1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Virus infected

Discussion in 'Virus & Other Malware Removal' started by kgrsbh, Jan 17, 2011.

Thread Status:
Not open for further replies.
Advertisement
  1. kgrsbh

    kgrsbh Thread Starter

    Joined:
    Jan 11, 2011
    Messages:
    12
    Virus infected .. please help..
     
  2. kgrsbh

    kgrsbh Thread Starter

    Joined:
    Jan 11, 2011
    Messages:
    12
    Logfile of Trend Micro HijackThis v2.0.2Scan saved at 7:29:23 AM, on 18-Jan-2011Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Avira\AntiVir Desktop\sched.exeC:\WINDOWS\Explorer.exeC:\WINDOWS\system32\hkcmd.exeC:\WINDOWS\system32\igfxpers.exeC:\Program Files\Avira\AntiVir Desktop\avgnt.exeC:\Program Files\Avira\AntiVir Desktop\avguard.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeF2 - REG:system.ini: Shell=Explorer.exe RVHOST.exeO2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocxO4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exeO4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exeO4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exeO4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /minO4 - HKCU\..\Run: [king_mg] C:\WINDOWS\system32\mgking.exeO4 - HKCU\..\Run: [Yahoo Messengger] C:\WINDOWS\system32\RVHOST.exeO4 - HKCU\..\Run: [King_ar] C:\WINDOWS\system32\arking.exeO4 - HKUS\S-1-5-18\..\Run: [Yahoo Messengger] C:\WINDOWS\system32\RVHOST.exe (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\Run: [Yahoo Messengger] C:\WINDOWS\system32\RVHOST.exe (User 'Default user')O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXEO7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dllO12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dllO15 - Trusted IP range: 192.168.1.3O17 - HKLM\System\CCS\Services\Tcpip\..\{2B712EA6-5A76-4B33-AE99-15ED1AB271C1}: NameServer = 202.188.0.133O17 - HKLM\System\CS1\Services\Tcpip\..\{2B712EA6-5A76-4B33-AE99-15ED1AB271C1}: NameServer = 202.188.0.133O17 - HKLM\System\CS2\Services\Tcpip\..\{2B712EA6-5A76-4B33-AE99-15ED1AB271C1}: NameServer = 202.188.0.133O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exeO23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe--End of file - 3063 bytes
     
  3. kgrsbh

    kgrsbh Thread Starter

    Joined:
    Jan 11, 2011
    Messages:
    12
    Anyone can help?
     
  4. muppy03

    muppy03 Malware Specialist

    Joined:
    Jun 19, 2006
    Messages:
    1,879
    Your log is unreadeable. Please make sure that you have word wrap unchecked in notepad. What symptoms are you experiencing?

    Make an uninstall list using HijackThis
    To access the Uninstall Manager you would do the following:
    • Start HijackThis
    • Click on the Config button
    • Click on the Misc Tools button
    • Click on the Open Uninstall Manager button.
    • Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Save the file to your desktop.

    Please post this log on your next reply.

    NEXT Download and Run: RSIT

    • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
    • Double click on RSIT.exe to run RSIT.
    • Click Continue at the disclaimer screen.
    • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

    Please reply with:-
    • Uninstall list
    • RSIT logs ( info.txt and log.txt)
     
  5. kgrsbh

    kgrsbh Thread Starter

    Joined:
    Jan 11, 2011
    Messages:
    12
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:45:58 AM, on 22-Jan-2011
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\WINDOWS\Explorer.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    F2 - REG:system.ini: Shell=Explorer.exe RVHOST.exe
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKCU\..\Run: [king_mg] C:\WINDOWS\system32\mgking.exe
    O4 - HKCU\..\Run: [Yahoo Messengger] C:\WINDOWS\system32\RVHOST.exe
    O4 - HKCU\..\Run: [King_ar] C:\WINDOWS\system32\arking.exe
    O4 - HKUS\S-1-5-18\..\Run: [Yahoo Messengger] C:\WINDOWS\system32\RVHOST.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Yahoo Messengger] C:\WINDOWS\system32\RVHOST.exe (User 'Default user')
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted IP range: 192.168.1.3
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2B712EA6-5A76-4B33-AE99-15ED1AB271C1}: NameServer = 22.174.2.3,202.188.0.133
    O17 - HKLM\System\CS1\Services\Tcpip\..\{2B712EA6-5A76-4B33-AE99-15ED1AB271C1}: NameServer = 22.174.2.3,202.188.0.133
    O17 - HKLM\System\CS2\Services\Tcpip\..\{2B712EA6-5A76-4B33-AE99-15ED1AB271C1}: NameServer = 22.174.2.3,202.188.0.133
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    --
    End of file - 3129 bytes
     
  6. kgrsbh

    kgrsbh Thread Starter

    Joined:
    Jan 11, 2011
    Messages:
    12
    Adobe Acrobat 5.0
    Adobe Flash Player 10 ActiveX
    Avira AntiVir Personal - Free Antivirus
    HijackThis 2.0.2
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB981793)
    Intel(R) Extreme Graphics 2 Driver
    Ipswitch WS_FTP Pro
    Microsoft Office 2000 Premium
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player (KB979402)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2183461)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360131)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2416400)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981349)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982381)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    USB ACF Modem
     
  7. kgrsbh

    kgrsbh Thread Starter

    Joined:
    Jan 11, 2011
    Messages:
    12
    Logfile of random's system information tool 1.08 (written by random/random)
    Run by user at 2011-01-22 07:50:48
    Microsoft Windows XP Home Edition Service Pack 3
    System drive C: has 36 GB (92%) free of 39 GB
    Total RAM: 503 MB (65% free)
    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 7:50:53 AM, on 22-Jan-2011
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\WINDOWS\Explorer.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Documents and Settings\user\Desktop\RSIT.exe
    C:\Program Files\trend micro\user.exe
    F2 - REG:system.ini: Shell=Explorer.exe RVHOST.exe
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program
    Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKCU\..\Run: [king_mg] C:\WINDOWS\system32\mgking.exe
    O4 - HKCU\..\Run: [Yahoo Messengger] C:\WINDOWS\system32\RVHOST.exe
    O4 - HKCU\..\Run: [King_ar] C:\WINDOWS\system32\arking.exe
    O4 - HKUS\S-1-5-18\..\Run: [Yahoo Messengger] C:\WINDOWS\system32\RVHOST.exe (User
    'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Yahoo Messengger] C:\WINDOWS\system32\RVHOST.exe (User
    'Default user')
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} -
    C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 -
    {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network
    Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
    Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger -
    {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted IP range: 192.168.1.3
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2B712EA6-5A76-4B33-AE99-15ED1AB271C1}:
    NameServer = 22.174.2.3,202.188.0.133
    O17 - HKLM\System\CS1\Services\Tcpip\..\{2B712EA6-5A76-4B33-AE99-15ED1AB271C1}:
    NameServer = 22.174.2.3,202.188.0.133
    O17 - HKLM\System\CS2\Services\Tcpip\..\{2B712EA6-5A76-4B33-AE99-15ED1AB271C1}:
    NameServer = 22.174.2.3,202.188.0.133
    O22 - SharedTaskScheduler: Browseui preloader -
    {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon -
    {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program
    Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program
    Files\Avira\AntiVir Desktop\avguard.exe
    --
    End of file - 3389 bytes
    ======Scheduled tasks folder======
    C:\WINDOWS\tasks\At1.job
    C:\WINDOWS\tasks\At2.job
    ======Registry dump======
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser
    Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
    AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    [2001-04-16 37808]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "igfxtray"=C:\WINDOWS\system32\igfxtray.exe [2005-09-20 94208]
    "igfxhkcmd"=C:\WINDOWS\system32\hkcmd.exe [2005-09-20 77824]
    "igfxpers"=C:\WINDOWS\system32\igfxpers.exe [2005-09-20 114688]
    "avgnt"=C:\Program Files\Avira\AntiVir Desktop\avgnt.exe [2009-03-02 209153]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "king_mg"=C:\WINDOWS\system32\mgking.exe [2010-11-09 178176]
    "Yahoo Messengger"=C:\WINDOWS\system32\RVHOST.exe []
    "King_ar"=C:\WINDOWS\system32\arking.exe [2011-01-22 186368]
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
    NT\CurrentVersion\Winlogon\Notify\igfxcui]
    C:\WINDOWS\system32\igfxdev.dll [2005-09-20 135168]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm.sys]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "DisableTaskMgr"=1
    "DisableRegistryTools"=1
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "dontdisplaylastusername"=0
    "legalnoticecaption"=
    "legalnoticetext"=
    "shutdownwithoutlogon"=1
    "undockwithoutlogon"=1
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
    "NoDriveTypeAutoRun"=145
    "NofolderOptions"=1
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
    "HonorAutoRunSetting"=1
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallp
    olicy\standardprofile\authorizedapplications\list]
    "%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network
    Diagnostic\xpnetdiag.exe:*:Enabled:mad:xpsp3res.dll,-20000"
    "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:mad:xpsp2res.dll
    ,-22019"
    "\\Bki-mkt\CIS\CIS\Transfer\wsftp.exe"="\\Bki-mkt\CIS\CIS\Transfer\wsftp.exe:*:Enabled:wsft
    p"
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallp
    olicy\domainprofile\authorizedapplications\list]
    "%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network
    Diagnostic\xpnetdiag.exe:*:Enabled:mad:xpsp3res.dll,-20000"
    "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:mad:xpsp2res.dll
    ,-22019"
    ======List of files/folders created in the last 1 months======
    2011-01-22 07:50:48 ----D---- C:\rsit
    2011-01-18 07:29:17 ----D---- C:\Program Files\Trend Micro
    2011-01-14 14:52:50 ----RSH---- C:\dwh.exe
    2011-01-14 14:20:56 ----D---- C:\virus
    2011-01-11 16:03:53 ----A---- C:\WINDOWS\ntbtlog.txt
    2011-01-11 11:26:33 ----A---- C:\WINDOWS\system32\drivers\avipbb.sys
    2011-01-11 11:26:33 ----A---- C:\WINDOWS\system32\drivers\avgntmgr.sys
    2011-01-11 11:26:33 ----A---- C:\WINDOWS\system32\drivers\avgntdd.sys
    2011-01-11 11:26:31 ----A---- C:\WINDOWS\system32\drivers\ssmdrv.sys
    2011-01-11 11:26:30 ----D---- C:\Program Files\Avira
    2011-01-11 11:26:30 ----D---- C:\Documents and Settings\All Users\Application Data\Avira
    2011-01-10 12:26:16 ----RSH---- C:\WINDOWS\system32\arking1.dll
    2011-01-08 07:48:20 ----A---- C:\WINDOWS\system32\drivers\avgntflt.sys
    2011-01-07 19:28:30 ----HDC---- C:\WINDOWS\$NtUninstallKB2416400$
    2011-01-06 19:33:36 ----HDC---- C:\WINDOWS\$NtUninstallKB2467659$
    2011-01-06 19:33:11 ----HDC---- C:\WINDOWS\$NtUninstallKB2423089$
    2011-01-05 19:56:18 ----HDC---- C:\WINDOWS\$NtUninstallKB2296199$
    2011-01-05 19:56:14 ----HDC---- C:\WINDOWS\$NtUninstallKB2440591$
    2011-01-05 19:56:09 ----HDC---- C:\WINDOWS\$NtUninstallKB2443685$
    2011-01-05 19:56:03 ----HDC---- C:\WINDOWS\$NtUninstallKB2436673$
    2011-01-04 19:20:01 ----HDC---- C:\WINDOWS\$NtUninstallKB2443105$
    2011-01-04 07:58:21 ----RSH---- C:\WINDOWS\system32\arking0.dll
    2011-01-04 07:58:21 ----RSH---- C:\WINDOWS\system32\arking.exe
    2011-01-03 11:02:32 ----RASH---- C:\WINDOWS\system32\setting.ini
    ======List of files/folders modified in the last 1 months======
    2011-01-22 07:32:28 ----D---- C:\WINDOWS\system32
    2011-01-22 07:31:53 ----D---- C:\WINDOWS\Temp
    2011-01-22 07:31:50 ----D---- C:\WINDOWS\system32\CatRoot2
    2011-01-22 07:31:43 ----RSH---- C:\WINDOWS\system32\mgking0.dll
    2011-01-21 19:49:11 ----A---- C:\WINDOWS\SchedLgU.Txt
    2011-01-21 07:53:06 ----D---- C:\WINDOWS\Prefetch
    2011-01-18 07:29:17 ----D---- C:\Program Files
    2011-01-14 17:05:11 ----D---- C:\Peter
    2011-01-14 14:41:25 ----D---- C:\WINDOWS
    2011-01-14 07:54:41 ----D---- C:\WINDOWS\system32\drivers
    2011-01-13 11:45:51 ----HD---- C:\WINDOWS\inf
    2011-01-11 16:04:05 ----D---- C:\Documents and Settings
    2011-01-11 12:34:37 ----D---- C:\Cis
    2011-01-11 11:26:18 ----SHD---- C:\WINDOWS\Installer
    2011-01-11 11:26:17 ----D---- C:\WINDOWS\WinSxS
    2011-01-11 11:26:17 ----D---- C:\Program Files\Common Files\Microsoft Shared
    2011-01-11 11:18:52 ----SHD---- C:\System Volume Information
    2011-01-11 11:18:52 ----D---- C:\WINDOWS\system32\Restore
    2011-01-08 17:09:58 ----A---- C:\WINDOWS\system32\MRT.exe
    2011-01-08 07:41:49 ----SD---- C:\WINDOWS\Tasks
    2011-01-07 19:28:36 ----RSHDC---- C:\WINDOWS\system32\dllcache
    2011-01-06 19:33:49 ----A---- C:\WINDOWS\imsins.BAK
    2011-01-06 19:33:30 ----HD---- C:\WINDOWS\$hf_mig$
    2011-01-06 19:33:13 ----D---- C:\Program Files\Outlook Express
    ======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand,
    4=Disabled)======
    R1 avgio;avgio; \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys []
    R1 avipbb;avipbb; C:\WINDOWS\system32\DRIVERS\avipbb.sys [2009-03-30 96104]
    R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-14
    36352]
    R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-14
    14592]
    R1 ssmdrv;ssmdrv; C:\WINDOWS\system32\DRIVERS\ssmdrv.sys [2009-05-11 28520]
    R2 avgntflt;avgntflt; C:\WINDOWS\system32\DRIVERS\avgntflt.sys [2009-07-28 55656]
    R2 mdmxsdk;Modem SDK Driver; C:\WINDOWS\system32\DRIVERS\ACFSDK32.sys [2007-03-15
    12672]
    R2 NwlnkIpx;NWLink IPX/SPX/NetBIOS Compatible Transport Protocol;
    C:\WINDOWS\system32\DRIVERS\nwlnkipx.sys [2008-04-14 88320]
    R2 NwlnkNb;NWLink NetBIOS; C:\WINDOWS\system32\DRIVERS\nwlnknb.sys [2008-04-14
    63232]
    R2 NwlnkSpx;NWLink SPX/SPXII Protocol; C:\WINDOWS\system32\DRIVERS\nwlnkspx.sys
    [2008-04-14 55936]
    R3 b57w2k;Broadcom NetXtreme Gigabit Ethernet;
    C:\WINDOWS\system32\DRIVERS\b57xp32.sys [2010-03-15 222248]
    R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys
    [2008-04-14 10368]
    R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\ialmnt5.sys [2005-09-20 1302332]
    R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys
    [2008-04-14 32128]
    R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver;
    C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-14 20608]
    S3 acfva;acfva; C:\WINDOWS\system32\DRIVERS\ACFVA32.sys [2007-04-26 86784]
    S3 dgcfltr;DGC Filter Driver; C:\WINDOWS\system32\DRIVERS\ACFDCP32.sys [2007-05-09
    29056]
    S3 hwdatacard;Huawei DataCard USB Modem and USB Serial;
    C:\WINDOWS\system32\DRIVERS\ewusbmdm.sys []
    S3 hwusbdev;Huawei DataCard USB PNP Device; C:\WINDOWS\system32\DRIVERS\ewusbdev.sys
    []
    S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17
    12160]
    S3 usbser;USB Modem Driver; C:\WINDOWS\system32\DRIVERS\usbser.sys [2008-04-14 26112]
    S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    [2008-04-14 26368]
    ======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand,
    4=Disabled)======
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler; C:\Program Files\Avira\AntiVir
    Desktop\sched.exe [2009-05-13 108289]
    R2 AntiVirService;Avira AntiVir Guard; C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    [2009-07-21 185089]
    -----------------EOF-----------------
     
  8. kgrsbh

    kgrsbh Thread Starter

    Joined:
    Jan 11, 2011
    Messages:
    12
    info.txt logfile of random's system information tool 1.08 2011-01-22 07:50:55
    ======Uninstall list======
    -->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
    Adobe Acrobat 5.0-->C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
    Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\FlashUtil10l_ActiveX.exe -maintain activex
    Avira AntiVir Personal - Free Antivirus-->C:\Program Files\Avira\AntiVir Desktop\setup.exe /REMOVE
    HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
    Hotfix for Windows XP (KB2158563)-->"C:\WINDOWS\$NtUninstallKB2158563$\spuninst\spuninst.exe"
    Hotfix for Windows XP (KB2443685)-->"C:\WINDOWS\$NtUninstallKB2443685$\spuninst\spuninst.exe"
    Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
    Hotfix for Windows XP (KB981793)-->"C:\WINDOWS\$NtUninstallKB981793$\spuninst\spuninst.exe"
    Intel(R) Extreme Graphics 2 Driver-->RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2572
    Ipswitch WS_FTP Pro-->C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\WS_FTP Pro\uninst.isu" -c"C:\Program Files\WS_FTP Pro\FTPInstUtils.dll"
    Microsoft Office 2000 Premium-->MsiExec.exe /I{00000409-78E1-11D2-B60F-006097C998E7}
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17-->MsiExec.exe /X{9A25302D-30C0-39D9-BD6F-21E6EC160475}
    Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
    Security Update for Windows Media Player (KB954155)-->"C:\WINDOWS\$NtUninstallKB954155_WM9$\spuninst\spuninst.exe"
    Security Update for Windows Media Player (KB973540)-->"C:\WINDOWS\$NtUninstallKB973540_WM9$\spuninst\spuninst.exe"
    Security Update for Windows Media Player (KB975558)-->"C:\WINDOWS\$NtUninstallKB975558_WM8$\spuninst\spuninst.exe"
    Security Update for Windows Media Player (KB978695)-->"C:\WINDOWS\$NtUninstallKB978695_WM9$\spuninst\spuninst.exe"
    Security Update for Windows Media Player (KB979402)-->"C:\WINDOWS\$NtUninstallKB979402_WM9$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB2079403)-->"C:\WINDOWS\$NtUninstallKB2079403$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB2115168)-->"C:\WINDOWS\$NtUninstallKB2115168$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB2121546)-->"C:\WINDOWS\$NtUninstallKB2121546$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB2160329)-->"C:\WINDOWS\$NtUninstallKB2160329$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB2183461)-->"C:\WINDOWS\$NtUninstallKB2183461$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB2229593)-->"C:\WINDOWS\$NtUninstallKB2229593$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB2259922)-->"C:\WINDOWS\$NtUninstallKB2259922$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB2279986)-->"C:\WINDOWS\$NtUninstallKB2279986$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB2286198)-->"C:\WINDOWS\$NtUninstallKB2286198$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB2296011)-->"C:\WINDOWS\$NtUninstallKB2296011$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB2296199)-->"C:\WINDOWS\$NtUninstallKB2296199$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB2347290)-->"C:\WINDOWS\$NtUninstallKB2347290$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB2360131)-->"C:\WINDOWS\$NtUninstallKB2360131$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB2360937)-->"C:\WINDOWS\$NtUninstallKB2360937$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB2387149)-->"C:\WINDOWS\$NtUninstallKB2387149$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB2416400)-->"C:\WINDOWS\$NtUninstallKB2416400$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB2423089)-->"C:\WINDOWS\$NtUninstallKB2423089$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB2436673)-->"C:\WINDOWS\$NtUninstallKB2436673$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB2440591)-->"C:\WINDOWS\$NtUninstallKB2440591$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB2443105)-->"C:\WINDOWS\$NtUninstallKB2443105$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB923789)-->C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
    Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB956744)-->"C:\WINDOWS\$NtUninstallKB956744$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB956844)-->"C:\WINDOWS\$NtUninstallKB956844$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB958869)-->"C:\WINDOWS\$NtUninstallKB958869$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB960859)-->"C:\WINDOWS\$NtUninstallKB960859$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB961501)-->"C:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB969059)-->"C:\WINDOWS\$NtUninstallKB969059$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB970238)-->"C:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB970430)-->"C:\WINDOWS\$NtUninstallKB970430$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB971468)-->"C:\WINDOWS\$NtUninstallKB971468$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB971961)-->"C:\WINDOWS\$NtUninstallKB971961$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB972270)-->"C:\WINDOWS\$NtUninstallKB972270$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB973869)-->"C:\WINDOWS\$NtUninstallKB973869$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB973904)-->"C:\WINDOWS\$NtUninstallKB973904$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB974112)-->"C:\WINDOWS\$NtUninstallKB974112$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB974318)-->"C:\WINDOWS\$NtUninstallKB974318$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB974392)-->"C:\WINDOWS\$NtUninstallKB974392$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB974571)-->"C:\WINDOWS\$NtUninstallKB974571$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB975467)-->"C:\WINDOWS\$NtUninstallKB975467$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB975560)-->"C:\WINDOWS\$NtUninstallKB975560$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB975561)-->"C:\WINDOWS\$NtUninstallKB975561$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB975562)-->"C:\WINDOWS\$NtUninstallKB975562$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB975713)-->"C:\WINDOWS\$NtUninstallKB975713$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB977816)-->"C:\WINDOWS\$NtUninstallKB977816$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB977914)-->"C:\WINDOWS\$NtUninstallKB977914$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB978037)-->"C:\WINDOWS\$NtUninstallKB978037$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB978338)-->"C:\WINDOWS\$NtUninstallKB978338$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB978542)-->"C:\WINDOWS\$NtUninstallKB978542$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB978706)-->"C:\WINDOWS\$NtUninstallKB978706$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB979482)-->"C:\WINDOWS\$NtUninstallKB979482$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB979559)-->"C:\WINDOWS\$NtUninstallKB979559$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB979683)-->"C:\WINDOWS\$NtUninstallKB979683$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB979687)-->"C:\WINDOWS\$NtUninstallKB979687$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB980195)-->"C:\WINDOWS\$NtUninstallKB980195$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB980218)-->"C:\WINDOWS\$NtUninstallKB980218$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB980232)-->"C:\WINDOWS\$NtUninstallKB980232$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB980436)-->"C:\WINDOWS\$NtUninstallKB980436$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB981322)-->"C:\WINDOWS\$NtUninstallKB981322$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB981349)-->"C:\WINDOWS\$NtUninstallKB981349$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB981852)-->"C:\WINDOWS\$NtUninstallKB981852$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB981957)-->"C:\WINDOWS\$NtUninstallKB981957$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB981997)-->"C:\WINDOWS\$NtUninstallKB981997$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB982132)-->"C:\WINDOWS\$NtUninstallKB982132$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB982214)-->"C:\WINDOWS\$NtUninstallKB982214$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB982381)-->"C:\WINDOWS\$NtUninstallKB982381$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB982665)-->"C:\WINDOWS\$NtUninstallKB982665$\spuninst\spuninst.exe"
    Security Update for Windows XP (KB982802)-->"C:\WINDOWS\$NtUninstallKB982802$\spuninst\spuninst.exe"
    Update for Windows XP (KB2141007)-->"C:\WINDOWS\$NtUninstallKB2141007$\spuninst\spuninst.exe"
    Update for Windows XP (KB2345886)-->"C:\WINDOWS\$NtUninstallKB2345886$\spuninst\spuninst.exe"
    Update for Windows XP (KB2467659)-->"C:\WINDOWS\$NtUninstallKB2467659$\spuninst\spuninst.exe"
    Update for Windows XP (KB898461)-->"C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
    Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
    Update for Windows XP (KB955759)-->"C:\WINDOWS\$NtUninstallKB955759$\spuninst\spuninst.exe"
    Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
    Update for Windows XP (KB968389)-->"C:\WINDOWS\$NtUninstallKB968389$\spuninst\spuninst.exe"
    Update for Windows XP (KB971737)-->"C:\WINDOWS\$NtUninstallKB971737$\spuninst\spuninst.exe"
    Update for Windows XP (KB973687)-->"C:\WINDOWS\$NtUninstallKB973687$\spuninst\spuninst.exe"
    Update for Windows XP (KB973815)-->"C:\WINDOWS\$NtUninstallKB973815$\spuninst\spuninst.exe"
    USB ACF Modem-->C:\Program Files\CONEXANT\CNXT_MODEM_USB_ACF\UIU32c.exe -U -IPACFUSB5.INF
    ======Security center information======
    AV: AntiVir Desktop (outdated)
    ======System event log======
    Computer Name: KBO-MAIN
    Event Code: 4
    Message: Broadcom NetXtreme Gigabit Ethernet: The network link is down. Check to make sure the network cable is properly connected.
    Record Number: 4339
    Source Name: b57w2k
    Time Written: 20101029130824.000000+480
    Event Type: warning
    User:
    Computer Name: KBO-MAIN
    Event Code: 4226
    Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.
    Record Number: 4336
    Source Name: Tcpip
    Time Written: 20101029114749.000000+480
    Event Type: warning
    User:
    Computer Name: KBO-MAIN
    Event Code: 4
    Message: Broadcom NetXtreme Gigabit Ethernet: The network link is down. Check to make sure the network cable is properly connected.
    Record Number: 4328
    Source Name: b57w2k
    Time Written: 20101029092220.000000+480
    Event Type: warning
    User:
    Computer Name: KBO-MAIN
    Event Code: 4
    Message: Broadcom NetXtreme Gigabit Ethernet: The network link is down. Check to make sure the network cable is properly connected.
    Record Number: 4325
    Source Name: b57w2k
    Time Written: 20101029092214.000000+480
    Event Type: warning
    User:
    Computer Name: KBO-MAIN
    Event Code: 4
    Message: Broadcom NetXtreme Gigabit Ethernet: The network link is down. Check to make sure the network cable is properly connected.
    Record Number: 4321
    Source Name: b57w2k
    Time Written: 20101029073342.000000+480
    Event Type: warning
    User:
    =====Application event log=====
    Computer Name: KBO-MAIN
    Event Code: 1004
    Message: Detection of product '{00000409-78E1-11D2-B60F-006097C998E7}', feature 'OutlookOMI', component '{6485D250-C2AC-11D1-AD3E-00A0C911C9C0}' failed. The resource 'C:\Program Files\Common Files\System\Mapi\1033\NT\OMINT.DLL' does not exist.
    Record Number: 1110
    Source Name: MsiInstaller
    Time Written: 20101020111738.000000+480
    Event Type: warning
    User: KBO-MAIN\user
    Computer Name: KBO-MAIN
    Event Code: 1001
    Message: Detection of product '{00000409-78E1-11D2-B60F-006097C998E7}', feature 'OutlookOMI' failed during request for component '{6485D250-C2AC-11D1-AD3E-00A0C911C9C0}'
    Record Number: 1107
    Source Name: MsiInstaller
    Time Written: 20101020111736.000000+480
    Event Type: warning
    User: KBO-MAIN\user
    Computer Name: KBO-MAIN
    Event Code: 1004
    Message: Detection of product '{00000409-78E1-11D2-B60F-006097C998E7}', feature 'OutlookOMI', component '{6485D250-C2AC-11D1-AD3E-00A0C911C9C0}' failed. The resource 'C:\Program Files\Common Files\System\Mapi\1033\NT\OMINT.DLL' does not exist.
    Record Number: 1106
    Source Name: MsiInstaller
    Time Written: 20101020111736.000000+480
    Event Type: warning
    User: KBO-MAIN\user
    Computer Name: KBO-MAIN
    Event Code: 1004
    Message: Detection of product '{00000409-78E1-11D2-B60F-006097C998E7}', feature 'OutlookOMI', component '{6485D250-C2AC-11D1-AD3E-00A0C911C9C0}' failed. The resource 'C:\Program Files\Common Files\System\Mapi\1033\NT\OMINT.DLL' does not exist.
    Record Number: 1105
    Source Name: MsiInstaller
    Time Written: 20101020111736.000000+480
    Event Type: warning
    User: KBO-MAIN\user
    Computer Name: KBO-MAIN
    Event Code: 1001
    Message: Detection of product '{00000409-78E1-11D2-B60F-006097C998E7}', feature 'OutlookOMI' failed during request for component '{6485D250-C2AC-11D1-AD3E-00A0C911C9C0}'
    Record Number: 1103
    Source Name: MsiInstaller
    Time Written: 20101020111734.000000+480
    Event Type: warning
    User: KBO-MAIN\user
    ======Environment variables======
    "ComSpec"=%SystemRoot%\system32\cmd.exe
    "Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem
    "windir"=%SystemRoot%
    "FP_NO_HOST_CHECK"=NO
    "OS"=Windows_NT
    "PROCESSOR_ARCHITECTURE"=x86
    "PROCESSOR_LEVEL"=15
    "PROCESSOR_IDENTIFIER"=x86 Family 15 Model 2 Stepping 9, GenuineIntel
    "PROCESSOR_REVISION"=0209
    "NUMBER_OF_PROCESSORS"=1
    "PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
    "TEMP"=%SystemRoot%\TEMP
    "TMP"=%SystemRoot%\TEMP
    -----------------EOF-----------------
     
  9. muppy03

    muppy03 Malware Specialist

    Joined:
    Jun 19, 2006
    Messages:
    1,879
    TFC(Temp File Cleaner):

    • Please download TFC to your desktop,
    • Save any unsaved work. TFC will close all open application windows.
    • Double-click TFC.exe to run the program.
    • If prompted, click "Yes" to reboot.

    Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take longer take a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.



    Please download Malwarebytes' Anti-Malware and save to your desktop.

    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to:

      Update Malwarebytes' Anti-Malware
      Launch Malwarebytes' Anti-Malware
    • Then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform Quick scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • If it found any malware items. Check all items except items in the C:\System Volume Information folder... and click Remove Selected.
    • When completed, a log will open in Notepad. Please copy and paste the log back into your next reply

      Note:
    • The log can also be found here:
      C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
    • Or via the Logs tab when Malwarebytes' Anti-Malware is started.

    Please reply with:-
    • MBAM log
    • New HJT log
     
  10. kgrsbh

    kgrsbh Thread Starter

    Joined:
    Jan 11, 2011
    Messages:
    12
    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org
    Database version: 5583
    Windows 5.1.2600 Service Pack 3
    Internet Explorer 6.0.2900.5512
    24-Jan-2011 9:22:11 AM
    mbam-log-2011-01-24 (09-22-11).txt
    Scan type: Quick scan
    Objects scanned: 137082
    Time elapsed: 4 minute(s), 36 second(s)
    Memory Processes Infected: 0
    Memory Modules Infected: 1
    Registry Keys Infected: 1
    Registry Values Infected: 4
    Registry Data Items Infected: 7
    Folders Infected: 0
    Files Infected: 8
    Memory Processes Infected:
    (No malicious items detected)
    Memory Modules Infected:
    c:\WINDOWS\system32\arking0.dll (Spyware.OnlineGames.Gen) -> Delete on reboot.
    Registry Keys Infected:
    HKEY_CLASSES_ROOT\CLSID\MADOWN (Worm.Magania) -> Quarantined and deleted
    successfully.
    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\king_mg
    (Spyware.OnlineGames) -> Value: king_mg -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\King_ar
    (Spyware.OnlineGames.Gen) -> Value: King_ar -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Nof
    olderOptions (Hijack.FolderOptions) -> Value: NofolderOptions -> Quarantined and
    deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Yahoo
    Messengger (Backdoor.Bot) -> Value: Yahoo Messengger -> Quarantined and deleted
    successfully.
    Registry Data Items Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disa
    bleTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted
    successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Disa
    bleRegistryTools (PUM.Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted
    successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify
    (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted
    successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify
    (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted
    successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify
    (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted
    successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
    (Hijack.Shell) -> Bad: (Explorer.exe RVHOST.exe) Good: (Explorer.exe) -> Quarantined and
    deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
    Folder\Hidden\SHOWALL\CheckedValue (PUM.Hijack.System.Hidden) -> Bad: (0) Good: (1)
    -> Quarantined and deleted successfully.
    Folders Infected:
    (No malicious items detected)
    Files Infected:
    c:\WINDOWS\system32\arking0.dll (Spyware.OnlineGames.Gen) -> Delete on reboot.
    c:\WINDOWS\system32\mgking.exe (Spyware.OnlineGames) -> Quarantined and deleted
    successfully.
    c:\WINDOWS\system32\arking.exe (Spyware.OnlineGames.Gen) -> Quarantined and
    deleted successfully.
    c:\dwh.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\arking1.dll (Spyware.OnlineGames.Gen) -> Quarantined and
    deleted successfully.
    c:\WINDOWS\system32\mgking0.dll (Spyware.OnlineGames) -> Quarantined and deleted
    successfully.
    c:\documents and settings\all users\documents\My Music\My Music.exe (Worm.AutoRun)
    -> Quarantined and deleted successfully.
    c:\documents and settings\all users\documents\my pictures\my pictures.exe
    (Worm.AutoRun) -> Quarantined and deleted successfully.
     
  11. kgrsbh

    kgrsbh Thread Starter

    Joined:
    Jan 11, 2011
    Messages:
    12
    Logfile of Trend Micro HijackThis v2.0.2Scan saved at 9:25:04 AM, on 24-Jan-2011Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Avira\AntiVir Desktop\sched.exeC:\Program Files\Avira\AntiVir Desktop\avguard.exeC:\WINDOWS\system32\wuauclt.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\hkcmd.exeC:\WINDOWS\system32\igfxpers.exeC:\Program Files\Avira\AntiVir Desktop\avgnt.exeC:\WINDOWS\system32\wscntfy.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeO2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocxO4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exeO4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exeO4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exeO4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /minO4 - HKUS\S-1-5-18\..\Run: [Yahoo Messengger] C:\WINDOWS\system32\RVHOST.exe (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\Run: [Yahoo Messengger] C:\WINDOWS\system32\RVHOST.exe (User 'Default user')O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXEO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dllO12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dllO15 - Trusted IP range: 192.168.1.3O17 - HKLM\System\CCS\Services\Tcpip\..\{2B712EA6-5A76-4B33-AE99-15ED1AB271C1}: NameServer = 22.174.2.3,202.188.0.133O17 - HKLM\System\CS1\Services\Tcpip\..\{2B712EA6-5A76-4B33-AE99-15ED1AB271C1}: NameServer = 22.174.2.3,202.188.0.133O17 - HKLM\System\CS2\Services\Tcpip\..\{2B712EA6-5A76-4B33-AE99-15ED1AB271C1}: NameServer = 22.174.2.3,202.188.0.133O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exeO23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe--End of file - 2834 bytes
     
  12. kgrsbh

    kgrsbh Thread Starter

    Joined:
    Jan 11, 2011
    Messages:
    12
    Double Click C drive doesn't open..
     
  13. muppy03

    muppy03 Malware Specialist

    Joined:
    Jun 19, 2006
    Messages:
    1,879
    When posting HJT logs, make sure wordwrap is unchecked, otherwise I cannot read them. This is important.


    Open Hijack This and select Do a System Scan Only place a check next to the below lines if still present


    • O4 - HKUS\S-1-5-18\..\Run: [Yahoo Messengger] C:\WINDOWS\system32\RVHOST.exe (User 'SYSTEM')
      O4 - HKUS\.DEFAULT\..\Run: [Yahoo Messengger] C:\WINDOWS\system32\RVHOST.exe (User 'Default user')
      O15 - Trusted IP range: 192.168.1.3

    Once selected close all windows except HJT an click on Fix Checked

    Download and run Combofix
    This tool is not a toy and not for everyday use.
    ComboFix SHOULD NOT be used unless requested by a forum helper


    Please download ComboFix from one of these locations:

    Link 1
    Link 2

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
    • If you need help to disable your protection programs see here.
    • Double click on ComboFix.exe & follow the prompts.
    • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

    [​IMG]
    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    [​IMG]
    Click on Yes, to continue scanning for malware.

    When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.

    If you need help, see this link:
    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    Please reply with:-
    • Combofix log
    • New HJT log
     
  14. kgrsbh

    kgrsbh Thread Starter

    Joined:
    Jan 11, 2011
    Messages:
    12
    ComboFix 11-01-23.04 - user 4-Jan-2011 12:43:46.1.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.318 [GMT 8:00]
    Running from: c:\virus\ComboFix.exe
    AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    C:\Autorun.inf
    c:\windows\system32\setting.ini
    c:\windows\regedit.exe . . . is infected!!
    .
    ((((((((((((((((((((((((( Files Created from 2010-12-24 to 2011-01-24 )))))))))))))))))))))))))))))))
    .
    2011-01-24 01:15 . 2011-01-24 01:15 -------- d-----w- c:\documents and settings\user\Application Data\Malwarebytes
    2011-01-24 01:15 . 2010-12-20 10:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-01-24 01:15 . 2011-01-24 01:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-01-24 01:15 . 2011-01-24 01:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-01-24 01:15 . 2010-12-20 10:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-01-21 23:50 . 2011-01-21 23:50 -------- d-----w- C:\rsit
    2011-01-17 23:29 . 2011-01-21 23:50 -------- d-----w- c:\program files\Trend Micro
    2011-01-14 06:20 . 2011-01-24 04:41 -------- d-----w- C:\virus
    2011-01-11 08:04 . 2011-01-11 08:04 -------- d-----w- c:\documents and settings\Administrator
    2011-01-11 03:26 . 2009-03-30 01:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2011-01-11 03:26 . 2009-02-13 03:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
    2011-01-11 03:26 . 2009-02-13 03:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
    2011-01-11 03:26 . 2011-01-11 03:26 -------- d-----w- c:\program files\Avira
    2011-01-11 03:26 . 2011-01-11 03:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2011-01-07 23:48 . 2009-07-28 07:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-11-29 00:04 . 2010-06-15 00:07 425317 ----a-w- C:\CIS_DAT2.ZIP
    2010-11-29 00:04 . 2010-06-15 00:07 2263905 ----a-w- C:\CIS_DAT1.ZIP
    2010-11-18 18:12 . 2010-06-03 03:02 81920 ----a-w- c:\windows\system32\isign32.dll
    2010-11-05 05:05 . 2008-04-14 12:00 667136 ----a-w- c:\windows\system32\wininet.dll
    2010-11-05 05:05 . 2008-04-14 12:00 61952 ----a-w- c:\windows\system32\tdc.ocx
    2010-11-05 05:05 . 2008-04-14 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
    2010-11-03 12:59 . 2008-04-14 12:00 369664 ----a-w- c:\windows\system32\html.iec
    2010-11-02 15:17 . 2008-04-14 12:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
    2010-10-28 13:13 . 2008-04-14 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-10-26 13:25 . 2008-04-14 12:00 1853312 ----a-w- c:\windows\system32\win32k.sys
    .
    ------- Sigcheck -------
    [-] 2008-04-14 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\system32\drivers\atapi.sys
    [-] 2008-04-14 . B153AFFAC761E7F5FCFA822B9C4E97BC . 14336 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\asyncmac.sys
    [-] 2008-04-14 . B153AFFAC761E7F5FCFA822B9C4E97BC . 14336 . . [5.1.2600.5512] . . c:\windows\system32\drivers\asyncmac.sys
    [-] 2008-04-14 . DA1F27D85E0D1525F6621372E7B685E9 . 4224 . . [5.1.2600.0] . . c:\windows\system32\dllcache\beep.sys
    [-] 2008-04-14 . DA1F27D85E0D1525F6621372E7B685E9 . 4224 . . [5.1.2600.0] . . c:\windows\system32\drivers\beep.sys
    [-] 2008-04-13 . 463C1EC80CD17420A542B7F36A36F128 . 24576 . . [5.1.2600.5512] . . c:\windows\system32\drivers\kbdclass.sys
    [-] 2008-04-14 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\ndis.sys
    [-] 2008-04-14 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . c:\windows\system32\drivers\ndis.sys
    [-] 2008-04-14 . 78A08DD6A8D65E697C18E1DB01C5CDCA . 574976 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\ntfs.sys
    [-] 2008-04-14 . 78A08DD6A8D65E697C18E1DB01C5CDCA . 574976 . . [5.1.2600.5512] . . c:\windows\system32\drivers\ntfs.sys
    [-] 2008-04-14 . 73C1E1F395918BC2C6DD67AF7591A3AD . 2944 . . [5.1.2600.0] . . c:\windows\system32\dllcache\null.sys
    [-] 2008-04-14 . 73C1E1F395918BC2C6DD67AF7591A3AD . 2944 . . [5.1.2600.0] . . c:\windows\system32\drivers\null.sys
    [-] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
    [-] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
    [-] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
    [-] 2008-04-14 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
    [-] 2008-04-14 . A06CE3399D16DB864F55FAEB1F1927A9 . 77824 . . [5.1.2600.5512] . . c:\windows\system32\browser.dll
    [-] 2008-04-14 . A06CE3399D16DB864F55FAEB1F1927A9 . 77824 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\browser.dll
    [-] 2008-04-14 . BF2466B3E18E970D8A976FB95FC1CA85 . 13312 . . [5.1.2600.5512] . . c:\windows\system32\lsass.exe
    [-] 2008-04-14 . BF2466B3E18E970D8A976FB95FC1CA85 . 13312 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\lsass.exe
    [-] 2008-04-14 . 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE . 198144 . . [5.1.2600.5512] . . c:\windows\system32\netman.dll
    [-] 2008-04-14 . 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE . 198144 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\netman.dll
    [-] 2008-04-14 . 574738F61FCA2935F5265DC4E5691314 . 409088 . . [6.7.2600.5512] . . c:\windows\system32\qmgr.dll
    [-] 2008-04-14 . 574738F61FCA2935F5265DC4E5691314 . 409088 . . [6.7.2600.5512] . . c:\windows\system32\dllcache\qmgr.dll
    [-] 2009-02-09 . 6B27A5C03DFB94B4245739065431322C . 401408 . . [5.1.2600.5755] . . c:\windows\system32\rpcss.dll
    [-] 2009-02-09 . 6B27A5C03DFB94B4245739065431322C . 401408 . . [5.1.2600.5755] . . c:\windows\system32\dllcache\rpcss.dll
    [-] 2009-02-09 . 9222562D44021B988B9F9F62207FB6F2 . 401408 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3QFE\rpcss.dll
    [-] 2008-04-14 . 2589FE6015A316C0F5D5112B4DA7B509 . 399360 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB956572$\rpcss.dll
    [-] 2009-02-06 . 65DF52F5B8B6E9BBD183505225C37315 . 110592 . . [5.1.2600.5755] . . c:\windows\system32\services.exe
    [-] 2009-02-06 . 65DF52F5B8B6E9BBD183505225C37315 . 110592 . . [5.1.2600.5755] . . c:\windows\system32\dllcache\services.exe
    [-] 2009-02-06 . 020CEAAEDC8EB655B6506B8C70D53BB6 . 110592 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3QFE\services.exe
    [-] 2008-04-14 . 0E776ED5F7CC9F94299E70461B7B8185 . 108544 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB956572$\services.exe
    [-] 2010-08-17 . 258DD5D4283FD9F9A7166BE9AE45CE73 . 58880 . . [5.1.2600.6024] . . c:\windows\$hf_mig$\KB2347290\SP3QFE\spoolsv.exe
    [-] 2010-08-17 . 60784F891563FB1B767F70117FC2428F . 58880 . . [5.1.2600.6024] . . c:\windows\system32\spoolsv.exe
    [-] 2010-08-17 . 60784F891563FB1B767F70117FC2428F . 58880 . . [5.1.2600.6024] . . c:\windows\system32\dllcache\spoolsv.exe
    [-] 2008-04-14 . D8E14A61ACC1D4A6CD0D38AEBAC7FA3B . 57856 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB2347290$\spoolsv.exe
    [-] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
    [-] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\winlogon.exe
    [-] 2010-08-23 . 93AFB83FBC1F9443CAC722FCA63D73BF . 617472 . . [5.82] . . c:\windows\system32\comctl32.dll
    [-] 2010-08-23 . 93AFB83FBC1F9443CAC722FCA63D73BF . 617472 . . [5.82] . . c:\windows\system32\dllcache\comctl32.dll
    [-] 2010-08-23 . 736B12B725AEB2B07F0241A9F680CB10 . 1054208 . . [6.0] . . c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
    [-] 2008-04-14 . 06F247492BC786CE5C24A23E178C711A . 617472 . . [5.82] . . c:\windows\$NtUninstallKB2296011$\comctl32.dll
    [-] 2008-04-14 . AEF3D788DBF40C7C4D204EA45EB0C505 . 921088 . . [6.0] . . c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll
    [-] 2008-04-14 . BD38D1EBE24A46BD3EDA059560AFBA12 . 1054208 . . [6.0] . . c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
    [-] 2008-04-14 . 3D4E199942E29207970E04315D02AD3B . 62464 . . [5.1.2600.5512] . . c:\windows\system32\cryptsvc.dll
    [-] 2008-04-14 . 3D4E199942E29207970E04315D02AD3B . 62464 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\cryptsvc.dll
    [-] 2008-07-07 20:26 . D4991D98F2DB73C60D042F1AEF79EFAE . 253952 . . [2001.12.4414.706] . . c:\windows\system32\es.dll
    [-] 2008-07-07 20:26 . D4991D98F2DB73C60D042F1AEF79EFAE . 253952 . . [2001.12.4414.706] . . c:\windows\system32\dllcache\es.dll
    [-] 2008-07-07 20:23 . F17F6226BDC0CD5F0BEF0DAF84D29BEC . 253952 . . [2001.12.4414.706] . . c:\windows\$hf_mig$\KB950974\SP3QFE\es.dll
    [-] 2008-04-14 12:00 . 19A799805B24990867B00C120D300C3A . 246272 . . [2001.12.4414.701] . . c:\windows\$NtUninstallKB950974$\es.dll
    [-] 2008-04-14 . 0DA85218E92526972A821587E6A8BF8F . 110080 . . [5.1.2600.5512] . . c:\windows\system32\imm32.dll
    [-] 2008-04-14 . 0DA85218E92526972A821587E6A8BF8F . 110080 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\imm32.dll
    [-] 2009-03-21 . B921FB870C9AC0D509B2CCABBBBE95F3 . 989696 . . [5.1.2600.5781] . . c:\windows\system32\kernel32.dll
    [-] 2009-03-21 . B921FB870C9AC0D509B2CCABBBBE95F3 . 989696 . . [5.1.2600.5781] . . c:\windows\system32\dllcache\kernel32.dll
    [-] 2009-03-21 . DA11D9D6ECBDF0F93436A4B7C13F7BEC . 991744 . . [5.1.2600.5781] . . c:\windows\$hf_mig$\KB959426\SP3QFE\kernel32.dll
    [-] 2008-04-14 . C24B983D211C34DA8FCC1AC38477971D . 989696 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB959426$\kernel32.dll
    [-] 2008-04-14 . 2DC5A8019E2387987905F77C664E4BE2 . 19968 . . [5.1.2600.5512] . . c:\windows\system32\linkinfo.dll
    [-] 2008-04-14 . 2DC5A8019E2387987905F77C664E4BE2 . 19968 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\linkinfo.dll
    [-] 2008-04-14 . 012DF358CEBAA23ACB26D82077820817 . 22016 . . [5.1.2600.5512] . . c:\windows\system32\lpk.dll
    [-] 2008-04-14 . 012DF358CEBAA23ACB26D82077820817 . 22016 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\lpk.dll
    [-] 2008-04-14 . 355EDBB4D412B01F1740C17E3F50FA00 . 343040 . . [7.0.2600.5512] . . c:\windows\system32\msvcrt.dll
    [-] 2008-04-14 . 355EDBB4D412B01F1740C17E3F50FA00 . 343040 . . [7.0.2600.5512] . . c:\windows\system32\dllcache\msvcrt.dll
    [-] 2008-04-14 . 4200BE3808F6406DBE45A7B88DAE5035 . 322560 . . [7.0.2600.0] . . c:\windows\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.0.0_x-ww_2726e76a\msvcrt.dll
    [-] 2008-04-14 . D7075E95AA599EE77B7A89D39296BD3D . 343040 . . [7.0.2600.5512] . . c:\windows\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.5512_x-ww_3fd60d63\msvcrt.dll
    [-] 2008-06-20 . 832E4DD8964AB7ACC880B2837CB1ED20 . 245248 . . [5.1.2600.5625] . . c:\windows\system32\mswsock.dll
    [-] 2008-06-20 . 832E4DD8964AB7ACC880B2837CB1ED20 . 245248 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\mswsock.dll
    [-] 2008-06-20 . FCEE5FCB99F7C724593365C706D28388 . 245248 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\mswsock.dll
    [-] 2008-04-14 . B4138E99236F0F57D4CF49BAE98A0746 . 245248 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\mswsock.dll
    [-] 2008-04-14 . 1B7F071C51B77C272875C3A23E1E4550 . 407040 . . [5.1.2600.5512] . . c:\windows\system32\netlogon.dll
    [-] 2008-04-14 . 1B7F071C51B77C272875C3A23E1E4550 . 407040 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\netlogon.dll
    [-] 2008-04-14 . 50A166237A0FA771261275A405646CC0 . 17408 . . [6.00.2900.5512] . . c:\windows\system32\powrprof.dll
    [-] 2008-04-14 . 50A166237A0FA771261275A405646CC0 . 17408 . . [6.00.2900.5512] . . c:\windows\system32\dllcache\powrprof.dll
    [-] 2008-04-14 . A86BB5E61BF3E39B62AB4C7E7085A084 . 181248 . . [5.1.2600.5512] . . c:\windows\system32\scecli.dll
    [-] 2008-04-14 . A86BB5E61BF3E39B62AB4C7E7085A084 . 181248 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\scecli.dll
    [-] 2008-04-14 . 96E1C926F22EE1BFBAE82901A35F6BF3 . 5120 . . [5.1.2600.5512] . . c:\windows\system32\sfc.dll
    [-] 2008-04-14 . 96E1C926F22EE1BFBAE82901A35F6BF3 . 5120 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\sfc.dll
    [-] 2008-04-14 . 27C6D03BCDB8CFEB96B716F3D8BE3E18 . 14336 . . [5.1.2600.5512] . . c:\windows\system32\svchost.exe
    [-] 2008-04-14 . 27C6D03BCDB8CFEB96B716F3D8BE3E18 . 14336 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\svchost.exe
    [-] 2008-04-14 . 3CB78C17BB664637787C9A1C98F79C38 . 249856 . . [5.1.2600.5512] . . c:\windows\system32\tapisrv.dll
    [-] 2008-04-14 . 3CB78C17BB664637787C9A1C98F79C38 . 249856 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\tapisrv.dll
    [-] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.5512] . . c:\windows\system32\user32.dll
    [-] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\user32.dll
    [-] 2008-04-14 . A93AEE1928A9D7CE3E16D24EC7380F89 . 26112 . . [5.1.2600.5512] . . c:\windows\system32\userinit.exe
    [-] 2008-04-14 . A93AEE1928A9D7CE3E16D24EC7380F89 . 26112 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\userinit.exe
    [-] 2008-04-14 . 2CCC474EB85CEAA3E1FA1726580A3E5A . 82432 . . [5.1.2600.5512] . . c:\windows\system32\ws2_32.dll
    [-] 2008-04-14 . 2CCC474EB85CEAA3E1FA1726580A3E5A . 82432 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\ws2_32.dll
    [-] 2008-04-14 . 9789E95E1D88EEB4B922BF3EA7779C28 . 19968 . . [5.1.2600.5512] . . c:\windows\system32\ws2help.dll
    [-] 2008-04-14 . 9789E95E1D88EEB4B922BF3EA7779C28 . 19968 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\ws2help.dll
    [-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\explorer.exe
    [-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\system32\dllcache\explorer.exe
    [-] 2010-07-16 . 7A6A7900B5E322763430BA6FD9A31224 . 1288192 . . [5.1.2600.6010] . . c:\windows\system32\ole32.dll
    [-] 2010-07-16 . 7A6A7900B5E322763430BA6FD9A31224 . 1288192 . . [5.1.2600.6010] . . c:\windows\system32\dllcache\ole32.dll
    [-] 2010-07-16 . 8D51FB47062F2A1A9EFECCEF338A4C46 . 1289216 . . [5.1.2600.6010] . . c:\windows\$hf_mig$\KB979687\SP3QFE\ole32.dll
    [-] 2008-04-14 . ECCE74BC6168375016450A86A164D976 . 1287168 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB979687$\ole32.dll
    [-] 2010-04-16 . 9E03DC5AB51CFD0190541CE2038D819D . 406016 . . [1.0420.2600.5969] . . c:\windows\system32\usp10.dll
    [-] 2010-04-16 . 9E03DC5AB51CFD0190541CE2038D819D . 406016 . . [1.0420.2600.5969] . . c:\windows\system32\dllcache\usp10.dll
    [-] 2010-04-16 . F8894BCC961D461674002B4BAE7AECC1 . 406016 . . [1.0420.2600.5969] . . c:\windows\$hf_mig$\KB981322\SP3QFE\usp10.dll
    [-] 2008-04-14 . 7D7D8501F3CB45D0408CDEFA08CDAEFF . 406016 . . [1.0420.2600.5512] . . c:\windows\$NtUninstallKB981322$\usp10.dll
    [-] 2008-04-14 . 3805DF0AC4296A34BA4BF93B346CC378 . 171008 . . [5.1.2600.5512] . . c:\windows\system32\srsvc.dll
    [-] 2008-04-14 . 3805DF0AC4296A34BA4BF93B346CC378 . 171008 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\srsvc.dll
    [-] 2008-04-14 . F92E1076C42FCD6DB3D72D8CFE9816D5 . 13824 . . [5.1.2600.5512] . . c:\windows\system32\wscntfy.exe
    [-] 2008-04-14 . F92E1076C42FCD6DB3D72D8CFE9816D5 . 13824 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\wscntfy.exe
    [-] 2008-04-14 . 295D21F14C335B53CB8154E5B1F892B9 . 129024 . . [5.1.2600.5512] . . c:\windows\system32\xmlprov.dll
    [-] 2008-04-14 . 295D21F14C335B53CB8154E5B1F892B9 . 129024 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\xmlprov.dll
    [-] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows\system32\eventlog.dll
    [-] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\eventlog.dll
    [-] 2008-04-14 . 9DD07AF82244867CA36681EA2D29CE79 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
    [-] 2008-04-14 . 9DD07AF82244867CA36681EA2D29CE79 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\sfcfiles.dll
    [-] 2008-04-14 . 5F1D5F88303D4A4DBC8E5F97BA967CC3 . 15360 . . [5.1.2600.5512] . . c:\windows\system32\ctfmon.exe
    [-] 2008-04-14 . 5F1D5F88303D4A4DBC8E5F97BA967CC3 . 15360 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\ctfmon.exe
    [-] 2008-04-14 . 1926899BF9FFE2602B63074971700412 . 135168 . . [6.00.2900.5512] . . c:\windows\system32\shsvcs.dll
    [-] 2008-04-14 . 1926899BF9FFE2602B63074971700412 . 135168 . . [6.00.2900.5512] . . c:\windows\system32\dllcache\shsvcs.dll
    [-] 2008-04-14 . 5B19B557B0C188210A56A6B699D90B8F . 59904 . . [5.1.2600.5512] . . c:\windows\system32\regsvc.dll
    [-] 2008-04-14 . 5B19B557B0C188210A56A6B699D90B8F . 59904 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\regsvc.dll
    [-] 2008-04-14 . 0A9A7365A1CA4319AA7C1D6CD8E4EAFA . 192512 . . [5.1.2600.5512] . . c:\windows\system32\schedsvc.dll
    [-] 2008-04-14 . 0A9A7365A1CA4319AA7C1D6CD8E4EAFA . 192512 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\schedsvc.dll
    [-] 2008-04-14 . 0A5679B3714EDAB99E357057EE88FCA6 . 71680 . . [5.1.2600.5512] . . c:\windows\system32\ssdpsrv.dll
    [-] 2008-04-14 . 0A5679B3714EDAB99E357057EE88FCA6 . 71680 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\ssdpsrv.dll
    [-] 2008-04-14 . FF3477C03BE7201C294C35F684B3479F . 295424 . . [5.1.2600.5512] . . c:\windows\system32\termsrv.dll
    [-] 2008-04-14 . FF3477C03BE7201C294C35F684B3479F . 295424 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\termsrv.dll
    [-] 2008-04-14 . 3CB32D3B8CBE79899D63280BB7A83CD9 . 344064 . . [5.1.2600.5512] . . c:\windows\system32\hnetcfg.dll
    [-] 2008-04-14 . 3CB32D3B8CBE79899D63280BB7A83CD9 . 344064 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\hnetcfg.dll
    [-] 2008-04-14 . 9859C0F6936E723E4892D7141B1327D5 . 11648 . . [5.1.2600.0] . . c:\windows\system32\drivers\acpiec.sys
    [-] 2008-04-14 . 3BB22519A194418D5FEC05D800A19AD0 . 36608 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\ip6fw.sys
    [-] 2008-04-14 . 3BB22519A194418D5FEC05D800A19AD0 . 36608 . . [5.1.2600.5512] . . c:\windows\system32\drivers\ip6fw.sys
    [-] 2008-04-14 . 986B1FF5814366D71E0AC5755C88F2D3 . 33792 . . [5.1.2600.5512] . . c:\windows\system32\msgsvc.dll
    [-] 2008-04-14 . 986B1FF5814366D71E0AC5755C88F2D3 . 33792 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\msgsvc.dll
    [-] 2008-04-14 12:00 . C7E39EA41233E9F5B86C8DA3A9F1E4A8 . 52224 . . [9.0.1.56] . . c:\windows\system32\mspmsnsv.dll
    [-] 2008-04-14 12:00 . C7E39EA41233E9F5B86C8DA3A9F1E4A8 . 52224 . . [9.0.1.56] . . c:\windows\system32\dllcache\mspmsnsv.dll
    [-] 2010-04-27 . 756362706DE8BC92F11E197C98A73844 . 2066944 . . [5.1.2600.5973] . . c:\windows\$hf_mig$\KB981852\SP3QFE\ntkrnlpa.exe
    [-] 2010-04-27 . DC57ABED7BDE1487E658968B4423BED7 . 2066816 . . [5.1.2600.5973] . . c:\windows\Driver Cache\i386\ntkrnlpa.exe
    [-] 2010-04-27 . DC57ABED7BDE1487E658968B4423BED7 . 2066816 . . [5.1.2600.5973] . . c:\windows\system32\ntkrnlpa.exe
    [-] 2010-04-27 . DC57ABED7BDE1487E658968B4423BED7 . 2066816 . . [5.1.2600.5973] . . c:\windows\system32\dllcache\ntkrnlpa.exe
    [-] 2010-02-16 . A046C627EC20456E2959B7BD628E1FD0 . 2066816 . . [5.1.2600.5938] . . c:\windows\$NtUninstallKB981852$\ntkrnlpa.exe
    [-] 2010-02-16 . DED8B5A89B085284634502E9D75AC78C . 2066944 . . [5.1.2600.5938] . . c:\windows\$hf_mig$\KB979683\SP3QFE\ntkrnlpa.exe
    [-] 2009-02-06 . 607352B9CB3D708C67F6039097801B5A . 2066176 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3QFE\ntkrnlpa.exe
    [-] 2008-04-14 . 109F8E3E3C82E337BB71B6BC9B895D61 . 2065792 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB979683$\ntkrnlpa.exe
    [-] 2008-04-14 12:00 . 156F64A3345BD23C600655FB4D10BC08 . 435200 . . [5.1.2400.5512] . . c:\windows\system32\ntmssvc.dll
    [-] 2008-04-14 12:00 . 156F64A3345BD23C600655FB4D10BC08 . 435200 . . [5.1.2400.5512] . . c:\windows\system32\dllcache\ntmssvc.dll
    [-] 2008-04-14 . 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 . 185856 . . [5.1.2600.5512] . . c:\windows\system32\upnphost.dll
    [-] 2008-04-14 . 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 . 185856 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\upnphost.dll
    [-] 2008-04-14 . 4D83ED8BDDEC431FC8AD907B47CFB6E3 . 367616 . . [5.3.2600.5512] . . c:\windows\system32\dsound.dll
    [-] 2008-04-14 . 4D83ED8BDDEC431FC8AD907B47CFB6E3 . 367616 . . [5.3.2600.5512] . . c:\windows\system32\dllcache\dsound.dll
    [-] 2008-04-14 . 0607CBC6FA20114CB491EFE4B2F9EFAD . 1689088 . . [5.03.2600.5512] . . c:\windows\system32\d3d9.dll
    [-] 2008-04-14 . 0607CBC6FA20114CB491EFE4B2F9EFAD . 1689088 . . [5.03.2600.5512] . . c:\windows\system32\dllcache\d3d9.dll
    [-] 2008-04-14 . A340CD71EB535A3DD751B5F28723E50C . 279552 . . [5.03.2600.5512] . . c:\windows\system32\ddraw.dll
    [-] 2008-04-14 . A340CD71EB535A3DD751B5F28723E50C . 279552 . . [5.03.2600.5512] . . c:\windows\system32\dllcache\ddraw.dll
    [-] 2008-04-14 12:00 . 5652F6CE1D9E9D8068B9D29BC21B5409 . 84992 . . [5.1.2600.5512] . . c:\windows\system32\olepro32.dll
    [-] 2008-04-14 12:00 . 5652F6CE1D9E9D8068B9D29BC21B5409 . 84992 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\olepro32.dll
    [-] 2008-04-14 . DBE2B62353660ECCA0D75EA307A717E9 . 39936 . . [5.1.2600.5512] . . c:\windows\system32\perfctrs.dll
    [-] 2008-04-14 . DBE2B62353660ECCA0D75EA307A717E9 . 39936 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\perfctrs.dll
    [-] 2008-04-14 . C7CE131408739B0B3A318BE2D0032719 . 18944 . . [5.1.2600.5512] . . c:\windows\system32\version.dll
    [-] 2008-04-14 . C7CE131408739B0B3A318BE2D0032719 . 18944 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\version.dll
    [-] 2008-04-14 . 55794B97A7FAABD2910873C85274F409 . 93184 . . [6.00.2900.5512] . . c:\windows\system32\dllcache\iexplore.exe
    [-] 2010-04-28 . 472059774023F80EB7227EAF9A7ACDA1 . 2189952 . . [5.1.2600.5973] . . c:\windows\Driver Cache\i386\ntoskrnl.exe
    [-] 2010-04-28 . 472059774023F80EB7227EAF9A7ACDA1 . 2189952 . . [5.1.2600.5973] . . c:\windows\system32\ntoskrnl.exe
    [-] 2010-04-28 . 472059774023F80EB7227EAF9A7ACDA1 . 2189952 . . [5.1.2600.5973] . . c:\windows\system32\dllcache\ntoskrnl.exe
    [-] 2010-04-27 . A2ABBEC40CDB57454645D06B7EBD22F5 . 2190080 . . [5.1.2600.5973] . . c:\windows\$hf_mig$\KB981852\SP3QFE\ntoskrnl.exe
    [-] 2010-02-17 . D41C3CBAD0E1C0728D1CDFD541F60CFA . 2189952 . . [5.1.2600.5938] . . c:\windows\$NtUninstallKB981852$\ntoskrnl.exe
    [-] 2010-02-16 . E1F653A542449D54FA2D27463D99B6B6 . 2190080 . . [5.1.2600.5938] . . c:\windows\$hf_mig$\KB979683\SP3QFE\ntoskrnl.exe
    [-] 2009-02-07 . EFE8EACE83EAAD5849A7A548FB75B584 . 2189184 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3QFE\ntoskrnl.exe
    [-] 2008-04-14 . 0C89243C7C3EE199B96FCC16990E0679 . 2188928 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB979683$\ntoskrnl.exe
    [-] 2008-04-14 . 3805DF0AC4296A34BA4BF93B346CC378 . 171008 . . [5.1.2600.5512] . . c:\windows\system32\srsvc.dll
    [-] 2008-04-14 . 3805DF0AC4296A34BA4BF93B346CC378 . 171008 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\srsvc.dll
    [-] 2008-04-14 . 54AF4B1D5459500EF0937F6D33B1914F . 175104 . . [5.1.2600.5512] . . c:\windows\system32\w32time.dll
    [-] 2008-04-14 . 54AF4B1D5459500EF0937F6D33B1914F . 175104 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\w32time.dll
    [-] 2008-04-14 . 8BAD69CBAC032D4BBACFCE0306174C30 . 333824 . . [5.1.2600.5512] . . c:\windows\system32\wiaservc.dll
    [-] 2008-04-14 . 8BAD69CBAC032D4BBACFCE0306174C30 . 333824 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\wiaservc.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "\\\\Bki-mkt\\CIS\\CIS\\Transfer\\wsftp.exe"=
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11-Jan-2011 11:26 AM 108289]
    S3 acfva;acfva;c:\windows\system32\drivers\ACFVA32.sys [07-Jun-2010 5:41 PM 86784]
    S3 dgcfltr;DGC Filter Driver;c:\windows\system32\drivers\ACFDCP32.sys [07-Jun-2010 5:41 PM 29056]
    S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\DRIVERS\ewusbdev.sys --> c:\windows\system32\DRIVERS\ewusbdev.sys [?]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    .
    ------- Supplementary Scan -------
    .
    TCP: {2B712EA6-5A76-4B33-AE99-15ED1AB271C1} = 22.174.2.3,202.188.0.133
    .
    **************************************************************************
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-01-24 12:46
    Windows 5.1.2600 Service Pack 3 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    Completion time: 2011-01-24 12:48:38
    ComboFix-quarantined-files.txt 2011-01-24 04:48
    Pre-Run: 37,939,167,232 bytes free
    Post-Run: 37,930,594,304 bytes free
    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
    - - End Of File - - 445B34837CDFBB6827D373575CDA774A
     
  15. kgrsbh

    kgrsbh Thread Starter

    Joined:
    Jan 11, 2011
    Messages:
    12
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:52:56 PM, on 24-Jan-2011
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2B712EA6-5A76-4B33-AE99-15ED1AB271C1}: NameServer = 22.174.2.3,202.188.0.133
    O17 - HKLM\System\CS1\Services\Tcpip\..\{2B712EA6-5A76-4B33-AE99-15ED1AB271C1}: NameServer = 22.174.2.3,202.188.0.133
    O17 - HKLM\System\CS2\Services\Tcpip\..\{2B712EA6-5A76-4B33-AE99-15ED1AB271C1}: NameServer = 22.174.2.3,202.188.0.133
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    --
    End of file - 2952 bytes
     
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/975301