Hi,

I can't get malewarebytes to start. I tried installing nod32 also and that won't install. Something is keeping the programs from starting up. Ive tried renaming the mbam.exe to another name and that has not worked. I used that avira antivirus and it scanned and did not allow me to start up malewarebytes in safe mode. Spybot is allowed to start though, which is wierd. I scan and it finds some stuff and deletes it but does not seem to have any affect on me getting malewarebytes to work or nod32. I also can't go to websites for nod32 or malewarebytes...etc. Seems to be blocking sites like that. I believe I have had antivirus2009 installed but I deleted it I believe and spybot deleted it too I think. Ive run out of ideas so I am posting here. I am about ready to format but thought id give this a try first. Any help would be greatly appreciated. Thanks in advance.

Hi and Welcome to the Malwarebytes' forum.

Please state what operating system and service pack version you have installed (Example: XP SP3). Also, what is your default browser, and what version of Internet Explorer do you have installed (Example Internet Explorer 8).

Please download ATF Cleaner by Atribune

• Close Internet Explorer and any other open browsers
• Double-click ATF-Cleaner.exe to run the program.
• Under Main choose: Select All
• Click the Empty Selected button.

If you use Firefox browser

• Click Firefox at the top and choose: Select All
• Click the Empty Selected button.
• NOTE: If you would like to keep your saved passwords, please click
• No at the prompt.

If you use Opera browser

• Click Opera at the top and choose: Select All
• Click the Empty Selected button.
• NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Reboot

Next, download this Antirootkit Program to a folder that you create such as C:\ARK, by choosing the "Download EXE" button on the webpage.

Disable the active protection component of your antivirus by following the directions that apply here:
http://www.bleepingcomputer.com/forums/topic114351.html

Next, please perform a rootkit scan:

• Double-click the randomly name EXE located in the C:\ARK folder that you just downloaded to run the program.
• When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.
• After the automatic "quick" scan is finished (a few seconds), click the Rootkit/Malware tab,and then select the Scan button.
• Leave your system completely idle while this longer scan is in progress.
• When the scan is done, save the scan log to the Windows clipboard
• Open Notepad or a similar text editor
• Paste the clipboard contents into a text file by clicking Edit | Paste or Ctl V
• Exit the Program
• Save the Scan log as ARK.txt and post it in your next reply. If the log is very long attach it please.
• Re-enable your antivirus and any antimalware programs you disabled before running the scan

Note: If you have trouble completing a complete Rootkit/Malware scan with the ARK program then just copy/paste the "Quick scan" results into your reply. Often that alone provides enough information.


Please download Combofix from one of these locations:
HERE or HERE

I want you to rename Combofix.exe as you download it to a name of your choice such as fixit.exe

Notes:

• It is very important that save the newly renamed EXE file to your desktop.
• You must rename Combofixe.exe as you download it and not after it is on your computer.
  
  You may have to modify your browser settings if you use Firefox, so you can rename Combofix.exe as you download it. To do that:
• For Firefox
  • Open Firefox and click Tools -> Options -> Main
  • Under the downloads section check the button that says "Always ask me where to save files".
  • Click OK
• For Internet Explorer:
  • When downloading, choose to save, not open the file
  • When prompted - save the file to your desktop, and rename it anything with an .exe extension on the end.

Here is a tutorial that describes how to download, install and run Combofix more thoroughly. Please review it and follow the prompts to install Recovery Console if you have not done that already:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Very Important! Temporarily disable your antivirus and antimalware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix and even remove onboard components so it is rendered ineffective:
http://www.bleepingcomputer.com/forums/topic114351.html

Also, disable your firewall!
You can enable the Window firewall in the interim, until the scan is complete.

Note: The above tutorial does not tell you to rename Combofix as I have instructed you to do in the above instructions, so make sure you complete the renaming step before launching Combofix.

Running Combofix

In the event you already have Combofix, please delete it as this is a new version.

• Close any open browsers.
• Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

1. Double click on the renamed combofix.exe (fixit.exe) & follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt
3. Post the contents of that log in your next reply with a new hijackthis log.

Note: Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.

Re-eable all anti-virus and anti-malware programs.

Please post back ARK.txt and C:\Combofix.txt

Hi and thanks!

OS: XP Home SP3
IE7 and Firefox is the default browser


Here is ARK.txt


GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-06-25 05:38:52
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

Code 4b63c2aff10254dae185d1bbe7c1a4a5.sys (ckmd/Noves Inc)

ZwCreateKey [0xF8575C8E]
Code 4b63c2aff10254dae185d1bbe7c1a4a5.sys (ckmd/Noves Inc)

ZwEnumerateKey [0xF8575D13]
Code 4b63c2aff10254dae185d1bbe7c1a4a5.sys (ckmd/Noves Inc)

ZwOpenKey [0xF8575C10]
Code 4b63c2aff10254dae185d1bbe7c1a4a5.sys (ckmd/Noves Inc)

ZwQueryDirectoryFile

[0xF8575999]
Code 4b63c2aff10254dae185d1bbe7c1a4a5.sys (ckmd/Noves Inc)

IoCreateFile
Code 4b63c2aff10254dae185d1bbe7c1a4a5.sys (ckmd/Noves Inc)

NtQueryDirectoryFile

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntoskrnl.exe!ZwOpenKey

80568D59 3 Bytes JMP

F8575C14 4b63c2aff10254dae185d1bbe7c1a4a5.sys (ckmd/Noves Inc)
PAGE ntoskrnl.exe!ZwOpenKey + 4

80568D5D 1 Byte [78]
PAGE ntoskrnl.exe!IoCreateFile

8056CC6B 5 Bytes JMP

F8575872 4b63c2aff10254dae185d1bbe7c1a4a5.sys (ckmd/Noves Inc)
PAGE ntoskrnl.exe!ZwCreateKey

8057065D 3 Bytes JMP

F8575C92 4b63c2aff10254dae185d1bbe7c1a4a5.sys (ckmd/Noves Inc)
PAGE ntoskrnl.exe!ZwCreateKey + 4

80570661 1 Byte [78]
PAGE ntoskrnl.exe!ZwEnumerateKey

80570D64 7 Bytes JMP

F8575D17 4b63c2aff10254dae185d1bbe7c1a4a5.sys (ckmd/Noves Inc)
PAGE ntoskrnl.exe!NtQueryDirectoryFile

80572111 5 Bytes JMP

F857599D 4b63c2aff10254dae185d1bbe7c1a4a5.sys (ckmd/Noves Inc)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\AIM6\aim6.exe[1628] @

C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW]

[6BFA9DE1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL

Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[1628] @

C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter]

[6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL

Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[1628] @

C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryW]

[6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL

Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[1628] @

C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA]

[6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL

Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[1628] @ C:\WINDOWS\system32\RPCRT4.dll

[KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program

Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[1628] @ C:\WINDOWS\system32\RPCRT4.dll

[KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program

Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[1628] @ C:\WINDOWS\system32\RPCRT4.dll

[KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program

Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[1628] @ C:\WINDOWS\system32\Secur32.dll

[KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program

Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[1628] @ C:\WINDOWS\system32\Secur32.dll

[KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program

Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[1628] @ C:\WINDOWS\system32\Secur32.dll

[KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program

Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[1628] @ C:\WINDOWS\system32\MSVCRT.dll

[KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program

Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[1628] @ C:\WINDOWS\system32\MSVCRT.dll

[KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program

Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[1628] @ C:\WINDOWS\system32\USER32.dll

[KERNEL32.dll!LoadLibraryExW] [6BFA9DE1] C:\Program

Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[1628] @ C:\WINDOWS\system32\USER32.dll

[KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program

Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[1628] @ C:\WINDOWS\system32\USER32.dll

[KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program

Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[1628] @ C:\WINDOWS\system32\USER32.dll

[KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program

Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[1628] @ C:\WINDOWS\system32\GDI32.dll

[KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program

Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[1628] @ C:\WINDOWS\system32\GDI32.dll

[KERNEL32.dll!LoadLibraryExW] [6BFA9DE1] C:\Program

Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[1628] @ C:\WINDOWS\system32\GDI32.dll

[KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program

Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[1628] @ C:\WINDOWS\system32\GDI32.dll

[KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program

Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[1628] @ C:\WINDOWS\system32\ole32.dll

[KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program

Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[1628] @ C:\WINDOWS\system32\ole32.dll

[KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program

Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[1628] @ C:\WINDOWS\system32\ole32.dll

[KERNEL32.dll!LoadLibraryExW] [6BFA9DE1] C:\Program

Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[1628] @ C:\WINDOWS\system32\ole32.dll

[KERNEL32.dll!LoadLibraryExA] [6BFA9D54] C:\Program

Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[1628] @ C:\WINDOWS\system32\ole32.dll

[KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program

Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[1628] @ C:\WINDOWS\system32\SHLWAPI.dll

[KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9E6E] C:\Program

Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[1628] @ C:\WINDOWS\system32\SHLWAPI.dll

[KERNEL32.dll!LoadLibraryExA] [6BFA9D54] C:\Program

Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[1628] @ C:\WINDOWS\system32\SHLWAPI.dll

[KERNEL32.dll!LoadLibraryExW] [6BFA9DE1] C:\Program

Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[1628] @ C:\WINDOWS\system32\SHLWAPI.dll

[KERNEL32.dll!LoadLibraryW] [6BFA9CCD] C:\Program

Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aim6.exe[1628] @ C:\WINDOWS\system32\SHLWAPI.dll

[KERNEL32.dll!LoadLibraryA] [6BFA9C46] C:\Program

Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[1972] @

C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW]

[6BFA9DE1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL

Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[1972] @

C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter]

[6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL

Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[1972] @

C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryW]

[6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL

Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[1972] @

C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA]

[6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL

Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[1972] @

C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA]

[6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL

Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[1972] @

C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW]

[6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL

Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[1972] @

C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!SetUnhandledExceptionFilter]

[6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL

Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[1972] @

C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!SetUnhandledExceptionFilter]

[6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL

Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[1972] @

C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA]

[6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL

Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[1972] @

C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryW]

[6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL

Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[1972] @

C:\WINDOWS\system32\MSVCRT.dll [KERNEL32.dll!SetUnhandledExceptionFilter]

[6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL

Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[1972] @

C:\WINDOWS\system32\MSVCRT.dll [KERNEL32.dll!LoadLibraryA]

[6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL

Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[1972] @

C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW]

[6BFA9DE1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL

Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[1972] @

C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA]

[6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL

Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[1972] @

C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!SetUnhandledExceptionFilter]

[6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL

Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[1972] @

C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW]

[6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL

Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[1972] @

C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter]

[6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL

Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[1972] @

C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW]

[6BFA9DE1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL

Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[1972] @

C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA]

[6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL

Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[1972] @

C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW]

[6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL

Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[1972] @

C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA]

[6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL

Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[1972] @

C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryW]

[6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL

Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[1972] @

C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW]

[6BFA9DE1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL

Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[1972] @

C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExA]

[6BFA9D54] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL

Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[1972] @

C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!SetUnhandledExceptionFilter]

[6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL

Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[1972] @

C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!SetUnhandledExceptionFilter]

[6BFA9E6E] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL

Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[1972] @

C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA]

[6BFA9D54] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL

Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[1972] @

C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW]

[6BFA9DE1] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL

Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[1972] @

C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW]

[6BFA9CCD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL

Diagnostics/AOL LLC)
IAT C:\Program Files\AIM6\aolsoftware.exe[1972] @

C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA]

[6BFA9C46] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL

Diagnostics/AOL LLC)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\099f7efc868878f48d536500a0e0000d.sys (*** hidden

*** ) [BOOT]

099f7efc868878f48d536500a0e0000d











<-- ROOTKIT !!!
Service C:\WINDOWS\system32\4b63c2aff10254dae185d1bbe7c1a4a5.sys (*** hidden

*** ) [BOOT]

4b63c2aff10254dae185d1bbe7c1a4a5











<-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg

HKLM\SYSTEM\CurrentControlSet\Services\099f7efc868878f48d536500a0e0000d


Reg

HKLM\SYSTEM\CurrentControlSet\Services\099f7efc868878f48d536500a0e0000d@c



&registry_path=\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\099f7efc868878f4

8d536500a0e0000d&download_period=846000&first_download_delay=180&version=2&ip_0

=586742989&port_0=7000&max_fails_0=5&ip_1=704183501&port_1=8300&max_fails_1=5&i

p_2=2241985741&port_2=9002&max_fails_2=2&ip_3=1512966353&port_3=11234&max_fails

_3=2&ips_count=4&name=099f7efc868878f48d536500a0e0000d&path=system32\099f7efc86

8878f48d536500a0e0000d.sys&wmid=Dnr001&idate=2009-02-21

12:18:44:953&last_download_time=2009-6-20

16:23:18.0&first_skip=1&last_update_ip_pos=0&fails_0=3
Reg

HKLM\SYSTEM\CurrentControlSet\Services\099f7efc868878f48d536500a0e0000d@Type

1
Reg

HKLM\SYSTEM\CurrentControlSet\Services\099f7efc868878f48d536500a0e0000d@Start

0
Reg

HKLM\SYSTEM\CurrentControlSet\Services\099f7efc868878f48d536500a0e0000d@ErrorCo

ntrol 0
Reg

HKLM\SYSTEM\CurrentControlSet\Services\099f7efc868878f48d536500a0e0000d@Tag

7
Reg

HKLM\SYSTEM\CurrentControlSet\Services\099f7efc868878f48d536500a0e0000d@ImagePa

th

system32\099f7efc868878f48d536500a0e0000d.sys
Reg

HKLM\SYSTEM\CurrentControlSet\Services\099f7efc868878f48d536500a0e0000d@Display

Name 099f7efc868878f48d536500a0e0000d
Reg

HKLM\SYSTEM\CurrentControlSet\Services\099f7efc868878f48d536500a0e0000d@Group

System Bus Extender
Reg

HKLM\SYSTEM\CurrentControlSet\Services\099f7efc868878f48d536500a0e0000d\Securit

y
Reg

HKLM\SYSTEM\CurrentControlSet\Services\099f7efc868878f48d536500a0e0000d\Securit

y@Security 0x01 0x00 0x14 0x80 ...
Reg

HKLM\SYSTEM\CurrentControlSet\Services\4b63c2aff10254dae185d1bbe7c1a4a5


Reg

HKLM\SYSTEM\CurrentControlSet\Services\4b63c2aff10254dae185d1bbe7c1a4a5@c



&registry_path=\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\4b63c2aff10254da

e185d1bbe7c1a4a5&download_period=846000&first_download_delay=180&version=2&ip_0

=586742989&port_0=7000&max_fails_0=5&ip_1=704183501&port_1=8300&max_fails_1=5&i

p_2=2241985741&port_2=9002&max_fails_2=2&ip_3=1512966353&port_3=11234&max_fails

_3=2&ips_count=4&name=4b63c2aff10254dae185d1bbe7c1a4a5&path=system32\4b63c2aff1

0254dae185d1bbe7c1a4a5.sys&wmid=Dep005&idate=2009-02-08

21:49:13:454&last_download_time=2009-6-20

16:23:18.15&first_skip=1&last_update_ip_pos=0&fails_0=2
Reg

HKLM\SYSTEM\CurrentControlSet\Services\4b63c2aff10254dae185d1bbe7c1a4a5@Type

1
Reg

HKLM\SYSTEM\CurrentControlSet\Services\4b63c2aff10254dae185d1bbe7c1a4a5@Start

0
Reg

HKLM\SYSTEM\CurrentControlSet\Services\4b63c2aff10254dae185d1bbe7c1a4a5@ErrorCo

ntrol 0
Reg

HKLM\SYSTEM\CurrentControlSet\Services\4b63c2aff10254dae185d1bbe7c1a4a5@Tag

6
Reg

HKLM\SYSTEM\CurrentControlSet\Services\4b63c2aff10254dae185d1bbe7c1a4a5@ImagePa

th

system32\4b63c2aff10254dae185d1bbe7c1a4a5.sys
Reg

HKLM\SYSTEM\CurrentControlSet\Services\4b63c2aff10254dae185d1bbe7c1a4a5@Display

Name 4b63c2aff10254dae185d1bbe7c1a4a5
Reg

HKLM\SYSTEM\CurrentControlSet\Services\4b63c2aff10254dae185d1bbe7c1a4a5@Group

System Bus Extender
Reg

HKLM\SYSTEM\CurrentControlSet\Services\4b63c2aff10254dae185d1bbe7c1a4a5\Securit

y
Reg

HKLM\SYSTEM\CurrentControlSet\Services\4b63c2aff10254dae185d1bbe7c1a4a5\Securit

y@Security 0x01 0x00 0x14 0x80 ...
Reg HKLM\SYSTEM\ControlSet002\Services\099f7efc868878f48d536500a0e0000d


Reg HKLM\SYSTEM\ControlSet002\Services\099f7efc868878f48d536500a0e0000d@c



&registry_path=\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\099f7efc868878f4

8d536500a0e0000d&download_period=846000&first_download_delay=180&version=2&ip_0

=586742989&port_0=7000&max_fails_0=5&ip_1=704183501&port_1=8300&max_fails_1=5&i

p_2=2241985741&port_2=9002&max_fails_2=2&ip_3=1512966353&port_3=11234&max_fails

_3=2&ips_count=4&name=099f7efc868878f48d536500a0e0000d&path=system32\099f7efc86

8878f48d536500a0e0000d.sys&wmid=Dnr001&idate=2009-02-21

12:18:44:953&last_download_time=2009-6-20

16:23:18.0&first_skip=1&last_update_ip_pos=0&fails_0=3
Reg

HKLM\SYSTEM\ControlSet002\Services\099f7efc868878f48d536500a0e0000d@Type

1
Reg

HKLM\SYSTEM\ControlSet002\Services\099f7efc868878f48d536500a0e0000d@Start

0
Reg

HKLM\SYSTEM\ControlSet002\Services\099f7efc868878f48d536500a0e0000d@ErrorContro

l 0
Reg

HKLM\SYSTEM\ControlSet002\Services\099f7efc868878f48d536500a0e0000d@Tag

7
Reg

HKLM\SYSTEM\ControlSet002\Services\099f7efc868878f48d536500a0e0000d@ImagePath



system32\099f7efc868878f48d536500a0e0000d.sys
Reg

HKLM\SYSTEM\ControlSet002\Services\099f7efc868878f48d536500a0e0000d@DisplayName

099f7efc868878f48d536500a0e0000d
Reg

HKLM\SYSTEM\ControlSet002\Services\099f7efc868878f48d536500a0e0000d@Group

System Bus Extender
Reg

HKLM\SYSTEM\ControlSet002\Services\099f7efc868878f48d536500a0e0000d\Security


Reg

HKLM\SYSTEM\ControlSet002\Services\099f7efc868878f48d536500a0e0000d\Security@Se

curity 0x01 0x00 0x14 0x80 ...
Reg HKLM\SYSTEM\ControlSet002\Services\4b63c2aff10254dae185d1bbe7c1a4a5


Reg HKLM\SYSTEM\ControlSet002\Services\4b63c2aff10254dae185d1bbe7c1a4a5@c



&registry_path=\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\4b63c2aff10254da

e185d1bbe7c1a4a5&download_period=846000&first_download_delay=180&version=2&ip_0

=586742989&port_0=7000&max_fails_0=5&ip_1=704183501&port_1=8300&max_fails_1=5&i

p_2=2241985741&port_2=9002&max_fails_2=2&ip_3=1512966353&port_3=11234&max_fails

_3=2&ips_count=4&name=4b63c2aff10254dae185d1bbe7c1a4a5&path=system32\4b63c2aff1

0254dae185d1bbe7c1a4a5.sys&wmid=Dep005&idate=2009-02-08

21:49:13:454&last_download_time=2009-6-20

16:23:18.15&first_skip=1&last_update_ip_pos=0&fails_0=2
Reg

HKLM\SYSTEM\ControlSet002\Services\4b63c2aff10254dae185d1bbe7c1a4a5@Type

1
Reg

HKLM\SYSTEM\ControlSet002\Services\4b63c2aff10254dae185d1bbe7c1a4a5@Start

0
Reg

HKLM\SYSTEM\ControlSet002\Services\4b63c2aff10254dae185d1bbe7c1a4a5@ErrorContro

l 0
Reg

HKLM\SYSTEM\ControlSet002\Services\4b63c2aff10254dae185d1bbe7c1a4a5@Tag

6
Reg

HKLM\SYSTEM\ControlSet002\Services\4b63c2aff10254dae185d1bbe7c1a4a5@ImagePath



system32\4b63c2aff10254dae185d1bbe7c1a4a5.sys
Reg

HKLM\SYSTEM\ControlSet002\Services\4b63c2aff10254dae185d1bbe7c1a4a5@DisplayName

4b63c2aff10254dae185d1bbe7c1a4a5
Reg

HKLM\SYSTEM\ControlSet002\Services\4b63c2aff10254dae185d1bbe7c1a4a5@Group

System Bus Extender
Reg

HKLM\SYSTEM\ControlSet002\Services\4b63c2aff10254dae185d1bbe7c1a4a5\Security


Reg

HKLM\SYSTEM\ControlSet002\Services\4b63c2aff10254dae185d1bbe7c1a4a5\Security@Se

curity 0x01 0x00 0x14 0x80 ...

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\099f7efc868878f48d536500a0e0000d.sys

39936 bytes executable













<-- ROOTKIT !!!
File C:\WINDOWS\system32\4b63c2aff10254dae185d1bbe7c1a4a5.sys

39936 bytes executable













<-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----



===============================================================================

Here is the combofix


ComboFix 09-06-24.04 - KP 06/25/2009 5:45.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.261 [GMT -4:00]
Running from: c:\documents and settings\KP\Desktop\fixfix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\becfdefafbfbcebf.dll
c:\windows\system32\caeabaafbabae.dll
c:\windows\system32\fadbefdadd.dll
c:\windows\reged.exe
c:\windows\sys.com
c:\windows\system32\kdpini.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MYWEBSEARCHSERVICE


((((((((((((((((((((((((( Files Created from 2009-05-25 to 2009-06-25 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-25 00:25 . 2009-02-12 22:17 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-25 00:23 . 2009-02-12 22:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-07 03:46 . 2009-06-07 03:46 312847 ------w- c:\windows\system32\c545a1b00e143396eb1753fe738c832d.TMP
2009-06-06 23:19 . 2009-05-18 16:14 205840 ----a-w- c:\windows\system32\kusers.dll
2009-06-04 16:36 . 2009-02-12 22:17 -------- d-----w- c:\program files\SpywareBlaster
2009-05-11 20:34 . 2009-05-11 20:33 -------- d-----w- c:\program files\EsetOnlineScanner
2009-05-07 15:32 . 2001-08-23 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2001-08-23 12:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 12:26 . 2001-08-23 12:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2008-11-09 00:27 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-17 09:14 . 2009-04-05 17:42 66576 ----a-w- c:\program files\mozilla firefox\components\fadbefdadd.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-21 50472]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingD7526"="del" [X]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2004-08-20 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2004-08-20 118784]
"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-07 57344]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Ares\\Ares.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [12/3/2008 10:33 PM 24652]
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

BHO-{F70F6880-3A4B-11DE-8230-0B7C55D89593} - (no file)
HKCU-Run-DriverCure - c:\program files\ParetoLogic\DriverCure\DriverCure.exe
HKLM-Run-systemguard - c:\program files\System Guard 2009\systemguard.exe
Notify-caeabaafbabae - (no file)


.
------- Supplementary Scan -------
.
uLocal Page = \blank.htm
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: &Search - ?p=ZKxdm021QUUS
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-25 05:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\099f7efc868878f48d536500a0e0000d.sys 39936 bytes executable
c:\windows\system32\_099f7efc868878f48d536500a0e0000d.sys_.vir 39936 bytes executable
c:\windows\system32\_4b63c2aff10254dae185d1bbe7c1a4a5.sys_.vir 39936 bytes executable
c:\windows\system32\4b63c2aff10254dae185d1bbe7c1a4a5.sys 39936 bytes executable

scan completed successfully
hidden files: 4

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\099f7efc868878f48d536500a0e0000d]
"ImagePath"="system32\099f7efc868878f48d536500a0e0000d.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\4b63c2aff10254dae185d1bbe7c1a4a5]
"ImagePath"="system32\4b63c2aff10254dae185d1bbe7c1a4a5.sys"
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\wscntfy.exe
c:\program files\AIM6\aolsoftware.exe
.
**************************************************************************
.
Completion time: 2009-06-25 5:54 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-25 09:54

Pre-Run: 74,055,819,264 bytes free
Post-Run: 73,980,219,392 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

117 --- E O F --- 2009-06-25 09:10

• Open a command prompt by doing the following:
  • Click Start -> run
  • type cmd
  • Hit Enter
• Copy and paste the following onto the command line:
  REG QUERY HKLM\SYSTEM\select > C:\CCS.txt && notepad C:\CCS.txt
• Then hit Enter
• Post back the log that opens C:\CCS.txt

We have some more files, folders and registry entries to clean up that we will manually specify for deletion by using a Combofix script.

It is important that you follow the next set of instructions precisely.

Open Notepad by hitting Start -> run, typing notepad into the Open: box, and then clicking OK.
On the Notepad menu, choose "Format" and make sure that Word Wrap is unchecked (disabled).
Copy/paste the text in the code box below into Notepad.



Save this to your desktop as CFScript.txt by selecting File -> Save as.



Very Important: Disable ALL security program active protection components at this time including any and all antispyware and antivirus monitor/guards you have running!! Make sure Teatimer is disabled and do NOT turn it back on until we're finished!

Also, disable any task(s)scheduled to run automatically upon reboot, such as chkdsk or any scanners. Then re-enable after you get the new Combofix report.

Referring to the picture above, drag CFScript.txt into your renamed ComboFix.exe (fixfix.exe)

This will cause ComboFix to run again.

Please post back the log that is opens when it finishes.

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\select
Current REG_DWORD 0x1
Default REG_DWORD 0x1
Failed REG_DWORD 0x0
LastKnownGood REG_DWORD 0x2







ComboFix 09-06-24.04 - KP 06/25/2009 14:27.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.308 [GMT -4:00]
Running from: c:\documents and settings\KP\Desktop\fixfix.exe
Command switches used :: c:\documents and settings\KP\Desktop\CFScript.txt
.

((((((((((((((((((((((((( Files Created from 2009-05-25 to 2009-06-25 )))))))))))))))))))))))))))))))
.

2009-06-25 09:53 . 2009-06-25 09:53 -------- dc----w- c:\windows\system32\dllcache\cache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-25 00:25 . 2009-02-12 22:17 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-25 00:23 . 2009-02-12 22:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-07 03:46 . 2009-06-07 03:46 312847 ------w- c:\windows\system32\c545a1b00e143396eb1753fe738c832d.TMP
2009-06-06 23:19 . 2009-05-18 16:14 205840 ----a-w- c:\windows\system32\kusers.dll
2009-06-04 16:36 . 2009-02-12 22:17 -------- d-----w- c:\program files\SpywareBlaster
2009-05-11 20:34 . 2009-05-11 20:33 -------- d-----w- c:\program files\EsetOnlineScanner
2009-05-07 15:32 . 2001-08-23 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2001-08-23 12:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 12:26 . 2001-08-23 12:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2008-11-09 00:27 585216 ----a-w- c:\windows\system32\rpcrt4.dll
.

------- Sigcheck -------

[7] 2004-08-04 07:56 14336 8F078AE4ED187AAABC0A305146DE6716 c:\windows\$NtServicePackUninstall$\svchost.exe
[7] 2008-04-14 00:12 14336 27C6D03BCDB8CFEB96B716F3D8BE3E18 c:\windows\ServicePackFiles\i386\svchost.exe
[7] 2008-04-14 00:12 14336 27C6D03BCDB8CFEB96B716F3D8BE3E18 c:\windows\system32\svchost.exe
[7] 2008-04-14 00:12 14336 27C6D03BCDB8CFEB96B716F3D8BE3E18 c:\windows\system32\dllcache\cache\svchost.exe

[-] 2004-06-17 17:58 560128 31FB2D788A9AA618452C02E8375B6DCD c:\windows\$hf_mig$\KB840987\SP1QFE\user32.dll
[7] 2004-08-04 07:56 577024 C72661F8552ACE7C5C85E16A3CF505C4 c:\windows\$NtServicePackUninstall$\user32.dll
[-] 2001-08-23 12:00 561152 BE57A5C3ABD240514B98F6BCA872FB21 c:\windows\$NtUninstallKB840987$\user32.dll
[7] 2008-04-14 00:12 578560 B26B135FF1B9F60C9388B4A7D16F600B c:\windows\ServicePackFiles\i386\user32.dll
[7] 2008-04-14 00:12 578560 B26B135FF1B9F60C9388B4A7D16F600B c:\windows\system32\user32.dll
[7] 2008-04-14 00:12 578560 B26B135FF1B9F60C9388B4A7D16F600B c:\windows\system32\dllcache\cache\user32.dll

[7] 2004-08-04 07:56 82944 2ED0B7F12A60F90092081C50FA0EC2B2 c:\windows\$NtServicePackUninstall$\ws2_32.dll
[7] 2008-04-14 00:12 82432 2CCC474EB85CEAA3E1FA1726580A3E5A c:\windows\ServicePackFiles\i386\ws2_32.dll
[7] 2008-04-14 00:12 82432 2CCC474EB85CEAA3E1FA1726580A3E5A c:\windows\system32\ws2_32.dll
[7] 2008-04-14 00:12 82432 2CCC474EB85CEAA3E1FA1726580A3E5A c:\windows\system32\dllcache\cache\ws2_32.dll

[7] 2008-08-20 05:33 667648 C91E3A6EF094202F6B5CA8960DFCF243 c:\windows\$hf_mig$\KB956390\SP2QFE\wininet.dll
[7] 2008-08-20 05:30 666112 9AF5F25124FBDC36E2B510729CBA2674 c:\windows\$hf_mig$\KB956390\SP3GDR\wininet.dll
[7] 2008-08-20 04:58 666624 94418F53D2612C26DBADC04DAFBC197C c:\windows\$hf_mig$\KB956390\SP3QFE\wininet.dll
[7] 2008-08-26 09:08 827904 77C192FE56A70D7FA0247BA0A6201C32 c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\wininet.dll
[7] 2008-10-16 10:20 667648 93C9D0A216498EE14EB9B26119BB95EE c:\windows\$hf_mig$\KB958215\SP2QFE\wininet.dll
[7] 2008-10-16 01:00 666112 1576318BF08D28CC61D1278114AD8D5B c:\windows\$hf_mig$\KB958215\SP3GDR\wininet.dll
[7] 2008-10-16 01:04 667136 E8FCE58A470999350F64C591557F9E42 c:\windows\$hf_mig$\KB958215\SP3QFE\wininet.dll
[7] 2008-10-16 20:24 827904 0D5B75171FF51775B630A431B6C667E8 c:\windows\$hf_mig$\KB958215-IE7\SP2QFE\wininet.dll
[7] 2008-12-20 23:56 827904 044E0A4E9FE97C0FB9AFE9C89E2A82E6 c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\wininet.dll
[7] 2009-03-03 00:17 828416 C8667854873938CA13C986F16B0CD183 c:\windows\$hf_mig$\KB963027-IE7\SP3QFE\wininet.dll
[7] 2009-04-29 04:49 828928 62CCA075F44015147B8971DAFFBCFF76 c:\windows\$hf_mig$\KB969897-IE7\SP3QFE\wininet.dll
[7] 2004-08-04 07:56 656384 C0823FC5469663BA63E7DB88F9919D70 c:\windows\$NtServicePackUninstall$\wininet.dll
[7] 2004-08-04 07:56 656384 C0823FC5469663BA63E7DB88F9919D70 c:\windows\$NtUninstallKB956390$\wininet.dll
[7] 2008-08-20 05:38 659456 87E694D09893978F22024FEEEDF35342 c:\windows\$NtUninstallKB958215$\wininet.dll
[-] 2001-08-23 12:00 593920 CF9F1EEF71F42EDE71B6F4AA05D5CA1A c:\windows\$NtUninstallQ309521$\wininet.dll
[7] 2008-10-16 10:37 659456 6F1E4BFD78C4E0D05FF3725D59B72925 c:\windows\ie7\wininet.dll
[7] 2007-08-13 23:54 818688 A4A0FC92358F39538A6494C42EF99FE9 c:\windows\ie7updates\KB956390-IE7\wininet.dll
[7] 2008-08-26 07:24 826368 EF8EBA98145BFA44E80D17A3B3453300 c:\windows\ie7updates\KB958215-IE7\wininet.dll
[7] 2008-10-16 20:38 826368 6741EAF7B7F110E803A6E38F6E5FA6B0 c:\windows\ie7updates\KB961260-IE7\wininet.dll
[7] 2008-12-20 23:15 826368 A82935D32D0672E8FF4E91AE398E901C c:\windows\ie7updates\KB963027-IE7\wininet.dll
[7] 2009-03-03 00:18 826368 28775945CCD53DEE280EF58DEA1A94C4 c:\windows\ie7updates\KB969897-IE7\wininet.dll
[7] 2008-04-14 00:12 666112 7A4F775ABB2F1C97DEF3E73AFA2FAEDD c:\windows\ServicePackFiles\i386\wininet.dll
[7] 2008-08-26 07:24 826368 EF8EBA98145BFA44E80D17A3B3453300 c:\windows\SoftwareDistribution\Download\5d9d48823dca01f9929a959c29f5edc4\SP2GDR\wininet.dll
[7] 2008-08-26 09:08 827904 77C192FE56A70D7FA0247BA0A6201C32 c:\windows\SoftwareDistribution\Download\5d9d48823dca01f9929a959c29f5edc4\SP2QFE\wininet.dll
[7] 2009-04-29 04:56 827392 8E2D471157B0DF329D8D0EA5D83B0DDB c:\windows\SoftwareDistribution\Download\82c738ec00f0f07f8ea182bc95439593\sp3gdr\wininet.dll
[7] 2009-04-29 04:49 828928 62CCA075F44015147B8971DAFFBCFF76 c:\windows\SoftwareDistribution\Download\82c738ec00f0f07f8ea182bc95439593\sp3qfe\wininet.dll
[7] 2008-10-16 20:38 826368 6741EAF7B7F110E803A6E38F6E5FA6B0 c:\windows\SoftwareDistribution\Download\c74979a750f473b6d9d8ef0bba9b356c\SP2GDR\wininet.dll
[7] 2008-10-16 20:24 827904 0D5B75171FF51775B630A431B6C667E8 c:\windows\SoftwareDistribution\Download\c74979a750f473b6d9d8ef0bba9b356c\SP2QFE\wininet.dll
[7] 2009-04-29 04:56 827392 8E2D471157B0DF329D8D0EA5D83B0DDB c:\windows\system32\wininet.dll
[7] 2009-04-29 04:56 827392 8E2D471157B0DF329D8D0EA5D83B0DDB c:\windows\system32\dllcache\wininet.dll
[7] 2009-04-29 04:56 827392 8E2D471157B0DF329D8D0EA5D83B0DDB c:\windows\system32\dllcache\cache\wininet.dll

[7] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2004-08-04 06:14 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\$NtUninstallKB951748$\tcpip.sys
[7] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\ServicePackFiles\i386\tcpip.sys
[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\system32\dllcache\tcpip.sys
[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\system32\dllcache\cache\tcpip.sys
[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\system32\drivers\tcpip.sys

[-] 2004-05-27 01:38 483328 E7F9D2E4E4A94A6F58014E5FFA16A65E c:\windows\$hf_mig$\KB840987\SP1QFE\winlogon.exe
[-] 2004-05-27 01:38 483328 E7F9D2E4E4A94A6F58014E5FFA16A65E c:\windows\$hf_mig$\KB841533\SP1QFE\winlogon.exe
[7] 2004-08-04 07:56 502272 01C3346C241652F43AED8E2149881BFE c:\windows\$NtServicePackUninstall$\winlogon.exe
[-] 2001-08-23 12:00 430080 2B0E480E975EE51F2D5CE5F068FED6E2 c:\windows\$NtUninstallKB841533$\winlogon.exe
[7] 2008-04-14 00:12 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\ServicePackFiles\i386\winlogon.exe
[7] 2008-04-14 00:12 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\system32\winlogon.exe
[7] 2008-04-14 00:12 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\system32\dllcache\cache\winlogon.exe

[7] 2004-08-04 06:14 182912 558635D3AF1C7546D26067D5D9B6959E c:\windows\$NtServicePackUninstall$\ndis.sys
[7] 2008-04-13 19:20 182656 1DF7F42665C94B825322FAE71721130D c:\windows\ServicePackFiles\i386\ndis.sys
[7] 2008-04-13 19:20 182656 1DF7F42665C94B825322FAE71721130D c:\windows\system32\dllcache\cache\ndis.sys
[7] 2008-04-13 19:20 182656 1DF7F42665C94B825322FAE71721130D c:\windows\system32\drivers\ndis.sys

[7] 2004-08-04 06:00 29056 4448006B6BC60E6C027932CFC38D6855 c:\windows\$NtServicePackUninstall$\ip6fw.sys
[7] 2008-04-13 18:53 36608 3BB22519A194418D5FEC05D800A19AD0 c:\windows\ServicePackFiles\i386\ip6fw.sys
[7] 2008-04-13 18:53 36608 3BB22519A194418D5FEC05D800A19AD0 c:\windows\system32\dllcache\cache\ip6fw.sys
[7] 2008-04-13 18:53 36608 3BB22519A194418D5FEC05D800A19AD0 c:\windows\system32\drivers\ip6fw.sys

[-] 2004-06-17 08:03 1954688 ED0D7A5F1138CCFD3ECAF8F6AC691F13 c:\windows\$hf_mig$\KB840987\SP1QFE\ntkrnlpa.exe
[7] 2009-02-06 10:30 2066176 607352B9CB3D708C67F6039097801B5A c:\windows\$hf_mig$\KB956572\SP3QFE\ntkrnlpa.exe
[7] 2008-08-14 09:18 2062976 63EC865DFF6CCFC7BEF94B5C50297CAD c:\windows\$hf_mig$\KB956841\SP2QFE\ntkrnlpa.exe
[7] 2008-08-14 09:33 2066048 4AC58F03EB94A72809949D757FC39D80 c:\windows\$hf_mig$\KB956841\SP3GDR\ntkrnlpa.exe
[7] 2008-08-14 20:39 2066048 A25E9B86EFFB2AF33BF51E676B68BFB0 c:\windows\$hf_mig$\KB956841\SP3QFE\ntkrnlpa.exe
[7] 2008-08-14 09:22 2057728 BA002228743B6824D87F0551DBC86D45 c:\windows\$NtServicePackUninstall$\ntkrnlpa.exe
[7] 2002-02-25 20:33 1897856 01FD1F7C82B263F1667A1CEA095756C5 c:\windows\$NtUninstallKB840987$\ntkrnlpa.exe
[7] 2008-08-14 09:33 2066048 4AC58F03EB94A72809949D757FC39D80 c:\windows\$NtUninstallKB956572$\ntkrnlpa.exe
[7] 2008-04-13 18:31 2065792 109F8E3E3C82E337BB71B6BC9B895D61 c:\windows\$NtUninstallKB956841$\ntkrnlpa.exe
[7] 2004-08-04 05:58 2056832 947FB1D86D14AFCFFDB54BF837EC25D0 c:\windows\$NtUninstallKB956841_0$\ntkrnlpa.exe
[-] 2001-08-23 12:00 1896704 46E2E3DCF54B819CFB2EBFE48A22B5C9 c:\windows\$NtUninstallQ317277$\ntkrnlpa.exe
[7] 2009-02-07 23:02 2066048 5BA7F2141BC6DB06100D0E5A732C617A c:\windows\Driver Cache\i386\ntkrnlpa.exe
[7] 2008-04-13 18:31 2065792 109F8E3E3C82E337BB71B6BC9B895D61 c:\windows\ServicePackFiles\i386\ntkrnlpa.exe
[7] 2009-02-07 23:02 2066048 5BA7F2141BC6DB06100D0E5A732C617A c:\windows\system32\ntkrnlpa.exe
[7] 2009-02-07 23:02 2066048 5BA7F2141BC6DB06100D0E5A732C617A c:\windows\system32\dllcache\ntkrnlpa.exe
[7] 2009-02-07 23:02 2066048 5BA7F2141BC6DB06100D0E5A732C617A c:\windows\system32\dllcache\cache\ntkrnlpa.exe

[-] 2004-06-17 17:22 2051584 F240DC474F8EDB2D95514D831DF069E5 c:\windows\$hf_mig$\KB840987\SP1QFE\ntoskrnl.exe
[7] 2009-02-07 23:35 2189184 EFE8EACE83EAAD5849A7A548FB75B584 c:\windows\$hf_mig$\KB956572\SP3QFE\ntoskrnl.exe
[7] 2008-08-14 09:57 2185984 CE69DBD54221F2D40E49FF6DB77C6507 c:\windows\$hf_mig$\KB956841\SP2QFE\ntoskrnl.exe
[7] 2008-08-14 10:11 2189184 EEAF32F8E15A24F62BECB1BD403BB5C5 c:\windows\$hf_mig$\KB956841\SP3GDR\ntoskrnl.exe
[7] 2008-08-14 21:11 2189184 31914172342BFF330063F343AC6958FE c:\windows\$hf_mig$\KB956841\SP3QFE\ntoskrnl.exe
[7] 2008-08-14 10:00 2180352 21C91DA9CB53AA8A37041BA9684A8458 c:\windows\$NtServicePackUninstall$\ntoskrnl.exe
[7] 2002-02-25 20:33 1875584 257AAFD1F77990355BB6E83650D52680 c:\windows\$NtUninstallKB840987$\ntoskrnl.exe
[7] 2008-08-14 10:11 2189184 EEAF32F8E15A24F62BECB1BD403BB5C5 c:\windows\$NtUninstallKB956572$\ntoskrnl.exe
[7] 2008-04-13 19:27 2188928 0C89243C7C3EE199B96FCC16990E0679 c:\windows\$NtUninstallKB956841$\ntoskrnl.exe
[7] 2004-08-04 06:19 2180992 CE218BC7088681FAA06633E218596CA7 c:\windows\$NtUninstallKB956841_0$\ntoskrnl.exe
[-] 2001-08-23 12:00 1982208 A29222D5281056E497408FCC9062F749 c:\windows\$NtUninstallQ317277$\ntoskrnl.exe
[7] 2009-02-06 11:08 2189056 7A95B10A73737EBF24139AAA63F5212B c:\windows\Driver Cache\i386\ntoskrnl.exe
[7] 2008-04-13 19:27 2188928 0C89243C7C3EE199B96FCC16990E0679 c:\windows\ServicePackFiles\i386\ntoskrnl.exe
[7] 2009-02-06 11:08 2189056 7A95B10A73737EBF24139AAA63F5212B c:\windows\system32\ntoskrnl.exe
[7] 2009-02-06 11:08 2189056 7A95B10A73737EBF24139AAA63F5212B c:\windows\system32\dllcache\ntoskrnl.exe
[7] 2009-02-06 11:08 2189056 7A95B10A73737EBF24139AAA63F5212B c:\windows\system32\dllcache\cache\ntoskrnl.exe

[7] 2008-04-14 00:12 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\explorer.exe
[7] 2004-08-04 07:56 1032192 A0732187050030AE399B241436565E64 c:\windows\$NtServicePackUninstall$\explorer.exe
[7] 2008-04-14 00:12 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\ServicePackFiles\i386\explorer.exe
[7] 2008-04-14 00:12 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\system32\dllcache\cache\explorer.exe

[7] 2009-02-06 11:06 110592 020CEAAEDC8EB655B6506B8C70D53BB6 c:\windows\$hf_mig$\KB956572\SP3QFE\services.exe
[7] 2004-08-04 07:56 108032 C6CE6EEC82F187615D1002BB3BB50ED4 c:\windows\$NtServicePackUninstall$\services.exe
[7] 2008-04-14 00:12 108544 0E776ED5F7CC9F94299E70461B7B8185 c:\windows\$NtUninstallKB956572$\services.exe
[7] 2008-04-14 00:12 108544 0E776ED5F7CC9F94299E70461B7B8185 c:\windows\ServicePackFiles\i386\services.exe
[7] 2009-02-06 11:11 110592 65DF52F5B8B6E9BBD183505225C37315 c:\windows\system32\services.exe
[7] 2009-02-06 11:11 110592 65DF52F5B8B6E9BBD183505225C37315 c:\windows\system32\dllcache\services.exe
[7] 2009-02-06 11:11 110592 65DF52F5B8B6E9BBD183505225C37315 c:\windows\system32\dllcache\cache\services.exe

[7] 2004-08-04 07:56 13312 84885F9B82F4D55C6146EBF6065D75D2 c:\windows\$NtServicePackUninstall$\lsass.exe
[7] 2008-04-14 00:12 13312 BF2466B3E18E970D8A976FB95FC1CA85 c:\windows\ServicePackFiles\i386\lsass.exe
[7] 2008-04-14 00:12 13312 BF2466B3E18E970D8A976FB95FC1CA85 c:\windows\system32\lsass.exe
[7] 2008-04-14 00:12 13312 BF2466B3E18E970D8A976FB95FC1CA85 c:\windows\system32\dllcache\cache\lsass.exe

[7] 2004-08-04 07:56 15360 24232996A38C0B0CF151C2140AE29FC8 c:\windows\$NtServicePackUninstall$\ctfmon.exe
[7] 2008-04-14 00:12 15360 5F1D5F88303D4A4DBC8E5F97BA967CC3 c:\windows\ServicePackFiles\i386\ctfmon.exe
[7] 2008-04-14 00:12 15360 5F1D5F88303D4A4DBC8E5F97BA967CC3 c:\windows\system32\ctfmon.exe
[7] 2008-04-14 00:12 15360 5F1D5F88303D4A4DBC8E5F97BA967CC3 c:\windows\system32\dllcache\cache\ctfmon.exe

[7] 2004-08-04 07:56 57856 7435B108B935E42EA92CA94F59C8E717 c:\windows\$NtServicePackUninstall$\spoolsv.exe
[7] 2008-04-14 00:12 57856 D8E14A61ACC1D4A6CD0D38AEBAC7FA3B c:\windows\ServicePackFiles\i386\spoolsv.exe
[7] 2008-04-14 00:12 57856 D8E14A61ACC1D4A6CD0D38AEBAC7FA3B c:\windows\system32\spoolsv.exe
[7] 2008-04-14 00:12 57856 D8E14A61ACC1D4A6CD0D38AEBAC7FA3B c:\windows\system32\dllcache\cache\spoolsv.exe

[7] 2004-08-04 07:56 111104 4126D27CECE4471E00E425411F7306B5 c:\windows\$NtServicePackUninstall$\wuauclt.exe
[7] 2008-04-14 00:12 111104 ED7262E52C31CF1625B65039102BC16C c:\windows\ServicePackFiles\i386\wuauclt.exe
[7] 2008-10-16 19:09 51224 E654B78D2F1D791B30D0ED9A8195EC22 c:\windows\system32\wuauclt.exe
[7] 2008-10-16 19:09 51224 E654B78D2F1D791B30D0ED9A8195EC22 c:\windows\system32\dllcache\wuauclt.exe
[7] 2008-10-16 19:09 51224 E654B78D2F1D791B30D0ED9A8195EC22 c:\windows\system32\dllcache\cache\wuauclt.exe

[7] 2004-08-04 07:56 24576 39B1FFB03C2296323832ACBAE50D2AFF c:\windows\$NtServicePackUninstall$\userinit.exe
[7] 2008-04-14 00:12 26112 A93AEE1928A9D7CE3E16D24EC7380F89 c:\windows\ServicePackFiles\i386\userinit.exe
[7] 2008-04-14 00:12 26112 A93AEE1928A9D7CE3E16D24EC7380F89 c:\windows\system32\userinit.exe
[7] 2008-04-14 00:12 26112 A93AEE1928A9D7CE3E16D24EC7380F89 c:\windows\system32\dllcache\cache\userinit.exe

[7] 2004-08-04 07:56 295424 B60C877D16D9C880B952FDA04ADF16E6 c:\windows\$NtServicePackUninstall$\termsrv.dll
[-] 2001-08-23 12:00 197632 458635D2E4559526CF9C895340A38702 c:\windows\$NtUninstallQ311889$\termsrv.dll
[7] 2008-04-14 00:12 295424 FF3477C03BE7201C294C35F684B3479F c:\windows\ServicePackFiles\i386\termsrv.dll
[7] 2008-04-14 00:12 295424 FF3477C03BE7201C294C35F684B3479F c:\windows\system32\termsrv.dll
[7] 2008-04-14 00:12 295424 FF3477C03BE7201C294C35F684B3479F c:\windows\system32\dllcache\cache\termsrv.dll

[-] 2004-06-17 17:58 930816 FCA73DE7B988A2F7837FFBFFCFBED088 c:\windows\$hf_mig$\KB840987\SP1QFE\kernel32.dll
[7] 2009-03-21 13:59 991744 DA11D9D6ECBDF0F93436A4B7C13F7BEC c:\windows\$hf_mig$\KB959426\SP3QFE\kernel32.dll
[7] 2004-08-04 07:56 983552 888190E31455FAD793312F8D087146EB c:\windows\$NtServicePackUninstall$\kernel32.dll
[-] 2001-08-23 12:00 926720 379B0B31D7F8D2C9F7FF302B454A6C54 c:\windows\$NtUninstallKB840987$\kernel32.dll
[7] 2008-04-14 00:11 989696 C24B983D211C34DA8FCC1AC38477971D c:\windows\$NtUninstallKB959426$\kernel32.dll
[7] 2008-04-14 00:11 989696 C24B983D211C34DA8FCC1AC38477971D c:\windows\ServicePackFiles\i386\kernel32.dll
[7] 2009-03-21 14:06 989696 B921FB870C9AC0D509B2CCABBBBE95F3 c:\windows\system32\kernel32.dll
[7] 2009-03-21 14:06 989696 B921FB870C9AC0D509B2CCABBBBE95F3 c:\windows\system32\dllcache\kernel32.dll
[7] 2009-03-21 14:06 989696 B921FB870C9AC0D509B2CCABBBBE95F3 c:\windows\system32\dllcache\cache\kernel32.dll

[7] 2004-08-04 07:56 17408 1B5F6923ABB450692E9FE0672C897AED c:\windows\$NtServicePackUninstall$\powrprof.dll
[7] 2008-04-14 00:12 17408 50A166237A0FA771261275A405646CC0 c:\windows\ServicePackFiles\i386\powrprof.dll
[7] 2008-04-14 00:12 17408 50A166237A0FA771261275A405646CC0 c:\windows\system32\powrprof.dll
[7] 2008-04-14 00:12 17408 50A166237A0FA771261275A405646CC0 c:\windows\system32\dllcache\cache\powrprof.dll

[7] 2004-08-04 07:56 110080 87CA7CE6469577F059297B9D6556D66D c:\windows\$NtServicePackUninstall$\imm32.dll
[7] 2008-04-14 00:11 110080 0DA85218E92526972A821587E6A8BF8F c:\windows\ServicePackFiles\i386\imm32.dll
[7] 2008-04-14 00:11 110080 0DA85218E92526972A821587E6A8BF8F c:\windows\system32\imm32.dll
[7] 2008-04-14 00:11 110080 0DA85218E92526972A821587E6A8BF8F c:\windows\system32\dllcache\cache\imm32.dll

[7] 2004-08-04 07:56 1580544 30A609E00BD1D4FFC49D6B5A432BE7F2 c:\windows\$NtServicePackUninstall$\sfcfiles.dll
[-] 2001-08-23 12:00 1562112 9E415EFDF50F26BCBC97C80F4E6C30CC c:\windows\$NtUninstallQ309521$\sfcfiles.dll
[7] 2008-04-14 00:12 1614848 9DD07AF82244867CA36681EA2D29CE79 c:\windows\ServicePackFiles\i386\sfcfiles.dll
[7] 2008-04-14 00:12 1614848 9DD07AF82244867CA36681EA2D29CE79 c:\windows\system32\sfcfiles.dll
[7] 2008-04-14 00:12 1614848 9DD07AF82244867CA36681EA2D29CE79 c:\windows\system32\dllcache\cache\sfcfiles.dll


[7] 2004-08-04 05:58 24576 EBDEE8A2EE5393890A1ACEE971C4C246 c:\windows\$NtServicePackUninstall$\kbdclass.sys
[7] 2008-04-13 18:39 24576 463C1EC80CD17420A542B7F36A36F128 c:\windows\ServicePackFiles\i386\kbdclass.sys
[7] 2008-04-13 18:39 24576 463C1EC80CD17420A542B7F36A36F128 c:\windows\system32\dllcache\cache\kbdclass.sys
[7] 2008-04-13 18:39 24576 463C1EC80CD17420A542B7F36A36F128 c:\windows\system32\drivers\kbdclass.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-21 50472]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-05 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2004-08-20 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2004-08-20 118784]
"systemguard"="c:\program files\System Guard 2009\systemguard.exe" [BU]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\caeabaafbabae]
[BU]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Ares\\Ares.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [12/3/2008 10:33 PM 24652]
S0 099f7efc868878f48d536500a0e0000d;099f7efc868878f48d536500a0e0000d;c:\windows\system32\099f7efc868878f48d536500a0e0000d.sys --> c:\windows\system32\099f7efc868878f48d536500a0e0000d.sys [?]
S0 4b63c2aff10254dae185d1bbe7c1a4a5;4b63c2aff10254dae185d1bbe7c1a4a5;c:\windows\system32\4b63c2aff10254dae185d1bbe7c1a4a5.sys --> c:\windows\system32\4b63c2aff10254dae185d1bbe7c1a4a5.sys [?]
.
.
------- Supplementary Scan -------
.
uLocal Page = \blank.htm
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: &Search - ?p=ZKxdm021QUUS
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-25 14:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AIM6\aolsoftware.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-06-25 14:36 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-25 18:36

Pre-Run: 73,983,549,440 bytes free
Post-Run: 73,973,960,704 bytes free

249 --- E O F --- 2009-06-25 09:10

I am able to start malwarebytes now!!!

Should I update and do a full scan and fix then post results?

That's great!!

Uninstall Viewpoint Manager from Add/Remove Programs.

Update Malwarebytes, run a scan and remove all threats found. Save the log and post it in your next reply.

Please perform a scan with the ESET online virus scanner. You can expect some detections in Combofix's quarantine (Qoobox) and system volume information. They will not represent active malware so don't worry:
http://www.eset.com/onlinescan/index.php

• ESET recommends disabling your resident antivirus's auto-protection feature before beginning the scan to avoid conflicts and system hangs. Please disable your antivirus's Guard and any antispyware or HIPS programs you are running.
• Use Internet Explorer to navigate to the scanner website because you must approve install an ActiveX add-on to complete the scan.
• Check the "Yes, I accept the terms of use" box.
• Click "Start"
• Check the boxes the following two boxes:
  • enable "Remove found threats"
  • Scan unwanted applications
• Click the Scan button to begin scanning.
• When the scan is done the log is automatically saved. To retrieve it
  • Close the ESET scan Window.
  • Now open a run line by clicking Start >> Run...
  • Copy/paste "C:\Program Files\EsetOnlineScanner\log.txt" ino the Open box:
  • The Scan results will now display in Notepad
• Please copy and paste the ESET scan report that can be found in this location
  C:\Program Files\EsetOnlineScanner\log.txt into your next reply

Note to Vista users and anyone with restrictive IE security settings: Depending on your security settings, you may have to allow cookies and put the ESET website, www.eset.com, into the trusted zone of Internet Explorer if the scan has problems starting (in Vista this is a necessity as IE runs in Protected mode).

To do that, on the Internet Explorer menu click Tools => Internet Options => Security => Trusted Sites => Sites. Then uncheck "Require server verification for all sites in this zone" checkbox at the bottom of the dialog. Add the above www.eset.com url to the list of trusted sites, by inserting it in the blank box and clicking the Add button, then click Close. For cookies, choose the IE7 Privacy tab and add the above eset.com url to the exceptions list for cookie blocking.

Please post back the Eset scan report and a new MBAM log.

Malwarebytes' Anti-Malware 1.38
Database version: 2335
Windows 5.1.2600 Service Pack 3

6/26/2009 2:37:06 PM
mbam-log-2009-06-26 (14-37-06).txt

Scan type: Full Scan (C:\|)
Objects scanned: 106762
Time elapsed: 20 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 12

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\apar (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\intermplug (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\parttimeb (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{6246ff85-1da0-4486-9b1d-95c0fd31158e} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{6494b9be-3a4c-11de-91d2-bd8055d89593} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{41699f6b-014e-46e5-a097-3d52f79cab65} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{5303e828-3a4c-11de-ac1c-f77f55d89593} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
c:\documents and settings\All Users\Application Data\Microsoft\Network\DLLs (Rogue.SystemGuard2009) -> Quarantined and deleted successfully.
C:\Program Files\NoAdware (Rogue.NoAdware) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\kusers.dll (Trojan.BHO) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\becfdefafbfbcebf.dll.vir (Worm.AutoRun) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\fadbefdadd.dll.vir (Worm.AutoRun) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\WINDOWS\system32\kdpini.dll.vir (Trojan.BHO) -> Quarantined and deleted successfully.
c:\system volume information\_restore{66243962-2ba4-48e6-8796-8797b8e8991e}\RP1\A0000015.dll (Trojan.BHO) -> Quarantined and deleted successfully.
c:\system volume information\_restore{66243962-2ba4-48e6-8796-8797b8e8991e}\RP1\A0000025.dll (Worm.AutoRun) -> Quarantined and deleted successfully.
c:\system volume information\_restore{66243962-2ba4-48e6-8796-8797b8e8991e}\RP1\A0000027.dll (Worm.AutoRun) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\15ada7cb4de13805db514a03f5c7be48.TMP (Worm.AutoRun) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\c545a1b00e143396eb1753fe738c832d.TMP (Worm.AutoRun) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\microsoft\Network\DLLs\c.cgm (Rogue.SystemGuard2009) -> Quarantined and deleted successfully.
c:\program files\NoAdware\noadware4_020809.na (Rogue.NoAdware) -> Quarantined and deleted successfully.
c:\documents and settings\All Users\Application Data\Microsoft\Network\track.sys (Trojan.FakeAlert) -> Quarantined and deleted successfully.



# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=4065 (20090511)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=05f33e87b4ad4842b2b3326a0b379a9d
# end=finished
# remove_checked=true
# unwanted_checked=false
# utc_time=2009-05-11 08:53:14
# local_time=2009-05-11 04:53:14 (-0500, Eastern Daylight Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 3
# scanned=85090
# found=12
# scan_time=1110
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FraudSpywareGuard.zip Win32/Bagle.gen.zip worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FraudSpywareGuard1.zip Win32/Bagle.gen.zip worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FraudSpywareGuard2.zip Win32/Bagle.gen.zip worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FraudSpywareGuard3.zip Win32/Bagle.gen.zip worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch1.zip Win32/Bagle.gen.zip worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch5.zip Win32/Bagle.gen.zip worm (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\KP\Local Settings\Temporary Internet Files\Content.IE5\08UJK75O\g748[1].mp4 Win32/BHO.NNZ trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\KP\Local Settings\Temporary Internet Files\Content.IE5\08UJK75O\g890[1].mp4 Win32/BHO.NNZ trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\KP\Local Settings\Temporary Internet Files\Content.IE5\1OUFF4MU\g210[1].mp4 Win32/BHO.NNZ trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\KP\Local Settings\Temporary Internet Files\Content.IE5\1OUFF4MU\u644[1].ini Win32/BHO.NNZ trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\KP\Local Settings\Temporary Internet Files\Content.IE5\9T7HMVE7\u332[1].ini Win32/BHO.NNZ trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\kusers.dll a variant of Win32/BHO.NKS trojan (unable to clean - deleted (after the next restart)) 00000000000000000000000000000000



Malwarebytes' Anti-Malware 1.38
Database version: 2339
Windows 5.1.2600 Service Pack 3

6/26/2009 3:43:08 PM
mbam-log-2009-06-26 (15-43-08).txt

Scan type: Full Scan (C:\|)
Objects scanned: 107358
Time elapsed: 20 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Good job!

Many of the detections were found in quarantine stores such as Qoobox, Spybot's Recovery, or in temp internet files or system volume information (system restore data which we'll purge later).

Download CCleaner by clicking the Latest Version arrow on the right.
http://www.filehippo.com/download_ccleaner/Download

Double-click CC setup file to launch the installer

1. Note: CCleaner may attempt to install the Yahoo Toolbar as an option which IS checkmarked by default during the installation. IF you do NOT want it, When the install options are presented, UNCHECK the last install option to "Add CCleaner Yahoo! Toolbar and use CCLeaner from your browser".

2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.
In the Windows Tab:

* Clean all entries in the "Internet Explorer" section except Cookies if you want to keep those.
* Clean all the entries in the "Windows Explorer" section.
* Clean all entries in the "System" section.
* Clean all entries in the "Advanced" section.
* Clean any others that you choose.

In the Applications Tab:

* Clean all except cookies in the Firefox/Mozilla section if you use it.
* Clean all in the Opera section if you use it.
* Clean Sun Java in the Internet Section.
* Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

Run a scan with Dr. Web CureIt!. This scanner is an downloaded as a randomly named executable file that is ready to go with no extracting and no updating. It does take a while to scan, so be patient. It also detects a lot of malware that other scanners miss and can repair damaged files that are essential for your computer.

1. Please download DrWeb-CureIt by clicking the "CureIt! Download" button on the right-side of the page. Save the randomly named executable file to your desktop, but DO NOT perform a scan yet.
2. Next, please reboot your computer in Safe Mode by doing the following:

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
• Instead of Windows loading as normal, an Advanced Options Menu should appear
• Select the first option, to run Windows in Safe Mode.

3. Double-click on randomly named EXE file you just downloaded to start the program. An "Express Scan of your PC" notice will appear.
4. Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to "cure it".
5. Once the short scan has finished, Click Options --> Change settings
6. Choose the "Scan tab" and UNcheck "Heuristic analysis"
7. Back at the main window, click "Complete Scan"
8. Then click the "Start/Stop Scanning" button (green triangular "play" button on the right), and the scan will start.
9. When done, a message will be displayed at the bottom advising if any threats were found.
10. Click "Yes to all" if it asks if you want to cure/move the file.
11. When the scan has finished, see if you can locate the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
(This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
12. Next, in the Dr.Web CureIt menu on top, click File and then choose Save report.
13. Save the DrWeb.csv report to your desktop.
14. Exit Dr.Web Cureit when done.
15. Important! Reboot your computer so any targeted files that were in use can be moved/deleted during reboot.
16. After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report by right-clicking the file and selecting "Open With" -> Notepad.

In your next reply, please include the Dr.Web Log

RegUBP2b-KP.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;
A0000162.reg;C:\System Volume Information\_restore{66243962-2BA4-48E6-8796-8797B8E8991E}\RP1;Trojan.StartPage.1505;Deleted.;
A0000368.reg;C:\System Volume Information\_restore{66243962-2BA4-48E6-8796-8797B8E8991E}\RP1;Trojan.StartPage.1505;Deleted.;

Those detections are nothing to worry about. We're ready to wrap it up now.

Good job!

If I asked you to download and run an ARK (Antirootkit program), then uninstall it by doing the following:

• Click on START - RUN
• Type in or copy/paste %windir%\gmer_uninstall.cmd in the open box
• Click OK

We have a few steps to finish up now.

Let's remove Combofix and all its associated files including those in quarantine:
Click start -> run, then copy and paste the following line into the Open box and click OK.

"%userprofile%\desktop\fixfix.exe" /u

This will do the following:

• Uninstall Combofix and all its associated files and folders.
• It will flush your system restore points (where you are getting some detections) and create a new restore point.
• It will rehide your system files and folders
• Reset your system clock

Here are some additional measures you should take to keep your system in good working order and ensure your continued security.

1. Scan your system for outdated versions of commonly used software applications that may also cause your PC be vulnerable, using the Secunia Online Software Inspector (OSI)

Just click the "Start Scanner" button to get a listing of all outdated and possibly insecure resident programs.

Note: If your firewall prompts you about access, allow it.

2. Keep MBAM as an on demand scanner because I highly recommend it, and the quick scan will find most all active malware in minutes.

3. You can reduce your startups by downloading Malwarebyte's StartUp Lite and saving it to a convenient location. Just double-click StartUpLite.exe. Then, check the options you would like based on the descriptions provided, then select continue. This will free up system resources because nonessential background programs will no longer be running when you start up your computer.

4. Download and install SpywareBlaster:
http://www.javacoolsoftware.com/spywareblaster.html
Update it and the enable protection for all unprotected items.
You will have to update the free version manually about once a month by clicking the Updates button. You can refer to the
Calendar of Updates Website to see whenSpywareBlaster and other programs that do not autoupdate have new definitions or program updates available.

You should visit the Windows Updates website, and obtain the most current Operating System updates/patches, and Internet Explorer released versions.
The easiest and fastest way to obtain Windows Updates is by clicking Control Panel -> Windows Updates.

Finally, please follow the suggestions offered by Tony Klein in How did I get infected in the first place. so you can maintain a safe and secure computing environment.

Happy Surfing!

Just wanted to say thanks for everything! You were very helpful.

Also, for some reason the right click is not working on folders. Could that be a virus/malware? nothing was found when we did our scans.

Thanks!

Let's try this to enable your context menu

Go to Start -> Run and type in notepad and hit OK. Then copy and paste the following into Notepad.
In Notepad under Format -> Wordwrap - make sure Wordwrap is unchecked



Save the file to your desktop as fixpol.reg

Close Notepad.

Double click on the fixpol.reg file on your desktop and choose Yes to add the information to the registry.

You should get a message that say says the information was successfully added to the registry.

Let me know if that worked please.

Nope it did not work. I can right click on the bottom where the bar is? I forget what its called. Or I can right click on the icons on the bottom right but anything in the desktop is no good and nothing in folders either. Kind of weird. I didn't check if it works in a browser but I can if you think it will help. Let me know. Thanks again

Try this:

Download FixPolicies, a self-extracting ZIP file, and save it to your desktop:
http://downloads.malwareremoval.com/BillCa...FixPolicies.exe

• Double-click FixPolicies.exe
  
• Click the "Install" button on the bottom toolbar of the box that opens.
  
• The program will create a new Folder called FixPolicies.
  
• Double-click to open the new Folder, and then double-click the file Fix_Policies.cmd located within this folder.
  
• A black box (command Window) will briefly appear and then close.

I guess the previous thing worked. I started up the computer to do the next step and it was working. Thanks!

Thanks again for all your help, you were very helpful!

You're welcome Kaz. I'm glad the fix worked.