Hello Folks,
Cleaning my girlfriend's mother's computer and having some difficulty. It had a fake virus scanner/phisher on it along with ping.exe that is giving me trouble. I have run Trend Micro HouseCall along with HijackThis and Malwarebytes. I also turned off Windows Fax as I discovered the outgoing connections were coming from that. I can't quite seem to kick this sucker. That is when I found this website, and it looks like it is a fairly common problem around here. Windows Malicious Software Removal Tool found several instances of the Win32/Sirefef.N virus. Following the sticky, here are the results of my logs.

GMER LOG
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2012-01-02 19:39:19
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 Hitachi_ rev.FB2O
Running: 7keg6c2c.exe; Driver: C:\DOCUME~1\MAGGIE~1\LOCALS~1\Temp\fwdyrpow.sys


---- Devices - GMER 1.0.15 ----

Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Tcp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)

Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 wdf01000.sys (WDF Dynamic/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

Malwarebytes Anti-Malware (Trial) 1.60.0.1800
www.malwarebytes.org

Database version: v2011.12.31.02

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Maggie Kissling :: ACER-330BB84976 [administrator]

Protection: Enabled

02/01/2012 7:40:22 PM
mbam-log-2012-01-02 (19-40-22).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 204289
Time elapsed: 35 minute(s), 42 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
Run by Maggie Kissling at 20:23:51 on 2012-01-02
.
============== Running Processes ===============
.
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
\\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Documents and Settings\Maggie Kissling\My Documents\Downloads\dds.scr
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0909&m=aspire_one
uDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0909&m=aspire_one
uInternet Connection Wizard,ShellNext = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0909&m=aspire_one
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
TCP: Interfaces\{7AC44BAD-D0BB-49F5-8314-EA79FEAD1815} : DhcpNameServer = 192.168.1.254 192.168.1.254
Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\maggie kissling\application data\mozilla\firefox\profiles\mmgo6tv7.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - prefs.js: keyword.URL - hxxp://ca.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_ca&p=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: United States English Spellchecker: en-US@dictionaries.addons.mozilla.org - %profile%\extensions\en-US@dictionaries.addons.mozilla.org
.
---- FIREFOX POLICIES ----
FF - user.js: extensions.BabylonToolbar_i.id - 58b67db500000000000000235af2cbb4
FF - user.js: extensions.BabylonToolbar_i.hardId - 58b67db500000000000000235af2cbb4
FF - user.js: extensions.BabylonToolbar_i.instlDay - 15318
FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1722:53:14
FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar_i.tlbrId - base
FF - user.js: extensions.BabylonToolbar_i.newTab - false
FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=17167
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar_i.instlRef - sst
.
.
============= SERVICES / DRIVERS ===============
.
R? Ambfilt;Ambfilt
R? fsssvc;Windows Live Family Safety Service
R? MpKslf8a56467;MpKslf8a56467
R? RS_Service;Raw Socket Service
R? RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader
R? Rts516xIR;Realtek IR Driver
R? vsmon;TrueVector Internet Monitor
S? fssfltr;fssfltr
S? L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller
S? MBAMProtector;MBAMProtector
S? MBAMService;MBAMService
S? MpFilter;Microsoft Malware Protection Driver
S? MpKsl3652ab4c;MpKsl3652ab4c
S? vsdatant;vsdatant
.
=============== Created Last 30 ================
.
2012-01-03 04:19:16 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{bb466914-1a51-4218-917b-60c37baaa4c2}\MpKsl3652ab4c.sys
2012-01-03 04:19:09 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{bb466914-1a51-4218-917b-60c37baaa4c2}\offreg.dll
2011-12-31 07:30:20 1238408 ----a-w- c:\windows\system32\zpeng25.dll
2011-12-31 07:30:14 -------- d-----w- c:\windows\system32\ZoneLabs
2011-12-31 07:30:01 -------- d-----w- c:\program files\Zone Labs
2011-12-31 07:28:02 -------- d-----w- c:\windows\Internet Logs
2011-12-31 05:08:00 -------- d-----w- c:\program files\RegCleaner
2011-12-31 04:25:09 -------- d-----w- c:\documents and settings\maggie kissling\local settings\application data\PCHealth
2011-12-31 04:09:26 -------- d-----w- c:\windows\pss
2011-12-31 02:04:25 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-31 02:04:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-30 23:33:36 6823496 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{bb466914-1a51-4218-917b-60c37baaa4c2}\mpengine.dll
2011-12-25 22:49:29 388096 ----a-r- c:\documents and settings\maggie kissling\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-12-25 22:49:26 -------- d-----w- c:\program files\Trend Micro
2011-12-25 04:17:00 22032 ----a-w- c:\windows\DCEBoot.exe
2011-12-25 04:16:47 102400 ----a-w- c:\windows\RegBootClean.exe
2011-12-10 06:53:30 -------- d-----w- c:\documents and settings\all users\application data\Tarma Installer
2011-12-10 06:53:08 -------- d-----w- c:\documents and settings\maggie kissling\local settings\application data\Babylon
2011-12-10 06:53:08 -------- d-----w- c:\documents and settings\all users\application data\Babylon
2011-12-10 06:53:07 -------- d-----w- c:\documents and settings\maggie kissling\application data\Babylon
.
==================== Find3M ====================
.
2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-04 19:20:51 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23:59 385024 ----a-w- c:\windows\system32\html.iec
2011-11-01 16:07:10 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31:48 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37:08 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52:02 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-18 11:13:22 186880 ----a-w- c:\windows\system32\encdec.dll
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
.
============= FINISH: 20:24:59.67 ===============


OK, the link you posted was dead, but I managed to track down the ComboFix file on the site. Going to post logs from both here now. Thinking the techs are still enjoying the New Year's; don't blame them one bit. I am currently following the instructions found here:

http://www.bleepingcomputer.com/forums/topic434837.html/page__p__2534912__hl__combofix__fromsearch__1#entry2534912

I have 2 ComboFix logs, as the first wasn't an up-to-date file apparently... the second was an up-to-date file. It found some rootkits, a TCP/IP stack one and several others not mentioned. Will update with results.

Here is the initial ComboFix log:
ComboFix 11-12-27.01 - Maggie Kissling 03/01/2012 15:16:46.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.589 [GMT -8:00]
Running from: D:\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
- REDUCED FUNCTIONALITY MODE -
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\Tarma Installer
c:\documents and settings\All Users\Application Data\Tarma Installer\{DE3B7BF9-0770-4104-BC0B-B1CCCCE2F053}\_Setup.dll
c:\documents and settings\All Users\Application Data\Tarma Installer\{DE3B7BF9-0770-4104-BC0B-B1CCCCE2F053}\Setup.dat
c:\documents and settings\All Users\Application Data\Tarma Installer\{DE3B7BF9-0770-4104-BC0B-B1CCCCE2F053}\Setup.exe
c:\documents and settings\All Users\Application Data\Tarma Installer\{DE3B7BF9-0770-4104-BC0B-B1CCCCE2F053}\Setup.ico
c:\windows\system32\Thumbs.db
.
----- File Replicators -----
.
c:\acer\Preload\Autorun\GUI\Acer Aspire Generic Guide\BG\CopyAcerLink.exe
c:\acer\Preload\Autorun\GUI\Acer Aspire Generic Guide\CS\CopyAcerLink.exe
c:\acer\Preload\Autorun\GUI\Acer Aspire Generic Guide\DA\CopyAcerLink.exe
c:\acer\Preload\Autorun\GUI\Acer Aspire Generic Guide\DE\CopyAcerLink.exe
c:\acer\Preload\Autorun\GUI\Acer Aspire Generic Guide\EL\CopyAcerLink.exe
c:\acer\Preload\Autorun\GUI\Acer Aspire Generic Guide\EN\CopyAcerLink.exe
c:\acer\Preload\Autorun\GUI\Acer Aspire Generic Guide\ES\CopyAcerLink.exe
c:\acer\Preload\Autorun\GUI\Acer Aspire Generic Guide\FI\CopyAcerLink.exe
c:\acer\Preload\Autorun\GUI\Acer Aspire Generic Guide\FR\CopyAcerLink.exe
c:\acer\Preload\Autorun\GUI\Acer Aspire Generic Guide\HR\CopyAcerLink.exe
c:\acer\Preload\Autorun\GUI\Acer Aspire Generic Guide\HU\CopyAcerLink.exe
c:\acer\Preload\Autorun\GUI\Acer Aspire Generic Guide\IT\CopyAcerLink.exe
c:\acer\Preload\Autorun\GUI\Acer Aspire Generic Guide\JA\CopyAcerLink.exe
c:\acer\Preload\Autorun\GUI\Acer Aspire Generic Guide\NL\CopyAcerLink.exe
c:\acer\Preload\Autorun\GUI\Acer Aspire Generic Guide\NO\CopyAcerLink.exe
c:\acer\Preload\Autorun\GUI\Acer Aspire Generic Guide\PL\CopyAcerLink.exe
c:\acer\Preload\Autorun\GUI\Acer Aspire Generic Guide\PT\CopyAcerLink.exe
c:\acer\Preload\Autorun\GUI\Acer Aspire Generic Guide\RO\CopyAcerLink.exe
c:\acer\Preload\Autorun\GUI\Acer Aspire Generic Guide\RU\CopyAcerLink.exe
c:\acer\Preload\Autorun\GUI\Acer Aspire Generic Guide\SC\CopyAcerLink.exe
c:\acer\Preload\Autorun\GUI\Acer Aspire Generic Guide\SK\CopyAcerLink.exe
c:\acer\Preload\Autorun\GUI\Acer Aspire Generic Guide\SL\CopyAcerLink.exe
c:\acer\Preload\Autorun\GUI\Acer Aspire Generic Guide\SV\CopyAcerLink.exe
c:\acer\Preload\Autorun\GUI\Acer Aspire Generic Guide\TC\CopyAcerLink.exe
c:\acer\Preload\Autorun\GUI\Acer Aspire Generic Guide\TR\CopyAcerLink.exe
c:\acer\Preload\Autorun\GUI\Acer Aspire Generic Guide\ZH\CopyAcerLink.exe
c:\acer\Preload\Autorun\GUI\Acer Quick Guide\BG\CopyAcerLink.exe
c:\acer\Preload\Autorun\GUI\Acer Quick Guide\CS\CopyAcerLink.exe
c:\acer\Preload\Autorun\GUI\Acer Quick Guide\DA\CopyAcerLink.exe
c:\acer\Preload\Autorun\GUI\Acer Quick Guide\DE\CopyAcerLink.exe
c:\acer\Preload\Autorun\GUI\Acer Quick Guide\EL\CopyAcerLink.exe
c:\acer\Preload\Autorun\GUI\Acer Quick Guide\EN\CopyAcerLink.exe
c:\acer\Preload\Autorun\GUI\Acer Quick Guide\ES\CopyAcerLink.exe
c:\acer\Preload\Autorun\GUI\Acer Quick Guide\FI\CopyAcerLink.exe
c:\acer\Preload\Autorun\GUI\Acer Quick Guide\FR\CopyAcerLink.exe
c:\acer\Preload\Autorun\GUI\Acer Quick Guide\HR\CopyAcerLink.exe
c:\acer\Preload\Autorun\GUI\Acer Quick Guide\HU\CopyAcerLink.exe
c:\acer\Preload\Autorun\GUI\Acer Quick Guide\IT\CopyAcerLink.exe
c:\acer\Preload\Autorun\GUI\Acer Quick Guide\JA\CopyAcerLink.exe
c:\acer\Preload\Autorun\GUI\Acer Quick Guide\NL\CopyAcerLink.exe
c:\acer\Preload\Autorun\GUI\Acer Quick Guide\NO\CopyAcerLink.exe
c:\acer\Preload\Autorun\GUI\Acer Quick Guide\PL\CopyAcerLink.exe
c:\acer\Preload\Autorun\GUI\Acer Quick Guide\PT\CopyAcerLink.exe
c:\acer\Preload\Autorun\GUI\Acer Quick Guide\RO\CopyAcerLink.exe
c:\acer\Preload\Autorun\GUI\Acer Quick Guide\RU\CopyAcerLink.exe
c:\acer\Preload\Autorun\GUI\Acer Quick Guide\SC\CopyAcerLink.exe
c:\acer\Preload\Autorun\GUI\Acer Quick Guide\SK\CopyAcerLink.exe
c:\acer\Preload\Autorun\GUI\Acer Quick Guide\SL\CopyAcerLink.exe
c:\acer\Preload\Autorun\GUI\Acer Quick Guide\SV\CopyAcerLink.exe
c:\acer\Preload\Autorun\GUI\Acer Quick Guide\TC\CopyAcerLink.exe
c:\acer\Preload\Autorun\GUI\Acer Quick Guide\TR\CopyAcerLink.exe
c:\acer\Preload\Autorun\GUI\Acer Quick Guide\ZH\CopyAcerLink.exe
c:\book\CopyAcerLink.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-12-03 to 2012-01-03 )))))))))))))))))))))))))))))))
.
.
2012-01-03 23:07 . 2012-01-03 23:07 29904 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BB466914-1A51-4218-917B-60C37BAAA4C2}\MpKsled65c39f.sys
2012-01-03 22:59 . 2012-01-03 22:59 29904 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BB466914-1A51-4218-917B-60C37BAAA4C2}\MpKslfa638b40.sys
2012-01-03 22:48 . 2012-01-03 22:48 29904 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BB466914-1A51-4218-917B-60C37BAAA4C2}\MpKslf879d33e.sys
2012-01-03 22:48 . 2012-01-03 23:06 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BB466914-1A51-4218-917B-60C37BAAA4C2}\offreg.dll
2012-01-03 04:36 . 2012-01-03 04:36 -------- d-----w- c:\program files\ESET
2011-12-31 07:30 . 2009-10-17 09:39 103816 ----a-w- c:\windows\system32\zlcommdb.dll
2011-12-31 07:30 . 2009-10-17 09:39 69000 ----a-w- c:\windows\system32\zlcomm.dll
2011-12-31 07:30 . 2009-10-17 09:39 1238408 ----a-w- c:\windows\system32\zpeng25.dll
2011-12-31 07:30 . 2011-12-31 07:31 -------- d-----w- c:\windows\system32\ZoneLabs
2011-12-31 07:30 . 2011-12-31 07:30 -------- d-----w- c:\program files\Zone Labs
2011-12-31 07:28 . 2012-01-03 23:08 -------- d-----w- c:\windows\Internet Logs
2011-12-31 05:08 . 2011-12-31 05:22 -------- d-----w- c:\program files\RegCleaner
2011-12-31 04:25 . 2011-12-31 04:25 -------- d-----w- c:\documents and settings\Maggie Kissling\Local Settings\Application Data\PCHealth
2011-12-31 02:04 . 2011-12-10 23:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-31 02:04 . 2011-12-31 02:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-31 01:11 . 2011-12-31 01:11 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2011-12-30 23:33 . 2011-11-21 10:47 6823496 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BB466914-1A51-4218-917B-60C37BAAA4C2}\mpengine.dll
2011-12-25 22:49 . 2011-12-25 22:49 388096 ----a-r- c:\documents and settings\Maggie Kissling\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-12-25 22:49 . 2011-12-25 22:49 -------- d-----w- c:\program files\Trend Micro
2011-12-25 22:47 . 2011-12-25 22:47 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-12-25 04:17 . 2011-12-25 04:17 22032 ----a-w- c:\windows\DCEBoot.exe
2011-12-25 04:16 . 2011-12-25 04:17 102400 ----a-w- c:\windows\RegBootClean.exe
2011-12-10 06:53 . 2011-12-10 06:53 236 ----a-w- C:\user.js
2011-12-10 06:53 . 2011-12-10 06:53 -------- d-----w- c:\documents and settings\Maggie Kissling\Local Settings\Application Data\Babylon
2011-12-10 06:53 . 2011-12-10 06:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Babylon
2011-12-10 06:53 . 2011-12-10 06:53 -------- d-----w- c:\documents and settings\Maggie Kissling\Application Data\Babylon
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-23 13:25 . 2009-03-11 12:53 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-21 10:47 . 2011-05-24 18:57 6823496 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-11-04 19:20 . 2009-03-11 12:53 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2009-03-11 12:53 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2009-03-11 12:53 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2009-03-11 12:53 385024 ----a-w- c:\windows\system32\html.iec
2011-11-01 16:07 . 2009-03-11 12:53 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2009-03-11 12:52 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37 . 2008-04-14 00:54 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52 . 2008-04-14 00:01 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-18 11:13 . 2009-03-11 12:53 186880 ----a-w- c:\windows\system32\encdec.dll
2011-10-10 14:22 . 2009-03-12 05:06 692736 ----a-w- c:\windows\system32\inetcomm.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-25 460872]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-10-17 1037192]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AzMixerSel]
2006-01-25 10:45 53248 ----a-w- c:\program files\Realtek\Audio\Drivers\AzMixerSel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2008-02-28 01:00 166424 ----a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2010-03-12 20:08 49208 ----a-w- c:\program files\HP\HP Software Update\hpwuschd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2008-04-16 00:54 178712 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2008-02-28 01:00 141848 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2008-04-14 12:00 208952 ----a-w- c:\windows\ime\imjp8_1\imjpmig.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]
2008-12-30 07:09 875016 ----a-w- c:\progra~1\LAUNCH~1\LManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSC]
2011-06-15 22:16 997920 ----a-w- c:\program files\Microsoft Security Client\msseces.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
2008-04-14 12:00 59392 ----a-w- c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
2008-04-14 12:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
2008-04-14 12:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PLFSetL]
2008-07-03 22:58 94208 ----a-w- c:\windows\PLFSetL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\snp2uvc]
2009-02-17 01:32 196608 ----a-w- c:\windows\system32\csnp2uvc.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-09-03 23:06 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2009-02-05 10:32 1430824 ------w- c:\program files\Synaptics\SynTP\SynTPEnh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"mnmsrvc"=3 (0x3)
"Fax"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
.
R1 MpKsled65c39f;MpKsled65c39f;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BB466914-1A51-4218-917B-60C37BAAA4C2}\MpKsled65c39f.sys [03/01/2012 3:07 PM 29904]
R1 MpKslf879d33e;MpKslf879d33e;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BB466914-1A51-4218-917B-60C37BAAA4C2}\MpKslf879d33e.sys [03/01/2012 2:48 PM 29904]
R1 MpKslfa638b40;MpKslfa638b40;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BB466914-1A51-4218-917B-60C37BAAA4C2}\MpKslfa638b40.sys [03/01/2012 2:59 PM 29904]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [30/12/2011 6:04 PM 652872]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [03/03/2009 7:03 PM 38912]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [30/12/2011 6:04 PM 20464]
S1 MpKslf8a56467;MpKslf8a56467;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BB466914-1A51-4218-917B-60C37BAAA4C2}\MpKslf8a56467.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BB466914-1A51-4218-917B-60C37BAAA4C2}\MpKslf8a56467.sys [?]
S2 RS_Service;Raw Socket Service;c:\program files\Acer\Acer VCM\RS_Service.exe [11/03/2009 10:32 PM 237568]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [11/03/2009 9:56 PM 1684736]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [11/03/2009 9:54 PM 162816]
S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSLED65C39F
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a0c88e2e-a71d-11de-8538-00235af2cbb4}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0909&m=aspire_one
uInternet Connection Wizard,ShellNext = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0909&m=aspire_one
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Maggie Kissling\Application Data\Mozilla\Firefox\Profiles\mmgo6tv7.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - prefs.js: keyword.URL - hxxp://ca.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_ca&p=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: United States English Spellchecker: en-US@dictionaries.addons.mozilla.org - %profile%\extensions\en-US@dictionaries.addons.mozilla.org
FF - user.js: extensions.BabylonToolbar_i.id - 58b67db500000000000000235af2cbb4
FF - user.js: extensions.BabylonToolbar_i.hardId - 58b67db500000000000000235af2cbb4
FF - user.js: extensions.BabylonToolbar_i.instlDay - 15318
FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1722:53
FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar_i.tlbrId - base
FF - user.js: extensions.BabylonToolbar_i.newTab - false
FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=17167
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar_i.instlRef - sst
.
.
------- File Associations -------
.
.cmd=REG_SZ
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-03 15:21
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\windows\$NtUninstallKB32515$:SummaryInformation 0 bytes hidden from API
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(764)
c:\windows\system32\mswsock.dll
mswsock.dll 71a50000 258048 \\.\globalroot\systemroot\system32\mswsock.dll
c:\windows\system32\WININET.dll
.
Completion time: 2012-01-03 15:24:34
ComboFix-quarantined-files.txt 2012-01-03 23:24
.
Pre-Run: 125,078,642,688 bytes free
Post-Run: 126,058,856,448 bytes free
.
- - End Of File - - EDE11896E261F80BF1C06BDD44EDBF5E


here is updated one
ComboFix 12-01-03.07 - Maggie Kissling 03/01/2012 15:50:28.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.703 [GMT -8:00]
Running from: D:\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
FW: ZoneAlarm Pro Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Maggie Kissling\g2mdlhlpx.exe
c:\documents and settings\Maggie Kissling\Recent\Thumbs.db
c:\windows\$NtUninstallKB32515$\2340156536\@
c:\windows\$NtUninstallKB32515$\2340156536\bckfg.tmp
c:\windows\$NtUninstallKB32515$\2340156536\cfg.ini
c:\windows\$NtUninstallKB32515$\2340156536\Desktop.ini
c:\windows\$NtUninstallKB32515$\2340156536\keywords
c:\windows\$NtUninstallKB32515$\2340156536\kwrd.dll
c:\windows\$NtUninstallKB32515$\2340156536\L\piigjsop
c:\windows\$NtUninstallKB32515$\2340156536\U\00000001.@
c:\windows\$NtUninstallKB32515$\2340156536\U\00000002.@
c:\windows\$NtUninstallKB32515$\2340156536\U\00000004.@
c:\windows\$NtUninstallKB32515$\2340156536\U\80000000.@
c:\windows\$NtUninstallKB32515$\2340156536\U\80000004.@
c:\windows\$NtUninstallKB32515$\2340156536\U\80000032.@
c:\windows\$NtUninstallKB32515$\2419666304
c:\windows\$NtUninstallKB32515$ . . . . Failed to delete
.
.
((((((((((((((((((((((((( Files Created from 2011-12-04 to 2012-01-04 )))))))))))))))))))))))))))))))
.
.
2012-01-04 00:00 . 2012-01-04 00:00 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{FC13C0AE-E10E-4261-8CE2-4D0CC92DFEAB}\offreg.dll
2012-01-03 23:29 . 2012-01-03 23:29 29904 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{FC13C0AE-E10E-4261-8CE2-4D0CC92DFEAB}\MpKsl6d806ff2.sys
2012-01-03 23:29 . 2011-11-21 10:47 6823496 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{FC13C0AE-E10E-4261-8CE2-4D0CC92DFEAB}\mpengine.dll
2012-01-03 04:36 . 2012-01-03 04:36 -------- d-----w- c:\program files\ESET
2011-12-31 07:30 . 2009-10-17 09:39 103816 ----a-w- c:\windows\system32\zlcommdb.dll
2011-12-31 07:30 . 2009-10-17 09:39 69000 ----a-w- c:\windows\system32\zlcomm.dll
2011-12-31 07:30 . 2009-10-17 09:39 1238408 ----a-w- c:\windows\system32\zpeng25.dll
2011-12-31 07:30 . 2011-12-31 07:31 -------- d-----w- c:\windows\system32\ZoneLabs
2011-12-31 07:30 . 2011-12-31 07:30 -------- d-----w- c:\program files\Zone Labs
2011-12-31 07:28 . 2012-01-04 00:05 -------- d-----w- c:\windows\Internet Logs
2011-12-31 05:08 . 2011-12-31 05:22 -------- d-----w- c:\program files\RegCleaner
2011-12-31 04:25 . 2011-12-31 04:25 -------- d-----w- c:\documents and settings\Maggie Kissling\Local Settings\Application Data\PCHealth
2011-12-31 02:04 . 2011-12-10 23:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-31 02:04 . 2011-12-31 02:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-31 01:11 . 2011-12-31 01:11 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2011-12-25 22:49 . 2011-12-25 22:49 388096 ----a-r- c:\documents and settings\Maggie Kissling\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-12-25 22:49 . 2011-12-25 22:49 -------- d-----w- c:\program files\Trend Micro
2011-12-25 22:47 . 2011-12-25 22:47 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-12-25 04:17 . 2011-12-25 04:17 22032 ----a-w- c:\windows\DCEBoot.exe
2011-12-25 04:16 . 2011-12-25 04:17 102400 ----a-w- c:\windows\RegBootClean.exe
2011-12-10 06:53 . 2011-12-10 06:53 236 ----a-w- C:\user.js
2011-12-10 06:53 . 2011-12-10 06:53 -------- d-----w- c:\documents and settings\Maggie Kissling\Local Settings\Application Data\Babylon
2011-12-10 06:53 . 2011-12-10 06:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Babylon
2011-12-10 06:53 . 2011-12-10 06:53 -------- d-----w- c:\documents and settings\Maggie Kissling\Application Data\Babylon
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-23 13:25 . 2009-03-11 12:53 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-21 10:47 . 2011-05-24 18:57 6823496 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-11-04 19:20 . 2009-03-11 12:53 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2009-03-11 12:53 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2009-03-11 12:53 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2009-03-11 12:53 385024 ----a-w- c:\windows\system32\html.iec
2011-11-01 16:07 . 2009-03-11 12:53 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2009-03-11 12:52 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37 . 2008-04-14 00:54 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52 . 2008-04-14 00:01 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-18 11:13 . 2009-03-11 12:53 186880 ----a-w- c:\windows\system32\encdec.dll
2011-10-10 14:22 . 2009-03-12 05:06 692736 ----a-w- c:\windows\system32\inetcomm.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-01-03_23.21.43 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-01-04 00:00 . 2012-01-04 00:00 16384 c:\windows\Temp\Perflib_Perfdata_174.dat
+ 2009-03-11 12:53 . 2012-01-04 00:05 69200 c:\windows\system32\perfc009.dat
- 2009-03-11 12:53 . 2012-01-03 23:11 69200 c:\windows\system32\perfc009.dat
+ 2009-03-11 12:53 . 2012-01-04 00:05 435064 c:\windows\system32\perfh009.dat
- 2009-03-11 12:53 . 2012-01-03 23:11 435064 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-25 460872]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-10-17 1037192]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AzMixerSel]
2006-01-25 10:45 53248 ----a-w- c:\program files\Realtek\Audio\Drivers\AzMixerSel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2008-02-28 01:00 166424 ----a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2010-03-12 20:08 49208 ----a-w- c:\program files\HP\HP Software Update\hpwuschd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2008-04-16 00:54 178712 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2008-02-28 01:00 141848 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2008-04-14 12:00 208952 ----a-w- c:\windows\ime\imjp8_1\imjpmig.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]
2008-12-30 07:09 875016 ----a-w- c:\progra~1\LAUNCH~1\LManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSC]
2011-06-15 22:16 997920 ----a-w- c:\program files\Microsoft Security Client\msseces.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
2008-04-14 12:00 59392 ----a-w- c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
2008-04-14 12:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
2008-04-14 12:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PLFSetL]
2008-07-03 22:58 94208 ----a-w- c:\windows\PLFSetL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\snp2uvc]
2009-02-17 01:32 196608 ----a-w- c:\windows\system32\csnp2uvc.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-09-03 23:06 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2009-02-05 10:32 1430824 ------w- c:\program files\Synaptics\SynTP\SynTPEnh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"mnmsrvc"=3 (0x3)
"Fax"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
.
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [30/12/2011 6:04 PM 652872]
R2 RS_Service;Raw Socket Service;c:\program files\Acer\Acer VCM\RS_Service.exe [11/03/2009 10:32 PM 237568]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [03/03/2009 7:03 PM 38912]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [30/12/2011 6:04 PM 20464]
S1 MpKslf879d33e;MpKslf879d33e;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BB466914-1A51-4218-917B-60C37BAAA4C2}\MpKslf879d33e.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BB466914-1A51-4218-917B-60C37BAAA4C2}\MpKslf879d33e.sys [?]
S1 MpKslf8a56467;MpKslf8a56467;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BB466914-1A51-4218-917B-60C37BAAA4C2}\MpKslf8a56467.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BB466914-1A51-4218-917B-60C37BAAA4C2}\MpKslf8a56467.sys [?]
S1 MpKslfa638b40;MpKslfa638b40;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BB466914-1A51-4218-917B-60C37BAAA4C2}\MpKslfa638b40.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BB466914-1A51-4218-917B-60C37BAAA4C2}\MpKslfa638b40.sys [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [11/03/2009 9:56 PM 1684736]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [11/03/2009 9:54 PM 162816]
S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0909&m=aspire_one
uInternet Connection Wizard,ShellNext = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0909&m=aspire_one
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Maggie Kissling\Application Data\Mozilla\Firefox\Profiles\mmgo6tv7.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - prefs.js: keyword.URL - hxxp://ca.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_ca&p=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: United States English Spellchecker: en-US@dictionaries.addons.mozilla.org - %profile%\extensions\en-US@dictionaries.addons.mozilla.org
FF - user.js: extensions.BabylonToolbar_i.id - 58b67db500000000000000235af2cbb4
FF - user.js: extensions.BabylonToolbar_i.hardId - 58b67db500000000000000235af2cbb4
FF - user.js: extensions.BabylonToolbar_i.instlDay - 15318
FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1722:53
FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar_i.tlbrId - base
FF - user.js: extensions.BabylonToolbar_i.newTab - false
FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=17167
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar_i.instlRef - sst
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-03 16:03
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2076)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2012-01-03 16:07:45 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-04 00:07
ComboFix2.txt 2012-01-03 23:24
.
Pre-Run: 126,149,193,728 bytes free
Post-Run: 126,141,542,400 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 6503EFD0F8B8CC818AA80D7B7E531FBA

And ComboFix broke my net connection. Working on that now.


It'll do that when you have a rootkit in the TCP/IP stack. Combofix also deleted some legit Acer files - they don't look terribly important (except for perhaps the English language one), but I can't be certain.

-- To get back online, you'll need a flash drive to transfer programs to and from the ill computer.
I will try to help you fix this, but I am really busy with work these days and don't have a lot of forum time.

I am sorry we didn't have a qualified volunteer available to assist you. It is not a good idea to run a powerful tool such as combofix without the assistance of someone familiar with its usage because they are not going to be around to get you out of trouble.
Another example of why this should not be an open forum, I suppose.

Anyhoo, please do the following:

-- Please download and run Farbar Service Scanner
-- Check ALL the boxes and hit scan. It should produce a log. Please post the FSS.txt for me.

-- Also, on the ill machine, please open a command prompt (Start > Run > type CMD and press ENTER).
Then type the command below and hit ENTER:
dir /a /s "C:\Qoobox\Quarantine\" >> C:\PEEK.txt
Please post the C:\PEEK.txt

Note the spaces:
dir <space>/a<space>/s<space> "C:\Qoobox\Quarantine\" <space>>> <space>C:\PEEK.txt

I will check back as time permits.

Cheers :)
PP

OK, ran the FSS and the first thing that happened was a Microsoft Security window came up notifying me of a Win32/Sirefef.N virus in one of the system32 drivers.

Log as follows:
Farbar Service Scanner 
Ran by Maggie Kissling (administrator) on 03-01-2012 at 22:38:34
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error: Google IP is unreachable
Attempt to access Yahoo IP returend error: Yahoo IP is unreachable


Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is OK.
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.


Firewall Disabled Policy: 
==================


System Restore:
============

System Restore Disabled Policy: 
========================


Security Center:
============

Windows Update:
===========
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv: "C:\WINDOWS\system32\wuauserv.dll".

BITS Service is not running. Checking service configuration:
The start type of BITS service is set to Demand. The default start type is Auto.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys
[2009-03-11 04:52] - [2011-08-17 05:49] - 0138496 ____A () D41D8CD98F00B204E9800998ECF8427E

C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
fssfltr(9) Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3) 
0x0B0000000400000001000000020000000300000008000000560000005A00000005000000060000000700000009000000
IpSec Tag value is correct.

**** End of log ****


PEEK.txt
 Volume in drive C is ACER
 Volume Serial Number is 58B6-7DB5

 Directory of C:\Qoobox\Quarantine

03/01/2012  03:18 PM    <DIR>          .
03/01/2012  03:18 PM    <DIR>          ..
03/01/2012  03:18 PM    <DIR>          C
03/01/2012  03:58 PM               918 catchme.log
03/01/2012  04:06 PM    <DIR>          Registry_backups
03/01/2012  03:18 PM    <DIR>          Replicators
               1 File(s)            918 bytes

 Directory of C:\Qoobox\Quarantine\C

03/01/2012  03:18 PM    <DIR>          .
03/01/2012  03:18 PM    <DIR>          ..
03/01/2012  03:57 PM    <DIR>          Documents and Settings
03/01/2012  03:40 PM    <DIR>          WINDOWS
               0 File(s)              0 bytes

 Directory of C:\Qoobox\Quarantine\C\Documents and Settings

03/01/2012  03:57 PM    <DIR>          .
03/01/2012  03:57 PM    <DIR>          ..
03/01/2012  03:18 PM    <DIR>          All Users
03/01/2012  03:57 PM    <DIR>          Maggie Kissling
               0 File(s)              0 bytes

 Directory of C:\Qoobox\Quarantine\C\Documents and Settings\All Users

03/01/2012  03:18 PM    <DIR>          .
03/01/2012  03:18 PM    <DIR>          ..
03/01/2012  03:18 PM    <DIR>          Application Data
               0 File(s)              0 bytes

 Directory of C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data

03/01/2012  03:18 PM    <DIR>          .
03/01/2012  03:18 PM    <DIR>          ..
03/01/2012  03:18 PM    <DIR>          Tarma Installer
               0 File(s)              0 bytes

 Directory of C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Tarma Installer

03/01/2012  03:18 PM    <DIR>          .
03/01/2012  03:18 PM    <DIR>          ..
03/01/2012  03:18 PM    <DIR>          {DE3B7BF9-0770-4104-BC0B-B1CCCCE2F053}
               0 File(s)              0 bytes

 Directory of C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Tarma Installer\{DE3B7BF9-0770-4104-BC0B-B1CCCCE2F053}

03/01/2012  03:18 PM    <DIR>          .
03/01/2012  03:18 PM    <DIR>          ..
09/12/2011  10:53 PM           102,020 Setup.dat.vir
09/08/2011  02:53 AM           228,496 Setup.exe.vir
18/11/2009  10:12 PM             4,846 Setup.ico.vir
17/11/2011  05:37 PM         2,419,712 _Setup.dll.vir
               4 File(s)      2,755,074 bytes

 Directory of C:\Qoobox\Quarantine\C\Documents and Settings\Maggie Kissling

03/01/2012  03:57 PM    <DIR>          .
03/01/2012  03:57 PM    <DIR>          ..
15/07/2010  03:53 PM            72,080 g2mdlhlpx.exe.vir
03/01/2012  03:57 PM    <DIR>          Recent
               1 File(s)         72,080 bytes

 Directory of C:\Qoobox\Quarantine\C\Documents and Settings\Maggie Kissling\Recent

03/01/2012  03:57 PM    <DIR>          .
03/01/2012  03:57 PM    <DIR>          ..
28/06/2010  09:52 AM           160,768 Thumbs.db.vir
               1 File(s)        160,768 bytes

 Directory of C:\Qoobox\Quarantine\C\WINDOWS

03/01/2012  03:40 PM    <DIR>          .
03/01/2012  03:40 PM    <DIR>          ..
03/01/2012  03:57 PM    <DIR>          $NtUninstallKB32515$
03/01/2012  03:18 PM    <DIR>          system32
               0 File(s)              0 bytes

 Directory of C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB32515$

03/01/2012  03:57 PM    <DIR>          .
03/01/2012  03:57 PM    <DIR>          ..
03/01/2012  03:57 PM    <DIR>          2340156536
03/01/2012  03:57 PM               222 _2419666304_.zip
               1 File(s)            222 bytes

 Directory of C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB32515$\2340156536

03/01/2012  03:57 PM    <DIR>          .
03/01/2012  03:57 PM    <DIR>          ..
16/12/2011  05:59 PM             2,048 @.vir
03/01/2012  03:36 PM               863 bckfg.tmp.vir
03/01/2012  03:42 PM                61 cfg.ini.vir
03/01/2012  03:33 PM             4,608 Desktop.ini.vir
31/12/2011  04:04 PM               146 keywords.vir
03/01/2012  03:33 PM           223,744 kwrd.dll.vir
03/01/2012  03:40 PM    <DIR>          L
03/01/2012  03:40 PM    <DIR>          U
               6 File(s)        231,470 bytes

 Directory of C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB32515$\2340156536\L

03/01/2012  03:40 PM    <DIR>          .
03/01/2012  03:40 PM    <DIR>          ..
16/12/2011  05:59 PM           138,496 piigjsop.vir
               1 File(s)        138,496 bytes

 Directory of C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB32515$\2340156536\U

03/01/2012  03:40 PM    <DIR>          .
03/01/2012  03:40 PM    <DIR>          ..
02/01/2012  03:33 PM             2,048 00000001.@.vir
24/12/2011  08:12 PM           224,768 00000002.@.vir
24/12/2011  08:12 PM             1,024 00000004.@.vir
31/12/2011  04:12 PM            11,264 80000000.@.vir
24/12/2011  08:12 PM            12,800 80000004.@.vir
30/12/2011  03:40 PM            77,312 80000032.@.vir
               6 File(s)        329,216 bytes

 Directory of C:\Qoobox\Quarantine\C\WINDOWS\system32

03/01/2012  03:18 PM    <DIR>          .
03/01/2012  03:18 PM    <DIR>          ..
25/12/2011  03:02 PM            23,040 Thumbs.db.vir
               1 File(s)         23,040 bytes

 Directory of C:\Qoobox\Quarantine\Registry_backups

03/01/2012  04:06 PM    <DIR>          .
03/01/2012  04:06 PM    <DIR>          ..
03/01/2012  03:55 PM             7,366 tcpip.reg
03/01/2012  03:22 PM               171 WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829}.reg.dat
               2 File(s)          7,537 bytes

 Directory of C:\Qoobox\Quarantine\Replicators

03/01/2012  03:18 PM    <DIR>          .
03/01/2012  03:18 PM    <DIR>          ..
12/06/2008  02:33 AM           126,976 182D4375A5019E69CFE59E6AE6B5C696
               1 File(s)        126,976 bytes

     Total Files Listed:
              25 File(s)      3,845,797 bytes
              50 Dir(s)  126,172,004,352 bytes free
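The "Extra List" block at the end of the FSS log above is the part worth knowing how to read. The first line is each TDI driver's service Tag, and the hex string is the load-order list for that group, stored as a DWORD count followed by that many little-endian DWORD tags (the REG_BINARY layout of a GroupOrderList value). The script below is an added example for this thread, not part of Farbar Service Scanner and not from any post here: it decodes the blob copied from this log and checks that every listed tag appears in it exactly once, which is the check FSS summarises as "IpSec Tag value is correct". That the hex line is the PNP_TDI GroupOrderList is an assumption, since FSS does not label it.

```python
"""Decode the GroupOrderList blob printed under "Extra List" by Farbar
Service Scanner and check each TDI driver's service Tag against it.

Added example for this thread; not part of FSS and not from any post here.
The two sample lines are copied from the FSS log above. Treating the hex
line as the PNP_TDI GroupOrderList value is an assumption; the layout used
here (a DWORD count followed by DWORD tags) is the format of such values.
"""
import re
import struct

# Constructed sample: the "Extra List" section of the FSS log in this thread.
FSS_EXTRA_LIST = """fssfltr(9) Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3)
0x0B0000000400000001000000020000000300000008000000560000005A00000005000000060000000700000009000000"""


def parse_service_tags(line):
    """'fssfltr(9) Gpc(6) ...' -> {'fssfltr': 9, 'Gpc': 6, ...}"""
    return {name: int(tag) for name, tag in re.findall(r"(\w+)\((\d+)\)", line)}


def decode_group_order_list(hexblob):
    """Return the list of tags in a GroupOrderList blob given as hex (with or
    without a 0x prefix). Raises ValueError if the blob is not whole DWORDs
    or if the leading count disagrees with the number of tags that follow."""
    if hexblob.lower().startswith("0x"):
        hexblob = hexblob[2:]
    raw = bytes.fromhex(hexblob)
    if len(raw) < 4 or len(raw) % 4:
        raise ValueError("blob is not a whole number of DWORDs")
    count = struct.unpack_from("<I", raw, 0)[0]
    if len(raw) != 4 + 4 * count:
        raise ValueError("count %d but %d tags follow" % (count, (len(raw) - 4) // 4))
    return list(struct.unpack_from("<%dI" % count, raw, 4))


def encode_group_order_list(tags):
    """Inverse of decode_group_order_list; useful for building test blobs."""
    return "0x" + struct.pack("<I", len(tags)).hex() + struct.pack("<%dI" % len(tags), *tags).hex()


def check_tdi_tags(extra_list_text):
    """Return (missing, duplicated): names of services whose Tag is absent
    from the order list, and tag values that occur more than once. Both lists
    empty means the ordering includes every TDI driver exactly once."""
    lines = [l.strip() for l in extra_list_text.strip().splitlines() if l.strip()]
    services = parse_service_tags(lines[0])
    order = decode_group_order_list(lines[1])
    missing = sorted(name for name, tag in services.items() if tag not in order)
    duplicated = sorted(tag for tag in set(order) if order.count(tag) > 1)
    return missing, duplicated


if __name__ == "__main__":
    print("tags in load order:", decode_group_order_list(FSS_EXTRA_LIST.splitlines()[1]))
    print("missing, duplicated:", check_tdi_tags(FSS_EXTRA_LIST))
```

On this log the decoded order is 4, 1, 2, 3, 8, 86, 90, 5, 6, 7, 9 and nothing is missing or duplicated, which matches what FSS reported; a missing Tcpip or IPSec tag, or a count that does not match the blob length, is what you would expect to see when this value has been edited.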


Right. That's your variant of the ZeroAccess rootkit.
It looks like afd.sys is infected.

-- Usually this type of infection is a pretty high security risk. If you do online banking or financial transactions, you should change any passwords for those accounts using a clean computer.
If you can afford to lose the data on your machine, a reformat is the only way to assure yourself that the machine is 100% clean.
Otherwise, we can try to get it back online and finish cleaning it as best as possible.


Trouble is, the rest of the log looks OK. Usually that is good news - not this time because it means that the connection issues are probably going to be much more difficult to sort out. We will likely need a lot of trial and error testing to isolate the problem.

**Please run Farbar Service Scanner again and, in the box, type afd.sys and then hit Search Files and post that for me.

I will check back as time permits.

PP:)

OK, talked to the owner of the comp and discussed it with her. She doesn't have any of the old CDs or install files for the comp, so I'm going to have to try to repair it. Many thanks for all your help, by the way. Learning a lot about rootkit-style viruses now... unfortunately.

FSS log
Farbar Service Scanner
Ran by Maggie Kissling (administrator) on 04-01-2012 at 21:43:19
Microsoft Windows XP Service Pack 3 (X86)

************************************************
================== Search: "afd.sys" ===================

C:\WINDOWS\system32\dllcache\afd.sys
[2009-03-11 04:52] - [2011-08-17 05:49] - 0138496 ___AC (Microsoft Corporation) 1E44BC1E83D8FD2305F8D452DB109CF9

C:\WINDOWS\$NtUninstallKB956803$\afd.sys
[2009-09-03 05:51] - [2008-06-20 03:40] - 0138496 ____C (Microsoft Corporation) E3049B90FE06F3F740B7CFDA44995E2C

C:\WINDOWS\$NtUninstallKB951748$\afd.sys
[2009-09-03 05:51] - [2008-04-14 04:00] - 0138112 ____C (Microsoft Corporation) 322D0E36693D6E24A2398BEE62A268CD

C:\WINDOWS\$NtUninstallKB2592799$\afd.sys
[2011-10-12 16:01] - [2011-02-16 05:22] - 0138496 ____C (Microsoft Corporation) 355556D9E580915118CD7EF736653A89

C:\WINDOWS\$NtUninstallKB2509553$\afd.sys
[2011-04-13 16:59] - [2008-08-14 02:04] - 0138496 ____C (Microsoft Corporation) 7E775010EF291DA96AD17CA4B17137D7

C:\WINDOWS\$NtUninstallKB2503665$\afd.sys
[2011-06-16 16:59] - [2008-10-16 06:43] - 0138496 ____C (Microsoft Corporation) 7618D5218F2A614672EC61A80D854A37

C:\WINDOWS\$hf_mig$\KB956803\SP3QFE\afd.sys
[2009-09-03 05:41] - [2008-08-14 02:34] - 0138496 ____A (Microsoft Corporation) 4D43E74F2A1239D53929B82600F1971C

C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\afd.sys
[2008-06-20 03:48] - [2008-06-20 03:48] - 0138496 ____A (Microsoft Corporation) D6EE6014241D034E63C49A50CB2B442A

C:\WINDOWS\$hf_mig$\KB2592799\SP3QFE\afd.sys
[2011-10-12 15:40] - [2011-08-17 05:41] - 0138496 ____A (Microsoft Corporation) F6B7B1ECD7B41736BDB6FF4B092BCB79

C:\WINDOWS\$hf_mig$\KB2509553\SP3QFE\afd.sys
[2008-10-16 07:07] - [2008-10-16 07:07] - 0138496 ____A (Microsoft Corporation) 38D7B715504DA4741DF35E3594FE2099

C:\WINDOWS\$hf_mig$\KB2503665\SP3QFE\afd.sys
[2011-06-15 20:55] - [2011-02-16 05:25] - 0138496 ____A (Microsoft Corporation) 8D499B1276012EB907E7A9E0F4D8FDA4

====== End Of Search ======
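Two details in the FSS logs above are what the "afd.sys is infected" call rests on: the live C:\WINDOWS\system32\Drivers\afd.sys reports an empty company name and MD5 D41D8CD98F00B204E9800998ECF8427E, which is the MD5 of zero bytes, while its size is 138496. A hash of nothing on a non-empty file means the scanner's read returned no data, so that value is not evidence about the file's contents at all. The script below is an added example, not part of Farbar Service Scanner and not the helper's procedure: it parses FSS file entries of this form, flags that condition, and lists the other copies from the Search output that hash normally and match the live file's size. The sample entries are copied from the logs above; which copy, if any, to restore is a separate decision.

```python
"""Parse the per-file entries Farbar Service Scanner prints in its "File
Check" and "Search" output and flag a file whose reported MD5 is the hash
of zero bytes.

Added example for this thread; not part of FSS and not the helper's method.
The entries below are copied from the two FSS logs above.
"""
import hashlib
import re

# MD5 of an empty input. A non-empty file "hashing" to this means the scanner
# read no bytes from it, so the value says nothing about its contents.
EMPTY_MD5 = hashlib.md5(b"").hexdigest().upper()

# Constructed sample: the live driver from the first FSS log, then three of
# the copies the second log's Search Files found.
FSS_ENTRIES = r"""
C:\WINDOWS\system32\Drivers\afd.sys
[2009-03-11 04:52] - [2011-08-17 05:49] - 0138496 ____A () D41D8CD98F00B204E9800998ECF8427E

C:\WINDOWS\system32\dllcache\afd.sys
[2009-03-11 04:52] - [2011-08-17 05:49] - 0138496 ___AC (Microsoft Corporation) 1E44BC1E83D8FD2305F8D452DB109CF9

C:\WINDOWS\$NtUninstallKB2592799$\afd.sys
[2011-10-12 16:01] - [2011-02-16 05:22] - 0138496 ____C (Microsoft Corporation) 355556D9E580915118CD7EF736653A89

C:\WINDOWS\$hf_mig$\KB2592799\SP3QFE\afd.sys
[2011-10-12 15:40] - [2011-08-17 05:41] - 0138496 ____A (Microsoft Corporation) F6B7B1ECD7B41736BDB6FF4B092BCB79
"""

# "[created] - [modified] - size attrs (company) md5"
DETAIL_RE = re.compile(
    r"\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - (?P<size>\d+) "
    r"(?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$"
)


def parse_fss_entries(text):
    """Return a list of dicts, one per path line followed by a detail line."""
    lines = [l.strip() for l in text.splitlines()]
    entries = []
    for path, detail in zip(lines, lines[1:]):
        m = DETAIL_RE.match(detail)
        if path and not path.startswith("[") and m:
            entry = m.groupdict()
            entry["path"] = path
            entry["size"] = int(entry["size"])
            entry["md5"] = entry["md5"].upper()
            entries.append(entry)
    return entries


def unreadable(entry):
    """True for a non-empty file whose MD5 is the hash of nothing."""
    return entry["size"] > 0 and entry["md5"] == EMPTY_MD5


def live_copy(entries, name):
    """The entry for `name` under system32\\Drivers, or None."""
    for e in entries:
        if e["path"].lower().endswith("\\system32\\drivers\\" + name.lower()):
            return e
    return None


def replacement_candidates(entries, name):
    """If the live copy of `name` is unreadable, return the other copies that
    hash normally and match its size, newest modification first. Returns an
    empty list when there is no live copy or it hashed normally."""
    live = live_copy(entries, name)
    if live is None or not unreadable(live):
        return []
    others = [
        e for e in entries
        if e is not live
        and e["path"].lower().endswith("\\" + name.lower())
        and not unreadable(e)
        and e["size"] == live["size"]
    ]
    return sorted(others, key=lambda e: e["modified"], reverse=True)


if __name__ == "__main__":
    found = parse_fss_entries(FSS_ENTRIES)
    for e in found:
        print(("UNREADABLE " if unreadable(e) else "ok         ") + e["path"])
    for e in replacement_candidates(found, "afd.sys"):
        print("candidate:", e["path"], e["modified"], e["md5"])
```

The size match is deliberately loose: the copies under $hf_mig$ are SP3QFE (hotfix-branch) builds and the $NtUninstallKB...$ ones are the files each update replaced, so they are all the same size but carry different hashes. The dllcache copy is the one Windows File Protection itself keeps, which is why it sorts first here and why it is the copy worth comparing against whatever ends up in system32\Drivers after the repair.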


Happy to try to help!

Sorry for the delay - I fear this will be a bit of a drawn out process.
A lot of malware has killed internet connections over the years, but this new strain is the worst I've seen in the 8 years or so that I have been volunteering in forums. This one is particularly damaging to the TCP/IP stack and we may not be able to repair it.

Even as we proceed, you should probably get in touch with the computer manufacturer (OEM) and have them send you recovery disks. Or talk to Microsoft and get them. You should have a valid Product Key stuck on the compy somewhere and that should keep any costs to a minimum.


Let's try this first and hope we get lucky by throwing the kitchen sink at this:

-- Please download these and transfer them to the Desktop of ill computer:
1) The attached CFScript.txt

2) Option^Explicit's Winsock XP Fix

3) MiniToolBox


THEN:

Close ALL browser windows and then drag the CFScript.txt on the Desktop into ComboFix.exe just like this.

-- Let Combofix run and post the log in the next reply.

NEXT:
Open a command prompt (START > RUN > CMD) and enter the following one by one, hitting ENTER after each:

sc start dhcp
sc start netbt
sc start ipsec
sc start tcpip
sc start afd
netsh int ip reset C:\resetlog.txt
netsh winsock reset
ipconfig /release
ipconfig /renew
ipconfig /flushdns

Please type them EXACTLY as shown and mind the spaces or you'll get an error message.
For example, it is netsh<space>int<space>ip<space>reset<space>c:\resetlog.txt


THEN:
Run MiniToolBox and Check the Boxes for the following:

- Flush DNS
- Report IE Proxy Settings
- Reset IE Proxy Settings
- Report FF Proxy Settings
- Reset FF Proxy Settings
- List IP configuration
- List Winsock Entries
- List Devices select All
- List last 10 Event Viewer log

Hit GO and let it run. A log should pop up and also be saved to the Desktop. I'll need to see that.

REBOOT the computer and see if that fixes the connection issue.

Please post the requested logs and we'll go from there. I'd still like to see them, even if we get lucky with the above steps.

Cheers :)
PP
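The "List Winsock Entries" step above produces a Catalog5/Catalog9 listing, one provider DLL per line, and the point of asking for it after `netsh winsock reset` is to confirm that only the stock Microsoft providers remain. The script below, an added example rather than anything from this thread or from the MiniToolBox author, parses that listing and flags any provider that is not one of the default XP DLLs, carries a non-Microsoft vendor string, or loads from outside System32. The sample log is constructed; the entry named example_lsp.dll is a placeholder inserted to show what a flagged line looks like, not a file from the infected machine.

```python
import re
from dataclasses import dataclass

# One MiniToolBox Winsock line, e.g.
# "Catalog9 03 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)"
LINE_RE = re.compile(
    r"^(?P<catalog>Catalog[59])\s+(?P<index>\d+)\s+(?P<path>.+?)\s+"
    r"\[(?P<size>\d+)\]\s+\((?P<vendor>[^)]*)\)\s*$"
)

# Stock Windows XP SP3 providers: Catalog5 holds namespace providers,
# Catalog9 holds transport and layered service providers.
DEFAULT_PROVIDERS = {"mswsock.dll", "winrnr.dll", "rsvpsp.dll"}


@dataclass
class WinsockEntry:
    catalog: str
    index: int
    path: str
    size: int
    vendor: str


def parse_winsock(text):
    """Extract WinsockEntry objects from the 'Winsock entries' section of a MiniToolBox log."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(WinsockEntry(m["catalog"], int(m["index"]), m["path"],
                                        int(m["size"]), m["vendor"]))
    return entries


def suspicious_entries(entries):
    """Return (entry, reason) pairs for anything that is not a stock provider."""
    findings = []
    for e in entries:
        name = e.path.rsplit("\\", 1)[-1].lower()
        if name not in DEFAULT_PROVIDERS:
            findings.append((e, "non-default provider DLL"))
        elif "microsoft" not in e.vendor.lower():
            findings.append((e, "default DLL name but non-Microsoft vendor string"))
        elif "\\system32\\" not in e.path.lower():
            findings.append((e, "provider loaded from outside System32"))
    return findings


# Constructed sample in MiniToolBox's format; the Catalog9 02 line is a placeholder.
SAMPLE = r"""
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog5 02 C:\Windows\System32\winrnr.dll [16896] (Microsoft Corporation)
Catalog5 03 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 01 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 02 C:\Windows\system32\example_lsp.dll [61440] (Unknown)
Catalog9 03 C:\Windows\system32\rsvpsp.dll [92672] (Microsoft Corporation)
"""

if __name__ == "__main__":
    for entry, reason in suspicious_entries(parse_winsock(SAMPLE)):
        print(f"{entry.catalog} {entry.index:02d} {entry.path}: {reason}")
```

A listing made up entirely of mswsock.dll, winrnr.dll and rsvpsp.dll from System32 with Microsoft vendor strings is what a reset catalog looks like on XP; anything else the script prints is a provider that was chained into every socket call and deserves to be identified before the machine goes back online.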

Hello Phillie
Sorry for the delay. Started my own workweek and haven't had time to look at the comp in a bit. Should be able to get to this in the next day or so.

Possibly a dumb question but what is to stop me from simply re-installing the MB network drivers from scratch?

No worries - I'm in the same boat, free time-wise.

-- Nothing is stopping you from reinstalling the drivers. Whether that will work, I couldn't tell you. I doubt it, due to the nature of this malware and the infected system drivers and registry changes.
Thing is, I've seen so many different variations on this infection that it makes my head spin. I don't have as much time as I used to to devote to keeping up to date on these baddies - these are so destructive that the repair processes are varied and difficult.

In some cases, removing and rebuilding TCP/IP is the only resort. Here is a good resource for that:
http://smokeys.wordpress.com/2008/07/20/how-to-recover-a-really-dead-windows-xp-sp2sp3-tcpip-stack/

-- Try the steps I posted and see if they help. Also, do try to get some restore disks. It is just a good idea to have them on hand - especially with all the rootkits we are seeing these days.

PP:)

Hello Phillie
Did as asked. Amusingly the first combofix script worked. However, it also shot back a few messages to me regarding rootkits. I ran it twice with much the same messages. Here is the first one to save space. I can post the second too if you would like. I then followed the remaining instructions as well anyway.

Combofix
ComboFix 12-01-10.02 - Maggie Kissling 11/01/2012  11:15:53.3.2 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1014.663 [GMT -8:00]
Running from: c:\documents and settings\Maggie Kissling\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Maggie Kissling\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Enabled/Outdated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
--------------- FCopy ---------------
.
c:\windows\system32\dllcache\afd.sys --> c:\windows\system32\Drivers\afd.sys
.
(((((((((((((((((((((((((   Files Created from 2011-12-11 to 2012-01-11  )))))))))))))))))))))))))))))))
.
.
2012-01-11 19:22 . 2012-01-11 19:22 29904   ----a-w-    c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A37B6658-4CDD-455B-B7F1-823BD13C7552}\MpKsl54b1dea6.sys
2012-01-11 19:22 . 2012-01-11 19:22 56200   ----a-w-    c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A37B6658-4CDD-455B-B7F1-823BD13C7552}\offreg.dll
2012-01-11 19:15 . 2011-08-17 13:49 138496  -c--a-w-    c:\windows\system32\dllcache\afd.sys
2012-01-11 19:15 . 2011-08-17 13:49 138496  ----a-w-    c:\windows\system32\drivers\afd.sys
2012-01-05 04:18 . 2012-01-05 04:28 --------    d-----w-    c:\documents and settings\Administrator
2012-01-04 01:17 . 2011-11-21 10:47 6823496 ----a-w-    c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A37B6658-4CDD-455B-B7F1-823BD13C7552}\mpengine.dll
2012-01-03 04:36 . 2012-01-03 04:36 --------    d-----w-    c:\program files\ESET
2011-12-31 05:08 . 2011-12-31 05:22 --------    d-----w-    c:\program files\RegCleaner
2011-12-31 04:25 . 2011-12-31 04:25 --------    d-----w-    c:\documents and settings\Maggie Kissling\Local Settings\Application Data\PCHealth
2011-12-31 02:04 . 2011-12-10 23:24 20464   ----a-w-    c:\windows\system32\drivers\mbam.sys
2011-12-31 02:04 . 2011-12-31 02:04 --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2011-12-31 01:11 . 2011-12-31 01:11 --------    d-----w-    c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2011-12-25 22:49 . 2011-12-25 22:49 388096  ----a-r-    c:\documents and settings\Maggie Kissling\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-12-25 22:49 . 2011-12-25 22:49 --------    d-----w-    c:\program files\Trend Micro
2011-12-25 22:47 . 2011-12-25 22:47 --------    d-sh--w-    c:\documents and settings\NetworkService\IETldCache
2011-12-25 04:17 . 2011-12-25 04:17 22032   ----a-w-    c:\windows\DCEBoot.exe
2011-12-25 04:16 . 2011-12-25 04:17 102400  ----a-w-    c:\windows\RegBootClean.exe
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-23 13:25 . 2009-03-11 12:53 1859584 ----a-w-    c:\windows\system32\win32k.sys
2011-11-21 10:47 . 2011-05-24 18:57 6823496 ----a-w-    c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-11-04 19:20 . 2009-03-11 12:53 916992  ----a-w-    c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2009-03-11 12:53 43520   ----a-w-    c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2009-03-11 12:53 1469440 ------w-    c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2009-03-11 12:53 385024  ----a-w-    c:\windows\system32\html.iec
2011-11-01 16:07 . 2009-03-11 12:53 1288704 ----a-w-    c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2009-03-11 12:52 33280   ----a-w-    c:\windows\system32\csrsrv.dll
2011-10-25 13:37 . 2008-04-14 00:54 2148864 ----a-w-    c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52 . 2008-04-14 00:01 2027008 ----a-w-    c:\windows\system32\ntkrnlpa.exe
2011-10-18 11:13 . 2009-03-11 12:53 186880  ----a-w-    c:\windows\system32\encdec.dll
.
.
(((((((((((((((((((((((((((((   SnapShot@2012-01-03_23.21.43   )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-01-11 19:22 . 2012-01-11 19:22   16384              c:\windows\Temp\Perflib_Perfdata_5f4.dat
+ 2009-03-11 12:53 . 2012-01-11 19:25   69200              c:\windows\system32\perfc009.dat
- 2009-03-11 12:53 . 2012-01-03 23:11   69200              c:\windows\system32\perfc009.dat
+ 2009-03-11 12:53 . 2012-01-11 19:25   435064              c:\windows\system32\perfh009.dat
- 2009-03-11 12:53 . 2012-01-03 23:11   435064              c:\windows\system32\perfh009.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-25 460872]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 18:37    932288  ----a-w-    c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04    35760   ----a-w-    c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AzMixerSel]
2006-01-25 10:45    53248   ----a-w-    c:\program files\Realtek\Audio\Drivers\AzMixerSel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 12:00    15360   ----a-w-    c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2008-02-28 01:00    166424  ----a-w-    c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2010-03-12 20:08    49208   ----a-w-    c:\program files\HP\HP Software Update\hpwuschd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2008-04-16 00:54    178712  ----a-w-    c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2008-02-28 01:00    141848  ----a-w-    c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2008-04-14 12:00    208952  ----a-w-    c:\windows\ime\imjp8_1\imjpmig.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]
2008-12-30 07:09    875016  ----a-w-    c:\progra~1\LAUNCH~1\LManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSC]
2011-06-15 22:16    997920  ----a-w-    c:\program files\Microsoft Security Client\msseces.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
2008-04-14 12:00    59392   ----a-w-    c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
2008-04-14 12:00    455168  ----a-w-    c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
2008-04-14 12:00    455168  ----a-w-    c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PLFSetL]
2008-07-03 22:58    94208   ----a-w-    c:\windows\PLFSetL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\snp2uvc]
2009-02-17 01:32    196608  ----a-w-    c:\windows\system32\csnp2uvc.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-09-03 23:06    149280  ----a-w-    c:\program files\Java\jre6\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2009-02-05 10:32    1430824 ------w-    c:\program files\Synaptics\SynTP\SynTPEnh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"mnmsrvc"=3 (0x3)
"Fax"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
.
R1 MpKsl54b1dea6;MpKsl54b1dea6;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{A37B6658-4CDD-455B-B7F1-823BD13C7552}\MpKsl54b1dea6.sys [11/01/2012 11:22 AM 29904]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [30/12/2011 6:04 PM 652872]
R2 RS_Service;Raw Socket Service;c:\program files\Acer\Acer VCM\RS_Service.exe [11/03/2009 10:32 PM 237568]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [03/03/2009 7:03 PM 38912]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [30/12/2011 6:04 PM 20464]
S1 MpKslf879d33e;MpKslf879d33e;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BB466914-1A51-4218-917B-60C37BAAA4C2}\MpKslf879d33e.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BB466914-1A51-4218-917B-60C37BAAA4C2}\MpKslf879d33e.sys [?]
S1 MpKslf8a56467;MpKslf8a56467;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BB466914-1A51-4218-917B-60C37BAAA4C2}\MpKslf8a56467.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BB466914-1A51-4218-917B-60C37BAAA4C2}\MpKslf8a56467.sys [?]
S1 MpKslfa638b40;MpKslfa638b40;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BB466914-1A51-4218-917B-60C37BAAA4C2}\MpKslfa638b40.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BB466914-1A51-4218-917B-60C37BAAA4C2}\MpKslfa638b40.sys [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [11/03/2009 9:56 PM 1684736]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [11/03/2009 9:54 PM 162816]
S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL54B1DEA6
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0909&m=aspire_one
uInternet Connection Wizard,ShellNext = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0909&m=aspire_one
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Maggie Kissling\Application Data\Mozilla\Firefox\Profiles\mmgo6tv7.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - prefs.js: keyword.URL - hxxp://ca.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_ca&p=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: United States English Spellchecker: en-US@dictionaries.addons.mozilla.org - %profile%\extensions\en-US@dictionaries.addons.mozilla.org
FF - user.js: extensions.BabylonToolbar_i.id - 58b67db500000000000000235af2cbb4
FF - user.js: extensions.BabylonToolbar_i.hardId - 58b67db500000000000000235af2cbb4
FF - user.js: extensions.BabylonToolbar_i.instlDay - 15318
FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1722:53
FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
FF - user.js: extensions.BabylonToolbar_i.tlbrId - base
FF - user.js: extensions.BabylonToolbar_i.newTab - false
FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=17167
FF - user.js: extensions.BabylonToolbar_i.babExt - 
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar_i.instlRef - sst
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-ZoneAlarm Client - c:\program files\Zone Labs\ZoneAlarm\zlclient.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-11 11:23
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2840)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2012-01-11  11:28:39 - machine was rebooted
ComboFix-quarantined-files.txt  2012-01-11 19:28
ComboFix2.txt  2012-01-04 00:07
ComboFix3.txt  2012-01-03 23:24
.
Pre-Run: 126,057,979,904 bytes free
Post-Run: 126,121,066,496 bytes free
.
- - End Of File - - A4BEF0616D47DFB6F47857712034FADB


Minitoolbox
MiniToolBox by Farbar 
Ran by Maggie Kissling (administrator) on 11-01-2012 at 12:06:33
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================


Windows IP Configuration



Successfully flushed the DNS Resolver Cache.


========================= IE Proxy Settings: ============================== 

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= FF Proxy Settings: ============================== 


"Reset FF Proxy Settings": Firefox Proxy settings were reset.

========================= IP Configuration: ================================

Atheros AR5B95 Wireless Network Adapter = Wireless Network Connection (Connected)
Atheros AR8132 PCI-E Fast Ethernet Controller = Local Area Connection (Media disconnected)


# ---------------------------------- 
# Interface IP Configuration         
# ---------------------------------- 
pushd interface ip


# Interface IP Configuration for "Local Area Connection"

set address name="Local Area Connection" source=dhcp 
set dns name="Local Area Connection" source=dhcp register=PRIMARY
set wins name="Local Area Connection" source=dhcp

# Interface IP Configuration for "Wireless Network Connection"

set address name="Wireless Network Connection" source=dhcp 
set dns name="Wireless Network Connection" source=dhcp register=PRIMARY
set wins name="Wireless Network Connection" source=dhcp


popd
# End of interface IP configuration




Windows IP Configuration



        Host Name . . . . . . . . . . . . : acer-330bb84976

        Primary Dns Suffix  . . . . . . . : 

        Node Type . . . . . . . . . . . . : Broadcast

        IP Routing Enabled. . . . . . . . : No

        WINS Proxy Enabled. . . . . . . . : No



Ethernet adapter Local Area Connection:



        Media State . . . . . . . . . . . : Media disconnected

        Description . . . . . . . . . . . : Atheros AR8132 PCI-E Fast Ethernet Controller

        Physical Address. . . . . . . . . : 00-23-5A-F2-CB-B4



Ethernet adapter Wireless Network Connection:



        Connection-specific DNS Suffix  . : 

        Description . . . . . . . . . . . : Atheros AR5B95 Wireless Network Adapter

        Physical Address. . . . . . . . . : 00-26-5E-35-C9-FE

        Dhcp Enabled. . . . . . . . . . . : Yes

        Autoconfiguration Enabled . . . . : Yes

        IP Address. . . . . . . . . . . . : 192.168.1.70

        Subnet Mask . . . . . . . . . . . : 255.255.255.0

        Default Gateway . . . . . . . . . : 192.168.1.254

        DHCP Server . . . . . . . . . . . : 192.168.1.254

        DNS Servers . . . . . . . . . . . : 192.168.1.254

                                            75.153.176.9

        Lease Obtained. . . . . . . . . . : January 11, 2012 12:04:59 PM

        Lease Expires . . . . . . . . . . : January 12, 2012 12:04:59 PM

Server:  
Address:  192.168.1.254

Name:    google.com
Addresses:  74.125.127.106, 74.125.127.147, 74.125.127.104, 74.125.127.99
      74.125.127.105, 74.125.127.103



Pinging google.com [74.125.127.105] with 32 bytes of data:



Reply from 74.125.127.105: bytes=32 time=20ms TTL=52

Reply from 74.125.127.105: bytes=32 time=20ms TTL=52



Ping statistics for 74.125.127.105:

    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 20ms, Maximum = 20ms, Average = 20ms

Server:  
Address:  192.168.1.254

Name:    yahoo.com
Addresses:  98.139.180.149, 209.191.122.70, 72.30.2.43, 98.137.149.56



Pinging yahoo.com [98.137.149.56] with 32 bytes of data:



Reply from 98.137.149.56: bytes=32 time=36ms TTL=53

Reply from 98.137.149.56: bytes=32 time=32ms TTL=53



Ping statistics for 98.137.149.56:

    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 32ms, Maximum = 36ms, Average = 34ms

Server:  
Address:  192.168.1.254

Name:    bleepingcomputer.com
Address:  208.43.87.2



Pinging bleepingcomputer.com [208.43.87.2] with 32 bytes of data:



Reply from 208.43.87.2: Destination host unreachable.

Reply from 208.43.87.2: Destination host unreachable.



Ping statistics for 208.43.87.2:

    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 0ms, Maximum = 0ms, Average = 0ms



Pinging 127.0.0.1 with 32 bytes of data:



Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128



Ping statistics for 127.0.0.1:

    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 23 5a f2 cb b4 ...... Atheros AR8132 PCI-E Fast Ethernet Controller - Packet Scheduler Miniport
0x10004 ...00 26 5e 35 c9 fe ...... Atheros AR5B95 Wireless Network Adapter
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.1.254    192.168.1.70   25
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1   1
      192.168.1.0    255.255.255.0     192.168.1.70    192.168.1.70   25
     192.168.1.70  255.255.255.255        127.0.0.1       127.0.0.1   25
    192.168.1.255  255.255.255.255     192.168.1.70    192.168.1.70   25
        224.0.0.0        240.0.0.0     192.168.1.70    192.168.1.70   25
  255.255.255.255  255.255.255.255     192.168.1.70    192.168.1.70   1
  255.255.255.255  255.255.255.255     192.168.1.70               2   1
Default Gateway:     192.168.1.254
===========================================================================
Persistent Routes:
  None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog5 02 C:\Windows\System32\winrnr.dll [16896] (Microsoft Corporation)
Catalog5 03 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 01 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 02 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 03 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 04 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 05 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 06 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 07 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 08 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 09 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 10 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 11 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 12 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 13 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 14 C:\Windows\system32\rsvpsp.dll [92672] (Microsoft Corporation)
Catalog9 15 C:\Windows\system32\rsvpsp.dll [92672] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (01/11/2012 11:55:00 AM) (Source: MPSampleSubmission) (User: )
Description: EventType mptelemetry, P1 8024402c, P2 endsearch, P3 search, P4 3.0.8402.0, P5 mpsigdwn.dll, P6 3.0.8402.0, P7 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094), P8 NIL, P9 mptelemetry0, P10 mptelemetry1.

Error: (01/11/2012 11:32:59 AM) (Source: MPSampleSubmission) (User: )
Description: EventType mptelemetry, P1 8024402c, P2 endsearch, P3 search, P4 3.0.8402.0, P5 mpsigdwn.dll, P6 3.0.8402.0, P7 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094), P8 NIL, P9 mptelemetry0, P10 mptelemetry1.

Error: (01/11/2012 11:14:36 AM) (Source: JavaQuickStarterService) (User: )
Description: Unable to create JQS API server: socket() failed (Socket error 10050)

Error: (01/11/2012 11:09:40 AM) (Source: MPSampleSubmission) (User: )
Description: EventType mptelemetry, P1 80080005, P2 beginsearch, P3 search, P4 3.0.8402.0, P5 mpsigdwn.dll, P6 3.0.8402.0, P7 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094), P8 NIL, P9 mptelemetry0, P10 mptelemetry1.

Error: (01/11/2012 09:38:11 AM) (Source: MPSampleSubmission) (User: )
Description: EventType mptelemetry, P1 80080005, P2 beginsearch, P3 search, P4 3.0.8402.0, P5 mpsigdwn.dll, P6 3.0.8402.0, P7 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094), P8 NIL, P9 mptelemetry0, P10 mptelemetry1.

Error: (01/11/2012 09:26:51 AM) (Source: JavaQuickStarterService) (User: )
Description: Unable to create JQS API server: socket() failed (Socket error 10050)

Error: (01/04/2012 09:48:59 PM) (Source: MPSampleSubmission) (User: )
Description: EventType mptelemetry, P1 80080005, P2 beginsearch, P3 search, P4 3.0.8402.0, P5 mpsigdwn.dll, P6 3.0.8402.0, P7 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094), P8 NIL, P9 mptelemetry0, P10 mptelemetry1.

Error: (01/04/2012 09:37:41 PM) (Source: JavaQuickStarterService) (User: )
Description: Unable to create JQS API server: socket() failed (Socket error 10050)

Error: (01/04/2012 09:32:19 PM) (Source: JavaQuickStarterService) (User: )
Description: Unable to create JQS API server: socket() failed (Socket error 10050)

Error: (01/04/2012 08:28:12 PM) (Source: MPSampleSubmission) (User: )
Description: EventType mptelemetry, P1 8007043c, P2 beginsearch, P3 search, P4 3.0.8402.0, P5 mpsigdwn.dll, P6 3.0.8402.0, P7 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094), P8 NIL, P9 mptelemetry0, P10 mptelemetry1.


System errors:
=============
Error: (01/11/2012 11:55:01 AM) (Source: Microsoft Antimalware) (User: )
Description: %NT AUTHORITY60 has encountered an error trying to update signatures.

    New Signature Version: 

    Previous Signature Version: 1.117.2020.0

    Update Source: %NT AUTHORITY51

    Update Stage: 3.0.8402.00

    Source Path: 3.0.8402.01

    Signature Type: %NT AUTHORITY602

    Update Type: %NT AUTHORITY604

    User: NT AUTHORITY\NETWORK SERVICE

    Current Engine Version: %NT AUTHORITY605

    Previous Engine Version: %NT AUTHORITY606

    Error code: %NT AUTHORITY607

    Error description: %NT AUTHORITY608

Error: (01/11/2012 11:55:01 AM) (Source: Microsoft Antimalware) (User: )
Description: %NT AUTHORITY60 has encountered an error trying to update signatures.

    New Signature Version: 

    Previous Signature Version: 1.117.2020.0

    Update Source: %NT AUTHORITY51

    Update Stage: 3.0.8402.00

    Source Path: 3.0.8402.01

    Signature Type: %NT AUTHORITY602

    Update Type: %NT AUTHORITY604

    User: NT AUTHORITY\NETWORK SERVICE

    Current Engine Version: %NT AUTHORITY605

    Previous Engine Version: %NT AUTHORITY606

    Error code: %NT AUTHORITY607

    Error description: %NT AUTHORITY608

Error: (01/11/2012 11:55:01 AM) (Source: Microsoft Antimalware) (User: )
Description: %NT AUTHORITY60 has encountered an error trying to update signatures.

    New Signature Version: 

    Previous Signature Version: 1.117.2020.0

    Update Source: %NT AUTHORITY51

    Update Stage: 3.0.8402.00

    Source Path: 3.0.8402.01

    Signature Type: %NT AUTHORITY602

    Update Type: %NT AUTHORITY604

    User: NT AUTHORITY\NETWORK SERVICE

    Current Engine Version: %NT AUTHORITY605

    Previous Engine Version: %NT AUTHORITY606

    Error code: %NT AUTHORITY607

    Error description: %NT AUTHORITY608

Error: (01/11/2012 11:55:01 AM) (Source: Microsoft Antimalware) (User: )
Description: %NT AUTHORITY60 has encountered an error trying to update signatures.

    New Signature Version: 

    Previous Signature Version: 1.117.2020.0

    Update Source: %NT AUTHORITY51

    Update Stage: 3.0.8402.00

    Source Path: 3.0.8402.01

    Signature Type: %NT AUTHORITY602

    Update Type: %NT AUTHORITY604

    User: NT AUTHORITY\NETWORK SERVICE

    Current Engine Version: %NT AUTHORITY605

    Previous Engine Version: %NT AUTHORITY606

    Error code: %NT AUTHORITY607

    Error description: %NT AUTHORITY608

Error: (01/11/2012 11:55:00 AM) (Source: Microsoft Antimalware) (User: )
Description: %NT AUTHORITY60 has encountered an error trying to update signatures.

    New Signature Version: 

    Previous Signature Version: 1.117.2020.0

    Update Source: %NT AUTHORITY59

    Update Stage: 3.0.8402.00

    Source Path: 3.0.8402.01

    Signature Type: %NT AUTHORITY602

    Update Type: %NT AUTHORITY604

    User: NT AUTHORITY\SYSTEM

    Current Engine Version: %NT AUTHORITY605

    Previous Engine Version: %NT AUTHORITY606

    Error code: %NT AUTHORITY607

    Error description: %NT AUTHORITY608

Error: (01/11/2012 11:33:00 AM) (Source: Microsoft Antimalware) (User: )
Description: %NT AUTHORITY60 has encountered an error trying to update signatures.

    New Signature Version: 

    Previous Signature Version: 1.117.2020.0

    Update Source: %NT AUTHORITY51

    Update Stage: 3.0.8402.00

    Source Path: 3.0.8402.01

    Signature Type: %NT AUTHORITY602

    Update Type: %NT AUTHORITY604

    User: NT AUTHORITY\NETWORK SERVICE

    Current Engine Version: %NT AUTHORITY605

    Previous Engine Version: %NT AUTHORITY606

    Error code: %NT AUTHORITY607

    Error description: %NT AUTHORITY608

Error: (01/11/2012 11:33:00 AM) (Source: Microsoft Antimalware) (User: )
Description: %NT AUTHORITY60 has encountered an error trying to update signatures.

    New Signature Version: 

    Previous Signature Version: 1.117.2020.0

    Update Source: %NT AUTHORITY51

    Update Stage: 3.0.8402.00

    Source Path: 3.0.8402.01

    Signature Type: %NT AUTHORITY602

    Update Type: %NT AUTHORITY604

    User: NT AUTHORITY\NETWORK SERVICE

    Current Engine Version: %NT AUTHORITY605

    Previous Engine Version: %NT AUTHORITY606

    Error code: %NT AUTHORITY607

    Error description: %NT AUTHORITY608

Error: (01/11/2012 11:33:00 AM) (Source: Microsoft Antimalware) (User: )
Description: %NT AUTHORITY60 has encountered an error trying to update signatures.

    New Signature Version: 

    Previous Signature Version: 1.117.2020.0

    Update Source: %NT AUTHORITY51

    Update Stage: 3.0.8402.00

    Source Path: 3.0.8402.01

    Signature Type: %NT AUTHORITY602

    Update Type: %NT AUTHORITY604

    User: NT AUTHORITY\NETWORK SERVICE

    Current Engine Version: %NT AUTHORITY605

    Previous Engine Version: %NT AUTHORITY606

    Error code: %NT AUTHORITY607

    Error description: %NT AUTHORITY608

Error: (01/11/2012 11:33:00 AM) (Source: Microsoft Antimalware) (User: )
Description: %NT AUTHORITY60 has encountered an error trying to update signatures.

    New Signature Version: 

    Previous Signature Version: 1.117.2020.0

    Update Source: %NT AUTHORITY51

    Update Stage: 3.0.8402.00

    Source Path: 3.0.8402.01

    Signature Type: %NT AUTHORITY602

    Update Type: %NT AUTHORITY604

    User: NT AUTHORITY\NETWORK SERVICE

    Current Engine Version: %NT AUTHORITY605

    Previous Engine Version: %NT AUTHORITY606

    Error code: %NT AUTHORITY607

    Error description: %NT AUTHORITY608

Error: (01/11/2012 11:32:58 AM) (Source: Microsoft Antimalware) (User: )
Description: %NT AUTHORITY60 has encountered an error trying to update signatures.

    New Signature Version: 

    Previous Signature Version: 1.117.2020.0

    Update Source: %NT AUTHORITY59

    Update Stage: 3.0.8402.00

    Source Path: 3.0.8402.01

    Signature Type: %NT AUTHORITY602

    Update Type: %NT AUTHORITY604

    User: NT AUTHORITY\SYSTEM

    Current Engine Version: %NT AUTHORITY605

    Previous Engine Version: %NT AUTHORITY606

    Error code: %NT AUTHORITY607

    Error description: %NT AUTHORITY608


Microsoft Office Sessions:
=========================

**** End of log ****


reset log
reset   SYSTEM\CurrentControlSet\Services\Dhcp\Parameters\Options\15\RegLocation
            old REG_MULTI_SZ =
                SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\?\DhcpDomain
                SYSTEM\CurrentControlSet\Services\TcpIp\Parameters\DhcpDomain

deleted SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\MaxCacheEntryTtlLimit
added   SYSTEM\CurrentControlSet\Services\Netbt\Parameters\Interfaces\Tcpip_{0C27600A-2DBE-4153-BF95-7A9FA2097B0E}\NetbiosOptions
added   SYSTEM\CurrentControlSet\Services\Netbt\Parameters\Interfaces\Tcpip_{49BE636D-BA06-41BB-BA56-27802D1FE450}\NetbiosOptions
deleted SYSTEM\CurrentControlSet\Services\Netbt\Parameters\EnableLmhosts
added   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2C5B2C0A-C1B8-45B3-B8BC-BC62941E9696}\DisableDynamicUpdate
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2C5B2C0A-C1B8-45B3-B8BC-BC62941E9696}\IpAutoconfigurationAddress
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2C5B2C0A-C1B8-45B3-B8BC-BC62941E9696}\IpAutoconfigurationMask
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2C5B2C0A-C1B8-45B3-B8BC-BC62941E9696}\IpAutoconfigurationSeed
reset   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2C5B2C0A-C1B8-45B3-B8BC-BC62941E9696}\RawIpAllowedProtocols
            old REG_MULTI_SZ =
                0

reset   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2C5B2C0A-C1B8-45B3-B8BC-BC62941E9696}\TcpAllowedPorts
            old REG_MULTI_SZ =
                0

reset   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2C5B2C0A-C1B8-45B3-B8BC-BC62941E9696}\UdpAllowedPorts
            old REG_MULTI_SZ =
                0

reset   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7AC44BAD-D0BB-49F5-8314-EA79FEAD1815}\AddressType
            old REG_DWORD = 1

added   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7AC44BAD-D0BB-49F5-8314-EA79FEAD1815}\DisableDynamicUpdate
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7AC44BAD-D0BB-49F5-8314-EA79FEAD1815}\IpAutoconfigurationAddress
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7AC44BAD-D0BB-49F5-8314-EA79FEAD1815}\IpAutoconfigurationMask
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7AC44BAD-D0BB-49F5-8314-EA79FEAD1815}\IpAutoconfigurationSeed
reset   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7AC44BAD-D0BB-49F5-8314-EA79FEAD1815}\RawIpAllowedProtocols
            old REG_MULTI_SZ =
                0

reset   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7AC44BAD-D0BB-49F5-8314-EA79FEAD1815}\TcpAllowedPorts
            old REG_MULTI_SZ =
                0

reset   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7AC44BAD-D0BB-49F5-8314-EA79FEAD1815}\UdpAllowedPorts
            old REG_MULTI_SZ =
                0

added   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{EE81C5F9-F481-487E-9EBC-A63A016304A0}\AddressType
added   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{EE81C5F9-F481-487E-9EBC-A63A016304A0}\DisableDynamicUpdate
reset   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{EE81C5F9-F481-487E-9EBC-A63A016304A0}\RawIpAllowedProtocols
            old REG_MULTI_SZ =
                0

reset   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{EE81C5F9-F481-487E-9EBC-A63A016304A0}\TcpAllowedPorts
            old REG_MULTI_SZ =
                0

reset   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{EE81C5F9-F481-487E-9EBC-A63A016304A0}\UdpAllowedPorts
            old REG_MULTI_SZ =
                0

deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DontAddDefaultGatewayDefault
added   SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SearchList
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\UseDomainNameDevolution
reset   Linkage\UpperBind for PCI\VEN_1969&DEV_1062&SUBSYS_022F1025&REV_C0\4&2803E7C1&0&00E2.  bad value was:
            REG_MULTI_SZ =
                PSched

reset   Linkage\UpperBind for PCI\VEN_168C&DEV_002B&SUBSYS_E016105B&REV_01\4&192AC53F&0&00E0.  bad value was:
            REG_MULTI_SZ =
                PSched

reset   Linkage\UpperBind for ROOT\MS_NDISWANIP\0000.  bad value was:
            REG_MULTI_SZ =
                PSched

<completed>

Updated both the Microsoft Security Center and Malwarebytes and am running them now as well.

Hey - sorry I missed your post.

-- Is the ill machine able to connect to the internet now?

-- Did all the runs of combofix use the cfscript? We'll probably need to update it and run it again without the last cfscript - but it may bork the internet again.

-- Please post the results of the MBAM and MSE runs.

-- Please run aswMBR.exe as per the linky and post the log and let's see what that tells us.

-- Likewise, if you are able to run a fresh GMER scan as per the Read Me First Sticky post, that would be cool too.
Let's see if we can pin this sucker down....

PP:)

Hello Phillie
MBAM didn't detect anything; MSE ran into 29 infections, all in the System Restore files. The netbook can still connect to the net, yes, and all the previous ComboFix runs were done using the script, yes. I have now run ComboFix (no script), aswMBR and GMER.

Combofix
ComboFix 12-01-13.05 - Maggie Kissling 14/01/2012 13:46:06.5.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.692 [GMT -8:00]
Running from: c:\documents and settings\Maggie Kissling\Desktop\Brads diagnostics\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((( Files Created from 2011-12-14 to 2012-01-14 )))))))))))))))))))))))))))))))
.
.
2012-01-14 21:40 . 2012-01-14 21:40 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{FE6C14F5-94C0-45D4-8301-0D8DB237C2C0}\offreg.dll
2012-01-12 02:10 . 2012-01-12 04:36 -------- d-----w- c:\documents and settings\Maggie Kissling\Local Settings\Application Data\ApplicationHistory
2012-01-12 02:01 . 2012-01-12 02:01 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-01-12 01:29 . 2011-11-21 10:47 6823496 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{FE6C14F5-94C0-45D4-8301-0D8DB237C2C0}\mpengine.dll
2012-01-12 01:28 . 2012-01-12 01:28 -------- d-----w- c:\windows\system32\winrm
2012-01-12 01:28 . 2012-01-12 01:28 -------- d-----w- c:\windows\system32\GroupPolicy
2012-01-12 01:28 . 2012-01-12 01:28 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$
2012-01-12 01:26 . 2012-01-12 01:26 -------- d-----w- c:\program files\Windows Media Connect 2
2012-01-12 01:24 . 2012-01-12 01:25 -------- d-----w- c:\windows\system32\drivers\UMDF
2012-01-12 01:24 . 2012-01-12 01:24 -------- d-----w- c:\windows\system32\LogFiles
2012-01-12 01:21 . 2012-01-12 01:21 -------- d-----w- c:\windows\system32\URTTEMP
2012-01-11 19:15 . 2011-08-17 13:49 138496 -c--a-w- c:\windows\system32\dllcache\afd.sys
2012-01-11 19:15 . 2011-08-17 13:49 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2012-01-05 04:18 . 2012-01-05 04:28 -------- d-----w- c:\documents and settings\Administrator
2012-01-03 04:36 . 2012-01-03 04:36 -------- d-----w- c:\program files\ESET
2011-12-31 05:08 . 2011-12-31 05:22 -------- d-----w- c:\program files\RegCleaner
2011-12-31 04:25 . 2011-12-31 04:25 -------- d-----w- c:\documents and settings\Maggie Kissling\Local Settings\Application Data\PCHealth
2011-12-31 02:04 . 2011-12-10 23:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-31 02:04 . 2011-12-31 02:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-31 01:11 . 2011-12-31 01:11 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2011-12-25 22:49 . 2011-12-25 22:49 388096 ----a-r- c:\documents and settings\Maggie Kissling\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-12-25 22:49 . 2011-12-25 22:49 -------- d-----w- c:\program files\Trend Micro
2011-12-25 22:47 . 2011-12-25 22:47 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-12-25 04:17 . 2011-12-25 04:17 22032 ----a-w- c:\windows\DCEBoot.exe
2011-12-25 04:16 . 2011-12-25 04:17 102400 ----a-w- c:\windows\RegBootClean.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-25 21:57 . 2009-03-11 12:53 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25 . 2009-03-11 12:53 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-21 10:47 . 2011-05-24 18:57 6823496 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-11-18 12:35 . 2009-03-11 12:53 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-16 14:21 . 2009-03-11 12:53 354816 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 14:21 . 2009-03-11 12:53 152064 ----a-w- c:\windows\system32\schannel.dll
2011-11-15 22:29 . 2010-11-12 18:01 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-11-04 19:20 . 2009-03-11 12:53 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2009-03-11 12:53 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2009-03-11 12:53 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2009-03-11 12:53 385024 ----a-w- c:\windows\system32\html.iec
2011-11-03 15:28 . 2009-03-11 12:53 386048 ----a-w- c:\windows\system32\qdvd.dll
2011-11-03 15:28 . 2009-03-11 12:53 1292288 ----a-w- c:\windows\system32\quartz.dll
2011-11-01 16:07 . 2009-03-11 12:53 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2009-03-11 12:52 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37 . 2008-04-14 00:54 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52 . 2008-04-14 00:01 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-18 11:13 . 2009-03-11 12:53 186880 ----a-w- c:\windows\system32\encdec.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-01-03_23.21.43 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-01-14 21:39 . 2012-01-14 21:39 16384 c:\windows\Temp\Perflib_Perfdata_550.dat
+ 2006-09-29 02:56 . 2006-09-29 02:56 55808 c:\windows\system32\WudfSvc.dll
+ 2006-09-29 04:13 . 2006-09-29 04:13 95344 c:\windows\system32\WUDFCoinstaller.dll
+ 2009-10-09 22:56 . 2009-10-09 22:56 14848 c:\windows\system32\wsmprovhost.exe
+ 2009-10-09 22:56 . 2009-10-09 22:56 12288 c:\windows\system32\wsmplpxy.dll
+ 2006-10-19 05:47 . 2006-10-19 05:47 38400 c:\windows\system32\wpdshextres.dll
+ 2006-10-19 04:00 . 2006-10-19 04:00 17408 c:\windows\system32\wpdshextautoplay.exe
+ 2006-10-19 05:47 . 2006-10-19 05:47 63488 c:\windows\system32\wpdmtpus.dll
+ 2006-10-19 05:47 . 2006-10-19 05:47 35840 c:\windows\system32\wpdconns.dll
+ 2009-03-11 12:53 . 2006-10-19 05:47 99840 c:\windows\system32\wmpshell.dll
+ 2009-03-11 12:53 . 2006-10-19 05:47 37376 c:\windows\system32\wmdmps.dll
+ 2009-03-11 12:53 . 2006-10-19 05:47 33792 c:\windows\system32\wmdmlog.dll
+ 2009-10-09 22:56 . 2009-10-09 22:56 12288 c:\windows\system32\winrssrv.dll
+ 2009-10-09 22:56 . 2009-10-09 22:56 22528 c:\windows\system32\winrshost.exe
+ 2009-10-10 00:22 . 2009-10-10 00:22 69632 c:\windows\system32\winrs.exe
+ 2009-10-09 22:56 . 2009-10-09 22:56 25088 c:\windows\system32\winrmprov.dll
+ 2009-10-09 22:56 . 2009-10-09 22:56 24064 c:\windows\system32\WindowsPowerShell\v1.0\pwrshsip.dll
+ 2003-02-21 13:16 . 2003-02-21 13:16 49152 c:\windows\system32\URTTEMP\regtlib.exe
+ 2009-03-12 06:02 . 2009-02-27 11:42 66440 c:\windows\system32\spool\drivers\w32x86\msonpui.dll
+ 2009-03-12 06:02 . 2009-02-27 11:42 66440 c:\windows\system32\spool\drivers\w32x86\3\msonpui.dll
+ 2012-01-12 01:27 . 2007-07-27 18:41 16760 c:\windows\system32\spmsg.dll
+ 2009-10-10 00:22 . 2009-10-10 00:22 42496 c:\windows\system32\pwrshplugin.dll
+ 2009-03-11 12:53 . 2012-01-14 21:44 81274 c:\windows\system32\perfc009.dat
+ 2009-03-11 12:53 . 2006-10-19 05:47 27136 c:\windows\system32\mspmsnsv.dll
+ 2009-03-12 06:02 . 2009-02-27 11:42 31640 c:\windows\system32\msonpmon.dll
+ 2009-03-11 12:53 . 2011-10-14 14:47 23040 c:\windows\system32\mciseq.dll
- 2009-03-11 12:53 . 2008-04-14 12:00 23040 c:\windows\system32\mciseq.dll
+ 2009-03-11 12:53 . 2006-10-19 05:47 11264 c:\windows\system32\LAPRXY.dll
+ 2010-03-18 21:16 . 2010-03-18 21:16 70472 c:\windows\system32\dxva2.dll
+ 2006-09-29 03:00 . 2006-09-29 03:00 82944 c:\windows\system32\drivers\WudfRd.sys
+ 2006-09-29 02:55 . 2006-09-29 02:55 77568 c:\windows\system32\drivers\WudfPf.sys
+ 2006-10-19 04:00 . 2006-10-19 04:00 38528 c:\windows\system32\drivers\wpdusb.sys
+ 2009-03-11 12:53 . 2006-10-19 05:47 99840 c:\windows\system32\dllcache\wmpshell.dll
+ 2009-03-12 05:06 . 2006-10-19 05:46 64000 c:\windows\system32\dllcache\wmplayer.exe
+ 2009-03-12 05:06 . 2006-10-19 05:47 96256 c:\windows\system32\dllcache\wmpband.dll
+ 2009-03-11 12:53 . 2006-10-19 05:47 37376 c:\windows\system32\dllcache\wmdmps.dll
+ 2009-03-11 12:53 . 2006-10-19 05:47 33792 c:\windows\system32\dllcache\wmdmlog.dll
+ 2009-03-11 12:53 . 2011-11-18 12:35 60416 c:\windows\system32\dllcache\packager.exe
+ 2009-03-11 12:53 . 2006-10-19 05:47 27136 c:\windows\system32\dllcache\mspmsnsv.dll
+ 2009-03-11 12:53 . 2011-10-14 14:47 23040 c:\windows\system32\dllcache\mciseq.dll
- 2009-03-11 12:53 . 2008-04-14 12:00 23040 c:\windows\system32\dllcache\mciseq.dll
+ 2009-03-11 12:53 . 2006-10-19 05:47 11264 c:\windows\system32\dllcache\LAPRXY.dll
+ 2010-03-18 21:16 . 2010-03-18 21:16 87408 c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WindowsFormsIntegration.dll
+ 2010-03-18 21:16 . 2010-03-18 21:16 93024 c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\UIAutomationTypes.dll
+ 2010-03-18 21:16 . 2010-03-18 21:16 35688 c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\UIAutomationProvider.dll
+ 2010-03-18 21:16 . 2010-03-18 21:16 17784 c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\System.Windows.Presentation.dll
+ 2010-03-18 21:16 . 2010-03-18 21:16 58240 c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\System.Windows.Input.Manipulations.dll
+ 2010-03-18 21:16 . 2010-03-18 21:16 67912 c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\PenIMC.dll
+ 2010-03-18 21:16 . 2010-03-18 21:16 31576 c:\windows\Microsoft.NET\Framework\v4.0.30319\WMINet_Utils.dll
+ 2010-03-18 21:16 . 2010-03-18 21:16 44920 c:\windows\Microsoft.NET\Framework\v4.0.30319\System.Web.ApplicationServices.dll
+ 2010-03-18 21:16 . 2010-03-18 21:16 37240 c:\windows\Microsoft.NET\Framework\v4.0.30319\System.ServiceModel.Channels.dll
+ 2010-03-18 21:16 . 2010-03-18 21:16 64352 c:\windows\Microsoft.NET\Framework\v4.0.30319\System.Numerics.dll
+ 2010-03-18 21:16 . 2010-03-18 21:16 45952 c:\windows\Microsoft.NET\Framework\v4.0.30319\System.EnterpriseServices.Thunk.dll
+ 2010-03-18 21:16 . 2010-03-18 21:16 51032 c:\windows\Microsoft.NET\Framework\v4.0.30319\System.Device.dll
+ 2010-03-18 21:16 . 2010-03-18 21:16 50552 c:\windows\Microsoft.NET\Framework\v4.0.30319\System.Data.DataSetExtensions.dll
+ 2010-03-18 21:16 . 2010-03-18 21:16 81784 c:\windows\Microsoft.NET\Framework\v4.0.30319\System.Configuration.Install.dll
+ 2010-03-18 21:16 . 2010-03-18 21:16 81800 c:\windows\Microsoft.NET\Framework\v4.0.30319\System.ComponentModel.DataAnnotations.dll
+ 2010-03-18 21:16 . 2010-03-18 21:16 39784 c:\windows\Microsoft.NET\Framework\v4.0.30319\System.AddIn.Contract.dll
+ 2010-03-18 21:16 . 2010-03-18 21:16 68952 c:\windows\Microsoft.NET\Framework\v4.0.30319\SMDiagnostics.dll
+ 2010-03-18 19:58 . 2010-03-18 19:58 96088 c:\windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client\SetupUtility.exe
+ 2010-03-18 20:16 . 2010-03-18 20:16 78152 c:\windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client\Setup.exe
+ 2010-03-18 20:16 . 2010-03-18 20:16 18776 c:\windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client\3082\SetupResources.dll
+ 2010-03-18 20:16 . 2010-03-18 20:16 14168 c:\windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client\3076\SetupResources.dll
+ 2010-03-18 20:16 . 2010-03-18 20:16 18776 c:\windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client\2070\SetupResources.dll
+ 2010-03-18 20:16 . 2010-03-18 20:16 14168 c:\windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client\2052\SetupResources.dll
+ 2010-03-18 20:16 . 2010-03-18 20:16 17752 c:\windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client\1055\SetupResources.dll
+ 2010-03-18 20:16 . 2010-03-18 20:16 17752 c:\windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client\1053\SetupResources.dll
+ 2010-03-18 20:16 . 2010-03-18 20:16 18264 c:\windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client\1049\SetupResources.dll
+ 2010-03-18 20:16 . 2010-03-18 20:16 18264 c:\windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client\1046\SetupResources.dll
+ 2010-03-18 20:16 . 2010-03-18 20:16 18264 c:\windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client\1045\SetupResources.dll
+ 2010-03-18 20:16 . 2010-03-18 20:16 17752 c:\windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client\1044\SetupResources.dll
+ 2010-03-18 20:16 . 2010-03-18 20:16 19288 c:\windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client\1043\SetupResources.dll
+ 2010-03-18 20:16 . 2010-03-18 20:16 15192 c:\windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client\1042\SetupResources.dll
+ 2010-03-18 20:16 . 2010-03-18 20:16 15704 c:\windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client\1041\SetupResources.dll
+ 2010-03-18 20:16 . 2010-03-18 20:16 18264 c:\windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client\1040\SetupResources.dll
+ 2010-03-18 20:16 . 2010-03-18 20:16 18776 c:\windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client\1038\SetupResources.dll
+ 2010-03-18 20:16 . 2010-03-18 20:16 16728 c:\windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client\1037\SetupResources.dll
+ 2010-03-18 20:16 . 2010-03-18 20:16 18776 c:\windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client\1036\SetupResources.dll
+ 2010-03-18 20:16 . 2010-03-18 20:16 18264 c:\windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client\1035\SetupResources.dll
+ 2010-03-18 20:16 . 2010-03-18 20:16 17240 c:\windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client\1033\SetupResources.dll
+ 2010-03-18 20:16 . 2010-03-18 20:16 19288 c:\windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client\1032\SetupResources.dll
+ 2010-03-18 20:16 . 2010-03-18 20:16 18776 c:\windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client\1031\SetupResources.dll
+ 2010-03-18 20:16 . 2010-03-18 20:16 18264 c:\windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client\1030\SetupResources.dll
+ 2010-03-18 20:16 . 2010-03-18 20:16 18264 c:\windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client\1029\SetupResources.dll
+ 2010-03-18 20:16 . 2010-03-18 20:16 14168 c:\windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client\1028\SetupResources.dll
+ 2010-03-18 20:16 . 2010-03-18 20:16 17240 c:\windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client\1025\SetupResources.dll
+ 2010-03-18 21:16 . 2010-03-18 21:16 13648 c:\windows\Microsoft.NET\Framework\v4.0.30319\SbsNclPerf.dll
+ 2010-03-18 21:16 . 2010-03-18 21:16 58192 c:\windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe
+ 2010-03-18 21:16 . 2010-03-18 21:16 32592 c:\windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
+ 2010-03-18 21:16 . 2010-03-18 21:16 52040 c:\windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
+ 2010-03-18 21:16 . 2010-03-18 21:16 21336 c:\windows\Microsoft.NET\Framework\v4.0.30319\normalization.dll
+ 2011-07-09 17:30 . 2011-07-09 17:30 56656 c:\windows\Microsoft.NET\Framework\v4.0.30319\nlssorting.dll
+ 2010-03-18 21:16 . 2010-03-18 21:16 27984 c:\windows\Microsoft.NET\Framework\v4.0.30319\MUI\0409\mscorsecr.dll
+ 2010-03-18 21:16 . 2010-03-18 21:16 40784 c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorpe.dll
+ 2010-03-18 21:16 . 2010-03-18 21:16 20816 c:\windows\Microsoft.NET\Framework\v4.0.30319\mscoreeis.dll
+ 2010-03-18 21:16 . 2010-03-18 21:16 12128 c:\windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.VisualC.Dll
+ 2010-03-18 21:16 . 2010-03-18 21:16 97680 c:\windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.VisualBasic.Compatibility.Data.dll
+ 2010-03-18 21:16 . 2010-03-18 21:16 36168 c:\windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
+ 2010-03-18 21:16 . 2010-03-18 21:16 78168 c:\windows\Microsoft.NET\Framework\v4.0.30319\ISymWrapper.dll
+ 2010-03-18 21:16 . 2010-03-18 21:16 58200 c:\windows\Microsoft.NET\Framework\v4.0.30319\InstallUtilLib.dll
+ 2010-03-18 21:16 . 2010-03-18 21:16 27992 c:\windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
+ 2010-03-18 21:16 . 2010-03-18 21:16 42312 c:\windows\Microsoft.NET\Framework\v4.0.30319\fusion.dll
+ 2010-03-18 21:16 . 2010-03-18 21:16 11592 c:\windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe
+ 2010-03-18 21:16 . 2010-03-18 21:16 88904 c:\windows\Microsoft.NET\Framework\v4.0.30319\dfdll.dll
+ 2010-03-18 21:16 . 2010-03-18 21:16 31048 c:\windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
+ 2010-03-18 21:16 . 2010-03-18 21:16 81248 c:\windows\Microsoft.NET\Framework\v4.0.30319\CustomMarshalers.dll
+ 2010-03-18 21:16 . 2010-03-18 21:16 44368 c:\windows\Microsoft.NET\Framework\v4.0.30319\Culture.dll
+ 2010-03-18 21:16 . 2010-03-18 21:16 95048 c:\windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
+ 2010-03-18 21:16 . 2010-03-18 21:16 29008 c:\windows\Microsoft.NET\Framework\v4.0.30319\AddInUtil.exe
+ 2010-03-18 21:16 . 2010-03-18 21:16 29528 c:\windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
+ 2010-03-18 21:16 . 2010-03-18 21:16 29016 c:\windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe
+ 2010-03-18 21:16 . 2010-03-18 21:16 17240 c:\windows\Microsoft.NET\Framework\v4.0.30319\Accessibility.dll
+ 2010-03-18 21:16 . 2010-03-18 21:16 10064 c:\windows\Microsoft.NET\Framework\v4.0.30319\1033\CvtResUI.dll
+ 2010-03-18 21:16 . 2010-03-18 21:16 24400 c:\windows\Microsoft.NET\Framework\v4.0.30319\1033\alinkui.dll
+ 2011-12-25 11:49 . 2011-12-25 11:49 31504 c:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.exe
+ 2004-07-15 10:11 . 2004-07-15 10:11 31744 c:\windows\Microsoft.NET\Framework\v1.1.4322\WMINet_Utils.dll
+ 2009-06-25 03:56 . 2009-06-25 03:56 73728 c:\windows\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe
+ 2004-07-15 22:28 . 2004-07-15 22:28 57344 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Web.RegularExpressions.dll
+ 2011-12-25 19:07 . 2011-12-25 19:07 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Security.dll
+ 2004-07-15 08:35 . 2004-07-15 08:35 66560 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.EnterpriseServices.Thunk.dll
+ 2003-02-21 15:26 . 2003-02-21 15:26 65536 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Drawing.Design.dll
+ 2004-07-15 22:28 . 2004-07-15 22:28 90112 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.DirectoryServices.dll
+ 2003-02-21 15:26 . 2003-02-21 15:26 77824 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Configuration.Install.dll
+ 2003-02-21 15:25 . 2003-02-21 15:25 12288 c:\windows\Microsoft.NET\Framework\v1.1.4322\RegSvcs.exe
+ 2004-07-15 22:28 . 2004-07-15 22:28 32768 c:\windows\Microsoft.NET\Framework\v1.1.4322\RegCode.dll
+ 2003-02-21 15:25 . 2003-02-21 15:25 28672 c:\windows\Microsoft.NET\Framework\v1.1.4322\RegAsm.exe
+ 2004-07-15 08:34 . 2004-07-15 08:34 94208 c:\windows\Microsoft.NET\Framework\v1.1.4322\PerfCounter.dll
+ 2003-02-21 03:09 . 2003-02-21 03:09 73728 c:\windows\Microsoft.NET\Framework\v1.1.4322\ngen.exe
+ 2003-02-21 02:43 . 2003-02-21 02:43 22528 c:\windows\Microsoft.NET\Framework\v1.1.4322\MUI\0409\mscorsecr.dll
+ 2003-02-21 03:18 . 2003-02-21 03:18 20480 c:\windows\Microsoft.NET\Framework\v1.1.4322\mtxoci8.dll
+ 2011-12-25 06:55 . 2011-12-25 06:55 77824 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsn.dll
+ 2004-07-15 08:33 . 2004-07-15 08:33 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsec.dll
+ 2003-02-21 03:06 . 2003-02-21 03:06 65536 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorpe.dll
+ 2011-12-25 06:55 . 2011-12-25 06:55 86016 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorie.dll
+ 2004-07-15 08:32 . 2004-07-15 08:32 86016 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscordbc.dll
+ 2004-07-15 22:28 . 2004-07-15 22:28 49152 c:\windows\Microsoft.NET\Framework\v1.1.4322\MigPolWin.exe
+ 2004-07-15 22:28 . 2004-07-15 22:28 49152 c:\windows\Microsoft.NET\Framework\v1.1.4322\MigPol.exe
+ 2003-02-21 15:25 . 2003-02-21 15:25 11264 c:\windows\Microsoft.NET\Framework\v1.1.4322\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
+ 2003-02-21 15:24 . 2003-02-21 15:24 32768 c:\windows\Microsoft.NET\Framework\v1.1.4322\Microsoft.Vsa.dll
+ 2003-02-21 15:24 . 2003-02-21 15:24 28672 c:\windows\Microsoft.NET\Framework\v1.1.4322\Microsoft.VisualBasic.Vsa.dll
+ 2003-02-21 15:24 . 2003-02-21 15:24 40960 c:\windows\Microsoft.NET\Framework\v1.1.4322\jsc.exe
+ 2003-02-21 15:24 . 2003-02-21 15:24 26112 c:\windows\Microsoft.NET\Framework\v1.1.4322\ISymWrapper.dll
+ 2003-02-21 03:22 . 2003-02-21 03:22 40960 c:\windows\Microsoft.NET\Framework\v1.1.4322\InstallUtilLib.dll
+ 2003-02-21 15:24 . 2003-02-21 15:24 15872 c:\windows\Microsoft.NET\Framework\v1.1.4322\InstallUtil.exe
+ 2004-07-15 22:31 . 2004-07-15 22:31 32768 c:\windows\Microsoft.NET\Framework\v1.1.4322\IEHost.dll

MSE ran into 29 infections all in the system restore files.

OK - You should flush system restore (turn it off and back on) and then try aswMBR again.

Also, please run http://www.eset.com/us/online-scanner/ and post the results.

-- Move combofix back to the Desktop and then follow the steps in the linky below to uninstall it.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix#uninstall

Then, please give me an update on how things are working.

Cheers :)
PP

Hello Phillie
Again thank you for all the help.
Latest update is that combofix is uninstalled, the online scanner found no threats and here is the aswMBR log... actually looking clean finally... whatcha think?

aswMBR version 0.9.9.1297 Copyright(c) 2011 AVAST Software
Run date: 2012-01-18 17:53:27
-----------------------------
17:53:27.312 OS Version: Windows 5.1.2600 Service Pack 3
17:53:27.312 Number of processors: 2 586 0x1C02
17:53:27.312 ComputerName: ACER-330BB84976 UserName: Maggie Kissling
17:53:28.062 Initialize success
17:59:14.671 AVAST engine defs: 12011801
18:00:36.765 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
18:00:36.765 Disk 0 Vendor: Hitachi_ FB2O Size: 152627MB BusType: 3
18:00:36.984 Disk 0 MBR read successfully
18:00:36.984 Disk 0 MBR scan
18:00:37.093 Disk 0 Windows XP default MBR code
18:00:37.140 Disk 0 Partition 1 00 12 Compaq diag NTFS 7169 MB offset 63
18:00:37.187 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 145456 MB offset 14684160
18:00:37.265 Disk 0 scanning sectors +312578048
18:00:37.671 Disk 0 scanning C:\WINDOWS\system32\drivers
18:01:41.343 Service scanning
18:01:42.578 Modules scanning
18:03:15.484 Disk 0 trace - called modules:
18:03:15.562 ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll iaStor.sys
18:03:15.562 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x865ed3d0]
18:03:15.578 3 CLASSPNP.SYS[f78fdfd7] -> nt!IofCallDriver -> \Device\00000094[0x86f553e0]
18:03:15.593 5 ACPI.sys[f77f4620] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x86f5e030]
18:03:16.312 AVAST engine scan C:\WINDOWS
18:05:03.921 AVAST engine scan C:\WINDOWS\system32
18:14:34.406 AVAST engine scan C:\WINDOWS\system32\drivers
18:16:20.140 AVAST engine scan C:\Documents and Settings\Maggie Kissling
18:23:20.250 AVAST engine scan C:\Documents and Settings\All Users
18:25:03.484 Scan finished successfully
18:31:35.906 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Maggie Kissling\Desktop\MBR.dat"
18:31:35.937 The log file has been saved successfully to "C:\Documents and Settings\Maggie Kissling\Desktop\aswMBR.txt"

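As an added example (not from this thread or from AVAST), here is a small Python triage of an aswMBR log in the layout posted above: it checks the same things a helper eyeballs (MBR read OK, default MBR code, exactly one active partition, scan finished, only expected modules in the disk call chain). The sample log is constructed and the BASELINE module set is an assumption, so anything outside it is listed for review rather than flagged as malicious.

```python
import re
# Constructed sample in the aswMBR log layout posted in the thread (not the thread's own log)
SAMPLE_LOG = """\
aswMBR version 0.9.9.1297 Copyright(c) 2011 AVAST Software
18:00:36.984 Disk 0 MBR read successfully
18:00:37.093 Disk 0 Windows XP default MBR code
18:00:37.140 Disk 0 Partition 1 00 12 Compaq diag NTFS 7169 MB offset 63
18:00:37.187 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 145456 MB offset 14684160
18:03:15.484 Disk 0 trace - called modules:
18:03:15.562 ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll iaStor.sys
18:25:03.484 Scan finished successfully
"""

TIMESTAMP = re.compile(r"^\d\d:\d\d:\d\d\.\d+ ")
PARTITION = re.compile(r"Disk \d+ Partition (\d+) (\w\w) (?:\(A\) )?(\w\w) .+? (\d+) MB offset (\d+)$")
# Assumed baseline of modules normally seen in the XP disk I/O path (catchme.sys is the
# scanner's own driver); a module outside this set is listed for review, not condemned.
BASELINE = {"ntoskrnl.exe", "catchme.sys", "classpnp.sys", "disk.sys", "acpi.sys",
            "hal.dll", "iastor.sys", "atapi.sys", "partmgr.sys"}

def triage(log: str) -> dict:
    """Parse an aswMBR log into structured checks; 'review' holds items a human should inspect."""
    out = {"mbr_read": False, "mbr_default": False, "finished": False,
           "partitions": [], "modules": [], "review": []}
    want_modules = False
    for raw in log.splitlines():
        line = TIMESTAMP.sub("", raw.strip())  # drop the HH:MM:SS.mmm prefix
        if want_modules:  # the line after "called modules:" lists the call chain
            out["modules"] = line.split()
            want_modules = False
        elif line.endswith("trace - called modules:"):
            want_modules = True
        elif line.endswith("MBR read successfully"):
            out["mbr_read"] = True
        elif "default MBR code" in line:
            out["mbr_default"] = True
        elif line == "Scan finished successfully":
            out["finished"] = True
        elif m := PARTITION.search(line):
            out["partitions"].append({"index": int(m[1]), "active": m[2] == "80",
                                      "type": m[3], "size_mb": int(m[4]), "offset": int(m[5])})
    # Anything short of a clean read, default boot code, one active partition and a finished scan
    checks = [(out["mbr_read"], "MBR was not read successfully"),
              (out["mbr_default"], "MBR code not reported as default (possible bootkit)"),
              (sum(p["active"] for p in out["partitions"]) == 1, "expected exactly one active partition"),
              (out["finished"], "scan did not finish")]
    out["review"] = [msg for ok, msg in checks if not ok]
    out["review"] += [f"unrecognized module in disk call chain: {m}" for m in out["modules"] if m.lower() not in BASELINE]
    return out
```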
Happy to help :)

I agree - looks good.
Though, with these baddies it is difficult to tell. You put rootkits and backdoors together - especially with the active defense mechanisms this particular family employs - and it becomes a bit of a crapshoot.

Normally, in cases such as this, I recommend wiping the HD and re-installing Windows - it's fastest and 100% effective.
But, since you'd already started, why not finish, right? Plus, reformat is not always a feasible option.

Anyhoo, I'll try to take a closer look at some of the previous logs just to be sure, but at quick glance everything looks OK.

Cheers :)
PP
