-04-12 15:31 73,216 --a------ C:\Windows\ST6UNST.EXE
2008-04-11 20:43 . 2008-04-11 20:44 d-------- C:\Users\Murlin Wei\AppData\Roaming\SecondLife
2008-04-10 22:04 . 2008-04-10 22:04 d-------- C:\Program Files\SAS
2008-04-08 21:06 . 2008-04-08 21:12 d-------- C:\Program Files\Folding@Home
2008-04-08 21:06 . 2002-04-18 18:50 73,728 --a------ C:\Windows\System32\GkSui18.EXE
2008-04-08 21:06 . 2002-01-16 03:27 69,632 --a------ C:\Windows\System32\Copy of GkSui18.EXE
2008-04-08 16:54 . 2008-02-21 22:50 1,383,424 --a------ C:\Windows\System32\mshtml.tlb
2008-04-08 16:54 . 2008-02-22 01:01 826,880 --a------ C:\Windows\System32\wininet.dll
2008-04-08 16:53 . 2008-02-29 00:21 2,032,128 --a------ C:\Windows\System32\win32k.sys
2008-04-06 19:44 . 2008-04-06 19:44 d-------- C:\Users\Murlin Wei\AppData\Roaming\Malwarebytes
2008-04-06 19:44 . 2008-04-06 19:44 d-------- C:\Users\All Users\Malwarebytes
2008-04-06 19:44 . 2008-04-06 19:44 d-------- C:\ProgramData\Malwarebytes
2008-04-06 19:31 . 2008-04-06 19:31 d-------- C:\_OTMoveIt
2008-04-06 19:10 . 2008-04-06 19:10 d-------- C:\Program Files\Azureus
2008-04-06 10:00 . 2008-04-12 19:07 d-------- C:\Users\Murlin Wei\AppData\Roaming\Azureus
2008-04-06 10:00 . 2008-04-06 10:00 d-------- C:\Users\All Users\Azureus
2008-04-06 10:00 . 2008-04-06 10:00 d-------- C:\ProgramData\Azureus
2008-04-06 08:03 . 2008-04-18 15:45 178 --a------ C:\megaScenery.ini
2008-04-05 19:34 . 2008-04-06 08:06 d-------- C:\Users\Murlin Wei\AppData\Roaming\AVG7
2008-04-05 19:33 . 2008-04-05 19:33 9,216 --a------ C:\Windows\System32\avgwlntf.dll
2008-04-05 14:50 . 2008-04-12 21:31 d-------- C:\Program Files\COMODO
2008-04-05 14:45 . 2008-04-06 08:06 d-------- C:\Users\All Users\Avg7
2008-04-05 14:45 . 2008-04-06 08:06 d-------- C:\ProgramData\Avg7
2008-04-05 09:07 . 2007-02-22 22:19 172,032 --a------ C:\Windows\System32\igfxres.dll
2008-04-05 09:03 . 2008-04-05 09:03 d-------- C:\Intel
2008-04-05 09:03 . 2006-12-13 03:17 3,276,800 --a------ C:\Windows\System32\igfxress.dll
2008-04-05 09:03 . 2006-12-13 03:16 212,992 --a------ C:\Windows\System32\igfxdev.dll
2008-04-05 09:03 . 2007-02-22 23:44 204,800 --a------ C:\Windows\System32\igfxCoIn_v1214.dll
2008-04-05 09:03 . 2006-12-13 03:16 196,608 --a------ C:\Windows\System32\igfxsrvc.exe
2008-04-05 09:03 . 2006-12-13 03:16 155,648 --a------ C:\Windows\System32\igfxpph.dll
2008-04-04 21:01 . 2008-04-04 21:01 d-------- C:\Users\Murlin Wei\AppData\Roaming\Apple Computer
2008-04-04 21:01 . 2008-04-04 21:01 d-------- C:\Users\All Users\Apple Computer
2008-04-04 21:01 . 2008-04-04 21:01 d-------- C:\ProgramData\Apple Computer
2008-04-04 21:01 . 2008-04-04 21:01 d-------- C:\Program Files\QuickTime
2008-04-04 21:01 . 2008-04-04 21:01 d-------- C:\Program Files\iPod
2008-04-04 21:01 . 2008-04-20 06:55 54,156 --ah----- C:\Windows\QTFont.qfn
2008-04-04 21:01 . 2008-04-04 21:01 1,409 --a------ C:\Windows\QTFont.for
2008-04-04 21:00 . 2008-04-04 21:00 d-------- C:\Users\All Users\Apple
2008-04-04 21:00 . 2008-04-04 21:00 d-------- C:\ProgramData\Apple
2008-04-04 21:00 . 2008-04-04 21:00 d-------- C:\Program Files\Common Files\Apple
2008-04-04 21:00 . 2008-04-04 21:00 d-------- C:\Program Files\Apple Software Update
2008-04-04 20:39 . 2008-04-04 20:39 d-------- C:\Program Files\Real
2008-04-04 20:39 . 2008-04-04 20:39 d-------- C:\Program Files\Common Files\xing shared
2008-04-04 20:39 . 2008-04-04 20:39 d-------- C:\Program Files\Common Files\Real
2008-04-04 15:31 . 2008-04-04 15:31 d-------- C:\Users\Murlin Wei\AppData\Roaming\Microsoft Game Studios
2008-04-02 19:26 . 2008-04-02 19:26 41,296 --a------ C:\Windows\System32\xfcodec.dll
2008-03-31 17:00 . 2008-03-31 17:00 d-------- C:\Users\Murlin Wei\AppData\Roaming\InstallShield
2008-03-29 17:45 . 2008-03-29 17:45 d-------- C:\Program Files\Ken Salter
2008-03-29 16:23 . 2008-03-29 16:23 d-------- C:\Users\Murlin Wei\AppData\Roaming\Ethereal
2008-03-29 16:21 . 2008-03-29 16:21 d-------- C:\Temp
2008-03-29 16:21 . 2008-03-29 16:21 d-------- C:\Program Files\Ethereal
2008-03-29 16:21 . 2008-03-29 16:21 d-------- C:\Program Files\AirSnare
2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\Windows\System32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\Windows\System32\QuickTime.qts
2008-03-27 18:33 . 2008-03-27 18:33 1,024 --a------ C:\Windows\utraffic1.lic
2008-03-26 16:50 . 2008-03-26 16:50 1,107 --a------ C:\Windows\mozver.dat
2008-03-25 18:20 . 2008-03-25 18:20 d-------- C:\Windows\System32\Adobe
2008-03-24 21:04 . 2008-03-24 21:04 d-------- C:\Program Files\7-Zip
2008-03-23 20:33 . 2008-03-23 20:33 2,048 --a------ C:\Windows\atr72-500.lic
2008-03-23 18:44 . 2008-03-23 18:44 d-------- C:\Program Files\Dragonfly
2008-03-23 07:47 . 2008-04-14 20:15 d-------- C:\Windows\Lhsp
2008-03-22 16:27 . 2008-03-22 16:27 d-------- C:\Program Files\XviD
2008-03-22 16:26 . 2008-03-25 16:58 d-------- C:\Program Files\Common Files\GC Install
2008-03-22 14:57 . 2008-04-20 14:30 d-------- C:\Users\Murlin Wei\AppData\Roaming\SiteAdvisor
2008-03-22 14:57 . 2008-03-22 14:57 d-------- C:\Users\All Users\SiteAdvisor
2008-03-22 14:57 . 2008-03-22 14:57 d-------- C:\Users\All Users\McAfee
2008-03-22 14:57 . 2008-03-22 14:57 d-------- C:\ProgramData\SiteAdvisor
2008-03-22 14:57 . 2008-03-22 14:57 d-------- C:\ProgramData\McAfee
2008-03-22 14:20 . 2008-04-12 21:32 d-------- C:\Users\All Users\Adobe
2008-03-22 13:55 . 1997-11-19 15:49 303,616 --a------ C:\Windows\IsUninst.exe
2008-03-22 13:54 . 2008-03-22 13:54 2,048 --a------ C:\Windows\dfa36.lic
2008-03-22 07:49 . 2008-03-22 07:51 3,675 --a------ C:\Windows\aitt.ini
2008-03-21 16:29 . 2008-03-21 16:37 d-------- C:\Users\All Users\Lavasoft
2008-03-21 16:29 . 2008-03-21 16:37 d-------- C:\ProgramData\Lavasoft
2008-03-21 15:51 . 2008-03-21 15:51 d-------- C:\Users\Murlin Wei\AppData\Roaming\Grisoft
2008-03-21 15:51 . 2007-05-30 08:10 10,872 --a------ C:\Windows\System32\drivers\AvgAsCln.sys
2008-03-21 09:49 . 2008-04-05 08:59 d-------- C:\Program Files\Realtek
2008-03-21 09:49 . 2006-09-12 00:34 499,712 --a------ C:\Windows\RtlExUpd.dll
2008-03-20 15:40 . 2008-03-20 15:40 d-------- C:\Users\Murlin Wei\{aa0d5936-10b8-4d4e-b491-2ffd51f2ccbe}
2008-03-20 15:15 . 2008-03-20 15:15 dr-h----- C:\MSOCache
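Added example, not from this thread and not ComboFix's own code: a small Python triage helper that parses the two listing line shapes found in a ComboFix log ("Files Created" lines like the ones above, and the "Find3M Report" lines ComboFix emits after them) and lists entries worth a second look: hidden+system files sitting directly in C:\Windows or in a Temp folder, and anything under a Temp\~os*.tmp folder like the ones the helper asked to have moved. The regexes, the allow-list of names Windows normally keeps hidden+system, and the sample lines (paths taken from the log above, plus one constructed folder line with an invented timestamp) are assumptions of this example; a hit means "review this", not "this is malware".

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Two line shapes occur in a ComboFix log (patterns written for this example):
#   "Files Created":  <created> . <modified> [<size>] <9-char attrs> <path>
#   "Find3M Report":  <modified> <size or --------->  <7-char attrs> <path>
_TS = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}"
CREATED_RE = re.compile(
    rf"^(?P<created>{_TS}) \. (?P<modified>{_TS}) "
    r"(?:(?P<size>\d[\d,]*) )?(?P<attrs>[d-][-a-z]{8}) (?P<path>.+)$")
FIND3M_RE = re.compile(
    rf"^(?P<modified>{_TS}) (?P<size>\d[\d,]*|-{{9}}) "
    r"(?P<attrs>[d-][-a-z]{6}) (?P<path>.+)$")

# Names Windows itself keeps hidden+system (registry hives, their transaction
# logs, folder metadata). This allow-list is an assumption of the example.
EXPECTED_HS_PREFIXES = ("desktop.ini", "ntuser.dat", "bootstat.dat")
EXPECTED_HS_SUFFIXES = (".regtrans-ms", ".blf")


@dataclass
class Entry:
    path: str
    attrs: str
    modified: str
    created: Optional[str] = None  # only "Files Created" lines carry this
    size: Optional[int] = None     # None for directories / "---------"

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")

    @property
    def hidden_system(self) -> bool:
        # the 'h' and 's' flags appear in both attribute layouts
        return "h" in self.attrs and "s" in self.attrs


def parse_line(line: str) -> Optional[Entry]:
    """Parse one listing line; returns None for headers and separators."""
    m = CREATED_RE.match(line) or FIND3M_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    size = d.get("size")
    return Entry(
        path=d["path"].strip(),
        attrs=d["attrs"],
        modified=d["modified"],
        created=d.get("created"),
        size=int(size.replace(",", "")) if size and size[0].isdigit() else None,
    )


def parse_log(text: str) -> List[Entry]:
    entries = []
    for raw in text.splitlines():
        entry = parse_line(raw.strip())
        if entry is not None:
            entries.append(entry)
    return entries


def triage(entry: Entry) -> Optional[str]:
    """Reason the entry deserves review, or None. Heuristic only."""
    p = entry.path.lower()
    parent, _, name = p.rpartition("\\")
    if "\\temp\\~os" in p:  # the ~os*.tmp folders named in the thread
        return "located under a Temp\\~os*.tmp folder"
    if entry.is_dir or not entry.hidden_system:
        return None
    if name.startswith(EXPECTED_HS_PREFIXES) or name.endswith(EXPECTED_HS_SUFFIXES):
        return None
    if parent == "c:\\windows" or "\\temp" in parent:
        return f"hidden+system file in {parent}"
    return None


def review(text: str) -> List[Tuple[str, str]]:
    """(path, reason) for every entry that triage() flags, in log order."""
    hits = []
    for entry in parse_log(text):
        reason = triage(entry)
        if reason:
            hits.append((entry.path, reason))
    return hits


# Constructed sample: lines from the log above plus one made-up
# "Files Created" line for the ~osCD95.tmp folder (timestamp invented).
SAMPLE = r"""
2008-04-18 15:11 . 2008-04-18 15:11 66,936 --ahs---- C:\Windows\dlinfo_0.drv
2008-04-18 16:42 . 2008-04-18 16:42 d--hs---- C:\Windows\ftpcache
2008-04-14 20:48 . 2008-04-20 14:41 65,536 --ahs---- C:\Users\Murlin Wei\NTUSER.DAT{ef70cd50-0a82-11dd-8ed8-0019211aa092}.TM.blf
2008-04-06 19:44 . 2008-04-06 19:44 d-------- C:\Users\Murlin Wei\AppData\Roaming\Malwarebytes
2008-04-12 21:24 . 2008-04-12 21:24 45 --a------ C:\Windows\System32\initdebug.nfo
2008-04-06 09:58 . 2008-04-06 09:58 d-------- C:\Windows\Temp\~osCD95.tmp
2008-01-18 00:12 90 --sh--w C:\Windows\cnerolf.dat
2008-03-20 01:20 174 --sha-w C:\Program Files\desktop.ini
2008-04-20 10:46 --------- d-----w C:\Users\Murlin Wei\AppData\Roaming\uTorrent
"""

if __name__ == "__main__":
    for path, reason in review(SAMPLE):
        print(f"{path}: {reason}")
```

Feed it the whole pasted log: separator lines, section banners and the snapshot `+`/`-` lines simply fail both regexes and are skipped.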



Siko
Premium
join:2006-11-27
Mechanicsburg, PA

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-20 15:41 737,280 ----a-w C:\Windows\iun6002.exe
2008-04-20 10:46 --------- d-----w C:\Users\Murlin Wei\AppData\Roaming\uTorrent
2008-04-19 18:51 --------- d---a-w C:\ProgramData\TEMP
2008-04-19 15:17 --------- d-----w C:\ProgramData\Xfire
2008-04-18 22:22 --------- d-----w C:\Users\Murlin Wei\AppData\Roaming\Xfire
2008-04-18 21:03 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-18 20:42 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-16 22:35 --------- d-----w C:\Program Files\Java
2008-04-15 00:18 --------- d-----w C:\Program Files\SwiftSwitch
2008-04-13 22:33 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-13 18:44 --------- d-----w C:\Program Files\SpywareBlaster
2008-04-08 21:22 --------- d-----w C:\Program Files\Windows Mail
2008-04-08 19:32 --------- d-----w C:\Program Files\Xfire
2008-04-07 22:27 179,034,213 ----a-w C:\Windows\DUMP449a.tmp
2008-04-06 17:17 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-04-05 23:33 --------- d-----w C:\ProgramData\Grisoft
2008-04-05 12:59 319,984 ----a-w C:\Windows\DIFxAPI.dll
2008-04-04 22:16 --------- d-----w C:\ProgramData\eMule
2008-03-30 22:54 --------- d-----w C:\Program Files\IEPro
2008-03-29 20:21 --------- d-----w C:\Program Files\WinPcap
2008-03-29 17:25 --------- d-----w C:\Users\Murlin Wei\AppData\Roaming\Winamp
2008-03-23 19:04 1,392,304 ----a-w C:\Windows\System32\AutoPartNt.exe
2008-03-23 19:01 114,048 ----a-w C:\Windows\system32\drivers\snapman.sys
2008-03-23 19:01 --------- d-----w C:\Program Files\Common Files\Acronis
2008-03-23 19:01 --------- d-----w C:\Program Files\Acronis
2008-03-22 18:20 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-22 16:54 --------- d-----w C:\Program Files\FS Real Time
2008-03-21 20:33 12,632 ----a-w C:\Windows\System32\lsdelete.exe
2008-03-20 01:20 174 --sha-w C:\Program Files\desktop.ini
2008-03-20 01:15 --------- d-----w C:\Program Files\Windows Sidebar
2008-03-20 01:15 --------- d-----w C:\Program Files\Windows Photo Gallery
2008-03-20 01:15 --------- d-----w C:\Program Files\Windows Defender
2008-03-20 01:15 --------- d-----w C:\Program Files\Windows Calendar
2008-03-20 01:05 82,432 ----a-w C:\Windows\System32\axaltocm.dll
2008-03-20 01:05 101,888 ----a-w C:\Windows\System32\ifxcardm.dll
2008-03-20 00:17 --------- d-----w C:\Program Files\Microsoft Games
2008-03-19 00:26 155,648 ----a-w C:\Windows\System32\libssl32.dll
2008-03-18 22:32 286,720 ----a-w C:\Windows\iun506.exe
2008-03-17 19:34 --------- d-----w C:\Users\Murlin Wei\AppData\Roaming\eMule
2008-03-16 18:03 --------- d-----w C:\ProgramData\Ubisoft
2008-03-16 18:03 --------- d-----w C:\Program Files\Microsoft Speech SDK 5.1
2008-03-16 18:03 --------- d-----w C:\Program Files\IL2 Sturmovik
2008-03-16 18:03 --------- d-----w C:\Program Files\IL-2 Sturmovik Forgotten Battles
2008-03-15 11:21 176,937 ----a-w C:\Windows\Sky Environment Ultra FS9 Uninstaller.exe
2008-03-13 20:36 --------- d-----w C:\Program Files\Bevelstone Production
2008-03-13 19:11 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-03-13 19:09 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-03-13 00:41 0 ---ha-w C:\Windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-03-12 20:48 --------- d-----w C:\Program Files\DocPad
2008-03-12 20:48 --------- d-----w C:\Program Files\Common Files\System-G
2008-03-09 22:11 --------- d-----w C:\Program Files\Trend Micro
2008-03-06 21:25 --------- d-----w C:\Users\Murlin Wei\AppData\Roaming\NPLUTO Corporation
2008-03-05 21:03 479,752 ----a-w C:\Windows\System32\XAudio2_0.dll
2008-03-05 21:03 238,088 ----a-w C:\Windows\System32\xactengine3_0.dll
2008-03-05 21:00 25,608 ----a-w C:\Windows\System32\X3DAudio1_3.dll
2008-03-05 20:56 3,786,760 ----a-w C:\Windows\System32\D3DX9_37.dll
2008-03-05 20:56 1,420,824 ----a-w C:\Windows\System32\D3DCompiler_37.dll
2008-03-02 19:32 --------- d-----w C:\ProgramData\SwiftSwitch
2008-03-02 16:09 --------- d-----w C:\Users\Murlin Wei\AppData\Roaming\Ventrilo
2008-03-02 12:12 --------- d-----w C:\Program Files\FSFlyingSchool
2008-03-02 02:32 --------- d-----w C:\Users\Murlin Wei\AppData\Roaming\HiFi
2008-03-01 19:37 --------- d-----w C:\Program Files\FOC 2003
2008-02-29 20:20 --------- d-----w C:\Program Files\Runtime Software
2008-02-29 07:14 19,000 ----a-w C:\Windows\System32\kd1394.dll
2008-02-29 07:11 988,216 ----a-w C:\Windows\System32\winload.exe
2008-02-29 07:11 927,288 ----a-w C:\Windows\System32\winresume.exe
2008-02-29 06:53 46,592 ----a-w C:\Windows\System32\setbcdlocale.dll
2008-02-29 06:53 40,960 ----a-w C:\Windows\System32\srclient.dll
2008-02-29 06:53 378,368 ----a-w C:\Windows\System32\srcore.dll
2008-02-29 06:35 6,656 ----a-w C:\Windows\System32\kbd106n.dll
2008-02-29 04:12 318,464 ----a-w C:\Windows\System32\rstrui.exe
2008-02-29 04:12 14,848 ----a-w C:\Windows\System32\srdelayed.exe
2008-02-29 00:23 --------- d-----w C:\Program Files\Recuva
2008-02-28 23:43 1,910 ----a-w C:\Windows\System32\tmp.reg
2008-02-28 21:55 --------- d-----w C:\Users\Murlin Wei\AppData\Roaming\SUPERAntiSpyware.com
2008-02-28 21:55 --------- d-----w C:\ProgramData\SUPERAntiSpyware.com
2008-02-28 15:45 230,152 ----a-w C:\Windows\System32\PDBoot.exe
2008-02-27 00:10 --------- d-----w C:\Program Files\RegSeeker
2008-02-26 23:34 --------- d-----w C:\Program Files\Shockwave 3D Lights Redux for FS9
2008-02-24 12:35 --------- d-----w C:\Program Files\DivX
2008-02-22 05:05 615,992 ----a-w C:\Windows\System32\ci.dll
2008-02-22 04:57 295,936 ----a-w C:\Windows\System32\gdi32.dll
2008-02-21 02:45 --------- d-----w C:\Program Files\SquawkBox3
2008-02-21 02:05 200,704 ----a-w C:\Windows\System32\ssldivx.dll
2008-02-21 02:05 1,044,480 ----a-w C:\Windows\System32\libdivx.dll
2008-02-19 01:58 316,768 ----a-w C:\Windows\System32\sayax.dll
2008-02-17 18:10 202,149 ----a-w C:\Windows\Water Details FS 2004 Uninstaller.exe
2008-02-11 15:55 147,456 ----a-w C:\Windows\System32\igfxCoIn_v1437.dll
2008-02-11 15:34 29,932 ----a-w C:\Windows\System32\igmedcompkrn.bin
2008-02-11 15:34 2,215,364 ----a-w C:\Windows\System32\igklg400.bin
2008-02-11 15:34 1,971,732 ----a-w C:\Windows\System32\igklg450.bin
2008-02-10 17:11 543 ----a-w C:\Program Files\INSTALL.LOG
2008-02-06 04:07 462,864 ----a-w C:\Windows\System32\d3dx10_37.dll
2008-01-29 16:02 107,368 ----a-w C:\Windows\System32\GEARAspi.dll
1998-09-25 18:16 270,848 ----a-w C:\Program Files\UNWISE.EXE
2008-01-18 00:12 90 --sh--w C:\Windows\cnerolf.dat
.

((((((((((((((((((((((((((((( snapshot@2008-04-06_19.39.55.30 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-13 19:32:08 98,678 ----a-w C:\Windows\.jagex_cache_32\loginapplet\cache-1965029828.dat
+ 2006-11-02 07:11:38 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll
+ 2008-04-18 22:53:25 472,064 ----a-w C:\Windows\BirdsEyeView\uninstall.exe
+ 2008-01-05 11:23:07 2,048 ----a-w C:\Windows\Boot\DVD\PCAT\etfsboot.com
- 2008-04-06 23:37:39 67,584 --s-a-w C:\Windows\bootstat.dat
+ 2008-04-20 18:42:37 67,584 --s-a-w C:\Windows\bootstat.dat
- 2007-05-08 22:01:12 208,896 ----a-w C:\Windows\CMDLIC.DLL
+ 2007-05-08 21:01:12 208,896 ----a-w C:\Windows\CMDLIC.DLL
- 2008-01-14 20:40:30 925,696 ----a-w C:\Windows\Downloaded Program Files\ijjistarter2.exe
+ 2008-04-16 01:03:16 925,696 ----a-w C:\Windows\Downloaded Program Files\ijjistarter2.exe
- 2008-03-20 01:13:36 665,600 ----a-w C:\Windows\inf\drvindex.dat
+ 2008-04-08 21:22:53 665,600 ----a-w C:\Windows\inf\drvindex.dat
- 2008-04-05 23:54:01 51,200 ----a-w C:\Windows\inf\infpub.dat
+ 2008-04-08 21:22:56 51,200 ----a-w C:\Windows\inf\infpub.dat
- 2008-04-05 23:54:01 86,016 ----a-w C:\Windows\inf\infstor.dat
+ 2008-04-08 21:22:56 86,016 ----a-w C:\Windows\inf\infstor.dat
- 2008-04-05 23:54:01 86,016 ----a-w C:\Windows\inf\infstrng.dat
+ 2008-04-08 21:22:53 86,016 ----a-w C:\Windows\inf\infstrng.dat
+ 2008-04-09 20:09:11 2,816 ----a-r C:\Windows\Installer\{1B588991-22A6-408B-88C2-1DC9769C59A3}\controlPanelIcon.exe
- 2008-03-08 01:41:14 7,406 ----a-r C:\Windows\Installer\{2B6EC03E-6FA0-4D7C-9CCE-1B03819AB613}\ARPPRODUCTICON.exe
+ 2008-04-15 00:22:32 7,406 ----a-r C:\Windows\Installer\{2B6EC03E-6FA0-4D7C-9CCE-1B03819AB613}\ARPPRODUCTICON.exe
- 2008-03-08 01:41:14 7,406 ----a-r C:\Windows\Installer\{2B6EC03E-6FA0-4D7C-9CCE-1B03819AB613}\DesktopStartPD9_2B6EC03E6FA04D7C9CCE1B03819AB613.exe
+ 2008-04-15 00:22:32 7,406 ----a-r C:\Windows\Installer\{2B6EC03E-6FA0-4D7C-9CCE-1B03819AB613}\DesktopStartPD9_2B6EC03E6FA04D7C9CCE1B03819AB613.exe
- 2008-03-08 01:41:14 7,406 ----a-r C:\Windows\Installer\{2B6EC03E-6FA0-4D7C-9CCE-1B03819AB613}\MenuStartPD9_2B6EC03E6FA04D7C9CCE1B03819AB613.exe
+ 2008-04-15 00:22:32 7,406 ----a-r C:\Windows\Installer\{2B6EC03E-6FA0-4D7C-9CCE-1B03819AB613}\MenuStartPD9_2B6EC03E6FA04D7C9CCE1B03819AB613.exe
- 2008-03-20 19:17:17 12,288 ----a-r C:\Windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2008-04-08 21:02:15 12,288 ----a-r C:\Windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2008-03-20 19:17:17 135,168 ----a-r C:\Windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2008-04-08 21:02:15 135,168 ----a-r C:\Windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2008-03-20 19:17:17 11,264 ----a-r C:\Windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2008-04-08 21:02:15 11,264 ----a-r C:\Windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2008-03-20 19:17:17 27,136 ----a-r C:\Windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2008-04-08 21:02:15 27,136 ----a-r C:\Windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2008-03-20 19:17:17 4,096 ----a-r C:\Windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2008-04-08 21:02:15 4,096 ----a-r C:\Windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2008-03-20 19:17:17 794,624 ----a-r C:\Windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2008-04-08 21:02:15 794,624 ----a-r C:\Windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2008-03-20 19:17:17 249,856 ----a-r C:\Windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2008-04-08 21:02:15 249,856 ----a-r C:\Windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2008-03-20 19:17:17 23,040 ----a-r C:\Windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2008-04-08 21:02:16 23,040 ----a-r C:\Windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2008-03-20 19:17:17 286,720 ----a-r C:\Windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2008-04-08 21:02:15 286,720 ----a-r C:\Windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2008-03-20 19:17:17 409,600 ----a-r C:\Windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2008-04-08 21:02:15 409,600 ----a-r C:\Windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2008-04-09 19:16:08 2,816 ----a-r C:\Windows\Installer\{98297A57-368B-4FC3-A236-5BDEBB0C3702}\controlPanelIcon.exe
+ 2008-03-16 18:03:51 2,238 ----a-r C:\Windows\Installer\{A403D88E-ED7D-48E3-91FD-B8C8A720EDA1}\coffee.exe
+ 2008-03-16 18:03:51 2,238 ----a-r C:\Windows\Installer\{A403D88E-ED7D-48E3-91FD-B8C8A720EDA1}\dictpad.exe
+ 2008-03-16 18:03:51 2,238 ----a-r C:\Windows\Installer\{A403D88E-ED7D-48E3-91FD-B8C8A720EDA1}\simpledict.exe
+ 2008-03-16 18:03:51 2,238 ----a-r C:\Windows\Installer\{A403D88E-ED7D-48E3-91FD-B8C8A720EDA1}\simpletelephony.exe
+ 2008-03-16 18:03:51 2,238 ----a-r C:\Windows\Installer\{A403D88E-ED7D-48E3-91FD-B8C8A720EDA1}\talkback.exe
- 2008-03-22 18:20:25 295,606 ----a-r C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A81200000003}\SC_Reader.exe
+ 2008-04-13 01:32:56 295,606 ----a-r C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A81200000003}\SC_Reader.exe
+ 2008-04-09 19:14:53 2,816 ----a-r C:\Windows\Installer\{EEDEB067-83FC-42AE-9BD5-62116F63D9F1}\controlPanelIcon.exe
+ 2008-01-19 07:31:57 2,560 ----a-w C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelEvents.dll
+ 2006-11-02 12:36:02 2,560 ----a-w C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelInstallRC.dll
+ 2006-11-02 08:12:29 2,048 ----a-w C:\Windows\MSAgent\AgtUI.dll
- 2008-03-01 23:55:07 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-04-16 22:35:17 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-03-01 23:55:07 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-04-16 22:35:17 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-04-06 23:17:13 262,144 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\usrclass.dat
+ 2008-04-20 17:55:29 262,144 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\usrclass.dat
- 2008-03-01 23:55:07 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-04-16 22:35:17 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-04-06 23:37:49 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-04-20 18:42:55 151,552 ----a-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2008-04-06 23:33:53 262,144 ----a-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\usrclass.dat
+ 2008-04-20 18:38:38 262,144 ----a-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\usrclass.dat
- 2008-04-06 23:37:49 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-04-20 18:42:55 151,552 ----a-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 1999-01-12 14:55:34 71,680 ----a-w C:\Windows\ST5UNST.EXE
+ 2006-11-02 07:10:15 2,000 ----a-w C:\Windows\system\keyboard.drv
+ 2006-11-02 07:10:18 2,032 ----a-w C:\Windows\system\mouse.drv
+ 2006-11-02 07:10:16 1,744 ----a-w C:\Windows\system\sound.drv
+ 2006-11-02 07:10:17 2,176 ----a-w C:\Windows\system\vga.drv
+ 2006-11-02 07:11:39 2,048 ----a-w C:\Windows\System32\acprgwiz.dll
+ 2006-11-02 12:35:57 2,048 ----a-w C:\Windows\System32\asferror.dll
- 2008-01-19 07:44:08 986,680 ----a-w C:\Windows\System32\Boot\winload.exe
+ 2008-02-29 07:11:54 988,216 ----a-w C:\Windows\System32\Boot\winload.exe
- 2008-01-19 07:44:06 926,776 ----a-w C:\Windows\System32\Boot\winresume.exe
+ 2008-02-29 07:11:56 927,288 ----a-w C:\Windows\System32\Boot\winresume.exe
+ 2008-01-19 05:27:25 2,560 ----a-w C:\Windows\System32\bootstr.dll
+ 2006-11-02 07:38:48 2,048 ----a-w C:\Windows\System32\bridgeres.dll
- 2008-04-05 18:57:03 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-04-16 21:58:10 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-04-05 18:57:03 49,152 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-04-16 21:58:10 49,152 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-04-05 18:57:03 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-04-16 21:58:10 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-04-06 23:34:10 262,144 ----a-w C:\Windows\System32\config\systemprofile\ntuser.dat
+ 2008-04-20 18:39:11 262,144 ----a-w C:\Windows\System32\config\systemprofile\ntuser.dat
+ 2008-01-19 05:49:54 2,048 ----a-w C:\Windows\System32\dmdskres2.dll
- 2008-01-10 03:00:04 68,624 ----a-r C:\Windows\System32\drivers\DefragFS.sys
+ 2008-01-10 02:00:04 68,624 ----a-r C:\Windows\System32\drivers\DefragFS.sys
+ 2006-11-02 08:27:54 2,048 ----a-w C:\Windows\System32\DriverStore\FileRepository\prnca001.inf_92fbd03f\I386\CNBPGR02.DLL
+ 2006-11-02 09:41:10 2,560 ----a-w C:\Windows\System32\DriverStore\FileRepository\prndc001.inf_79bb12be\I386\DICONRES.DLL
+ 2006-09-18 21:40:29 1,960 ----a-w C:\Windows\System32\DriverStore\FileRepository\prnep001.inf_f0a9a372\I386\EPNDDE11.DAT
+ 2006-09-18 21:40:29 1,778 ----a-w C:\Windows\System32\DriverStore\FileRepository\prnep001.inf_f0a9a372\I386\EPNDDE12.DAT
+ 2006-09-18 21:40:29 1,960 ----a-w C:\Windows\System32\DriverStore\FileRepository\prnep001.inf_f0a9a372\I386\EPNDDE16.DAT
+ 2006-09-18 21:40:29 1,992 ----a-w C:\Windows\System32\DriverStore\FileRepository\prnep001.inf_f0a9a372\I386\EPNDDE2J.DAT
+ 2006-09-18 21:40:29 1,948 ----a-w C:\Windows\System32\DriverStore\FileRepository\prnep001.inf_f0a9a372\I386\EPNDDE2K.DAT
+ 2006-09-18 21:40:29 2,128 ----a-w C:\Windows\System32\DriverStore\FileRepository\prnep001.inf_f0a9a372\I386\EPNDDE2M.DAT
+ 2006-09-18 21:40:29 2,398 ----a-w C:\Windows\System32\DriverStore\FileRepository\prnep001.inf_f0a9a372\I386\EPNDDE3N.DAT
+ 2006-09-18 21:40:29 1,976 ----a-w C:\Windows\System32\DriverStore\FileRepository\prnep001.inf_f0a9a372\I386\EPNDDE3O.DAT
+ 2006-09-18 21:40:29 1,764 ----a-w C:\Windows\System32\DriverStore\FileRepository\prnep001.inf_f0a9a372\I386\EPNDDE3P.DAT
+ 2006-09-18 21:40:29 2,398 ----a-w C:\Windows\System32\DriverStore\FileRepository\prnep001.inf_f0a9a372\I386\EPNDDE3Q.DAT
+ 2006-09-18 21:40:29 2,618 ----a-w C:\Windows\System32\DriverStore\FileRepository\prnep001.inf_f0a9a372\I386\EPNDDE3T.DAT
+ 2006-09-18 21:40:29 2,188 ----a-w C:\Windows\System32\DriverStore\FileRepository\prnep001.inf_f0a9a372\I386\EPNDDE3V.DAT
+ 2006-09-18 21:40:29 2,984 ----a-w C:\Windows\System32\DriverStore\FileRepository\prnep001.inf_f0a9a372\I386\EPNDDE4A.DAT
+ 2006-09-18 21:40:29 2,632 ----a-w C:\Windows\System32\DriverStore\FileRepository\prnep001.inf_f0a9a372\I386\EPNDDE4D.DAT
+ 2006-09-18 21:40:30 2,496 ----a-w C:\Windows\System32\DriverStore\FileRepository\prnep001.inf_f0a9a372\I386\EPNDDE4S.DAT
- 2008-04-02 01:30:13 1,622,616 ----a-w C:\Windows\System32\FNTCACHE.DAT
+ 2006-11-02 07:39:56 1,536 ----a-w C:\Windows\winsxs\x86_microsoft-windows-t..acyinkingcomponents_31bf3856ad364e35_6.0.6000.16386_none_3fbb09cf8caa385d\pipres.dll
+ 2006-11-02 07:39:56 1,536 ----a-w C:\Windows\winsxs\x86_microsoft-windows-t..acyinkingcomponents_31bf3856ad364e35_6.0.6000.16386_none_3fbb09cf8caa385d\skchobj.dll
+ 2006-11-02 07:39:56 1,536 ----a-w C:\Windows\winsxs\x86_microsoft-windows-t..acyinkingcomponents_31bf3856ad364e35_6.0.6000.16386_none_3fbb09cf8caa385d\skchui.dll
+ 2006-11-02 07:39:56 1,536 ----a-w C:\Windows\winsxs\x86_microsoft-windows-t..acyinkingcomponents_31bf3856ad364e35_6.0.6001.18000_none_41f1cbcb89954931\penchs.dll
+ 2006-11-02 07:39:56 1,536 ----a-w C:\Windows\winsxs\x86_microsoft-windows-t..acyinkingcomponents_31bf3856ad364e35_6.0.6001.18000_none_41f1cbcb89954931\pencht.dll
+ 2006-11-02 07:39:56 1,536 ----a-w C:\Windows\winsxs\x86_microsoft-windows-t..acyinkingcomponents_31bf3856ad364e35_6.0.6001.18000_none_41f1cbcb89954931\penjpn.dll
+ 2006-11-02 07:39:56 1,536 ----a-w C:\Windows\winsxs\x86_microsoft-windows-t..acyinkingcomponents_31bf3856ad364e35_6.0.6001.18000_none_41f1cbcb89954931\penkor.dll
+ 2006-11-02 07:39:56 1,536 ----a-w C:\Windows\winsxs\x86_microsoft-windows-t..acyinkingcomponents_31bf3856ad364e35_6.0.6001.18000_none_41f1cbcb89954931\penusa.dll
+ 2006-11-02 07:39:56 1,536 ----a-w C:\Windows\winsxs\x86_microsoft-windows-t..acyinkingcomponents_31bf3856ad364e35_6.0.6001.18000_none_41f1cbcb89954931\pipres.dll
+ 2006-11-02 07:39:56 1,536 ----a-w C:\Windows\winsxs\x86_microsoft-windows-t..acyinkingcomponents_31bf3856ad364e35_6.0.6001.18000_none_41f1cbcb89954931\skchobj.dll
+ 2006-11-02 07:39:56 1,536 ----a-w C:\Windows\winsxs\x86_microsoft-windows-t..acyinkingcomponents_31bf3856ad364e35_6.0.6001.18000_none_41f1cbcb89954931\skchui.dll
+ 2006-11-02 12:35:47 2,048 ----a-w C:\Windows\winsxs\x86_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_6.0.6000.16386_none_3d7550f9c9692474\IPSEventLogMsg.dll
+ 2006-11-02 12:35:47 2,048 ----a-w C:\Windows\winsxs\x86_microsoft-windows-t..nputpersonalization_31bf3856ad364e35_6.0.6001.18000_none_3fac12f5c6543548\IPSEventLogMsg.dll
+ 2006-11-02 12:35:47 2,048 ----a-w C:\Windows\winsxs\x86_microsoft-windows-tabletpc-pentraining_31bf3856ad364e35_6.0.6000.16386_none_dfb8647a7b1e856b\PTRes.dll
+ 2006-11-02 12:35:43 2,048 ----a-w C:\Windows\winsxs\x86_microsoft-windows-tabletpc-touchtraining_31bf3856ad364e35_6.0.6000.16386_none_c41ca1245ce8094b\TTRes.dll
+ 2008-01-19 05:39:36 1,536 ----a-w C:\Windows\winsxs\x86_microsoft-windows-w..for-management-core_31bf3856ad364e35_6.0.6001.18000_none_ca65755fad07cc55\WsmCl.dll
+ 2008-02-29 04:16:38 2,027,008 ----a-w C:\Windows\winsxs\x86_microsoft-windows-win32k_31bf3856ad364e35_6.0.6000.16646_none_b6e7fd209d7b409d\win32k.sys
+ 2008-02-29 04:14:24 2,028,544 ----a-w C:\Windows\winsxs\x86_microsoft-windows-win32k_31bf3856ad364e35_6.0.6000.20782_none_b7425913b6bceacf\win32k.sys
+ 2008-02-29 04:21:49 2,032,128 ----a-w C:\Windows\winsxs\x86_microsoft-windows-win32k_31bf3856ad364e35_6.0.6001.18027_none_b8e4dbe89a90b303\win32k.sys
+ 2008-02-29 04:15:56 2,032,128 ----a-w C:\Windows\winsxs\x86_microsoft-windows-win32k_31bf3856ad364e35_6.0.6001.22125_none_b96c781fb3b0201f\win32k.sys
+ 2006-11-02 09:43:00 2,560 ----a-w C:\Windows\winsxs\x86_microsoft-windows-winsock-legacy_31bf3856ad364e35_6.0.6000.16386_none_e12e74ad149badfc\rnr20.dll
+ 2006-11-02 09:43:00 2,560 ----a-w C:\Windows\winsxs\x86_microsoft-windows-winsock-legacy_31bf3856ad364e35_6.0.6001.18000_none_e36536a91186bed0\rnr20.dll
+ 2006-11-02 07:15:27 2,048 ----a-w C:\Windows\winsxs\x86_microsoft-windows-wmi-core_31bf3856ad364e35_6.0.6000.16386_none_b71d411922ad8f1f\WmiApRes.dll
+ 2006-11-02 07:15:27 2,048 ----a-w C:\Windows\winsxs\x86_microsoft-windows-wmi-core_31bf3856ad364e35_6.0.6001.18000_none_b95403151f989ff3\WmiApRes.dll
+ 2006-11-02 12:35:25 2,048 ----a-w C:\Windows\winsxs\x86_microsoft-windows-wmi-snmp-provider_31bf3856ad364e35_6.0.6000.16386_none_a884bc8dc9d4ada2\smierrsm.dll
+ 2006-11-02 12:35:25 2,048 ----a-w C:\Windows\winsxs\x86_microsoft-windows-wmi-snmp-provider_31bf3856ad364e35_6.0.6000.16386_none_a884bc8dc9d4ada2\smierrsy.dll
+ 2006-11-02 12:35:25 2,048 ----a-w C:\Windows\winsxs\x86_microsoft-windows-wmi-snmp-provider_31bf3856ad364e35_6.0.6000.16386_none_a884bc8dc9d4ada2\smimsgif.dll
+ 2008-01-19 05:39:14 2,048 ----a-w C:\Windows\winsxs\x86_microsoft-windows-wmi-snmp-provider_31bf3856ad364e35_6.0.6001.18000_none_aabb7e89c6bfbe76\smierrsm.dll
+ 2008-01-19 05:39:16 2,048 ----a-w C:\Windows\winsxs\x86_microsoft-windows-wmi-snmp-provider_31bf3856ad364e35_6.0.6001.18000_none_aabb7e89c6bfbe76\smierrsy.dll
+ 2008-01-19 05:39:17 2,048 ----a-w C:\Windows\winsxs\x86_microsoft-windows-wmi-snmp-provider_31bf3856ad364e35_6.0.6001.18000_none_aabb7e89c6bfbe76\smimsgif.dll
+ 2006-11-02 12:36:03 2,560 ----a-w C:\Windows\winsxs\x86_wcf-m_sm_evt_dll_vista_31bf3856ad364e35_6.0.6000.16386_none_76336ee89b768fbf\ServiceModelEvents.dll
+ 2008-01-19 07:31:57 2,560 ----a-w C:\Windows\winsxs\x86_wcf-m_sm_evt_dll_vista_31bf3856ad364e35_6.0.6001.18000_none_786a30e49861a093\ServiceModelEvents.dll
+ 2006-11-02 12:36:02 2,560 ----a-w C:\Windows\winsxs\x86_wcf-m_sm_ins_rc_dll_31bf3856ad364e35_6.0.6000.16386_none_c6c5835b4cd99252\ServiceModelInstallRC.dll
.
-- Snapshot reset to current date --
.



Siko
Premium
join:2006-11-27
Mechanicsburg, PA

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 03:33 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2008-01-19 03:38 1008184]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [2006-12-13 03:17 98304]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2006-12-13 03:19 106496]
"Persistence"="C:\Windows\system32\igfxpers.exe" [2006-12-13 03:17 81920]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-15 08:47 579584]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-04-04 20:39 185896]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-04-05 19:33 219136]

C:\Users\Murlin Wei\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Xfire.lnk - C:\Program Files\Xfire\xfire.exe [2008-04-02 19:25:58 2987856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 2008-04-05 19:33 9216 C:\Windows\System32\avgwlntf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 relog_ap

[HKLM\~\startupfolder\C:^Users^Murlin Wei^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 2.3.lnk]
path=C:\Users\Murlin Wei\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 2.3.lnk
backup=C:\Windows\pss\OpenOffice.org 2.3.lnk.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Murlin Wei^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Secunia PSI (RC1).lnk]
path=C:\Users\Murlin Wei\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Secunia PSI (RC1).lnk
backup=C:\Windows\pss\Secunia PSI (RC1).lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
--a------ 2007-06-11 05:25 6731312 H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
--a------ 2007-02-16 19:49 149024 C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
--a------ 2007-02-16 19:57 1945960 C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 H:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-01-17 12:51 486856 C:\Program Files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2006-12-13 03:19 106496 C:\Windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2006-12-13 03:17 98304 C:\Windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 H:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OODefragTray]
C:\Windows\system32\oodtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
--a------ 2006-12-13 03:17 81920 C:\Windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2007-08-06 20:05 200704 H:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Rapget]
E:\Flight Simulator Software\rapget140\rapget.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
--a------ 2006-12-01 00:37 4186112 C:\Windows\RtHDVCpl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 04:25 144784 C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2008-04-06 13:17 1481968 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-04-04 20:39 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
--a------ 2007-02-16 19:45 1169776 C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsWelcomeCenter]
--a------ 2008-01-19 03:36 2153472 C:\Windows\System32\oobefldr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--a------ 2008-01-19 03:33 202240 C:\Program Files\Windows Media Player\WMPNSCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2738104663-2755392700-2221383480-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{61455193-5548-4882-BB4F-1FFC86E41172}C:\\ijji\\english\\u_skid.exe"= UDP:C:\ijji\english\u_skid.exe:
"UDP Query User{6099BF92-BFC5-416D-AEC6-DA00AFB25A65}C:\\ijji\\english\\u_skid.exe"= TCP:C:\ijji\english\u_skid.exe:
"TCP Query User{7E27783F-27CC-4E95-8A1E-47091E0453EF}K:\\program files\\driftcity\\driftcity.exe"= UDP:K:\program files\driftcity\driftcity.exe:DriftCity
"UDP Query User{68C2CEBB-F1D1-4589-A707-19610F1F7E77}K:\\program files\\driftcity\\driftcity.exe"= TCP:K:\program files\driftcity\driftcity.exe:DriftCity
"TCP Query User{FE38E010-F2C0-4967-83FD-96B25A3F5B30}C:\\ijji\\english\\u_sf\\soldierfront.exe"= UDP:C:\ijji\english\u_sf\soldierfront.exe:soldierfront
"UDP Query User{19A69707-47F5-4ED8-A3D4-D983B5833183}C:\\ijji\\english\\u_sf\\soldierfront.exe"= TCP:C:\ijji\english\u_sf\soldierfront.exe:soldierfront
"TCP Query User{B66503DB-7D5D-4DE9-9921-A25C9F1EA5AB}H:\\program files\\driftcity\\driftcity.exe"= UDP:H:\program files\driftcity\driftcity.exe:DriftCity
"UDP Query User{14612DD0-8A9C-44A2-9B51-5491B5A88018}H:\\program files\\driftcity\\driftcity.exe"= TCP:H:\program files\driftcity\driftcity.exe:DriftCity
"TCP Query User{A8D6E0B6-86C5-4D81-9FDF-F0378CD75F37}C:\\program files\\xfire\\xfire.exe"= UDP:C:\program files\xfire\xfire.exe:Xfire
"UDP Query User{5DC64609-489B-4CCD-8BDC-DA888571FCC7}C:\\program files\\xfire\\xfire.exe"= TCP:C:\program files\xfire\xfire.exe:Xfire
"{17C23B69-DBF2-487A-A532-7D9ABF255A9E}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{94906B86-E338-4979-ADE4-B4200BD59672}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"TCP Query User{30964450-8A26-40BA-A03B-E0D17BDCC6BB}G:\\program files\\microsoft games\\flight simulator 9\\fs9.exe"= UDP:G:\program files\microsoft games\flight simulator 9\fs9.exe:Microsoft Flight Simulator
"UDP Query User{426ADF18-258D-442E-B866-DE3813E88673}G:\\program files\\microsoft games\\flight simulator 9\\fs9.exe"= TCP:G:\program files\microsoft games\flight simulator 9\fs9.exe:Microsoft Flight Simulator
"{0E586831-FC73-45B0-9F08-096BF0D40C38}"= UDP:80:80
"{34AD0E95-78FA-44A3-A14A-4A598E511536}"= TCP:80:80
"{28CEFC0F-00A3-4EAB-9D8B-9D64D7265705}"= UDP:6112:6112
"{991C1B7E-6DA8-49BB-9C14-B6C74730B50A}"= TCP:6112:6112
"{8A3679AF-CD19-4CE2-A038-9DE3E3E5A34B}"= UDP:54789:54789
"{8C63877E-7C19-4DA5-B287-AA6D0F8CFC28}"= TCP:54789:54789
"TCP Query User{58038DE4-2BB8-41E1-8189-030A5E823718}H:\\nexon\\maplestory\\patcher.exe"= UDP:H:\nexon\maplestory\patcher.exe:Patcher MFC ?? ????
"UDP Query User{41D9A998-FD0B-4C1B-A90E-B0F2BED2BFC4}H:\\nexon\\maplestory\\patcher.exe"= TCP:H:\nexon\maplestory\patcher.exe:Patcher MFC ?? ????
"TCP Query User{57B550CD-25EA-460B-AE48-681C32F87C39}H:\\nexon\\maplestory\\maplestory.exe"= UDP:H:\nexon\maplestory\maplestory.exe:MapleStory
"UDP Query User{609320D2-5ECE-4286-8362-B486263DA9E3}H:\\nexon\\maplestory\\maplestory.exe"= TCP:H:\nexon\maplestory\maplestory.exe:MapleStory
"TCP Query User{83AB73F7-1946-4300-A08C-DB73E9369C8F}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{48ACEBD7-DC97-4FF2-BB6F-704618FB53B2}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"1c9b3cdd-3bce-43a9-881b-5fb372fe469c"= TCP:2300|LPort=2301|LPort=2302|LPort=2303|LPort=2304|LPort=2305|LPort=2306|LPort=2307|LPort=2308|LPort=2309|LPort=2310|LPort=2311|LPort=2312|LPort=2313|LPort=2314|LPort=2315|LPort=2316|LPort=2317|LPort=2318|LPort=2319|LPort=2320|LPort=2321|LPort=2322|LPort=2323|LPort=2324|LPort=2325|LPort=2326|LPort=2327|LPort=2328|LPort=2329|LPort=2330|LPort=2331|LPort=2332|LPort=2333|LPort=2334|LPort=2335|LPort=2336|LPort=2337|LPort=2338|LPort=2339|LPort=2340|LPort=2341|LPort=2342|LPort=2343|LPort=2344|LPort=2345|LPort=2346|LPort=2347|LPort=2348|LPort=2349|LPort=2350|LPort=2351|LPort=2352|LPort=2353|LPort=2354|LPort=2355|LPort=2356|LPort=2357|LPort=2358|LPort=2359|LPort=2360|LPort=2361|LPort=2362|LPort=2363|LPort=2364|LPort=2365|LPort=2366|LPort=2367|LPort=2368|LPort=2369|LPort=2370|LPort=2371|LPort=2372|LPort=2373|LPort=2374|LPort=2375|LPort=2376|LPort=2377|LPort=2378|LPort=2379|LPort=2380|LPort=2381|LPort=2382|LPort=2383|LPort=2384|LPort=2385|LPort=2386|LPort=2387|LPort=2388|LPort=2389|LPort=2390|LPort=2391|LPort=2392|LPort=2393|LPort=2394|LPort=2395|LPort=2396|LPort=2397|LPort=2398|LPort=2399:Wolf Team
"TCP Query User{6A3FA9AA-E952-4D4D-8FD7-FC7ED8BD727F}H:\\program files\\america's army\\system\\armyops.exe"= UDP:H:\program files\america's army\system\armyops.exe:ArmyOps
"UDP Query User{BEB13D38-D94C-4F4C-9245-7E48245BFA1D}H:\\program files\\america's army\\system\\armyops.exe"= TCP:H:\program files\america's army\system\armyops.exe:ArmyOps
"TCP Query User{50F33169-380A-49AF-81BE-7C6E8C8C2451}C:\\windows\\system32\\dpnsvr.exe"= UDP:C:\windows\system32\dpnsvr.exe:Microsoft DirectPlay8 Server
"UDP Query User{DF0B00AF-395E-4FA4-B850-2BD9EF20F7ED}C:\\windows\\system32\\dpnsvr.exe"= TCP:C:\windows\system32\dpnsvr.exe:Microsoft DirectPlay8 Server
"TCP Query User{5021BF18-01CD-4258-97B4-0C63DB4C1B7E}C:\\program files\\fsfdt\\control panel\\fsfdtcp.exe"= UDP:C:\program files\fsfdt\control panel\fsfdtcp.exe:FSFDT Control Panel
"UDP Query User{3DB1FC88-0596-4F01-A186-E39F227CE84D}C:\\program files\\fsfdt\\control panel\\fsfdtcp.exe"= TCP:C:\program files\fsfdt\control panel\fsfdtcp.exe:FSFDT Control Panel
"TCP Query User{1AB14382-F73F-48C9-B315-3EE9B8CB2694}C:\\program files\\mozilla firefox\\firefox.exe"= UDP:C:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{17CAEFA6-0C1E-42AC-978B-C4A6CBAAC66B}C:\\program files\\mozilla firefox\\firefox.exe"= TCP:C:\program files\mozilla firefox\firefox.exe:Firefox
"eb8b0e56-37ab-4db7-9f9e-1a1d6608d4e0"= %ProgramFiles%\FSFDT\FSInn UI\FSInnUI.exe:FSINN
"UDP Query User{D86A64A0-98DB-45F2-B30E-9C99810EA427}C:\\program files\\fsfdt\\fwinn\\fwinn.exe"= C:\program files\fsfdt\fwinn\fwinn.exe:FSInn Application
"TCP Query User{F3FF54FA-890C-4280-937A-E4B25DFDC64A}C:\\program files\\fsfdt\\fwinn\\fwinn.exe"= C:\program files\fsfdt\fwinn\fwinn.exe:FSInn Application
"5d038ed9-b69c-43ca-9e9d-361f03d7074d"= %ProgramFiles%\FSFDT\Control Panel\FSFDTCP.exe:FSUDCP
"09c2c1b0-5d17-4e76-8c53-65f0895ca6d1"= UDP:3782|LPort=3290|LPort=3783|LPort=6809:SQ
"3a769932-0d65-4226-8f87-9af21c6399fa"= TCP:3782|LPort=3290|LPort=3783|LPort=6809:SQ1
"7bda4004-dec1-4e68-ae03-4b18dca28327"= TCP:32062:FSINN
"TCP Query User{7BA25555-49F6-4C6F-A3BE-B1091A7CD7E6}C:\\program files\\swiftswitch\\swiftswitch.exe"= UDP:C:\program files\swiftswitch\swiftswitch.exe:Utility for RuneScape
"UDP Query User{F3D3B80D-3F35-4E98-BAE6-FFC8C8B398CB}C:\\program files\\swiftswitch\\swiftswitch.exe"= TCP:C:\program files\swiftswitch\swiftswitch.exe:Utility for RuneScape
"TCP Query User{2E3A70D7-0AC2-4254-B11B-0A2EC31E6D05}H:\\program files\\dragonfly\\special force\\specialforce.exe"= UDP:H:\program files\dragonfly\special force\specialforce.exe:SpecialForce
"UDP Query User{6137764F-CAE8-4517-AF49-6CB2607C5DB8}H:\\program files\\dragonfly\\special force\\specialforce.exe"= TCP:H:\program files\dragonfly\special force\specialforce.exe:SpecialForce
"TCP Query User{0D1EF090-833B-4967-9D45-EAF64C49861F}C:\\ijji\\english\\gunz\\gunz.exe"= UDP:C:\ijji\english\gunz\gunz.exe:Gunz
"UDP Query User{560CD26A-B4D8-4DD6-9AF8-BA438C3E071D}C:\\ijji\\english\\gunz\\gunz.exe"= TCP:C:\ijji\english\gunz\gunz.exe:Gunz
"TCP Query User{63EC054C-903B-40D8-A36F-D2F80B55FF3D}C:\\users\\murlin wei\\desktop\\fshost32\\fshost32.exe"= UDP:C:\users\murlin wei\desktop\fshost32\fshost32.exe:fshost32.exe
"UDP Query User{D8E76696-D62C-4EBD-8A08-5450B40122C9}C:\\users\\murlin wei\\desktop\\fshost32\\fshost32.exe"= TCP:C:\users\murlin wei\desktop\fshost32\fshost32.exe:fshost32.exe
"TCP Query User{854A4DB3-1DFB-4B87-A7E0-AEA6B9C0074B}C:\\windows\\system32\\dplaysvr.exe"= UDP:C:\windows\system32\dplaysvr.exe:Microsoft DirectPlay Helper
"UDP Query User{A36A3890-68AE-4E2D-BC3B-FDAC339499B3}C:\\windows\\system32\\dplaysvr.exe"= TCP:C:\windows\system32\dplaysvr.exe:Microsoft DirectPlay Helper
"TCP Query User{2D0919A8-6553-4CDF-A595-A46EF1D2F4D3}C:\\program files\\dragonfly\\special force\\specialforce.exe"= UDP:C:\program files\dragonfly\special force\specialforce.exe:specialforce
"UDP Query User{BC4A08A4-5B7E-4662-810F-1D9F1662B2AC}C:\\program files\\dragonfly\\special force\\specialforce.exe"= TCP:C:\program files\dragonfly\special force\specialforce.exe:specialforce
"{607558EF-6597-4863-8D25-F007069A2EC9}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{46E5FDB3-D48D-4321-B224-C365CF959155}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{9B21F62D-DF09-44A2-BD05-BC7EEE8742C9}"= UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{68F77BA3-1444-44C8-AC53-D586A7FD787C}"= TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{48866029-02D4-420C-AF33-2058433DC7D9}"= UDP:H:\Program Files\iTunes\iTunes.exe:iTunes
"{AB169B2B-5F22-47D8-B596-C06720D2E476}"= TCP:H:\Program Files\iTunes\iTunes.exe:iTunes
"TCP Query User{37AFDF7F-9FEF-441B-B24D-75F2E325B8C7}H:\\program files\\azureus\\azureus.exe"= UDP:H:\program files\azureus\azureus.exe:Azureus
"UDP Query User{2414528D-9012-4CCF-B04D-4D7AC667B755}H:\\program files\\azureus\\azureus.exe"= TCP:H:\program files\azureus\azureus.exe:Azureus
"TCP Query User{9225565D-E33E-467E-9533-ED9B2675E3C6}C:\\program files\\azureus\\azureus.exe"= UDP:C:\program files\azureus\azureus.exe:Azureus
"UDP Query User{9F98D73A-65DD-4D0E-B968-DC1D3C6EBAA6}C:\\program files\\azureus\\azureus.exe"= TCP:C:\program files\azureus\azureus.exe:Azureus
"TCP Query User{BC712732-FEB9-4EDA-8C73-9FC226F9DB1A}H:\\program files\\counter-strike source\\hl2.exe"= UDP:H:\program files\counter-strike source\hl2.exe:hl2
"UDP Query User{57A7C5E6-CBE4-4652-AFEF-DCFD72CBE342}H:\\program files\\counter-strike source\\hl2.exe"= TCP:H:\program files\counter-strike source\hl2.exe:hl2
"TCP Query User{1DB411BF-E55D-4961-A89F-4494677D10B3}H:\\program files\\secondlife\\slvoice.exe"= UDP:H:\program files\secondlife\slvoice.exe:SLVoice
"UDP Query User{27A63D2C-CAAE-42C6-A3F5-87CC36F583D3}H:\\program files\\secondlife\\slvoice.exe"= TCP:H:\program files\secondlife\slvoice.exe:SLVoice
"TCP Query User{71DB6B6F-9435-4ED3-A6DB-D8EBC799C9E1}C:\\program files\\real\\realplayer\\realplay.exe"= UDP:C:\program files\real\realplayer\realplay.exe:RealPlayer
"UDP Query User{AD20223A-2548-4E8F-A6E3-8E0542F0F9A5}C:\\program files\\real\\realplayer\\realplay.exe"= TCP:C:\program files\real\realplayer\realplay.exe:RealPlayer

R2 NPF;NetGroup Packet Filter Driver;C:\Windows\system32\drivers\npf.sys [2007-11-06 16:22]
R2 PD91Agent;PD91Agent;"C:\Program Files\Raxco\PerfectDisk\PD91Agent.exe" [2008-02-28 10:44]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-01-28 12:43]
R3 HPFXBULK;HPFXBULK;C:\Windows\system32\drivers\hpfxbulk.sys [2007-06-20 03:21]
R3 igfx;igfx;C:\Windows\system32\DRIVERS\igdkmd32.sys [2006-12-13 04:32]
R3 RTSTOR;USB Mass Storage Device;C:\Windows\system32\drivers\RTSTOR.SYS [2008-02-15 15:22]
R3 rxpvbus;Reality XP Avionics Bus Driver;C:\Windows\system32\DRIVERS\rxpvbus.sys [2005-11-04 09:35]
S2 AcronisOSSReinstallSvc;Acronis OS Selector Reinstall Service;"C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall_svc.exe" [2007-02-22 19:53]
S3 PD91Engine;PD91Engine;"C:\Program Files\Raxco\PerfectDisk\PD91Engine.exe" [2008-02-29 14:08]
S3 PD91VMDefrag;PD91VMDefrag;"C:\Program Files\Raxco\PerfectDisk\PD91VMDefrag.exe" [2008-02-29 10:44]
S3 PSI;PSI;C:\Windows\system32\DRIVERS\psi_mf.sys [2008-02-19 04:24]
S3 yukonwlh;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk60x86.sys [2006-11-02 03:30]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
rsmsvcs REG_MULTI_SZ ntmssvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\shell\AutoRun\command - F:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\shell\AutoRun\command - I:\Setup\rsrc\autorun.exe
\shell\dinstall\command - I:\Directx\dxsetup.exe

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, »www.gmer.net
Rootkit scan 2008-04-20 14:43:01
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\System32\audiodg.exe
H:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Grisoft\AVG7\avgrssvc.exe
C:\Program Files\Common Files\microsoft shared\VS7DEBUG\MDM.EXE
C:\Program Files\Grisoft\AVG7\avgrssvc.exe
C:\Program Files\Raxco\PerfectDisk\PD91AgentS1.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
.
**************************************************************************
.
Completion time: 2008-04-20 14:45:21 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-20 18:45:13
ComboFix2.txt 2008-04-08 19:33:44
ComboFix3.txt 2008-04-06 23:40:34

Pre-Run: 20,521,390,080 bytes free
Post-Run: 20,575,760,384 bytes free

846 --- E O F --- 2008-04-17 19:16:34


Siko
Premium
join:2006-11-27
Mechanicsburg, PA

Thanks for scanning through that. Now here is my ESET log; it didn't find anything.

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3041 (20080419)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=f94ebf675e76f444bc9bef3e67f7aa40
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-04-21 02:01:17
# local_time=2008-04-20 10:01:17 (-0500, Eastern Daylight Time)
# country="United States"
# osver=6.0.6001 NT Service Pack 1
# scanned=931132
# found=0
# scan_time=6361



bcastner
Premium,VIP,MVM
join:2002-09-25
Chevy Chase, MD

reply to Siko
I am certain there is a Wareout rootkit infector here, but because this is Vista we may not be able to locate it.

Please download Gmer version 1.0.14.14105:

http://www2.gmer.net/beta/gmer.exe

Keep all protection programs OFF, including your AVG Antivirus. Disconnect from the internet while performing these scans. After the scans are done, you can re-enable active protection and connect again.

Double-click gmer.exe to run it

Click the ">>>" Tab

Click the Files Tab

Check the "Only Hidden" check box on upper left side of Display to see rootkit hidden files.

Click "+" signs and navigate to C:\Windows\System32\Drivers (assuming your primary OS drive is C:\)
Any Hidden Rootkit drivers will be displayed in the right pane in RED.
Maybe a culprit rootkit driver will be listed there if it indeed exists.

Repeat the above for the following directory, to see if any files there are hidden by a rootkit:
C:\Windows\System32\

Again, they will be listed in red.

Next - do a Gmer Autostart Scan

Click the "Autostart" Tab
Click the Scan button
When the autostart scan is finished, click Copy to save the Autostart log to the Windows clipboard
Open Notepad or a similar text editor
Paste the clipboard contents into a text file by clicking Edit | Paste or pressing Ctrl+V
Save the log and post it in your next reply.

Now, perform a Gmer Rootkit/Malware scan by selecting the "Rootkit/Malware" Tab.
On the right side of the Gmer screen, check all the items to be scanned (it should be this way by default).
Select all drives that are connected to your system to be scanned
Click the Scan button
When the scan is finished, click Copy to save the scan log to the Windows clipboard
Open Notepad or a similar text editor
Paste the clipboard contents into a text file by clicking Edit | Paste or pressing Ctrl+V
Save the gmer scan log and post it in your next reply.
Close Gmer
Open a command prompt (Start | Run | type cmd and hit Enter)
Type or paste the following to unload the gmer driver:
net stop gmer
Hit Enter
Exit the command prompt.
Re-enable all active protection that you had disabled to conduct the scans.

Please post back to the Forum both Gmer scan reports.

--
============
MS-MVP 2004-2008, ASAP Member
Users Helping Users



Siko
Premium
join:2006-11-27
Mechanicsburg, PA

Here they are:

GMER 1.0.14.14316 - »www.gmer.net
Autostart scan 2008-04-21 19:39:11
Windows 6.0.6001 Service Pack 1

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@BootExecute = PDBoot.exe autocheck autochk * OODBS lsdelete

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\Windows\system32\userinit.exe,

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ >>>
!SASWinLogon@DLLName = C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
avgwlntf@DLLName = avgwlntf.dll
igfxcui@DLLName = igfxdev.dll

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs =

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
aawservice@ = "H:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe"
AcronisOSSReinstallSvc@ = "C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall_svc.exe"
AcrSch2Svc@ = "C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe"
Apple Mobile Device@ = "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"
AVG Anti-Spyware Guard@ = H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
Avg7Alrt@ = C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
Avg7UpdSvc@ = C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
AvgCoreSvc@ = C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
MDM@ = "C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"
PD91Agent@ = "C:\Program Files\Raxco\PerfectDisk\PD91Agent.exe"
SBSDWSCService@ = C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
slsvc@ = %SystemRoot%\system32\SLsvc.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@Windows Defender%ProgramFiles%\Windows Defender\MSASCui.exe -hide /*file not found*/ = %ProgramFiles%\Windows Defender\MSASCui.exe -hide /*file not found*/
@IgfxTrayC:\Windows\system32\igfxtray.exe = C:\Windows\system32\igfxtray.exe
@HotKeysCmdsC:\Windows\system32\hkcmd.exe = C:\Windows\system32\hkcmd.exe
@PersistenceC:\Windows\system32\igfxpers.exe = C:\Windows\system32\igfxpers.exe
@AVG7_CCC:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP = C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
@SunJavaUpdateSched"C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" = "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
@TkBellExe"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

HKCU\Software\Microsoft\Windows\CurrentVersion\Run@WMPNSCFG = C:\Program Files\Windows Media Player\WMPNSCFG.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks >>>
@{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}C:\Program Files\SUPERAntiSpyware\SASSEH.DLL = C:\Program Files\SUPERAntiSpyware\SASSEH.DLL
@{57B86673-276A-48B2-BAE7-C6DBB3020EB8}H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll = H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{F02C1A0D-BE21-4350-88B0-7367FC96EF3C} /*Computers and Devices*/%systemroot%\system32\NetworkExplorer.dll = %systemroot%\system32\NetworkExplorer.dll
@{4A1E5ACD-A108-4100-9E26-D2FAFA1BA486} /*IGD Property Sheet Handler*/%SystemRoot%\System32\icsigd.dll = %SystemRoot%\System32\icsigd.dll
@{6CF48EF8-44CD-45d2-8832-A16EA016311B} /*IE IShellFolderBand*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{00020d75-0000-0000-c000-000000000046} /*Microsoft Office Outlook Desktop Icon Handler*/H:\Program Files\Microsoft Office\OFFICE11\MLSHEXT.DLL = H:\Program Files\Microsoft Office\OFFICE11\MLSHEXT.DLL
@{CC6EEFFB-43F6-46c5-9619-51D571967F7D} /*Web Publishing Wizard*/%SystemRoot%\System32\shwebsvc.dll = %SystemRoot%\System32\shwebsvc.dll
@{add36aa8-751a-4579-a266-d66f5202ccbb} /*Print Ordering via the Web*/%SystemRoot%\System32\shwebsvc.dll = %SystemRoot%\System32\shwebsvc.dll
@{6b33163c-76a5-4b6c-bf21-45de9cd503a1} /*Shell Publishing Wizard Object*/%SystemRoot%\System32\shwebsvc.dll = %SystemRoot%\System32\shwebsvc.dll
@{74246bfc-4c96-11d0-abef-0020af6b0b7a} /*Device Manager*/%SystemRoot%\System32\devmgr.dll = %SystemRoot%\System32\devmgr.dll
@{7A979262-40CE-46ff-AEEE-7884AC3B6136} /*Add New Hardware*/(null) =
@{3e7efb4c-faf1-453d-89eb-56026875ef90} /*Get Programs Online*/(null) =
@{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0} /*Control Panel command object for Start menu*/(null) =
@{E44E5D18-0652-4508-A4E2-8A090067BCB0} /*Default Programs command object for Start menu*/(null) =
@{6dfd7c5c-2451-11d3-a299-00c04f8ef6af} /*Folder Options*/(null) =
@{97e467b4-98c6-4f19-9588-161b7773d6f6} /*Office Document Property Handler*/%SystemRoot%\system32\propsys.dll = %SystemRoot%\system32\propsys.dll
@{DC1C5A9C-E88A-4dde-A5A1-60F82A20AEF7} /*File Open Dialog*/%SystemRoot%\System32\comdlg32.dll = %SystemRoot%\System32\comdlg32.dll
@{C0B4E2F3-BA21-4773-8DBA-335EC946EB8B} /*File Save Dialog*/%SystemRoot%\System32\comdlg32.dll = %SystemRoot%\System32\comdlg32.dll
@{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75} /*Shell Icon Handler for Application References*/C:\Windows\system32\dfshim.dll = C:\Windows\system32\dfshim.dll
@{e82a2d71-5b2f-43a0-97b8-81be15854de8} /*ShellLink for Application References*/C:\Windows\system32\dfshim.dll = C:\Windows\system32\dfshim.dll
@{44121072-A222-48f2-A58A-6D9AD51EBBE9} /*Microsoft XPS Thumbnail*/%SystemRoot%\system32\XPSSHHDR.DLL = %SystemRoot%\system32\XPSSHHDR.DLL
@{13D3C4B8-B179-4ebb-BF62-F704173E7448} /*Windows Contact Preview Handler*/%CommonProgramFiles%\System\wab32.dll = %CommonProgramFiles%\System\wab32.dll
@{4026492f-2f69-46b8-b9bf-5654fc07e423} /*Windows Firewall*/(null) =
@{a304259d-52b8-4526-8b1a-a1d6cecc8243} /*iSCSI Initiator*/(null) =
@{11dbb47c-a525-400b-9e80-a54615a090c0} /*Execute Folder*/ExplorerFrame.dll = ExplorerFrame.dll
@{90b9bce2-b6db-4fd3-8451-35917ea1081b} /*Search Execute Command*/ExplorerFrame.dll = ExplorerFrame.dll
@{BC65FB43-1958-4349-971A-210290480130} /*Network Explorer Property Sheet Handler*/%SystemRoot%\System32\NcdProp.dll = %SystemRoot%\System32\NcdProp.dll
@{d3e34b21-9d75-101a-8c3d-00aa001a1652} /*Bitmap Image*/(null) =
@{40C3D757-D6E4-4b49-BB41-0E5BBEA28817} /*Video Media Properties Handler*/%SystemRoot%\System32\mediametadatahandler.dll = %SystemRoot%\System32\mediametadatahandler.dll
@{E598560B-28D5-46aa-A14A-8A3BEA34B576} /*Windows Photo Gallery Viewer Video Verbs*/%ProgramFiles%\Windows Photo Gallery\PhotoViewer.dll /*file not found*/ = %ProgramFiles%\Windows Photo Gallery\PhotoViewer.dll /*file not found*/
@{0a4286ea-e355-44fb-8086-af3df7645bd9} /*Windows Media Player*/C:\PROGRA~1\WI4EB4~1\wmpband.dll = C:\PROGRA~1\WI4EB4~1\wmpband.dll
@{BB6B2374-3D79-41DB-87F4-896C91846510} /*EMDFileProperties*/emdmgmt.dll = emdmgmt.dll
@{875CB1A1-0F29-45de-A1AE-CFB4950D0B78} /*Audio Media Properties Handler*/%SystemRoot%\System32\mediametadatahandler.dll = %SystemRoot%\System32\mediametadatahandler.dll
@{7A0F6AB7-ED84-46B6-B47E-02AA159A152B} /*Sync Center Simple Conflict Presenter*/%SystemRoot%\System32\SyncCenter.dll = %SystemRoot%\System32\SyncCenter.dll
@{9D687A4C-1404-41ef-A089-883B6FBECDE6} /*Windows Photo Gallery Viewer Autoplay Handler*/(null) =
@{37efd44d-ef8d-41b1-940d-96973a50e9e0} /*Windows Sidebar Properties*/(null) =
@{BC48B32F-5910-47F5-8570-5074A8A5636A} /*Sync Results Delegate Folder*/%SystemRoot%\System32\SyncCenter.dll = %SystemRoot%\System32\SyncCenter.dll
@{E413D040-6788-4C22-957E-175D1C513A34} /*Sync Center Conflict Delegate Folder*/%SystemRoot%\System32\SyncCenter.dll = %SystemRoot%\System32\SyncCenter.dll
@{67718415-c450-4f3c-bf8a-b487642dc39b} /*Windows Features*/(null) =
@{91ADC906-6722-4B05-A12B-471ADDCCE132} /*Touch Band*/%SystemRoot%\System32\TouchX.dll = %SystemRoot%\System32\TouchX.dll
@{2781761E-28E0-4109-99FE-B9D127C57AFE} /*Windows Defender IOfficeAntiVirus implementation*/%ProgramFiles%\Windows Defender\MpOav.dll /*file not found*/ = %ProgramFiles%\Windows Defender\MpOav.dll /*file not found*/
@{FFE2A43C-56B9-4bf5-9A79-CC6D4285608A} /*Windows Photo Gallery Viewer Image Verbs*/%ProgramFiles%\Windows Photo Gallery\PhotoViewer.dll /*file not found*/ = %ProgramFiles%\Windows Photo Gallery\PhotoViewer.dll /*file not found*/
@{4B534112-3AF6-4697-A77C-D62CE9B9E7CF} /*Sync Center Event Properties Extension*/%SystemRoot%\System32\SyncCenter.dll = %SystemRoot%\System32\SyncCenter.dll
@{F1390A9A-A3F4-4E5D-9C5F-98F3BD8D935C} /*Sync Setup Delegate Folder*/%SystemRoot%\System32\SyncCenter.dll = %SystemRoot%\System32\SyncCenter.dll
@{4E5BFBF8-F59A-4e87-9805-1F9B42CC254A} /*GameUX.RichGameMediaThumbnail*/C:\Windows\System32\gameux.dll = C:\Windows\System32\gameux.dll
@{576C9E85-1300-4EF5-BF6B-D00509F4EDCD} /*Sync Center Handler Properties Extension*/%SystemRoot%\System32\SyncCenter.dll = %SystemRoot%\System32\SyncCenter.dll
@{289978AC-A101-4341-A817-21EBA7FD046D} /*Sync Center Conflict Folder*/%SystemRoot%\System32\SyncCenter.dll = %SystemRoot%\System32\SyncCenter.dll
@{71D99464-3B6B-475C-B241-E15883207529} /*Sync Results Folder*/%SystemRoot%\System32\SyncCenter.dll = %SystemRoot%\System32\SyncCenter.dll
@{B32D3949-ED98-4DBB-B347-17A144969BBA} /*Sync Center Item Properties Extension*/%SystemRoot%\System32\SyncCenter.dll = %SystemRoot%\System32\SyncCenter.dll
@{2E9E59C0-B437-4981-A647-9C34B9B90891} /*Sync Setup Folder*/%SystemRoot%\System32\SyncCenter.dll = %SystemRoot%\System32\SyncCenter.dll
@{9C73F5E5-7AE7-4E32-A8E8-8D23B85255BF} /*Sync Center Folder*/%SystemRoot%\System32\SyncCenter.dll = %SystemRoot%\System32\SyncCenter.dll
@{CB1B7F8C-C50A-4176-B604-9E24DEE8D4D1} /*Welcome Center*/oobefldr.dll = oobefldr.dll
@{F04CC277-03A2-4277-96A9-77967471BDFF} /*Sync Center Conflict Properties Extension*/%SystemRoot%\System32\SyncCenter.dll = %SystemRoot%\System32\SyncCenter.dll
@{6b9228da-9c15-419e-856c-19e768a13bdc} /*Windows gadget DropTarget*/%ProgramFiles%\Windows Sidebar\sbdrop.dll /*file not found*/ = %ProgramFiles%\Windows Sidebar\sbdrop.dll /*file not found*/
@{8E25992B-373E-486E-80E5-BD23AE417E66} /*Sync Center Device Notification Sink*/%SystemRoot%\System32\SyncCenter.dll = %SystemRoot%\System32\SyncCenter.dll
@{031EE060-67BC-460d-8847-E4A7C5E45A27} /*Windows Media Player Rich Preview Handler*/(null) =
@{1FA9085F-25A2-489B-85D4-86326EEDCD87} /*Manage Wireless Networks*/%SystemRoot%\system32\wlanpref.dll = %SystemRoot%\system32\wlanpref.dll
@{7dda204b-2097-47c9-8323-c40bb840ae44} /*XPS document*/(null) =
@{ECDD6472-2B9B-4b4b-AE36-F316DF3C8D60} /*RichGameMediaPropertyStore Class*/C:\Windows\System32\gameux.dll = C:\Windows\System32\gameux.dll
@{c5a40261-cd64-4ccf-84cb-c394da41d590} /*Video Thumbnail Extractor*/%SystemRoot%\System32\mediametadatahandler.dll = %SystemRoot%\System32\mediametadatahandler.dll
@{C539A15A-3AF9-4c92-B771-50CB78F5C751} /*Acronis True Image Shell Context Menu Extension*/C:\Program Files\Acronis\TrueImageHome\tishell.dll = C:\Program Files\Acronis\TrueImageHome\tishell.dll
@{C539A15B-3AF9-4c92-B771-50CB78F5C751} /*Acronis True Image Shell Extension*/C:\Program Files\Acronis\TrueImageHome\tishell.dll = C:\Program Files\Acronis\TrueImageHome\tishell.dll
@{B41DB860-8EE4-11D2-9906-E49FADC173CA} /*WinRAR shell extension*/C:\Program Files\WinRAR\rarext.dll = C:\Program Files\WinRAR\rarext.dll
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Web Folders*/C:\PROGRA~1\COMMON~1\MICROS~1\Web Folders\MSONSEXT.DLL = C:\PROGRA~1\COMMON~1\MICROS~1\Web Folders\MSONSEXT.DLL
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Office Outlook Custom Icon Handler*/H:\Program Files\Microsoft Office\OFFICE11\OLKFSTUB.DLL = H:\Program Files\Microsoft Office\OFFICE11\OLKFSTUB.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/H:\Program Files\Microsoft Office\OFFICE11\msohev.dll = H:\Program Files\Microsoft Office\OFFICE11\msohev.dll
@{BD7A2E7B-21CB-41b2-A086-B309680C6B7E} /*Client Side Cache Namespace Extension*/%systemroot%\system32\mssvp.dll = %systemroot%\system32\mssvp.dll
@{35786D3C-B075-49b9-88DD-029876E11C01} /*Portable Devices*/%SystemRoot%\system32\wpdshext.dll = %SystemRoot%\system32\wpdshext.dll
@{53BEDF0B-4E5B-4183-8DC9-B844344FA104} /*Microsoft Windows MAPI Preview Handler*/%SystemRoot%\system32\mssvp.dll = %SystemRoot%\system32\mssvp.dll
@{D6791A63-E7E2-4fee-BF52-5DED8E86E9B8} /*Portable Devices Menu*/%SystemRoot%\system32\wpdshext.dll = %SystemRoot%\system32\wpdshext.dll
@{877ca5ac-cb41-4842-9c69-9136e42d47e2} /*File Backup Index*/%systemroot%\system32\sdshext.dll = %systemroot%\system32\sdshext.dll
@{5ea4f148-308c-46d7-98a9-49041b1dd468} /*Mobility Center Control Panel*/(null) =
@{d8559eb9-20c0-410e-beda-7ed416aecc2a} /*Windows Defender*/(null) =
@{ED228FDF-9EA8-4870-83B1-96B02CFE0D52} /*Games Folder*/C:\Windows\System32\gameux.dll = C:\Windows\System32\gameux.dll
@{00f20eb5-8fd6-4d9d-b75e-36801766c8f1} /*PhotoAcqDropTarget*/%ProgramFiles%\Windows Photo Gallery\PhotoAcq.dll /*file not found*/ = %ProgramFiles%\Windows Photo Gallery\PhotoAcq.dll /*file not found*/
@{89D83576-6BD1-4c86-9454-BEB04E94C819} /*MAPI Search Namespace Extension*/%systemroot%\system32\mssvp.dll = %systemroot%\system32\mssvp.dll
@{00f2886f-cd64-4fc9-8ec5-30ef6cdbe8c3} /*Microsoft.ScannersAndCameras*/(null) =
@{3F30C968-480A-4C6C-862D-EFC0897BB84B} /*Photo Thumbnail Extractor*/C:\Windows\system32\PhotoMetadataHandler.dll = C:\Windows\system32\PhotoMetadataHandler.dll
@{C7657C4A-9F68-40fa-A4DF-96BC08EB3551} /*Photo Thumbnail Provider*/C:\Windows\system32\PhotoMetadataHandler.dll = C:\Windows\system32\PhotoMetadataHandler.dll
@{a38b883c-1682-497e-97b0-0a3a9e801682} /*IPropertyStore Handler for Images*/C:\Windows\system32\PhotoMetadataHandler.dll = C:\Windows\system32\PhotoMetadataHandler.dll
@{da67b8ad-e81b-4c70-9b91b417b5e33527} /*Windows Search Shell Service*/(null) =
@{911051fa-c21c-4246-b470-070cd8df6dc4} /*.cab or .zip files*/(null) =
@{fcfeecae-ee1b-4849-ae50-685dcf7717ec} /*Problem Reports and Solutions*/(null) =
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/C:\Windows\system32\extmgr.dll = C:\Windows\system32\extmgr.dll
@{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8} /*Compatibility Property Page*/%windir%\system32\acppage.dll = %windir%\system32\acppage.dll
@{CF67796C-F57F-45F8-92FB-AD698826C602} /*contact_wab_auto_file*/%CommonProgramFiles%\System\wab32.dll = %CommonProgramFiles%\System\wab32.dll
@{16C2C29D-0E5F-45f3-A445-03E03F587B7D} /*group_wab_auto_file*/%CommonProgramFiles%\System\wab32.dll = %CommonProgramFiles%\System\wab32.dll
@{8082C5E6-4C27-48ec-A809-B8E1122E8F97} /*.contact shell extension handler*/%CommonProgramFiles%\System\wab32.dll = %CommonProgramFiles%\System\wab32.dll
@{4F58F63F-244B-4c07-B29F-210BE59BE9B4} /*.group shell extension handler*/%CommonProgramFiles%\System\wab32.dll = %CommonProgramFiles%\System\wab32.dll
@{0F8604A5-4ECE-4DE1-BA7D-CF10F8AA4F48} /*Contacts folder*/(null) =
@{38a98528-6cbf-4ca9-8dc0-b1e1d10f7b1b} /*View Available Networks*/(null) =
@{45670FA8-ED97-4F44-BC93-305082590BFB} /*Microsoft XPS Properties*/%SystemRoot%\system32\XPSSHHDR.DLL = %SystemRoot%\system32\XPSSHHDR.DLL
@{92337A8C-E11D-11D0-BE48-00C04FC30DF6} /*OlePrn.PrinterURL*/%SystemRoot%\system32\oleprn.dll = %SystemRoot%\system32\oleprn.dll
@{2C2577C2-63A7-40e3-9B7F-586602617ECB} /*Explorer Query Band*/(null) =
@{E29F9716-5C08-4FCD-955A-119FDB5A522D} /*Sam Account Folder*/(null) =
@{C8494E42-ACDD-4739-B0FB-217361E4894F} /*Sam Account Folder*/(null) =
@{34449847-FD14-4fc8-A75A-7432F5181EFB} /*ActiveDirectory Folder*/(null) =
@{1b24a030-9b20-49bc-97ac-1be4426f9e59} /*ActiveDirectory Folder*/(null) =
@{b2c761c6-29bc-4f19-9251-e6195265baf1} /*Color Control Panel Applet*/(null) =
@{DBCE2480-C732-101B-BE72-BA78E9AD5B27} /*ICC Profile*/%SystemRoot%\system32\colorui.dll = %SystemRoot%\system32\colorui.dll
@{675F097E-4C4D-11D0-B6C1-0800091AA605} /*ICM Printer Management*/%SystemRoot%\system32\colorui.dll = %SystemRoot%\system32\colorui.dll
@{5DB2625A-54DF-11D0-B6C4-0800091AA605} /*ICM Monitor Management*/%SystemRoot%\System32\colorui.dll = %SystemRoot%\System32\colorui.dll
@{176d6597-26d3-11d1-b350-080036a75b03} /*ICM Scanner Management*/%SystemRoot%\System32\colorui.dll = %SystemRoot%\System32\colorui.dll
@{8856f961-340a-11d0-a96b-00c04fd705a2} /*Microsoft Web Browser*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{9A096BB5-9DC3-4D1C-8526-C3CBF991EA4E} /*IE RSS Feeder Folder*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{871C5380-42A0-1069-A2EA-08002B30309D} /*Internet Name Space*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{205D7A97-F16D-4691-86EF-F3075DCCA57D} /*IE Menu Desk Bar*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{44C76ECD-F7FA-411c-9929-1B77BA77F524} /*IE Menu Site*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{6B4ECC4F-16D1-4474-94AB-5A763F2A54AE} /*IE Tracking Shell Menu*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{1C1EDB47-CE22-4bbb-B608-77B48F83C823} /*IE Fade Task*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{F2CF5485-4E02-4f68-819C-B92DE9277049} /*&Links*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{4B78D326-D922-44f9-AF2A-07805C2A3560} /*IE Menu Band*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75} /*IE User Assist*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{BFAD62EE-9D54-4b2a-BF3B-76F90697BD2A} /*IE Shell Rebar BandSite*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{E6EE9AAC-F76B-4947-8260-A9F136138E11} /*IE Shell Band Site Menu*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{B31C5FAE-961F-415b-BAF0-E697A5178B94} /*IE Microsoft Multiple AutoComplete List Container*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{9D958C62-3954-4b44-8FAB-C4670C1DB4C2} /*IE Microsoft Shell Folder AutoComplete List*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{6038EF75-ABFC-4e59-AB6F-12D397F6568D} /*IE Microsoft History AutoComplete List*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{FDE7673D-2E19-4145-8376-BBD58C4BC7BA} /*IE Custom MRU AutoCompleted List*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{98FF6D4B-6387-4b0a-8FBD-C5C4BB17B4F8} /*IE MRU AutoComplete List*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{3028902F-6374-48b2-8DC6-9725E775B926} /*IE AutoComplete*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{F83DAC1C-9BB9-4f2b-B619-09819DA81B0E} /*IE Registry Tree Options Utility*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{30D02401-6A81-11d0-8274-00C04FD5AE38} /*IE Search Band*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{43886CD5-6529-41c4-A707-7B3C92C05E68} /*IE Navigation Bar*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{07C45BB1-4A8C-4642-A1F5-237E7215FF66} /*IE Microsoft BrowserBand*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{73CFD649-CD48-4fd8-A272-2070EA56526B} /*IE BandProxy*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{3DC7A020-0ACD-11CF-A9BB-00AA004AE837} /*The Internet*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{CFBFAE00-17A6-11D0-99CB-00C04FD64497} /*Microsoft Url Search Hook*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{7BD29E01-76C1-11CF-9DD0-00A0C9034933} /*Temporary Internet Files*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{7BD29E00-76C1-11CF-9DD0-00A0C9034933} /*Temporary Internet Files*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{FF393560-C2A7-11CF-BFF4-444553540000} /*History*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{3C374A40-BAE4-11CF-BF7D-00AA006946EE} /*Microsoft Url History Service*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{FBF23B40-E3F0-101B-8488-00AA003E56F8} /*InternetShortcut*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{BC476F4C-D9D7-4100-8D4E-E043F6DEC409} /*Microsoft Browser Architecture*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{E7E4BC40-E76A-11CE-A9BB-00AA004AE837} /*Shell DocObject Viewer*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{5FA29220-36A1-40f9-89C6-F4B384B7642E} /*Shell Message Handler*/%SystemRoot%\system32\inetcomm.dll = %SystemRoot%\system32\inetcomm.dll
@{f8b8412b-dea3-4130-b36c-5e8be73106ac} /*Microsoft Windows Mail Html Preview Handler*/%SystemRoot%\system32\inetcomm.dll = %SystemRoot%\system32\inetcomm.dll
@{b9815375-5d7f-4ce2-9245-c9d4da436930} /*Microsoft Windows Mail Html Preview Handler*/%SystemRoot%\system32\inetcomm.dll = %SystemRoot%\system32\inetcomm.dll
@{92dbad9f-5025-49b0-9078-2d78f935e341} /*Microsoft Windows Mail Html Preview Handler*/%SystemRoot%\system32\inetcomm.dll = %SystemRoot%\system32\inetcomm.dll
@{967B2D40-8B7D-4127-9049-61EA0C2C6DCE} /*PowerISO*/(null) =
@{23170F69-40C1-278A-1000-000100020000} /*7-Zip Shell Extension*/C:\Program Files\7-Zip\7-zip.dll = C:\Program Files\7-Zip\7-zip.dll
@{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} /*Shell Extensions for RealOne Player*/C:\Program Files\Real\RealPlayer\rpshell.dll = C:\Program Files\Real\RealPlayer\rpshell.dll
@{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} /*iTunes*/H:\Program Files\iTunes\iTunesMiniPlayer.dll = H:\Program Files\iTunes\iTunesMiniPlayer.dll
@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} /*AVG7 Shell Extension*/C:\Program Files\Grisoft\AVG7\avgse.dll = C:\Program Files\Grisoft\AVG7\avgse.dll
@{9F97547E-460A-42C5-AE0C-81C61FFAEBC3} /*AVG7 Find Extension*/C:\Program Files\Grisoft\AVG7\avgse.dll = C:\Program Files\Grisoft\AVG7\avgse.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
7-Zip@{23170F69-40C1-278A-1000-000100020000} = C:\Program Files\7-Zip\7-zip.dll
AVG Anti-Spyware@{8934FCEF-F5B8-468f-951F-78A921CD3920} = H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll
AVG7 Shell Extension@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG7\avgse.dll
PowerISO@{967B2D40-8B7D-4127-9049-61EA0C2C6DCE} =
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers >>>
@{C539A15A-3AF9-4c92-B771-50CB78F5C751}C:\Program Files\Acronis\TrueImageHome\tishell.dll = C:\Program Files\Acronis\TrueImageHome\tishell.dll
@{CA8ACAFA-5FBB-467B-B348-90DD488DE003}C:\Program Files\SUPERAntiSpyware\SASCTXMN.DLL = C:\Program Files\SUPERAntiSpyware\SASCTXMN.DLL

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ >>>
7-Zip@{23170F69-40C1-278A-1000-000100020000} = C:\Program Files\7-Zip\7-zip.dll
AVG Anti-Spyware@{8934FCEF-F5B8-468f-951F-78A921CD3920} = H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll
PowerISO@{967B2D40-8B7D-4127-9049-61EA0C2C6DCE} =
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers@{CA8ACAFA-5FBB-467B-B348-90DD488DE003} = C:\Program Files\SUPERAntiSpyware\SASCTXMN.DLL

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
AVG7 Shell Extension@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG7\avgse.dll
PowerISO@{967B2D40-8B7D-4127-9049-61EA0C2C6DCE} =
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers@{C539A15A-3AF9-4c92-B771-50CB78F5C751} = C:\Program Files\Acronis\TrueImageHome\tishell.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll = C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
@{53707962-6F74-2D53-2644-206D7942484F}C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll = C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
@{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll = C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://go.microsoft.com/fwlink/?LinkId=69157 = »go.microsoft.com/fwlink/?LinkId=69157
@Start Pagehttp://go.microsoft.com/fwlink/?LinkId=69157 = »go.microsoft.com/fwlink/?LinkId=69157
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://google.com/ = »google.com/
@Local PageC:\WINDOWS\System32\blank.htm = C:\WINDOWS\System32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Filter\text/xml@CLSID = C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
belarc@CLSID = C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll
dvd@CLSID = C:\Windows\System32\msvidctl.dll
its@CLSID = %SystemRoot%\System32\itss.dll
mhtml@CLSID = %SystemRoot%\system32\inetcomm.dll
ms-its@CLSID = %SystemRoot%\System32\itss.dll
ms-itss@CLSID = C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
mso-offdap11@CLSID = C:\PROGRA~1\COMMON~1\MICROS~1\Web Components\11\OWC11.DLL
tv@CLSID = C:\Windows\System32\msvidctl.dll

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{816238D4-1ADE-4801-AF6C-1CB6A0BDC37F} /*Local Area Connection*/ >>>
@IPAddress192.168.1.100 = 192.168.1.100
@NameServer208.67.220.220,208.67.222.222 = 208.67.220.220,208.67.222.222
@DefaultGateway192.168.1.1 = 192.168.1.1
@Domain =

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ >>>
000000000001@LibraryPath = %SystemRoot%\system32\NLAapi.dll
000000000002@LibraryPath = %SystemRoot%\system32\napinsp.dll
000000000003@LibraryPath = %SystemRoot%\system32\pnrpnsp.dll

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004@LibraryPath = %SystemRoot%\system32\pnrpnsp.dll

C:\Users\Murlin Wei\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup = Xfire.lnk

---- EOF - GMER 1.0.14 ----

GMER 1.0.14.14316 - »www.gmer.net
Rootkit scan 2008-04-21 20:13:34
Windows 6.0.6001 Service Pack 1

---- System - GMER 1.0.14 ----

SSDT \??\H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess [0x945688AC]
SSDT \??\H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess [0x94568812]

---- Kernel code sections - GMER 1.0.14 ----

.text ntoskrnl.exe!ZwQueryLicenseValue + D11 81C72AE9 1 Byte [ 06 ]
.text ntoskrnl.exe!KeInsertQueue + 5E1 81C88B98 4 Bytes [ AC, 88, 56, 94 ]
.text ntoskrnl.exe!KeInsertQueue + 811 81C88DC8 4 Bytes [ 12, 88, 56, 94 ]
_PAGELK C:\Windows\system32\ntoskrnl.exe entry point in "_PAGELK" section [0x81CFE4B0]
? System32\Drivers\spmq.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload 8D7AA46F 5 Bytes JMP 84CCC4E0
.text a3nub5gf.SYS 882D5000 22 Bytes [ 26, C2, FC, 81, 10, C1, FC, ... ]
.text a3nub5gf.SYS 882D5017 105 Bytes [ 00, 32, A7, B3, 82, 3D, A5, ... ]
.text a3nub5gf.SYS 882D5081 53 Bytes [ 25, C6, 81, 60, 2E, C8, 81, ... ]
.text a3nub5gf.SYS 882D50B7 22 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
.text a3nub5gf.SYS 882D50CE 80 Bytes [ 00, 00, 26, 00, 00, 00, E0, ... ]
.text ...
? C:\ComboFix\catchme.sys The system cannot find the file specified. !
? C:\Windows\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT \SystemRoot\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 8407D2D8
IAT \SystemRoot\system32\drivers\pci.sys[ntoskrnl.exe!IoDetachDevice] [82A6393C] \SystemRoot\System32\Drivers\spmq.sys
IAT \SystemRoot\system32\drivers\pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [82A63990] \SystemRoot\System32\Drivers\spmq.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [82A346D2] \SystemRoot\System32\Drivers\spmq.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [82A34040] \SystemRoot\System32\Drivers\spmq.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [82A347FC] \SystemRoot\System32\Drivers\spmq.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUshort] [82A340BE] \SystemRoot\System32\Drivers\spmq.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [82A3413C] \SystemRoot\System32\Drivers\spmq.sys
IAT \SystemRoot\system32\drivers\ataport.SYS[ntoskrnl.exe!DbgBreakPoint] 8407E2D8
IAT \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 84CCC5E0
IAT \SystemRoot\System32\Drivers\a3nub5gf.SYS[ataport.SYS!AtaPortNotification] F73BFF33
IAT \SystemRoot\System32\Drivers\a3nub5gf.SYS[ataport.SYS!AtaPortWritePortUchar] B85F0B75
IAT \SystemRoot\System32\Drivers\a3nub5gf.SYS[ataport.SYS!AtaPortWritePortUlong] FFFFFFFE
IAT \SystemRoot\System32\Drivers\a3nub5gf.SYS[ataport.SYS!AtaPortGetPhysicalAddress] 08C25D5E
IAT \SystemRoot\System32\Drivers\a3nub5gf.SYS[ataport.SYS!AtaPortConvertPhysicalAddressToUlong] 5D8B5300
IAT \SystemRoot\System32\Drivers\a3nub5gf.SYS[ataport.SYS!AtaPortGetScatterGatherList] 74DF3B0C
IAT \SystemRoot\System32\Drivers\a3nub5gf.SYS[ataport.SYS!AtaPortReadPortUchar] 01FB8311
IAT \SystemRoot\System32\Drivers\a3nub5gf.SYS[ataport.SYS!AtaPortStallExecution] 5F5B0C74
IAT \SystemRoot\System32\Drivers\a3nub5gf.SYS[ataport.SYS!AtaPortGetParentBusType] FFFFFEB8
IAT \SystemRoot\System32\Drivers\a3nub5gf.SYS[ataport.SYS!AtaPortRequestCallback] C25D5EFF
IAT \SystemRoot\System32\Drivers\a3nub5gf.SYS[ataport.SYS!AtaPortWritePortBufferUshort] 7E390008
IAT \SystemRoot\System32\Drivers\a3nub5gf.SYS[ataport.SYS!AtaPortGetUnCachedExtension] C7077524
IAT \SystemRoot\System32\Drivers\a3nub5gf.SYS[ataport.SYS!AtaPortCompleteRequest] 31642446
IAT \SystemRoot\System32\Drivers\a3nub5gf.SYS[ataport.SYS!AtaPortMoveMemory] 7E39882E
IAT \SystemRoot\System32\Drivers\a3nub5gf.SYS[ataport.SYS!AtaPortCompleteAllActiveRequests] C7077528
IAT \SystemRoot\System32\Drivers\a3nub5gf.SYS[ataport.SYS!AtaPortReleaseRequestSenseIrb] 31902846
IAT \SystemRoot\System32\Drivers\a3nub5gf.SYS[ataport.SYS!AtaPortBuildRequestSenseIrb] 468B882E
IAT \SystemRoot\System32\Drivers\a3nub5gf.SYS[ataport.SYS!AtaPortReadPortUshort] 244E8B2C
IAT \SystemRoot\System32\Drivers\a3nub5gf.SYS[ataport.SYS!AtaPortReadPortBufferUshort] 7468016A
IAT \SystemRoot\System32\Drivers\a3nub5gf.SYS[ataport.SYS!AtaPortInitialize] 500000FA
IAT \SystemRoot\System32\Drivers\a3nub5gf.SYS[ataport.SYS!AtaPortGetDeviceBase] C73BD1FF
IAT \SystemRoot\System32\Drivers\a3nub5gf.SYS[ataport.SYS!AtaPortDeviceStateChange] 5F5B0C75
IAT \SystemRoot\System32\Drivers\a3nub5gf.SYS[NTOSKRNL.exe!KeTickCount] 56EC8B55
IAT \SystemRoot\system32\DRIVERS\storport.sys[ntoskrnl.exe!DbgBreakPoint] 84DC45E0

---- User IAT/EAT - GMER 1.0.14 ----

IAT C:\Windows\explorer.exe[2424] @ C:\Windows\explorer.exe [gdiplus.dll!GdiplusShutdown] [73877BA4] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18000_none_9e752e5ac9c619f3\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2424] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCloneImage] [738B98C5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18000_none_9e752e5ac9c619f3\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2424] @ C:\Windows\explorer.exe [gdiplus.dll!GdipDrawImageRectI] [7387D3C8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18000_none_9e752e5ac9c619f3\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2424] @ C:\Windows\explorer.exe [gdiplus.dll!GdipSetInterpolationMode] [7386F527] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18000_none_9e752e5ac9c619f3\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2424] @ C:\Windows\explorer.exe [gdiplus.dll!GdiplusStartup] [73877599] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18000_none_9e752e5ac9c619f3\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2424] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCreateFromHDC] [7386E43D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18000_none_9e752e5ac9c619f3\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2424] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCreateBitmapFromStreamICM] [738AB33D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18000_none_9e752e5ac9c619f3\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2424] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCreateBitmapFromStream] [7387D68A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18000_none_9e752e5ac9c619f3\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2424] @ C:\Windows\explorer.exe [gdiplus.dll!GdipGetImageHeight] [7387012E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18000_none_9e752e5ac9c619f3\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2424] @ C:\Windows\explorer.exe [gdiplus.dll!GdipGetImageWidth] [73870095] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18000_none_9e752e5ac9c619f3\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2424] @ C:\Windows\explorer.exe [gdiplus.dll!GdipDisposeImage] [738671F3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18000_none_9e752e5ac9c619f3\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2424] @ C:\Windows\explorer.exe [gdiplus.dll!GdipLoadImageFromFileICM] [738FD810] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18000_none_9e752e5ac9c619f3\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2424] @ C:\Windows\explorer.exe [gdiplus.dll!GdipLoadImageFromFile] [738975E1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18000_none_9e752e5ac9c619f3\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2424] @ C:\Windows\explorer.exe [gdiplus.dll!GdipDeleteGraphics] [7386DAE1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18000_none_9e752e5ac9c619f3\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2424] @ C:\Windows\explorer.exe [gdiplus.dll!GdipFree] [7386668F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18000_none_9e752e5ac9c619f3\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2424] @ C:\Windows\explorer.exe [gdiplus.dll!GdipAlloc] [738666BA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18000_none_9e752e5ac9c619f3\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2424] @ C:\Windows\explorer.exe [gdiplus.dll!GdipSetCompositingMode] [73871E45] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18000_none_9e752e5ac9c619f3\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 84A141F8
Device \FileSystem\fastfat \FatCdrom 8569A500
Device \Driver\volmgr \Device\VolMgrControl 840801F8
Device \Driver\usbuhci \Device\USBPDO-0 84D3C500
Device \Driver\usbuhci \Device\USBPDO-1 84D3C500
Device \Driver\usbuhci \Device\USBPDO-2 84D3C500
Device \Driver\usbuhci \Device\USBPDO-3 84D3C500
Device \Driver\usbehci \Device\USBPDO-4 84D79500
Device \Driver\PCI_PNP7864 \Device\00000056 spmq.sys
Device \Driver\USBSTOR \Device\00000070 85495500
Device \Driver\volmgr \Device\HarddiskVolume1 840801F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)

Device \Driver\volmgr \Device\HarddiskVolume2 840801F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)

Device \Driver\cdrom \Device\CdRom0 84D7D500
Device \Driver\USBSTOR \Device\00000072 85495500
Device \Driver\cdrom \Device\CdRom1 84D7D500
Device \Driver\volmgr \Device\HarddiskVolume3 840801F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 84A131F8
Device \Driver\atapi \Device\Ide\IdePort0 84A131F8
Device \Driver\atapi \Device\Ide\IdePort1 84A131F8
Device \Driver\atapi \Device\Ide\IdePort2 84A131F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1 84A131F8
Device \Driver\volmgr \Device\HarddiskVolume4 840801F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)

Device \Driver\USBSTOR \Device\00000074 85495500
Device \Driver\volmgr \Device\HarddiskVolume5 840801F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)

Device \Driver\volmgr \Device\HarddiskVolume6 840801F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume6 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume6 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)

Device \Driver\sptd \Device\1003614114 spmq.sys
Device \Driver\volmgr \Device\HarddiskVolume7 840801F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume7 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume7 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)

Device \Driver\netbt \Device\NetBt_Wins_Export 8552D500
Device \Driver\volmgr \Device\HarddiskVolume8 840801F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume8 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume8 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)

Device \Driver\volmgr \Device\HarddiskVolume9 840801F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume9 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume9 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)

Device \Driver\Smb \Device\NetbiosSmb 856D3500
Device \Driver\iScsiPrt \Device\RaidPort0 84D55500
Device \Driver\usbuhci \Device\USBFDO-0 84D3C500
Device \Driver\usbuhci \Device\USBFDO-1 84D3C500
Device \Driver\usbuhci \Device\USBFDO-2 84D3C500
Device \Driver\netbt \Device\NetBT_Tcpip_{816238D4-1ADE-4801-AF6C-1CB6A0BDC37F} 8552D500
Device \Driver\usbuhci \Device\USBFDO-3 84D3C500
Device \Driver\USBSTOR \Device\0000007d 85495500
Device \Driver\usbehci \Device\USBFDO-4 84D79500
Device \Driver\a3nub5gf \Device\Scsi\a3nub5gf1 84D431F8
Device \Driver\a3nub5gf \Device\Scsi\a3nub5gf1Port4Path0Target0Lun0 84D431F8
Device \FileSystem\fastfat \Fat 8569A500

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\cdfs \Cdfs 865041F8

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x2E 0x8D 0xA6 0x2F ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x58 0xFA 0x7F 0x40 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xDB 0x17 0x36 0x99 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x2E 0x8D 0xA6 0x2F ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x58 0xFA 0x7F 0x40 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xDB 0x17 0x36 0x99 ...
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODEFRAG10.00.00.01WORKSTATION C6C2342C31A3A1E2F7533810634F3DF2DC2D421A17EB3D7F576CBDB4F4C273935EF8098AB9F5F4F47A 95BF9776B7F2A7D1401C9062D62439C064E498C09235588457E64350C454C974AE8DE74EDBC39DD0D9 F6FEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74C FEBC9E127BECC74CA6A0AC4980AC7933A2D97226D213B555BA7FD869164D67949DB7CE019D40AA5CE6 90EFABE4D83A3417C329AFC37058287DD22401D91E5617EAF249D1C9461AA86AFB243B11114B0614ED DA55C43279773282F9DB1AC78A12364F0765C643F778FBF66FAB2BE3652860ED3BDDCF3FFDD5A24C9A 0DB0DE21DE9C2F3A9BDE6A6C49442EEDCAE1DE82CC0159AA4A02DD317650CD4B6649835FD23CDBAAB6 E7D24F311CB20E6B5BB42FED2C29DB9EEDF7F6D3EE8AA3BD82761B08E5FDF6FD303A8D8B12F892E631 B78C474DBAD7E29A9A44AA6667116BEFA040DC9EA7103CF77E27F76AD79297EEE2D05804CF792601F9 267CD330D4CF960BCCF221CABD3E71242FD81A0E775E1651C4E4258DF0758FE8B78E089304CAF36656 B15ABD18D9C5544FD44B3A829E1D454576B67DC069A8E22D69862286C1750582416B3E0DE21058C359 5E60443F6BA3C359740E43172186CCD989D2991F7F5C0E912B6ADE36E1235C14E3EA242DDDF4461C4F 8E221EC315EF72FB024DCFE789C6D4A1C5A330B

---- EOF - GMER 1.0.14 ----



bcastner
Premium,VIP,MVM
join:2002-09-25
Chevy Chase, MD
kudos:7

4 edits

reply to Siko
It is clearly not a Userland hooked entry, nor a Zlob DNS redirector.

1. Delete this enormous file:
2008-04-07 22:27 179,034,213 ----a-w C:\Windows\DUMP449a.tmp

2. I am still troubled by the running process:
"N:\installNY.exe" Do you know what this is? Is this on a USB flash drive?

3. Install a HOSTS block:
Visit, download and install a HOSTS file for blocking:
»www.mvps.org/winhelp2002/hosts.htm

How To: Download and Extract the HOSTS file
»www.mvps.org/winhelp2002/hosts2.htm

HOSTS File - Frequently Asked Questions
»www.mvps.org/winhelp2002/hostsfaq.htm

4. Using your mouse, left click once below where it says: "Copy to clipboard":

@echo off
rem List any DLL sitting in the Windows temp folder, then any DLL in
rem system32 whose name is five characters or shorter (cmd's ? wildcard
rem also matches a missing character at the end of the name).
dir C:\windows\temp\*.dll>log.txt
dir C:\windows\system32\?????.dll>>log.txt
rem Export two registry keys for inspection; regedit simply produces
rem no file if a key does not exist.
regedit /E ruins.reg "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins"
regedit /E URLS.reg "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls"
rem Merge the pieces into one report, discard them, and open the report.
copy log.txt+ruins.reg+urls.reg finallog.txt
del /q log.txt, ruins.reg, urls.reg>nul
notepad finallog.txt

rem Delete this batch file itself once it has run.
del %0


Open a new Notepad document. (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled.
Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and enter (including quotation marks) as the filename: "Templog.cmd". Exit Notepad.

Double click your new file. After a moment, Notepad will open. Post the contents of Notepad back to the Forum.

--
============
MS-MVP 2004 - -2008, ASAP Member
Users Helping Users



Siko
Premium
join:2006-11-27
Mechanicsburg, PA
Reviews:
·Dish Network

N:\installNY.exe was the installer for MegaScenery New York(Flight Simulator Add on), as I was running the scan or w\e it was. »www.megascenery.com/vol2-us-full.htm

I downloaded the hosts file and put it in to the drivers/etc folder.

Here is my temp

Volume in drive C is Vista
Volume Serial Number is 244C-F86D

Directory of C:\windows\temp

Volume in drive C is Vista
Volume Serial Number is 244C-F86D

Directory of C:\windows\system32

01/19/2008 03:33 AM 127,488 aclui.dll
01/19/2008 03:33 AM 257,024 adsnt.dll
01/19/2008 03:33 AM 1,730,560 apds.dll
01/19/2008 03:33 AM 198,656 apss.dll
01/19/2008 03:33 AM 71,680 atl.dll
01/19/2008 01:36 AM 289,792 atmfd.dll
01/19/2008 03:33 AM 79,360 authz.dll
01/19/2008 03:33 AM 12,800 avrt.dll
01/19/2008 03:33 AM 12,800 batt.dll
01/19/2008 03:33 AM 328,704 BFE.DLL
01/19/2008 03:33 AM 1,342,464 brcpl.dll
01/19/2008 03:33 AM 45,568 bthci.dll
01/19/2008 03:26 AM 36,864 cdd.dll
06/15/2006 12:14 PM 53,248 cdh00.dll
04/11/2006 10:45 AM 147,456 cdh01.dll
04/25/2006 11:21 AM 46,592 cdh02.dll
02/22/2008 01:05 AM 615,992 ci.dll
01/19/2008 03:33 AM 171,520 cic.dll
11/02/2006 05:46 AM 13,824 clb.dll
01/19/2008 03:33 AM 67,584 cmifw.dll
01/19/2008 03:33 AM 32,768 cmlua.dll
07/26/2007 05:15 PM 53,248 CSVer.dll
01/19/2008 03:34 AM 1,029,120 d3d10.dll
01/19/2008 03:34 AM 1,039,360 d3d8.dll
01/19/2008 03:34 AM 1,788,928 d3d9.dll
01/19/2008 03:34 AM 384,512 d3dim.dll
11/02/2006 03:10 AM 39,424 DDEML.DLL
01/19/2008 03:34 AM 522,752 ddraw.dll
01/19/2008 03:34 AM 39,936 dfdts.dll
01/19/2008 03:34 AM 178,688 dmime.dll
01/19/2008 03:34 AM 42,496 dmocx.dll
01/19/2008 03:34 AM 48,128 dnshc.dll
01/19/2008 03:34 AM 376,320 dpnet.dll
01/19/2008 03:34 AM 134,656 dps.dll
01/19/2008 03:34 AM 258,560 dpx.dll
01/19/2008 03:34 AM 173,568 dsdmo.dll
01/19/2008 03:34 AM 44,032 dssec.dll
11/02/2006 05:46 AM 28,672 dtsh.dll
01/19/2008 03:34 AM 183,808 duser.dll
08/04/2004 08:00 AM 619,008 dx7vb.dll
08/04/2004 12:56 AM 1,227,264 dx8vb.dll
01/19/2008 03:34 AM 171,520 dxgi.dll
01/19/2008 03:34 AM 64,512 dxva2.dll
01/19/2008 03:34 AM 179,200 els.dll
01/19/2008 03:34 AM 262,144 es.dll
01/19/2008 03:34 AM 1,452,544 esent.dll
01/19/2008 03:34 AM 485,888 evr.dll
01/19/2008 03:34 AM 131,072 fde.dll
01/19/2008 03:34 AM 69,120 fdWCN.dll
01/19/2008 03:34 AM 67,072 fdWSD.dll
06/06/2007 11:53 AM 1,195,888 FM20.DLL
01/19/2008 03:34 AM 23,040 fmifs.dll
01/19/2008 03:34 AM 50,688 fphc.dll
01/19/2008 03:34 AM 54,272 fwcfg.dll
11/02/2006 08:34 AM 120,832 gcdef.dll
02/22/2008 12:57 AM 295,936 gdi32.dll
11/02/2006 05:46 AM 133,632 glu32.dll
01/19/2008 03:34 AM 75,264 gpapi.dll
01/19/2008 03:34 AM 574,464 gpsvc.dll
01/19/2008 03:42 AM 177,208 hal.dll
11/02/2006 05:46 AM 22,016 hid.dll
01/19/2008 03:34 AM 83,968 hlink.dll
11/02/2006 05:46 AM 33,792 htui.dll
01/19/2008 03:34 AM 18,944 ias.dll
01/19/2008 03:34 AM 215,040 icm32.dll
11/02/2006 05:39 AM 3,072 icmp.dll
11/02/2006 05:46 AM 21,504 icmui.dll
01/19/2008 03:34 AM 26,112 idndl.dll
01/19/2008 03:34 AM 180,736 ieui.dll
01/19/2008 03:34 AM 29,696 ifmon.dll
01/19/2008 03:34 AM 105,984 imapi.dll
01/19/2008 03:34 AM 114,688 imm32.dll
01/19/2008 03:34 AM 217,600 InkEd.dll
01/19/2008 03:34 AM 200,704 input.dll
11/02/2006 05:39 AM 3,072 iprop.dll
11/02/2006 05:46 AM 17,920 irmon.dll
01/19/2008 03:34 AM 141,824 itss.dll
11/02/2006 05:39 AM 6,144 KBDA1.DLL
11/02/2006 05:39 AM 5,632 KBDA2.DLL
11/02/2006 05:39 AM 6,144 KBDA3.DLL
11/02/2006 05:39 AM 6,656 KBDAL.DLL
11/02/2006 05:39 AM 6,144 KBDBE.DLL
11/02/2006 05:39 AM 6,144 KBDBR.DLL
11/02/2006 05:39 AM 6,144 KBDBU.DLL
11/02/2006 05:39 AM 6,656 KBDCA.DLL
11/02/2006 05:39 AM 7,168 KBDCR.DLL
11/02/2006 05:39 AM 7,168 KBDCZ.DLL
11/02/2006 05:39 AM 6,144 KBDDA.DLL
11/02/2006 05:39 AM 5,632 KBDDV.DLL
11/02/2006 05:39 AM 6,656 KBDES.DLL
11/02/2006 05:39 AM 5,632 KBDFA.DLL
11/02/2006 05:39 AM 6,656 KBDFC.DLL
11/02/2006 05:39 AM 6,144 KBDFI.DLL
11/02/2006 05:39 AM 6,144 KBDFO.DLL
11/02/2006 05:39 AM 6,144 KBDFR.DLL
11/02/2006 05:39 AM 6,144 KBDGR.DLL
11/02/2006 05:39 AM 5,632 KBDHE.DLL
11/02/2006 05:39 AM 6,656 KBDHU.DLL
11/02/2006 05:39 AM 6,144 KBDIC.DLL
11/02/2006 05:39 AM 5,632 KBDIR.DLL
11/02/2006 05:39 AM 5,632 KBDIT.DLL
11/02/2006 05:39 AM 6,656 KBDLA.DLL
11/02/2006 05:39 AM 5,632 KBDLT.DLL
11/02/2006 05:39 AM 6,144 KBDLV.DLL
11/02/2006 05:39 AM 6,144 KBDNE.DLL
11/02/2006 05:39 AM 6,144 KBDNO.DLL
11/02/2006 05:39 AM 6,656 KBDPL.DLL
11/02/2006 05:39 AM 6,144 KBDPO.DLL
11/02/2006 05:39 AM 7,168 KBDRO.DLL
11/02/2006 05:39 AM 5,632 KBDRU.DLL
11/02/2006 05:39 AM 6,656 KBDSF.DLL
11/02/2006 05:39 AM 7,168 KBDSG.DLL
11/02/2006 05:39 AM 6,656 KBDSL.DLL
11/02/2006 05:39 AM 6,144 KBDSP.DLL
11/02/2006 05:39 AM 6,144 KBDSW.DLL
11/02/2006 05:39 AM 6,144 KBDUK.DLL
11/02/2006 05:39 AM 5,632 KBDUR.DLL
11/02/2006 05:39 AM 6,144 KBDUS.DLL
01/19/2008 03:41 AM 19,512 kdcom.dll
01/19/2008 03:41 AM 21,560 kdusb.dll
01/19/2008 03:34 AM 68,096 KMSVC.DLL
01/19/2008 03:34 AM 23,552 lpk.dll
11/02/2006 04:33 AM 3,072 lz32.dll
01/19/2008 03:34 AM 852,992 mcmde.dll
01/19/2008 03:36 AM 2,867,712 mf.dll
11/02/2006 05:46 AM 924,944 mfc40.dll
01/19/2008 03:34 AM 1,135,104 mfc42.dll
03/18/2003 05:20 PM 1,060,864 MFC71.dll
01/19/2008 03:34 AM 98,816 mfps.dll
01/19/2008 03:34 AM 187,904 mlang.dll
11/02/2006 05:46 AM 52,224 mmci.dll
01/19/2008 03:34 AM 45,056 mmcss.dll
01/19/2008 03:34 AM 68,608 mpr.dll
11/02/2006 08:34 AM 61,168 msacm.dll
11/02/2006 05:40 AM 3,072 msafd.dll
01/19/2008 03:34 AM 391,168 mscms.dll
01/19/2008 03:34 AM 806,912 msctf.dll
01/19/2008 03:34 AM 30,720 msdmo.dll
01/19/2008 03:34 AM 415,232 msdri.dll
01/19/2008 03:34 AM 329,216 msdrm.dll
01/19/2008 03:34 AM 212,992 msdt.dll
01/19/2008 03:35 AM 2,085,888 msi.dll
01/19/2008 03:35 AM 23,552 msscb.dll
01/19/2008 03:35 AM 414,208 msscp.dll
01/19/2008 03:35 AM 169,472 mssha.dll
01/19/2008 03:35 AM 333,824 mssph.dll
01/19/2008 03:35 AM 1,696,768 mssvp.dll
01/19/2008 03:35 AM 163,328 msutb.dll
11/02/2006 05:46 AM 22,528 msyuv.dll
01/19/2008 03:35 AM 22,016 mtxdm.dll
11/02/2006 05:46 AM 7,168 mtxex.dll
01/19/2008 03:35 AM 74,240 nci.dll
01/19/2008 03:35 AM 93,184 ncsi.dll
11/02/2006 05:41 AM 2,048 neth.dll
01/19/2008 03:35 AM 119,808 netid.dll
01/19/2008 03:35 AM 154,624 nlmgp.dll
01/19/2008 03:35 AM 25,088 Nlsdl.dll
01/19/2008 03:35 AM 8,192 nsi.dll
01/19/2008 03:38 AM 1,203,792 ntdll.dll
09/18/2006 05:35 PM 42,592 ole2.dll
01/19/2008 03:36 AM 1,315,328 ole32.dll
01/19/2008 03:36 AM 1,541,120 onex.dll
01/19/2008 03:36 AM 202,240 P2P.dll
01/19/2008 03:36 AM 26,624 pcadm.dll
01/19/2008 03:36 AM 464,384 pcaui.dll
01/19/2008 03:36 AM 242,688 pdh.dll
01/19/2008 03:36 AM 46,592 pdhui.dll
11/02/2006 08:34 AM 36,352 pid.dll
01/19/2008 03:36 AM 1,502,208 pla.dll
09/18/2006 05:43 PM 46,592 pmspl.dll
04/04/2008 08:39 PM 278,528 pncrt.dll
01/19/2008 03:36 AM 10,752 pnpts.dll
01/19/2008 03:36 AM 542,208 pnpui.dll
01/19/2008 03:36 AM 16,896 pots.dll
11/02/2006 05:46 AM 12,288 psapi.dll
01/19/2008 03:42 AM 51,768 PSHED.DLL
03/07/2007 07:51 PM 547,576 px.dll
03/07/2007 07:51 PM 129,784 pxafs.dll
03/07/2007 07:51 PM 510,712 pxdrv.dll
03/07/2007 07:51 PM 187,128 pxmas.dll
03/07/2007 07:51 PM 1,628,920 pxsfs.dll
01/19/2008 03:36 AM 208,896 qasf.dll
01/19/2008 03:36 AM 192,000 qcap.dll
01/19/2008 03:36 AM 281,600 qdv.dll
01/19/2008 03:36 AM 497,152 qdvd.dll
01/19/2008 03:36 AM 505,344 qedit.dll
01/19/2008 03:36 AM 758,272 qmgr.dll
01/19/2008 03:36 AM 1,381,376 Query.dll
01/19/2008 03:36 AM 79,360 QUTIL.DLL
01/19/2008 03:36 AM 243,712 qwave.dll
01/19/2008 03:36 AM 975,360 RASMM.dll
01/19/2008 02:01 AM 134,656 rdpdd.dll
11/02/2006 05:43 AM 2,560 rnr20.dll
01/19/2008 03:36 AM 547,328 rpcss.dll
11/02/2006 08:36 AM 17,920 rsmps.dll
01/19/2008 03:36 AM 114,688 rtm.dll
02/18/2008 09:58 PM 316,768 sayax.dll
01/19/2008 03:36 AM 322,560 sbe.dll
01/19/2008 03:36 AM 153,088 sbeio.dll
01/19/2008 03:36 AM 140,288 scksp.dll
03/24/1998 10:54 PM 15,872 SCP32.DLL
01/19/2008 03:36 AM 47,104 Sens.dll
11/02/2006 05:46 AM 4,608 sfc.dll
11/02/2006 03:10 AM 5,120 SHELL.DLL
01/19/2008 03:36 AM 225,792 SLC.dll
01/19/2008 03:36 AM 777,216 slcc.dll
01/19/2008 03:36 AM 12,288 slwga.dll
01/19/2008 03:36 AM 35,328 slwmi.dll
01/19/2008 03:36 AM 64,512 spbcd.dll
11/02/2006 05:46 AM 8,192 spnet.dll
01/19/2008 03:36 AM 15,872 spopk.dll
01/19/2008 03:36 AM 142,336 spp.dll
01/19/2008 03:36 AM 44,544 sppnp.dll
01/19/2008 03:36 AM 7,680 spwmp.dll
01/19/2008 03:36 AM 24,064 srwmi.dll
11/02/2006 08:34 AM 198,144 sti.dll
01/19/2008 03:36 AM 1,224,192 sud.dll
01/19/2008 03:36 AM 310,784 swprv.dll
01/19/2008 03:36 AM 376,832 sxs.dll
09/18/2006 05:49 PM 19,216 tapi.dll
11/02/2006 05:46 AM 858,112 tapi3.dll
01/19/2008 03:36 AM 11,776 tbs.dll
01/19/2008 03:36 AM 431,104 tdh.dll
01/19/2008 03:36 AM 1,298,432 TMM.dll
11/02/2006 05:46 AM 18,944 TRAPI.dll
01/19/2008 02:01 AM 14,336 tsddd.dll
01/19/2008 03:36 AM 62,464 TSpkg.dll
11/02/2006 02:58 AM 2,048 tzres.dll
01/19/2008 03:36 AM 208,384 uDWM.dll
01/19/2008 03:36 AM 92,672 ufat.dll
11/02/2006 05:46 AM 34,816 uicom.dll
01/19/2008 03:36 AM 2,588,160 UIHub.dll
01/19/2008 03:36 AM 99,840 ulib.dll
01/19/2008 03:36 AM 51,712 umb.dll
01/19/2008 03:36 AM 736,768 unbcl.dll
01/19/2008 03:36 AM 322,560 untfs.dll
01/19/2008 03:36 AM 195,584 upnp.dll
11/02/2006 05:46 AM 23,040 ureg.dll
01/19/2008 03:36 AM 105,984 url.dll
01/19/2008 03:36 AM 83,456 usbui.dll
01/19/2008 03:36 AM 501,760 usp10.dll
01/19/2008 03:36 AM 130,560 uudf.dll
01/19/2008 03:36 AM 28,672 uxsms.dll
01/19/2008 03:36 AM 257,024 VAN.dll
06/18/1998 01:00 AM 89,360 VB5DB.DLL
07/06/1998 05:56 PM 125,712 VB6DE.DLL
11/24/1999 07:40 PM 40,960 VBAME.DLL
01/12/2001 06:52 AM 94,208 vbpng.dll
09/18/2006 05:43 PM 9,008 ver.dll
01/19/2008 01:52 AM 10,752 vga.dll
12/07/1999 06:00 AM 162,064 vtext.dll
01/19/2008 03:36 AM 1,020,928 wdc.dll
01/19/2008 03:36 AM 73,728 wdi.dll
01/19/2008 03:36 AM 876,032 wer.dll
01/19/2008 03:36 AM 189,952 winmm.dll
01/19/2008 03:36 AM 223,232 WMASF.DLL
11/02/2006 05:44 AM 5,120 wmi.dll
01/19/2008 03:36 AM 154,624 wmidx.dll
01/19/2008 03:37 AM 10,620,928 wmp.dll
01/19/2008 03:37 AM 22,016 wmpcm.dll
11/02/2006 08:35 AM 131,072 wmpps.dll
01/19/2008 03:37 AM 273,920 wow32.dll
01/19/2008 03:37 AM 296,960 Wpc.dll
01/19/2008 03:37 AM 532,992 wpcao.dll
11/06/2007 04:23 PM 240,248 wpcap.dll
01/19/2008 03:37 AM 349,184 WPDSp.dll
11/02/2006 05:46 AM 14,848 wshrm.dll
01/19/2008 01:39 AM 1,536 WsmCl.dll
01/19/2008 03:37 AM 534,016 wuapi.dll
01/19/2008 03:37 AM 305,152 WUDFx.dll
01/19/2008 03:37 AM 23,040 wups.dll
01/19/2008 03:37 AM 32,768 wups2.dll
01/19/2008 03:37 AM 456,704 wvc.dll
04/17/2007 03:34 PM 7,677,744 xlive.dll
11/02/2006 05:46 AM 79,360 xwreg.dll
03/13/2002 06:46 PM 53,248 zlib.dll
276 File(s) 90,167,944 bytes
0 Dir(s) 20,178,452,480 bytes free




bcastner
Premium,VIP,MVM
join:2002-09-25
Chevy Chase, MD
kudos:7

reply to Siko
Download The Avenger by Swandog46 from:

http://swandog46.geekstogo.com/avenger2/download.php
 

• Unzip/extract it to a folder on your desktop.
• Double click on avenger.exe to run The Avenger.
• Click OK.
• Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
• Click the Execute button.
• You will be asked No script has been entered. Do you want to execute a rootkit scan only?.
• Click Yes.
• You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
• Click Yes.
• Your PC will now be rebooted.
• After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
• Please post this log in your next reply.

--
============
MS-MVP 2004 - -2008, ASAP Member
Users Helping Users



Siko
Premium
join:2006-11-27
Mechanicsburg, PA
Reviews:
·Dish Network

Sigh, nothing there.

Logfile of The Avenger Version 2.0, (c) by Swandog46
»swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Completed script processing.

*******************

Finished! Terminate.



bcastner
Premium,VIP,MVM
join:2002-09-25
Chevy Chase, MD
kudos:7

2 edits

reply to Siko
Well, I believe there is something, but where it is escapes me and all the tools we have used to scan your system. Your logs are a little tedious, as there are over a hundred firewall exceptions, each one had to be checked; and your file and folder activity is voluminous. Let's take two steps, then do some cleanup.

1. Make an entry in your HOSTS file, anywhere in the active portion of the file (not the header) that reads:

127.0.0.1 localhost

To do this, right click NOTEPAD.EXE and choose to Run as Administrator. Below the header portion you will begin to see entries added by the HOSTS file you installed. Place your new entry anywhere in this active portion of the listing, and save the file.

2. Consider using OpenDNS servers for DNS resolution. It is completely possible the redirection is occurring from your ISP DNS servers. It is not unheard of.
»www.opendns.com/

Open Acrobat if you have the Full Version installed. Click Help and run the Upgrade applet found there. If no update is offered: Use the Preferences, Internet submenu of Acrobat and uncheck to integrate with your Browser. Close Acrobat.
Whether you had the Full Version of Acrobat or not, download and install Adobe Reader 8.1.1 and use this as the integrated PDF Reader inside your browser: »www.adobe.com/products/acrobat/r···ep2.html

Clean-up & Prevention:

• Click Start, then click Run.
Enter into the command box that opens: combofix /u and then click OK.
(If we have renamed this file, please use the current name for the program in this instruction.)


• Run ATF Cleaner , and checkmark "Empty Recycle Bin", click "Empty Selected" and exit the program. You can delete or keep this utility as you wish.

• Use Control Panel, Add or Remove Programs, and Uninstall any entry related to an On-Line scanner we may have used.
If you find any files or folders created during this cleanup operation remaining, please feel free to delete them. Please Uninstall MBAM.

• Please download to your Desktop OT_MOVEIT:

http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe
 

Please double-click OTMoveIt2.exe to run the utility.

Click the green CleanUp! button.
It downloads a small script from the internet. If your Firewall complains, allow the download.

• Configure your Antivirus software to check for updates daily, at a time in which you are sure the computer will be on.

• If I asked you to Disable something like TeaTimer or another malware blocker, please go ahead and re-enable them if you wish.

Download and install Comodo BOClean (free):
http://www.comodo.com/boclean/CBO_download.html
 

Download, install, and keep updated Spyware Blaster (free):
http://www.javacoolsoftware.com/spywareblaster.html
 

• Refer to my first set of instructions above, and reconfigure Hidden Files and Folders to your choosing.

Best wishes.
Bill Castner

--
============
MS-MVP 2004 - -2008, ASAP Member
Users Helping Users
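As an added example (not code from the thread or from either poster), here is a Python audit of a Windows HOSTS file that checks the two things bcastner's instructions turn on: whether a loopback entry for localhost is present, and whether any line maps a well-known domain somewhere other than a loopback sink, which is the shape of a HOSTS-based search redirect. The sample HOSTS content, the protected-domain list and the sink addresses are constructed assumptions; 67.29.139.220 is the redirect address reported in the first post.

```python
"""Audit a Windows HOSTS file: is the loopback entry for localhost present
(step 1 in the thread), and does any line map a well-known domain somewhere
other than a loopback sink, the shape of a HOSTS-based search redirect?"""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed for this example: domains a block list should never redirect.
PROTECTED_DOMAINS = ("google.com", "microsoft.com", "mvps.org")
# Redirect destination reported by the original poster in this thread.
KNOWN_REDIRECT_IPS = {"67.29.139.220"}
# Targets that make an entry a block (sinkhole) rather than a redirect.
SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}


@dataclass
class HostsAudit:
    has_localhost: bool = False
    block_entries: int = 0
    hijacks: list = field(default_factory=list)    # (line_no, host, ip, reason)
    malformed: list = field(default_factory=list)  # (line_no, first_token)


def parse_hosts(text):
    """Yield (line_no, ip_token, [hostnames]) for every active entry; blank
    lines and '#' comments, including trailing ones, are skipped."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = re.split(r"\s+", line)
            yield n, parts[0], [p.lower() for p in parts[1:]]


def audit_hosts(text):
    result = HostsAudit()
    for n, ip, hosts in parse_hosts(text):
        try:
            addr = str(ipaddress.ip_address(ip))
        except ValueError:
            result.malformed.append((n, ip))
            continue
        if not hosts:  # an address with no name is not a valid entry
            result.malformed.append((n, ip))
            continue
        if addr in SINK_ADDRESSES:
            # Sinkhole lines: count the blocked names, note a real localhost line.
            if addr != "0.0.0.0" and "localhost" in hosts:
                result.has_localhost = True
            result.block_entries += sum(1 for h in hosts if h != "localhost")
            continue
        # Anything else is a genuine redirect; decide whether it is suspicious.
        for h in hosts:
            if addr in KNOWN_REDIRECT_IPS:
                reason = "known redirect address from this thread"
            elif h == "localhost":
                reason = "localhost mapped off loopback"
            elif any(h == d or h.endswith("." + d) for d in PROTECTED_DOMAINS):
                reason = "protected domain mapped off loopback"
            else:
                continue
            result.hijacks.append((n, h, addr, reason))
    return result


def ensure_localhost(text):
    """Append '127.0.0.1 localhost' to the active portion of the file when no
    loopback entry for localhost exists (the thread's step 1); else unchanged."""
    if audit_hosts(text).has_localhost:
        return text
    return text.rstrip("\n") + "\n127.0.0.1 localhost\n"


# Constructed sample: a header where localhost is only a comment, a few
# MVPS-style block lines, two planted hijack lines and one unparsable line.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#   127.0.0.1       localhost

# block entries (constructed)
127.0.0.1  www.annoying-ads.example
127.0.0.1  tracker.example  cdn.tracker.example
0.0.0.0    banners.example

# planted hijack entries (constructed)
67.29.139.220  www.google.com
10.0.0.5       update.microsoft.com   # bogus private address
this-is-not-an-ip  www.example.com
"""

if __name__ == "__main__":
    print(audit_hosts(SAMPLE_HOSTS))
```

Running it against the real file (C:\Windows\System32\drivers\etc\hosts) means reading that path instead of SAMPLE_HOSTS; the audit itself needs no privileges, only the rewrite does.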



Siko
Premium
join:2006-11-27
Mechanicsburg, PA
Reviews:
·Dish Network

4 edits

Here is a tracert to google. I don't know if this helps or not.

C:\Users\Murlin Wei>tracert google.com

Tracing route to google.com [64.233.187.99]
over a maximum of 30 hops:

1 1 ms 1 ms 1 ms 192.168.1.1
2 17 ms 17 ms 18 ms 10.12.17.1
3 16 ms 17 ms 17 ms P3-3.LCR-01.HRBGPA.verizon-gni.net [130.81.36.204]
4 28 ms 28 ms 29 ms so-7-0-0-0.BB-RTR1.RES.verizon-gni.net [130.81.19.50]
5 81 ms 28 ms 28 ms 0.ge-6-0-0.BR2.IAD8.ALTER.NET [152.63.41.149]
6 89 ms 29 ms 28 ms 192.205.35.37
7 31 ms 31 ms 31 ms tbr1.wswdc.ip.att.net [12.123.8.98]
8 30 ms 29 ms 28 ms 12.122.113.46
9 173 ms 150 ms 42 ms 12.88.155.14
10 29 ms 31 ms 31 ms 209.85.130.16
11 46 ms 49 ms 44 ms 66.249.95.149
12 50 ms 47 ms 47 ms 72.14.236.15
13 47 ms 54 ms 53 ms 216.239.49.222
14 50 ms 49 ms 49 ms jc-in-f99.google.com [64.233.187.99]

Trace complete.



bcastner
Premium,VIP,MVM
join:2002-09-25
Chevy Chase, MD
kudos:7

reply to Siko
There likely is a Wareout type DNS redirector there, but I just cannot see it, nor can any of the scanners used.

You have an enormous number of firewall exceptions, as well as a great deal of file and folder activity over the last two months that make this log too tedious to be able to parse by hand.

There is no evidence of a kernel rootkit or a Zlob DNS redirector. The userland space appears clean, relatively speaking, as the only file of interest is reported by GMER to be missing, spmq.sys.

I really have no other ideas to offer; you can try if you like some additional online scans. Surprisingly good for this issue is the Microsoft free "OneCare Live Safety scan", as well as the free online scan by ESET.

Best wishes,
Bill Castner
--
============
MS-MVP 2004 - -2008, ASAP Member
Users Helping Users


over 12.5 years online © 1999-2012 dslreports.com.