
Inactive PC being Monitored? Can't update anti virus

Discussion in 'Malware and Virus Removal Archive' started by clubECGR, 2009/02/03.

  1. 2009/02/14 noahdfear
    I overlooked a file with hidden and system attributes ... might be the cause of acovcnt.exe returning. The following should remedy that.

    Once again, disable any realtime protection applications. Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    File::
    c:\windows\neoqaz2.dll
    Folder::
    C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TD98J79G
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. ComboFix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

    **NOTE - Allow ComboFix to update if prompted.
    The cf** files you mention are from ComboFix, the nppt* files are associated with INCA Gameguard, SDDEVMGR.dll with Toshiba SD Card manager. ocx files are fine. Not sure what you mean by 'at the top of system32', unless your view setting is to display details by date (modified date).
     
  2. 2009/02/15 clubECGR (Thread Starter)
    I'm in Safe Mode as I can't run MBAM and ComboFix properly in normal Windows. I hope that the latest files that were deleted will fix it. Thank you again for your time. I really appreciate it.

    EDIT: Nope. It's not running properly in normal Windows. But what the heck? It's in Safe Mode. It's safer to remove malware there, right? Same goes for MBAM. Sadly, I can't do everyday scans.

    ComboFix 09-02-14.01 - Chris 2009-02-15 17:31:10.4 - NTFSx86 NETWORK
    Running from: c:\users\Chris\Desktop\ComboFix.exe
    Command switches used :: c:\users\Chris\Desktop\CFScript.txt

    FILE ::
    c:\windows\neoqaz2.dll
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\neoqaz2.dll
    c:\windows\system32\acovcnt.exe
    c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TD98J79G
    c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TD98J79G\743674[1].txt
    c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TD98J79G\74372433[1].txt
    c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TD98J79G\config-prod[2].xml
    c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TD98J79G\consumer$20norton$20security$20scan$2032bit_microdefsb.oct_symalllanguages_livetri[1].zip
    c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TD98J79G\crossdomain[1].xml
    c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TD98J79G\crossdomain[2].xml
    c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TD98J79G\crossdomain[3].xml
    c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TD98J79G\desktop.ini
    c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TD98J79G\guide_opendns_com[1].htm
    c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TD98J79G\HBConfig[2].xml
    c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TD98J79G\PC_Checkup[1].exe
    c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TD98J79G\symproducts[1].xml

    .
    ((((((((((((((((((((((((( Files Created from 2009-01-15 to 2009-02-15 )))))))))))))))))))))))))))))))
    .

    2009-02-13 00:22 . 2009-02-13 00:22 <DIR> d-------- c:\program files\Common Files\xing shared
    2009-02-11 18:02 . 2009-02-11 18:02 <DIR> d-------- c:\program files\Ashampoo
    2009-02-11 11:41 . 2009-01-15 11:36 1,383,424 --a------ c:\windows\System32\mshtml.tlb
    2009-02-11 11:41 . 2009-01-15 14:11 827,392 --a------ c:\windows\System32\wininet.dll
    2009-02-09 19:19 . 2003-07-19 23:17 5,174 --a------ c:\windows\System32\nppt9x.vxd
    2009-02-09 19:19 . 2005-01-03 14:43 4,682 --a------ c:\windows\System32\npptNT2.sys
    2009-02-09 19:18 . 2009-02-09 19:18 <DIR> d-------- c:\program files\Common Files\INCA Shared
    2009-02-07 23:04 . 2009-02-07 23:04 <DIR> d-------- c:\program files\DivXLand
    2009-02-07 23:04 . 1999-12-17 10:13 86,016 --a------ c:\windows\unvise32.exe
    2009-02-05 21:00 . 2008-06-20 09:14 781,344 --a------ c:\windows\System32\PresentationNative_v0300.dll
    2009-02-05 21:00 . 2008-06-20 09:14 622,080 --a------ c:\windows\System32\icardagt.exe
    2009-02-05 21:00 . 2008-06-20 09:14 326,160 --a------ c:\windows\System32\PresentationHost.exe
    2009-02-05 21:00 . 2008-06-20 09:14 105,016 --a------ c:\windows\System32\PresentationCFFRasterizerNative_v0300.dll
    2009-02-05 21:00 . 2008-06-20 09:14 97,800 --a------ c:\windows\System32\infocardapi.dll
    2009-02-05 21:00 . 2008-06-20 09:14 43,544 --a------ c:\windows\System32\PresentationHostProxy.dll
    2009-02-05 21:00 . 2008-06-20 09:14 37,384 --a------ c:\windows\System32\infocardcpl.cpl
    2009-02-05 21:00 . 2008-06-20 09:14 11,264 --a------ c:\windows\System32\icardres.dll
    2009-02-05 20:50 . 2008-07-28 02:03 282,112 --a------ c:\windows\System32\mscoree.dll
    2009-02-05 20:50 . 2008-07-28 02:03 158,720 --a------ c:\windows\System32\mscorier.dll
    2009-02-05 20:50 . 2008-07-28 02:03 96,760 --a------ c:\windows\System32\dfshim.dll
    2009-02-05 20:50 . 2008-07-28 02:03 83,968 --a------ c:\windows\System32\mscories.dll
    2009-02-05 20:50 . 2008-07-28 02:03 41,984 --a------ c:\windows\System32\netfxperf.dll
    2009-02-04 21:05 . 2009-02-11 13:36 <DIR> d--h----- C:\$AVG8.VAULT$
    2009-02-04 10:06 . 2009-02-04 10:06 <DIR> d-------- c:\windows\Sun
    2009-02-04 09:59 . 2009-02-15 17:10 <DIR> d-------- c:\windows\System32\drivers\Avg
    2009-02-04 09:59 . 2009-02-04 09:59 325,128 --a------ c:\windows\System32\drivers\avgldx86.sys
    2009-02-04 09:59 . 2009-02-04 09:59 107,272 --a------ c:\windows\System32\drivers\avgtdix.sys
    2009-02-04 09:59 . 2009-02-04 09:59 10,520 --a------ c:\windows\System32\avgrsstx.dll
    2009-02-04 08:07 . 2009-02-04 08:07 <DIR> d--hs---- C:\found.000
    2009-02-03 21:39 . 2008-06-19 16:24 28,544 --a------ c:\windows\System32\drivers\pavboot.sys
    2009-02-03 21:35 . 2009-02-03 21:35 <DIR> d-------- c:\program files\Panda Security
    2009-02-03 21:11 . 2009-02-03 21:11 <DIR> d-------- c:\program files\Trend Micro
    2009-02-01 15:27 . 2009-02-04 21:21 <DIR> d-------- c:\program files\Opera 10 Preview
    2009-01-30 14:53 . 2009-01-30 15:07 19,170,816 --a------ c:\windows\System32\imageres.dll
    2009-01-27 19:44 . 2009-01-27 19:54 <DIR> d-------- C:\My Recordings
    2009-01-27 19:43 . 2009-01-27 19:43 <DIR> d-------- c:\program files\FREE Hi-Q Recorder
    2009-01-27 19:43 . 2004-08-10 05:00 1,355,776 --a------ c:\windows\System32\msvbvm50.dll
    2009-01-25 11:43 . 2009-01-25 11:43 <DIR> d-------- c:\program files\Panasonic
    2009-01-25 11:43 . 2006-02-27 11:45 36,864 --a------ c:\windows\System32\SDDEVMGR.dll
    2009-01-23 20:51 . 2009-01-23 20:51 <DIR> d-------- c:\program files\Common Files\PCSuite
    2009-01-23 20:49 . 2009-01-23 20:49 <DIR> d-------- c:\program files\PC Connectivity Solution
    2009-01-23 20:49 . 2008-08-26 09:26 18,816 --a------ c:\windows\System32\drivers\pccsmcfd.sys
    2009-01-19 22:29 . 2009-01-19 22:30 <DIR> d-------- c:\program files\Direct MIDI to MP3 Converter
    2009-01-19 21:26 . 2009-01-19 21:26 <DIR> d-------- c:\program files\feng
    2009-01-17 22:58 . 2009-01-17 22:58 <DIR> d-------- c:\windows\Replay Video Capture
    2009-01-17 20:42 . 2008-11-08 14:42 642,048 --a------ c:\windows\System32\calc.exe
    2009-01-17 20:39 . 2008-11-04 21:07 1,152,000 --a------ c:\windows\System32\themecpl.dll
    2009-01-17 14:36 . 2009-01-17 14:36 <DIR> d-------- c:\users\All Users\Stardock
    2009-01-17 14:36 . 2009-01-17 14:36 <DIR> d-------- c:\programdata\Stardock
    2009-01-17 14:36 . 2009-01-17 14:36 <DIR> d-------- c:\program files\Stardock
    2009-01-17 14:36 . 2007-06-05 11:26 567,040 --a------ c:\windows\System32\wbocx.ocx
    2009-01-17 14:36 . 2007-06-05 11:26 56,496 --a------ c:\windows\System32\wbhelp2.dll
    2009-01-17 14:24 . 2009-01-17 14:24 <DIR> d-------- c:\users\Chris\AppData\Roaming\TuneUp Software
    2009-01-17 14:24 . 2009-01-17 14:24 603,904 --a------ c:\windows\System32\TUProgSt.exe
    2009-01-17 14:24 . 2009-01-17 14:24 362,240 --a------ c:\windows\System32\TuneUpDefragService.exe
    2009-01-17 14:24 . 2008-11-12 16:44 27,904 --a------ c:\windows\System32\uxtuneup.dll
    2009-01-17 14:24 . 2008-11-12 16:44 17,152 --a------ c:\windows\System32\authuitu.dll
    2009-01-17 14:23 . 2009-01-17 14:23 <DIR> d-------- c:\users\All Users\TuneUp Software
    2009-01-17 14:23 . 2009-01-17 14:23 <DIR> d--hs---- c:\users\All Users\{55A29068-F2CE-456C-9148-C869879E2357}
    2009-01-17 14:23 . 2009-01-17 14:23 <DIR> d-------- c:\programdata\TuneUp Software
    2009-01-17 14:23 . 2009-01-17 14:23 <DIR> d--hs---- c:\programdata\{55A29068-F2CE-456C-9148-C869879E2357}
    2009-01-17 14:23 . 2009-01-17 14:24 <DIR> d-------- c:\program files\TuneUp Utilities 2009
    2009-01-17 13:34 . 2009-01-25 09:29 201,048,984 --a------ c:\windows\MEMORY.DMP
    2009-01-17 10:58 . 2009-01-17 10:58 <DIR> d-------- c:\program files\PowerISO
    2009-01-15 12:39 . 2009-01-15 12:39 <DIR> d-------- c:\program files\AskBarDis
    2009-01-15 12:36 . 2009-02-04 09:58 <DIR> d-------- c:\users\All Users\avg8
    2009-01-15 12:36 . 2009-02-04 09:58 <DIR> d-------- c:\programdata\avg8
    2009-01-15 12:36 . 2009-01-15 12:36 <DIR> d-------- c:\program files\AVG
    2009-01-15 12:31 . 2009-01-15 12:31 <DIR> d-------- c:\windows\E80F62FF5D3C4A1984099721F2928206.TMP

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-02-13 04:51 --------- d-----w c:\users\Chris\AppData\Roaming\Vso
    2009-02-13 04:51 --------- d-----w c:\users\Chris\AppData\Roaming\CopyToDvd
    2009-02-12 21:06 --------- d-----w c:\program files\Google
    2009-02-12 16:21 --------- d-----w c:\program files\Common Files\Real
    2009-02-12 15:01 --------- d-----w c:\users\Chris\AppData\Roaming\dvdcss
    2009-02-12 05:17 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
    2009-02-11 13:08 --------- d-----w c:\program files\Opera
    2009-02-11 02:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
    2009-02-11 02:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
    2009-02-05 12:26 --------- d-----w c:\programdata\P4G
    2009-02-05 12:26 --------- d-----w c:\programdata\FLEXnet
    2009-02-03 05:03 --------- d-----w c:\program files\ATKOSD2
    2009-01-25 03:43 --------- d--h--w c:\program files\InstallShield Installation Information
    2009-01-23 12:51 --------- d-----w c:\program files\Common Files\Nokia
    2009-01-23 12:46 --------- d-----w c:\program files\Nokia
    2009-01-23 12:35 --------- d-----w c:\programdata\Installations
    2009-01-23 07:01 --------- d-----w c:\programdata\PC Suite
    2009-01-18 05:21 319,456 ----a-w c:\windows\DIFxAPI.dll
    2009-01-18 05:21 --------- d-----w c:\program files\Realtek
    2009-01-17 16:14 --------- d-----w c:\program files\Common Files\LightScribe
    2009-01-15 05:53 --------- d-----w c:\program files\Bonjour
    2009-01-15 05:53 --------- d-----w c:\program files\ATKGFNEX
    2009-01-15 05:53 --------- d-----w c:\program files\ATK Hotkey
    2009-01-15 05:46 --------- d-----w c:\program files\Wireless Console 2
    2009-01-15 05:46 --------- d-----w c:\program files\Windows Sidebar
    2009-01-15 05:46 --------- d-----w c:\program files\Windows Defender
    2009-01-15 05:46 --------- d-----w c:\program files\P4G
    2009-01-15 04:34 --------- d-----w c:\program files\Common Files\Symantec Shared
    2009-01-15 04:31 --------- d-----w c:\programdata\Symantec
    2009-01-15 04:31 --------- d-----w c:\program files\Symantec
    2009-01-14 13:33 --------- d-----w c:\program files\Windows Mail
    2009-01-11 11:17 --------- d-----w c:\programdata\CyberLink
    2009-01-08 05:08 --------- d-----w c:\users\Chris\AppData\Roaming\CyberLink
    2008-12-31 17:21 --------- d-----w c:\program files\VSO
    2008-12-27 03:47 --------- d-----w c:\users\Chris\AppData\Roaming\Nokia
    2008-12-23 07:53 --------- d-----w c:\program files\WinAce
    2008-12-16 02:42 288,768 ----a-w c:\windows\system32\drivers\srv.sys
    2008-12-15 09:24 --------- d-----w c:\programdata\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
    2008-12-15 09:24 --------- d-----w c:\program files\iTunes
    2008-12-15 09:23 --------- d-----w c:\programdata\Apple Computer
    2008-12-15 09:23 --------- d-----w c:\program files\iPod
    2008-12-15 09:23 --------- d-----w c:\program files\Common Files\Apple
    2008-12-15 09:22 --------- d-----w c:\program files\QuickTime
    2008-12-15 09:21 --------- d-----w c:\program files\QuickTime Alternative
    2008-12-12 03:18 87,336 ----a-w c:\windows\System32\dns-sd.exe
    2008-12-12 03:11 61,440 ----a-w c:\windows\System32\dnssd.dll
    2008-11-25 02:35 84 ---ha-w c:\users\All Users\aspg.dat
    2008-11-25 02:35 84 ---ha-w c:\programdata\aspg.dat
    2008-10-19 11:05 456,272 ----a-w c:\users\All Users\pswi_preloaded.exe
    2008-10-19 11:05 456,272 ----a-w c:\programdata\pswi_preloaded.exe
    2008-10-18 07:34 81,920 ----a-w c:\users\Chris\AppData\Roaming\ezpinst.exe
    2008-10-18 07:34 47,360 ----a-w c:\users\Chris\AppData\Roaming\pcouffin.sys
    2008-01-21 02:57 174 --sha-w c:\program files\desktop.ini
    2009-02-02 19:50 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
    2009-02-02 19:50 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
    2009-02-02 19:50 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
    2009-02-02 19:50 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
    2009-02-02 19:50 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
    2008-10-20 05:54 88 --sha-r c:\windows\System32\7A81B36C98.sys
    2008-10-20 05:55 2,828 --sha-w c:\windows\System32\KGyGaAvL.sys
    .

    ((((((((((((((((((((((((((((( SnapShot_2009-02-05_23.22.44.98 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-01-15 06:11:05 1,166,336 ----a-w c:\windows\System32\urlmon.dll
    - 2009-02-05 13:22:03 12,530 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2604780666-1855635130-1160332280-1000_UserData.bin
    + 2009-02-15 09:10:29 12,726 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2604780666-1855635130-1160332280-1000_UserData.bin
    - 2009-02-05 13:22:02 99,842 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
    + 2009-02-15 09:10:29 100,766 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
    - 2009-02-05 06:58:04 3,032 ----a-w c:\windows\System32\WDI\ERCQueuedResolutions.dat
    + 2009-02-10 06:48:43 3,032 ----a-w c:\windows\System32\WDI\ERCQueuedResolutions.dat
    - 2009-02-05 13:21:52 55,428 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
    + 2009-02-15 09:10:26 55,796 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
    - 2009-02-05 13:07:36 32,427,874 ----a-w c:\windows\winsxs\ManifestCache\6.0.6001.18000_001c50b5_blobs.bin
    + 2009-02-11 03:42:07 72,422,121 ----a-w c:\windows\winsxs\ManifestCache\6.0.6001.18000_001c50b5_blobs.bin
    + 2009-01-15 04:15:58 124,928 ----a-w c:\windows\winsxs\x86_microsoft-windows-advpack_31bf3856ad364e35_6.0.6000.16809_none_a9ee2d39f5a1db5c\advpack.dll
    + 2009-01-15 04:14:44 124,928 ----a-w c:\windows\winsxs\x86_microsoft-windows-advpack_31bf3856ad364e35_6.0.6000.20996_none_aa1379db0f0b2a9a\advpack.dll
    + 2009-01-15 04:16:02 44,544 ----a-w c:\windows\winsxs\x86_microsoft-windows-i..ablenetworkgraphics_31bf3856ad364e35_6.0.6000.16809_none_ebe936e9163ac15b\pngfilt.dll
    + 2009-01-15 04:18:35 44,544 ----a-w c:\windows\winsxs\x86_microsoft-windows-i..ablenetworkgraphics_31bf3856ad364e35_6.0.6000.20996_none_ec0e838a2fa41099\pngfilt.dll
    + 2009-01-15 04:16:03 1,160,192 ----a-w c:\windows\winsxs\x86_microsoft-windows-i..ersandsecurityzones_31bf3856ad364e35_6.0.6000.16809_none_b305df9bd99b38bf\urlmon.dll
    + 2009-01-15 04:19:06 1,163,264 ----a-w c:\windows\winsxs\x86_microsoft-windows-i..ersandsecurityzones_31bf3856ad364e35_6.0.6000.20996_none_b32b2c3cf30487fd\urlmon.dll
    + 2009-01-15 06:11:05 1,166,336 ----a-w c:\windows\winsxs\x86_microsoft-windows-i..ersandsecurityzones_31bf3856ad364e35_6.0.6001.18203_none_b4e61c85d6c731a6\urlmon.dll
    + 2009-01-16 04:59:50 1,166,848 ----a-w c:\windows\winsxs\x86_microsoft-windows-i..ersandsecurityzones_31bf3856ad364e35_6.0.6001.22355_none_b53baa48f00b8fd3\urlmon.dll
    + 2009-01-15 04:16:01 671,232 ----a-w c:\windows\winsxs\x86_microsoft-windows-i..mlrenderingadvanced_31bf3856ad364e35_6.0.6000.16809_none_dee86e647f43f82e\mstime.dll
    + 2009-01-15 04:17:12 671,232 ----a-w c:\windows\winsxs\x86_microsoft-windows-i..mlrenderingadvanced_31bf3856ad364e35_6.0.6000.20996_none_df0dbb0598ad476c\mstime.dll
    + 2009-01-15 06:08:50 671,232 ----a-w c:\windows\winsxs\x86_microsoft-windows-i..mlrenderingadvanced_31bf3856ad364e35_6.0.6001.18203_none_e0c8ab4e7c6ff115\mstime.dll
    + 2009-01-16 04:57:07 671,232 ----a-w c:\windows\winsxs\x86_microsoft-windows-i..mlrenderingadvanced_31bf3856ad364e35_6.0.6001.22355_none_e11e391195b44f42\mstime.dll
    + 2009-01-15 04:16:00 27,648 ----a-w c:\windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_6.0.6000.16809_none_000bbb3da4a45f52\jsproxy.dll
    + 2009-01-15 04:16:03 826,368 ----a-w c:\windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_6.0.6000.16809_none_000bbb3da4a45f52\wininet.dll
    + 2009-01-15 04:16:03 64,512 ----a-w c:\windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_6.0.6000.16809_none_000bbb3da4a45f52\WininetPlugin.dll
    + 2009-01-15 04:16:04 27,648 ----a-w c:\windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_6.0.6000.20996_none_003107debe0dae90\jsproxy.dll
    + 2009-01-15 04:19:13 827,904 ----a-w c:\windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_6.0.6000.20996_none_003107debe0dae90\wininet.dll
    + 2009-01-15 04:19:13 64,512 ----a-w c:\windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_6.0.6000.20996_none_003107debe0dae90\WininetPlugin.dll
    + 2009-01-15 06:08:05 28,160 ----a-w c:\windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_6.0.6001.18203_none_01ebf827a1d05839\jsproxy.dll
    + 2009-01-15 06:11:16 827,392 ----a-w c:\windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_6.0.6001.18203_none_01ebf827a1d05839\wininet.dll
    + 2008-02-22 05:01:41 64,512 ----a-w c:\windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_6.0.6001.18203_none_01ebf827a1d05839\WininetPlugin.dll
    + 2009-01-16 04:56:01 28,160 ----a-w c:\windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_6.0.6001.22355_none_024185eabb14b666\jsproxy.dll
    + 2009-01-16 05:00:04 827,904 ----a-w c:\windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_6.0.6001.22355_none_024185eabb14b666\wininet.dll
    + 2009-01-16 05:00:04 64,512 ----a-w c:\windows\winsxs\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_6.0.6001.22355_none_024185eabb14b666\WininetPlugin.dll
    + 2008-01-21 02:34:01 2,455,488 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-antiphishfilter_31bf3856ad364e35_6.0.6000.16809_none_f9b4de176e8fd9a5\ieapfltr.dat
    + 2009-01-15 04:16:00 383,488 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-antiphishfilter_31bf3856ad364e35_6.0.6000.16809_none_f9b4de176e8fd9a5\ieapfltr.dll
    + 2008-01-21 02:34:01 2,455,488 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-antiphishfilter_31bf3856ad364e35_6.0.6000.20996_none_f9da2ab887f928e3\ieapfltr.dat
    + 2009-01-15 04:15:42 380,928 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-antiphishfilter_31bf3856ad364e35_6.0.6000.20996_none_f9da2ab887f928e3\ieapfltr.dll
    + 2009-01-15 04:15:59 347,136 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-directxtransforms_31bf3856ad364e35_6.0.6000.16809_none_95e916cf84755fd3\dxtmsft.dll
    + 2009-01-15 04:15:59 214,528 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-directxtransforms_31bf3856ad364e35_6.0.6000.16809_none_95e916cf84755fd3\dxtrans.dll
    + 2009-01-15 04:15:22 347,136 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-directxtransforms_31bf3856ad364e35_6.0.6000.20996_none_960e63709ddeaf11\dxtmsft.dll
    + 2009-01-15 04:15:22 214,528 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-directxtransforms_31bf3856ad364e35_6.0.6000.20996_none_960e63709ddeaf11\dxtrans.dll
    + 2009-01-15 04:16:00 459,264 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-feeds-platform_31bf3856ad364e35_6.0.6000.16809_none_5e09520c3d47b20a\msfeeds.dll
    + 2009-01-15 04:16:41 459,264 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-feeds-platform_31bf3856ad364e35_6.0.6000.20996_none_5e2e9ead56b10148\msfeeds.dll
    + 2009-01-15 06:08:34 458,240 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-feeds-platform_31bf3856ad364e35_6.0.6001.18203_none_5fe98ef63a73aaf1\msfeeds.dll
    + 2009-01-16 04:56:39 458,240 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-feeds-platform_31bf3856ad364e35_6.0.6001.22355_none_603f1cb953b8091e\msfeeds.dll
    + 2009-01-15 04:16:00 477,696 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-htmlediting_31bf3856ad364e35_6.0.6000.16809_none_464bb12746361260\mshtmled.dll
    + 2009-01-15 04:16:46 477,696 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-htmlediting_31bf3856ad364e35_6.0.6000.20996_none_4670fdc85f9f619e\mshtmled.dll
    + 2009-01-15 04:16:00 3,594,752 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_6.0.6000.16809_none_1165da5c24fac888\mshtml.dll
    + 2009-01-15 04:16:45 3,596,288 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_6.0.6000.20996_none_118b26fd3e6417c6\mshtml.dll
    + 2009-01-15 06:08:35 3,580,416 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_6.0.6001.18203_none_134617462226c16f\mshtml.dll
    + 2009-01-16 04:56:43 3,580,928 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_6.0.6001.22355_none_139ba5093b6b1f9c\mshtml.dll
    + 2009-01-15 04:16:00 63,488 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-infocard_31bf3856ad364e35_6.0.6000.16809_none_58be4726670f5491\icardie.dll
    + 2009-01-15 04:15:42 63,488 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-infocard_31bf3856ad364e35_6.0.6000.20996_none_58e393c78078a3cf\icardie.dll
    + 2009-01-15 04:15:30 26,624 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.16809_none_2d84c7c91ccfce35\ieUnatt.exe
    + 2009-01-15 04:14:36 634,024 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.16809_none_2d84c7c91ccfce35\iexplore.exe
    + 2009-01-15 02:05:46 26,624 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.20996_none_2daa146a36391d73\ieUnatt.exe
    + 2009-01-15 04:18:47 634,024 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.20996_none_2daa146a36391d73\iexplore.exe
    + 2009-01-15 04:16:00 267,776 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-runtimeutilities_31bf3856ad364e35_6.0.6000.16809_none_45c672198f557daf\iertutil.dll
    + 2009-01-15 04:16:02 134,144 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-runtimeutilities_31bf3856ad364e35_6.0.6000.16809_none_45c672198f557daf\sqmapi.dll
    + 2009-01-15 04:15:44 267,776 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-runtimeutilities_31bf3856ad364e35_6.0.6000.20996_none_45ebbebaa8becced\iertutil.dll
    + 2009-01-15 04:18:57 134,144 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-runtimeutilities_31bf3856ad364e35_6.0.6000.20996_none_45ebbebaa8becced\sqmapi.dll
    + 2009-01-15 06:07:53 270,336 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-runtimeutilities_31bf3856ad364e35_6.0.6001.18203_none_47a6af038c817696\iertutil.dll
    + 2008-01-21 02:34:16 129,536 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-runtimeutilities_31bf3856ad364e35_6.0.6001.18203_none_47a6af038c817696\sqmapi.dll
    + 2009-01-16 04:55:51 270,848 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-runtimeutilities_31bf3856ad364e35_6.0.6001.22355_none_47fc3cc6a5c5d4c3\iertutil.dll
    + 2009-01-16 04:59:31 129,536 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-runtimeutilities_31bf3856ad364e35_6.0.6001.22355_none_47fc3cc6a5c5d4c3\sqmapi.dll
    + 2009-01-15 04:15:30 70,656 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-setup-support_31bf3856ad364e35_6.0.6000.16809_none_c3f37ce4614a96da\ie4uinit.exe
    + 2009-01-15 04:16:00 44,544 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-setup-support_31bf3856ad364e35_6.0.6000.16809_none_c3f37ce4614a96da\iernonce.dll
    + 2009-01-15 04:16:00 56,320 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-setup-support_31bf3856ad364e35_6.0.6000.16809_none_c3f37ce4614a96da\iesetup.dll
    + 2009-01-15 02:05:40 70,656 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-setup-support_31bf3856ad364e35_6.0.6000.20996_none_c418c9857ab3e618\ie4uinit.exe
    + 2009-01-15 04:15:44 44,544 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-setup-support_31bf3856ad364e35_6.0.6000.20996_none_c418c9857ab3e618\iernonce.dll
    + 2009-01-15 04:15:44 56,320 ----a-w c:\windows\winsxs\x86_microsoft-windows-ie-setup-support_31bf3856ad364e35_6.0.6000.20996_none_c418c9857ab3e618\iesetup.dll
    + 2009-01-15 04:16:00 52,736 ----a-w c:\windows\winsxs\x86_microsoft-windows-iebrshim_31bf3856ad364e35_6.0.6000.16809_none_2a18935467fa6c37\iebrshim.dll
    + 2009-01-15 04:15:42 52,736 ----a-w c:\windows\winsxs\x86_microsoft-windows-iebrshim_31bf3856ad364e35_6.0.6000.20996_none_2a3ddff58163bb75\iebrshim.dll
    + 2009-01-15 04:16:00 6,066,688 ----a-w c:\windows\winsxs\x86_microsoft-windows-ieframe_31bf3856ad364e35_6.0.6000.16809_none_62c5345fb0f056b5\ieframe.dll
    + 2009-01-15 04:16:00 180,736 ----a-w c:\windows\winsxs\x86_microsoft-windows-ieframe_31bf3856ad364e35_6.0.6000.16809_none_62c5345fb0f056b5\ieui.dll
    + 2009-01-15 04:15:44 6,068,736 ----a-w c:\windows\winsxs\x86_microsoft-windows-ieframe_31bf3856ad364e35_6.0.6000.20996_none_62ea8100ca59a5f3\ieframe.dll
    + 2009-01-15 04:15:44 180,736 ----a-w c:\windows\winsxs\x86_microsoft-windows-ieframe_31bf3856ad364e35_6.0.6000.20996_none_62ea8100ca59a5f3\ieui.dll
    + 2009-01-15 06:07:53 6,069,248 ----a-w c:\windows\winsxs\x86_microsoft-windows-ieframe_31bf3856ad364e35_6.0.6001.18203_none_64a57149ae1c4f9c\ieframe.dll
    + 2008-01-21 02:34:25 180,736 ----a-w c:\windows\winsxs\x86_microsoft-windows-ieframe_31bf3856ad364e35_6.0.6001.18203_none_64a57149ae1c4f9c\ieui.dll
    + 2009-01-16 04:55:51 6,070,784 ----a-w c:\windows\winsxs\x86_microsoft-windows-ieframe_31bf3856ad364e35_6.0.6001.22355_none_64faff0cc760adc9\ieframe.dll
    + 2009-01-16 04:55:51 180,736 ----a-w c:\windows\winsxs\x86_microsoft-windows-ieframe_31bf3856ad364e35_6.0.6001.22355_none_64faff0cc760adc9\ieui.dll
    + 2009-01-15 04:15:30 263,168 ----a-w c:\windows\winsxs\x86_microsoft-windows-ieinstal_31bf3856ad364e35_6.0.6000.16809_none_e6bea0de9473aaed\ieinstal.exe
    + 2009-01-15 02:05:59 263,168 ----a-w c:\windows\winsxs\x86_microsoft-windows-ieinstal_31bf3856ad364e35_6.0.6000.20996_none_e6e3ed7faddcfa2b\ieinstal.exe
    + 2009-01-15 04:15:30 301,568 ----a-w c:\windows\winsxs\x86_microsoft-windows-ieuser_31bf3856ad364e35_6.0.6000.16809_none_0b66d5fad6ee6a9f\ieuser.exe
    + 2009-01-15 02:06:01 301,568 ----a-w c:\windows\winsxs\x86_microsoft-windows-ieuser_31bf3856ad364e35_6.0.6000.20996_none_0b8c229bf057b9dd\ieuser.exe
    .
    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ADSMOverlayIcon1]
    @="{A8D448F4-0431-45AC-9F5E-E1B434AB2249}"
    [HKEY_CLASSES_ROOT\CLSID\{A8D448F4-0431-45AC-9F5E-E1B434AB2249}]
    2007-06-02 08:08 143360 --a------ c:\program files\ASUS\ASUS Data Security Manager\OverlayIconShlExt1.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
    "LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-12-06 2387968]
    "Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-09-20 4347120]
    "PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2008-12-03 1205760]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Microsoft Pinyin IME Migration"="c:\progra~1\COMMON~1\MICROS~1\IME12\IMESC\IMSCMIG.EXE" [2006-10-27 32560]
    "HControlUser"="c:\program files\ATK Hotkey\HcontrolUser.exe" [2008-01-12 98304]
    "ATKOSD2"="c:\program files\ATKOSD2\ATKOSD2.exe" [2008-01-24 7766016]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-22 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-22 166424]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-22 133656]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 1029416]
    "ASUS Camera ScreenSaver"="c:\windows\ASScrProlog.exe" [2008-08-25 37232]
    "ASUS Screen Saver Protector"="c:\windows\ASScrPro.exe" [2008-08-25 33136]
    "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-04 1601304]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-02-13 185872]
    "RtHDVCpl"="RtHDVCpl.exe" [2007-11-23 c:\windows\RtHDVCpl.exe]
     
    Last edited: 2009/02/15


  4. 2009/02/15
    clubECGR

    clubECGR Inactive Thread Starter

    Joined:
    2008/10/15
    Messages:
    170
    Likes Received:
    0
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "GrpConv"="grpconv -o" [X]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]

    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-04-11 752168]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=avgrsstx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "msacm.l3codecp"= l3codecp.acm
    "msacm.avis"= ff_acm.acm

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk /r \??\i:\0autocheck autochk /r \??\H:\0autocheck autochk *

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
    backup=c:\windows\pss\WinZip Quick Pick.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    --a------ 2008-01-12 13:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDRegion]
    -r------- 2007-11-17 11:20 91432 c:\program files\CyberLink\Shared Files\brs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CLMLServer]
    --a------ 2008-07-19 10:52 104936 c:\program files\CyberLink\Power2Go\CLMLSvc.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    --a------ 2006-10-27 15:47 31016 c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    --a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
    --------- 2007-10-11 12:06 62760 c:\program files\CyberLink\PowerDVD\Language\Language.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P2Go_Menu]
    --a------ 2008-06-14 09:11 210216 c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
    --a------ 2008-07-07 15:34 167936 c:\program files\PowerISO\PWRISOVM.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
    --------- 2007-10-28 09:35 72736 c:\program files\CyberLink\PowerDVD\PDVDServ.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    --a------ 2008-10-18 16:24 136600 c:\program files\Java\jre6\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    --a------ 2009-02-13 00:21 185872 c:\program files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
    --a------ 2006-09-08 01:19 15872 c:\program files\Unlocker\UnlockerAssistant.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdatePPShortCut]
    --------- 2008-01-05 02:02 222504 c:\program files\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2604780666-1855635130-1160332280-1000]
    "EnableNotificationsRef"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
    "{E6D5117B-3B59-4AD3-8131-89637E355324}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
    "{9CE88676-B457-421D-BB8B-94858452D8BF}"= c:\program files\Cyberlink\PowerDirector\PDR.EXE:CyberLink PowerDirector
    "{ADD9768A-B85E-4F2F-9051-F04001D47C94}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
    "{0F1526F2-698A-4EC8-AD75-A50D789FAC0E}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
    "{7603A25D-882D-4C67-BBE9-E13B47081310}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
    "{C223190F-67DF-44B6-843E-B814852C9E30}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
    "{5DDFBBA9-2D8F-4FA6-A664-8693C3A7B7B0}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
    "{EDF86280-60E8-4FD2-92CE-80673B1ABFF5}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
    "{3F1C817B-AAEF-42ED-B4C2-3F71D9750568}"= c:\program files\Cyberlink\PowerDVD\PowerDVD.EXE:CyberLink PowerDVD
    "TCP Query User{1D9CF969-4B70-41C0-A067-7BDC0C2DCAE1}c:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= UDP:c:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger
    "UDP Query User{C0B8E7EF-B475-41EB-BA5A-18BCA13B6219}c:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= TCP:c:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger
    "{3DDBCAB7-B44E-4CA5-9319-1567406E6C9B}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
    "{E228A32D-5C8C-4C72-8282-B824569F0669}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
    "{21AB7F65-718D-4B69-9468-03065D39B3B5}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
    "{AEB28633-F226-4753-9CB4-056573A2BE9E}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
    "{DA354452-5B8C-4700-8C0A-1470459F18AA}"= c:\program files\AVG\AVG8\avgupd.exe:avgupd.exe
    "{F5BCCFD2-9972-4A8F-AA07-A24DA725DB92}"= c:\program files\AVG\AVG8\avgnsx.exe:avgnsx.exe
    "TCP Query User{4C0E4E2E-C1BC-4777-96B6-7612D3B95D22}c:\\program files\\mozilla firefox\\firefox.exe"= UDP:c:\program files\mozilla firefox\firefox.exe:Firefox
    "UDP Query User{691488C3-E5A0-458C-97B7-D0FA59125057}c:\\program files\\mozilla firefox\\firefox.exe"= TCP:c:\program files\mozilla firefox\firefox.exe:Firefox
    "TCP Query User{81AB6F39-85E8-4737-8D0A-95DB9D999745}c:\\program files\\mozilla firefox\\firefox.exe"= UDP:c:\program files\mozilla firefox\firefox.exe:Firefox
    "UDP Query User{FB21594E-55DC-4C7B-A18A-7258EC7E0F73}c:\\program files\\mozilla firefox\\firefox.exe"= TCP:c:\program files\mozilla firefox\firefox.exe:Firefox
    "{2BD64F00-D9C8-45EC-8EEE-EB3B7F1056DE}"= UDP:8888:Win2DS
    "{80D75A46-3365-4924-855C-A9947BB04F72}"= UDP:g:\level up! games\Grand Chase PH\main.exe:GrandChase
    "{8575A2BA-4849-45A5-B0AD-6C6DFC9F2001}"= TCP:g:\level up! games\Grand Chase PH\main.exe:GrandChase

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
    "DoNotAllowExceptions"= 0 (0x0)

    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [2009-02-04 107272]
    R3 CRFILTER;USB Mass Storage Filter;c:\windows\System32\drivers\CRFILTER.sys [2008-04-07 6656]
    S0 pavboot;pavboot;c:\windows\System32\drivers\pavboot.sys [2009-02-03 28544]
    S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [2009-02-04 325128]
    S2 {95808DC4-FA4A-4C74-92FE-5B863F82066B};{95808DC4-FA4A-4C74-92FE-5B863F82066B};c:\program files\CyberLink\PowerDVD\000.fcl [2007-11-03 00:12:32 41456]
    S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-02-04 298264]
    S2 gupdate1c96116a681bcde;Google Update Service (gupdate1c96116a681bcde);c:\program files\Google\Update\GoogleUpdate.exe [2008-12-18 133104]
    S2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\System32\TUProgSt.exe [2009-01-17 603904]
    S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\System32\drivers\btwl2cap.sys [2008-08-25 29736]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
    bthsvcs REG_MULTI_SZ BthServ

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    UxTuneUp

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    "c:\program files\Common Files\LightScribe\LSRunOnce.exe "
    .
    Contents of the 'Scheduled Tasks' folder

    2009-02-15 c:\windows\Tasks\1-Click Maintenance.job
    - c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2008-11-20 16:28]

    2009-02-15 c:\windows\Tasks\GoogleUpdateTaskMachine.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2008-12-18 21:43]

    2009-02-15 c:\windows\Tasks\User_Feed_Synchronization-{CC929265-66CD-41B1-8FA6-F9C1E6663B87}.job
    - c:\windows\system32\msfeedssync.exe [2008-01-21 10:34]
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-RunOnce-<NO NAME> - (no file)


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com
    mStart Page = hxxp://www.yahoo.com/
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
    uInternet Settings,ProxyOverride = <local>
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    FF - ProfilePath - c:\users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\lwk7zeyx.default\
    FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
    FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
    FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
    FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.allow_platform_file_picker", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.hideGoButton", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("signon.prefillForms", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.enabled", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.remoteLookups", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.updateURL", "http://sb.google.com/safebrowsing/update?client={moz:client}&appver={moz:version}&");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.lookupURL", "http://sb.google.com/safebrowsing/lookup?sourceid=firefox-antiphish&features=TrustRank&client={moz:client}&appver={moz:version}&");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.reportURL", "http://sb.google.com/safebrowsing/report?");
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-02-15 17:34:18
    Windows 6.0.6001 Service Pack 1 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    C:\ADSM_PData_0150

    scan completed successfully
    hidden files: 1

    **************************************************************************
    .
    Completion time: 2009-02-15 17:36:52
    ComboFix-quarantined-files.txt 2009-02-15 09:36:45
    ComboFix2.txt 2009-02-05 15:24:00
    ComboFix3.txt 2009-02-05 06:00:33
    ComboFix4.txt 2009-02-04 00:34:26

    Pre-Run: 6,075,273,216 bytes free
    Post-Run: 6,024,458,240 bytes free

    578 --- E O F --- 2009-02-11 03:46:56
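A triage pass over the "Reg Loading Points" section of a ComboFix log like the one posted above, as an added example (Python; not part of the posted log, of ComboFix, or of the forum's own tooling). It pulls out the settings a responder reads first in this kind of log: UAC switched off (EnableLUA=0), Security Center monitoring disabled, an AppInit_DLLs value, a BootExecute that differs from the stock `autocheck autochk *`, the firewall exception policy, and services whose image path does not end in .sys/.exe/.dll. The embedded SAMPLE_LOG is a constructed excerpt modelled on the log in this thread; the severity ranking and the "unusual image extension" heuristic are the example's own assumptions. A hit is a review item, not a verdict: the AppInit DLL and the .fcl service it flags here sit under the AVG and CyberLink program directories shown in the log.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log.

Reads the text of a posted log and flags the settings a responder wants to
look at first: UAC turned off, Security Center monitoring disabled,
AppInit_DLLs populated, a BootExecute value other than the default, the
firewall exception policy, and services whose image path does not end in
.sys/.exe/.dll.  A hit is a review item, not a verdict.
"""
import re

# Constructed excerpt, modelled on the log posted in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /r \??\i:\0autocheck autochk /r \??\H:\0autocheck autochk *

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"DoNotAllowExceptions"= 0 (0x0)

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [2009-02-04 107272]
S0 pavboot;pavboot;c:\windows\System32\drivers\pavboot.sys [2009-02-03 28544]
S2 {95808DC4-FA4A-4C74-92FE-5B863F82066B};{95808DC4-FA4A-4C74-92FE-5B863F82066B};c:\program files\CyberLink\PowerDVD\000.fcl [2007-11-03 00:12:32 41456]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-02-04 298264]
"""

KEY_RE = re.compile(r'^\[(.+)\]$')
# Value names as ComboFix prints them, tolerating the stray space before the
# closing quote that some forum renderings of these logs insert.
VALUE_RE = re.compile(r'^"([^"]*?)\s*"\s*=\s*(.*)$')
# "<start type> <name>;<display name>;<image path> [date size]"
SERVICE_RE = re.compile(r'^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[')
DEFAULT_BOOTEXECUTE = 'autocheck autochk *'


def as_int(value):
    """Decode the two integer renderings ComboFix uses: '0 (0x0)' and 'dword:00000001'."""
    if value.lower().startswith('dword:'):
        return int(value[6:], 16)
    return int(value.split()[0])


def parse_reg_points(text):
    """Return ({key: {name: value}}, [service dicts]) for the section text."""
    keys, services, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = SERVICE_RE.match(line)
        if m:
            services.append({'start': m.group(1), 'name': m.group(2),
                             'display': m.group(3), 'path': m.group(4).strip()})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2).strip()
        elif line.startswith('BootExecute') and current is not None:
            # "BootExecute REG_MULTI_SZ <elements joined by a literal \0>"
            keys[current]['BootExecute'] = line.split(None, 2)[2]
    return keys, services


def triage(text):
    """Return [(severity, message)] for the settings worth a second look.

    The severity ranking is this example's own, not ComboFix's.
    """
    keys, services = parse_reg_points(text)
    findings = []
    for key, values in keys.items():
        if key.endswith(r'\policies\system') and as_int(values.get('EnableLUA', '1')) == 0:
            findings.append(('high', 'UAC disabled (EnableLUA=0)'))
        if r'\security center\monitoring' in key and as_int(values.get('DisableMonitoring', '0')) == 1:
            findings.append(('medium', 'Security Center monitoring disabled under ' + key.rsplit('\\', 1)[-1]))
        if key.endswith(r'\currentversion\windows') and values.get('AppInit_DLLs'):
            findings.append(('medium', 'AppInit_DLLs loads: ' + values['AppInit_DLLs']))
        if key.endswith(r'\session manager') and values.get('BootExecute', DEFAULT_BOOTEXECUTE) != DEFAULT_BOOTEXECUTE:
            findings.append(('low', 'non-default BootExecute: ' + values['BootExecute']))
        if key.endswith('standardprofile') and as_int(values.get('DoNotAllowExceptions', '1')) == 0:
            findings.append(('info', 'firewall StandardProfile allows exceptions'))
    for svc in services:
        ext = svc['path'].rsplit('.', 1)[-1].lower()
        if ext not in ('sys', 'exe', 'dll'):
            findings.append(('medium', 'service %s (%s) runs from a .%s image: %s'
                             % (svc['name'], svc['start'], ext, svc['path'])))
    return findings


if __name__ == '__main__':
    for severity, message in triage(SAMPLE_LOG):
        print('[%-6s] %s' % (severity, message))
```

To run it against a real log, paste the whole "Reg Loading Points" section (from the `REGEDIT4` line through the service list) into SAMPLE_LOG or pass the file's text to `triage()`; the parser ignores lines it does not recognise, so the snapshot and scheduled-task sections above and below can stay in. The BootExecute check is deliberately strict: the two extra `autocheck autochk /r` entries in this log are what a scheduled chkdsk of drives I: and H: looks like, which is why it is ranked low rather than high.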
     
  5. 2009/02/17
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Download GMER Rootkit Scanner from here.
    • Extract the contents of the zipped file to desktop.
    • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
    • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

    • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
      • Sections
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically C:\)
      • Show All (don't miss this one)
    • Then click the Scan button & wait for it to finish.
    • Once done click on the [Save..] button, and in the File name area, type in ark.txt
    Save it where you can easily find it, such as your desktop, then post the contents here.

    **Caution**
    Rootkit scans often produce false positives. Do NOT take action on any <---- ROOTKIT entries

    Note - Please close all other programs, and all open browser windows prior to starting the scan.
     
  6. 2009/02/18
    clubECGR

    clubECGR Inactive Thread Starter

    Joined:
    2008/10/15
    Messages:
    170
    Likes Received:
    0
    Posting the whole thing is very hard to omit.

    EDIT after posting in 5 posts:

    Posting the whole thing will take forever to do and take up so much server bandwidth and it's too long. I'll post this on my webpage.

    http://uk.geocities.com/vaporeon_william2008/ark.txt
     
    Last edited: 2009/02/18
  7. 2009/02/22
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Please delete the ComboFix.exe file you currently have and download a fresh copy from here, saving it to your desktop.

    Once again, disable any realtime protection applications. Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as;

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    FixCSet::
    RegLockDel::
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\gaopdxserv.sys]
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.


    Next, highlight and copy the contents of the code box below.

    Code:
    reg query HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot>safe.txt
    reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment">>safe.txt
    reg query HKCU\Environment>>safe.txt
    start notepad safe.txt
    exit
    cls
    
    Click Start>Run and type cmd then hit enter to open a command window.
    Right click in the command window and select paste.
    The command window will close on its own and safe.txt will open.
    Post its contents here.
     
  8. 2009/02/22
    clubECGR

    clubECGR Inactive Thread Starter

    Joined:
    2008/10/15
    Messages:
    170
    Likes Received:
    0
    It seems the acovcnt keeps on appearing. Should I ignore and leave it to be?

    ComboFix 09-02-21.01 - Chris 2009-02-23 13:20:54.6 - NTFSx86 NETWORK
    Running from: c:\users\Chris\Desktop\ComboFix.exe
    Command switches used :: c:\users\Chris\Desktop\CFScript.txt
    .

    ((((((((((((((((((((((((( Files Created from 2009-01-23 to 2009-02-23 )))))))))))))))))))))))))))))))
    .

    2009-02-23 13:25 . 2009-02-23 13:25 45,056 --a------ c:\windows\System32\acovcnt.exe
    2009-02-18 12:52 . 2009-02-18 12:52 250 --a------ c:\windows\gmer.ini
    2009-02-13 00:22 . 2009-02-13 00:22 <DIR> d-------- c:\program files\Common Files\xing shared
    2009-02-11 18:02 . 2009-02-11 18:02 <DIR> d-------- c:\program files\Ashampoo
    2009-02-11 11:41 . 2009-01-15 11:36 1,383,424 --a------ c:\windows\System32\mshtml.tlb
    2009-02-11 11:41 . 2009-01-15 14:11 827,392 --a------ c:\windows\System32\wininet.dll
    2009-02-09 19:19 . 2003-07-19 23:17 5,174 --a------ c:\windows\System32\nppt9x.vxd
    2009-02-09 19:19 . 2005-01-03 14:43 4,682 --a------ c:\windows\System32\npptNT2.sys
    2009-02-09 19:18 . 2009-02-09 19:18 <DIR> d-------- c:\program files\Common Files\INCA Shared
    2009-02-07 23:04 . 2009-02-07 23:04 <DIR> d-------- c:\program files\DivXLand
    2009-02-07 23:04 . 1999-12-17 10:13 86,016 --a------ c:\windows\unvise32.exe
    2009-02-05 21:00 . 2008-06-20 09:14 781,344 --a------ c:\windows\System32\PresentationNative_v0300.dll
    2009-02-05 21:00 . 2008-06-20 09:14 622,080 --a------ c:\windows\System32\icardagt.exe
    2009-02-05 21:00 . 2008-06-20 09:14 326,160 --a------ c:\windows\System32\PresentationHost.exe
    2009-02-05 21:00 . 2008-06-20 09:14 105,016 --a------ c:\windows\System32\PresentationCFFRasterizerNative_v0300.dll
    2009-02-05 21:00 . 2008-06-20 09:14 97,800 --a------ c:\windows\System32\infocardapi.dll
    2009-02-05 21:00 . 2008-06-20 09:14 43,544 --a------ c:\windows\System32\PresentationHostProxy.dll
    2009-02-05 21:00 . 2008-06-20 09:14 37,384 --a------ c:\windows\System32\infocardcpl.cpl
    2009-02-05 21:00 . 2008-06-20 09:14 11,264 --a------ c:\windows\System32\icardres.dll
    2009-02-05 20:50 . 2008-07-28 02:03 282,112 --a------ c:\windows\System32\mscoree.dll
    2009-02-05 20:50 . 2008-07-28 02:03 158,720 --a------ c:\windows\System32\mscorier.dll
    2009-02-05 20:50 . 2008-07-28 02:03 96,760 --a------ c:\windows\System32\dfshim.dll
    2009-02-05 20:50 . 2008-07-28 02:03 83,968 --a------ c:\windows\System32\mscories.dll
    2009-02-05 20:50 . 2008-07-28 02:03 41,984 --a------ c:\windows\System32\netfxperf.dll
    2009-02-04 21:05 . 2009-02-22 13:37 <DIR> d--h----- C:\$AVG8.VAULT$
    2009-02-04 10:06 . 2009-02-04 10:06 <DIR> d-------- c:\windows\Sun
    2009-02-04 09:59 . 2009-02-23 12:25 <DIR> d-------- c:\windows\System32\drivers\Avg
    2009-02-04 09:59 . 2009-02-04 09:59 325,128 --a------ c:\windows\System32\drivers\avgldx86.sys
    2009-02-04 09:59 . 2009-02-04 09:59 107,272 --a------ c:\windows\System32\drivers\avgtdix.sys
    2009-02-04 09:59 . 2009-02-04 09:59 10,520 --a------ c:\windows\System32\avgrsstx.dll
    2009-02-04 08:07 . 2009-02-04 08:07 <DIR> d--hs---- C:\found.000
    2009-02-03 21:39 . 2008-06-19 16:24 28,544 --a------ c:\windows\System32\drivers\pavboot.sys
    2009-02-03 21:35 . 2009-02-03 21:35 <DIR> d-------- c:\program files\Panda Security
    2009-02-03 21:11 . 2009-02-03 21:11 <DIR> d-------- c:\program files\Trend Micro
    2009-02-01 15:27 . 2009-02-04 21:21 <DIR> d-------- c:\program files\Opera 10 Preview
    2009-01-30 14:53 . 2009-01-30 15:07 19,170,816 --a------ c:\windows\System32\imageres.dll
    2009-01-27 19:44 . 2009-01-27 19:54 <DIR> d-------- C:\My Recordings
    2009-01-27 19:43 . 2009-01-27 19:43 <DIR> d-------- c:\program files\FREE Hi-Q Recorder
    2009-01-27 19:43 . 2004-08-10 05:00 1,355,776 --a------ c:\windows\System32\msvbvm50.dll
    2009-01-25 11:43 . 2009-01-25 11:43 <DIR> d-------- c:\program files\Panasonic
    2009-01-25 11:43 . 2006-02-27 11:45 36,864 --a------ c:\windows\System32\SDDEVMGR.dll
    2009-01-23 20:51 . 2009-01-23 20:51 <DIR> d-------- c:\program files\Common Files\PCSuite
    2009-01-23 20:49 . 2009-01-23 20:49 <DIR> d-------- c:\program files\PC Connectivity Solution
    2009-01-23 20:49 . 2008-08-26 09:26 18,816 --a------ c:\windows\System32\drivers\pccsmcfd.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-02-22 14:39 --------- d-----w c:\program files\VSO
    2009-02-13 04:51 --------- d-----w c:\users\Chris\AppData\Roaming\Vso
    2009-02-13 04:51 --------- d-----w c:\users\Chris\AppData\Roaming\CopyToDvd
    2009-02-12 21:06 --------- d-----w c:\program files\Google
    2009-02-12 16:21 --------- d-----w c:\program files\Common Files\Real
    2009-02-12 15:01 --------- d-----w c:\users\Chris\AppData\Roaming\dvdcss
    2009-02-12 05:17 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
    2009-02-11 13:08 --------- d-----w c:\program files\Opera
    2009-02-11 02:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
    2009-02-11 02:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
    2009-02-05 12:26 --------- d-----w c:\programdata\P4G
    2009-02-05 12:26 --------- d-----w c:\programdata\FLEXnet
    2009-02-04 01:58 --------- d-----w c:\programdata\avg8
    2009-02-03 05:03 --------- d-----w c:\program files\ATKOSD2
    2009-01-25 03:43 --------- d--h--w c:\program files\InstallShield Installation Information
    2009-01-23 12:51 --------- d-----w c:\program files\Common Files\Nokia
    2009-01-23 12:46 --------- d-----w c:\program files\Nokia
    2009-01-23 12:35 --------- d-----w c:\programdata\Installations
    2009-01-23 07:01 --------- d-----w c:\programdata\PC Suite
    2009-01-19 14:30 --------- d-----w c:\program files\Direct MIDI to MP3 Converter
    2009-01-19 13:26 --------- d-----w c:\program files\feng
    2009-01-18 05:21 319,456 ----a-w c:\windows\DIFxAPI.dll
    2009-01-18 05:21 --------- d-----w c:\program files\Realtek
    2009-01-17 16:14 --------- d-----w c:\program files\Common Files\LightScribe
    2009-01-17 06:36 --------- d-----w c:\programdata\Stardock
    2009-01-17 06:36 --------- d-----w c:\program files\Stardock
    2009-01-17 06:24 --------- d-----w c:\users\Chris\AppData\Roaming\TuneUp Software
    2009-01-17 06:24 --------- d-----w c:\program files\TuneUp Utilities 2009
    2009-01-17 06:23 --------- d-sh--w c:\programdata\{55A29068-F2CE-456C-9148-C869879E2357}
    2009-01-17 06:23 --------- d-----w c:\programdata\TuneUp Software
    2009-01-17 02:58 --------- d-----w c:\program files\PowerISO
    2009-01-15 05:53 --------- d-----w c:\program files\Bonjour
    2009-01-15 05:53 --------- d-----w c:\program files\ATKGFNEX
    2009-01-15 05:53 --------- d-----w c:\program files\ATK Hotkey
    2009-01-15 05:46 --------- d-----w c:\program files\Wireless Console 2
    2009-01-15 05:46 --------- d-----w c:\program files\Windows Sidebar
    2009-01-15 05:46 --------- d-----w c:\program files\Windows Defender
    2009-01-15 05:46 --------- d-----w c:\program files\P4G
    2009-01-15 04:39 --------- d-----w c:\program files\AskBarDis
    2009-01-15 04:36 --------- d-----w c:\program files\AVG
    2009-01-15 04:34 --------- d-----w c:\program files\Common Files\Symantec Shared
    2009-01-15 04:31 --------- d-----w c:\programdata\Symantec
    2009-01-15 04:31 --------- d-----w c:\program files\Symantec
    2009-01-14 13:33 --------- d-----w c:\program files\Windows Mail
    2009-01-11 11:17 --------- d-----w c:\programdata\CyberLink
    2009-01-08 05:08 --------- d-----w c:\users\Chris\AppData\Roaming\CyberLink
    2008-12-27 03:47 --------- d-----w c:\users\Chris\AppData\Roaming\Nokia
    2008-12-23 07:53 --------- d-----w c:\program files\WinAce
    2008-11-25 02:35 84 ---ha-w c:\users\All Users\aspg.dat
    2008-11-25 02:35 84 ---ha-w c:\programdata\aspg.dat
    2008-10-19 11:05 456,272 ----a-w c:\users\All Users\pswi_preloaded.exe
    2008-10-19 11:05 456,272 ----a-w c:\programdata\pswi_preloaded.exe
    2008-10-18 07:34 81,920 ----a-w c:\users\Chris\AppData\Roaming\ezpinst.exe
    2008-10-18 07:34 47,360 ----a-w c:\users\Chris\AppData\Roaming\pcouffin.sys
    2008-01-21 02:57 174 --sha-w c:\program files\desktop.ini
    2009-02-02 19:50 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
    2009-02-02 19:50 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
    2009-02-02 19:50 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
    2009-02-02 19:50 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
    2009-02-02 19:50 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
    2008-10-20 05:54 88 --sha-r c:\windows\System32\7A81B36C98.sys
    2008-10-20 05:55 2,828 --sha-w c:\windows\System32\KGyGaAvL.sys
    .

    ((((((((((((((((((((((((((((( SnapShot_2009-02-22_21.35.49.18 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-02-23 05:25:01 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
    - 2009-02-22 03:09:18 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
    + 2009-02-23 05:25:29 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
    - 2009-02-22 13:27:26 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
    + 2009-02-23 05:25:28 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
    + 2009-02-23 05:25:28 262,144 ---ha-w c:\windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
    - 2009-02-22 10:59:08 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2009-02-23 04:41:20 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2009-02-22 10:59:08 49,152 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2009-02-23 04:41:20 49,152 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2009-02-22 10:59:08 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2009-02-23 04:41:20 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2009-02-22 03:09:17 12,886 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2604780666-1855635130-1160332280-1000_UserData.bin
    + 2009-02-23 05:27:01 12,918 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2604780666-1855635130-1160332280-1000_UserData.bin
    - 2009-02-22 03:09:17 100,926 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
    + 2009-02-23 05:27:01 100,934 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
    - 2009-02-22 03:09:15 56,086 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
    + 2009-02-23 05:26:57 56,246 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ADSMOverlayIcon1]
    @="{A8D448F4-0431-45AC-9F5E-E1B434AB2249}"
    [HKEY_CLASSES_ROOT\CLSID\{A8D448F4-0431-45AC-9F5E-E1B434AB2249}]
    2007-06-02 08:08 143360 --a------ c:\program files\ASUS\ASUS Data Security Manager\OverlayIconShlExt1.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
    "LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-12-06 2387968]
    "Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-09-20 4347120]
    "PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2008-12-03 1205760]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
    "AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2009-01-03 2356088]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Microsoft Pinyin IME Migration"="c:\progra~1\COMMON~1\MICROS~1\IME12\IMESC\IMSCMIG.EXE" [2006-10-27 32560]
    "HControlUser"="c:\program files\ATK Hotkey\HcontrolUser.exe" [2008-01-12 98304]
    "ATKOSD2"="c:\program files\ATKOSD2\ATKOSD2.exe" [2008-01-24 7766016]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-22 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-22 166424]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-22 133656]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 1029416]
    "ASUS Camera ScreenSaver"="c:\windows\ASScrProlog.exe" [2008-08-25 37232]
    "ASUS Screen Saver Protector"="c:\windows\ASScrPro.exe" [2008-08-25 33136]
    "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-04 1601304]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-02-13 185872]
    "RtHDVCpl"="RtHDVCpl.exe" [2007-11-23 c:\windows\RtHDVCpl.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]

    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-04-11 752168]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=avgrsstx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "msacm.l3codecp"= l3codecp.acm
    "msacm.avis"= ff_acm.acm

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk /r \??\i:\0autocheck autochk /r \??\H:\0autocheck autochk *

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
    backup=c:\windows\pss\WinZip Quick Pick.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    --a------ 2008-01-12 13:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDRegion]
    -r------- 2007-11-17 11:20 91432 c:\program files\CyberLink\Shared Files\brs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CLMLServer]
    --a------ 2008-07-19 10:52 104936 c:\program files\CyberLink\Power2Go\CLMLSvc.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    --a------ 2006-10-27 15:47 31016 c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    --a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
    --------- 2007-10-11 12:06 62760 c:\program files\CyberLink\PowerDVD\Language\Language.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P2Go_Menu]
    --a------ 2008-06-14 09:11 210216 c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
    --a------ 2008-07-07 15:34 167936 c:\program files\PowerISO\PWRISOVM.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
    --------- 2007-10-28 09:35 72736 c:\program files\CyberLink\PowerDVD\PDVDServ.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    --a------ 2008-10-18 16:24 136600 c:\program files\Java\jre6\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    --a------ 2009-02-13 00:21 185872 c:\program files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
    --a------ 2006-09-08 01:19 15872 c:\program files\Unlocker\UnlockerAssistant.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdatePPShortCut]
    --------- 2008-01-05 02:02 222504 c:\program files\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2604780666-1855635130-1160332280-1000]
    "EnableNotificationsRef"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
    "{E6D5117B-3B59-4AD3-8131-89637E355324}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
    "{9CE88676-B457-421D-BB8B-94858452D8BF}"= c:\program files\Cyberlink\PowerDirector\PDR.EXE:CyberLink PowerDirector
    "{ADD9768A-B85E-4F2F-9051-F04001D47C94}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
    "{0F1526F2-698A-4EC8-AD75-A50D789FAC0E}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
    "{7603A25D-882D-4C67-BBE9-E13B47081310}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
    "{C223190F-67DF-44B6-843E-B814852C9E30}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
    "{5DDFBBA9-2D8F-4FA6-A664-8693C3A7B7B0}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
    "{EDF86280-60E8-4FD2-92CE-80673B1ABFF5}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
    "{3F1C817B-AAEF-42ED-B4C2-3F71D9750568}"= c:\program files\Cyberlink\PowerDVD\PowerDVD.EXE:CyberLink PowerDVD
    "TCP Query User{1D9CF969-4B70-41C0-A067-7BDC0C2DCAE1}c:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= UDP:c:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger
    "UDP Query User{C0B8E7EF-B475-41EB-BA5A-18BCA13B6219}c:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= TCP:c:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger
    "{3DDBCAB7-B44E-4CA5-9319-1567406E6C9B}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
    "{E228A32D-5C8C-4C72-8282-B824569F0669}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
    "{21AB7F65-718D-4B69-9468-03065D39B3B5}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
    "{AEB28633-F226-4753-9CB4-056573A2BE9E}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
    "{DA354452-5B8C-4700-8C0A-1470459F18AA}"= c:\program files\AVG\AVG8\avgupd.exe:avgupd.exe
    "{F5BCCFD2-9972-4A8F-AA07-A24DA725DB92}"= c:\program files\AVG\AVG8\avgnsx.exe:avgnsx.exe
    "TCP Query User{4C0E4E2E-C1BC-4777-96B6-7612D3B95D22}c:\\program files\\mozilla firefox\\firefox.exe"= UDP:c:\program files\mozilla firefox\firefox.exe:Firefox
    "UDP Query User{691488C3-E5A0-458C-97B7-D0FA59125057}c:\\program files\\mozilla firefox\\firefox.exe"= TCP:c:\program files\mozilla firefox\firefox.exe:Firefox
    "TCP Query User{A6EB96DF-E777-4313-B816-11D589AAA94D}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:μTorrent
    "UDP Query User{779B8D8D-3F75-418A-AD5D-CBE79AA48FF8}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:μTorrent
    "TCP Query User{81AB6F39-85E8-4737-8D0A-95DB9D999745}c:\\program files\\mozilla firefox\\firefox.exe"= UDP:c:\program files\mozilla firefox\firefox.exe:Firefox
    "UDP Query User{FB21594E-55DC-4C7B-A18A-7258EC7E0F73}c:\\program files\\mozilla firefox\\firefox.exe"= TCP:c:\program files\mozilla firefox\firefox.exe:Firefox
    "{2BD64F00-D9C8-45EC-8EEE-EB3B7F1056DE}"= UDP:8888:Win2DS
    "{80D75A46-3365-4924-855C-A9947BB04F72}"= UDP:g:\level up! games\Grand Chase PH\main.exe:GrandChase
    "{8575A2BA-4849-45A5-B0AD-6C6DFC9F2001}"= TCP:g:\level up! games\Grand Chase PH\main.exe:GrandChase

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
    "DoNotAllowExceptions"= 0 (0x0)

    R0 pavboot;pavboot;c:\windows\System32\drivers\pavboot.sys [2009-02-03 28544]
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [2009-02-04 325128]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [2009-02-04 107272]
    R2 {95808DC4-FA4A-4C74-92FE-5B863F82066B};{95808DC4-FA4A-4C74-92FE-5B863F82066B};c:\program files\CyberLink\PowerDVD\000.fcl [2007-11-03 00:12:32 41456]
    R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-02-04 298264]
    R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\System32\TUProgSt.exe [2009-01-17 603904]
    R3 CRFILTER;USB Mass Storage Filter;c:\windows\System32\drivers\CRFILTER.sys [2008-04-07 6656]
    S2 gupdate1c96116a681bcde;Google Update Service (gupdate1c96116a681bcde);c:\program files\Google\Update\GoogleUpdate.exe [2008-12-18 133104]
    S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\System32\drivers\btwl2cap.sys [2008-08-25 29736]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
    bthsvcs REG_MULTI_SZ BthServ

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    UxTuneUp

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    "c:\program files\Common Files\LightScribe\LSRunOnce.exe"
    .
    Contents of the 'Scheduled Tasks' folder

    2009-02-23 c:\windows\Tasks\1-Click Maintenance.job
    - c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2008-11-20 16:28]

    2009-02-23 c:\windows\Tasks\GoogleUpdateTaskMachine.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2008-12-18 21:43]

    2009-02-22 c:\windows\Tasks\User_Feed_Synchronization-{CC929265-66CD-41B1-8FA6-F9C1E6663B87}.job
    - c:\windows\system32\msfeedssync.exe [2008-01-21 10:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com
    mStart Page = hxxp://www.yahoo.com/
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
    uInternet Settings,ProxyOverride = <local>
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    FF - ProfilePath - c:\users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\lwk7zeyx.default\
    FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
    FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
    FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
    FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.allow_platform_file_picker", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.hideGoButton", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("signon.prefillForms", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.enabled", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.remoteLookups", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.updateURL", "http://sb.google.com/safebrowsing/update?client={moz:client}&appver={moz:version}&");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.lookupURL", "http://sb.google.com/safebrowsing/lookup?sourceid=firefox-antiphish&features=TrustRank&client={moz:client}&appver={moz:version}&");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.reportURL", "http://sb.google.com/safebrowsing/report?");
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-02-23 13:25:43
    Windows 6.0.6001 Service Pack 1 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    C:\ADSM_PData_0150

    scan completed successfully
    hidden files: 1

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'Explorer.exe'(5212)
    c:\program files\ASUS\ASUS Data Security Manager\OverlayIconShlExt.dll
    c:\program files\ASUS\ASUS Data Security Manager\OverlayIconShlExt1.dll
    c:\windows\system32\btmmhook.dll
    c:\windows\system32\pnidui.dll
    c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
    c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
    c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng.nlr
    c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
    蘒rtableDeviceApi.dll 6fee0000 253952 蘒\Windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\System32\audiodg.exe
    c:\program files\asus\ASUS Data Security Manager\ADSMSrv.exe
    c:\program files\ATK Hotkey\AsLdrSrv.exe
    c:\program files\ATKGFNEX\GFNEXSrv.exe
    c:\windows\System32\wlanext.exe
    c:\program files\asus\SmartLogon\sensorsrv.exe
    c:\program files\ATK Hotkey\HControl.exe
    c:\program files\ATK Hotkey\MsgTranAgt.exe
    c:\program files\asus\ASUS CopyProtect\ASPG.exe
    c:\program files\P4G\BatteryLife.exe
    c:\program files\asus\Splendid\ACMON.exe
    c:\windows\System32\agrsmsvc.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    c:\windows\System32\conime.exe
    c:\program files\Common Files\LightScribe\LSSrvc.exe
    c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
    c:\progra~1\AVG\AVG8\avgrsx.exe
    c:\progra~1\AVG\AVG8\avgnsx.exe
    c:\windows\System32\ACEngSvr.exe
    c:\windows\System32\PSIService.exe
    c:\program files\CyberLink\Shared Files\RichVideo.exe
    c:\program files\ATK Hotkey\ATKOSD.exe
    c:\program files\asus\NB Probe\SPM\spmgr.exe
    c:\program files\ATK Hotkey\KBFiltr.exe
    c:\program files\ATK Hotkey\WDC.exe
    c:\windows\System32\WUDFHost.exe
    c:\windows\servicing\TrustedInstaller.exe
    c:\windows\System32\igfxsrvc.exe
    c:\program files\AVG\AVG8\avgtray.exe
    c:\windows\System32\wbem\unsecapp.exe
    c:\program files\Windows Media Player\wmpnetwk.exe
    c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    c:\program files\Synaptics\SynTP\SynTPHelper.exe
    c:\program files\PC Connectivity Solution\ServiceLayer.exe
    c:\program files\PC Connectivity Solution\Transports\NclUSBSrv.exe
    c:\program files\PC Connectivity Solution\Transports\NclRSSrv.exe
    c:\program files\PC Connectivity Solution\Transports\NclMSBTSrv.exe
    .
    **************************************************************************
    .
    Completion time: 2009-02-23 13:34:21 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-02-23 05:34:05
    ComboFix2.txt 2009-02-22 13:36:55
    ComboFix3.txt 2009-02-15 09:36:53
    ComboFix4.txt 2009-02-05 15:24:00
    ComboFix5.txt 2009-02-23 05:20:10

    Pre-Run: 6,323,589,120 bytes free
    Post-Run: 6,286,626,816 bytes free

    385 --- E O F --- 2009-02-11 03:46:56

    The Safe.txt log


    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
    AlternateShell REG_SZ cmd.exe

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment
    ComSpec REG_EXPAND_SZ %SystemRoot%\system32\cmd.exe
    FP_NO_HOST_CHECK REG_SZ NO
    OS REG_SZ Windows_NT
    Path REG_EXPAND_SZ %systemroot%\system32;%systemroot%;%systemroot%\system32\wbem;C:\Program Files\PC Connectivity Solution;C:\Program Files\QuickTime\QTSystem
    PATHEXT REG_SZ .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
    PROCESSOR_ARCHITECTURE REG_SZ x86
    TEMP REG_EXPAND_SZ %SystemRoot%\TEMP
    TMP REG_EXPAND_SZ %SystemRoot%\TEMP
    USERNAME REG_SZ SYSTEM
    windir REG_EXPAND_SZ %SystemRoot%
    PROCESSOR_LEVEL REG_SZ 6
    PROCESSOR_IDENTIFIER REG_SZ x86 Family 6 Model 15 Stepping 13, GenuineIntel
    PROCESSOR_REVISION REG_SZ 0f0d
    NUMBER_OF_PROCESSORS REG_SZ 2
    TRACE_FORMAT_SEARCH_PATH REG_EXPAND_SZ \\NTREL202.ntdev.corp.microsoft.com\4F18C3A5-CA09-4DBD-B6FC-219FDD4C6BE0\TraceFormat
    DFSTRACINGON REG_EXPAND_SZ FALSE
    configsetroot REG_EXPAND_SZ %SystemRoot%\ConfigSetRoot
    CLASSPATH REG_SZ .;C:\Program Files\Java\jre6\lib\ext\QTJava.zip
    QTJAVA REG_SZ C:\Program Files\Java\jre6\lib\ext\QTJava.zip


    HKEY_CURRENT_USER\Environment
    TEMP REG_EXPAND_SZ %USERPROFILE%\AppData\Local\Temp
    TMP REG_EXPAND_SZ %USERPROFILE%\AppData\Local\Temp
     
  9. 2009/02/22
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    I'd like to get a sample of that file. Please upload c:\windows\System32\acovcnt.exe to my submission channel for analysis. Leave a link back to this topic.
     
  10. 2009/02/23
    clubECGR

    clubECGR Inactive Thread Starter

    Joined:
    2008/10/15
    Messages:
    170
    Likes Received:
    0
    By the way, is it normal for a computer to browse a webpage and then automatically reload it, or was it just my internet connection that triggers the reloading of that certain webpage?

    It gives me the chills that the "reloading" action is being caused by a third party.

    Let's say I open this page, and then a few seconds later it reloads as if I pressed the refresh button. It happens all the time. But I can now update my AVG.
     
  11. 2009/02/23
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    I believe that is a legitimate file related to Asus Chameleon Engine. Do you have Asus hardware? Is there Asus software listed in the Add/Remove programs list?
     
  12. 2009/02/23
    clubECGR

    clubECGR Inactive Thread Starter

    Joined:
    2008/10/15
    Messages:
    170
    Likes Received:
    0
    Oh... so it was an Asus file. Silly me. I didn't notice it since the malware struck. And the size is very suspicious, since I have met a lot of 44KB EXE files in the past. It's the only one that has that file size. It's also an EXE file. The last files I know of that had that file size were the files created by the brontok.b virus back in 2005.

    This is an Asus F80L Santa Rosa 1.66 GHz T5450 laptop I'm using. It was for my mom, and I'm using it for the moment. I'll see what an Asus Chameleon Engine is.

    I now believe it's an Asus Chameleon Engine file. I just saw it on a Spanish site.

    According to an Asus forum that I checked, it is associated with Splendid Video Technology, using the Chameleon Engine.

    So I have to ignore this file because it's an Asus file. Thank you for the analysis of the file.

    Regards,
    Chris
     
  13. 2009/02/23
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Whew .... glad we got that figured out. :)

    Provided everything is working normally now, we should be done and ready to clean up our tools. I need sleep and will check in tomorrow evening.
     
  14. 2009/03/08
    clubECGR

    clubECGR Inactive Thread Starter

    Joined:
    2008/10/15
    Messages:
    170
    Likes Received:
    0
    I just want to make sure everything is clean. What are the things I need to do or run in order to make sure nothing is now in my mom's laptop? Should I do ComboFix for the last time? Run a Kaspersky Online scan? Just one more scan and it's time to clean things up.

    Sorry I haven't posted recently, as there's no e-mail that I received from the WindowsBBS team.

    --

    I wonder why avocnt was detected. I know I saw one in the quarantine section of the Qoobox *checks name* (yup, it's qoobox) with the name avocnt.exe.vr. Was it a misinterpretation? It's in the quarantine folder.

    --

    Anyway, I'll run the last thing you asked me, since I want to make sure my mom's laptop is clean. *checks the last scan*

    Regards,
    Chris Claveria

    --

    Here's a ComboFix log from today. It has deleted the avcont.exe file. If it was from Asus then it's no big deal, is it? I think it's time to clean up now, or do I have to do something else? Just take your time there and come back to me if you have time. I can wait.

    ComboFix 09-03-06.02 - Chris 2009-03-08 23:05:39.7 - NTFSx86 NETWORK
    Running from: c:\users\Chris\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\acovcnt.exe

    .
    ((((((((((((((((((((((((( Files Created from 2009-02-08 to 2009-03-08 )))))))))))))))))))))))))))))))
    .

    No new files created in this timespan

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-03-07 04:48 --------- d-----w c:\users\Chris\AppData\Roaming\dvdcss
    2009-03-03 14:42 --------- d-----w c:\program files\IrfanView
    2009-02-26 09:50 --------- d-----w c:\programdata\CyberLink
    2009-02-22 14:39 --------- d-----w c:\program files\VSO
    2009-02-13 04:51 --------- d-----w c:\users\Chris\AppData\Roaming\Vso
    2009-02-13 04:51 --------- d-----w c:\users\Chris\AppData\Roaming\CopyToDvd
    2009-02-12 21:06 --------- d-----w c:\program files\Google
    2009-02-12 16:22 --------- d-----w c:\program files\Common Files\xing shared
    2009-02-12 16:21 --------- d-----w c:\program files\Common Files\Real
    2009-02-12 05:17 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
    2009-02-11 13:08 --------- d-----w c:\program files\Opera
    2009-02-11 10:02 --------- d-----w c:\program files\Ashampoo
    2009-02-11 02:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
    2009-02-11 02:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
    2009-02-09 11:18 --------- d-----w c:\program files\Common Files\INCA Shared
    2009-02-07 15:04 --------- d-----w c:\program files\DivXLand
    2009-02-05 12:26 --------- d-----w c:\programdata\P4G
    2009-02-05 12:26 --------- d-----w c:\programdata\FLEXnet
    2009-02-04 13:21 --------- d-----w c:\program files\Opera 10 Preview
    2009-02-04 01:59 325,128 ----a-w c:\windows\system32\drivers\avgldx86.sys
    2009-02-04 01:59 107,272 ----a-w c:\windows\system32\drivers\avgtdix.sys
    2009-02-04 01:59 10,520 ----a-w c:\windows\System32\avgrsstx.dll
    2009-02-04 01:58 --------- d-----w c:\programdata\avg8
    2009-02-03 13:35 --------- d-----w c:\program files\Panda Security
    2009-02-03 13:11 --------- d-----w c:\program files\Trend Micro
    2009-02-03 05:03 --------- d-----w c:\program files\ATKOSD2
    2009-01-30 07:07 19,170,816 ----a-w c:\windows\System32\imageres.dll
    2009-01-27 11:43 --------- d-----w c:\program files\FREE Hi-Q Recorder
    2009-01-25 03:43 --------- d--h--w c:\program files\InstallShield Installation Information
    2009-01-25 03:43 --------- d-----w c:\program files\Panasonic
    2009-01-23 12:51 --------- d-----w c:\program files\Common Files\PCSuite
    2009-01-23 12:51 --------- d-----w c:\program files\Common Files\Nokia
    2009-01-23 12:49 --------- d-----w c:\program files\PC Connectivity Solution
    2009-01-23 12:46 --------- d-----w c:\program files\Nokia
    2009-01-23 12:35 --------- d-----w c:\programdata\Installations
    2009-01-23 07:01 --------- d-----w c:\programdata\PC Suite
    2009-01-19 14:30 --------- d-----w c:\program files\Direct MIDI to MP3 Converter
    2009-01-19 13:26 --------- d-----w c:\program files\feng
    2009-01-18 05:21 319,456 ----a-w c:\windows\DIFxAPI.dll
    2009-01-18 05:21 --------- d-----w c:\program files\Realtek
    2009-01-17 16:14 --------- d-----w c:\program files\Common Files\LightScribe
    2009-01-17 06:36 --------- d-----w c:\programdata\Stardock
    2009-01-17 06:36 --------- d-----w c:\program files\Stardock
    2009-01-17 06:24 603,904 ----a-w c:\windows\System32\TUProgSt.exe
    2009-01-17 06:24 362,240 ----a-w c:\windows\System32\TuneUpDefragService.exe
    2009-01-17 06:24 --------- d-----w c:\users\Chris\AppData\Roaming\TuneUp Software
    2009-01-17 06:24 --------- d-----w c:\program files\TuneUp Utilities 2009
    2009-01-17 06:23 --------- d-sh--w c:\programdata\{55A29068-F2CE-456C-9148-C869879E2357}
    2009-01-17 06:23 --------- d-----w c:\programdata\TuneUp Software
    2009-01-17 02:58 --------- d-----w c:\program files\PowerISO
    2009-01-15 06:11 827,392 ----a-w c:\windows\System32\wininet.dll
    2009-01-15 05:53 --------- d-----w c:\program files\Bonjour
    2009-01-15 05:53 --------- d-----w c:\program files\ATKGFNEX
    2009-01-15 05:53 --------- d-----w c:\program files\ATK Hotkey
    2009-01-15 05:46 --------- d-----w c:\program files\Wireless Console 2
    2009-01-15 05:46 --------- d-----w c:\program files\Windows Sidebar
    2009-01-15 05:46 --------- d-----w c:\program files\Windows Defender
    2009-01-15 05:46 --------- d-----w c:\program files\P4G
    2009-01-15 04:39 --------- d-----w c:\program files\AskBarDis
    2009-01-15 04:36 --------- d-----w c:\program files\AVG
    2009-01-15 04:34 --------- d-----w c:\program files\Common Files\Symantec Shared
    2009-01-15 04:31 --------- d-----w c:\programdata\Symantec
    2009-01-15 04:31 --------- d-----w c:\program files\Symantec
    2009-01-14 13:33 --------- d-----w c:\program files\Windows Mail
    2009-01-08 05:08 --------- d-----w c:\users\Chris\AppData\Roaming\CyberLink
    2008-12-12 03:18 87,336 ----a-w c:\windows\System32\dns-sd.exe
    2008-12-12 03:11 61,440 ----a-w c:\windows\System32\dnssd.dll
    2008-11-25 02:35 84 ---ha-w c:\users\All Users\aspg.dat
    2008-11-25 02:35 84 ---ha-w c:\programdata\aspg.dat
    2008-10-19 11:05 456,272 ----a-w c:\users\All Users\pswi_preloaded.exe
    2008-10-19 11:05 456,272 ----a-w c:\programdata\pswi_preloaded.exe
    2008-10-18 07:34 81,920 ----a-w c:\users\Chris\AppData\Roaming\ezpinst.exe
    2008-10-18 07:34 47,360 ----a-w c:\users\Chris\AppData\Roaming\pcouffin.sys
    2008-01-21 02:57 174 --sha-w c:\program files\desktop.ini
    2009-02-02 19:50 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
    2009-02-02 19:50 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
    2009-02-02 19:50 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
    2009-02-02 19:50 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
    2009-02-02 19:50 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
    2008-10-20 05:54 88 --sha-r c:\windows\System32\7A81B36C98.sys
    2008-10-20 05:55 2,828 --sha-w c:\windows\System32\KGyGaAvL.sys
    .

    ((((((((((((((((((((((((((((( SnapShot_2009-02-22_21.35.49.18 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2009-02-22 03:09:18 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
    + 2009-03-08 14:21:23 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
    - 2009-02-22 13:27:26 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
    + 2009-03-08 15:01:21 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
    - 2009-02-22 10:59:08 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    + 2009-03-08 14:36:53 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    - 2009-02-22 10:59:08 49,152 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    + 2009-03-08 14:36:53 49,152 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    - 2009-02-22 10:59:08 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    + 2009-03-08 14:36:53 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    - 2009-02-22 13:31:10 262,144 ----a-w c:\windows\System32\config\systemprofile\ntuser.dat
    + 2009-03-08 15:05:19 262,144 ----a-w c:\windows\System32\config\systemprofile\ntuser.dat
    - 2009-02-17 10:07:11 121,572 ----a-w c:\windows\System32\perfc009.dat
    + 2009-03-08 14:24:05 121,572 ----a-w c:\windows\System32\perfc009.dat
    - 2009-02-17 10:07:11 648,278 ----a-w c:\windows\System32\perfh009.dat
    + 2009-03-08 14:24:05 648,278 ----a-w c:\windows\System32\perfh009.dat
    - 2009-02-22 03:09:17 12,886 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2604780666-1855635130-1160332280-1000_UserData.bin
    + 2009-03-08 14:21:26 12,942 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2604780666-1855635130-1160332280-1000_UserData.bin
    - 2009-02-22 03:09:17 100,926 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
    + 2009-03-08 14:21:26 100,950 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
    - 2009-02-17 06:17:59 3,032 ----a-w c:\windows\System32\WDI\ERCQueuedResolutions.dat
    + 2009-02-27 05:31:52 3,032 ----a-w c:\windows\System32\WDI\ERCQueuedResolutions.dat
    - 2009-02-22 03:09:15 56,086 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
    + 2009-03-08 14:21:24 56,534 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ADSMOverlayIcon1]
    @= "{A8D448F4-0431-45AC-9F5E-E1B434AB2249} "
    [HKEY_CLASSES_ROOT\CLSID\{A8D448F4-0431-45AC-9F5E-E1B434AB2249}]
    2007-06-02 08:08 143360 --a------ c:\program files\ASUS\ASUS Data Security Manager\OverlayIconShlExt1.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar "= "c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]
    "LightScribe Control Panel "= "c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-12-06 2387968]
    "Messenger (Yahoo!) "= "c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-09-20 4347120]
    "PC Suite Tray "= "c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2008-12-03 1205760]
    "WMPNSCFG "= "c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Microsoft Pinyin IME Migration "= "c:\progra~1\COMMON~1\MICROS~1\IME12\IMESC\IMSCMIG.EXE" [2006-10-27 32560]
    "HControlUser "= "c:\program files\ATK Hotkey\HcontrolUser.exe" [2008-01-12 98304]
    "ATKOSD2 "= "c:\program files\ATKOSD2\ATKOSD2.exe" [2008-01-24 7766016]
    "IgfxTray "= "c:\windows\system32\igfxtray.exe" [2008-02-22 141848]
    "HotKeysCmds "= "c:\windows\system32\hkcmd.exe" [2008-02-22 166424]
    "Persistence "= "c:\windows\system32\igfxpers.exe" [2008-02-22 133656]
    "SynTPEnh "= "c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 1029416]
    "ASUS Camera ScreenSaver "= "c:\windows\ASScrProlog.exe" [2008-08-25 37232]
    "ASUS Screen Saver Protector "= "c:\windows\ASScrPro.exe" [2008-08-25 33136]
    "AVG8_TRAY "= "c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-04 1601304]
    "TkBellExe "= "c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-02-13 185872]
    "RtHDVCpl "= "RtHDVCpl.exe" [2007-11-23 c:\windows\RtHDVCpl.exe]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "GrpConv "= "grpconv -o" [X]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar "= "c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1233920]

    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2008-04-11 752168]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA "= 0 (0x0)
    "EnableUIADesktopToggle "= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs "=avgrsstx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "msacm.l3codecp "= l3codecp.acm
    "msacm.avis "= ff_acm.acm

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk /r \??\i:\0autocheck autochk /r \??\H:\0autocheck autochk *

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
    backup=c:\windows\pss\WinZip Quick Pick.lnk.CommonStartup
    backupExtension=.CommonStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    --a------ 2008-01-12 13:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDRegion]
    -r------- 2007-11-17 11:20 91432 c:\program files\CyberLink\Shared Files\brs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CLMLServer]
    --a------ 2008-07-19 10:52 104936 c:\program files\CyberLink\Power2Go\CLMLSvc.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    --a------ 2006-10-27 15:47 31016 c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    --a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
    --------- 2007-10-11 12:06 62760 c:\program files\CyberLink\PowerDVD\Language\Language.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P2Go_Menu]
    --a------ 2008-06-14 09:11 210216 c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
    --a------ 2008-07-07 15:34 167936 c:\program files\PowerISO\PWRISOVM.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
    --------- 2007-10-28 09:35 72736 c:\program files\CyberLink\PowerDVD\PDVDServ.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    --a------ 2008-10-18 16:24 136600 c:\program files\Java\jre6\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    --a------ 2009-02-13 00:21 185872 c:\program files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
    --a------ 2006-09-08 01:19 15872 c:\program files\Unlocker\UnlockerAssistant.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdatePPShortCut]
    --------- 2008-01-05 02:02 222504 c:\program files\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2604780666-1855635130-1160332280-1000]
    "EnableNotificationsRef "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
    "{E6D5117B-3B59-4AD3-8131-89637E355324} "= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
    "{9CE88676-B457-421D-BB8B-94858452D8BF} "= c:\program files\Cyberlink\PowerDirector\PDR.EXE:CyberLink PowerDirector
    "{ADD9768A-B85E-4F2F-9051-F04001D47C94} "= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
    "{0F1526F2-698A-4EC8-AD75-A50D789FAC0E} "= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
    "{7603A25D-882D-4C67-BBE9-E13B47081310} "= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
    "{C223190F-67DF-44B6-843E-B814852C9E30} "= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
    "{5DDFBBA9-2D8F-4FA6-A664-8693C3A7B7B0} "= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
    "{EDF86280-60E8-4FD2-92CE-80673B1ABFF5} "= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
    "{F5BC9398-A989-4210-A84B-6CFE1F74991E} "= UDP:c:\program files\uTorrent\uTorrent.exe:μTorrent (TCP-In)
    "{2A4240D2-F502-4FBC-8FA8-5504385E9928} "= TCP:c:\program files\uTorrent\uTorrent.exe:μTorrent (UDP-In)
    "{3F1C817B-AAEF-42ED-B4C2-3F71D9750568} "= c:\program files\Cyberlink\PowerDVD\PowerDVD.EXE:CyberLink PowerDVD
    "TCP Query User{1D9CF969-4B70-41C0-A067-7BDC0C2DCAE1}c:\\program files\\yahoo!\\messenger\\yahoomessenger.exe "= UDP:c:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger
    "UDP Query User{C0B8E7EF-B475-41EB-BA5A-18BCA13B6219}c:\\program files\\yahoo!\\messenger\\yahoomessenger.exe "= TCP:c:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger
    "{3DDBCAB7-B44E-4CA5-9319-1567406E6C9B} "= UDP:c:\program files\iTunes\iTunes.exe:iTunes
    "{E228A32D-5C8C-4C72-8282-B824569F0669} "= TCP:c:\program files\iTunes\iTunes.exe:iTunes
    "{21AB7F65-718D-4B69-9468-03065D39B3B5} "= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
    "{AEB28633-F226-4753-9CB4-056573A2BE9E} "= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
    "{DA354452-5B8C-4700-8C0A-1470459F18AA} "= c:\program files\AVG\AVG8\avgupd.exe:avgupd.exe
    "{F5BCCFD2-9972-4A8F-AA07-A24DA725DB92} "= c:\program files\AVG\AVG8\avgnsx.exe:avgnsx.exe
    "TCP Query User{4C0E4E2E-C1BC-4777-96B6-7612D3B95D22}c:\\program files\\mozilla firefox\\firefox.exe "= UDP:c:\program files\mozilla firefox\firefox.exe:Firefox
    "UDP Query User{691488C3-E5A0-458C-97B7-D0FA59125057}c:\\program files\\mozilla firefox\\firefox.exe "= TCP:c:\program files\mozilla firefox\firefox.exe:Firefox
    "TCP Query User{81AB6F39-85E8-4737-8D0A-95DB9D999745}c:\\program files\\mozilla firefox\\firefox.exe "= UDP:c:\program files\mozilla firefox\firefox.exe:Firefox
    "UDP Query User{FB21594E-55DC-4C7B-A18A-7258EC7E0F73}c:\\program files\\mozilla firefox\\firefox.exe "= TCP:c:\program files\mozilla firefox\firefox.exe:Firefox
    "{2BD64F00-D9C8-45EC-8EEE-EB3B7F1056DE} "= UDP:8888:Win2DS
    "{80D75A46-3365-4924-855C-A9947BB04F72} "= UDP:g:\level up! games\Grand Chase PH\main.exe:GrandChase
    "{8575A2BA-4849-45A5-B0AD-6C6DFC9F2001} "= TCP:g:\level up! games\Grand Chase PH\main.exe:GrandChase

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
    "DoNotAllowExceptions "= 0 (0x0)

    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [2009-02-04 107272]
    R3 CRFILTER;USB Mass Storage Filter;c:\windows\System32\drivers\CRFILTER.sys [2008-04-07 6656]
    S0 pavboot;pavboot;c:\windows\System32\drivers\pavboot.sys [2009-02-03 28544]
    S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [2009-02-04 325128]
    S2 {95808DC4-FA4A-4C74-92FE-5B863F82066B};{95808DC4-FA4A-4C74-92FE-5B863F82066B};c:\program files\CyberLink\PowerDVD\000.fcl [2007-11-03 00:12:32 41456]
    S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-02-04 298264]
    S2 gupdate1c96116a681bcde;Google Update Service (gupdate1c96116a681bcde);c:\program files\Google\Update\GoogleUpdate.exe [2008-12-18 133104]
    S2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\System32\TUProgSt.exe [2009-01-17 603904]
    S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\System32\drivers\btwl2cap.sys [2008-08-25 29736]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - ECACHE

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
    bthsvcs REG_MULTI_SZ BthServ

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    UxTuneUp

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    "c:\program files\Common Files\LightScribe\LSRunOnce.exe "
    .
    Contents of the 'Scheduled Tasks' folder

    2009-03-08 c:\windows\Tasks\1-Click Maintenance.job
    - c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2008-11-20 16:28]

    2009-03-08 c:\windows\Tasks\GoogleUpdateTaskMachine.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2008-12-18 21:43]

    2009-03-08 c:\windows\Tasks\User_Feed_Synchronization-{CC929265-66CD-41B1-8FA6-F9C1E6663B87}.job
    - c:\windows\system32\msfeedssync.exe [2008-01-21 10:34]
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-RunOnce-<NO NAME> - (no file)


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com
    mStart Page = hxxp://www.yahoo.com/
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
    uInternet Settings,ProxyOverride = <local>
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    FF - ProfilePath - c:\users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\lwk7zeyx.default\
    FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
    FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
    FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
    FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "ui.allow_platform_file_picker ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.cookie.p3plevel ", 1); // 0=low, 1=medium, 2=high, 3=custom
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.enablePad ", false); // Allow client to do proxy autodiscovery
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref( "security.remember_cert_checkbox_default_setting ", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "browser.urlbar.hideGoButton ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "browser.search.param.Google.1.default ", "chrome://branding/content/searchconfig.properties ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "browser.search.param.Google.1.custom ", "chrome://branding/content/searchconfig.properties ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "signon.prefillForms ", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "browser.safebrowsing.enabled ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "browser.safebrowsing.remoteLookups ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "browser.safebrowsing.provider.0.updateURL ", "http://sb.google.com/safebrowsing/update?client={moz:client}&appver={moz:version}& ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "browser.safebrowsing.provider.0.lookupURL ", "http://sb.google.com/safebrowsing/lookup?sourceid=firefox-antiphish&features=TrustRank&client={moz:client}&appver={moz:version}& ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "browser.safebrowsing.provider.0.reportURL ", "http://sb.google.com/safebrowsing/report? ");
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-03-08 23:09:05
    Windows 6.0.6001 Service Pack 1 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    C:\ADSM_PData_0150

    scan completed successfully
    hidden files: 1

    **************************************************************************
    .
    Completion time: 2009-03-08 23:11:35
    ComboFix-quarantined-files.txt 2009-03-08 15:11:33
    ComboFix2.txt 2009-02-23 05:43:16
    ComboFix3.txt 2009-02-22 13:36:55
    ComboFix4.txt 2009-02-15 09:36:53
    ComboFix5.txt 2009-03-08 15:04:57

    Pre-Run: The system cannot find message text for message number 0x2379 in the message file for Application.
    Post-Run: 942,743,552 bytes free

    319 --- E O F --- 2009-03-06 12:08:24
     
    Last edited: 2009/03/08
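As an added example (not from the thread and not ComboFix's own code), a small Python parser for the Find3M Report section of the logs posted above that lists the entries carrying both the hidden and system attributes, the combination that is easy to overlook when reading a log by eye. The sample lines are copied from the log above; the meaning of the attribute letters is inferred from the entries shown here and is an assumption.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One entry line of a ComboFix "Find3M Report":
#   YYYY-MM-DD HH:MM  <size with thousands separators, or dashes for a directory>  <7-char attrs>  <path>
# Assumed attribute letters (inferred from the log entries): 'd' = directory, 's' = system,
# 'h' = hidden, 'a' = archive, and the last character is 'w' (writable) or 'r' (read-only).
FIND3M_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2})\s+"
    r"(?P<size>[\d,]+|-+)\s+(?P<attrs>[-a-z]{7})\s+(?P<path>\S.*)$"
)


@dataclass
class Find3MEntry:
    date: str
    time: str
    size: Optional[int]  # None for directories, whose size column is dashes
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"

    @property
    def hidden(self) -> bool:
        return "h" in self.attrs

    @property
    def system(self) -> bool:
        return "s" in self.attrs


def parse_find3m(text: str) -> List[Find3MEntry]:
    """Parse every Find3M entry line in `text`; section headers and '.' separators are skipped."""
    entries = []
    for raw in text.splitlines():
        m = FIND3M_LINE.match(raw.strip())
        if not m:
            continue
        size = m["size"]
        entries.append(Find3MEntry(
            date=m["date"],
            time=m["time"],
            size=None if size.startswith("-") else int(size.replace(",", "")),
            attrs=m["attrs"],
            path=m["path"],
        ))
    return entries


def flag_hidden_system(entries: List[Find3MEntry], include_dirs: bool = False) -> List[Find3MEntry]:
    """Return entries carrying both the hidden and system attributes.

    Files with both flags stay out of a default Explorer view, which is why a manual log review
    can miss them. Legitimate files use the combination too (desktop.ini is the usual example),
    so the result is a triage list to look at, not a verdict.
    """
    return [e for e in entries if e.hidden and e.system and (include_dirs or not e.is_dir)]


# Constructed sample: lines copied from the Find3M report in the log above, plus a header and
# a separator line to show that non-entry lines are ignored.
SAMPLE_LOG = r"""
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-11 02:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-25 03:43 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-17 06:23 --------- d-sh--w c:\programdata\{55A29068-F2CE-456C-9148-C869879E2357}
2008-11-25 02:35 84 ---ha-w c:\programdata\aspg.dat
2008-01-21 02:57 174 --sha-w c:\program files\desktop.ini
2008-10-20 05:54 88 --sha-r c:\windows\System32\7A81B36C98.sys
2008-10-20 05:55 2,828 --sha-w c:\windows\System32\KGyGaAvL.sys
.
"""


if __name__ == "__main__":
    parsed = parse_find3m(SAMPLE_LOG)
    print(f"{len(parsed)} entries parsed")
    for e in flag_hidden_system(parsed):
        print(f"hidden+system: {e.path} ({e.size} bytes, {e.date} {e.time})")
```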
