http://www.dslreports.com/forum/r20299397 en Thu, 21 Aug 2008 01:37:12 EDT Thu, 21 Aug 2008 01:37:12 EDT http://www.dslreports.com/forum/remark,20403836 bcastner : There likely is a Wareout type DNS redirector there, but I just cannot see it, nor can any of the scanners used.

You have an enormous number of firewall exceptions, as well as a great deal of file and folder activity over the last two months that make this log too tedious to be able to parse by hand.

There is no evidence of a kernel rootkit or a Zlob DNS redirector. The userland space appears clean, relatively speaking, as the only file of interest is reported by GMER to be missing, spmq.sys.

I really have no other ideas to offer; you can try if you like some additional online scans. Suprisingly good for this issue is the Microsoft free "OneCare Live Safety scan", as well as the free online scan by ESET.

Best wishes,
Bill Castner
--
============
MS-MVP 2004 - -2008, ASAP Member
Users Helping Users

]]> http://www.dslreports.com/forum/remark,20403836 Tue, 29 Apr 2008 07:06:04 EDT http://www.dslreports.com/forum/remark,20396469 Siko : Here is a tracert to google. I don't know if this helps or not.

C:\Users\Murlin Wei>tracert google.com

Tracing route to google.com [64.233.187.99]
over a maximum of 30 hops:

1 1 ms 1 ms 1 ms 192.168.1.1
2 17 ms 17 ms 18 ms 10.12.17.1
3 16 ms 17 ms 17 ms P3-3.LCR-01.HRBGPA.verizon-gni.net [130.81.36.204]
4 28 ms 28 ms 29 ms so-7-0-0-0.BB-RTR1.RES.verizon-gni.net [130.81.19.50]
5 81 ms 28 ms 28 ms 0.ge-6-0-0.BR2.IAD8.ALTER.NET [152.63.41.149]
6 89 ms 29 ms 28 ms 192.205.35.37
7 31 ms 31 ms 31 ms tbr1.wswdc.ip.att.net [12.123.8.98]
8 30 ms 29 ms 28 ms 12.122.113.46
9 173 ms 150 ms 42 ms 12.88.155.14
10 29 ms 31 ms 31 ms 209.85.130.16
11 46 ms 49 ms 44 ms 66.249.95.149
12 50 ms 47 ms 47 ms 72.14.236.15
13 47 ms 54 ms 53 ms 216.239.49.222
14 50 ms 49 ms 49 ms jc-in-f99.google.com [64.233.187.99]

Trace complete.]]> http://www.dslreports.com/forum/remark,20396469 Sun, 27 Apr 2008 19:18:52 EDT http://www.dslreports.com/forum/remark,20376674 bcastner : Well, I believe there is something, but where it is escapes me and all the tools we have used to scan your system. Your logs are a little tedious, as there are over a hundred firewall exceptions, each one had to be checked; and your file and folder activity is voluminous. Lets take two steps, then do some cleanup.

1. Make an entry in your HOSTS file, anywhere in the active portion of the file (not the header) that reads:

127.0.0.1 localhost

To do this, right click NOTEPAD.EXE and choose to Run as Administrator. Below the header portion you will begin to see entries added by the HOSTS file you installed. Place your new entry anywhere in this active portion of the listing, and save the file.

2. Consider using OpenDNS servers for DNS resolution. It is completely possible the redirection is occuring from your ISP DNS servers. It is not unheard of.
»www.opendns.com/

Open Acrobat if you have the Full Version installed Click Help and run the Upgrade applet found there. If no update is offered: Use the Preferences, Internet submenu of Acrobat and uncheck to integrate with your Browser. Close Acrobat.
Whether you had the Full Version of Acrobat or not, download and install Adobe Reader 8.1.1 and use this as the integrated PDF Reader insider your browser: »www.adobe.com/products/acrobat/r···ep2.html

Clean-up & Prevention:

• Click Start, then click Run.
Enter into the command box that opens: combofix /u and then click OK.
(If we have renamed this file, please use the current name for the program in this instruction.)


• Run ATF Cleaner , and checkmark "Empty Recycle Bin", click "Empty Selected" and exit the program. You can delete or keep this utility as you wish.

• Use Control Panel, Add or Remove Programs, and Uninstall any entry related to an On-Line scanner we may have used.
If you find any files or folders created during this cleanup operation remaining, please feel free to delete them. Please Uninstall [b]MBAM[/b.

• Please download to your Desktop OT_MOVEIT:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe
Please double-click OTMoveIt2.exe to run the utility.

Click the greeb CleanUp! button.
It downloads a small script from the internet. If you Firewall complains, allow the download.

• Configure your Antivirus software to check for updates daily, at a time in which you are sure the computer will be on.

• If I asked you to Disable something like TeaTimer or another malware blocker, please go ahead an re-enable them if you wish.

• Download and install Comodo BOClean (free):
http://www.comodo.com/boclean/CBO_download.html
• Download, install, and keep updated Spyware Blaster (free):
http://www.javacoolsoftware.com/spywareblaster.html
• Refer to my first set of instructions above, and reconfigure Hidden Files and Folders to your choosing.

Best wishes.
Bill Castner

--
============
MS-MVP 2004 - -2008, ASAP Member
Users Helping Users

]]> http://www.dslreports.com/forum/remark,20376674 Wed, 23 Apr 2008 21:00:05 EDT http://www.dslreports.com/forum/remark,20375420 Siko : Sigh, nothing there.

Logfile of The Avenger Version 2.0, (c) by Swandog46
»swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Completed script processing.

*******************

Finished! Terminate.]]> http://www.dslreports.com/forum/remark,20375420 Wed, 23 Apr 2008 16:41:34 EDT http://www.dslreports.com/forum/remark,20374900 bcastner : Download The Avenger by Swandog46 from:
http://swandog46.geekstogo.com/avenger2/download.php
• Unzip/extract it to a folder on your desktop.
• Double click on avenger.exe to run The Avenger.
• Click OK.
• Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
• Click the Execute button.
• You will be asked No script has been entered. Do you want to execute a rootkit scan only?.
• Click Yes.
• You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
• Click Yes.
• Your PC will now be rebooted.
• After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt)..
• Please post this log in your next reply.

--
============
MS-MVP 2004 - -2008, ASAP Member
Users Helping Users

]]> http://www.dslreports.com/forum/remark,20374900 Wed, 23 Apr 2008 15:15:00 EDT http://www.dslreports.com/forum/remark,20369311 Siko : N:\installNY.exe was the installer for MegaScenery New York(Flight Simulator Add on), as I was running the scan or w\e it was. »www.megascenery.com/vol2-us-full.htm

I downloaded the hosts file and put it in to the drivers/etc folder.

Here is my temp

Volume in drive C is Vista
Volume Serial Number is 244C-F86D

Directory of C:\windows\temp

Volume in drive C is Vista
Volume Serial Number is 244C-F86D

Directory of C:\windows\system32

01/19/2008 03:33 AM 127,488 aclui.dll
01/19/2008 03:33 AM 257,024 adsnt.dll
01/19/2008 03:33 AM 1,730,560 apds.dll
01/19/2008 03:33 AM 198,656 apss.dll
01/19/2008 03:33 AM 71,680 atl.dll
01/19/2008 01:36 AM 289,792 atmfd.dll
01/19/2008 03:33 AM 79,360 authz.dll
01/19/2008 03:33 AM 12,800 avrt.dll
01/19/2008 03:33 AM 12,800 batt.dll
01/19/2008 03:33 AM 328,704 BFE.DLL
01/19/2008 03:33 AM 1,342,464 brcpl.dll
01/19/2008 03:33 AM 45,568 bthci.dll
01/19/2008 03:26 AM 36,864 cdd.dll
06/15/2006 12:14 PM 53,248 cdh00.dll
04/11/2006 10:45 AM 147,456 cdh01.dll
04/25/2006 11:21 AM 46,592 cdh02.dll
02/22/2008 01:05 AM 615,992 ci.dll
01/19/2008 03:33 AM 171,520 cic.dll
11/02/2006 05:46 AM 13,824 clb.dll
01/19/2008 03:33 AM 67,584 cmifw.dll
01/19/2008 03:33 AM 32,768 cmlua.dll
07/26/2007 05:15 PM 53,248 CSVer.dll
01/19/2008 03:34 AM 1,029,120 d3d10.dll
01/19/2008 03:34 AM 1,039,360 d3d8.dll
01/19/2008 03:34 AM 1,788,928 d3d9.dll
01/19/2008 03:34 AM 384,512 d3dim.dll
11/02/2006 03:10 AM 39,424 DDEML.DLL
01/19/2008 03:34 AM 522,752 ddraw.dll
01/19/2008 03:34 AM 39,936 dfdts.dll
01/19/2008 03:34 AM 178,688 dmime.dll
01/19/2008 03:34 AM 42,496 dmocx.dll
01/19/2008 03:34 AM 48,128 dnshc.dll
01/19/2008 03:34 AM 376,320 dpnet.dll
01/19/2008 03:34 AM 134,656 dps.dll
01/19/2008 03:34 AM 258,560 dpx.dll
01/19/2008 03:34 AM 173,568 dsdmo.dll
01/19/2008 03:34 AM 44,032 dssec.dll
11/02/2006 05:46 AM 28,672 dtsh.dll
01/19/2008 03:34 AM 183,808 duser.dll
08/04/2004 08:00 AM 619,008 dx7vb.dll
08/04/2004 12:56 AM 1,227,264 dx8vb.dll
01/19/2008 03:34 AM 171,520 dxgi.dll
01/19/2008 03:34 AM 64,512 dxva2.dll
01/19/2008 03:34 AM 179,200 els.dll
01/19/2008 03:34 AM 262,144 es.dll
01/19/2008 03:34 AM 1,452,544 esent.dll
01/19/2008 03:34 AM 485,888 evr.dll
01/19/2008 03:34 AM 131,072 fde.dll
01/19/2008 03:34 AM 69,120 fdWCN.dll
01/19/2008 03:34 AM 67,072 fdWSD.dll
06/06/2007 11:53 AM 1,195,888 FM20.DLL
01/19/2008 03:34 AM 23,040 fmifs.dll
01/19/2008 03:34 AM 50,688 fphc.dll
01/19/2008 03:34 AM 54,272 fwcfg.dll
11/02/2006 08:34 AM 120,832 gcdef.dll
02/22/2008 12:57 AM 295,936 gdi32.dll
11/02/2006 05:46 AM 133,632 glu32.dll
01/19/2008 03:34 AM 75,264 gpapi.dll
01/19/2008 03:34 AM 574,464 gpsvc.dll
01/19/2008 03:42 AM 177,208 hal.dll
11/02/2006 05:46 AM 22,016 hid.dll
01/19/2008 03:34 AM 83,968 hlink.dll
11/02/2006 05:46 AM 33,792 htui.dll
01/19/2008 03:34 AM 18,944 ias.dll
01/19/2008 03:34 AM 215,040 icm32.dll
11/02/2006 05:39 AM 3,072 icmp.dll
11/02/2006 05:46 AM 21,504 icmui.dll
01/19/2008 03:34 AM 26,112 idndl.dll
01/19/2008 03:34 AM 180,736 ieui.dll
01/19/2008 03:34 AM 29,696 ifmon.dll
01/19/2008 03:34 AM 105,984 imapi.dll
01/19/2008 03:34 AM 114,688 imm32.dll
01/19/2008 03:34 AM 217,600 InkEd.dll
01/19/2008 03:34 AM 200,704 input.dll
11/02/2006 05:39 AM 3,072 iprop.dll
11/02/2006 05:46 AM 17,920 irmon.dll
01/19/2008 03:34 AM 141,824 itss.dll
11/02/2006 05:39 AM 6,144 KBDA1.DLL
11/02/2006 05:39 AM 5,632 KBDA2.DLL
11/02/2006 05:39 AM 6,144 KBDA3.DLL
11/02/2006 05:39 AM 6,656 KBDAL.DLL
11/02/2006 05:39 AM 6,144 KBDBE.DLL
11/02/2006 05:39 AM 6,144 KBDBR.DLL
11/02/2006 05:39 AM 6,144 KBDBU.DLL
11/02/2006 05:39 AM 6,656 KBDCA.DLL
11/02/2006 05:39 AM 7,168 KBDCR.DLL
11/02/2006 05:39 AM 7,168 KBDCZ.DLL
11/02/2006 05:39 AM 6,144 KBDDA.DLL
11/02/2006 05:39 AM 5,632 KBDDV.DLL
11/02/2006 05:39 AM 6,656 KBDES.DLL
11/02/2006 05:39 AM 5,632 KBDFA.DLL
11/02/2006 05:39 AM 6,656 KBDFC.DLL
11/02/2006 05:39 AM 6,144 KBDFI.DLL
11/02/2006 05:39 AM 6,144 KBDFO.DLL
11/02/2006 05:39 AM 6,144 KBDFR.DLL
11/02/2006 05:39 AM 6,144 KBDGR.DLL
11/02/2006 05:39 AM 5,632 KBDHE.DLL
11/02/2006 05:39 AM 6,656 KBDHU.DLL
11/02/2006 05:39 AM 6,144 KBDIC.DLL
11/02/2006 05:39 AM 5,632 KBDIR.DLL
11/02/2006 05:39 AM 5,632 KBDIT.DLL
11/02/2006 05:39 AM 6,656 KBDLA.DLL
11/02/2006 05:39 AM 5,632 KBDLT.DLL
11/02/2006 05:39 AM 6,144 KBDLV.DLL
11/02/2006 05:39 AM 6,144 KBDNE.DLL
11/02/2006 05:39 AM 6,144 KBDNO.DLL
11/02/2006 05:39 AM 6,656 KBDPL.DLL
11/02/2006 05:39 AM 6,144 KBDPO.DLL
11/02/2006 05:39 AM 7,168 KBDRO.DLL
11/02/2006 05:39 AM 5,632 KBDRU.DLL
11/02/2006 05:39 AM 6,656 KBDSF.DLL
11/02/2006 05:39 AM 7,168 KBDSG.DLL
11/02/2006 05:39 AM 6,656 KBDSL.DLL
11/02/2006 05:39 AM 6,144 KBDSP.DLL
11/02/2006 05:39 AM 6,144 KBDSW.DLL
11/02/2006 05:39 AM 6,144 KBDUK.DLL
11/02/2006 05:39 AM 5,632 KBDUR.DLL
11/02/2006 05:39 AM 6,144 KBDUS.DLL
01/19/2008 03:41 AM 19,512 kdcom.dll
01/19/2008 03:41 AM 21,560 kdusb.dll
01/19/2008 03:34 AM 68,096 KMSVC.DLL
01/19/2008 03:34 AM 23,552 lpk.dll
11/02/2006 04:33 AM 3,072 lz32.dll
01/19/2008 03:34 AM 852,992 mcmde.dll
01/19/2008 03:36 AM 2,867,712 mf.dll
11/02/2006 05:46 AM 924,944 mfc40.dll
01/19/2008 03:34 AM 1,135,104 mfc42.dll
03/18/2003 05:20 PM 1,060,864 MFC71.dll
01/19/2008 03:34 AM 98,816 mfps.dll
01/19/2008 03:34 AM 187,904 mlang.dll
11/02/2006 05:46 AM 52,224 mmci.dll
01/19/2008 03:34 AM 45,056 mmcss.dll
01/19/2008 03:34 AM 68,608 mpr.dll
11/02/2006 08:34 AM 61,168 msacm.dll
11/02/2006 05:40 AM 3,072 msafd.dll
01/19/2008 03:34 AM 391,168 mscms.dll
01/19/2008 03:34 AM 806,912 msctf.dll
01/19/2008 03:34 AM 30,720 msdmo.dll
01/19/2008 03:34 AM 415,232 msdri.dll
01/19/2008 03:34 AM 329,216 msdrm.dll
01/19/2008 03:34 AM 212,992 msdt.dll
01/19/2008 03:35 AM 2,085,888 msi.dll
01/19/2008 03:35 AM 23,552 msscb.dll
01/19/2008 03:35 AM 414,208 msscp.dll
01/19/2008 03:35 AM 169,472 mssha.dll
01/19/2008 03:35 AM 333,824 mssph.dll
01/19/2008 03:35 AM 1,696,768 mssvp.dll
01/19/2008 03:35 AM 163,328 msutb.dll
11/02/2006 05:46 AM 22,528 msyuv.dll
01/19/2008 03:35 AM 22,016 mtxdm.dll
11/02/2006 05:46 AM 7,168 mtxex.dll
01/19/2008 03:35 AM 74,240 nci.dll
01/19/2008 03:35 AM 93,184 ncsi.dll
11/02/2006 05:41 AM 2,048 neth.dll
01/19/2008 03:35 AM 119,808 netid.dll
01/19/2008 03:35 AM 154,624 nlmgp.dll
01/19/2008 03:35 AM 25,088 Nlsdl.dll
01/19/2008 03:35 AM 8,192 nsi.dll
01/19/2008 03:38 AM 1,203,792 ntdll.dll
09/18/2006 05:35 PM 42,592 ole2.dll
01/19/2008 03:36 AM 1,315,328 ole32.dll
01/19/2008 03:36 AM 1,541,120 onex.dll
01/19/2008 03:36 AM 202,240 P2P.dll
01/19/2008 03:36 AM 26,624 pcadm.dll
01/19/2008 03:36 AM 464,384 pcaui.dll
01/19/2008 03:36 AM 242,688 pdh.dll
01/19/2008 03:36 AM 46,592 pdhui.dll
11/02/2006 08:34 AM 36,352 pid.dll
01/19/2008 03:36 AM 1,502,208 pla.dll
09/18/2006 05:43 PM 46,592 pmspl.dll
04/04/2008 08:39 PM 278,528 pncrt.dll
01/19/2008 03:36 AM 10,752 pnpts.dll
01/19/2008 03:36 AM 542,208 pnpui.dll
01/19/2008 03:36 AM 16,896 pots.dll
11/02/2006 05:46 AM 12,288 psapi.dll
01/19/2008 03:42 AM 51,768 PSHED.DLL
03/07/2007 07:51 PM 547,576 px.dll
03/07/2007 07:51 PM 129,784 pxafs.dll
03/07/2007 07:51 PM 510,712 pxdrv.dll
03/07/2007 07:51 PM 187,128 pxmas.dll
03/07/2007 07:51 PM 1,628,920 pxsfs.dll
01/19/2008 03:36 AM 208,896 qasf.dll
01/19/2008 03:36 AM 192,000 qcap.dll
01/19/2008 03:36 AM 281,600 qdv.dll
01/19/2008 03:36 AM 497,152 qdvd.dll
01/19/2008 03:36 AM 505,344 qedit.dll
01/19/2008 03:36 AM 758,272 qmgr.dll
01/19/2008 03:36 AM 1,381,376 Query.dll
01/19/2008 03:36 AM 79,360 QUTIL.DLL
01/19/2008 03:36 AM 243,712 qwave.dll
01/19/2008 03:36 AM 975,360 RASMM.dll
01/19/2008 02:01 AM 134,656 rdpdd.dll
11/02/2006 05:43 AM 2,560 rnr20.dll
01/19/2008 03:36 AM 547,328 rpcss.dll
11/02/2006 08:36 AM 17,920 rsmps.dll
01/19/2008 03:36 AM 114,688 rtm.dll
02/18/2008 09:58 PM 316,768 sayax.dll
01/19/2008 03:36 AM 322,560 sbe.dll
01/19/2008 03:36 AM 153,088 sbeio.dll
01/19/2008 03:36 AM 140,288 scksp.dll
03/24/1998 10:54 PM 15,872 SCP32.DLL
01/19/2008 03:36 AM 47,104 Sens.dll
11/02/2006 05:46 AM 4,608 sfc.dll
11/02/2006 03:10 AM 5,120 SHELL.DLL
01/19/2008 03:36 AM 225,792 SLC.dll
01/19/2008 03:36 AM 777,216 slcc.dll
01/19/2008 03:36 AM 12,288 slwga.dll
01/19/2008 03:36 AM 35,328 slwmi.dll
01/19/2008 03:36 AM 64,512 spbcd.dll
11/02/2006 05:46 AM 8,192 spnet.dll
01/19/2008 03:36 AM 15,872 spopk.dll
01/19/2008 03:36 AM 142,336 spp.dll
01/19/2008 03:36 AM 44,544 sppnp.dll
01/19/2008 03:36 AM 7,680 spwmp.dll
01/19/2008 03:36 AM 24,064 srwmi.dll
11/02/2006 08:34 AM 198,144 sti.dll
01/19/2008 03:36 AM 1,224,192 sud.dll
01/19/2008 03:36 AM 310,784 swprv.dll
01/19/2008 03:36 AM 376,832 sxs.dll
09/18/2006 05:49 PM 19,216 tapi.dll
11/02/2006 05:46 AM 858,112 tapi3.dll
01/19/2008 03:36 AM 11,776 tbs.dll
01/19/2008 03:36 AM 431,104 tdh.dll
01/19/2008 03:36 AM 1,298,432 TMM.dll
11/02/2006 05:46 AM 18,944 TRAPI.dll
01/19/2008 02:01 AM 14,336 tsddd.dll
01/19/2008 03:36 AM 62,464 TSpkg.dll
11/02/2006 02:58 AM 2,048 tzres.dll
01/19/2008 03:36 AM 208,384 uDWM.dll
01/19/2008 03:36 AM 92,672 ufat.dll
11/02/2006 05:46 AM 34,816 uicom.dll
01/19/2008 03:36 AM 2,588,160 UIHub.dll
01/19/2008 03:36 AM 99,840 ulib.dll
01/19/2008 03:36 AM 51,712 umb.dll
01/19/2008 03:36 AM 736,768 unbcl.dll
01/19/2008 03:36 AM 322,560 untfs.dll
01/19/2008 03:36 AM 195,584 upnp.dll
11/02/2006 05:46 AM 23,040 ureg.dll
01/19/2008 03:36 AM 105,984 url.dll
01/19/2008 03:36 AM 83,456 usbui.dll
01/19/2008 03:36 AM 501,760 usp10.dll
01/19/2008 03:36 AM 130,560 uudf.dll
01/19/2008 03:36 AM 28,672 uxsms.dll
01/19/2008 03:36 AM 257,024 VAN.dll
06/18/1998 01:00 AM 89,360 VB5DB.DLL
07/06/1998 05:56 PM 125,712 VB6DE.DLL
11/24/1999 07:40 PM 40,960 VBAME.DLL
01/12/2001 06:52 AM 94,208 vbpng.dll
09/18/2006 05:43 PM 9,008 ver.dll
01/19/2008 01:52 AM 10,752 vga.dll
12/07/1999 06:00 AM 162,064 vtext.dll
01/19/2008 03:36 AM 1,020,928 wdc.dll
01/19/2008 03:36 AM 73,728 wdi.dll
01/19/2008 03:36 AM 876,032 wer.dll
01/19/2008 03:36 AM 189,952 winmm.dll
01/19/2008 03:36 AM 223,232 WMASF.DLL
11/02/2006 05:44 AM 5,120 wmi.dll
01/19/2008 03:36 AM 154,624 wmidx.dll
01/19/2008 03:37 AM 10,620,928 wmp.dll
01/19/2008 03:37 AM 22,016 wmpcm.dll
11/02/2006 08:35 AM 131,072 wmpps.dll
01/19/2008 03:37 AM 273,920 wow32.dll
01/19/2008 03:37 AM 296,960 Wpc.dll
01/19/2008 03:37 AM 532,992 wpcao.dll
11/06/2007 04:23 PM 240,248 wpcap.dll
01/19/2008 03:37 AM 349,184 WPDSp.dll
11/02/2006 05:46 AM 14,848 wshrm.dll
01/19/2008 01:39 AM 1,536 WsmCl.dll
01/19/2008 03:37 AM 534,016 wuapi.dll
01/19/2008 03:37 AM 305,152 WUDFx.dll
01/19/2008 03:37 AM 23,040 wups.dll
01/19/2008 03:37 AM 32,768 wups2.dll
01/19/2008 03:37 AM 456,704 wvc.dll
04/17/2007 03:34 PM 7,677,744 xlive.dll
11/02/2006 05:46 AM 79,360 xwreg.dll
03/13/2002 06:46 PM 53,248 zlib.dll
276 File(s) 90,167,944 bytes
0 Dir(s) 20,178,452,480 bytes free
]]> http://www.dslreports.com/forum/remark,20369311 Tue, 22 Apr 2008 15:34:24 EDT http://www.dslreports.com/forum/remark,20365767 bcastner : It is clearly not a Userland hooked entry, nor a Zlob DNS redirector.

1. Delete this enormous file:
2008-04-07 22:27 179,034,213 ----a-w C:\Windows\DUMP449a.tmp

2. I am still troubled by the running process:
"N:\installNY.exe" Do you know what this is? Is this on a USB flash drive?

3. Install a HOSTS block:
Visit, download and install a HOSTS file for blocking:
»www.mvps.org/winhelp2002/hosts.htm

How To: Download and Extract the HOSTS file
»www.mvps.org/winhelp2002/hosts2.htm

HOSTS File - Frequently Asked Questions
»www.mvps.org/winhelp2002/hostsfaq.htm

4. Using your mouse, left click once below where it says: "Copy to clipboard":
@echo offdir C:\windows\temp\*.dll>log.txtdir C:\windows\system32\?????.dll>>log.txtregedit /E ruins.reg "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins"regedit /E URLS.reg "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls"copy log.txt+ruins.reg+urls.reg finallog.txt del /q log.txt, ruins.reg, urls.reg>nulnotepad finallog.txt del %0
Open a new Notepad document. (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled.
Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and enter (including quotation marks) as the filename: "Templog.cmd". Exit Notepad.

Double click your new file. After a moment, Notepad will open. Post the contents of Notepad back to the Forum.

--
============
MS-MVP 2004 - -2008, ASAP Member
Users Helping Users

]]> http://www.dslreports.com/forum/remark,20365767 Mon, 21 Apr 2008 22:14:10 EDT http://www.dslreports.com/forum/remark,20365120 Siko : Here they are :)

GMER 1.0.14.14316 - »www.gmer.net
Autostart scan 2008-04-21 19:39:11
Windows 6.0.6001 Service Pack 1

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@BootExecute = PDBoot.exe autocheck autochk * OODBS lsdelete

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\Windows\system32\userinit.exe,

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ >>>
!SASWinLogon@DLLName = C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
avgwlntf@DLLName = avgwlntf.dll
igfxcui@DLLName = igfxdev.dll

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs =

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
aawservice@ = "H:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe"
AcronisOSSReinstallSvc@ = "C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall_svc.exe"
AcrSch2Svc@ = "C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe"
Apple Mobile Device@ = "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"
AVG Anti-Spyware Guard@ = H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
Avg7Alrt@ = C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
Avg7UpdSvc@ = C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
AvgCoreSvc@ = C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
MDM@ = "C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"
PD91Agent@ = "C:\Program Files\Raxco\PerfectDisk\PD91Agent.exe"
SBSDWSCService@ = C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
slsvc@ = %SystemRoot%\system32\SLsvc.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@Windows Defender%ProgramFiles%\Windows Defender\MSASCui.exe -hide /*file not found*/ = %ProgramFiles%\Windows Defender\MSASCui.exe -hide /*file not found*/
@IgfxTrayC:\Windows\system32\igfxtray.exe = C:\Windows\system32\igfxtray.exe
@HotKeysCmdsC:\Windows\system32\hkcmd.exe = C:\Windows\system32\hkcmd.exe
@PersistenceC:\Windows\system32\igfxpers.exe = C:\Windows\system32\igfxpers.exe
@AVG7_CCC:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP = C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
@SunJavaUpdateSched"C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" = "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
@TkBellExe"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

HKCU\Software\Microsoft\Windows\CurrentVersion\Run@WMPNSCFG = C:\Program Files\Windows Media Player\WMPNSCFG.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks >>>
@{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}C:\Program Files\SUPERAntiSpyware\SASSEH.DLL = C:\Program Files\SUPERAntiSpyware\SASSEH.DLL
@{57B86673-276A-48B2-BAE7-C6DBB3020EB8}H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll = H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{F02C1A0D-BE21-4350-88B0-7367FC96EF3C} /*Computers and Devices*/%systemroot%\system32\NetworkExplorer.dll = %systemroot%\system32\NetworkExplorer.dll
@{4A1E5ACD-A108-4100-9E26-D2FAFA1BA486} /*IGD Property Sheet Handler*/%SystemRoot%\System32\icsigd.dll = %SystemRoot%\System32\icsigd.dll
@{6CF48EF8-44CD-45d2-8832-A16EA016311B} /*IE IShellFolderBand*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{00020d75-0000-0000-c000-000000000046} /*Microsoft Office Outlook Desktop Icon Handler*/H:\Program Files\Microsoft Office\OFFICE11\MLSHEXT.DLL = H:\Program Files\Microsoft Office\OFFICE11\MLSHEXT.DLL
@{CC6EEFFB-43F6-46c5-9619-51D571967F7D} /*Web Publishing Wizard*/%SystemRoot%\System32\shwebsvc.dll = %SystemRoot%\System32\shwebsvc.dll
@{add36aa8-751a-4579-a266-d66f5202ccbb} /*Print Ordering via the Web*/%SystemRoot%\System32\shwebsvc.dll = %SystemRoot%\System32\shwebsvc.dll
@{6b33163c-76a5-4b6c-bf21-45de9cd503a1} /*Shell Publishing Wizard Object*/%SystemRoot%\System32\shwebsvc.dll = %SystemRoot%\System32\shwebsvc.dll
@{74246bfc-4c96-11d0-abef-0020af6b0b7a} /*Device Manager*/%SystemRoot%\System32\devmgr.dll = %SystemRoot%\System32\devmgr.dll
@{7A979262-40CE-46ff-AEEE-7884AC3B6136} /*Add New Hardware*/(null) =
@{3e7efb4c-faf1-453d-89eb-56026875ef90} /*Get Programs Online*/(null) =
@{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0} /*Control Panel command object for Start menu*/(null) =
@{E44E5D18-0652-4508-A4E2-8A090067BCB0} /*Default Programs command object for Start menu*/(null) =
@{6dfd7c5c-2451-11d3-a299-00c04f8ef6af} /*Folder Options*/(null) =
@{97e467b4-98c6-4f19-9588-161b7773d6f6} /*Office Document Property Handler*/%SystemRoot%\system32\propsys.dll = %SystemRoot%\system32\propsys.dll
@{DC1C5A9C-E88A-4dde-A5A1-60F82A20AEF7} /*File Open Dialog*/%SystemRoot%\System32\comdlg32.dll = %SystemRoot%\System32\comdlg32.dll
@{C0B4E2F3-BA21-4773-8DBA-335EC946EB8B} /*File Save Dialog*/%SystemRoot%\System32\comdlg32.dll = %SystemRoot%\System32\comdlg32.dll
@{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75} /*Shell Icon Handler for Application References*/C:\Windows\system32\dfshim.dll = C:\Windows\system32\dfshim.dll
@{e82a2d71-5b2f-43a0-97b8-81be15854de8} /*ShellLink for Application References*/C:\Windows\system32\dfshim.dll = C:\Windows\system32\dfshim.dll
@{44121072-A222-48f2-A58A-6D9AD51EBBE9} /*Microsoft XPS Thumbnail*/%SystemRoot%\system32\XPSSHHDR.DLL = %SystemRoot%\system32\XPSSHHDR.DLL
@{13D3C4B8-B179-4ebb-BF62-F704173E7448} /*Windows Contact Preview Handler*/%CommonProgramFiles%\System\wab32.dll = %CommonProgramFiles%\System\wab32.dll
@{4026492f-2f69-46b8-b9bf-5654fc07e423} /*Windows Firewall*/(null) =
@{a304259d-52b8-4526-8b1a-a1d6cecc8243} /*iSCSI Initiator*/(null) =
@{11dbb47c-a525-400b-9e80-a54615a090c0} /*Execute Folder*/ExplorerFrame.dll = ExplorerFrame.dll
@{90b9bce2-b6db-4fd3-8451-35917ea1081b} /*Search Execute Command*/ExplorerFrame.dll = ExplorerFrame.dll
@{BC65FB43-1958-4349-971A-210290480130} /*Network Explorer Property Sheet Handler*/%SystemRoot%\System32\NcdProp.dll = %SystemRoot%\System32\NcdProp.dll
@{d3e34b21-9d75-101a-8c3d-00aa001a1652} /*Bitmap Image*/(null) =
@{40C3D757-D6E4-4b49-BB41-0E5BBEA28817} /*Video Media Properties Handler*/%SystemRoot%\System32\mediametadatahandler.dll = %SystemRoot%\System32\mediametadatahandler.dll
@{E598560B-28D5-46aa-A14A-8A3BEA34B576} /*Windows Photo Gallery Viewer Video Verbs*/%ProgramFiles%\Windows Photo Gallery\PhotoViewer.dll /*file not found*/ = %ProgramFiles%\Windows Photo Gallery\PhotoViewer.dll /*file not found*/
@{0a4286ea-e355-44fb-8086-af3df7645bd9} /*Windows Media Player*/C:\PROGRA~1\WI4EB4~1\wmpband.dll = C:\PROGRA~1\WI4EB4~1\wmpband.dll
@{BB6B2374-3D79-41DB-87F4-896C91846510} /*EMDFileProperties*/emdmgmt.dll = emdmgmt.dll
@{875CB1A1-0F29-45de-A1AE-CFB4950D0B78} /*Audio Media Properties Handler*/%SystemRoot%\System32\mediametadatahandler.dll = %SystemRoot%\System32\mediametadatahandler.dll
@{7A0F6AB7-ED84-46B6-B47E-02AA159A152B} /*Sync Center Simple Conflict Presenter*/%SystemRoot%\System32\SyncCenter.dll = %SystemRoot%\System32\SyncCenter.dll
@{9D687A4C-1404-41ef-A089-883B6FBECDE6} /*Windows Photo Gallery Viewer Autoplay Handler*/(null) =
@{37efd44d-ef8d-41b1-940d-96973a50e9e0} /*Windows Sidebar Properties*/(null) =
@{BC48B32F-5910-47F5-8570-5074A8A5636A} /*Sync Results Delegate Folder*/%SystemRoot%\System32\SyncCenter.dll = %SystemRoot%\System32\SyncCenter.dll
@{E413D040-6788-4C22-957E-175D1C513A34} /*Sync Center Conflict Delegate Folder*/%SystemRoot%\System32\SyncCenter.dll = %SystemRoot%\System32\SyncCenter.dll
@{67718415-c450-4f3c-bf8a-b487642dc39b} /*Windows Features*/(null) =
@{91ADC906-6722-4B05-A12B-471ADDCCE132} /*Touch Band*/%SystemRoot%\System32\TouchX.dll = %SystemRoot%\System32\TouchX.dll
@{2781761E-28E0-4109-99FE-B9D127C57AFE} /*Windows Defender IOfficeAntiVirus implementation*/%ProgramFiles%\Windows Defender\MpOav.dll /*file not found*/ = %ProgramFiles%\Windows Defender\MpOav.dll /*file not found*/
@{FFE2A43C-56B9-4bf5-9A79-CC6D4285608A} /*Windows Photo Gallery Viewer Image Verbs*/%ProgramFiles%\Windows Photo Gallery\PhotoViewer.dll /*file not found*/ = %ProgramFiles%\Windows Photo Gallery\PhotoViewer.dll /*file not found*/
@{4B534112-3AF6-4697-A77C-D62CE9B9E7CF} /*Sync Center Event Properties Extension*/%SystemRoot%\System32\SyncCenter.dll = %SystemRoot%\System32\SyncCenter.dll
@{F1390A9A-A3F4-4E5D-9C5F-98F3BD8D935C} /*Sync Setup Delegate Folder*/%SystemRoot%\System32\SyncCenter.dll = %SystemRoot%\System32\SyncCenter.dll
@{4E5BFBF8-F59A-4e87-9805-1F9B42CC254A} /*GameUX.RichGameMediaThumbnail*/C:\Windows\System32\gameux.dll = C:\Windows\System32\gameux.dll
@{576C9E85-1300-4EF5-BF6B-D00509F4EDCD} /*Sync Center Handler Properties Extension*/%SystemRoot%\System32\SyncCenter.dll = %SystemRoot%\System32\SyncCenter.dll
@{289978AC-A101-4341-A817-21EBA7FD046D} /*Sync Center Conflict Folder*/%SystemRoot%\System32\SyncCenter.dll = %SystemRoot%\System32\SyncCenter.dll
@{71D99464-3B6B-475C-B241-E15883207529} /*Sync Results Folder*/%SystemRoot%\System32\SyncCenter.dll = %SystemRoot%\System32\SyncCenter.dll
@{B32D3949-ED98-4DBB-B347-17A144969BBA} /*Sync Center Item Properties Extension*/%SystemRoot%\System32\SyncCenter.dll = %SystemRoot%\System32\SyncCenter.dll
@{2E9E59C0-B437-4981-A647-9C34B9B90891} /*Sync Setup Folder*/%SystemRoot%\System32\SyncCenter.dll = %SystemRoot%\System32\SyncCenter.dll
@{9C73F5E5-7AE7-4E32-A8E8-8D23B85255BF} /*Sync Center Folder*/%SystemRoot%\System32\SyncCenter.dll = %SystemRoot%\System32\SyncCenter.dll
@{CB1B7F8C-C50A-4176-B604-9E24DEE8D4D1} /*Welcome Center*/oobefldr.dll = oobefldr.dll
@{F04CC277-03A2-4277-96A9-77967471BDFF} /*Sync Center Conflict Properties Extension*/%SystemRoot%\System32\SyncCenter.dll = %SystemRoot%\System32\SyncCenter.dll
@{6b9228da-9c15-419e-856c-19e768a13bdc} /*Windows gadget DropTarget*/%ProgramFiles%\Windows Sidebar\sbdrop.dll /*file not found*/ = %ProgramFiles%\Windows Sidebar\sbdrop.dll /*file not found*/
@{8E25992B-373E-486E-80E5-BD23AE417E66} /*Sync Center Device Notification Sink*/%SystemRoot%\System32\SyncCenter.dll = %SystemRoot%\System32\SyncCenter.dll
@{031EE060-67BC-460d-8847-E4A7C5E45A27} /*Windows Media Player Rich Preview Handler*/(null) =
@{1FA9085F-25A2-489B-85D4-86326EEDCD87} /*Manage Wireless Networks*/%SystemRoot%\system32\wlanpref.dll = %SystemRoot%\system32\wlanpref.dll
@{7dda204b-2097-47c9-8323-c40bb840ae44} /*XPS document*/(null) =
@{ECDD6472-2B9B-4b4b-AE36-F316DF3C8D60} /*RichGameMediaPropertyStore Class*/C:\Windows\System32\gameux.dll = C:\Windows\System32\gameux.dll
@{c5a40261-cd64-4ccf-84cb-c394da41d590} /*Video Thumbnail Extractor*/%SystemRoot%\System32\mediametadatahandler.dll = %SystemRoot%\System32\mediametadatahandler.dll
@{C539A15A-3AF9-4c92-B771-50CB78F5C751} /*Acronis True Image Shell Context Menu Extension*/C:\Program Files\Acronis\TrueImageHome\tishell.dll = C:\Program Files\Acronis\TrueImageHome\tishell.dll
@{C539A15B-3AF9-4c92-B771-50CB78F5C751} /*Acronis True Image Shell Extension*/C:\Program Files\Acronis\TrueImageHome\tishell.dll = C:\Program Files\Acronis\TrueImageHome\tishell.dll
@{B41DB860-8EE4-11D2-9906-E49FADC173CA} /*WinRAR shell extension*/C:\Program Files\WinRAR\rarext.dll = C:\Program Files\WinRAR\rarext.dll
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Web Folders*/C:\PROGRA~1\COMMON~1\MICROS~1\Web Folders\MSONSEXT.DLL = C:\PROGRA~1\COMMON~1\MICROS~1\Web Folders\MSONSEXT.DLL
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Office Outlook Custom Icon Handler*/H:\Program Files\Microsoft Office\OFFICE11\OLKFSTUB.DLL = H:\Program Files\Microsoft Office\OFFICE11\OLKFSTUB.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/H:\Program Files\Microsoft Office\OFFICE11\msohev.dll = H:\Program Files\Microsoft Office\OFFICE11\msohev.dll
@{BD7A2E7B-21CB-41b2-A086-B309680C6B7E} /*Client Side Cache Namespace Extension*/%systemroot%\system32\mssvp.dll = %systemroot%\system32\mssvp.dll
@{35786D3C-B075-49b9-88DD-029876E11C01} /*Portable Devices*/%SystemRoot%\system32\wpdshext.dll = %SystemRoot%\system32\wpdshext.dll
@{53BEDF0B-4E5B-4183-8DC9-B844344FA104} /*Microsoft Windows MAPI Preview Handler*/%SystemRoot%\system32\mssvp.dll = %SystemRoot%\system32\mssvp.dll
@{D6791A63-E7E2-4fee-BF52-5DED8E86E9B8} /*Portable Devices Menu*/%SystemRoot%\system32\wpdshext.dll = %SystemRoot%\system32\wpdshext.dll
@{877ca5ac-cb41-4842-9c69-9136e42d47e2} /*File Backup Index*/%systemroot%\system32\sdshext.dll = %systemroot%\system32\sdshext.dll
@{5ea4f148-308c-46d7-98a9-49041b1dd468} /*Mobility Center Control Panel*/(null) =
@{d8559eb9-20c0-410e-beda-7ed416aecc2a} /*Windows Defender*/(null) =
@{ED228FDF-9EA8-4870-83B1-96B02CFE0D52} /*Games Folder*/C:\Windows\System32\gameux.dll = C:\Windows\System32\gameux.dll
@{00f20eb5-8fd6-4d9d-b75e-36801766c8f1} /*PhotoAcqDropTarget*/%ProgramFiles%\Windows Photo Gallery\PhotoAcq.dll /*file not found*/ = %ProgramFiles%\Windows Photo Gallery\PhotoAcq.dll /*file not found*/
@{89D83576-6BD1-4c86-9454-BEB04E94C819} /*MAPI Search Namespace Extension*/%systemroot%\system32\mssvp.dll = %systemroot%\system32\mssvp.dll
@{00f2886f-cd64-4fc9-8ec5-30ef6cdbe8c3} /*Microsoft.ScannersAndCameras*/(null) =
@{3F30C968-480A-4C6C-862D-EFC0897BB84B} /*Photo Thumbnail Extractor*/C:\Windows\system32\PhotoMetadataHandler.dll = C:\Windows\system32\PhotoMetadataHandler.dll
@{C7657C4A-9F68-40fa-A4DF-96BC08EB3551} /*Photo Thumbnail Provider*/C:\Windows\system32\PhotoMetadataHandler.dll = C:\Windows\system32\PhotoMetadataHandler.dll
@{a38b883c-1682-497e-97b0-0a3a9e801682} /*IPropertyStore Handler for Images*/C:\Windows\system32\PhotoMetadataHandler.dll = C:\Windows\system32\PhotoMetadataHandler.dll
@{da67b8ad-e81b-4c70-9b91b417b5e33527} /*Windows Search Shell Service*/(null) =
@{911051fa-c21c-4246-b470-070cd8df6dc4} /*.cab or .zip files*/(null) =
@{fcfeecae-ee1b-4849-ae50-685dcf7717ec} /*Problem Reports and Solutions*/(null) =
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/C:\Windows\system32\extmgr.dll = C:\Windows\system32\extmgr.dll
@{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8} /*Compatibility Property Page*/%windir%\system32\acppage.dll = %windir%\system32\acppage.dll
@{CF67796C-F57F-45F8-92FB-AD698826C602} /*contact_wab_auto_file*/%CommonProgramFiles%\System\wab32.dll = %CommonProgramFiles%\System\wab32.dll
@{16C2C29D-0E5F-45f3-A445-03E03F587B7D} /*group_wab_auto_file*/%CommonProgramFiles%\System\wab32.dll = %CommonProgramFiles%\System\wab32.dll
@{8082C5E6-4C27-48ec-A809-B8E1122E8F97} /*.contact shell extension handler*/%CommonProgramFiles%\System\wab32.dll = %CommonProgramFiles%\System\wab32.dll
@{4F58F63F-244B-4c07-B29F-210BE59BE9B4} /*.group shell extension handler*/%CommonProgramFiles%\System\wab32.dll = %CommonProgramFiles%\System\wab32.dll
@{0F8604A5-4ECE-4DE1-BA7D-CF10F8AA4F48} /*Contacts folder*/(null) =
@{38a98528-6cbf-4ca9-8dc0-b1e1d10f7b1b} /*View Available Networks*/(null) =
@{45670FA8-ED97-4F44-BC93-305082590BFB} /*Microsoft XPS Properties*/%SystemRoot%\system32\XPSSHHDR.DLL = %SystemRoot%\system32\XPSSHHDR.DLL
@{92337A8C-E11D-11D0-BE48-00C04FC30DF6} /*OlePrn.PrinterURL*/%SystemRoot%\system32\oleprn.dll = %SystemRoot%\system32\oleprn.dll
@{2C2577C2-63A7-40e3-9B7F-586602617ECB} /*Explorer Query Band*/(null) =
@{E29F9716-5C08-4FCD-955A-119FDB5A522D} /*Sam Account Folder*/(null) =
@{C8494E42-ACDD-4739-B0FB-217361E4894F} /*Sam Account Folder*/(null) =
@{34449847-FD14-4fc8-A75A-7432F5181EFB} /*ActiveDirectory Folder*/(null) =
@{1b24a030-9b20-49bc-97ac-1be4426f9e59} /*ActiveDirectory Folder*/(null) =
@{b2c761c6-29bc-4f19-9251-e6195265baf1} /*Color Control Panel Applet*/(null) =
@{DBCE2480-C732-101B-BE72-BA78E9AD5B27} /*ICC Profile*/%SystemRoot%\system32\colorui.dll = %SystemRoot%\system32\colorui.dll
@{675F097E-4C4D-11D0-B6C1-0800091AA605} /*ICM Printer Management*/%SystemRoot%\system32\colorui.dll = %SystemRoot%\system32\colorui.dll
@{5DB2625A-54DF-11D0-B6C4-0800091AA605} /*ICM Monitor Management*/%SystemRoot%\System32\colorui.dll = %SystemRoot%\System32\colorui.dll
@{176d6597-26d3-11d1-b350-080036a75b03} /*ICM Scanner Management*/%SystemRoot%\System32\colorui.dll = %SystemRoot%\System32\colorui.dll
@{8856f961-340a-11d0-a96b-00c04fd705a2} /*Microsoft Web Browser*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{9A096BB5-9DC3-4D1C-8526-C3CBF991EA4E} /*IE RSS Feeder Folder*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{871C5380-42A0-1069-A2EA-08002B30309D} /*Internet Name Space*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{205D7A97-F16D-4691-86EF-F3075DCCA57D} /*IE Menu Desk Bar*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{44C76ECD-F7FA-411c-9929-1B77BA77F524} /*IE Menu Site*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{6B4ECC4F-16D1-4474-94AB-5A763F2A54AE} /*IE Tracking Shell Menu*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{1C1EDB47-CE22-4bbb-B608-77B48F83C823} /*IE Fade Task*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{F2CF5485-4E02-4f68-819C-B92DE9277049} /*&Links*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{4B78D326-D922-44f9-AF2A-07805C2A3560} /*IE Menu Band*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75} /*IE User Assist*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{BFAD62EE-9D54-4b2a-BF3B-76F90697BD2A} /*IE Shell Rebar BandSite*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{E6EE9AAC-F76B-4947-8260-A9F136138E11} /*IE Shell Band Site Menu*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{B31C5FAE-961F-415b-BAF0-E697A5178B94} /*IE Microsoft Multiple AutoComplete List Container*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{9D958C62-3954-4b44-8FAB-C4670C1DB4C2} /*IE Microsoft Shell Folder AutoComplete List*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{6038EF75-ABFC-4e59-AB6F-12D397F6568D} /*IE Microsoft History AutoComplete List*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{FDE7673D-2E19-4145-8376-BBD58C4BC7BA} /*IE Custom MRU AutoCompleted List*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{98FF6D4B-6387-4b0a-8FBD-C5C4BB17B4F8} /*IE MRU AutoComplete List*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{3028902F-6374-48b2-8DC6-9725E775B926} /*IE AutoComplete*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{F83DAC1C-9BB9-4f2b-B619-09819DA81B0E} /*IE Registry Tree Options Utility*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{30D02401-6A81-11d0-8274-00C04FD5AE38} /*IE Search Band*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{43886CD5-6529-41c4-A707-7B3C92C05E68} /*IE Navigation Bar*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{07C45BB1-4A8C-4642-A1F5-237E7215FF66} /*IE Microsoft BrowserBand*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{73CFD649-CD48-4fd8-A272-2070EA56526B} /*IE BandProxy*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{3DC7A020-0ACD-11CF-A9BB-00AA004AE837} /*The Internet*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{CFBFAE00-17A6-11D0-99CB-00C04FD64497} /*Microsoft Url Search Hook*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{7BD29E01-76C1-11CF-9DD0-00A0C9034933} /*Temporary Internet Files*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{7BD29E00-76C1-11CF-9DD0-00A0C9034933} /*Temporary Internet Files*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{FF393560-C2A7-11CF-BFF4-444553540000} /*History*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{3C374A40-BAE4-11CF-BF7D-00AA006946EE} /*Microsoft Url History Service*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{FBF23B40-E3F0-101B-8488-00AA003E56F8} /*InternetShortcut*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{BC476F4C-D9D7-4100-8D4E-E043F6DEC409} /*Microsoft Browser Architecture*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{E7E4BC40-E76A-11CE-A9BB-00AA004AE837} /*Shell DocObject Viewer*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{5FA29220-36A1-40f9-89C6-F4B384B7642E} /*Shell Message Handler*/%SystemRoot%\system32\inetcomm.dll = %SystemRoot%\system32\inetcomm.dll
@{f8b8412b-dea3-4130-b36c-5e8be73106ac} /*Microsoft Windows Mail Html Preview Handler*/%SystemRoot%\system32\inetcomm.dll = %SystemRoot%\system32\inetcomm.dll
@{b9815375-5d7f-4ce2-9245-c9d4da436930} /*Microsoft Windows Mail Html Preview Handler*/%SystemRoot%\system32\inetcomm.dll = %SystemRoot%\system32\inetcomm.dll
@{92dbad9f-5025-49b0-9078-2d78f935e341} /*Microsoft Windows Mail Html Preview Handler*/%SystemRoot%\system32\inetcomm.dll = %SystemRoot%\system32\inetcomm.dll
@{967B2D40-8B7D-4127-9049-61EA0C2C6DCE} /*PowerISO*/(null) =
@{23170F69-40C1-278A-1000-000100020000} /*7-Zip Shell Extension*/C:\Program Files\7-Zip\7-zip.dll = C:\Program Files\7-Zip\7-zip.dll
@{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} /*Shell Extensions for RealOne Player*/C:\Program Files\Real\RealPlayer\rpshell.dll = C:\Program Files\Real\RealPlayer\rpshell.dll
@{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} /*iTunes*/H:\Program Files\iTunes\iTunesMiniPlayer.dll = H:\Program Files\iTunes\iTunesMiniPlayer.dll
@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} /*AVG7 Shell Extension*/C:\Program Files\Grisoft\AVG7\avgse.dll = C:\Program Files\Grisoft\AVG7\avgse.dll
@{9F97547E-460A-42C5-AE0C-81C61FFAEBC3} /*AVG7 Find Extension*/C:\Program Files\Grisoft\AVG7\avgse.dll = C:\Program Files\Grisoft\AVG7\avgse.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
7-Zip@{23170F69-40C1-278A-1000-000100020000} = C:\Program Files\7-Zip\7-zip.dll
AVG Anti-Spyware@{8934FCEF-F5B8-468f-951F-78A921CD3920} = H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll
AVG7 Shell Extension@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG7\avgse.dll
PowerISO@{967B2D40-8B7D-4127-9049-61EA0C2C6DCE} =
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers >>>
@{C539A15A-3AF9-4c92-B771-50CB78F5C751}C:\Program Files\Acronis\TrueImageHome\tishell.dll = C:\Program Files\Acronis\TrueImageHome\tishell.dll
@{CA8ACAFA-5FBB-467B-B348-90DD488DE003}C:\Program Files\SUPERAntiSpyware\SASCTXMN.DLL = C:\Program Files\SUPERAntiSpyware\SASCTXMN.DLL

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ >>>
7-Zip@{23170F69-40C1-278A-1000-000100020000} = C:\Program Files\7-Zip\7-zip.dll
AVG Anti-Spyware@{8934FCEF-F5B8-468f-951F-78A921CD3920} = H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll
PowerISO@{967B2D40-8B7D-4127-9049-61EA0C2C6DCE} =
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers@{CA8ACAFA-5FBB-467B-B348-90DD488DE003} = C:\Program Files\SUPERAntiSpyware\SASCTXMN.DLL

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
AVG7 Shell Extension@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG7\avgse.dll
PowerISO@{967B2D40-8B7D-4127-9049-61EA0C2C6DCE} =
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers@{C539A15A-3AF9-4c92-B771-50CB78F5C751} = C:\Program Files\Acronis\TrueImageHome\tishell.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll = C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
@{53707962-6F74-2D53-2644-206D7942484F}C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll = C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
@{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll = C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://go.microsoft.com/fwlink/?LinkId=69157 = »go.microsoft.com/fwlink/?LinkId=69157
@Start Pagehttp://go.microsoft.com/fwlink/?LinkId=69157 = »go.microsoft.com/fwlink/?LinkId=69157
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://google.com/ = »google.com/
@Local PageC:\WINDOWS\System32\blank.htm = C:\WINDOWS\System32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Filter\text/xml@CLSID = C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
belarc@CLSID = C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll
dvd@CLSID = C:\Windows\System32\msvidctl.dll
its@CLSID = %SystemRoot%\System32\itss.dll
mhtml@CLSID = %SystemRoot%\system32\inetcomm.dll
ms-its@CLSID = %SystemRoot%\System32\itss.dll
ms-itss@CLSID = C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
mso-offdap11@CLSID = C:\PROGRA~1\COMMON~1\MICROS~1\Web Components\11\OWC11.DLL
tv@CLSID = C:\Windows\System32\msvidctl.dll

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{816238D4-1ADE-4801-AF6C-1CB6A0BDC37F} /*Local Area Connection*/ >>>
@IPAddress192.168.1.100 = 192.168.1.100
@NameServer208.67.220.220,208.67.222.222 = 208.67.220.220,208.67.222.222
@DefaultGateway192.168.1.1 = 192.168.1.1
@Domain =

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ >>>
000000000001@LibraryPath = %SystemRoot%\system32\NLAapi.dll
000000000002@LibraryPath = %SystemRoot%\system32\napinsp.dll
000000000003@LibraryPath = %SystemRoot%\system32\pnrpnsp.dll

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000004@LibraryPath = %SystemRoot%\system32\pnrpnsp.dll

C:\Users\Murlin Wei\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup = Xfire.lnk

---- EOF - GMER 1.0.14 ----

GMER 1.0.14.14316 - »www.gmer.net
Rootkit scan 2008-04-21 20:13:34
Windows 6.0.6001 Service Pack 1

---- System - GMER 1.0.14 ----

SSDT \??\H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess [0x945688AC]
SSDT \??\H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess [0x94568812]

---- Kernel code sections - GMER 1.0.14 ----

.text ntoskrnl.exe!ZwQueryLicenseValue + D11 81C72AE9 1 Byte [ 06 ]
.text ntoskrnl.exe!KeInsertQueue + 5E1 81C88B98 4 Bytes [ AC, 88, 56, 94 ]
.text ntoskrnl.exe!KeInsertQueue + 811 81C88DC8 4 Bytes [ 12, 88, 56, 94 ]
_PAGELK C:\Windows\system32\ntoskrnl.exe entry point in "_PAGELK" section [0x81CFE4B0]
? System32\Drivers\spmq.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload 8D7AA46F 5 Bytes JMP 84CCC4E0
.text a3nub5gf.SYS 882D5000 22 Bytes [ 26, C2, FC, 81, 10, C1, FC, ... ]
.text a3nub5gf.SYS 882D5017 105 Bytes [ 00, 32, A7, B3, 82, 3D, A5, ... ]
.text a3nub5gf.SYS 882D5081 53 Bytes [ 25, C6, 81, 60, 2E, C8, 81, ... ]
.text a3nub5gf.SYS 882D50B7 22 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
.text a3nub5gf.SYS 882D50CE 80 Bytes [ 00, 00, 26, 00, 00, 00, E0, ... ]
.text ...
? C:\ComboFix\catchme.sys The system cannot find the file specified. !
? C:\Windows\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT \SystemRoot\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 8407D2D8
IAT \SystemRoot\system32\drivers\pci.sys[ntoskrnl.exe!IoDetachDevice] [82A6393C] \SystemRoot\System32\Drivers\spmq.sys
IAT \SystemRoot\system32\drivers\pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [82A63990] \SystemRoot\System32\Drivers\spmq.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [82A346D2] \SystemRoot\System32\Drivers\spmq.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [82A34040] \SystemRoot\System32\Drivers\spmq.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [82A347FC] \SystemRoot\System32\Drivers\spmq.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUshort] [82A340BE] \SystemRoot\System32\Drivers\spmq.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [82A3413C] \SystemRoot\System32\Drivers\spmq.sys
IAT \SystemRoot\system32\drivers\ataport.SYS[ntoskrnl.exe!DbgBreakPoint] 8407E2D8
IAT \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 84CCC5E0
IAT \SystemRoot\System32\Drivers\a3nub5gf.SYS[ataport.SYS!AtaPortNotification] F73BFF33
IAT \SystemRoot\System32\Drivers\a3nub5gf.SYS[ataport.SYS!AtaPortWritePortUchar] B85F0B75
IAT \SystemRoot\System32\Drivers\a3nub5gf.SYS[ataport.SYS!AtaPortWritePortUlong] FFFFFFFE
IAT \SystemRoot\System32\Drivers\a3nub5gf.SYS[ataport.SYS!AtaPortGetPhysicalAddress] 08C25D5E
IAT \SystemRoot\System32\Drivers\a3nub5gf.SYS[ataport.SYS!AtaPortConvertPhysicalAddressToUlong] 5D8B5300
IAT \SystemRoot\System32\Drivers\a3nub5gf.SYS[ataport.SYS!AtaPortGetScatterGatherList] 74DF3B0C
IAT \SystemRoot\System32\Drivers\a3nub5gf.SYS[ataport.SYS!AtaPortReadPortUchar] 01FB8311
IAT \SystemRoot\System32\Drivers\a3nub5gf.SYS[ataport.SYS!AtaPortStallExecution] 5F5B0C74
IAT \SystemRoot\System32\Drivers\a3nub5gf.SYS[ataport.SYS!AtaPortGetParentBusType] FFFFFEB8
IAT \SystemRoot\System32\Drivers\a3nub5gf.SYS[ataport.SYS!AtaPortRequestCallback] C25D5EFF
IAT \SystemRoot\System32\Drivers\a3nub5gf.SYS[ataport.SYS!AtaPortWritePortBufferUshort] 7E390008
IAT \SystemRoot\System32\Drivers\a3nub5gf.SYS[ataport.SYS!AtaPortGetUnCachedExtension] C7077524
IAT \SystemRoot\System32\Drivers\a3nub5gf.SYS[ataport.SYS!AtaPortCompleteRequest] 31642446
IAT \SystemRoot\System32\Drivers\a3nub5gf.SYS[ataport.SYS!AtaPortMoveMemory] 7E39882E
IAT \SystemRoot\System32\Drivers\a3nub5gf.SYS[ataport.SYS!AtaPortCompleteAllActiveRequests] C7077528
IAT \SystemRoot\System32\Drivers\a3nub5gf.SYS[ataport.SYS!AtaPortReleaseRequestSenseIrb] 31902846
IAT \SystemRoot\System32\Drivers\a3nub5gf.SYS[ataport.SYS!AtaPortBuildRequestSenseIrb] 468B882E
IAT \SystemRoot\System32\Drivers\a3nub5gf.SYS[ataport.SYS!AtaPortReadPortUshort] 244E8B2C
IAT \SystemRoot\System32\Drivers\a3nub5gf.SYS[ataport.SYS!AtaPortReadPortBufferUshort] 7468016A
IAT \SystemRoot\System32\Drivers\a3nub5gf.SYS[ataport.SYS!AtaPortInitialize] 500000FA
IAT \SystemRoot\System32\Drivers\a3nub5gf.SYS[ataport.SYS!AtaPortGetDeviceBase] C73BD1FF
IAT \SystemRoot\System32\Drivers\a3nub5gf.SYS[ataport.SYS!AtaPortDeviceStateChange] 5F5B0C75
IAT \SystemRoot\System32\Drivers\a3nub5gf.SYS[NTOSKRNL.exe!KeTickCount] 56EC8B55
IAT \SystemRoot\system32\DRIVERS\storport.sys[ntoskrnl.exe!DbgBreakPoint] 84DC45E0

---- User IAT/EAT - GMER 1.0.14 ----

IAT C:\Windows\explorer.exe[2424] @ C:\Windows\explorer.exe [gdiplus.dll!GdiplusShutdown] [73877BA4] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18000_none_9e752e5ac9c619f3\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2424] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCloneImage] [738B98C5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18000_none_9e752e5ac9c619f3\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2424] @ C:\Windows\explorer.exe [gdiplus.dll!GdipDrawImageRectI] [7387D3C8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18000_none_9e752e5ac9c619f3\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2424] @ C:\Windows\explorer.exe [gdiplus.dll!GdipSetInterpolationMode] [7386F527] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18000_none_9e752e5ac9c619f3\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2424] @ C:\Windows\explorer.exe [gdiplus.dll!GdiplusStartup] [73877599] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18000_none_9e752e5ac9c619f3\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2424] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCreateFromHDC] [7386E43D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18000_none_9e752e5ac9c619f3\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2424] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCreateBitmapFromStreamICM] [738AB33D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18000_none_9e752e5ac9c619f3\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2424] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCreateBitmapFromStream] [7387D68A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18000_none_9e752e5ac9c619f3\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2424] @ C:\Windows\explorer.exe [gdiplus.dll!GdipGetImageHeight] [7387012E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18000_none_9e752e5ac9c619f3\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2424] @ C:\Windows\explorer.exe [gdiplus.dll!GdipGetImageWidth] [73870095] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18000_none_9e752e5ac9c619f3\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2424] @ C:\Windows\explorer.exe [gdiplus.dll!GdipDisposeImage] [738671F3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18000_none_9e752e5ac9c619f3\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2424] @ C:\Windows\explorer.exe [gdiplus.dll!GdipLoadImageFromFileICM] [738FD810] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18000_none_9e752e5ac9c619f3\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2424] @ C:\Windows\explorer.exe [gdiplus.dll!GdipLoadImageFromFile] [738975E1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18000_none_9e752e5ac9c619f3\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2424] @ C:\Windows\explorer.exe [gdiplus.dll!GdipDeleteGraphics] [7386DAE1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18000_none_9e752e5ac9c619f3\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2424] @ C:\Windows\explorer.exe [gdiplus.dll!GdipFree] [7386668F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18000_none_9e752e5ac9c619f3\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2424] @ C:\Windows\explorer.exe [gdiplus.dll!GdipAlloc] [738666BA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18000_none_9e752e5ac9c619f3\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2424] @ C:\Windows\explorer.exe [gdiplus.dll!GdipSetCompositingMode] [73871E45] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18000_none_9e752e5ac9c619f3\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 84A141F8
Device \FileSystem\fastfat \FatCdrom 8569A500
Device \Driver\volmgr \Device\VolMgrControl 840801F8
Device \Driver\usbuhci \Device\USBPDO-0 84D3C500
Device \Driver\usbuhci \Device\USBPDO-1 84D3C500
Device \Driver\usbuhci \Device\USBPDO-2 84D3C500
Device \Driver\usbuhci \Device\USBPDO-3 84D3C500
Device \Driver\usbehci \Device\USBPDO-4 84D79500
Device \Driver\PCI_PNP7864 \Device\00000056 spmq.sys
Device \Driver\USBSTOR \Device\00000070 85495500
Device \Driver\volmgr \Device\HarddiskVolume1 840801F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)

Device \Driver\volmgr \Device\HarddiskVolume2 840801F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)

Device \Driver\cdrom \Device\CdRom0 84D7D500
Device \Driver\USBSTOR \Device\00000072 85495500
Device \Driver\cdrom \Device\CdRom1 84D7D500
Device \Driver\volmgr \Device\HarddiskVolume3 840801F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 84A131F8
Device \Driver\atapi \Device\Ide\IdePort0 84A131F8
Device \Driver\atapi \Device\Ide\IdePort1 84A131F8
Device \Driver\atapi \Device\Ide\IdePort2 84A131F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1 84A131F8
Device \Driver\volmgr \Device\HarddiskVolume4 840801F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)

Device \Driver\USBSTOR \Device\00000074 85495500
Device \Driver\volmgr \Device\HarddiskVolume5 840801F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)

Device \Driver\volmgr \Device\HarddiskVolume6 840801F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume6 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume6 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)

Device \Driver\sptd \Device\1003614114 spmq.sys
Device \Driver\volmgr \Device\HarddiskVolume7 840801F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume7 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume7 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)

Device \Driver\netbt \Device\NetBt_Wins_Export 8552D500
Device \Driver\volmgr \Device\HarddiskVolume8 840801F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume8 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume8 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)

Device \Driver\volmgr \Device\HarddiskVolume9 840801F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume9 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume9 timntr.sys (Acronis True Image Backup Archive Explorer/Acronis)

Device \Driver\Smb \Device\NetbiosSmb 856D3500
Device \Driver\iScsiPrt \Device\RaidPort0 84D55500
Device \Driver\usbuhci \Device\USBFDO-0 84D3C500
Device \Driver\usbuhci \Device\USBFDO-1 84D3C500
Device \Driver\usbuhci \Device\USBFDO-2 84D3C500
Device \Driver\netbt \Device\NetBT_Tcpip_{816238D4-1ADE-4801-AF6C-1CB6A0BDC37F} 8552D500
Device \Driver\usbuhci \Device\USBFDO-3 84D3C500
Device \Driver\USBSTOR \Device\0000007d 85495500
Device \Driver\usbehci \Device\USBFDO-4 84D79500
Device \Driver\a3nub5gf \Device\Scsi\a3nub5gf1 84D431F8
Device \Driver\a3nub5gf \Device\Scsi\a3nub5gf1Port4Path0Target0Lun0 84D431F8
Device \FileSystem\fastfat \Fat 8569A500

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\cdfs \Cdfs 865041F8

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x2E 0x8D 0xA6 0x2F ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x58 0xFA 0x7F 0x40 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xDB 0x17 0x36 0x99 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x2E 0x8D 0xA6 0x2F ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x58 0xFA 0x7F 0x40 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xDB 0x17 0x36 0x99 ...
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODEFRAG10.00.00.01WORKSTATION C6C2342C31A3A1E2F7533810634F3DF2DC2D421A17EB3D7F576CBDB4F4C273935EF8098AB9F5F4F47A 95BF9776B7F2A7D1401C9062D62439C064E498C09235588457E64350C454C974AE8DE74EDBC39DD0D9 F6FEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74C FEBC9E127BECC74CA6A0AC4980AC7933A2D97226D213B555BA7FD869164D67949DB7CE019D40AA5CE6 90EFABE4D83A3417C329AFC37058287DD22401D91E5617EAF249D1C9461AA86AFB243B11114B0614ED DA55C43279773282F9DB1AC78A12364F0765C643F778FBF66FAB2BE3652860ED3BDDCF3FFDD5A24C9A 0DB0DE21DE9C2F3A9BDE6A6C49442EEDCAE1DE82CC0159AA4A02DD317650CD4B6649835FD23CDBAAB6 E7D24F311CB20E6B5BB42FED2C29DB9EEDF7F6D3EE8AA3BD82761B08E5FDF6FD303A8D8B12F892E631 B78C474DBAD7E29A9A44AA6667116BEFA040DC9EA7103CF77E27F76AD79297EEE2D05804CF792601F9 267CD330D4CF960BCCF221CABD3E71242FD81A0E775E1651C4E4258DF0758FE8B78E089304CAF36656 B15ABD18D9C5544FD44B3A829E1D454576B67DC069A8E22D69862286C1750582416B3E0DE21058C359 5E60443F6BA3C359740E43172186CCD989D2991F7F5C0E912B6ADE36E1235C14E3EA242DDDF4461C4F 8E221EC315EF72FB024DCFE789C6D4A1C5A330B

---- EOF - GMER 1.0.14 ----]]> http://www.dslreports.com/forum/remark,20365120 Mon, 21 Apr 2008 20:16:35 EDT http://www.dslreports.com/forum/remark,20363737 bcastner : I am certain there is a Wareout rootkit infector here, but because this is Vista we may not be able to locate it.

Please download Gmer version 1.0.14.14105:
http://www2.gmer.net/beta/gmer.exe 
Keep all protection programs OFF including your AVG Antivirus. Disconnect from internet while performing these scans. After the scans are done, you can re-enable active protection and connect again.

Double-click gmer.exe to run it

Click the ">>>" Tab

Click the Files Tab

Check the "Only Hidden" check box on upper left side of Display to see rootkit hidden files.

Click "+" signs and navigate to C:\Windows\System32\Drivers (assuming your primary OS drive is C:\)
Any Hidden Rootkit drivers will be displayed in the right pane in RED.
Maybe a culprit rootkit driver will be listed there if it indeed exists.

Repeat the above for the following directory:
C:\Windows\System32\

To see if any files are hidden by a rootkit. Again, they will be listed in red.

Next - do a Gmer Autostart Scan

Click the "Autostart" Tab
Click the Scan button
When the autostart scan is finished, click Copy to save the Autostart log to the Windows clipboard
Open Notepad or a similar text editor
Paste the clipboard contents into a text file by clicking Edit | Paste or Ctl V
Save the log and post it in your next reply.

Now, perform a Gmer Rootkit/Malware scan by selecting the "Rootkit/Malware" Tab.
On the right-side of the Gmer screen, check all the items to be scanned (it should be this way by default.)
Select all drives that are connected to your system to be scanned
Click the Scan button
When the scan is finished, click Copy to save the scan log to the Windows clipboard
Open Notepad or a similar text editor
Paste the clipboard contents into a text file by clicking Edit | Paste or Ctl V
Save the gmer scan log and post it in your next reply.
Close Gmer
Open a command prompt (Start | run |type cmd and hit Enter)
Type or paste the following to unload the gmer driver:
net stop gmer
Hit Enter
Exit the command prompt.
Re-enable all active protection that you had disabled to conduct the scans.

Please post back to the Forum both Gmer scan reports.

--
============
MS-MVP 2004 - -2008, ASAP Member
Users Helping Users

]]> http://www.dslreports.com/forum/remark,20363737 Mon, 21 Apr 2008 15:41:43 EDT http://www.dslreports.com/forum/remark,20363588 Siko : Thanks for scanning through that, now here is my ESET log, it didn't find anything.

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3041 (20080419)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=f94ebf675e76f444bc9bef3e67f7aa40
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-04-21 02:01:17
# local_time=2008-04-20 10:01:17 (-0500, Eastern Daylight Time)
# country="United States"
# osver=6.0.6001 NT Service Pack 1
# scanned=931132
# found=0
# scan_time=6361]]> http://www.dslreports.com/forum/remark,20363588 Mon, 21 Apr 2008 15:15:26 EDT http://www.dslreports.com/forum/remark,20363584 Siko : ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 03:33 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2008-01-19 03:38 1008184]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [2006-12-13 03:17 98304]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2006-12-13 03:19 106496]
"Persistence"="C:\Windows\system32\igfxpers.exe" [2006-12-13 03:17 81920]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-15 08:47 579584]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-04-04 20:39 185896]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-04-05 19:33 219136]

C:\Users\Murlin Wei\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Xfire.lnk - C:\Program Files\Xfire\xfire.exe [2008-04-02 19:25:58 2987856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 2008-04-05 19:33 9216 C:\Windows\System32\avgwlntf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 relog_ap

[HKLM\~\startupfolder\C:^Users^Murlin Wei^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 2.3.lnk]
path=C:\Users\Murlin Wei\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 2.3.lnk
backup=C:\Windows\pss\OpenOffice.org 2.3.lnk.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Murlin Wei^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Secunia PSI (RC1).lnk]
path=C:\Users\Murlin Wei\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Secunia PSI (RC1).lnk
backup=C:\Windows\pss\Secunia PSI (RC1).lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
--a------ 2007-06-11 05:25 6731312 H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
--a------ 2007-02-16 19:49 149024 C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
--a------ 2007-02-16 19:57 1945960 C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 H:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-01-17 12:51 486856 C:\Program Files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2006-12-13 03:19 106496 C:\Windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2006-12-13 03:17 98304 C:\Windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 H:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OODefragTray]
C:\Windows\system32\oodtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
--a------ 2006-12-13 03:17 81920 C:\Windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2007-08-06 20:05 200704 H:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Rapget]
E:\Flight Simulator Software\rapget140\rapget.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
--a------ 2006-12-01 00:37 4186112 C:\Windows\RtHDVCpl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 04:25 144784 C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2008-04-06 13:17 1481968 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-04-04 20:39 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
--a------ 2007-02-16 19:45 1169776 C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsWelcomeCenter]
--a------ 2008-01-19 03:36 2153472 C:\Windows\System32\oobefldr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--a------ 2008-01-19 03:33 202240 C:\Program Files\Windows Media Player\WMPNSCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2738104663-2755392700-2221383480-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{61455193-5548-4882-BB4F-1FFC86E41172}C:\\ijji\\english\\u_skid.exe"= UDP:C:\ijji\english\u_skid.exe:
"UDP Query User{6099BF92-BFC5-416D-AEC6-DA00AFB25A65}C:\\ijji\\english\\u_skid.exe"= TCP:C:\ijji\english\u_skid.exe:
"TCP Query User{7E27783F-27CC-4E95-8A1E-47091E0453EF}K:\\program files\\driftcity\\driftcity.exe"= UDP:K:\program files\driftcity\driftcity.exe:DriftCity
"UDP Query User{68C2CEBB-F1D1-4589-A707-19610F1F7E77}K:\\program files\\driftcity\\driftcity.exe"= TCP:K:\program files\driftcity\driftcity.exe:DriftCity
"TCP Query User{FE38E010-F2C0-4967-83FD-96B25A3F5B30}C:\\ijji\\english\\u_sf\\soldierfront.exe"= UDP:C:\ijji\english\u_sf\soldierfront.exe:soldierfront
"UDP Query User{19A69707-47F5-4ED8-A3D4-D983B5833183}C:\\ijji\\english\\u_sf\\soldierfront.exe"= TCP:C:\ijji\english\u_sf\soldierfront.exe:soldierfront
"TCP Query User{B66503DB-7D5D-4DE9-9921-A25C9F1EA5AB}H:\\program files\\driftcity\\driftcity.exe"= UDP:H:\program files\driftcity\driftcity.exe:DriftCity
"UDP Query User{14612DD0-8A9C-44A2-9B51-5491B5A88018}H:\\program files\\driftcity\\driftcity.exe"= TCP:H:\program files\driftcity\driftcity.exe:DriftCity
"TCP Query User{A8D6E0B6-86C5-4D81-9FDF-F0378CD75F37}C:\\program files\\xfire\\xfire.exe"= UDP:C:\program files\xfire\xfire.exe:Xfire
"UDP Query User{5DC64609-489B-4CCD-8BDC-DA888571FCC7}C:\\program files\\xfire\\xfire.exe"= TCP:C:\program files\xfire\xfire.exe:Xfire
"{17C23B69-DBF2-487A-A532-7D9ABF255A9E}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{94906B86-E338-4979-ADE4-B4200BD59672}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"TCP Query User{30964450-8A26-40BA-A03B-E0D17BDCC6BB}G:\\program files\\microsoft games\\flight simulator 9\\fs9.exe"= UDP:G:\program files\microsoft games\flight simulator 9\fs9.exe:Microsoft Flight Simulator
"UDP Query User{426ADF18-258D-442E-B866-DE3813E88673}G:\\program files\\microsoft games\\flight simulator 9\\fs9.exe"= TCP:G:\program files\microsoft games\flight simulator 9\fs9.exe:Microsoft Flight Simulator
"{0E586831-FC73-45B0-9F08-096BF0D40C38}"= UDP:80:80
"{34AD0E95-78FA-44A3-A14A-4A598E511536}"= TCP:80:80
"{28CEFC0F-00A3-4EAB-9D8B-9D64D7265705}"= UDP:6112:6112
"{991C1B7E-6DA8-49BB-9C14-B6C74730B50A}"= TCP:6112:6112
"{8A3679AF-CD19-4CE2-A038-9DE3E3E5A34B}"= UDP:54789:54789
"{8C63877E-7C19-4DA5-B287-AA6D0F8CFC28}"= TCP:54789:54789
"TCP Query User{58038DE4-2BB8-41E1-8189-030A5E823718}H:\\nexon\\maplestory\\patcher.exe"= UDP:H:\nexon\maplestory\patcher.exe:Patcher MFC ?? ????
"UDP Query User{41D9A998-FD0B-4C1B-A90E-B0F2BED2BFC4}H:\\nexon\\maplestory\\patcher.exe"= TCP:H:\nexon\maplestory\patcher.exe:Patcher MFC ?? ????
"TCP Query User{57B550CD-25EA-460B-AE48-681C32F87C39}H:\\nexon\\maplestory\\maplestory.exe"= UDP:H:\nexon\maplestory\maplestory.exe:MapleStory
"UDP Query User{609320D2-5ECE-4286-8362-B486263DA9E3}H:\\nexon\\maplestory\\maplestory.exe"= TCP:H:\nexon\maplestory\maplestory.exe:MapleStory
"TCP Query User{83AB73F7-1946-4300-A08C-DB73E9369C8F}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{48ACEBD7-DC97-4FF2-BB6F-704618FB53B2}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"1c9b3cdd-3bce-43a9-881b-5fb372fe469c"=
TCP:2300|LPort=2301|LPort=2302|LPort=2303|LPort=2304|LPort=2305|LPort=2306|LPort=2307|LPort=2308|LPort=2309|LPort=2310|LPort=2311|LPort=2312|LPort=2313|LPort=2314|LPort=2315|LPort=2316|LPort=2317|LPort=2318|LPort=2319|LPort=2320|LPort=2321|LPort=2322|LPort=2323|LPort=2324|LPort=2325|LPort=2326|LPort=2327|LPort=2328|LPort=2329|LPort=2330|LPort=2331|LPort=2332|LPort=2333|LPort=2334|LPort=2335|LPort=2336|LPort=2337|LPort=2338|LPort=2339|LPort=2340|LPort=2341|LPort=2342|LPort=2343|LPort=2344|LPort=2345|LPort=2346|LPort=2347|LPort=2348|LPort=2349|LPort=2350|LPort=2351|LPort=2352|LPort=2353|LPort=2354|LPort=2355|LPort=2356|LPort=2357|LPort=2358|LPort=2359|LPort=2360|LPort=2361|LPort=2362|LPort=2363|LPort=2364|LPort=2365|LPort=2366|LPort=2367|LPort=2368|LPort=2369|LPort=2370|LPort=2371|LPort=2372|LPort=2373|LPort=2374|LPort=2375|LPort=2376|LPort=2377|LPort=2378|LPort=2379|LPort=2380|LPort=2381|LPort=2382|LPort=2383|LPort=2384|LPort=2385|LPort=2386|LPort=2387|LPort=2388|LPort=2389|LPort=2390|LPort=2391|LPort=2392|LPort=2393|LPort=2394|LPort=2395|LPort=2396|LPort=2397|LPort=2398|LPort=2399:Wolf Team "TCP Query User{6A3FA9AA-E952-4D4D-8FD7-FC7ED8BD727F}H:\\program files\\america's army\\system\\armyops.exe"= UDP:H:\program files\america's army\system\armyops.exe:ArmyOps
"UDP Query User{BEB13D38-D94C-4F4C-9245-7E48245BFA1D}H:\\program files\\america's army\\system\\armyops.exe"= TCP:H:\program files\america's army\system\armyops.exe:ArmyOps
"TCP Query User{50F33169-380A-49AF-81BE-7C6E8C8C2451}C:\\windows\\system32\\dpnsvr.exe"= UDP:C:\windows\system32\dpnsvr.exe:Microsoft DirectPlay8 Server
"UDP Query User{DF0B00AF-395E-4FA4-B850-2BD9EF20F7ED}C:\\windows\\system32\\dpnsvr.exe"= TCP:C:\windows\system32\dpnsvr.exe:Microsoft DirectPlay8 Server
"TCP Query User{5021BF18-01CD-4258-97B4-0C63DB4C1B7E}C:\\program files\\fsfdt\\control panel\\fsfdtcp.exe"= UDP:C:\program files\fsfdt\control panel\fsfdtcp.exe:FSFDT Control Panel
"UDP Query User{3DB1FC88-0596-4F01-A186-E39F227CE84D}C:\\program files\\fsfdt\\control panel\\fsfdtcp.exe"= TCP:C:\program files\fsfdt\control panel\fsfdtcp.exe:FSFDT Control Panel
"TCP Query User{1AB14382-F73F-48C9-B315-3EE9B8CB2694}C:\\program files\\mozilla firefox\\firefox.exe"= UDP:C:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{17CAEFA6-0C1E-42AC-978B-C4A6CBAAC66B}C:\\program files\\mozilla firefox\\firefox.exe"= TCP:C:\program files\mozilla firefox\firefox.exe:Firefox
"eb8b0e56-37ab-4db7-9f9e-1a1d6608d4e0"= %ProgramFiles%\FSFDT\FSInn UI\FSInnUI.exe:FSINN
"UDP Query User{D86A64A0-98DB-45F2-B30E-9C99810EA427}C:\\program files\\fsfdt\\fwinn\\fwinn.exe"= C:\program files\fsfdt\fwinn\fwinn.exe:FSInn Application
"TCP Query User{F3FF54FA-890C-4280-937A-E4B25DFDC64A}C:\\program files\\fsfdt\\fwinn\\fwinn.exe"= C:\program files\fsfdt\fwinn\fwinn.exe:FSInn Application
"5d038ed9-b69c-43ca-9e9d-361f03d7074d"= %ProgramFiles%\FSFDT\Control Panel\FSFDTCP.exe:FSUDCP
"09c2c1b0-5d17-4e76-8c53-65f0895ca6d1"= UDP:3782|LPort=3290|LPort=3783|LPort=6809:SQ
"3a769932-0d65-4226-8f87-9af21c6399fa"= TCP:3782|LPort=3290|LPort=3783|LPort=6809:SQ1
"7bda4004-dec1-4e68-ae03-4b18dca28327"= TCP:32062:FSINN
"TCP Query User{7BA25555-49F6-4C6F-A3BE-B1091A7CD7E6}C:\\program files\\swiftswitch\\swiftswitch.exe"= UDP:C:\program files\swiftswitch\swiftswitch.exe:Utility for RuneScape
"UDP Query User{F3D3B80D-3F35-4E98-BAE6-FFC8C8B398CB}C:\\program files\\swiftswitch\\swiftswitch.exe"= TCP:C:\program files\swiftswitch\swiftswitch.exe:Utility for RuneScape
"TCP Query User{2E3A70D7-0AC2-4254-B11B-0A2EC31E6D05}H:\\program files\\dragonfly\\special force\\specialforce.exe"= UDP:H:\program files\dragonfly\special force\specialforce.exe:SpecialForce
"UDP Query User{6137764F-CAE8-4517-AF49-6CB2607C5DB8}H:\\program files\\dragonfly\\special force\\specialforce.exe"= TCP:H:\program files\dragonfly\special force\specialforce.exe:SpecialForce
"TCP Query User{0D1EF090-833B-4967-9D45-EAF64C49861F}C:\\ijji\\english\\gunz\\gunz.exe"= UDP:C:\ijji\english\gunz\gunz.exe:Gunz
"UDP Query User{560CD26A-B4D8-4DD6-9AF8-BA438C3E071D}C:\\ijji\\english\\gunz\\gunz.exe"= TCP:C:\ijji\english\gunz\gunz.exe:Gunz
"TCP Query User{63EC054C-903B-40D8-A36F-D2F80B55FF3D}C:\\users\\murlin wei\\desktop\\fshost32\\fshost32.exe"= UDP:C:\users\murlin wei\desktop\fshost32\fshost32.exe:fshost32.exe
"UDP Query User{D8E76696-D62C-4EBD-8A08-5450B40122C9}C:\\users\\murlin wei\\desktop\\fshost32\\fshost32.exe"= TCP:C:\users\murlin wei\desktop\fshost32\fshost32.exe:fshost32.exe
"TCP Query User{854A4DB3-1DFB-4B87-A7E0-AEA6B9C0074B}C:\\windows\\system32\\dplaysvr.exe"= UDP:C:\windows\system32\dplaysvr.exe:Microsoft DirectPlay Helper
"UDP Query User{A36A3890-68AE-4E2D-BC3B-FDAC339499B3}C:\\windows\\system32\\dplaysvr.exe"= TCP:C:\windows\system32\dplaysvr.exe:Microsoft DirectPlay Helper
"TCP Query User{2D0919A8-6553-4CDF-A595-A46EF1D2F4D3}C:\\program files\\dragonfly\\special force\\specialforce.exe"= UDP:C:\program files\dragonfly\special force\specialforce.exe:specialforce
"UDP Query User{BC4A08A4-5B7E-4662-810F-1D9F1662B2AC}C:\\program files\\dragonfly\\special force\\specialforce.exe"= TCP:C:\program files\dragonfly\special force\specialforce.exe:specialforce
"{607558EF-6597-4863-8D25-F007069A2EC9}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{46E5FDB3-D48D-4321-B224-C365CF959155}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{9B21F62D-DF09-44A2-BD05-BC7EEE8742C9}"= UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{68F77BA3-1444-44C8-AC53-D586A7FD787C}"= TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{48866029-02D4-420C-AF33-2058433DC7D9}"= UDP:H:\Program Files\iTunes\iTunes.exe:iTunes
"{AB169B2B-5F22-47D8-B596-C06720D2E476}"= TCP:H:\Program Files\iTunes\iTunes.exe:iTunes
"TCP Query User{37AFDF7F-9FEF-441B-B24D-75F2E325B8C7}H:\\program files\\azureus\\azureus.exe"= UDP:H:\program files\azureus\azureus.exe:Azureus
"UDP Query User{2414528D-9012-4CCF-B04D-4D7AC667B755}H:\\program files\\azureus\\azureus.exe"= TCP:H:\program files\azureus\azureus.exe:Azureus
"TCP Query User{9225565D-E33E-467E-9533-ED9B2675E3C6}C:\\program files\\azureus\\azureus.exe"= UDP:C:\program files\azureus\azureus.exe:Azureus
"UDP Query User{9F98D73A-65DD-4D0E-B968-DC1D3C6EBAA6}C:\\program files\\azureus\\azureus.exe"= TCP:C:\program files\azureus\azureus.exe:Azureus
"TCP Query User{BC712732-FEB9-4EDA-8C73-9FC226F9DB1A}H:\\program files\\counter-strike source\\hl2.exe"= UDP:H:\program files\counter-strike source\hl2.exe:hl2
"UDP Query User{57A7C5E6-CBE4-4652-AFEF-DCFD72CBE342}H:\\program files\\counter-strike source\\hl2.exe"= TCP:H:\program files\counter-strike source\hl2.exe:hl2
"TCP Query User{1DB411BF-E55D-4961-A89F-4494677D10B3}H:\\program files\\secondlife\\slvoice.exe"= UDP:H:\program files\secondlife\slvoice.exe:SLVoice
"UDP Query User{27A63D2C-CAAE-42C6-A3F5-87CC36F583D3}H:\\program files\\secondlife\\slvoice.exe"= TCP:H:\program files\secondlife\slvoice.exe:SLVoice
"TCP Query User{71DB6B6F-9435-4ED3-A6DB-D8EBC799C9E1}C:\\program files\\real\\realplayer\\realplay.exe"= UDP:C:\program files\real\realplayer\realplay.exe:RealPlayer
"UDP Query User{AD20223A-2548-4E8F-A6E3-8E0542F0F9A5}C:\\program files\\real\\realplayer\\realplay.exe"= TCP:C:\program files\real\realplayer\realplay.exe:RealPlayer

R2 NPF;NetGroup Packet Filter Driver;C:\Windows\system32\drivers\npf.sys [2007-11-06 16:22]
R2 PD91Agent;PD91Agent;"C:\Program Files\Raxco\PerfectDisk\PD91Agent.exe" [2008-02-28 10:44]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-01-28 12:43]
R3 HPFXBULK;HPFXBULK;C:\Windows\system32\drivers\hpfxbulk.sys [2007-06-20 03:21]
R3 igfx;igfx;C:\Windows\system32\DRIVERS\igdkmd32.sys [2006-12-13 04:32]
R3 RTSTOR;USB Mass Storage Device;C:\Windows\system32\drivers\RTSTOR.SYS [2008-02-15 15:22]
R3 rxpvbus;Reality XP Avionics Bus Driver;C:\Windows\system32\DRIVERS\rxpvbus.sys [2005-11-04 09:35]
S2 AcronisOSSReinstallSvc;Acronis OS Selector Reinstall Service;"C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall_svc.exe" [2007-02-22 19:53]
S3 PD91Engine;PD91Engine;"C:\Program Files\Raxco\PerfectDisk\PD91Engine.exe" [2008-02-29 14:08]
S3 PD91VMDefrag;PD91VMDefrag;"C:\Program Files\Raxco\PerfectDisk\PD91VMDefrag.exe" [2008-02-29 10:44]
S3 PSI;PSI;C:\Windows\system32\DRIVERS\psi_mf.sys [2008-02-19 04:24]
S3 yukonwlh;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk60x86.sys [2006-11-02 03:30]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
rsmsvcs REG_MULTI_SZ ntmssvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\shell\AutoRun\command - F:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\shell\AutoRun\command - I:\Setup\rsrc\autorun.exe
\shell\dinstall\command - I:\Directx\dxsetup.exe

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, »www.gmer.net
Rootkit scan 2008-04-20 14:43:01
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\System32\audiodg.exe
H:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
H:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Grisoft\AVG7\avgrssvc.exe
C:\Program Files\Common Files\microsoft shared\VS7DEBUG\MDM.EXE
C:\Program Files\Grisoft\AVG7\avgrssvc.exe
C:\Program Files\Raxco\PerfectDisk\PD91AgentS1.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
.
**************************************************************************
.
Completion time: 2008-04-20 14:45:21 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-20 18:45:13
ComboFix2.txt 2008-04-08 19:33:44
ComboFix3.txt 2008-04-06 23:40:34

Pre-Run: 20,521,390,080 bytes free
Post-Run: 20,575,760,384 bytes free

846 --- E O F --- 2008-04-17 19:16:34]]> http://www.dslreports.com/forum/remark,20363584 Mon, 21 Apr 2008 15:14:38 EDT http://www.dslreports.com/forum/remark,20363582 Siko : .
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-20 15:41 737,280 ----a-w C:\Windows\iun6002.exe
2008-04-20 10:46 --------- d-----w C:\Users\Murlin Wei\AppData\Roaming\uTorrent
2008-04-19 18:51 --------- d---a-w C:\ProgramData\TEMP
2008-04-19 15:17 --------- d-----w C:\ProgramData\Xfire
2008-04-18 22:22 --------- d-----w C:\Users\Murlin Wei\AppData\Roaming\Xfire
2008-04-18 21:03 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-18 20:42 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-16 22:35 --------- d-----w C:\Program Files\Java
2008-04-15 00:18 --------- d-----w C:\Program Files\SwiftSwitch
2008-04-13 22:33 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-13 18:44 --------- d-----w C:\Program Files\SpywareBlaster
2008-04-08 21:22 --------- d-----w C:\Program Files\Windows Mail
2008-04-08 19:32 --------- d-----w C:\Program Files\Xfire
2008-04-07 22:27 179,034,213 ----a-w C:\Windows\DUMP449a.tmp
2008-04-06 17:17 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-04-05 23:33 --------- d-----w C:\ProgramData\Grisoft
2008-04-05 12:59 319,984 ----a-w C:\Windows\DIFxAPI.dll
2008-04-04 22:16 --------- d-----w C:\ProgramData\eMule
2008-03-30 22:54 --------- d-----w C:\Program Files\IEPro
2008-03-29 20:21 --------- d-----w C:\Program Files\WinPcap
2008-03-29 17:25 --------- d-----w C:\Users\Murlin Wei\AppData\Roaming\Winamp
2008-03-23 19:04 1,392,304 ----a-w C:\Windows\System32\AutoPartNt.exe
2008-03-23 19:01 114,048 ----a-w C:\Windows\system32\drivers\snapman.sys
2008-03-23 19:01 --------- d-----w C:\Program Files\Common Files\Acronis
2008-03-23 19:01 --------- d-----w C:\Program Files\Acronis
2008-03-22 18:20 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-22 16:54 --------- d-----w C:\Program Files\FS Real Time
2008-03-21 20:33 12,632 ----a-w C:\Windows\System32\lsdelete.exe
2008-03-20 01:20 174 --sha-w C:\Program Files\desktop.ini
2008-03-20 01:15 --------- d-----w C:\Program Files\Windows Sidebar
2008-03-20 01:15 --------- d-----w C:\Program Files\Windows Photo Gallery
2008-03-20 01:15 --------- d-----w C:\Program Files\Windows Defender
2008-03-20 01:15 --------- d-----w C:\Program Files\Windows Calendar
2008-03-20 01:05 82,432 ----a-w C:\Windows\System32\axaltocm.dll
2008-03-20 01:05 101,888 ----a-w C:\Windows\System32\ifxcardm.dll
2008-03-20 00:17 --------- d-----w C:\Program Files\Microsoft Games
2008-03-19 00:26 155,648 ----a-w C:\Windows\System32\libssl32.dll
2008-03-18 22:32 286,720 ----a-w C:\Windows\iun506.exe
2008-03-17 19:34 --------- d-----w C:\Users\Murlin Wei\AppData\Roaming\eMule
2008-03-16 18:03 --------- d-----w C:\ProgramData\Ubisoft
2008-03-16 18:03 --------- d-----w C:\Program Files\Microsoft Speech SDK 5.1
2008-03-16 18:03 --------- d-----w C:\Program Files\IL2 Sturmovik
2008-03-16 18:03 --------- d-----w C:\Program Files\IL-2 Sturmovik Forgotten Battles
2008-03-15 11:21 176,937 ----a-w C:\Windows\Sky Environment Ultra FS9 Uninstaller.exe
2008-03-13 20:36 --------- d-----w C:\Program Files\Bevelstone Production
2008-03-13 19:11 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-03-13 19:09 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-03-13 00:41 0 ---ha-w C:\Windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-03-12 20:48 --------- d-----w C:\Program Files\DocPad
2008-03-12 20:48 --------- d-----w C:\Program Files\Common Files\System-G
2008-03-09 22:11 --------- d-----w C:\Program Files\Trend Micro
2008-03-06 21:25 --------- d-----w C:\Users\Murlin Wei\AppData\Roaming\NPLUTO Corporation
2008-03-05 21:03 479,752 ----a-w C:\Windows\System32\XAudio2_0.dll
2008-03-05 21:03 238,088 ----a-w C:\Windows\System32\xactengine3_0.dll
2008-03-05 21:00 25,608 ----a-w C:\Windows\System32\X3DAudio1_3.dll
2008-03-05 20:56 3,786,760 ----a-w C:\Windows\System32\D3DX9_37.dll
2008-03-05 20:56 1,420,824 ----a-w C:\Windows\System32\D3DCompiler_37.dll
2008-03-02 19:32 --------- d-----w C:\ProgramData\SwiftSwitch
2008-03-02 16:09 --------- d-----w C:\Users\Murlin Wei\AppData\Roaming\Ventrilo
2008-03-02 12:12 --------- d-----w C:\Program Files\FSFlyingSchool
2008-03-02 02:32 --------- d-----w C:\Users\Murlin Wei\AppData\Roaming\HiFi
2008-03-01 19:37 --------- d-----w C:\Program Files\FOC 2003
2008-02-29 20:20 --------- d-----w C:\Program Files\Runtime Software
2008-02-29 07:14 19,000 ----a-w C:\Windows\System32\kd1394.dll
2008-02-29 07:11 988,216 ----a-w C:\Windows\System32\winload.exe
2008-02-29 07:11 927,288 ----a-w C:\Windows\System32\winresume.exe
2008-02-29 06:53 46,592 ----a-w C:\Windows\System32\setbcdlocale.dll
2008-02-29 06:53 40,960 ----a-w C:\Windows\System32\srclient.dll
2008-02-29 06:53 378,368 ----a-w C:\Windows\System32\srcore.dll
2008-02-29 06:35 6,656 ----a-w C:\Windows\System32\kbd106n.dll
2008-02-29 04:12 318,464 ----a-w C:\Windows\System32\rstrui.exe
2008-02-29 04:12 14,848 ----a-w C:\Windows\System32\srdelayed.exe
2008-02-29 00:23 --------- d-----w C:\Program Files\Recuva
2008-02-28 23:43 1,910 ----a-w C:\Windows\System32\tmp.reg
2008-02-28 21:55 --------- d-----w C:\Users\Murlin Wei\AppData\Roaming\SUPERAntiSpyware.com
2008-02-28 21:55 --------- d-----w C:\ProgramData\SUPERAntiSpyware.com
2008-02-28 15:45 230,152 ----a-w C:\Windows\System32\PDBoot.exe
2008-02-27 00:10 --------- d-----w C:\Program Files\RegSeeker
2008-02-26 23:34 --------- d-----w C:\Program Files\Shockwave 3D Lights Redux for FS9
2008-02-24 12:35 --------- d-----w C:\Program Files\DivX
2008-02-22 05:05 615,992 ----a-w C:\Windows\System32\ci.dll
2008-02-22 04:57 295,936 ----a-w C:\Windows\System32\gdi32.dll
2008-02-21 02:45 --------- d-----w C:\Program Files\SquawkBox3
2008-02-21 02:05 200,704 ----a-w C:\Windows\System32\ssldivx.dll
2008-02-21 02:05 1,044,480 ----a-w C:\Windows\System32\libdivx.dll
2008-02-19 01:58 316,768 ----a-w C:\Windows\System32\sayax.dll
2008-02-17 18:10 202,149 ----a-w C:\Windows\Water Details FS 2004 Uninstaller.exe
2008-02-11 15:55 147,456 ----a-w C:\Windows\System32\igfxCoIn_v1437.dll
2008-02-11 15:34 29,932 ----a-w C:\Windows\System32\igmedcompkrn.bin
2008-02-11 15:34 2,215,364 ----a-w C:\Windows\System32\igklg400.bin
2008-02-11 15:34 1,971,732 ----a-w C:\Windows\System32\igklg450.bin
2008-02-10 17:11 543 ----a-w C:\Program Files\INSTALL.LOG
2008-02-06 04:07 462,864 ----a-w C:\Windows\System32\d3dx10_37.dll
2008-01-29 16:02 107,368 ----a-w C:\Windows\System32\GEARAspi.dll
1998-09-25 18:16 270,848 ----a-w C:\Program Files\UNWISE.EXE
2008-01-18 00:12 90 --sh--w C:\Windows\cnerolf.dat
.

((((((((((((((((((((((((((((( snapshot@2008-04-06_19.39.55.30 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-13 19:32:08 98,678 ----a-w C:\Windows\.jagex_cache_32\loginapplet\cache-1965029828.dat
+ 2006-11-02 07:11:38 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll
+ 2008-04-18 22:53:25 472,064 ----a-w C:\Windows\BirdsEyeView\uninstall.exe
+ 2008-01-05 11:23:07 2,048 ----a-w C:\Windows\Boot\DVD\PCAT\etfsboot.com
- 2008-04-06 23:37:39 67,584 --s-a-w C:\Windows\bootstat.dat
+ 2008-04-20 18:42:37 67,584 --s-a-w C:\Windows\bootstat.dat
- 2007-05-08 22:01:12 208,896 ----a-w C:\Windows\CMDLIC.DLL
+ 2007-05-08 21:01:12 208,896 ----a-w C:\Windows\CMDLIC.DLL
- 2008-01-14 20:40:30 925,696 ----a-w C:\Windows\Downloaded Program Files\ijjistarter2.exe
+ 2008-04-16 01:03:16 925,696 ----a-w C:\Windows\Downloaded Program Files\ijjistarter2.exe
- 2008-03-20 01:13:36 665,600 ----a-w C:\Windows\inf\drvindex.dat
+ 2008-04-08 21:22:53 665,600 ----a-w C:\Windows\inf\drvindex.dat
- 2008-04-05 23:54:01 51,200 ----a-w C:\Windows\inf\infpub.dat
+ 2008-04-08 21:22:56 51,200 ----a-w C:\Windows\inf\infpub.dat
- 2008-04-05 23:54:01 86,016 ----a-w C:\Windows\inf\infstor.dat
+ 2008-04-08 21:22:56 86,016 ----a-w C:\Windows\inf\infstor.dat
- 2008-04-05 23:54:01 86,016 ----a-w C:\Windows\inf\infstrng.dat
+ 2008-04-08 21:22:53 86,016 ----a-w C:\Windows\inf\infstrng.dat
+ 2008-04-09 20:09:11 2,816 ----a-r C:\Windows\Installer\{1B588991-22A6-408B-88C2-1DC9769C59A3}\controlPanelIcon.exe
- 2008-03-08 01:41:14 7,406 ----a-r C:\Windows\Installer\{2B6EC03E-6FA0-4D7C-9CCE-1B03819AB613}\ARPPRODUCTICON.exe
+ 2008-04-15 00:22:32 7,406 ----a-r C:\Windows\Installer\{2B6EC03E-6FA0-4D7C-9CCE-1B03819AB613}\ARPPRODUCTICON.exe
- 2008-03-08 01:41:14 7,406 ----a-r C:\Windows\Installer\{2B6EC03E-6FA0-4D7C-9CCE-1B03819AB613}\DesktopStartPD9_2B6EC03E6FA04D7C9CCE1B03819AB613.exe
+ 2008-04-15 00:22:32 7,406 ----a-r C:\Windows\Installer\{2B6EC03E-6FA0-4D7C-9CCE-1B03819AB613}\DesktopStartPD9_2B6EC03E6FA04D7C9CCE1B03819AB613.exe
- 2008-03-08 01:41:14 7,406 ----a-r C:\Windows\Installer\{2B6EC03E-6FA0-4D7C-9CCE-1B03819AB613}\MenuStartPD9_2B6EC03E6FA04D7C9CCE1B03819AB613.exe
+ 2008-04-15 00:22:32 7,406 ----a-r C:\Windows\Installer\{2B6EC03E-6FA0-4D7C-9CCE-1B03819AB613}\MenuStartPD9_2B6EC03E6FA04D7C9CCE1B03819AB613.exe
- 2008-03-20 19:17:17 12,288 ----a-r C:\Windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2008-04-08 21:02:15 12,288 ----a-r C:\Windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2008-03-20 19:17:17 135,168 ----a-r C:\Windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2008-04-08 21:02:15 135,168 ----a-r C:\Windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2008-03-20 19:17:17 11,264 ----a-r C:\Windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2008-04-08 21:02:15 11,264 ----a-r C:\Windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2008-03-20 19:17:17 27,136 ----a-r C:\Windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2008-04-08 21:02:15 27,136 ----a-r C:\Windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2008-03-20 19:17:17 4,096 ----a-r C:\Windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2008-04-08 21:02:15 4,096 ----a-r C:\Windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2008-03-20 19:17:17 794,624 ----a-r C:\Windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2008-04-08 21:02:15 794,624 ----a-r C:\Windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2008-03-20 19:17:17 249,856 ----a-r C:\Windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2008-04-08 21:02:15 249,856 ----a-r C:\Windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2008-03-20 19:17:17 23,040 ----a-r C:\Windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2008-04-08 21:02:16 23,040 ----a-r C:\Windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2008-03-20 19:17:17 286,720 ----a-r C:\Windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2008-04-08 21:02:15 286,720 ----a-r C:\Windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2008-03-20 19:17:17 409,600 ----a-r C:\Windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2008-04-08 21:02:15 409,600 ----a-r C:\Windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2008-04-09 19:16:08 2,816 ----a-r C:\Windows\Installer\{98297A57-368B-4FC3-A236-5BDEBB0C3702}\controlPanelIcon.exe
+ 2008-03-16 18:03:51 2,238 ----a-r C:\Windows\Installer\{A403D88E-ED7D-48E3-91FD-B8C8A720EDA1}\coffee.exe
+ 2008-03-16 18:03:51 2,238 ----a-r C:\Windows\Installer\{A403D88E-ED7D-48E3-91FD-B8C8A720EDA1}\dictpad.exe
+ 2008-03-16 18:03:51 2,238 ----a-r C:\Windows\Installer\{A403D88E-ED7D-48E3-91FD-B8C8A720EDA1}\simpledict.exe
+ 2008-03-16 18:03:51 2,238 ----a-r C:\Windows\Installer\{A403D88E-ED7D-48E3-91FD-B8C8A720EDA1}\simpletelephony.exe
+ 2008-03-16 18:03:51 2,238 ----a-r C:\Windows\Installer\{A403D88E-ED7D-48E3-91FD-B8C8A720EDA1}\talkback.exe
- 2008-03-22 18:20:25 295,606 ----a-r C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A81200000003}\SC_Reader.exe
+ 2008-04-13 01:32:56 295,606 ----a-r C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A81200000003}\SC_Reader.exe
+ 2008-04-09 19:14:53 2,816 ----a-r C:\Windows\Installer\{EEDEB067-83FC-42AE-9BD5-62116F63D9F1}\controlPanelIcon.exe
+ 2008-01-19 07:31:57 2,560 ----a-w C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelEvents.dll
+ 2006-11-02 12:36:02 2,560 ----a-w C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelInstallRC.dll
+ 2006-11-02 08:12:29 2,048 ----a-w C:\Windows\MSAgent\AgtUI.dll
- 2008-03-01 23:55:07 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-04-16 22:35:17 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-03-01 23:55:07 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-04-16 22:35:17 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-04-06 23:17:13 262,144 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\usrclass.dat
+ 2008-04-20 17:55:29 262,144 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\usrclass.dat
- 2008-03-01 23:55:07 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-04-16 22:35:17 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-04-06 23:37:49 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-04-20 18:42:55 151,552 ----a-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2008-04-06 23:33:53 262,144 ----a-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\usrclass.dat
+ 2008-04-20 18:38:38 262,144 ----a-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\usrclass.dat
- 2008-04-06 23:37:49 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-04-20 18:42:55 151,552 ----a-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 1999-01-12 14:55:34 71,680 ----a-w C:\Windows\ST5UNST.EXE
+ 2006-11-02 07:10:15 2,000 ----a-w C:\Windows\system\keyboard.drv
+ 2006-11-02 07:10:18 2,032 ----a-w C:\Windows\system\mouse.drv
+ 2006-11-02 07:10:16 1,744 ----a-w C:\Windows\system\sound.drv
+ 2006-11-02 07:10:17 2,176 ----a-w C:\Windows\system\vga.drv
+ 2006-11-02 07:11:39 2,048 ----a-w C:\Windows\System32\acprgwiz.dll
+ 2006-11-02 12:35:57 2,048 ----a-w C:\Windows\System32\asferror.dll
- 2008-01-19 07:44:08 986,680 ----a-w C:\Windows\System32\Boot\winload.exe
+ 2008-02-29 07:11:54 988,216 ----a-w C:\Windows\System32\Boot\winload.exe
- 2008-01-19 07:44:06 926,776 ----a-w C:\Windows\System32\Boot\winresume.exe
+ 2008-02-29 07:11:56 927,288 ----a-w C:\Windows\System32\Boot\winresume.exe
+ 2008-01-19 05:27:25 2,560 ----a-w C:\Windows\System32\bootstr.dll
+ 2006-11-02 07:38:48 2,048 ----a-w C:\Windows\System32\bridgeres.dll
- 2008-04-05 18:57:03 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-04-16 21:58:10 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-04-05 18:57:03 49,152 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-04-16 21:58:10 49,152 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-04-05 18:57:03 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-04-16 21:58:10 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-04-06 23:34:10 262,144 ----a-w C:\Windows\System32\config\systemprofile\ntuser.dat
+ 2008-04-20 18:39:11 262,144 ----a-w C:\Windows\System32\config\systemprofile\ntuser.dat
+ 2008-01-19 05:49:54 2,048 ----a-w C:\Windows\System32\dmdskres2.dll
- 2008-01-10 03:00:04 68,624 ----a-r C:\Windows\System32\drivers\DefragFS.sys
+ 2008-01-10 02:00:04 68,624 ----a-r C:\Windows\System32\drivers\DefragFS.sys
+ 2006-11-02 08:27:54 2,048 ----a-w C:\Windows\System32\DriverStore\FileRepository\prnca001.inf_92fbd03f\I386\CNBPGR02.DLL
+ 2006-11-02 09:41:10 2,560 ----a-w C:\Windows\System32\DriverStore\FileRepository\prndc001.inf_79bb12be\I386\DICONRES.DLL
+ 2006-09-18 21:40:29 1,960 ----a-w C:\Windows\System32\DriverStore\FileRepository\prnep001.inf_f0a9a372\I386\EPNDDE11.DAT
+ 2006-09-18 21:40:29 1,778 ----a-w C:\Windows\System32\DriverStore\FileRepository\prnep001.inf_f0a9a372\I386\EPNDDE12.DAT
+ 2006-09-18 21:40:29 1,960 ----a-w C:\Windows\System32\DriverStore\FileRepository\prnep001.inf_f0a9a372\I386\EPNDDE16.DAT
+ 2006-09-18 21:40:29 1,992 ----a-w C:\Windows\System32\DriverStore\FileRepository\prnep001.inf_f0a9a372\I386\EPNDDE2J.DAT
+ 2006-09-18 21:40:29 1,948 ----a-w C:\Windows\System32\DriverStore\FileRepository\prnep001.inf_f0a9a372\I386\EPNDDE2K.DAT
+ 2006-09-18 21:40:29 2,128 ----a-w C:\Windows\System32\DriverStore\FileRepository\prnep001.inf_f0a9a372\I386\EPNDDE2M.DAT
+ 2006-09-18 21:40:29 2,398 ----a-w C:\Windows\System32\DriverStore\FileRepository\prnep001.inf_f0a9a372\I386\EPNDDE3N.DAT
+ 2006-09-18 21:40:29 1,976 ----a-w C:\Windows\System32\DriverStore\FileRepository\prnep001.inf_f0a9a372\I386\EPNDDE3O.DAT
+ 2006-09-18 21:40:29 1,764 ----a-w C:\Windows\System32\DriverStore\FileRepository\prnep001.inf_f0a9a372\I386\EPNDDE3P.DAT
+ 2006-09-18 21:40:29 2,398 ----a-w C:\Windows\System32\DriverStore\FileRepository\prnep001.inf_f0a9a372\I386\EPNDDE3Q.DAT
+ 2006-09-18 21:40:29 2,618 ----a-w C:\Windows\System32\DriverStore\FileRepository\prnep001.inf_f0a9a372\I386\EPNDDE3T.DAT
+ 2006-09-18 21:40:29 2,188 ----a-w C:\Windows\System32\DriverStore\FileRepository\prnep001.inf_f0a9a372\I386\EPNDDE3V.DAT
+ 2006-09-18 21:40:29 2,984 ----a-w C:\Windows\System32\DriverStore\FileRepository\prnep001.inf_f0a9a372\I386\EPNDDE4A.DAT
+ 2006-09-18 21:40:29 2,632 ----a-w C:\Windows\System32\DriverStore\FileRepository\prnep001.inf_f0a9a372\I386\EPNDDE4D.DAT
+ 2006-09-18 21:40:30 2,496 ----a-w C:\Windows\System32\DriverStore\FileRepository\prnep001.inf_f0a9a372\I386\EPNDDE4S.DAT
- 2008-04-02 01:30:13 1,622,616 ----a-w C:\Windows\System32\FNTCACHE.DAT
+ 2008-04-08 21:24:47 1,622,616 ----a-w C:\Windows\System32\FNTCACHE.DAT
- 2007-11-21 18:47:42 81,920 ----a-w C:\Windows\System32\frapsvid.dll
+ 2008-01-14 12:15:42 81,920 ----a-w C:\Windows\System32\frapsvid.dll
+ 1996-04-03 19:33:26 5,248 ----a-w C:\Windows\System32\giveio.sys
+ 2006-11-02 09:39:39 2,048 ----a-w C:\Windows\System32\iologmsg.dll
- 2008-02-22 05:23:35 135,168 ----a-w C:\Windows\System32\java.exe
+ 2008-03-25 05:28:39 135,168 ----a-w C:\Windows\System32\java.exe
- 2008-02-22 05:23:39 135,168 ----a-w C:\Windows\System32\javaw.exe
+ 2008-03-25 05:28:43 135,168 ----a-w C:\Windows\System32\javaw.exe
- 2008-02-22 06:33:32 139,264 ----a-w C:\Windows\System32\javaws.exe
+ 2008-03-25 06:37:01 139,264 ----a-w C:\Windows\System32\javaws.exe
- 2008-01-19 07:34:35 28,160 ----a-w C:\Windows\System32\jsproxy.dll
+ 2008-02-22 04:58:23 28,160 ----a-w C:\Windows\System32\jsproxy.dll
+ 2006-11-02 07:10:15 2,000 ----a-w C:\Windows\System32\keyboard.drv
+ 2006-11-02 07:38:59 2,048 ----a-w C:\Windows\System32\lltdres.dll
+ 2006-11-02 12:35:51 2,048 ----a-w C:\Windows\System32\mferror.dll
- 2008-01-19 07:36:55 64,512 ----a-w C:\Windows\System32\migration\WininetPlugin.dll
+ 2008-02-22 05:01:41 64,512 ----a-w C:\Windows\System32\migration\WininetPlugin.dll
+ 2006-11-02 07:10:18 2,032 ----a-w C:\Windows\System32\mouse.drv
- 2008-03-05 16:30:54 19,148,408 ----a-w C:\Windows\System32\mrt.exe
+ 2008-04-06 05:56:20 19,836,024 ----a-w C:\Windows\System32\mrt.exe
- 2008-01-19 07:34:59 3,578,368 ----a-w C:\Windows\System32\mshtml.dll
+ 2008-02-22 04:59:30 3,578,368 ----a-w C:\Windows\System32\mshtml.dll
+ 2006-11-02 07:15:56 2,560 ----a-w C:\Windows\System32\msimsg.dll
+ 2006-11-02 07:18:28 2,048 ----a-w C:\Windows\System32\msprivs.dll
- 2008-01-19 07:35:13 671,232 ----a-w C:\Windows\System32\mstime.dll
+ 2008-02-22 04:59:51 671,232 ----a-w C:\Windows\System32\mstime.dll
+ 2006-11-02 09:41:09 2,048 ----a-w C:\Windows\System32\msxml3r.dll
+ 2006-11-02 09:41:09 2,048 ----a-w C:\Windows\System32\msxml6r.dll
+ 2006-11-02 09:41:16 2,048 ----a-w C:\Windows\System32\neth.dll
+ 2006-11-02 09:41:17 2,048 ----a-w C:\Windows\System32\netmsg.dll
+ 2006-09-19 11:41:49 2,456