#1
Registered User
Join Date: Jun 2008
Posts: 26
OS: xp sp2
Possible Malware Issue
When I logged onto my computer a few days ago, I found that the icons on my desktop had been alphabetized and rearranged -- the recycle bin in the bottom right corner, "My Computer" and "My Documents" gone -- none of them were where they used to be. The taskbar was missing the quick links toolbar I always used, and my Norton Internet Security icon was missing from the system tray. The title bars of windows seem smaller than normal, and the Minimize/Full screen/Close buttons are really small. All of the shortcuts above "All Programs" are gone. The entire Windows theme is oddly gray, noticeable on Explorer windows and when I highlight folders in the Start menu. My desktop background is a greyish blue color.

I change the THEME under Display Properties to "Windows XP" and the "greyness" goes away, but when I open up the Display Properties again, it has reverted back to a "Modified Theme" and the buttons in the title bar remain small. When I try to change the background, the mouse flickers, and nothing happens.

When I use Windows Explorer and progress through the directories, I get an odd message: "These files are hidden. This folder contains files that keep your system working properly. You should not modify its contents.", with the option to "Show the contents of this folder". The message appears when accessing C:, Program Files, Windows, and I assume other "important" directories. When I try to "Show hidden files and folders" under "Folder Options" in TOOLS, once again the mouse flickers, but nothing happens.

Another abnormality I have noticed is that when deleting files, I am no longer given the option to send anything to the Recycle Bin. If I right-click the recycle bin and click Properties, I get an error: "The properties for this item are not available." If I log out/log in or restart the computer, the desktop reverts back to the initial condition described above.

This very well may be but a separate issue related to the program, but I might as well mention that every time I open an audio/video file with Zoom Player, I get video but no sound, and any changes I make to the settings are defaulted when I close and open the player. I was thinking there may just be a codec issue or something reinstallation could fix, but I'm not one to see how all of this could or could not be related :D.

I have taken the following action:
- Updated Norton virus definitions and ran a full system scan: Trojan.Wimad fully removed; failed to remove Trojan.Adclicker and Trojan Horse (I found nothing in the registry related to this)
- Scan with Spybot Search and Destroy, and FIX
- Scan with Ad-Aware SE Personal, and FIX
- Full system scan with Norton in SAFEMODE; the same two Trojans could not be removed.
~I've also followed the five steps recommended and attached/posted the logs. Thank-you, I would greatly appreciate any assistance. Deckard's System Scanner v20071014.68 Run by HP_Owner on 2008-06-08 23:00:44 Computer is in Normal Mode. -------------------------------------------------------------------------------- -- System Restore -------------------------------------------------------------- Successfully created a Deckard's System Scanner Restore Point. -- Last 5 Restore Point(s) -- 105: 2008-06-09 05:01:09 UTC - RP437 - Deckard's System Scanner Restore Point 104: 2008-06-09 02:46:36 UTC - RP436 - Installed overland 103: 2008-06-09 02:41:49 UTC - RP435 - Removed Suitcase 102: 2008-06-09 02:26:23 UTC - RP434 - Removed Sony Ericsson PC Suite 1.20.173 101: 2008-06-09 02:18:21 UTC - RP433 - Removed Star Wars®: Knights of the Old Republic (TM) -- First Restore Point -- 1: 2008-03-09 10:01:10 UTC - RP333 - Software Distribution Service 3.0 Backed up registry hives. Performed disk cleanup. -- HijackThis (run as HP_Owner.exe) -------------------------------------------- Logfile of HijackThis v1.99.1 Scan saved at 11:04:08 PM, on 6/8/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Canon\CAL\CALMAIN.exe C:\Program Files\iPod\bin\iPodService.exe C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\explorer.exe C:\Documents and Settings\HP_Owner.AE066C3A9B\Desktop\dss.exe 
C:\PROGRA~1\HJT\HP_Owner.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.alot.com/sidebar?pr=as....1.200&q=Write smething&url=http://home.alot.com?client_id=DADB3D8001C8B00721386ABC&install_time=07-05-2008:00:02&src_id=11015&tb_version=1.2.1.200 (obfuscated) R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = R3 - Default URLSearchHook is missing O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: ALOT Toolbar - {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - C:\Program Files\alot\bin\alot.dll (file missing) O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common 
Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll O3 - Toolbar: ALOT Toolbar - {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - C:\Program Files\alot\bin\alot.dll (file missing) O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe" O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\RunOnce: [SymLnch] "C:\Documents and Settings\HP_Owner.AE066C3A9B\Application Data\Symantec\Layouts\Norton Internet Security\15.0\SymAllLanguages\NIS_RETAIL\20070826\Support\SymLnch\SymLnch.exe" "C:\Documents and Settings\HP_Owner.AE066C3A9B\Application Data\Symantec\Layouts\Norton Internet Security\15.0\SymAllLanguages\NIS_RETAIL\20070826\Setup.exe" "/REALUPREBOOT /temp /patched" O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll O15 - ProtocolDefaults: '@ivt' protocol is 
in My Computer Zone, should be Intranet Zone O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com.ezproxy.lrc.m.../ebraryRdr.cab O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813 O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/.../GAME_UNO1.cab O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. 
- C:\Program Files\Canon\CAL\CALMAIN.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing) O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing) O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing) O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: Print Spooler Service (iim9cotmohu) - Unknown owner - C:\WINDOWS\system32\fplljkduj.exe (file missing) O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe -- HijackThis Fixed Entries (C:\PROGRA~1\HJT\backups\) ------------------------- backup-20060518-202751-101 O1 - Hosts: 127.0.0.5 www.autoescrowpay.com backup-20060518-202751-102 O1 - Hosts: 127.0.0.5 www.allcount.net backup-20060518-202751-105 O1 - Hosts: 127.0.0.5 n-glx.s-redirect.com backup-20060518-202751-113 O1 - Hosts: 127.0.0.5 www.pizdato.biz backup-20060518-202751-119 O1 - Hosts: 127.0.0.5 txiframe.biz backup-20060518-202751-153 O1 - Hosts: 127.0.0.5 sexfiles.nu backup-20060518-202751-180 O1 - Hosts: 127.0.0.5 onedayoffer.biz backup-20060518-202751-186 O1 - Hosts: 127.0.0.5 awmcash.biz 
backup-20060518-202751-197 O1 - Hosts: 127.0.0.5 counter.sexmaniack.com backup-20060518-202751-267 O1 - Hosts: 127.0.0.5 www.awmdabest.com backup-20060518-202751-279 O1 - Hosts: 127.0.0.5 trafficbest.net backup-20060518-202751-290 O1 - Hosts: 127.0.0.5 www.procounter.biz backup-20060518-202751-299 O1 - Hosts: 127.0.0.5 vparivalka.com backup-20060518-202751-302 O1 - Hosts: 127.0.0.5 www.besthvac.com backup-20060518-202751-303 O1 - Hosts: 127.0.0.5 www.sp2******.biz backup-20060518-202751-320 O1 - Hosts: 127.0.0.5 www.toolbarpartner.com backup-20060518-202751-331 O1 - Hosts: 127.0.0.5 sp2******.biz backup-20060518-202751-335 O1 - Hosts: 127.0.0.5 advadmin.biz backup-20060518-202751-340 O1 - Hosts: 127.0.0.5 slutmania.biz backup-20060518-202751-346 O1 - Hosts: 127.0.0.5 loadcash.biz backup-20060518-202751-352 O1 - Hosts: 127.0.0.5 topsearch10.com backup-20060518-202751-360 O1 - Hosts: 127.0.0.5 iframe.biz backup-20060518-202751-367 O1 - Hosts: 127.0.0.5 www.trafficbest.net backup-20060518-202751-369 O1 - Hosts: 127.0.0.5 crazy-toolbar.com backup-20060518-202751-373 O1 - Hosts: 127.0.0.5 allcount.net backup-20060518-202751-382 O1 - Hosts: 127.0.0.5 www.crazy-toolbar.com backup-20060518-202751-394 O1 - Hosts: 127.0.0.5 www.tracktraff.cc backup-20060518-202751-398 O1 - Hosts: 127.0.0.5 awmdabest.com backup-20060518-202751-413 O1 - Hosts: 127.0.0.5 www.allforadult.com backup-20060518-202751-453 O1 - Hosts: 127.0.0.5 topcash.biz backup-20060518-202751-455 O1 - Hosts: 127.0.0.5 www.ambush-script.com backup-20060518-202751-472 O1 - Hosts: 127.0.0.5 www.newiframe.biz backup-20060518-202751-481 O1 - Hosts: 127.0.0.5 www.buldog-stats.com backup-20060518-202751-506 O1 - Hosts: 127.0.0.5 www.topcash.biz backup-20060518-202751-512 O1 - Hosts: 127.0.0.5 greg-tut.com backup-20060518-202751-536 O1 - Hosts: 127.0.0.5 www.vesbiz.biz backup-20060518-202751-539 O1 - Hosts: 127.0.0.5 buldog-stats.com backup-20060518-202751-544 O1 - Hosts: 127.0.0.5 www.megapornix.com 
backup-20060518-202751-606 O1 - Hosts: 127.0.0.5 megapornix.com backup-20060518-202751-615 O1 - Hosts: 127.0.0.5 vesbiz.biz backup-20060518-202751-634 O1 - Hosts: 127.0.0.5 besthvac.com backup-20060518-202751-637 O1 - Hosts: 127.0.0.5 nylonsexy.com backup-20060518-202751-638 O1 - Hosts: 127.0.0.5 procounter.biz backup-20060518-202751-646 O1 - Hosts: 127.0.0.5 vxiframe.biz backup-20060518-202751-678 O1 - Hosts: 127.0.0.5 www.onedayoffer.biz backup-20060518-202751-686 O1 - Hosts: 127.0.0.5 www.vparivalka.com backup-20060518-202751-702 O1 - Hosts: 127.0.0.5 www.greg-tut.com backup-20060518-202751-705 O1 - Hosts: 127.0.0.5 traff4.com backup-20060518-202751-718 O1 - Hosts: 127.0.0.5 ambush-script.com backup-20060518-202751-730 O1 - Hosts: 127.0.0.5 www.advadmin.biz backup-20060518-202751-744 O1 - Hosts: 127.0.0.5 www.iframeprofit.com backup-20060518-202751-781 O1 - Hosts: 127.0.0.5 www.statscash.biz backup-20060518-202751-785 O1 - Hosts: 127.0.0.5 www.vxiframe.biz backup-20060518-202751-802 O1 - Hosts: 127.0.0.5 x.full-tgp.net backup-20060518-202751-807 O1 - Hosts: 127.0.0.5 newiframe.biz backup-20060518-202751-813 O1 - Hosts: 127.0.0.5 www.slutmania.biz backup-20060518-202751-827 O1 - Hosts: 127.0.0.5 www.loadcash.biz backup-20060518-202751-834 O1 - Hosts: 127.0.0.5 autoescrowpay.com backup-20060518-202751-835 O1 - Hosts: 127.0.0.5 www.awmcash.biz backup-20060518-202751-843 O1 - Hosts: 127.0.0.5 www.iframe.biz backup-20060518-202751-853 O1 - Hosts: 127.0.0.5 tracktraff.cc backup-20060518-202751-877 O1 - Hosts: 127.0.0.5 www.beehappyy.biz backup-20060518-202751-884 O1 - Hosts: 127.0.0.5 pizdato.biz backup-20060518-202751-890 O1 - Hosts: 127.0.0.5 allforadult.com backup-20060518-202751-919 O1 - Hosts: 127.0.0.5 fregat.drocherway.com backup-20060518-202751-926 O1 - Hosts: 127.0.0.5 toolbarpartner.com backup-20060518-202751-936 O1 - Hosts: 127.0.0.5 www.sexfiles.nu backup-20060518-202751-938 O1 - Hosts: 127.0.0.5 www.nylonsexy.com backup-20060518-202751-947 O1 - Hosts: 
127.0.0.5 iframeprofit.com backup-20060518-202751-964 O1 - Hosts: 127.0.0.5 www.traff4.com backup-20060518-202751-973 O1 - Hosts: 127.0.0.5 statscash.biz backup-20060518-202751-976 O1 - Hosts: 127.0.0.5 www.txiframe.biz backup-20060518-202751-979 O1 - Hosts: 127.0.0.5 beehappyy.biz backup-20060518-202751-995 O1 - Hosts: 127.0.0.5 www.topsearch10.com backup-20060518-202927-266 O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\poker.exe (file missing) (HKCU) backup-20060518-204049-255 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html backup-20060518-204049-425 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/ backup-20060518-204049-454 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1 backup-20060518-204049-635 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html backup-20060518-204049-645 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop backup-20060518-204049-728 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html backup-20060518-204049-820 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop backup-20060518-204049-988 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html backup-20060518-204900-400 O2 - BHO: Nothing - {f79fd28e-36ee-4989-aa61-9dd8e30a82fa} - C:\WINDOWS\system32\hpF877.tmp backup-20060606-201513-522 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html backup-20060606-201513-688 O4 - HKLM\..\Run: [SpywareQuake.com] C:\Program Files\SpywareQuake.com\Spyware-Quake.exe /h backup-20060606-201513-720 O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft 
Shared\OFFICE12\MSOXMLMF.DLL backup-20060606-201513-897 O4 - HKCU\..\Run: [Srro] "C:\DOCUME~1\HP_Owner\MYDOCU~1\CROSOF~1.NET\csrss.exe" -vt yazr backup-20060606-201513-908 R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file) backup-20060606-201816-590 O2 - BHO: Nothing - {6ab7158b-4bff-4160-ad7d-4d622df548cf} - C:\WINDOWS\system32\hp100.tmp (file missing) backup-20060810-195118-701 O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab backup-20060810-195118-921 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com.../fix_homepage/ backup-20060811-122711-815 O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/Activ...veLauncher.cab backup-20060811-122711-960 O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll backup-20060811-122712-487 O20 - Winlogon Notify: wintfj32 - wintfj32.dll (file missing) backup-20060821-161141-186 O23 - Service: Remote Administration Service - Unknown owner - C:\WINDOWS\system32\UMGR32.EXE backup-20060905-094544-225 O4 - HKLM\..\Run: [stonedrv] c:\windows\system32\stonedrv.exe backup-20060905-094544-516 O4 - HKLM\..\RunServices: [stonedrv] c:\windows\system32\stonedrv.exe backup-20060905-094544-732 O4 - HKCU\..\Run: [stonedrv] c:\windows\system32\stonedrv.exe backup-20060905-132211-276 O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_44.cab -- File Associations ----------------------------------------------------------- .js - unable to read key .js - unable to read key .scr - scrfile - shell\open\command - "%1" %* .txt - unable to read key .txt - unable to read key -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------- R0 fasttx2k - c:\windows\system32\drivers\fasttx2k.sys <Not Verified; Promise 
Technology, Inc.; Promise FastTrak Series Driver> R1 AFS2K - c:\windows\system32\drivers\afs2k.sys <Not Verified; Oak Technology Inc.; AFS> R1 SiSkp - c:\windows\system32\drivers\srvkp.sys <Not Verified; Silicon Integrated Systems Corporation; SiS (R) WindowsXP Display Manager> R3 AgereSoftModem (Agere Systems Soft Modem) - c:\windows\system32\drivers\agrsm.sys <Not Verified; Agere Systems; Agere SoftModem Driver> R3 Iviaspi (IVI ASPI Shell) - c:\windows\system32\drivers\iviaspi.sys <Not Verified; InterVideo, Inc.; InterVideo ASPI Shell> R3 Pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell> R3 Ps2 - c:\windows\system32\drivers\ps2.sys <Not Verified; Hewlett-Packard Company; Hewlett-Packard Company PS2 SYS> R3 WmBEnum (Logitech Virtual Bus Enumerator Driver) - c:\windows\system32\drivers\wmbenum.sys <Not Verified; Logitech Inc.; Logitech WingMan Software> R3 WmFilter (Logitech WingMan HID Filter Driver) - c:\windows\system32\drivers\wmfilter.sys <Not Verified; Logitech Inc.; Logitech WingMan Software> R3 WmXlCore (Logitech WingMan Translation Layer Driver) - c:\windows\system32\drivers\wmxlcore.sys <Not Verified; Logitech Inc.; Logitech WingMan Software> S3 ialm - c:\windows\system32\drivers\ialmnt5.sys <Not Verified; Intel Corporation; Intel Graphics Accelerator Drivers for Windows NT(R)> S3 nm (Network Monitor Driver) - c:\windows\system32\drivers\nmnt.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System> S3 pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine> S3 SiS315 - c:\windows\system32\drivers\sisgrp.sys <Not Verified; Silicon Integrated Systems Corporation; SiS (R) Compatible Super VGA Miniport Driver for Windows XP> S3 USBAAPL (Apple Mobile USB Driver) - c:\windows\system32\drivers\usbaapl.sys <Not Verified; Apple, Inc.; Apple Mobile Device USB Driver> S3 viagfx - 
c:\windows\system32\drivers\vtmini.sys <Not Verified; Copyright (C) VIA/S3 Graphics Co, Ltd.; UniChrome(Pro) IGP Driver> S3 w810bus (Sony Ericsson W810 Driver driver (WDM)) - c:\windows\system32\drivers\w810bus.sys (file missing) S3 w810mdfl (Sony Ericsson W810 USB WMC Modem Filter) - c:\windows\system32\drivers\w810mdfl.sys (file missing) S3 w810mdm (Sony Ericsson W810 USB WMC Modem Driver) - c:\windows\system32\drivers\w810mdm.sys (file missing) S3 w810mgmt (Sony Ericsson W810 USB WMC Device Management Drivers (WDM)) - c:\windows\system32\drivers\w810mgmt.sys (file missing) S3 w810obex (Sony Ericsson W810 USB WMC OBEX Interface) - c:\windows\system32\drivers\w810obex.sys (file missing) S3 WmVirHid (Logitech Virtual Hid Device Driver) - c:\windows\system32\drivers\wmvirhid.sys <Not Verified; Logitech Inc.; Logitech WingMan Software> -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled -------------------- R2 CCALib8 (Canon Camera Access Library 8) - c:\program files\canon\cal\calmain.exe <Not Verified; Canon Inc.; > R2 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)> S2 iim9cotmohu (Print Spooler Service) - c:\windows\system32\fplljkduj.exe /service (file missing) S3 p2pgasvc (Peer Networking Group Authentication) - c:\windows\system32\svchost.exe -k p2psvc <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System> S4 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service> S4 Bonjour Service (##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##) - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Computer, Inc.; Bonjour> -- Device Manager: Disabled ---------------------------------------------------- No disabled devices found. 
-- Scheduled Tasks ------------------------------------------------------------- 2008-06-02 20:09:11 628 --a------ C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - HP_Owner.job 2008-05-28 08:08:01 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job -- Files created between 2008-05-08 and 2008-06-08 ----------------------------- 2008-06-07 22:10:11 0 d-------- C:\WINDOWS\LastGood 2008-06-07 22:09:30 0 d-------- C:\Program Files\Panda Security 2008-06-07 13:02:32 0 d-------- C:\Program Files\SpywareBlaster 2008-06-06 08:27:33 0 d-------- C:\WINDOWS\system32\CatRoot 2008-06-06 08:27:14 0 d-------- C:\WINDOWS\system32\com 2008-06-06 08:23:40 0 d--hs---- C:\found.000 2008-06-01 17:18:54 0 d-------- C:\Program Files\Common Files\Canon 2008-05-31 12:18:10 0 d-------- C:\WINDOWS\system32\Adobe 2008-05-25 17:02:03 66336 --ah----- C:\BBACADEM 2008-05-22 19:54:22 14848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System> 2008-05-22 17:01:31 92208 --a------ C:\WINDOWS\system32\WING.DLL <Not Verified; Microsoft Corporation; WinG> -- Find3M Report --------------------------------------------------------------- 2008-06-08 23:04:08 0 d-------- C:\Program Files\HJT 2008-06-08 23:03:07 0 d-------- C:\Program Files\Common Files\Symantec Shared 2008-06-08 21:11:05 0 d---s---- C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft 2008-06-08 20:41:51 0 d--h----- C:\Program Files\InstallShield Installation Information 2008-06-08 20:29:43 0 d-------- C:\Program Files\VSO 2008-06-08 20:27:39 0 d-------- C:\Program Files\Common Files\Teleca Shared 2008-06-08 20:21:56 0 d-------- C:\Program Files\LucasArts 2008-06-08 17:07:13 0 d-------- C:\Program Files\Zoom Player 2008-06-07 21:48:55 0 d-------- C:\Program Files\Windows Live 2008-06-07 13:02:46 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard 2008-06-07 12:53:32 0 d-------- C:\Program Files\Winamp 2008-06-07 01:13:53 
0 d-------- C:\Program Files\LimeWire 2008-06-07 00:39:04 0 d-------- C:\Program Files\Symantec 2008-06-01 17:26:20 0 d-------- C:\Program Files\Canon 2008-06-01 17:18:54 0 d-------- C:\Program Files\Common Files 2008-05-29 21:41:54 0 d-------- C:\Program Files\Incomplete 2008-04-25 15:22:00 0 d-------- C:\Program Files\QuickTime 2008-04-25 15:08:51 0 d-------- C:\Program Files\Apple Software Update 2008-04-23 23:35:55 0 d-------- C:\Program Files\Common Files\DVDVideoSoft 2008-04-23 23:35:52 0 d-------- C:\Program Files\DVDVideoSoft 2008-04-16 23:42:43 0 d-------- C:\Program Files\Azureus 2008-04-15 23:29:59 0 d-------- C:\Program Files\Chessmaster 8000 2008-04-12 00:30:04 664 --a------ C:\WINDOWS\system32\d3d9caps.dat 2008-04-10 22:43:18 0 d-------- C:\Program Files\Common Files\Control Panels 2008-04-10 22:42:55 0 d-------- C:\Program Files\Common Files\Adobe 2008-03-27 02:12:54 151583 --a------ C:\WINDOWS\system32\msjint40.dll <Not Verified; Microsoft Corporation; Microsoft (R) Jet> 2008-03-19 03:47:00 1845248 --a------ C:\WINDOWS\system32\win32k.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System> 2008-03-18 21:49:47 335 --a------ C:\WINDOWS\mozregistry.dat -- Registry Dump --------------------------------------------------------------- *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5AA2BA46-9913-4dc7-9620-69AB0FA17AE7}] C:\Program Files\alot\bin\alot.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}] 08/24/2007 09:51 PM 316784 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}] 03/20/2008 08:16 PM 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [08/24/2007 10:53 PM] 
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [02/14/2008 11:01 AM] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [12/11/2007 01:10 PM] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce] "SymLnch"="C:\Documents and Settings\HP_Owner.AE066C3A9B\Application Data\Symantec\Layouts\Norton Internet Security\15.0\SymAllLanguages\NIS_RETAIL\20070826\Support\SymLnch\SymLnch.exe" "C:\Documents and Settings\HP_Owner.AE066C3A9B\Application Data\Symantec\Layouts\Norton Internet Security\15.0\SymAllLanguages\NIS_RETAIL\20070826\Setup.exe" "/REALUPREBOOT /temp /patched" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk backup=C:\WINDOWS\pss\Adobe Acrobat Synchronizer.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk] path=C:\Documents and 
Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Suitcase Startup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Suitcase Startup.lnk
backup=C:\WINDOWS\pss\Suitcase Startup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=C:\WINDOWS\pss\Updates from HP.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^HP_Owner.AE066C3A9B^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\HP_Owner.AE066C3A9B\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
"C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0EYTHM]
C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
ALCWZRD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
"C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoTBar]
c:\Program Files\HP\Digital Imaging\bin\AUTOTBAR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DXDllRegExe]
dxdllreg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\fplljkduj]
C:\WINDOWS\system32\fplljkduj.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"C:\Program Files\HP\HP Software Update\HPWuSchd.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon06]
C:\WINDOWS\system32\hphmon06.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD06]
c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
C:\HP\KBD\KBD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
C:\WINDOWS\system32\ps2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
C:\WINDOWS\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
"C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue SpeedUpMyPC]
C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UVS11 Preload]
C:\Program Files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"MDM"=2 (0x2)
"ISPwdSvc"=3 (0x3)
"UleadBurningHelper"=2 (0x2)
"Capture Device Service"=2 (0x2)
"usnjsvc"=3 (0x3)
"ose"=3 (0x3)
"Adobe LM Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"LiveUpdate Notice"=2 (0x2)
"LiveUpdate"=3 (0x3)
"Automatic LiveUpdate Scheduler"=2 (0x2)
"Bonjour Service"=2 (0x2)
"Adobe Version Cue CS3"=3 (0x3)
"WLSetupSvc"=3 (0x3)
"comHost"=3 (0x3)
"rpcapd"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc

*Newly Created Service* - COMHOST
*Newly Created Service* - RKPAVPROC

-- End of Deckard's System Scanner: finished at 2008-06-08 23:05:02 ------------
#2
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
Join Date: Oct 2007
Location: Georgia
Posts: 8,678
OS: XP SP3
Re: Possible Malware Issue
Hello and Welcome to TSF.
Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please save this page to Notepad in order to assist you when carrying out the following instructions. Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate. Please stay with me until given the 'all clear' even if symptoms seemingly abate. Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

Please run Deckard's System Scanner again, this time using these instructions (this assumes dss.exe is on your desktop): Click Start >> Run, then Copy/Paste the following single-line command into the Run box & click OK:

"%userprofile%\desktop\dss.exe" /daft

------------------------------------------------------

I see you have P2P software (Azureus Vuze) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares. References for the risk of these programs are here, here, and here.

I would strongly recommend that you uninstall it, however that choice is up to you. If you choose to remove this program, you can do so via Control Panel >> Add or Remove Programs. If you decide to uninstall Azureus Vuze, also delete these Folders if they still exist:

C:\Program Files\Azureus

------------------------------------------------------

Please visit this webpage for instructions on downloading and running ComboFix: http://www.bleepingcomputer.com/comb...o-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first. The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode, if needed. This allows us to help you in the case that your computer has a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time. As part of installing the Recovery Console, ComboFix will begin to run. Follow the prompts to install the Recovery Console. Your desktop may disappear. This is normal. It will return. Once the Recovery Console is installed, this blue window will appear:

Please continue as follows:

Please post that log, ComboFix.txt, along with a new HijackThis log so we may continue cleansing the system.

------------------------------------------------------

You are using an outdated version of HijackThis. Please uninstall HijackThis 1.99.1 in the Add or Remove Programs section of your Control Panel and delete your current version.

Please download HijackThis and Save it to your Desktop.
Alternate link

This program will help us determine if there are any spyware/malware on your computer. Double-click on the file you just downloaded. Click on the "Unzip" button to install. It will by default install to the directory - C:\Program Files\Trend Micro\HijackThis

Upon install, HijackThis should open for you. Should it not open, navigate to C:\Program Files\Trend Micro\HijackThis and double-click on HijackThis.exe

1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'.
2. If you don't get the intro screen, just hit Scan and then click on Save log.
3. Please post the HijackThis log in your next reply.

Do not fix anything in HijackThis since they may be harmless.

------------------------------------------------------

Please post the following in your next reply:
daft.txt
C:\ComboFix.txt
new HijackThis log

If you have any questions along the way...STOP and ask them before proceeding.

Last edited by chemist; 06-11-2008 at 08:35 PM.
#3
Registered User
Join Date: Jun 2008
Posts: 26
OS: xp sp2
Re: Possible Malware Issue
I was told that I already had the Recovery Console, so the installation aborted. I then clicked on the ComboFix icon to run the scan and it proceeded, finished, and rebooted my system. There does not appear to be a useful log "ComboFix.txt" in C: or in C:\ComboFix (the latter directory contains a txt with two lines of text):

ComboFix 08-06-10.5 - HP_Owner 06/12/2008 0:14:55.1 - NTFSx86
Running from: C:\Documents and Settings\HP_Owner.AE066C3A9B\Desktop\ComboFix.exe
.

I shall post the other two logs, and upon your further instruction I can just edit this post to include the ComboFix log. How should I proceed?

DAFT Log saved on 2008-06-12 00:00:54
-----------------------------------------------------------------------
All associations okay!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:37:21 AM, on 6/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ALOT Toolbar - {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - C:\Program Files\alot\bin\alot.dll (file missing)
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O3 - Toolbar: ALOT Toolbar - {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - C:\Program Files\alot\bin\alot.dll (file missing)
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\CF22076.exe /c C:\ComboFix\Combobatch.bat
O4 - HKLM\..\RunOnce: [SymLnch] "C:\Documents and Settings\HP_Owner.AE066C3A9B\Application Data\Symantec\Layouts\Norton Internet Security\15.0\SymAllLanguages\NIS_RETAIL\20070826\Support\SymLnch\SymLnch.exe" "C:\Documents and Settings\HP_Owner.AE066C3A9B\Application Data\Symantec\Layouts\Norton Internet Security\15.0\SymAllLanguages\NIS_RETAIL\20070826\Setup.exe" "/REALUPREBOOT /temp /patched"
O4 - HKLM\..\RunOnce: [combofix] C:\WINDOWS\system32\CF22076.exe /c C:\ComboFix\\Combobatch.bat
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com.ezproxy.lrc.m.../ebraryRdr.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/.../GAME_UNO1.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Print Spooler Service (iim9cotmohu) - Unknown owner - C:\WINDOWS\system32\fplljkduj.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 7415 bytes
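The HijackThis log in the post above contains the two findings that actually matter for this machine, and both are easy to miss in a wall of O23 and O15 lines: a service whose display name imitates a Windows component ("Print Spooler Service") but whose short name (iim9cotmohu) and binary (C:\WINDOWS\system32\fplljkduj.exe) are generated strings, with the binary already deleted by the AV while the service registration survives; and five O15 ProtocolDefaults lines that map http, https, ftp and file into the My Computer zone, so remote content gets local-machine privileges in Internet Explorer. The scorer below is an added example (mine, not HijackThis code and not part of the thread). The weights, the severity thresholds and the looks_random() rule are my own assumptions; every sample line is copied verbatim from the log above, including two benign entries so the rules have something to leave alone.

```python
"""Score HijackThis (v2.0.2) log lines for the persistence patterns seen in
this thread.

Added example, not HijackThis code and not from the forum posts. The section
weights, the thresholds and looks_random() are assumptions; every sample line
is copied verbatim from the log posted above.
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

SAMPLE_LOG = r"""
O2 - BHO: ALOT Toolbar - {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - C:\Program Files\alot\bin\alot.dll (file missing)
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O23 - Service: Print Spooler Service (iim9cotmohu) - Unknown owner - C:\WINDOWS\system32\fplljkduj.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
"""

_LINE_RE = re.compile(r"^(O\d+) - (.*)$")
_PATH_RE = re.compile(r"([A-Za-z]:\\.*?\.(?:exe|dll|sys))\b", re.IGNORECASE)
_O15_RE = re.compile(r"'([^']+)' protocol is in My Computer Zone")
# Remote-content protocols that must never sit in the local-machine zone.
_ZONE_DOWNGRADE = {"http", "https", "ftp", "file"}


@dataclass
class Finding:
    section: str
    line: str
    score: int = 0
    reasons: List[str] = field(default_factory=list)

    @property
    def severity(self) -> str:
        if self.score >= 5:
            return "high"
        return "review" if self.score else "ok"


def looks_random(stem: str) -> bool:
    """Assumption: 7+ letters with under 25% vowels is a generated name
    (fplljkduj), not a product name (iTunesHelper)."""
    letters = [c for c in stem.lower() if c.isalpha()]
    if len(letters) < 7:
        return False
    return sum(c in "aeiouy" for c in letters) / len(letters) < 0.25


def score_entry(section: str, body: str) -> Tuple[int, List[str]]:
    score, reasons = 0, []
    m = _PATH_RE.search(body)
    if m:
        path = m.group(1)
        lowered = path.lower()
        stem = lowered.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        # Only count a random name when it was dropped into the Windows tree.
        if "\\windows\\" in lowered and looks_random(stem):
            score += 3
            reasons.append(f"random-looking binary in a Windows system directory: {path}")
    if "(file missing)" in body:
        if section == "O23":
            score += 2  # dropper removed by AV, service registration left behind
            reasons.append("service registered for a binary that no longer exists")
        else:
            score += 1
            reasons.append("orphaned entry, file missing")
    if section == "O23" and "Unknown owner" in body:
        score += 1  # weak on its own: vendors ship binaries without a company name too
        reasons.append("service binary has no company name")
    if section == "O15":
        z = _O15_RE.search(body)
        if z and z.group(1).lower() in _ZONE_DOWNGRADE:
            score += 3
            reasons.append(f"IE zone downgrade: {z.group(1)} content runs with My Computer zone rights")
        elif z:
            score += 1
            reasons.append(f"non-default zone mapping for {z.group(1)}")
    return score, reasons


def triage(log_text: str) -> List[Finding]:
    """One Finding per O-line, zero-scored entries included, in log order."""
    findings = []
    for raw in log_text.splitlines():
        m = _LINE_RE.match(raw.strip())
        if m:
            section, body = m.groups()
            score, reasons = score_entry(section, body)
            findings.append(Finding(section, raw.strip(), score, reasons))
    return findings


def summarize(findings: List[Finding]) -> dict:
    counts = {"high": 0, "review": 0, "ok": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: -f.score):
        print(f"{f.severity:6} {f.score}  {f.line}")
        for r in f.reasons:
            print(f"          - {r}")
```

On the sample the only "high" result is the fplljkduj.exe service (6 points: random name in system32, binary missing, no owner). The Symantec Core LC line also says "Unknown owner" but scores 1 and lands in "review", which is the point of keeping that signal weak on its own. Note what the scorer cannot tell you: the DSS log earlier in the thread shows the same binary under msconfig\startupreg, that is, the Run entry was only disabled through msconfig, not removed, and RKPAVPROC appears as a newly created service; both are persistence left behind that a HijackThis log alone does not surface.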
#4
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
Join Date: Oct 2007
Location: Georgia
Posts: 8,678
OS: XP SP3
Re: Possible Malware Issue
Hello Kiranous. Sorry you are having trouble.
Double-click on combofix.exe and run it again. Post the ComboFix.txt that is produced. Thanks.
#5
Registered User
Join Date: Jun 2008
Posts: 26
OS: xp sp2
Re: Possible Malware Issue
ComboFix 08-06-10.5 - HP_Owner 06/12/2008 14:23:51.2 - NTFSx86
Running from: C:\Documents and Settings\HP_Owner.AE066C3A9B\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Documents and Settings\HP_Owner.AE066C3A9B\Application Data\inst.exe
C:\Program Files\Common Files\{1C370~1
C:\Program Files\Common Files\{3C370~1
C:\Program Files\Common Files\{3C370~1\Uninst.exe
.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_NPF

((((((((((((((((((((((((( Files Created from 2008-05-12 to 2008-06-12 )))))))))))))))))))))))))))))))
.
No new files created in this timespan
.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-12 20:22 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-12 19:50 --------- d-----w C:\Program Files\LimeWire
2008-06-12 19:50 --------- d-----w C:\Program Files\Incomplete
2008-06-12 06:37 --------- d-----w C:\Program Files\Trend Micro
2008-06-10 21:49 --------- d-----w C:\Program Files\Winamp
2008-06-10 05:13 --------- d-----w C:\Documents and Settings\HP_Owner.AE066C3A9B\Application Data\Azureus
2008-06-10 02:24 --------- d-----w C:\Documents and Settings\HP_Owner.AE066C3A9B\Application Data\Media Player Classic
2008-06-10 02:16 --------- d-----w C:\Program Files\AC3Filter
2008-06-09 23:36 --------- d-----w C:\Program Files\MP3Parse
2008-06-09 23:22 --------- d-----w C:\Program Files\Xvid
2008-06-09 22:51 --------- d-----w C:\Program Files\ffdshow
2008-06-09 22:50 --------- d-----w C:\Program Files\SHOUTcast Source
2008-06-09 22:50 --------- d-----w C:\Program Files\DSP-worx
2008-06-09 22:49 49,604 ----a-w C:\WINDOWS\system32\RadLightOFRUninstall.exe
2008-06-09 22:49 --------- d-----w C:\Program Files\OpenSource OGG Splitter
2008-06-09 22:49 --------- d-----w C:\Program Files\CDXA Image Reader Filter (SVCDXCD)
2008-06-09 22:36 --------- d-----w C:\Program Files\CD Audio Reader Filter
2008-06-09 22:33 33,533 ----a-w C:\WINDOWS\system32\CoreVorbis-uninstall.exe
2008-06-09 22:33 --------- d-----w C:\Program Files\DirectVobSub
2008-06-09 21:28 --------- d-----w C:\Program Files\OpenSource Flash Video Splitter
2008-06-09 02:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-09 02:29 47,360 ----a-w C:\Documents and Settings\HP_Owner.AE066C3A9B\Application Data\pcouffin.sys
2008-06-09 02:29 --------- d-----w C:\Documents and Settings\HP_Owner.AE066C3A9B\Application Data\Vso
2008-06-09 02:27 --------- d-----w C:\Program Files\Common Files\Teleca Shared
2008-06-09 02:21 --------- d-----w C:\Program Files\LucasArts
2008-06-09 02:04 --------- d-----w C:\Documents and Settings\HP_Owner.AE066C3A9B\Application Data\SSH
2008-06-08 04:10 --------- d-----w C:\Program Files\Panda Security
2008-06-08 03:48 --------- d-----w C:\Program Files\Windows Live
2008-06-07 21:00 --------- d-----w C:\Program Files\SpywareBlaster
2008-06-07 21:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-07 19:04 --------- d-----w C:\Documents and Settings\HP_Owner.AE066C3A9B\Application Data\Lavasoft
2008-06-07 19:02 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-07 19:02 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-07 17:44 --------- d-----w C:\Documents and Settings\Natalia.AE066C3A9B\Application Data\alot
2008-06-07 06:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-06-07 06:39 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-06-07 06:39 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-06-07 06:39 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-06-07 06:39 10,671 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-06-07 06:39 --------- d-----w C:\Program Files\Symantec
2008-06-06 13:58 27,136 ----a-w C:\WINDOWS\CYK36.tmp
2008-06-04 02:47 --------- d-----w C:\Documents and Settings\HP_Owner.AE066C3A9B\Application Data\ZoomBrowser EX
2008-06-04 02:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\ZoomBrowser
2008-06-04 01:48 27,136 ----a-w C:\WINDOWS\CYK3B.tmp
2008-06-01 23:26 --------- d-----w C:\Program Files\Canon
2008-06-01 23:18 --------- d-----w C:\Program Files\Common Files\Canon
2008-05-29 04:32 27,136 ----a-w C:\WINDOWS\CYK139.tmp
2008-05-25 23:19 --------- d-----w C:\Documents and Settings\HP_Owner.AE066C3A9B\Application Data\PE Explorer
2008-05-16 02:16 27,136 ----a-w C:\WINDOWS\CYK51.tmp
2008-05-12 00:50 --------- d-----w C:\Documents and Settings\HP_Owner.AE066C3A9B\Application Data\alot
2008-05-08 03:25 --------- d-----w C:\Documents and Settings\Mom and Dad.AE066C3A9B\Application Data\alot
2008-04-30 22:52 --------- d-----w C:\Documents and Settings\Natalia.AE066C3A9B\Application Data\LimeWire
2008-04-25 21:22 --------- d-----w C:\Program Files\QuickTime
2008-04-25 21:08 --------- d-----w C:\Program Files\Apple Software Update
2008-04-24 05:53 27,136 ----a-w C:\WINDOWS\CYK97F.tmp
2008-04-24 05:40 27,136 ----a-w C:\WINDOWS\CYK97D.tmp
2008-04-24 05:35 --------- d-----w C:\Program Files\DVDVideoSoft
2008-04-24 05:35 --------- d-----w C:\Program Files\Common Files\DVDVideoSoft
2008-04-22 05:15 --------- d-----w C:\Documents and Settings\HP_Owner.AE066C3A9B\Application Data\LimeWire
2008-04-17 05:42 --------- d-----w C:\Program Files\Azureus
2008-04-16 05:29 --------- d-----w C:\Program Files\Chessmaster 8000
2008-04-09 13:17 27,136 ----a-w C:\WINDOWS\CYK3A.tmp
2008-04-05 02:12 27,136 ----a-w C:\WINDOWS\CYK3C.tmp
2008-04-01 04:34 27,136 ----a-w C:\WINDOWS\CYK39.tmp
2008-03-30 20:09 27,136 ----a-w C:\WINDOWS\CYK125.tmp
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2005-01-09 22:46 0 -csha-w C:\WINDOWS\SMINST\HPCD.sys
.
------- Sigcheck ------- 08/04/2004 01:00 PM 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\system32\svchost.exe 08/04/2004 01:00 PM 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\system32\dllcache\svchost.exe 03/02/2005 12:19 PM 577024 1800f293bccc8ede8a70e12b88d80036 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll 03/08/2007 09:48 AM 578048 7aa4f6c00405dfc4b70ed4214e7d687b C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll 08/04/2004 01:00 PM 577024 c72661f8552ace7c5c85e16a3cf505c4 C:\WINDOWS\$NtUninstallKB890859$\user32.dll 03/02/2005 12:09 PM 577024 de2db164bbb35db061af0997e4499054 C:\WINDOWS\$NtUninstallKB925902$\user32.dll 03/08/2007 09:36 AM 577536 b409909f6e2e8a7067076ed748abf1e7 C:\WINDOWS\system32\user32.dll 03/08/2007 09:36 AM 577536 b409909f6e2e8a7067076ed748abf1e7 C:\WINDOWS\system32\dllcache\user32.dll 08/04/2004 01:00 PM 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\system32\ws2_32.dll 08/04/2004 01:00 PM 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\system32\dllcache\ws2_32.dll 09/29/2004 12:27 PM 656896 2c07195588d69a067c2afdaa31759295 C:\WINDOWS\$hf_mig$\KB834707\SP2QFE\wininet.dll 01/27/2005 11:08 AM 657920 a8eac5330876548e9966a7d13025d196 C:\WINDOWS\$hf_mig$\KB867282\SP2QFE\wininet.dll 05/02/2005 02:57 PM 658944 e1e18136f9dd3df1ad9c82193a5898a6 C:\WINDOWS\$hf_mig$\KB883939\SP2QFE\wininet.dll 03/10/2005 01:43 AM 657920 c8663b488996e89a84c3d17c1d12b79e C:\WINDOWS\$hf_mig$\KB890923\SP2QFE\wininet.dll 09/02/2005 05:53 PM 660480 97a6fd7cafd688cf2c78939ebaf0cd0c C:\WINDOWS\$hf_mig$\KB896688\SP2QFE\wininet.dll 07/02/2005 08:09 PM 659456 6e533d155b259eb2363d3e04b5be309f C:\WINDOWS\$hf_mig$\KB896727\SP2QFE\wininet.dll 10/20/2005 09:38 PM 661504 af785c4947676a7fc1673fdc5c8d0b5b C:\WINDOWS\$hf_mig$\KB905915\SP2QFE\wininet.dll 03/03/2006 09:58 PM 663552 c0845ecbf4f9164e618ee381b79c9032 C:\WINDOWS\$hf_mig$\KB912812\SP2QFE\wininet.dll 05/09/2006 11:25 PM 663552 d94cffdb53e7ac867438e2dfd50e7cbc C:\WINDOWS\$hf_mig$\KB916281\SP2QFE\wininet.dll 
06/23/2006 05:25 AM 664576 64ce26db72810b30f7855ea51e1df836 C:\WINDOWS\$hf_mig$\KB918899\SP2QFE\wininet.dll 09/14/2006 02:31 AM 664576 d207370287cf769aebebf03837784963 C:\WINDOWS\$hf_mig$\KB922760\SP2QFE\wininet.dll 10/23/2006 09:34 AM 664576 231ef4179acabe486376b5ca893f1076 C:\WINDOWS\$hf_mig$\KB925454\SP2QFE\wininet.dll 01/04/2007 08:05 AM 665088 3ffa1573fc274e5aa7467d03941c45ee C:\WINDOWS\$hf_mig$\KB928090\SP2QFE\wininet.dll 02/20/2007 03:52 AM 665600 b258c922d22deec880b60720531d7627 C:\WINDOWS\$hf_mig$\KB931768\SP2QFE\wininet.dll 04/18/2007 06:46 AM 665600 4261ba03afd659de04f0a17dfbdd454d C:\WINDOWS\$hf_mig$\KB933566\SP2QFE\wininet.dll 06/26/2007 08:35 AM 665600 e1a3dd68b5380b360a7310a64d9bb188 C:\WINDOWS\$hf_mig$\KB937143\SP2QFE\wininet.dll 08/22/2007 06:55 AM 665600 a1bc17eb3758d73c3938b2318820f5b4 C:\WINDOWS\$hf_mig$\KB939653\SP2QFE\wininet.dll 10/10/2007 11:57 PM 666112 80d660a49e0d118144423099b2a9f5da C:\WINDOWS\$hf_mig$\KB942615\SP2QFE\wininet.dll 12/06/2007 06:44 PM 666112 085a7c37f9c6ede1ba870b7dbec06399 C:\WINDOWS\$hf_mig$\KB944533\SP2QFE\wininet.dll 02/16/2008 03:32 AM 666112 bb1eacd6ab47e78ebca02eb781550d55 C:\WINDOWS\$hf_mig$\KB947864\SP2QFE\wininet.dll 08/04/2004 01:00 PM 656384 c0823fc5469663ba63e7db88f9919d70 C:\WINDOWS\$NtUninstallKB834707$\wininet.dll 09/29/2004 12:47 PM 656896 cba65b573c66fe23f647ff96e3a10994 C:\WINDOWS\$NtUninstallKB867282$\wininet.dll 03/10/2005 02:02 AM 656896 6f018d6319be4f96426ea829b79e05d5 C:\WINDOWS\$NtUninstallKB883939$\wininet.dll 01/27/2005 11:13 AM 656896 b5e043e440b210014e021b24cf0a72e3 C:\WINDOWS\$NtUninstallKB890923$\wininet.dll 07/02/2005 08:11 PM 658432 5b5ff992c0fa762ccf8655fc290e6e52 C:\WINDOWS\$NtUninstallKB896688$\wininet.dll 05/02/2005 02:52 PM 657920 1a078af3f85d10ba56444c23b3a18e74 C:\WINDOWS\$NtUninstallKB896727$\wininet.dll 09/02/2005 05:52 PM 658432 af61ebb1f550175eff406d545d6ab086 C:\WINDOWS\$NtUninstallKB905915$\wininet.dll 10/20/2005 09:39 PM 658432 e7b27b6b6e06ce34ea019fd8b858c613 
C:\WINDOWS\$NtUninstallKB912812$\wininet.dll 03/03/2006 09:33 PM 658432 1c0979c7a489bee573cd0bf4ad94bb06 C:\WINDOWS\$NtUninstallKB916281$\wininet.dll 05/09/2006 11:23 PM 658432 38ab7a56f566d9aaad31812494944824 C:\WINDOWS\$NtUninstallKB918899$\wininet.dll 06/23/2006 05:02 AM 658944 2b4db890936430c71419037039502752 C:\WINDOWS\$NtUninstallKB922760$\wininet.dll 09/14/2006 02:39 AM 658944 621af3f6174a3f60677f5230e28bcc07 C:\WINDOWS\$NtUninstallKB925454$\wininet.dll 10/23/2006 09:17 AM 658944 6b2735adff5a5d3b9130ca4a794722f0 C:\WINDOWS\$NtUninstallKB928090$\wininet.dll 01/04/2007 07:37 AM 658944 8c393df5234cbcbff1ee31902d6b40ae C:\WINDOWS\$NtUninstallKB931768$\wininet.dll 08/04/2004 01:00 PM 656384 c0823fc5469663ba63e7db88f9919d70 C:\WINDOWS\$NtUninstallKB933566$\wininet.dll 04/18/2007 06:31 AM 658944 b7156cd97e739f3014bc4d61758f868a C:\WINDOWS\$NtUninstallKB937143$\wininet.dll 06/26/2007 08:09 AM 658944 184e47c8f7b331025e6dc92740db188f C:\WINDOWS\$NtUninstallKB939653$\wininet.dll 08/22/2007 07:12 AM 658944 1901ad51da8be9f8b38d5d526e5d1788 C:\WINDOWS\$NtUninstallKB942615$\wininet.dll 10/11/2007 12:13 AM 659456 2005ad86a22aee68e21ee59f9ccb77f2 C:\WINDOWS\$NtUninstallKB944533$\wininet.dll 12/06/2007 07:07 PM 659456 57d1b5150cf6331fac6b3e04c1fcb966 C:\WINDOWS\$NtUninstallKB947864$\wininet.dll 02/16/2008 02:59 AM 659456 0c690e77c0e924c45b4d7045b182fff1 C:\WINDOWS\system32\wininet.dll 02/16/2008 02:59 AM 659456 0c690e77c0e924c45b4d7045b182fff1 C:\WINDOWS\system32\dllcache\wininet.dll 05/25/2005 01:07 PM 359936 63fdfea54eb53de2d863ee454937ce1e C:\WINDOWS\$hf_mig$\KB893066\SP2QFE\tcpip.sys 01/13/2006 11:07 AM 360448 5562cc0a47b2aef06d3417b733f3c195 C:\WINDOWS\$hf_mig$\KB913446\SP2QFE\tcpip.sys 04/20/2006 06:18 AM 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys 10/30/2007 10:53 AM 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys 08/04/2004 01:00 PM 359040 9f4b36614a0fc234525ba224957de55c 
C:\WINDOWS\$NtUninstallKB893066$\tcpip.sys 05/25/2005 01:04 PM 359808 88763a98a4c26c409741b4aa162720c9 C:\WINDOWS\$NtUninstallKB913446$\tcpip.sys 08/04/2004 01:00 PM 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys 04/20/2006 05:51 AM 359808 1dbf125862891817f374f407626967f4 C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys 10/30/2007 11:20 AM 360064 90caff4b094573449a0872a0f919b178 C:\WINDOWS\system32\dllcache\tcpip.sys 10/30/2007 11:20 AM 360064 90caff4b094573449a0872a0f919b178 C:\WINDOWS\system32\drivers\tcpip.sys 08/04/2004 01:00 PM 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\system32\winlogon.exe 08/04/2004 01:00 PM 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\system32\dllcache\winlogon.exe 08/04/2004 01:00 PM 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\system32\dllcache\ndis.sys 08/04/2004 01:00 PM 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\system32\drivers\ndis.sys 08/04/2004 01:00 PM 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\dllcache\ip6fw.sys 08/04/2004 01:00 PM 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\drivers\ip6fw.sys 03/01/2005 06:36 PM 2056832 d8aba3eab509627e707a3b14f00fbb6b C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe 12/19/2006 10:12 AM 2059392 ba4b97c00a437c1cc3da365d93ee1e9d C:\WINDOWS\$hf_mig$\KB929338\SP2QFE\ntkrnlpa.exe 02/28/2007 03:15 AM 2059392 4d3dbdccbf97f5ba1e74f322b155c3ba C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe 03/01/2005 06:34 PM 2015232 3cd941e472ddf3534e53038535719771 C:\WINDOWS\$NtUninstallKB929338$\ntkrnlpa.exe 12/19/2006 06:55 AM 2015744 bbb2322eb14ad9ad55b1024ffd4d88bf C:\WINDOWS\$NtUninstallKB931784$\ntkrnlpa.exe 02/28/2007 02:38 AM 2057600 515d30e2c90a3665a2739309334c9283 C:\WINDOWS\Driver Cache\i386\ntkrnlpa.exe 02/28/2007 02:38 AM 2015744 a58ac1c6199ef34228abee7fc057ae09 C:\WINDOWS\system32\ntkrnlpa.exe 08/04/2004 01:00 PM 2056832 947fb1d86d14afcffdb54bf837ec25d0 
C:\WINDOWS\system32\ReinstallBackups\0009\DriverFiles\i386\ntkrnlpa.exe 03/01/2005 07:04 PM 2179456 28187802b7c368c0d3aef7d4c382aabb C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe 12/19/2006 10:51 AM 2182016 cef243f6defd20be4adde26c7ecacb54 C:\WINDOWS\$hf_mig$\KB929338\SP2QFE\ntoskrnl.exe 02/28/2007 03:55 AM 2182144 5a5c8db4aa962c714c8371fbdf189fc9 C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe 03/01/2005 06:57 PM 2135552 48b3e89af7074cee0314a3e0c7faffdb C:\WINDOWS\$NtUninstallKB929338$\ntoskrnl.exe 12/19/2006 08:15 AM 2136064 8318ed54797f3e513fd5817a1d4bbd18 C:\WINDOWS\$NtUninstallKB931784$\ntoskrnl.exe 02/28/2007 03:10 AM 2180352 582a8dbaa58c3b1f176eb2817daee77c C:\WINDOWS\Driver Cache\i386\ntoskrnl.exe 02/28/2007 03:08 AM 2136064 1220faf071dea8653ee21de7dcda8bfd C:\WINDOWS\system32\ntoskrnl.exe 08/04/2004 01:00 PM 2180992 ce218bc7088681faa06633e218596ca7 C:\WINDOWS\system32\ReinstallBackups\0009\DriverFiles\i386\ntoskrnl.exe 06/13/2007 04:23 AM 1033216 97bd6515465659ff8f3b7be375b2ea87 C:\WINDOWS\explorer.exe 06/13/2007 05:26 AM 1033216 7712df0cdde3a5ac89843e61cd5b3658 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe 08/04/2004 01:00 PM 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\$NtUninstallKB938828$\explorer.exe 06/13/2007 04:23 AM 1033216 97bd6515465659ff8f3b7be375b2ea87 C:\WINDOWS\system32\dllcache\explorer.exe 08/04/2004 01:00 PM 108032 c6ce6eec82f187615d1002bb3bb50ed4 C:\WINDOWS\system32\services.exe 08/04/2004 01:00 PM 108032 c6ce6eec82f187615d1002bb3bb50ed4 C:\WINDOWS\system32\dllcache\services.exe 08/04/2004 01:00 PM 13312 84885f9b82f4d55c6146ebf6065d75d2 C:\WINDOWS\system32\lsass.exe 08/04/2004 01:00 PM 13312 84885f9b82f4d55c6146ebf6065d75d2 C:\WINDOWS\system32\dllcache\lsass.exe 08/04/2004 01:00 PM 15360 24232996a38c0b0cf151c2140ae29fc8 C:\WINDOWS\system32\ctfmon.exe 08/04/2004 01:00 PM 15360 24232996a38c0b0cf151c2140ae29fc8 C:\WINDOWS\system32\dllcache\ctfmon.exe . 
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5AA2BA46-9913-4dc7-9620-69AB0FA17AE7}]
C:\Program Files\alot\bin\alot.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
08/24/2007 09:51 PM 316784 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
03/20/2008 08:16 PM 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{5AA2BA46-9913-4DC7-9620-69AB0FA17AE7}"= "C:\Program Files\alot\bin\alot.dll" [ ]
[HKEY_CLASSES_ROOT\clsid\{5aa2ba46-9913-4dc7-9620-69ab0fa17ae7}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [08/24/2007 10:53 PM 714608]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [02/14/2008 11:01 AM 51048]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SymLnch"="C:\Documents and Settings\HP_Owner.AE066C3A9B\Application Data\Symantec\Layouts\Norton Internet Security\15.0\SymAllLanguages\NIS_RETAIL\20070826\Support\SymLnch\SymLnch.exe" [08/26/2007 06:04 PM 687976]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
"vidc.yv12"= yv12vfw.dll
"msacm.ac3filter"= ac3filter.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Suitcase Startup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Suitcase Startup.lnk
backup=C:\WINDOWS\pss\Suitcase Startup.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=C:\WINDOWS\pss\Updates from HP.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Owner.AE066C3A9B^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\HP_Owner.AE066C3A9B\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 06/06/2005 11:46 PM 57344 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 01/11/2008 11:16 PM 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
--a------ 02/28/2007 11:06 PM 2321600 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0EYTHM]
--a------ 03/20/2007 05:40 PM 1884160 C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a------ 06/29/2004 06:06 PM 88363 C:\WINDOWS\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 07/03/2004 03:49 AM 57344 C:\WINDOWS\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
--a------ 07/06/2004 02:05 AM 2550272 C:\WINDOWS\ALCWZRD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
-----c--- 05/10/2006 12:12 PM 90112 C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoTBar]
c:\Program Files\HP\Digital Imaging\bin\AUTOTBAR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 02/14/2008 11:01 AM 51048 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 04/03/2007 04:29 PM 165784 C:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DXDllRegExe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\fplljkduj]
C:\WINDOWS\system32\fplljkduj.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 08/04/2003 05:28 PM 49152 C:\Program Files\HP\HP Software Update\HPWuSchd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon06]
--a------ 06/07/2004 07:42 PM 659456 C:\WINDOWS\system32\hphmon06.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD06]
--a------ 06/07/2004 07:53 PM 49152 c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
--a------ 05/07/1998 05:04 PM 52736 c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 12/11/2007 01:10 PM 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
C:\HP\KBD\KBD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
---hs---- 10/13/2004 10:24 AM 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
--a------ 10/16/2002 05:57 PM 81920 C:\WINDOWS\system32\ps2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 03/28/2008 11:37 PM 413696 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a------ 04/14/2004 09:43 PM 233472 C:\WINDOWS\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 07/01/2004 07:58 PM 73728 C:\WINDOWS\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 03/14/2007 03:43 AM 83608 C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 08/07/2004 03:03 PM 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue SpeedUpMyPC]
C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UVS11 Preload]
C:\Program Files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"MDM"=2 (0x2)
"ISPwdSvc"=3 (0x3)
"UleadBurningHelper"=2 (0x2)
"Capture Device Service"=2 (0x2)
"usnjsvc"=3 (0x3)
"ose"=3 (0x3)
"Adobe LM Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"LiveUpdate Notice"=2 (0x2)
"LiveUpdate"=3 (0x3)
"Automatic LiveUpdate Scheduler"=2 (0x2)
"Bonjour Service"=2 (0x2)
"Adobe Version Cue CS3"=3 (0x3)
"WLSetupSvc"=3 (0x3)
"comHost"=3 (0x3)
"rpcapd"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-05-28 14:08:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-10 04:18:29 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - HP_Owner.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-12 14:28:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 06/12/2008 14:33:05
ComboFix-quarantined-files.txt 2008-06-12 20:32:12

Pre-Run: 106,810,941,440 bytes free
Post-Run: 106,807,549,952 bytes free

358 --- E O F --- 2008-06-12 09:00:57
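The "Sigcheck" block at the end of the ComboFix log above lists, for each protected system file, every copy ComboFix found on disk: the hotfix backups under $hf_mig$ and $NtUninstallKBnnnnnn$, the Windows File Protection copy in system32\dllcache, and the file Windows actually loads from system32, system32\drivers or the WINDOWS directory. The block is there so the analyst can compare the MD5 of the live file with the MD5 of its dllcache copy; a disagreement on a file such as tcpip.sys, ndis.sys or winlogon.exe is what a patched system file would look like. The script below does that comparison. It is an added example, not code from this thread or from ComboFix, and it assumes the record layout shown in the log (date, time, size, MD5, path). All sample records except the last are copied from the log above; the final svchost.exe record is constructed with a fake hash so the mismatch branch is exercised. In the log as actually posted, every live file that has a dllcache copy matches it.

```python
"""Pair each live Windows system file in a ComboFix 'Sigcheck' block with its
dllcache (Windows File Protection) copy and flag hash disagreements.

Added analysis example; not part of the forum thread or of ComboFix itself.
"""
import re
from collections import defaultdict

# One Sigcheck record: date, time, size, MD5, path.  The path may contain
# spaces, so it runs until the next record's date or the end of the line;
# that also copes with logs that a web page has flattened onto one line.
RECORD_RE = re.compile(
    r"(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{1,2}:\d{2}\s+[AP]M)\s+"
    r"(?P<size>\d+)\s+(?P<md5>[0-9a-fA-F]{32})\s+"
    r"(?P<path>[A-Za-z]:\\.*?)"
    r"(?=\s+\d{2}/\d{2}/\d{4}\s+\d{1,2}:\d{2}\s+[AP]M|\s*$)",
    re.MULTILINE,
)

# Directories holding old or staged copies, never the file Windows loads.
# They differ from the live file by design, so they are excluded, not compared.
ARCHIVE_MARKERS = ("$hf_mig$", "$ntuninstall", "driver cache", "reinstallbackups")


def parse_sigcheck(text):
    """Return a list of dicts (path, size, md5) for every record in text."""
    return [
        {"path": m["path"].strip(), "size": int(m["size"]), "md5": m["md5"].lower()}
        for m in RECORD_RE.finditer(text)
    ]


def classify(path):
    """'cache' for the dllcache copy, 'archive' for hotfix backups, else 'live'."""
    p = path.lower()
    if "\\dllcache\\" in p:
        return "cache"
    if any(marker in p for marker in ARCHIVE_MARKERS):
        return "archive"
    return "live"


def compare_to_dllcache(records):
    """Map each live file path to 'match', 'MISMATCH' or 'no dllcache copy'."""
    cache = {}
    live = defaultdict(list)
    for rec in records:
        name = rec["path"].rsplit("\\", 1)[-1].lower()
        kind = classify(rec["path"])
        if kind == "cache":
            cache[name] = rec
        elif kind == "live":
            live[name].append(rec)

    verdicts = {}
    for name, recs in live.items():
        for rec in recs:
            ref = cache.get(name)
            if ref is None:
                verdicts[rec["path"]] = "no dllcache copy"
            elif ref["md5"] == rec["md5"] and ref["size"] == rec["size"]:
                verdicts[rec["path"]] = "match"
            else:
                verdicts[rec["path"]] = "MISMATCH"
    return verdicts


# Sample input.  Every record except the last is copied from the ComboFix log
# posted in this thread; the final svchost.exe record is CONSTRUCTED with a
# fake hash so the mismatch path is exercised.  The first line is left
# flattened (two records on one line) the way the forum page renders it.
SAMPLE = r"""------- Sigcheck -------
10/30/2007 11:20 AM 360064 90caff4b094573449a0872a0f919b178 C:\WINDOWS\system32\dllcache\tcpip.sys 10/30/2007 11:20 AM 360064 90caff4b094573449a0872a0f919b178 C:\WINDOWS\system32\drivers\tcpip.sys
05/25/2005 01:04 PM 359808 88763a98a4c26c409741b4aa162720c9 C:\WINDOWS\$NtUninstallKB913446$\tcpip.sys
08/04/2004 01:00 PM 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\system32\dllcache\ndis.sys
08/04/2004 01:00 PM 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\system32\drivers\ndis.sys
06/13/2007 04:23 AM 1033216 97bd6515465659ff8f3b7be375b2ea87 C:\WINDOWS\explorer.exe
06/13/2007 04:23 AM 1033216 97bd6515465659ff8f3b7be375b2ea87 C:\WINDOWS\system32\dllcache\explorer.exe
02/28/2007 03:08 AM 2136064 1220faf071dea8653ee21de7dcda8bfd C:\WINDOWS\system32\ntoskrnl.exe
08/04/2004 01:00 PM 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\system32\dllcache\svchost.exe
08/04/2004 01:00 PM 14336 0123456789abcdef0123456789abcdef C:\WINDOWS\system32\svchost.exe
"""


def report(text=SAMPLE):
    """Parse text and return the verdict map for every live file."""
    return compare_to_dllcache(parse_sigcheck(text))


if __name__ == "__main__":
    for path, verdict in sorted(report().items()):
        print(f"{verdict:18} {path}")
```

A "match" only shows that two copies on disk agree. A kernel-mode rootkit that hides its changes from file reads, or one that patched the dllcache copy as well, would pass this check, which is why ComboFix also runs the catchme rootkit scan shown at the end of the log. Files with no dllcache entry (ntoskrnl.exe in this log) cannot be judged this way and need to be checked against a known-good hash for the installed service pack and hotfix level.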
#6
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
Join Date: Oct 2007
Location: Georgia
Posts: 8,678
OS: XP SP3
Re: Possible Malware Issue
Hello again, kiranous.
Please save this page to Notepad in order to assist you when carrying out the following instructions. Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

Disable your antivirus and antispyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with HijackThis.

------------------------------------------------------

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they still exist: (Make sure you do not miss any)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing

Please remember to close all other windows, including browsers, then click Fix checked. Please close HijackThis now.

------------------------------------------------------

Close any open browsers. Disable your antivirus and antispyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with ComboFix.

Open Notepad and copy/paste all the text in the quotebox below into Notepad:

Quote:

Referring to the picture above, drag CFScript into ComboFix.exe

Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal. When finished, it shall produce a log for you. Please post that log, ComboFix.txt, in your next reply.

Note: Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.

------------------------------------------------------

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Please run this online scan to help look for remnants. Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner. Click Accept, when prompted to download and install the program files and database of malware definitions.

To optimize scanning time and produce a more sensible report for review:

------------------------------------------------------

Open HijackThis and click on 'Do a System Scan and Save a Logfile'. Save the logfile and post it here.

------------------------------------------------------

Please post the following in your next reply:
C:\ComboFix.txt
Kaspersky report
new HijackThis log
report on system behavior

Last edited by chemist; 06-12-2008 at 09:09 PM.
#7
Registered User
Join Date: Jun 2008
Posts: 26
OS: xp sp2
Re: Possible Malware Issue
Nothing has really improved; the same conditions exist as initially described.
ComboFix 08-06-10.5 - HP_Owner 06/13/2008 14:10:29.4 - NTFSx86
Running from: C:\Documents and Settings\HP_Owner.AE066C3A9B\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Documents and Settings\HP_Owner.AE066C3A9B\Application Data\alot
C:\Documents and Settings\Mom and Dad.AE066C3A9B\Application Data\alot
C:\Documents and Settings\Natalia.AE066C3A9B\Application Data\alot
C:\Documents and Settings\Natalia.AE066C3A9B\Application Data\alot\BrowserSearch\BrowserSearch.xml
C:\Documents and Settings\Natalia.AE066C3A9B\Application Data\alot\BrowserSearch\BrowserSearch.xml.backup
C:\Documents and Settings\Natalia.AE066C3A9B\Application Data\alot\Button_0\Button_0.xml
C:\Documents and Settings\Natalia.AE066C3A9B\Application Data\alot\Button_0\Button_0.xml.backup
C:\Documents and Settings\Natalia.AE066C3A9B\Application Data\alot\Button_1\Button_1.xml
C:\Documents and Settings\Natalia.AE066C3A9B\Application Data\alot\Button_1\Button_1.xml.backup
C:\Documents and Settings\Natalia.AE066C3A9B\Application Data\alot\Button_10\Button_10.xml
C:\Documents and Settings\Natalia.AE066C3A9B\Application Data\alot\Button_10\Button_10.xml.backup
C:\Documents and Settings\Natalia.AE066C3A9B\Application Data\alot\Button_11\Button_11.xml
C:\Documents and Settings\Natalia.AE066C3A9B\Application Data\alot\Button_11\Button_11.xml.backup
C:\Documents and Settings\Natalia.AE066C3A9B\Application Data\alot\Button_2\Button_2.xml
C:\Documents and Settings\Natalia.AE066C3A9B\Application Data\alot\Button_2\Button_2.xml.backup
C:\Documents and Settings\Natalia.AE066C3A9B\Application Data\alot\Button_3\Button_3.xml
C:\Documents and Settings\Natalia.AE066C3A9B\Application Data\alot\Button_3\Button_3.xml.backup
C:\Documents and Settings\Natalia.AE066C3A9B\Application Data\alot\Button_4\Button_4.xml
C:\Documents and Settings\Natalia.AE066C3A9B\Application Data\alot\Button_4\Button_4.xml.backup
C:\Documents and Settings\Natalia.AE066C3A9B\Application Data\alot\Button_5\Button_5.xml
C:\Documents and Settings\Natalia.AE066C3A9B\Application Data\alot\Button_5\Button_5.xml.backup
C:\Documents and Settings\Natalia.AE066C3A9B\Application Data\alot\Button_6\Button_6.xml
C:\Documents and Settings\Natalia.AE066C3A9B\Application Data\alot\Button_6\Button_6.xml.backup
C:\Documents and Settings\Natalia.AE066C3A9B\Application Data\alot\Button_7\Button_7.xml
C:\Documents and Settings\Natalia.AE066C3A9B\Application Data\alot\Button_7\Button_7.xml.backup
C:\Documents and Settings\Natalia.AE066C3A9B\Application Data\alot\Button_8\Button_8.xml
C:\Documents and Settings\Natalia.AE066C3A9B\Application Data\alot\Button_8\Button_8.xml.backup
C:\Documents and Settings\Natalia.AE066C3A9B\Application Data\alot\Button_9\Button_9.xml
C:\Documents and Settings\Natalia.AE066C3A9B\Application Data\alot\Button_9\Button_9.xml.backup
C:\Documents and Settings\Natalia.AE066C3A9B\Application Data\alot\configurator\configurator.xml
C:\Documents and Settings\Natalia.AE066C3A9B\Application Data\alot\configurator\configurator.xml.backup
C:\Documents and Settings\Natalia.AE066C3A9B\Application Data\alot\ErrorSearch\ErrorSearch.xml
C:\Documents and Settings\Natalia.AE066C3A9B\Application Data\alot\ErrorSearch\ErrorSearch.xml.backup
C:\Documents and Settings\Natalia.AE066C3A9B\Application Data\alot\postInstallLayout\postInstallLayout.xml
C:\Documents and Settings\Natalia.AE066C3A9B\Application Data\alot\postInstallLayout\postInstallLayout.xml.backup
C:\Documents and Settings\Natalia.AE066C3A9B\Application Data\alot\products\products.xml
C:\Documents and Settings\Natalia.AE066C3A9B\Application Data\alot\products\products.xml.backup
C:\Documents and Settings\Natalia.AE066C3A9B\Application Data\alot\Resources\Button_0\images\alot_icon_35x16.bmp
C:\Documents and Settings\Natalia.AE066C3A9B\Application Data\alot\Resources\Button_1\images\alot_search_24x16.bmp
C:\Documents and Settings\Natalia.AE066C3A9B\Application Data\alot\Resources\Button_2\images\default_296_alot_hea_heasearch.bmp
C:\Documents and Settings\Natalia.AE066C3A9B\Application Data\alot\Resources\Button_3\images\active_default_297_alot_hea_news.bmp
C:\Documents and Settings\Natalia.AE066C3A9B\Application Data\alot\Resources\Button_3\images\default_297_alot_hea_news.bmp
C:\Documents and Settings\Natalia.AE066C3A9B\Application Data\alot\Resources\Button_4\images\default_298_alot_hea_fitness.bmp
C:\Documents and Settings\Natalia.AE066C3A9B\Application Data\alot\Resources\Button_5\images\default_299_alot_mrkt_firstaid.bmp
C:\Documents and Settings\Natalia.AE066C3A9B\Application Data\alot\Resources\Button_5\images\default_299_alot_mrkt_readers_digest3.bmp
C:\Documents and Settings\Natalia.AE066C3A9B\Application Data\alot\Resources\Button_5\images\default_299_alot_mrkt_readersdigestorange.bmp
C:\Documents and Settings\Natalia.AE066C3A9B\Application Data\alot\Resources\Shared\images\alot_brand.png
C:\Documents and Settings\Natalia.AE066C3A9B\Application Data\alot\TimerManager\TimerManager.xml
C:\Documents and Settings\Natalia.AE066C3A9B\Application Data\alot\TimerManager\TimerManager.xml.backup
C:\Documents and Settings\Natalia.AE066C3A9B\Application Data\alot\toolbar.xml
C:\Documents and Settings\Natalia.AE066C3A9B\Application Data\alot\ToolbarSearch\ToolbarSearch.xml
C:\Documents and Settings\Natalia.AE066C3A9B\Application Data\alot\ToolbarSearch\ToolbarSearch.xml.backup
C:\Documents and Settings\Natalia.AE066C3A9B\Application Data\alot\Updater\Updater.xml
C:\Documents and Settings\Natalia.AE066C3A9B\Application Data\alot\Updater\Updater.xml.backup
C:\Documents and Settings\Natalia.AE066C3A9B\Local Settings\Application Data\Mozilla\Firefox\Profiles\cp5fpd5o.default\Cache\3A802488d01
C:\Documents and Settings\Natalia.AE066C3A9B\Local Settings\Application Data\Mozilla\Firefox\Profiles\cp5fpd5o.default\Cache\3A912488d01
c:\windows\hh.ico
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_IIM9COTMOHU
-------\Service_iim9cotmohu

((((((((((((((((((((((((( Files Created from 2008-05-13 to 2008-06-13 )))))))))))))))))))))))))))))))
.
No new files created in this timespan
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-13 20:07 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-12 19:50 --------- d-----w C:\Program Files\LimeWire
2008-06-12 19:50 --------- d-----w C:\Program Files\Incomplete
2008-06-12 06:37 --------- d-----w C:\Program Files\Trend Micro
2008-06-10 21:49 --------- d-----w C:\Program Files\Winamp
2008-06-10 05:13 --------- d-----w C:\Documents and Settings\HP_Owner.AE066C3A9B\Application Data\Azureus
2008-06-10 02:24 --------- d-----w C:\Documents and Settings\HP_Owner.AE066C3A9B\Application Data\Media Player Classic
2008-06-10 02:16 --------- d-----w C:\Program Files\AC3Filter
2008-06-09 23:36 --------- d-----w C:\Program Files\MP3Parse
2008-06-09 23:22 --------- d-----w C:\Program Files\Xvid
2008-06-09 22:51 --------- d-----w C:\Program Files\ffdshow
2008-06-09 22:50 --------- d-----w C:\Program Files\SHOUTcast Source
2008-06-09 22:50 --------- d-----w C:\Program Files\DSP-worx
2008-06-09 22:49 49,604 ----a-w C:\WINDOWS\system32\RadLightOFRUninstall.exe
2008-06-09 22:49 --------- d-----w C:\Program Files\OpenSource OGG Splitter
2008-06-09 22:49 --------- d-----w C:\Program Files\CDXA Image Reader Filter (SVCDXCD)
2008-06-09 22:36 --------- d-----w C:\Program Files\CD Audio Reader Filter
2008-06-09 22:33 33,533 ----a-w C:\WINDOWS\system32\CoreVorbis-uninstall.exe
2008-06-09 22:33 --------- d-----w C:\Program Files\DirectVobSub
2008-06-09 21:28 --------- d-----w C:\Program Files\OpenSource Flash Video Splitter
2008-06-09 02:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-09 02:29 47,360 ----a-w C:\Documents and Settings\HP_Owner.AE066C3A9B\Application Data\pcouffin.sys
2008-06-09 02:29 --------- d-----w C:\Documents and Settings\HP_Owner.AE066C3A9B\Application Data\Vso
2008-06-09 02:27 --------- d-----w C:\Program Files\Common Files\Teleca Shared
2008-06-09 02:21 --------- d-----w C:\Program Files\LucasArts
2008-06-09 02:04 --------- d-----w C:\Documents and Settings\HP_Owner.AE066C3A9B\Application Data\SSH
2008-06-08 04:10 --------- d-----w C:\Program Files\Panda Security
2008-06-08 03:48 --------- d-----w C:\Program Files\Windows Live
2008-06-07 21:00 --------- d-----w C:\Program Files\SpywareBlaster
2008-06-07 21:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-07 19:04 --------- d-----w C:\Documents and Settings\HP_Owner.AE066C3A9B\Application Data\Lavasoft
2008-06-07 19:02 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-07 19:02 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-07 06:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-06-07 06:39 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-06-07 06:39 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-06-07 06:39 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-06-07 06:39 10,671 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-06-07 06:39 --------- d-----w C:\Program Files\Symantec
2008-06-06 13:58 27,136 ----a-w C:\WINDOWS\CYK36.tmp
2008-06-04 02:47 --------- d-----w C:\Documents and Settings\HP_Owner.AE066C3A9B\Application Data\ZoomBrowser EX
2008-06-04 02:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\ZoomBrowser
2008-06-04 01:48 27,136 ----a-w C:\WINDOWS\CYK3B.tmp
2008-06-01 23:26 --------- d-----w C:\Program Files\Canon
2008-06-01 23:18 --------- d-----w C:\Program Files\Common Files\Canon
2008-05-29 04:32 27,136 ----a-w C:\WINDOWS\CYK139.tmp
2008-05-25 23:19 --------- d-----w C:\Documents and Settings\HP_Owner.AE066C3A9B\Application Data\PE Explorer
2008-05-16 02:16 27,136 ----a-w C:\WINDOWS\CYK51.tmp
2008-04-30 22:52 --------- d-----w C:\Documents and Settings\Natalia.AE066C3A9B\Application Data\LimeWire
2008-04-25 21:22 --------- d-----w C:\Program Files\QuickTime
2008-04-25 21:08 --------- d-----w C:\Program Files\Apple Software Update
2008-04-24 05:53 27,136 ----a-w C:\WINDOWS\CYK97F.tmp
2008-04-24 05:40 27,136 ----a-w C:\WINDOWS\CYK97D.tmp
2008-04-24 05:35 --------- d-----w C:\Program Files\DVDVideoSoft
2008-04-24 05:35 --------- d-----w C:\Program Files\Common Files\DVDVideoSoft
2008-04-22 05:15 --------- d-----w C:\Documents and Settings\HP_Owner.AE066C3A9B\Application Data\LimeWire
2008-04-17 05:42 --------- d-----w C:\Program Files\Azureus
2008-04-16 05:29 --------- d-----w C:\Program Files\Chessmaster 8000
2008-04-09 13:17 27,136 ----a-w C:\WINDOWS\CYK3A.tmp
2008-04-05 02:12 27,136 ----a-w C:\WINDOWS\CYK3C.tmp
2008-04-01 04:34 27,136 ----a-w C:\WINDOWS\CYK39.tmp
2008-03-30 20:09 27,136 ----a-w C:\WINDOWS\CYK125.tmp
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2005-01-09 22:46 0 -csha-w C:\WINDOWS\SMINST\HPCD.sys
.
------- Sigcheck ------- 08/04/2004 01:00 PM 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\system32\svchost.exe 08/04/2004 01:00 PM 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\system32\dllcache\svchost.exe 03/02/2005 12:19 PM 577024 1800f293bccc8ede8a70e12b88d80036 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll 03/08/2007 09:48 AM 578048 7aa4f6c00405dfc4b70ed4214e7d687b C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll 08/04/2004 01:00 PM 577024 c72661f8552ace7c5c85e16a3cf505c4 C:\WINDOWS\$NtUninstallKB890859$\user32.dll 03/02/2005 12:09 PM 577024 de2db164bbb35db061af0997e4499054 C:\WINDOWS\$NtUninstallKB925902$\user32.dll 03/08/2007 09:36 AM 577536 b409909f6e2e8a7067076ed748abf1e7 C:\WINDOWS\system32\user32.dll 03/08/2007 09:36 AM 577536 b409909f6e2e8a7067076ed748abf1e7 C:\WINDOWS\system32\dllcache\user32.dll 08/04/2004 01:00 PM 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\system32\ws2_32.dll 08/04/2004 01:00 PM 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\system32\dllcache\ws2_32.dll 09/29/2004 12:27 PM 656896 2c07195588d69a067c2afdaa31759295 C:\WINDOWS\$hf_mig$\KB834707\SP2QFE\wininet.dll 01/27/2005 11:08 AM 657920 a8eac5330876548e9966a7d13025d196 C:\WINDOWS\$hf_mig$\KB867282\SP2QFE\wininet.dll 05/02/2005 02:57 PM 658944 e1e18136f9dd3df1ad9c82193a5898a6 C:\WINDOWS\$hf_mig$\KB883939\SP2QFE\wininet.dll 03/10/2005 01:43 AM 657920 c8663b488996e89a84c3d17c1d12b79e C:\WINDOWS\$hf_mig$\KB890923\SP2QFE\wininet.dll 09/02/2005 05:53 PM 660480 97a6fd7cafd688cf2c78939ebaf0cd0c C:\WINDOWS\$hf_mig$\KB896688\SP2QFE\wininet.dll 07/02/2005 08:09 PM 659456 6e533d155b259eb2363d3e04b5be309f C:\WINDOWS\$hf_mig$\KB896727\SP2QFE\wininet.dll 10/20/2005 09:38 PM 661504 af785c4947676a7fc1673fdc5c8d0b5b C:\WINDOWS\$hf_mig$\KB905915\SP2QFE\wininet.dll 03/03/2006 09:58 PM 663552 c0845ecbf4f9164e618ee381b79c9032 C:\WINDOWS\$hf_mig$\KB912812\SP2QFE\wininet.dll 05/09/2006 11:25 PM 663552 d94cffdb53e7ac867438e2dfd50e7cbc C:\WINDOWS\$hf_mig$\KB916281\SP2QFE\wininet.dll 
06/23/2006 05:25 AM 664576 64ce26db72810b30f7855ea51e1df836 C:\WINDOWS\$hf_mig$\KB918899\SP2QFE\wininet.dll 09/14/2006 02:31 AM 664576 d207370287cf769aebebf03837784963 C:\WINDOWS\$hf_mig$\KB922760\SP2QFE\wininet.dll 10/23/2006 09:34 AM 664576 231ef4179acabe486376b5ca893f1076 C:\WINDOWS\$hf_mig$\KB925454\SP2QFE\wininet.dll 01/04/2007 08:05 AM 665088 3ffa1573fc274e5aa7467d03941c45ee C:\WINDOWS\$hf_mig$\KB928090\SP2QFE\wininet.dll 02/20/2007 03:52 AM 665600 b258c922d22deec880b60720531d7627 C:\WINDOWS\$hf_mig$\KB931768\SP2QFE\wininet.dll 04/18/2007 06:46 AM 665600 4261ba03afd659de04f0a17dfbdd454d C:\WINDOWS\$hf_mig$\KB933566\SP2QFE\wininet.dll 06/26/2007 08:35 AM 665600 e1a3dd68b5380b360a7310a64d9bb188 C:\WINDOWS\$hf_mig$\KB937143\SP2QFE\wininet.dll 08/22/2007 06:55 AM 665600 a1bc17eb3758d73c3938b2318820f5b4 C:\WINDOWS\$hf_mig$\KB939653\SP2QFE\wininet.dll 10/10/2007 11:57 PM 666112 80d660a49e0d118144423099b2a9f5da C:\WINDOWS\$hf_mig$\KB942615\SP2QFE\wininet.dll 12/06/2007 06:44 PM 666112 085a7c37f9c6ede1ba870b7dbec06399 C:\WINDOWS\$hf_mig$\KB944533\SP2QFE\wininet.dll 02/16/2008 03:32 AM 666112 bb1eacd6ab47e78ebca02eb781550d55 C:\WINDOWS\$hf_mig$\KB947864\SP2QFE\wininet.dll 08/04/2004 01:00 PM 656384 c0823fc5469663ba63e7db88f9919d70 C:\WINDOWS\$NtUninstallKB834707$\wininet.dll 09/29/2004 12:47 PM 656896 cba65b573c66fe23f647ff96e3a10994 C:\WINDOWS\$NtUninstallKB867282$\wininet.dll 03/10/2005 02:02 AM 656896 6f018d6319be4f96426ea829b79e05d5 C:\WINDOWS\$NtUninstallKB883939$\wininet.dll 01/27/2005 11:13 AM 656896 b5e043e440b210014e021b24cf0a72e3 C:\WINDOWS\$NtUninstallKB890923$\wininet.dll 07/02/2005 08:11 PM 658432 5b5ff992c0fa762ccf8655fc290e6e52 C:\WINDOWS\$NtUninstallKB896688$\wininet.dll 05/02/2005 02:52 PM 657920 1a078af3f85d10ba56444c23b3a18e74 C:\WINDOWS\$NtUninstallKB896727$\wininet.dll 09/02/2005 05:52 PM 658432 af61ebb1f550175eff406d545d6ab086 C:\WINDOWS\$NtUninstallKB905915$\wininet.dll 10/20/2005 09:39 PM 658432 e7b27b6b6e06ce34ea019fd8b858c613 
C:\WINDOWS\$NtUninstallKB912812$\wininet.dll
03/03/2006 09:33 PM 658432 1c0979c7a489bee573cd0bf4ad94bb06 C:\WINDOWS\$NtUninstallKB916281$\wininet.dll
05/09/2006 11:23 PM 658432 38ab7a56f566d9aaad31812494944824 C:\WINDOWS\$NtUninstallKB918899$\wininet.dll
06/23/2006 05:02 AM 658944 2b4db890936430c71419037039502752 C:\WINDOWS\$NtUninstallKB922760$\wininet.dll
09/14/2006 02:39 AM 658944 621af3f6174a3f60677f5230e28bcc07 C:\WINDOWS\$NtUninstallKB925454$\wininet.dll
10/23/2006 09:17 AM 658944 6b2735adff5a5d3b9130ca4a794722f0 C:\WINDOWS\$NtUninstallKB928090$\wininet.dll
01/04/2007 07:37 AM 658944 8c393df5234cbcbff1ee31902d6b40ae C:\WINDOWS\$NtUninstallKB931768$\wininet.dll
08/04/2004 01:00 PM 656384 c0823fc5469663ba63e7db88f9919d70 C:\WINDOWS\$NtUninstallKB933566$\wininet.dll
04/18/2007 06:31 AM 658944 b7156cd97e739f3014bc4d61758f868a C:\WINDOWS\$NtUninstallKB937143$\wininet.dll
06/26/2007 08:09 AM 658944 184e47c8f7b331025e6dc92740db188f C:\WINDOWS\$NtUninstallKB939653$\wininet.dll
08/22/2007 07:12 AM 658944 1901ad51da8be9f8b38d5d526e5d1788 C:\WINDOWS\$NtUninstallKB942615$\wininet.dll
10/11/2007 12:13 AM 659456 2005ad86a22aee68e21ee59f9ccb77f2 C:\WINDOWS\$NtUninstallKB944533$\wininet.dll
12/06/2007 07:07 PM 659456 57d1b5150cf6331fac6b3e04c1fcb966 C:\WINDOWS\$NtUninstallKB947864$\wininet.dll
02/16/2008 02:59 AM 659456 0c690e77c0e924c45b4d7045b182fff1 C:\WINDOWS\system32\wininet.dll
02/16/2008 02:59 AM 659456 0c690e77c0e924c45b4d7045b182fff1 C:\WINDOWS\system32\dllcache\wininet.dll
05/25/2005 01:07 PM 359936 63fdfea54eb53de2d863ee454937ce1e C:\WINDOWS\$hf_mig$\KB893066\SP2QFE\tcpip.sys
01/13/2006 11:07 AM 360448 5562cc0a47b2aef06d3417b733f3c195 C:\WINDOWS\$hf_mig$\KB913446\SP2QFE\tcpip.sys
04/20/2006 06:18 AM 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
10/30/2007 10:53 AM 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
08/04/2004 01:00 PM 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB893066$\tcpip.sys
05/25/2005 01:04 PM 359808 88763a98a4c26c409741b4aa162720c9 C:\WINDOWS\$NtUninstallKB913446$\tcpip.sys
08/04/2004 01:00 PM 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
04/20/2006 05:51 AM 359808 1dbf125862891817f374f407626967f4 C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
10/30/2007 11:20 AM 360064 90caff4b094573449a0872a0f919b178 C:\WINDOWS\system32\dllcache\tcpip.sys
10/30/2007 11:20 AM 360064 90caff4b094573449a0872a0f919b178 C:\WINDOWS\system32\drivers\tcpip.sys
08/04/2004 01:00 PM 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\system32\winlogon.exe
08/04/2004 01:00 PM 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\system32\dllcache\winlogon.exe
08/04/2004 01:00 PM 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\system32\dllcache\ndis.sys
08/04/2004 01:00 PM 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\system32\drivers\ndis.sys
08/04/2004 01:00 PM 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\dllcache\ip6fw.sys
08/04/2004 01:00 PM 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\drivers\ip6fw.sys
03/01/2005 06:36 PM 2056832 d8aba3eab509627e707a3b14f00fbb6b C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
12/19/2006 10:12 AM 2059392 ba4b97c00a437c1cc3da365d93ee1e9d C:\WINDOWS\$hf_mig$\KB929338\SP2QFE\ntkrnlpa.exe
02/28/2007 03:15 AM 2059392 4d3dbdccbf97f5ba1e74f322b155c3ba C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe
03/01/2005 06:34 PM 2015232 3cd941e472ddf3534e53038535719771 C:\WINDOWS\$NtUninstallKB929338$\ntkrnlpa.exe
12/19/2006 06:55 AM 2015744 bbb2322eb14ad9ad55b1024ffd4d88bf C:\WINDOWS\$NtUninstallKB931784$\ntkrnlpa.exe
02/28/2007 02:38 AM 2057600 515d30e2c90a3665a2739309334c9283 C:\WINDOWS\Driver Cache\i386\ntkrnlpa.exe
02/28/2007 02:38 AM 2015744 a58ac1c6199ef34228abee7fc057ae09 C:\WINDOWS\system32\ntkrnlpa.exe
08/04/2004 01:00 PM 2056832 947fb1d86d14afcffdb54bf837ec25d0 C:\WINDOWS\system32\ReinstallBackups\0009\DriverFiles\i386\ntkrnlpa.exe
03/01/2005 07:04 PM 2179456 28187802b7c368c0d3aef7d4c382aabb C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
12/19/2006 10:51 AM 2182016 cef243f6defd20be4adde26c7ecacb54 C:\WINDOWS\$hf_mig$\KB929338\SP2QFE\ntoskrnl.exe
02/28/2007 03:55 AM 2182144 5a5c8db4aa962c714c8371fbdf189fc9 C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe
03/01/2005 06:57 PM 2135552 48b3e89af7074cee0314a3e0c7faffdb C:\WINDOWS\$NtUninstallKB929338$\ntoskrnl.exe
12/19/2006 08:15 AM 2136064 8318ed54797f3e513fd5817a1d4bbd18 C:\WINDOWS\$NtUninstallKB931784$\ntoskrnl.exe
02/28/2007 03:10 AM 2180352 582a8dbaa58c3b1f176eb2817daee77c C:\WINDOWS\Driver Cache\i386\ntoskrnl.exe
02/28/2007 03:08 AM 2136064 1220faf071dea8653ee21de7dcda8bfd C:\WINDOWS\system32\ntoskrnl.exe
08/04/2004 01:00 PM 2180992 ce218bc7088681faa06633e218596ca7 C:\WINDOWS\system32\ReinstallBackups\0009\DriverFiles\i386\ntoskrnl.exe
06/13/2007 04:23 AM 1033216 97bd6515465659ff8f3b7be375b2ea87 C:\WINDOWS\explorer.exe
06/13/2007 05:26 AM 1033216 7712df0cdde3a5ac89843e61cd5b3658 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
08/04/2004 01:00 PM 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
06/13/2007 04:23 AM 1033216 97bd6515465659ff8f3b7be375b2ea87 C:\WINDOWS\system32\dllcache\explorer.exe
08/04/2004 01:00 PM 108032 c6ce6eec82f187615d1002bb3bb50ed4 C:\WINDOWS\system32\services.exe
08/04/2004 01:00 PM 108032 c6ce6eec82f187615d1002bb3bb50ed4 C:\WINDOWS\system32\dllcache\services.exe
08/04/2004 01:00 PM 13312 84885f9b82f4d55c6146ebf6065d75d2 C:\WINDOWS\system32\lsass.exe
08/04/2004 01:00 PM 13312 84885f9b82f4d55c6146ebf6065d75d2 C:\WINDOWS\system32\dllcache\lsass.exe
08/04/2004 01:00 PM 15360 24232996a38c0b0cf151c2140ae29fc8 C:\WINDOWS\system32\ctfmon.exe
08/04/2004 01:00 PM 15360 24232996a38c0b0cf151c2140ae29fc8 C:\WINDOWS\system32\dllcache\ctfmon.exe
.
((((((((((((((((((((((((((((( snapshot@Thu 06-12-2008_14.32.02.79 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-12 06:29:13 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-13 20 58 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-02-27 02:37:01 295,606 ----a-r C:\WINDOWS\Installer\{AC76BA86-7AD7-1033-7B44-A81200000003}\SC_Reader.exe
+ 2008-06-13 02:54:58 295,606 ----a-r C:\WINDOWS\Installer\{AC76BA86-7AD7-1033-7B44-A81200000003}\SC_Reader.exe
- 2008-06-12 20:28:16 53,248 ----a-w C:\WINDOWS\Temp\catchme.dll
+ 2008-06-13 20:14:27 53,248 ----a-w C:\WINDOWS\Temp\catchme.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
08/24/2007 09:51 PM 316784 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
03/20/2008 08:16 PM 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [08/24/2007 10:53 PM 714608]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [02/14/2008 11:01 AM 51048]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM 39792]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SymLnch"="C:\Documents and Settings\HP_Owner.AE066C3A9B\Application Data\Symantec\Layouts\Norton Internet Security\15.0\SymAllLanguages\NIS_RETAIL\20070826\Support\SymLnch\SymLnch.exe" [08/26/2007 06:04 PM 687976]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
"vidc.yv12"= yv12vfw.dll
"msacm.ac3filter"= ac3filter.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Suitcase Startup.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Suitcase Startup.lnk
backup=C:\WINDOWS\pss\Suitcase Startup.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=C:\WINDOWS\pss\Updates from HP.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Owner.AE066C3A9B^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\HP_Owner.AE066C3A9B\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 06/06/2005 11:46 PM 57344 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 01/11/2008 10:16 PM 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
--a------ 02/28/2007 11:06 PM 2321600 C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0EYTHM]
--a------ 03/20/2007 05:40 PM 1884160 C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
--a------ 06/29/2004 06:06 PM 88363 C:\WINDOWS\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 07/03/2004 03:49 AM 57344 C:\WINDOWS\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
--a------ 07/06/2004 02:05 AM 2550272 C:\WINDOWS\ALCWZRD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
-----c--- 05/10/2006 12:12 PM 90112 C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoTBar]
c:\Program Files\HP\Digital Imaging\bin\AUTOTBAR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 02/14/2008 11:01 AM 51048 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 04/03/2007 04:29 PM 165784 C:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DXDllRegExe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 08/04/2003 05:28 PM 49152 C:\Program Files\HP\HP Software Update\HPWuSchd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon06]
--a------ 06/07/2004 07:42 PM 659456 C:\WINDOWS\system32\hphmon06.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD06]
--a------ 06/07/2004 07:53 PM 49152 c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
--a------ 05/07/1998 05:04 PM 52736 c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 12/11/2007 01:10 PM 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
C:\HP\KBD\KBD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
---hs---- 10/13/2004 10:24 AM 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
--a------ 10/16/2002 05:57 PM 81920 C:\WINDOWS\system32\ps2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 03/28/2008 11:37 PM 413696 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a------ 04/14/2004 09:43 PM 233472 C:\WINDOWS\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 07/01/2004 07:58 PM 73728 C:\WINDOWS\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 03/14/2007 03:43 AM 83608 C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 08/07/2004 03:03 PM 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UVS11 Preload]
C:\Program Files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"MDM"=2 (0x2)
"ISPwdSvc"=3 (0x3)
"UleadBurningHelper"=2 (0x2)
"Capture Device Service"=2 (0x2)
"usnjsvc"=3 (0x3)
"ose"=3 (0x3)
"Adobe LM Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"LiveUpdate Notice"=2 (0x2)
"LiveUpdate"=3 (0x3)
"Automatic LiveUpdate Scheduler"=2 (0x2)
"Bonjour Service"=2 (0x2)
"Adobe Version Cue CS3"=3 (0x3)
"WLSetupSvc"=3 (0x3)
"comHost"=3 (0x3)
"rpcapd"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

*Newly Created Service* - CATCHME
*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-05-28 14:08:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-10 04:18:29 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - HP_Owner.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-13 14:14:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 06/13/2008 14:18:47
ComboFix-quarantined-files.txt 2008-06-13 20:17:52
ComboFix2.txt 2008-06-12 20:33:06

Pre-Run: 107,630,186,496 bytes free
Post-Run: 107,616,980,992 bytes free

412 --- E O F --- 2008-06-13 09:00:46

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, June 14, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, June 14, 2008 03:05:40
Records in database: 862537
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\
L:\

Scan statistics:
Files scanned: 142344
Threat name: 6
Infected objects: 6
Suspicious objects: 0
Duration of the scan: 04:36:47

File name / Threat name / Threats count
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 1
C:\Program Files\Windows Live\Messenger\msimg32.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.cg 1
C:\Program Files\Windows Live\Messenger\riched20.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.cj 1
C:\QooBox\Quarantine\C\Documents and Settings\Natalia.AE066C3A9B\Local Settings\Application Data\Mozilla\Firefox\Profiles\cp5fpd5o.default\Cache\3A802488d01.vir Infected: Trojan-Downloader.Win32.FraudLoad.gen 1
C:\QooBox\Quarantine\C\Documents and Settings\Natalia.AE066C3A9B\Local Settings\Application Data\Mozilla\Firefox\Profiles\cp5fpd5o.default\Cache\3A912488d01.vir Infected: Trojan-Downloader.Win32.FraudLoad.alt 1
C:\temp\srbndl.exe Infected: not-a-virus:AdWare.Win32.EShoper.p 1

The selected area was scanned.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:44:17 AM, on 6/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [SymLnch] "C:\Documents and Settings\HP_Owner.AE066C3A9B\Application Data\Symantec\Layouts\Norton Internet Security\15.0\SymAllLanguages\NIS_RETAIL\20070826\Support\SymLnch\SymLnch.exe" "C:\Documents and Settings\HP_Owner.AE066C3A9B\Application Data\Symantec\Layouts\Norton Internet Security\15.0\SymAllLanguages\NIS_RETAIL\20070826\Setup.exe" "/REALUPREBOOT /temp /patched"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com.ezproxy.lrc.m.../ebraryRdr.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/.../GAME_UNO1.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 7161 bytes
#8 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
Join Date: Oct 2007
Location: Georgia
Posts: 8,678
OS: XP SP3
Re: Possible Malware Issue
Hello kiranaus.
I will recommend expert advice with those issues in our XP forum when we are finished. Did you fix those HijackThis entries? They are still in your log. Please deactivate Spyware Doctor's OnGuard Tools as it may hinder the removal of some entries.
Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they still exist: (Make sure you do not miss any)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone

Please remember to close all other windows, including browsers, then click Fix checked. Please close HijackThis now.
------------------------------------------------------
Please delete the following files if they still exist:

C:\Program Files\Windows Live\Messenger\msimg32.dll
C:\Program Files\Windows Live\Messenger\riched20.dll
C:\temp\srbndl.exe

If any file resists deletion, please reboot your computer in Safe Mode and delete it. Please let me know if you had trouble.
------------------------------------------------------
From Normal Mode... Please go to: VirusTotal
Please download Dial-a-fix and Save it to your Desktop.
Please double-click combofix.exe and follow the prompts to run it. Post the ComboFix.txt it produces in your next reply.
------------------------------------------------------
Open HijackThis and click on 'Do a System Scan and Save a Logfile'. Save the logfile and post it here.
------------------------------------------------------
Please post the following in your next reply:

VirusTotal results
Dial-a-fix log
C:\ComboFix.txt
new HijackThis log
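The checklist above (blank R0 values, the missing R3 URLSearchHook, and the O15 ProtocolDefaults entries whose zone differs from the one HijackThis says it should be) is the kind of thing that is easy to miss by eye and has to be re-checked after every rescan. As an added example, not code from this thread, from HijackThis or from the forum's tools, here is a small Python triage script that parses HijackThis log lines and reports exactly those entries, plus O2 BHO entries whose DLL is missing. The sample lines are copied from the log posted earlier in this thread (with two benign entries added); the function and regex names are this example's own.

```python
"""Triage helper for HijackThis (HJT) log lines (added example, not HJT's own code)."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample input: entries copied from the HijackThis log posted in this
# thread, plus a benign R1 line and a benign O4 line so the filter has something to skip.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
"""

# Every HJT finding is written as "<type> - <detail>", e.g. "O15 - ProtocolDefaults: ...".
ENTRY_RE = re.compile(r"^(?P<type>[RFO]\d+)\s+-\s+(?P<detail>.*)$")

# O15 detail text: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15_RE = re.compile(
    r"ProtocolDefaults: '(?P<proto>[^']+)' protocol is in (?P<actual>.+?) Zone, "
    r"should be (?P<expected>.+?) Zone"
)


@dataclass
class Finding:
    entry_type: str   # HJT entry class, e.g. "R0", "O15"
    reason: str       # why this entry is on the fix list
    line: str         # the raw log line, so it can be matched in the HJT UI


def parse_hjt(text):
    """Yield (type, detail, raw_line) for each HJT entry line; skip headers, process lists, blanks."""
    for raw in text.splitlines():
        raw = raw.strip()
        m = ENTRY_RE.match(raw)
        if m:
            yield m.group("type"), m.group("detail"), raw


def triage(text):
    """Return the entries the moderator's checklist tells the user to fix."""
    findings = []
    for etype, detail, raw in parse_hjt(text):
        if etype in ("R0", "R1") and detail.endswith("="):
            # A Start Page / Local Page / LinksFolderName value that exists but is empty.
            findings.append(Finding(etype, "blank value", raw))
        elif etype == "R3" and "URLSearchHook is missing" in detail:
            findings.append(Finding(etype, "default URLSearchHook missing", raw))
        elif etype == "O15":
            zm = O15_RE.search(detail)
            if zm and zm.group("actual") != zm.group("expected"):
                findings.append(Finding(
                    etype,
                    f"{zm.group('proto')} mapped to {zm.group('actual')} Zone "
                    f"instead of {zm.group('expected')} Zone",
                    raw,
                ))
        elif etype == "O2" and "(file missing)" in detail:
            findings.append(Finding(etype, "BHO registered but its DLL is missing", raw))
    return findings


def summarize(text):
    """Count findings per entry class, e.g. {'R0': 3, 'R3': 1, 'O15': 5, 'O2': 1}."""
    return dict(Counter(f.entry_type for f in triage(text)))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.entry_type}] {f.reason}\n    {f.line}")
    print(summarize(SAMPLE_LOG))
```

Run it against a saved hijackthis.log by replacing SAMPLE_LOG with the file's contents; an empty result after a rescan confirms the fixes held. The O15 lines deserve the attention the moderator gives them: they map http, https, ftp and file URLs into the My Computer zone, which is the least restricted of Internet Explorer's security zones, so restoring the default zone assignments is a security fix, not a cosmetic one.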
#9 (permalink)
Registered User
Join Date: Jun 2008
Posts: 26
OS: xp sp2
Re: Possible Malware Issue
ComboFix wasn't giving me a log, so after trying numerous times and reinstalling it I just gave up and decided to post something. That should explain any timestamp discrepancies.
The items I "fixed" in HijackThis reappear when I scan again. When I do fix them, the scan results just disappear, and I'm not sure if I'm supposed to be getting a message of some kind that says if they were fixed or not, like a "Process Complete" type.

The following error displayed when I ran Dial-a-fix:

An error occurred during registration of the file: C:\WINDOWS\system32\initpki.dll (version 5.131.2600.2180)
Error 5 was encountered while trying to register C:\WINDOWS\system32\initpki.dll. The error text is: Access is denied.
Dial-a-fix currently has no suggestions for this error code.

----------------------------------------------------------------------

Antivirus Version Last Update Result
AhnLab-V3 2008.6.13.1 2008.06.13 -
AntiVir 7.8.0.55 2008.06.14 -
Authentium 5.1.0.4 2008.06.14 -
Avast 4.8.1195.0 2008.06.14 -
AVG 7.5.0.516 2008.06.14 -
BitDefender 7.2 2008.06.14 -
CAT-QuickHeal 9.50 2008.06.14 -
ClamAV 0.92.1 2008.06.14 -
DrWeb 4.44.0.09170 2008.06.14 -
eSafe 7.0.15.0 2008.06.12 -
eTrust-Vet 31.6.5873 2008.06.14 -
Ewido 4.0 2008.06.14 -
F-Prot 4.4.4.56 2008.06.12 -
F-Secure 6.70.13260.0 2008.06.14 -
Fortinet 3.14.0.0 2008.06.14 -
GData 2.0.7306.1023 2008.06.14 -
Ikarus T3.1.1.26.0 2008.06.14 -
Kaspersky 7.0.0.125 2008.06.14 -
McAfee 5317 2008.06.13 -
Microsoft 1.3604 2008.06.14 -
NOD32v2 3186 2008.06.13 -
Norman 5.80.02 2008.06.13 -
Panda 9.0.0.4 2008.06.14 -
Prevx1 V2 2008.06.14 -
Rising 20.48.52.00 2008.06.14 -
Sophos 4.30.0 2008.06.14 -
Sunbelt 3.0.1145.1 2008.06.05 -
Symantec 10 2008.06.14 -
TheHacker 6.2.92.350 2008.06.14 -
VBA32 3.12.6.7 2008.06.14 -
VirusBuster 4.3.26:9 2008.06.12 -
Webwasher-Gateway 6.6.2 2008.06.14 -

Additional information
File size: 818688 bytes
MD5...: a4a0fc92358f39538a6494c42ef99fe9
SHA1..: 35fb52e6e9346b73942116f6b25f4019aa927293
SHA256: 2fc9747abaee997de1c2e5ab5a194e75c18f3e3d56920fe5368bb043b637576e
SHA512: b4aac48b1d77fa5855ae397e04d0fc221538f54b588449df37edfa0ad3c49d1ef275d99befb99635799f6c19cc95c1a2f05ae715e6e329dbd4a8741613b3684a
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x771b1678
timedatestamp.....: 0x46c10b41 (Tue Aug 14 01:54:09 2007)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x9932c 0x99400 6.61 603665e5cd2dfffb0e7d1674a76ceacf
.data 0x9b000 0x7708 0x4200 1.40 940cbbb0ffa382573fadc329f757ee9c
.rsrc 0xa3000 0x24d58 0x24e00 4.73 3c5af6e048b396645ffd4ddf3f31c263
.reloc 0xc8000 0x55e0 0x5600 6.76 b0f8e074d3276d8ea35e95b6be276dcb

( 8 imports )
> msvcrt.dll: _isatty, _write, _lseeki64, _fileno, __pioinfo, __badioinfo, wctomb, _itoa, _snprintf, _iob, isleadbyte, _onexit, _lock, __dllonexit, _unlock, _adjust_fdiv, _amsg_exit, _initterm, _XcptFilter, islower, __isascii, strtol, memmove, strrchr, atoi, realloc, free, malloc, _vsnprintf, _wcsnicmp, memcpy, memset, _vsnwprintf, wcstok, bsearch, _wtoi, _wcsicmp, isupper, strncmp, wcsstr, _purecall, _mbstok, iscntrl, ispunct, strtoul, time, iswdigit, isalpha, atol, isalnum, _errno, isspace, strpbrk, isdigit, isxdigit, memchr
> ntdll.dll: RtlMoveMemory, RtlUnwind, RtlConvertSidToUnicodeString
> SHLWAPI.dll: SHRegGetValueW, PathAddBackslashW, -, SHRegGetValueA, StrRChrW, PathRemoveBackslashA, PathRemoveFileSpecA, -, PathRemoveBlanksA, PathAddBackslashA, -, PathAppendA, -, PathUnExpandEnvStringsA, PathRenameExtensionA, SHDeleteKeyA, SHDeleteValueW, StrCmpNIW, StrCmpNIA, StrStrA, -, StrChrW, StrChrA, -, -, UrlCombineW, UrlCanonicalizeW, -, PathCreateFromUrlW, UrlUnescapeA, UrlCombineA, UrlCanonicalizeA, StrToIntW, StrCmpW, StrCmpNA, StrRChrA, StrToIntA, StrStrIW, SHGetValueA, SHSetValueA, SHGetValueW, SHSetValueW, -, -, PathCombineW, PathFindFileNameW, StrStrIA
> ADVAPI32.dll: RegDeleteKeyA, RegCreateKeyExW, RegDeleteValueW, RegSetValueExW, RegQueryValueExW, CryptAcquireContextA, CryptGenRandom, CryptReleaseContext, RegOpenKeyA, RegEnumKeyA, TraceEvent, DuplicateTokenEx, ConvertStringSidToSidA, GetLengthSid, SetTokenInformation, CreateProcessAsUserA, ConvertStringSecurityDescriptorToSecurityDescriptorA, GetSidSubAuthorityCount, GetSidSubAuthority, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, RegDeleteValueA, OpenThreadToken, OpenProcessToken, GetTokenInformation, RegOpenKeyExW, UnregisterTraceGuids, RegQueryInfoKeyW, RegisterTraceGuidsA, GetTraceLoggerHandle, GetTraceEnableLevel, GetTraceEnableFlags, RegCreateKeyExA, RegSetValueExA, RegOpenKeyExA, RegQueryValueExA, RegQueryInfoKeyA, RegEnumKeyExA, RegCloseKey, GetUserNameA, OpenSCManagerA, OpenServiceA, CloseServiceHandle, QueryServiceStatus
> KERNEL32.dll: GetShortPathNameA, GetShortPathNameW, FindFirstFileA, RemoveDirectoryA, FindNextFileA, FindClose, GetDiskFreeSpaceExA, CopyFileA, SetFileTime, CreateDirectoryA, GetWindowsDirectoryA, GetSystemDirectoryA, GetPrivateProfileStringA, GetFileAttributesA, SetFileAttributesA, GetFileAttributesExA, FileTimeToDosDateTime, GetFileSizeEx, lstrcmpW, RaiseException, MoveFileExA, MoveFileA, LocalFileTimeToFileTime, CreateSemaphoreA, ReleaseSemaphore, GetCurrentProcessId, GetFileTime, lstrcmpA, GetModuleHandleExA, ResumeThread, FreeLibraryAndExitThread, ExpandEnvironmentStringsA, GetSystemTimeAsFileTime, DeleteFileW, GetACP, InterlockedExchangeAdd, CreateThread, Sleep, OpenMutexA, GetModuleHandleA, FormatMessageA, SetErrorMode, IsDBCSLeadByteEx, SystemTimeToFileTime, GetEnvironmentVariableA, TlsFree, TlsGetValue, GetCurrentThreadId, TlsSetValue, TlsAlloc, GetDateFormatA, GetTimeFormatA, GlobalAlloc, InterlockedCompareExchange, GetCurrentThread, GetCurrentProcess, IsDBCSLeadByte, IsValidCodePage, GlobalFree, lstrlenW, DeleteFileA, FormatMessageW, GetSystemTime, WritePrivateProfileStringA, GetVersionExA, GetModuleFileNameA, WriteFile, SetFilePointer, CreateFileW, CreateFileA, GetFileSize, ReadFile, FileTimeToSystemTime, LocalReAlloc, InitializeCriticalSection, InterlockedDecrement, lstrlenA, lstrcmpiA, InterlockedIncrement, DeleteCriticalSection, LocalAlloc, LocalFree, ReleaseMutex, CompareStringA, CreateMutexA, CreateEventA, MultiByteToWideChar, WideCharToMultiByte, WaitForSingleObject, CompareStringW, LeaveCriticalSection, DosDateTimeToFileTime, FlushViewOfFile, OutputDebugStringA, UnmapViewOfFile, SetEndOfFile, MapViewOfFileEx, CreateFileMappingA, OpenFileMappingA, LoadLibraryW, HeapFree, HeapAlloc, GetProcessHeap, GetTimeFormatW, GetDateFormatW, GetUserDefaultLCID, GetModuleFileNameW, LoadResource, ResetEvent, FindResourceExW, LoadLibraryExW, MapViewOfFile, CreateFileMappingW, GetVersionExW, GetSystemDefaultUILanguage, GetUserDefaultUILanguage, FindResourceW, SearchPathW, CreateActCtxW, ReleaseActCtx, ActivateActCtx, DeactivateActCtx, SetFileAttributesW, InitializeCriticalSectionAndSpinCount, WritePrivateProfileStringW, GetFileAttributesW, GetComputerNameA, GetModuleHandleW, GlobalUnlock, GlobalLock, QueryPerformanceCounter, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetTickCount, GetProcAddress, LoadLibraryA, FreeLibrary, SetEvent, InterlockedExchange, CloseHandle, GetLastError, SetLastError, EnterCriticalSection
> USER32.dll: EndDialog, CheckDlgButton, SendMessageW, SendMessageA, IsDlgButtonChecked, DefWindowProcA, SetWindowLongA, GetWindowLongA, RegisterClassW, CreateWindowExW, SetTimer, GetWindowTextW, MessageBoxW, CharNextA, GetWindowInfo, CharToOemA, CharUpperA, CharLowerW, IsCharAlphaNumericA, GetWindowThreadProcessId, EnumChildWindows, IsWindowVisible, GetAncestor, EnumWindows, PostMessageA, IsWindow, CharNextExA, SetWindowPos, SetDlgItemTextW, DestroyIcon, SetForegroundWindow, GetWindow, GetWindowRect, EqualRect, IntersectRect, SetFocus, GetDlgItem, SetWindowTextW, EnableWindow, KillTimer, DestroyWindow, FindWindowW, RegisterWindowMessageW, PostMessageW, CharLowerA, LoadStringW, DialogBoxParamW, GetDesktopWindow, SendDlgItemMessageA, LoadIconA, LoadImageA, LoadStringA
> Normaliz.dll: IdnToUnicode, IdnToAscii
> iertutil.dll: -, -, -, -

( 229 exports )
CommitUrlCacheEntryA, CommitUrlCacheEntryW, CreateMD5SSOHash, CreateUrlCacheContainerA, CreateUrlCacheContainerW, CreateUrlCacheEntryA, CreateUrlCacheEntryW, CreateUrlCacheGroup, DeleteIE3Cache, DeleteUrlCacheContainerA, DeleteUrlCacheContainerW, DeleteUrlCacheEntry, DeleteUrlCacheEntryA, DeleteUrlCacheEntryW, DeleteUrlCacheGroup, DetectAutoProxyUrl, DispatchAPICall, DllInstall, FindCloseUrlCache, FindFirstUrlCacheContainerA, FindFirstUrlCacheContainerW, FindFirstUrlCacheEntryA, FindFirstUrlCacheEntryExA, FindFirstUrlCacheEntryExW, FindFirstUrlCacheEntryW, FindFirstUrlCacheGroup, FindNextUrlCacheContainerA, FindNextUrlCacheContainerW, FindNextUrlCacheEntryA, FindNextUrlCacheEntryExA, FindNextUrlCacheEntryExW, FindNextUrlCacheEntryW, FindNextUrlCacheGroup, ForceNexusLookup, ForceNexusLookupExW, FreeUrlCacheSpaceA, FreeUrlCacheSpaceW, FtpCommandA, FtpCommandW, FtpCreateDirectoryA, FtpCreateDirectoryW, FtpDeleteFileA, FtpDeleteFileW, FtpFindFirstFileA, FtpFindFirstFileW, FtpGetCurrentDirectoryA, FtpGetCurrentDirectoryW, FtpGetFileA, FtpGetFileEx, FtpGetFileSize, FtpGetFileW, FtpOpenFileA, FtpOpenFileW, FtpPutFileA, FtpPutFileEx, FtpPutFileW, FtpRemoveDirectoryA, FtpRemoveDirectoryW, FtpRenameFileA, FtpRenameFileW, FtpSetCurrentDirectoryA, FtpSetCurrentDirectoryW, GetUrlCacheConfigInfoA, GetUrlCacheConfigInfoW, GetUrlCacheEntryInfoA, GetUrlCacheEntryInfoExA, GetUrlCacheEntryInfoExW, GetUrlCacheEntryInfoW, GetUrlCacheGroupAttributeA, GetUrlCacheGroupAttributeW, GetUrlCacheHeaderData, GopherCreateLocatorA, GopherCreateLocatorW, GopherFindFirstFileA, GopherFindFirstFileW, GopherGetAttributeA, GopherGetAttributeW, GopherGetLocatorTypeA, GopherGetLocatorTypeW, GopherOpenFileA, GopherOpenFileW, HttpAddRequestHeadersA, HttpAddRequestHeadersW, HttpCheckDavCompliance, HttpEndRequestA, HttpEndRequestW, HttpOpenRequestA, HttpOpenRequestW, HttpQueryInfoA, HttpQueryInfoW, HttpSendRequestA, HttpSendRequestExA, HttpSendRequestExW, HttpSendRequestW, IncrementUrlCacheHeaderData, 
InternetAlgIdToStringA, InternetAlgIdToStringW, InternetAttemptConnect, InternetAutodial, InternetAutodialCallback, InternetAutodialHangup, InternetCanonicalizeUrlA, InternetCanonicalizeUrlW, InternetCheckConnectionA, InternetCheckConnectionW, InternetClearAllPerSiteCookieDecisions, InternetCloseHandle, InternetCombineUrlA, InternetCombineUrlW, InternetConfirmZoneCrossing, InternetConfirmZoneCrossingA, InternetConfirmZoneCrossingW, InternetConnectA, InternetConnectW, InternetCrackUrlA, InternetCrackUrlW, InternetCreateUrlA, InternetCreateUrlW, InternetDial, InternetDialA, InternetDialW, InternetEnumPerSiteCookieDecisionA, InternetEnumPerSiteCookieDecisionW, InternetErrorDlg, InternetFindNextFileA, InternetFindNextFileW, InternetFortezzaCommand, InternetGetCertByURL, InternetGetCertByURLA, InternetGetConnectedState, InternetGetConnectedStateEx, InternetGetConnectedStateExA, InternetGetConnectedStateExW, InternetGetCookieA, InternetGetCookieExA, InternetGetCookieExW, InternetGetCookieW, InternetGetLastResponseInfoA, InternetGetLastResponseInfoW, InternetGetPerSiteCookieDecisionA, InternetGetPerSiteCookieDecisionW, InternetGetSecurityInfoByURL, InternetGetSecurityInfoByURLA, InternetGetSecurityInfoByURLW, InternetGoOnline, InternetGoOnlineA, InternetGoOnlineW, InternetHangUp, InternetInitializeAutoProxyDll, InternetLockRequestFile, InternetOpenA, InternetOpenUrlA, InternetOpenUrlW, InternetOpenW, InternetQueryDataAvailable, InternetQueryFortezzaStatus, InternetQueryOptionA, InternetQueryOptionW, InternetReadFile, InternetReadFileExA, InternetReadFileExW, InternetSecurityProtocolToStringA, InternetSecurityProtocolToStringW, InternetSetCookieA, InternetSetCookieExA, InternetSetCookieExW, InternetSetCookieW, InternetSetDialState, InternetSetDialStateA, InternetSetDialStateW, InternetSetFilePointer, InternetSetOptionA, InternetSetOptionExA, InternetSetOptionExW, InternetSetOptionW, InternetSetPerSiteCookieDecisionA, InternetSetPerSiteCookieDecisionW, 
InternetSetStatusCallback, InternetSetStatusCallbackA, InternetSetStatusCallbackW, InternetShowSecurityInfoByURL, InternetShowSecurityInfoByURLA, InternetShowSecurityInfoByURLW, InternetTimeFromSystemTime, InternetTimeFromSystemTimeA, InternetTimeFromSystemTimeW, InternetTimeToSystemTime, InternetTimeToSystemTimeA, InternetTimeToSystemTimeW, InternetUnlockRequestFile, InternetWriteFile, InternetWriteFileExA, InternetWriteFileExW, IsHostInProxyBypassList, IsUrlCacheEntryExpiredA, IsUrlCacheEntryExpiredW, LoadUrlCacheContent, ParseX509EncodedCertificateForListBoxEntry, PrivacyGetZonePreferenceW, PrivacySetZonePreferenceW, ReadUrlCacheEntryStream, RegisterUrlCacheNotification, ResumeSuspendedDownload, RetrieveUrlCacheEntryFileA, RetrieveUrlCacheEntryFileW, RetrieveUrlCacheEntryStreamA, RetrieveUrlCacheEntryStreamW, RunOnceUrlCache, SetUrlCacheConfigInfoA, SetUrlCacheConfigInfoW, SetUrlCacheEntryGroup, SetUrlCacheEntryGroupA, SetUrlCacheEntryGroupW, SetUrlCacheEntryInfoA, SetUrlCacheEntryInfoW, SetUrlCacheGroupAttributeA, SetUrlCacheGroupAttributeW, SetUrlCacheHeaderData, ShowCertificate, ShowClientAuthCerts, ShowSecurityInfo, ShowX509EncodedCertificate, UnlockUrlCacheEntryFile, UnlockUrlCacheEntryFileA, UnlockUrlCacheEntryFileW, UnlockUrlCacheEntryStream, UpdateUrlCacheContentPath, UrlZonesDetach, _GetFileExtensionFromUrl --------------------------------------------------------------------- Antivirus Version Last Update Result AhnLab-V3 2008.6.13.1 2008.06.13 - AntiVir 7.8.0.55 2008.06.14 - Authentium 5.1.0.4 2008.06.14 - Avast 4.8.1195.0 2008.06.14 - AVG 7.5.0.516 2008.06.14 - BitDefender 7.2 2008.06.14 - CAT-QuickHeal 9.50 2008.06.14 - ClamAV 0.92.1 2008.06.14 - DrWeb 4.44.0.09170 2008.06.14 - eSafe 7.0.15.0 2008.06.12 - eTrust-Vet 31.6.5873 2008.06.14 - Ewido 4.0 2008.06.14 - F-Prot 4.4.4.56 2008.06.12 - F-Secure 6.70.13260.0 2008.06.14 - Fortinet 3.14.0.0 2008.06.14 - GData 2.0.7306.1023 2008.06.14 - Ikarus T3.1.1.26.0 2008.06.14 - Kaspersky 7.0.0.125 2008.06.14 - 
McAfee 5317 2008.06.13 - Microsoft 1.3604 2008.06.14 - NOD32v2 3186 2008.06.13 - Norman 5.80.02 2008.06.13 - Panda 9.0.0.4 2008.06.14 - Prevx1 V2 2008.06.14 - Rising 20.48.52.00 2008.06.14 - Sophos 4.30.0 2008.06.14 - Sunbelt 3.0.1145.1 2008.06.05 - Symantec 10 2008.06.14 - TheHacker 6.2.92.350 2008.06.14 - VBA32 3.12.6.7 2008.06.14 - VirusBuster 4.3.26:9 2008.06.12 - Webwasher-Gateway 6.6.2 2008.06.14 - Additional information File size: 1033216 bytes MD5...: 97bd6515465659ff8f3b7be375b2ea87 SHA1..: 972307a3ef93680afdd03603df20f2241047a934 SHA256: 8b48dd5eb2a7f8ec8b607b1b0c9cbf7278b401024347971cbb6d0c9530d1c295 SHA512: 780c42f6aa8fce6826059bf892b1b10dbe9380aec3155dd72506c965355bf10b 4e8a43d7132a90f5c99ecfab3d42127a5e836d9b39b80b806ba00d038bc3f1d1 PEiD..: - PEInfo: PE Structure information ( base data ) entrypointaddress.: 0x101a8ce timedatestamp.....: 0x466fc588 (Wed Jun 13 10:23:04 2007) machinetype.......: 0x14c (I386) ( 4 sections ) name viradd virsiz rawdsiz ntrpy md5 .text 0x1000 0x44ad9 0x44c00 6.36 7de882aa0da62b155286cb91c8f0fbd9 .data 0x46000 0x1db4 0x1800 1.30 25fdde5ea7a06e94390eb8773b825a55 .rsrc 0x48000 0xb2278 0xb2400 6.63 b82ace172bfa53b11b99e63c7ac67c26 .reloc 0xfb000 0x3720 0x3800 6.76 924c25a2a1584ac973811d65894c44fa ( 13 imports ) > ADVAPI32.dll: RegSetValueW, RegEnumKeyExW, GetUserNameW, RegNotifyChangeKeyValue, RegEnumValueW, RegQueryValueExA, RegOpenKeyExA, RegEnumKeyW, RegCloseKey, RegCreateKeyW, RegQueryInfoKeyW, RegOpenKeyExW, RegQueryValueExW, RegCreateKeyExW, RegSetValueExW, RegDeleteValueW, RegQueryValueW > BROWSEUI.dll: -, -, -, - > GDI32.dll: GetStockObject, CreatePatternBrush, OffsetViewportOrgEx, GetLayout, CombineRgn, CreateDIBSection, GetTextExtentPoint32W, StretchBlt, SetTextColor, CreateRectRgn, GetClipRgn, IntersectClipRect, GetViewportOrgEx, SetViewportOrgEx, SelectClipRgn, PatBlt, GetBkColor, CreateCompatibleDC, CreateCompatibleBitmap, OffsetWindowOrgEx, DeleteDC, SetBkColor, BitBlt, ExtTextOutW, GetTextExtentPointW, 
GetClipBox, GetObjectW, CreateRectRgnIndirect, SetBkMode, CreateFontIndirectW, DeleteObject, GetTextMetricsW, SelectObject, GetDeviceCaps, TranslateCharsetInfo, SetStretchBltMode > KERNEL32.dll: GetSystemDirectoryW, CreateThread, CreateJobObjectW, ExitProcess, SetProcessShutdownParameters, ReleaseMutex, CreateMutexW, SetPriorityClass, GetCurrentProcess, GetStartupInfoW, GetCommandLineW, SetErrorMode, LeaveCriticalSection, EnterCriticalSection, ResetEvent, LoadLibraryExA, CompareFileTime, GetSystemTimeAsFileTime, SetThreadPriority, GetCurrentThreadId, GetThreadPriority, GetCurrentThread, GetUserDefaultLangID, Sleep, GetBinaryTypeW, GetModuleHandleExW, SystemTimeToFileTime, GetLocalTime, GetCurrentProcessId, GetEnvironmentVariableW, UnregisterWait, GlobalGetAtomNameW, GetFileAttributesW, MoveFileW, lstrcmpW, LoadLibraryExW, FindClose, FindNextFileW, FindFirstFileW, lstrcmpiA, SetEvent, AssignProcessToJobObject, GetDateFormatW, GetTimeFormatW, FlushInstructionCache, lstrcpynW, GetSystemWindowsDirectoryW, SetLastError, GetProcessHeap, HeapFree, HeapReAlloc, HeapSize, HeapAlloc, GetUserDefaultLCID, ReadProcessMemory, OpenProcess, InterlockedCompareExchange, LoadLibraryA, QueryPerformanceCounter, UnhandledExceptionFilter, SetUnhandledExceptionFilter, VirtualFree, VirtualAlloc, ResumeThread, TerminateProcess, TerminateThread, GetSystemDefaultLCID, GetLocaleInfoW, CreateEventW, GetLastError, RegisterWaitForSingleObject, OpenEventW, WaitForSingleObject, GetTickCount, ExpandEnvironmentStringsW, GetModuleFileNameW, GetPrivateProfileStringW, lstrcmpiW, CreateProcessW, FreeLibrary, GetWindowsDirectoryW, LocalAlloc, CreateFileW, DeviceIoControl, LocalFree, GetQueuedCompletionStatus, CreateIoCompletionPort, SetInformationJobObject, CloseHandle, LoadLibraryW, GetModuleHandleW, ActivateActCtx, DeactivateActCtx, DelayLoadFailureHook, GetProcAddress, DeleteCriticalSection, CreateEventA, HeapDestroy, InitializeCriticalSection, GetFileAttributesExW, MulDiv, lstrlenW, 
InterlockedDecrement, InterlockedIncrement, GlobalAlloc, InterlockedExchange, GetModuleHandleA, GetVersionExA, GlobalFree, GetProcessTimes, lstrcpyW, GetLongPathNameW, InitializeCriticalSectionAndSpinCount > msvcrt.dll: _itow, free, memmove, realloc, _except_handler3, malloc, _ftol, _vsnwprintf > ntdll.dll: RtlNtStatusToDosError, NtQueryInformationProcess > ole32.dll: CoFreeUnusedLibraries, RegisterDragDrop, CreateBindCtx, RevokeDragDrop, CoInitializeEx, CoUninitialize, OleInitialize, CoRevokeClassObject, CoRegisterClassObject, CoMarshalInterThreadInterfaceInStream, CoCreateInstance, OleUninitialize, DoDragDrop > OLEAUT32.dll: -, - > SHDOCVW.dll: -, -, - > SHELL32.dll: -, SHGetFolderPathW, -, -, -, -, -, ExtractIconExW, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, ShellExecuteExW, -, -, -, -, -, -, -, SHBindToParent, -, -, -, SHParseDisplayName, -, -, -, -, -, -, SHGetSpecialFolderLocation, -, -, -, -, SHGetSpecialFolderPathW, -, -, -, -, -, SHChangeNotify, SHGetDesktopFolder, SHAddToRecentDocs, -, -, -, DuplicateIcon, -, -, -, -, -, -, -, -, SHUpdateRecycleBinIcon, SHGetFolderLocation, SHGetPathFromIDListA, -, -, -, -, -, -, -, SHGetPathFromIDListW, -, -, - > SHLWAPI.dll: StrCpyNW, -, -, -, -, StrRetToBufW, StrRetToStrW, -, -, -, -, SHQueryValueExW, PathIsNetworkPathW, -, AssocCreate, -, -, -, -, -, StrCatW, StrCpyW, -, -, -, -, -, -, -, SHGetValueW, -, StrCmpNIW, PathRemoveBlanksW, PathRemoveArgsW, PathFindFileNameW, StrStrIW, PathGetArgsW, -, StrToIntW, SHRegGetBoolUSValueW, SHRegWriteUSValueW, SHRegCloseUSKey, SHRegCreateUSKeyW, SHRegGetUSValueW, SHSetValueW, -, PathAppendW, PathUnquoteSpacesW, -, -, PathQuoteSpacesW, -, SHSetThreadRef, SHCreateThreadRef, -, -, -, PathCombineW, -, -, -, SHStrDupW, PathIsPrefixW, PathParseIconLocationW, AssocQueryKeyW, -, AssocQueryStringW, StrCmpW, -, -, -, -, -, -, -, -, SHRegQueryUSValueW, SHRegOpenUSKeyW, SHRegSetUSValueW, PathIsDirectoryW, PathFileExistsW, PathGetDriveNumberW, -, StrChrW, PathFindExtensionW, -, -, 
PathRemoveFileSpecW, PathStripToRootW, -, -, -, SHOpenRegStream2W, -, -, -, StrDupW, SHDeleteValueW, StrCatBuffW, SHDeleteKeyW, StrCmpIW, -, -, wnsprintfW, -, StrCmpNW, -, - > USER32.dll: TileWindows, GetDoubleClickTime, GetSystemMetrics, GetSysColorBrush, AllowSetForegroundWindow, LoadMenuW, GetSubMenu, RemoveMenu, SetParent, GetMessagePos, CheckDlgButton, EnableWindow, GetDlgItemInt, SetDlgItemInt, CopyIcon, AdjustWindowRectEx, DrawFocusRect, DrawEdge, ExitWindowsEx, WindowFromPoint, SetRect, AppendMenuW, LoadAcceleratorsW, LoadBitmapW, SendNotifyMessageW, SetWindowPlacement, CheckMenuItem, EndDialog, SendDlgItemMessageW, MessageBeep, GetActiveWindow, PostQuitMessage, MoveWindow, GetDlgItem, RemovePropW, GetClassNameW, GetDCEx, SetCursorPos, ChildWindowFromPoint, ChangeDisplaySettingsW, RegisterHotKey, UnregisterHotKey, SetCursor, SendMessageTimeoutW, GetWindowPlacement, LoadImageW, SetWindowRgn, IntersectRect, OffsetRect, EnumDisplayMonitors, RedrawWindow, SubtractRect, TranslateAcceleratorW, WaitMessage, InflateRect, CallWindowProcW, GetDlgCtrlID, SetCapture, LockSetForegroundWindow, CopyRect, SystemParametersInfoW, FindWindowW, CreatePopupMenu, GetMenuDefaultItem, DestroyMenu, GetShellWindow, EnumChildWindows, GetWindowLongW, SendMessageW, RegisterWindowMessageW, GetKeyState, MonitorFromRect, MonitorFromPoint, RegisterClassW, SetPropW, GetWindowLongA, SetWindowLongW, FillRect, GetCursorPos, PtInRect, MessageBoxW, LoadStringW, ReleaseDC, GetDC, EnumDisplaySettingsExW, EnumDisplayDevicesW, PostMessageW, DispatchMessageW, TranslateMessage, GetMessageW, PeekMessageW, BeginPaint, EndPaint, SetWindowTextW, GetAsyncKeyState, InvalidateRect, GetWindow, ShowWindowAsync, TrackPopupMenuEx, UpdateWindow, DestroyIcon, IsRectEmpty, SetActiveWindow, GetSysColor, DrawTextW, IsHungAppWindow, SetTimer, GetMenuItemID, TrackPopupMenu, EndTask, SendMessageCallbackW, GetClassLongW, LoadIconW, OpenInputDesktop, CloseDesktop, SetScrollPos, ShowWindow, BringWindowToTop, 
GetDesktopWindow, CascadeWindows, CharUpperBuffW, SwitchToThisWindow, InternalGetWindowText, GetScrollInfo, GetMenuItemCount, ModifyMenuW, CreateWindowExW, DialogBoxParamW, MsgWaitForMultipleObjects, CharNextA, RegisterClipboardFormatW, EndDeferWindowPos, DeferWindowPos, BeginDeferWindowPos, PrintWindow, SetClassLongW, GetPropW, GetNextDlgGroupItem, GetNextDlgTabItem, ChildWindowFromPointEx, IsChild, NotifyWinEvent, TrackMouseEvent, GetCapture, GetAncestor, CharUpperW, SetWindowLongA, DrawCaption, InsertMenuW, IsWindowEnabled, GetMenuState, LoadCursorW, GetParent, IsDlgButtonChecked, DestroyWindow, EnumWindows, IsWindowVisible, GetClientRect, UnionRect, EqualRect, GetWindowThreadProcessId, GetForegroundWindow, KillTimer, GetClassInfoExW, DefWindowProcW, RegisterClassExW, GetIconInfo, SetScrollInfo, GetLastActivePopup, SetForegroundWindow, IsWindow, GetSystemMenu, IsIconic, IsZoomed, EnableMenuItem, SetMenuDefaultItem, MonitorFromWindow, GetMonitorInfoW, GetWindowInfo, GetFocus, SetFocus, MapWindowPoints, ScreenToClient, ClientToScreen, GetWindowRect, SetWindowPos, DeleteMenu, GetMenuItemInfoW, SetMenuItemInfoW, CharNextW > UxTheme.dll: GetThemeBackgroundContentRect, GetThemeBool, GetThemePartSize, DrawThemeParentBackground, OpenThemeData, DrawThemeBackground, GetThemeTextExtent, DrawThemeText, CloseThemeData, SetWindowTheme, GetThemeBackgroundRegion, -, GetThemeMargins, GetThemeColor, GetThemeFont, GetThemeRect, IsAppThemed ---------------------------------------------------------------------- Antivirus Version Last Update Result AhnLab-V3 2008.6.13.1 2008.06.13 - AntiVir 7.8.0.55 2008.06.14 - Authentium 5.1.0.4 2008.06.14 - Avast 4.8.1195.0 2008.06.14 - AVG 7.5.0.516 2008.06.14 - BitDefender 7.2 2008.06.14 - CAT-QuickHeal 9.50 2008.06.14 - ClamAV 0.92.1 2008.06.14 - DrWeb 4.44.0.09170 2008.06.14 - eSafe 7.0.15.0 2008.06.12 - eTrust-Vet 31.6.5873 2008.06.14 - Ewido 4.0 2008.06.14 - F-Prot 4.4.4.56 2008.06.12 - F-Secure 6.70.13260.0 2008.06.14 - Fortinet 3.14.0.0 
2008.06.14 - GData 2.0.7306.1023 2008.06.14 - Ikarus T3.1.1.26.0 2008.06.14 - Kaspersky 7.0.0.125 2008.06.14 - McAfee 5317 2008.06.13 - Microsoft 1.3604 2008.06.14 - NOD32v2 3186 2008.06.13 - Norman 5.80.02 2008.06.13 - Panda 9.0.0.4 2008.06.14 - Prevx1 V2 2008.06.14 - Rising 20.48.52.00 2008.06.14 - Sophos 4.30.0 2008.06.14 - Sunbelt 3.0.1145.1 2008.06.05 - Symantec 10 2008.06.14 - TheHacker 6.2.92.350 2008.06.14 - VBA32 3.12.6.7 2008.06.14 - VirusBuster 4.3.26:9 2008.06.12 - Webwasher-Gateway 6.6.2 2008.06.14 - Additional information File size: 360064 bytes MD5...: 90caff4b094573449a0872a0f919b178 SHA1..: 01c29459e70719163d78add6b7098b8550292824 SHA256: 1fa27d86ab46b211af665c24aa11e86511d179319cece0bcbf87026da853b1ad SHA512: 16a838a7d846f0c8df5ba3800be5001aab0e6b0516583dd2cec1696c55cda157 1cc8afe1787e07cfe94d6c49d969cda67c6636b6608be7025bbfb5d52416e188 PEiD..: - PEInfo: PE Structure information ( base data ) entrypointaddress.: 0x61516 timedatestamp.....: 0x472767f4 (Tue Oct 30 17:20:52 2007) machinetype.......: 0x14c (I386) ( 10 sections ) name viradd virsiz rawdsiz ntrpy md5 .text 0x380 0x3ec36 0x3ec80 6.59 bf3727cc30fc9381405d704fc48cf298 .rdata 0x3f000 0x57c 0x580 4.44 8e59e52de3e5dbcbceb5a3ef5f649f6e .data 0x3f580 0xa4a4 0xa500 0.06 b9a573e33adfdced8dd26084f4c34980 PAGE 0x49a80 0x1f2b 0x1f80 6.39 62835585c6d5d5460c7937ca9a24a666 PAGELK 0x4ba00 0x6f2 0x700 6.23 b006a6a497bb9c46495fbf448e59f7d0 PAGEIPMc 0x4c100 0x2781 0x2800 6.43 f388ecb2e9459286d1f285da46acd63e .edata 0x4e900 0x341 0x380 5.22 8712af1a96dac3a5cc93d8600aeab255 INIT 0x4ec80 0x5836 0x5880 6.21 d418f2ad2c8c445226ca75e45cb62f48 .rsrc 0x54500 0x3f0 0x400 3.41 f7e220f2cc645366d35917b1d898d5a1 .reloc 0x54900 0x3554 0x3580 6.80 70106385f23ac6f4e01fd4b1e2558fad ( 4 imports ) > HAL.dll: KfLowerIrql, KeRaiseIrqlToDpcLevel, KfReleaseSpinLock, KfAcquireSpinLock, KfRaiseIrql, KeGetCurrentIrql, KeQueryPerformanceCounter, ExAcquireFastMutex, ExReleaseFastMutex > NDIS.SYS: NdisCloseAdapter, 
NdisCancelSendPackets, NdisFreePacket, NdisUnchainBufferAtFront, NdisCompletePnPEvent, NdisFreePacketPool, NdisRequest, NdisAllocatePacket, NdisFreeMemory, NdisQueryAdapterInstanceName, NdisGetDriverHandle, NdisOpenAdapter, NdisAllocatePacketPoolEx, NdisGetReceivedPacket, NdisRegisterProtocol, NdisAllocateBuffer, NdisSetPacketPoolProtocolId, NdisReturnPackets, NdisCopyBuffer, NdisAllocateBufferPool, NdisFreeBufferPool, NdisReEnumerateProtocolBindings, NdisCompleteBindAdapter > ntoskrnl.exe: IoCreateDevice, _wcsicmp, wcscpy, wcsncpy, wcschr, ZwSetInformationThread, KeLeaveCriticalRegion, KeEnterCriticalRegion, KeQueryTimeIncrement, KeSetEvent, IoDeleteSymbolicLink, ExDeleteNPagedLookasideList, KeDelayExecutionThread, ZwOpenKey, KeSetTimerEx, KeInitializeTimer, KeInitializeDpc, ExInitializeNPagedLookasideList, MmLockPagableSectionByHandle, ZwQueryValueKey, ZwSetValueKey, InterlockedPopEntrySList, InterlockedPushEntrySList, ExIsProcessorFeaturePresent, RtlAddAccessAllowedAce, RtlCreateAcl, RtlLengthSid, SeExports, RtlMapGenericMask, IoGetFileObjectGenericMapping, ObReleaseObjectSecurity, SeSetSecurityDescriptorInfo, RtlLengthSecurityDescriptor, RtlSetDaclSecurityDescriptor, RtlCreateSecurityDescriptor, ObGetObjectSecurity, IofCallDriver, IoBuildDeviceIoControlRequest, IoGetDeviceObjectPointer, ObfDereferenceObject, RtlAddAce, RtlGetAce, IoCreateSymbolicLink, RtlInitializeSid, RtlLengthRequiredSid, ObSetSecurityObjectByPointer, RtlSelfRelativeToAbsoluteSD, RtlGetSaclSecurityDescriptor, RtlGetGroupSecurityDescriptor, RtlGetOwnerSecurityDescriptor, RtlGetDaclSecurityDescriptor, RtlVerifyVersionInfo, VerSetConditionMask, IoWMIRegistrationControl, IoGetCurrentProcess, KeInitializeTimerEx, RtlExtendedIntegerMultiply, KeQueryInterruptTime, _aulldiv, DbgBreakPoint, KeSetTargetProcessorDpc, RtlSetBit, SeUnlockSubjectContext, SeAccessCheck, SeLockSubjectContext, ObDereferenceSecurityDescriptor, PsGetCurrentProcessId, RtlWalkFrameChain, _aulldvrm, ExNotifyCallback, 
ExCreateCallback, ObReferenceObjectByHandle, MmUnlockPages, SeFreePrivileges, SeAppendPrivileges, ObLogSecurityDescriptor, SeAssignSecurity, IoFileObjectType, MmProbeAndLockPages, IoAllocateMdl, _except_handler3, ProbeForWrite, ObfReferenceObject, PsGetCurrentProcess, RtlPrefetchMemoryNonTemporal, KeInitializeMutex, MmIsThisAnNtAsSystem, KeWaitForSingleObject, KeReleaseMutex, KeReadStateEvent, IoDeleteDevice, ZwEnumerateValueKey, RtlUnicodeStringToInteger, RtlIpv4StringToAddressW, RtlTimeToTimeFields, ExLocalTimeToSystemTime, RtlExtendedMagicDivide, RtlAppendUnicodeToString, ZwClose, _allmul, MmQuerySystemSize, RtlCompareUnicodeString, RtlInitializeBitMap, RtlClearAllBits, RtlSetBits, wcslen, RtlAreBitsSet, RtlClearBits, RtlFindClearBitsAndSet, RtlFindClearRuns, DbgPrint, memmove, RtlCopyUnicodeString, RtlAppendUnicodeStringToString, ZwLoadDriver, KeResetEvent, IoAcquireCancelSpinLock, IoReleaseCancelSpinLock, IofCompleteRequest, ExfInterlockedAddUlong, MmMapLockedPagesSpecifyCache, IoFreeMdl, ExfInterlockedInsertTailList, RtlInitUnicodeString, MmMapLockedPages, KeNumberProcessors, RtlUnicodeStringToAnsiString, MmLockPagableDataSection, MmUnlockPagableImageSection, RtlCompareMemory, ExAllocatePoolWithTag, KeCancelTimer, KeClearEvent, RtlAnsiStringToUnicodeString, IoRaiseInformationalHardError, KeInitializeEvent, ExFreePoolWithTag, ExAllocatePoolWithTagPriority, KeInitializeSpinLock, _alldiv, KeQuerySystemTime, KefAcquireSpinLockAtDpcLevel, KefReleaseSpinLockFromDpcLevel, KeBugCheckEx, RtlSubAuthoritySid, KeTickCount, MmBuildMdlForNonPagedPool, ZwDeviceIoControlFile, ZwCreateFile > TDI.SYS: CTESystemUpTime, CTEBlock, CTELogEvent, CTESignal, CTEBlockWithTracker, CTEStartTimer, CTEInitEvent, CTEScheduleDelayedEvent, CTEInitTimer, TdiProviderReady, CTEInitialize, TdiDeregisterNetAddress, TdiRegisterNetAddress, TdiDeregisterDeviceObject, TdiRegisterDeviceObject, TdiDeregisterProvider, TdiRegisterProvider, TdiPnPPowerRequest, TdiCopyMdlChainToMdlChain, TdiInitialize, 
Notes about this log:
1) "->" denotes an external command being executed, and "-> (number)" indicates the return code from the previous command
2) Not all external command return codes are accurate, or useful
3) Sometimes commands return 0 (no error) even when they fail or crash
4) If an error occurs while registering an object, please send an email to: dial-a-fix@DjLizard.net and include a copy of this log

DAF version: v0.60.0.24

--- System info ---
OS: Microsoft Windows XP Service Pack 2
IE version: 7.0.5730.13
MPC: 76477-OEM
CPU: Intel(R) Pentium(R) 4 CPU 3.00GHz (~2880MHz)
CPU: 2 CPU cores present
BIOS: 8/27/2004
Memory (approx): 1535MB
Uptime: 4 hour(s)
Current directory: C:\Documents and Settings\HP_Owner.AE066C3A9B\Desktop\Dial-a-fix-v0.60.0.24

--- 6/14/2008 3:48:48 PM -- Dial-a-fix : [v0.60.0.24] -- started
3:48:48 PM | Policy scan started
3:48:48 PM | Policy scan ended - no restrictive policies were found

--- SSL/HTTPS/Cryptography ---
3:49:00 PM | Executed 'cmd.exe /c rmdir /q /s C:\WINDOWS\system32\Catroot2'

--- Registration: SSL/HTTPS/Cryptography ---
3:49:05 PM | Unregistered: C:\WINDOWS\system32\cryptdlg.dll
3:49:05 PM | Registered: C:\WINDOWS\system32\cryptdlg.dll
3:49:05 PM | Unregistered: C:\WINDOWS\system32\cryptui.dll
3:49:05 PM | Registered: C:\WINDOWS\system32\cryptui.dll
3:49:05 PM | Unregistered: C:\WINDOWS\system32\cryptext.dll
3:49:05 PM | Registered: C:\WINDOWS\system32\cryptext.dll
3:49:05 PM | Unregistered: C:\WINDOWS\system32\dssenh.dll
3:49:05 PM | Registered: C:\WINDOWS\system32\dssenh.dll
3:49:05 PM | Unregistered: C:\WINDOWS\system32\gpkcsp.dll
3:49:05 PM | Registered: C:\WINDOWS\system32\gpkcsp.dll
3:49:05 PM | Unregistered: C:\WINDOWS\system32\initpki.dll
3:51:44 PM | Error during registration of C:\WINDOWS\system32\initpki.dll - version: 5.131.2600.2180. The error returned is: Access is denied. (5)
3:51:44 PM | Unregistered: C:\WINDOWS\system32\licdll.dll
3:51:44 PM | Registered: C:\WINDOWS\system32\licdll.dll
3:51:44 PM | Unregistered: C:\WINDOWS\system32\mssign32.dll
3:51:44 PM | Registered: C:\WINDOWS\system32\mssign32.dll
3:51:44 PM | Unregistered: C:\WINDOWS\system32\mssip32.dll
3:51:44 PM | Registered: C:\WINDOWS\system32\mssip32.dll
3:51:45 PM | Unregistered: C:\WINDOWS\system32\scardssp.dll
3:51:45 PM | Registered: C:\WINDOWS\system32\scardssp.dll
3:51:45 PM | Unregistered: C:\WINDOWS\system32\sccbase.dll
3:51:45 PM | Registered: C:\WINDOWS\system32\sccbase.dll
3:51:45 PM | Unregistered: C:\WINDOWS\system32\scecli.dll
3:51:46 PM | Registered: C:\WINDOWS\system32\scecli.dll
3:51:46 PM | Unregistered: C:\WINDOWS\system32\softpub.dll
3:51:46 PM | Registered: C:\WINDOWS\system32\softpub.dll
3:51:46 PM | Unregistered: C:\WINDOWS\system32\slbcsp.dll
3:51:46 PM | Registered: C:\WINDOWS\system32\slbcsp.dll
3:51:46 PM | Unregistered: C:\WINDOWS\system32\regwizc.dll
3:51:46 PM | Registered: C:\WINDOWS\system32\regwizc.dll
3:51:46 PM | Unregistered: C:\WINDOWS\system32\rsaenh.dll
3:51:46 PM | Registered: C:\WINDOWS\system32\rsaenh.dll
3:51:46 PM | Unregistered: C:\WINDOWS\system32\winhttp.dll
3:51:46 PM | Registered: C:\WINDOWS\system32\winhttp.dll
3:51:46 PM | Unregistered: C:\WINDOWS\system32\wintrust.dll
3:51:46 PM | Registered: C:\WINDOWS\system32\wintrust.dll

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:58:44 PM, on 6/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\CF17172.exe /c C:\ComboFix\Combobatch.bat
O4 - HKLM\..\RunOnce: [SymLnch] "C:\Documents and Settings\HP_Owner.AE066C3A9B\Application Data\Symantec\Layouts\Norton Internet Security\15.0\SymAllLanguages\NIS_RETAIL\20070826\Support\SymLnch\SymLnch.exe" "C:\Documents and Settings\HP_Owner.AE066C3A9B\Application Data\Symantec\Layouts\Norton Internet Security\15.0\SymAllLanguages\NIS_RETAIL\20070826\Setup.exe" "/REALUPREBOOT /temp /patched"
O4 - HKLM\..\RunOnce: [combofix] C:\WINDOWS\system32\CF17172.exe /c C:\ComboFix\\Combobatch.bat
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com.ezproxy.lrc.m.../ebraryRdr.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/.../GAME_UNO1.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 7218 bytes
#10
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
Join Date: Oct 2007
Location: Georgia
Posts: 8,678
OS: XP SP3
Re: Possible Malware Issue
Hello kiranaus.
Quote:
Are you logging in the same way you usually do? Did you successfully delete those three files listed for deletion above? Please do the following:
Please download ATF-Cleaner by Atribune and Save it to your Desktop. This program is for XP and Windows 2000 only.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
------------------------------------------------------
Download ResetProtocolDefaults.reg >> http://www.mvps.org/winhelp2002/Rese...olDefaults.reg and Save it to your Desktop. It should look like this:
Double-click on ResetProtocolDefaults.reg and choose Yes to merge/add it to the registry. You may delete the file afterwards.
Please restart your computer.
------------------------------------------------------
Try fixing those entries in HijackThis just as before:
Open HijackThis and click on 'Do a System Scan Only'.
Check the following entries if they still exist: (Make sure you do not miss any)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
Please remember to close all other windows, including browsers, then click Fix checked.
Click Scan and then Save log and post the HijackThis log in your next reply.
------------------------------------------------------
Please post the following in your next reply:
Dial-a-fix log
new HijackThis log
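As an added illustration (not part of the thread, of HijackThis, or of the mvps.org fix), the script below parses O15 ProtocolDefaults lines like the ones in this post, flags remote schemes that have been mapped to the My Computer zone, and renders the .reg fragment that would put them back; the ZoneMap registry path and the zone numbering are the standard Internet Explorer ones and are assumed here rather than taken from the thread.

```python
"""Added example, not from the thread or from HijackThis: check the O15
ProtocolDefaults entries in a HijackThis log and build a .reg reset file."""
import re

# Internet Explorer URL security zone ids as stored under ZoneMap.
# Names as HijackThis prints them; 2 and 4 are the remaining standard zones.
ZONE_IDS = {
    "My Computer": 0,
    "Intranet": 1,
    "Trusted": 2,
    "Internet": 3,
    "Restricted": 4,
}

# Per-user key holding the scheme-to-zone defaults (assumed: the standard
# IE ZoneMap location that a ResetProtocolDefaults-style .reg file rewrites).
PROTOCOL_DEFAULTS_KEY = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
    r"\Internet Settings\ZoneMap\ProtocolDefaults"
)

O15_RE = re.compile(
    r"^O15 - ProtocolDefaults: '(?P<proto>[^']+)' protocol is in "
    r"(?P<current>.+?) Zone, should be (?P<expected>.+?) Zone$"
)

# Constructed sample: the five O15 lines from the log in this thread plus an
# unrelated O4 entry that the parser must ignore.
SAMPLE_LOG = [
    r"O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe",
    "O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone",
    "O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone",
    "O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone",
    "O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone",
    "O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone",
]


def parse_o15(lines):
    """Return (protocol, current_zone_id, expected_zone_id) for each O15 line."""
    findings = []
    for line in lines:
        m = O15_RE.match(line.strip())
        if not m:
            continue  # not an O15 entry
        findings.append((m["proto"], ZONE_IDS[m["current"]], ZONE_IDS[m["expected"]]))
    return findings


def remote_schemes_in_my_computer_zone(findings):
    """Protocols that belong in the Internet zone (3) but default to
    My Computer (0). Zone 0 carries the most permissive settings, so
    content fetched over these schemes would be treated like local files."""
    return [proto for proto, cur, exp in findings if cur == 0 and exp == 3]


def build_reset_reg(findings):
    """Render a Regedit 5 file that writes each protocol's expected zone id,
    the same shape as the ResetProtocolDefaults.reg fix linked above."""
    out = ["Windows Registry Editor Version 5.00", "", f"[{PROTOCOL_DEFAULTS_KEY}]"]
    for proto, _cur, exp in findings:
        out.append(f'"{proto}"=dword:{exp:08x}')
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    found = parse_o15(SAMPLE_LOG)
    for proto, cur, exp in found:
        print(f"{proto:6s} zone {cur} -> should be {exp}")
    print("remote schemes in My Computer zone:",
          remote_schemes_in_my_computer_zone(found))
    print(build_reset_reg(found))
```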
#11
Registered User
Join Date: Jun 2008
Posts: 26
OS: xp sp2
Re: Possible Malware Issue
The three files you suggested for deletion were removed earlier.
I always log onto HP_Owner.AE066C3A9B/Mike, and I believe that only this user account is exhibiting these problems, simply by a lack of any negative feedback from other users. Every so often when I log off or switch users the password I type in doesn't work despite it being the correct one. All of the accounts require a password. Looking at the net user description for this account even now, it says 'No' under password required -.- Once again, this seems more of an issue for another thread.
Back to your suggestions: the same error occurred under Dial-a-fix as before, even after repairing permissions.
Quote:
Once again, HijackThis items remain after "fixing". Logs are as follows:
---------------------------------------------------------------------------------------------------------------------------------------
Notes about this log:
1) "->" denotes an external command being executed, and "-> (number)" indicates the return code from the previous command
2) Not all external command return codes are accurate, or useful
3) Sometimes commands return 0 (no error) even when they fail or crash
4) If an error occurs while registering an object, please send an email to: dial-a-fix@DjLizard.net and include a copy of this log

DAF version: v0.60.0.24

--- System info ---
OS: Microsoft Windows XP Service Pack 2
IE version: 7.0.5730.13
MPC: 76477-OEM
CPU: Intel(R) Pentium(R) 4 CPU 3.00GHz (~2920MHz)
CPU: 2 CPU cores present
BIOS: 8/27/2004
Memory (approx): 1535MB
Uptime: 8 hour(s)
Current directory: C:\Documents and Settings\HP_Owner.AE066C3A9B\Desktop\Dial-a-fix-v0.60.0.24

--- 6/16/2008 6:35:37 PM -- Dial-a-fix : [v0.60.0.24] -- started
6:35:37 PM | Policy scan started
6:35:37 PM | Policy scan ended - no restrictive policies were found

--- Repair permissions ---

--- SSL/HTTPS/Cryptography ---
6:53:17 PM | Executed 'cmd.exe /c rmdir /q /s C:\WINDOWS\system32\Catroot2'

--- Registration: SSL/HTTPS/Cryptography ---
6:53:21 PM | Unregistered: C:\WINDOWS\system32\cryptdlg.dll
6:53:21 PM | Registered: C:\WINDOWS\system32\cryptdlg.dll
6:53:21 PM | Unregistered: C:\WINDOWS\system32\cryptui.dll
6:53:21 PM | Registered: C:\WINDOWS\system32\cryptui.dll
6:53:22 PM | Unregistered: C:\WINDOWS\system32\cryptext.dll
6:53:22 PM | Registered: C:\WINDOWS\system32\cryptext.dll
6:53:22 PM | Unregistered: C:\WINDOWS\system32\dssenh.dll
6:53:22 PM | Registered: C:\WINDOWS\system32\dssenh.dll
6:53:22 PM | Unregistered: C:\WINDOWS\system32\gpkcsp.dll
6:53:22 PM | Registered: C:\WINDOWS\system32\gpkcsp.dll
6:53:22 PM | Unregistered: C:\WINDOWS\system32\initpki.dll
6:53:45 PM | Error during registration of C:\WINDOWS\system32\initpki.dll - version: 5.131.2600.2180. The error returned is: Access is denied. (5)
6:53:46 PM | Unregistered: C:\WINDOWS\system32\licdll.dll
6:53:46 PM | Registered: C:\WINDOWS\system32\licdll.dll
6:53:46 PM | Unregistered: C:\WINDOWS\system32\mssign32.dll
6:53:46 PM | Registered: C:\WINDOWS\system32\mssign32.dll
6:53:46 PM | Unregistered: C:\WINDOWS\system32\mssip32.dll
6:53:46 PM | Registered: C:\WINDOWS\system32\mssip32.dll
6:53:47 PM | Unregistered: C:\WINDOWS\system32\scardssp.dll
6:53:47 PM | Registered: C:\WINDOWS\system32\scardssp.dll
6:53:47 PM | Unregistered: C:\WINDOWS\system32\sccbase.dll
6:53:47 PM | Registered: C:\WINDOWS\system32\sccbase.dll
6:53:47 PM | Unregistered: C:\WINDOWS\system32\scecli.dll
6:53:47 PM | Registered: C:\WINDOWS\system32\scecli.dll
6:53:47 PM | Unregistered: C:\WINDOWS\system32\softpub.dll
6:53:47 PM | Registered: C:\WINDOWS\system32\softpub.dll
6:53:47 PM | Unregistered: C:\WINDOWS\system32\slbcsp.dll
6:53:47 PM | Registered: C:\WINDOWS\system32\slbcsp.dll
6:53:47 PM | Unregistered: C:\WINDOWS\system32\regwizc.dll
6:53:47 PM | Registered: C:\WINDOWS\system32\regwizc.dll
6:53:47 PM | Unregistered: C:\WINDOWS\system32\rsaenh.dll
6:53:48 PM | Registered: C:\WINDOWS\system32\rsaenh.dll
6:53:48 PM | Unregistered: C:\WINDOWS\system32\winhttp.dll
6:53:48 PM | Registered: C:\WINDOWS\system32\winhttp.dll
6:53:48 PM | Unregistered: C:\WINDOWS\system32\wintrust.dll
6:53:48 PM | Registered: C:\WINDOWS\system32\wintrust.dll

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:58:21 PM, on 6/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\CF17172.exe /c C:\ComboFix\Combobatch.bat
O4 - HKLM\..\RunOnce: [SymLnch] "C:\Documents and Settings\HP_Owner.AE066C3A9B\Application Data\Symantec\Layouts\Norton Internet Security\15.0\SymAllLanguages\NIS_RETAIL\20070826\Support\SymLnch\SymLnch.exe" "C:\Documents and Settings\HP_Owner.AE066C3A9B\Application Data\Symantec\Layouts\Norton Internet Security\15.0\SymAllLanguages\NIS_RETAIL\20070826\Setup.exe" "/REALUPREBOOT /temp /patched"
O4 - HKUS\S-1-5-21-2331652603-1797162650-1282392798-1011\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Natalia')
O4 - HKUS\S-1-5-21-2331652603-1797162650-1282392798-1011\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background (User 'Natalia')
O4 - HKUS\S-1-5-21-2331652603-1797162650-1282392798-1011\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (User 'Natalia')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com.ezproxy.lrc.m.../ebraryRdr.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/.../GAME_UNO1.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
-- End of file - 7715 bytes

Last edited by kiranaus; 06-16-2008 at 06:14 PM.
#12
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
Join Date: Oct 2007
Location: Georgia
Posts: 8,678
OS: XP SP3
Re: Possible Malware Issue
Hello kiranaus.
Quote:
------------------------------------------------------
Let's try another approach. Have you tried System Restore? This may or may not fix all of your issues.
Go to Start > All Programs > Accessories > System Tools > System Restore and choose to Restore my computer to an earlier time. Pick a date that is previous to when your known problems started.
Report back with how that went and an update on system behavior.
#13
Registered User
Join Date: Jun 2008
Posts: 26
OS: xp sp2
Re: Possible Malware Issue
I can't recall precisely what happened when these problems first started. The utility shows that I did a system restore on the 6th at approximately 2:13pm.
That time, as well as today (I attempted to roll back to June 1 and then May 26 as suggested), I never got a confirmation that the restore worked, or that the restore did not work. System performance has not been altered.
#14
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
Join Date: Oct 2007
Location: Georgia
Posts: 8,678
OS: XP SP3
Re: Possible Malware Issue
Did you get a System Restore box that said Restoring settings? Did it restart your computer? You should have gotten a Restoration Complete box where you had to click OK. How far does it get?
#16
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
Join Date: Oct 2007
Location: Georgia
Posts: 8,678
OS: XP SP3
Re: Possible Malware Issue
Hello kiranaus. Your logs are clean but you have several corrupted system files.
I can and will continue to try to fix your system, but it will take several more rounds of fixes and I cannot guarantee success. Would you like me to continue or explore other options? Please let us know.
#17
Registered User
Join Date: Jun 2008
Posts: 26
OS: xp sp2
Re: Possible Malware Issue
I value your expertise so by all means continue, please.
Besides, if the issue was easily fixed, I wouldn't be here. I'll stand by your advice for as long as it takes.
Last edited by kiranaus; 06-17-2008 at 07:18 PM.
#18
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
Join Date: Oct 2007
Location: Georgia
Posts: 8,678
OS: XP SP3
Re: Possible Malware Issue
Please download the following file and save it to your desktop.
http://download.bleepingcomputer.com...ofile-Peek.exe
Double-click on it to run it. It shall produce a log. Please post the log in your next reply.
#19
Registered User
Join Date: Jun 2008
Posts: 26
OS: xp sp2
Re: Possible Malware Issue
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\profilelist\S-1-5-21-2331652603-1797162650-1282392798-1009
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\HP_Owner.AE066C3A9B
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\profilelist\S-1-5-21-2331652603-1797162650-1282392798-1010
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\Mom and Dad.AE066C3A9B
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\profilelist\S-1-5-21-2331652603-1797162650-1282392798-1011
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\Natalia.AE066C3A9B
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\profilelist\S-1-5-21-2331652603-1797162650-1282392798-500
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\Administrator.AE066C3A9B
Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP370\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1009 -c-ha-w 2,883,584 2008-04-12 03:59:29 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP370\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1010 -c-ha-w 4,194,304 2008-04-11 03:43:19 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP370\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1011 -c-ha-w 1,048,576 2007-09-09 18:41:58 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP370\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-500 -c--a-w 5,554,176 2008-04-13 09:00:52 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP371\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1009 -c-ha-w 2,883,584 2008-04-13 01:50:55 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP371\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1010 -c-ha-w 4,194,304 2008-04-12 23:01:19 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP371\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1011 -c-ha-w 1,048,576 2007-09-09 18:41:58 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP371\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-500 -c-ha-w 5,767,168 2008-04-13 19:15:21 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP372\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1009 -c-ha-w 2,883,584 2008-04-14 04:47:41 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP372\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1010 -c--a-w 3,952,640 2008-04-14 09:00:58 C:\System Volume 
Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP372\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1011 -c-ha-w 1,048,576 2007-09-09 18:41:58 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP372\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-500 -c--a-w 5,554,176 2008-04-15 05:56:46 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP373\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1009 -c--a-w 2,891,776 2008-04-15 05:56:46 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP373\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1010 -c--a-w 3,952,640 2008-04-15 05:56:47 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP373\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1011 -c-ha-w 1,048,576 2007-09-09 18:41:58 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP373\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-500 -c--a-w 5,554,176 2008-04-15 09:03:04 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP374\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1009 -c--a-w 2,891,776 2008-04-15 09:03:04 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP374\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1010 -c--a-w 3,952,640 2008-04-15 09:03:05 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP374\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1011 -c-ha-w 1,048,576 2007-09-09 18:41:58 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP374\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-500 -c--a-w 5,554,176 2008-04-16 09:00:54 C:\System Volume 
Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP375\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1009 -c-ha-w 3,145,728 2008-04-16 04:29:57 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP375\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1010 -c--a-w 3,952,640 2008-04-16 09:00:55 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP375\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1011 -c-ha-w 1,048,576 2007-09-09 18:41:58 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP375\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-500 -c--a-w 5,554,176 2008-04-17 09:01:23 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP376\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1009 -c-ha-w 3,145,728 2008-04-17 04:09:46 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP376\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1010 -c--a-w 3,952,640 2008-04-17 09:01:26 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP376\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1011 -c-ha-w 1,048,576 2007-09-09 18:41:58 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP376\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-500 -c--a-w 5,554,176 2008-04-18 09:00:51 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP377\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1009 -c-ha-w 3,145,728 2008-04-18 04:05:54 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP377\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1010 -c--a-w 3,952,640 2008-04-18 09:00:52 C:\System Volume 
Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP377\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1011 -c-ha-w 1,048,576 2007-09-09 18:41:58 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP377\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-500 -c--a-w 5,554,176 2008-04-19 09:00:52 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP378\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1009 -c-ha-w 2,883,584 2008-04-19 04:08:04 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP378\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1010 -c--a-w 3,952,640 2008-04-19 09:00:52 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP378\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1011 -c-ha-w 1,048,576 2007-09-09 18:41:58 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP378\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-500 -c--a-w 5,554,176 2008-04-20 09:00:52 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP379\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1009 -c-ha-w 2,883,584 2008-04-20 04:18:08 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP379\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1010 -c--a-w 3,952,640 2008-04-20 09:00:53 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP379\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1011 -c-ha-w 1,048,576 2007-09-09 18:41:58 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP379\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-500 -c--a-w 5,554,176 2008-04-21 09:00:51 C:\System Volume 
Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP380\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1009 -c-ha-w 2,883,584 2008-04-21 03:34:57 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP380\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1010 -c--a-w 3,952,640 2008-04-21 09:00:52 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP380\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1011 -c-ha-w 1,048,576 2007-09-09 18:41:58 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP380\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-500 -c--a-w 5,554,176 2008-04-22 09:00:54 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP381\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1009 -c-ha-w 3,145,728 2008-04-22 02:03:04 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP381\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1010 -c--a-w 3,952,640 2008-04-22 09:00:55 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP381\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1011 -c-ha-w 1,048,576 2007-09-09 18:41:58 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP381\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-500 -c--a-w 5,554,176 2008-04-23 09:00:51 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP382\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1009 -c-ha-w 3,145,728 2008-04-23 03:39:07 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP382\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1010 -c--a-w 3,952,640 2008-04-23 09:00:52 C:\System Volume 
Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP382\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1011 -c-ha-w 1,048,576 2007-09-09 18:41:58 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP382\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-500 -c--a-w 5,554,176 2008-04-24 09:00:59 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP383\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1009 -c-ha-w 3,145,728 2008-04-24 03:36:46 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP383\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1010 -c-ha-w 4,194,304 2008-04-16 18:26:30 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP383\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1011 -c-ha-w 1,048,576 2007-09-09 18:41:58 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP383\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-500 -c--a-w 5,554,176 2008-04-25 09:00:57 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP384\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1009 -c-ha-w 3,145,728 2008-04-25 02:01:18 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP384\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1010 -c-ha-w 4,194,304 2008-04-25 06:30:01 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP384\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1011 -c-ha-w 1,048,576 2007-09-09 18:41:58 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP384\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-500 -c--a-w 5,554,176 2008-04-26 09:00:53 C:\System Volume 
Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP385\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1009 -c-ha-w 3,145,728 2008-04-26 05:36:27 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP385\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1010 -c--a-w 3,952,640 2008-04-26 09:00:53 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP385\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1011 -c-ha-w 1,048,576 2007-09-09 18:41:58 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP385\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-500 -c--a-w 5,554,176 2008-04-27 09:00:52 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP386\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1009 -c-ha-w 3,145,728 2008-04-27 05:02:54 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP386\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1010 -c-ha-w 4,194,304 2008-04-27 00:35:24 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP386\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1011 -c-ha-w 1,048,576 2007-09-09 18:41:58 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP386\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-500 -c--a-w 5,554,176 2008-04-28 09:00:52 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP387\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1009 -c-ha-w 3,145,728 2008-04-28 02:42:40 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP387\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1010 -c-ha-w 4,194,304 2008-04-28 08:07:53 C:\System Volume 
Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP387\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1011 -c-ha-w 1,048,576 2007-09-09 18:41:58 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP387\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-500 -c--a-w 5,554,176 2008-04-29 09:00:56 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP388\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1009 -c-ha-w 3,145,728 2008-04-29 03:13:45 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP388\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1010 -c-ha-w 4,194,304 2008-04-28 21:35:18 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP388\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1011 -c-ha-w 1,048,576 2007-09-09 18:41:58 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP388\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-500 -c--a-w 5,554,176 2008-04-30 09:00:55 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP389\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1009 -c-ha-w 3,145,728 2008-04-29 03:13:45 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP389\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1010 -c-ha-w 4,194,304 2008-04-30 07:30:02 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP389\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1011 -c-ha-w 1,048,576 2007-09-09 18:41:58 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP389\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-500 -c--a-w 5,554,176 2008-05-01 09:00:53 C:\System Volume 
Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP390\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1009 -c-ha-w 3,145,728 2008-04-30 19:11:29 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP390\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1010 -c-ha-w 4,194,304 2008-05-01 07:38:23 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP390\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1011 -c-ha-w 1,048,576 2007-09-09 18:41:58 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP390\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-500 -c--a-w 5,554,176 2008-05-02 09:00:54 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP391\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1009 -c-ha-w 3,145,728 2008-04-30 19:11:29 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP391\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1010 -c-ha-w 4,194,304 2008-05-02 06:39:55 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP391\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1011 -c-ha-w 1,048,576 2007-09-09 18:41:58 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP391\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-500 -c--a-w 5,554,176 2008-05-03 09:00:53 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP392\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1009 -c-ha-w 3,145,728 2008-04-30 19:11:29 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP392\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1010 -c-ha-w 4,194,304 2008-05-03 06:04:04 C:\System Volume 
Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP392\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1011 -c-ha-w 1,048,576 2007-09-09 18:41:58 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP392\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-500 -c--a-w 5,554,176 2008-05-04 09:00:52 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP393\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1009 -c-ha-w 3,145,728 2008-04-30 19:11:29 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP393\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1010 -c--a-w 3,952,640 2008-05-04 09:00:53 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP393\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1011 -c-ha-w 1,048,576 2007-09-09 18:41:58 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP393\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-500 -c--a-w 5,554,176 2008-05-05 09:00:52 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP394\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1009 -c-ha-w 3,145,728 2008-05-05 00:27:21 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP394\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1010 -c--a-w 3,952,640 2008-05-05 09:00:53 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP394\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1011 -c-ha-w 1,048,576 2007-09-09 18:41:58 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP394\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-500 -c--a-w 5,554,176 2008-05-06 09:00:52 C:\System Volume 
Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP395\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1009 -c-ha-w 3,145,728 2008-05-05 00:27:21 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP395\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1010 -c--a-w 3,952,640 2008-05-06 09:00:53 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP395\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1011 -c-ha-w 1,048,576 2007-09-09 18:41:58 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP395\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-500 -c--a-w 5,554,176 2008-05-07 09:00:51 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP396\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1009 -c-ha-w 3,145,728 2008-05-07 03:35:27 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP396\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1010 -c--a-w 3,952,640 2008-05-07 09:00:52 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP396\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1011 -c-ha-w 1,048,576 2007-09-09 18:41:58 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP396\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-500 -c--a-w 5,554,176 2008-05-08 09:00:52 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP397\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1009 -c--a-w 2,899,968 2008-05-08 09:00:52 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP397\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1010 -c-ha-w 4,194,304 2008-05-08 05:13:24 C:\System Volume 
Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP397\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1011 -c-ha-w 1,048,576 2007-09-09 18:41:58 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP397\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-500 -c--a-w 5,554,176 2008-05-09 09:00:52 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP398\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1009 -c-ha-w 3,145,728 2008-05-09 03:30:30 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP398\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1010 -c--a-w 3,952,640 2008-05-09 09:00:52 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP398\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1011 -c-ha-w 1,048,576 2007-09-09 18:41:58 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP398\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-500 -c--a-w 5,554,176 2008-05-10 09:00:52 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP399\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1009 -c-ha-w 3,145,728 2008-05-10 04:27:51 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP399\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1010 -c--a-w 3,952,640 2008-05-10 09:00:53 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP399\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1011 -c-ha-w 1,048,576 2007-09-09 18:41:58 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP399\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-500 -c--a-w 5,554,176 2008-05-11 09:00:50 C:\System Volume 
Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP400\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1009 -c-ha-w 3,145,728 2008-05-10 22:46:44 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP400\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1010 -c--a-w 3,952,640 2008-05-11 09:00:51 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP400\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1011 -c-ha-w 1,048,576 2007-09-09 18:41:58 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP400\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-500 -c--a-w 5,554,176 2008-05-12 09:00:56 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP401\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1009 -c-ha-w 3,145,728 2008-05-12 02:04:30 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP401\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1010 -c--a-w 3,952,640 2008-05-12 09:00:56 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP401\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1011 -c-ha-w 1,048,576 2007-09-09 18:41:58 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP401\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-500 -c--a-w 5,554,176 2008-05-13 06:10:28 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP402\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1009 -c-ha-w 3,145,728 2008-05-13 01:10:11 C:\System Volume Information\_restore{E7B21304-9105-4D9D-AFAC-E7088FDCC6A0}\RP402\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2331652603-1797162650-1282392798-1010 -c--a-w 3,952,640 2008-05-13 06:10:28 C:\System Volume 
Entries: 424 (141) Directories: 0 Files: 424 Bytes: 1,303,908,352 Blocks: 2,546,696
#20
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
Join Date: Oct 2007
Location: Georgia
Posts: 8,678
OS: XP SP3
Re: Possible Malware Issue
Hello kiranaus.
Uninstall Spybot - Search & Destroy via Add or Remove Programs in your Control Panel. It is outdated. Restart your computer.

------------------------------------------------------

Delete all instances of combofix.exe from your computer.

------------------------------------------------------

Download Combofix and Save it to your Desktop.

**Note: It is important that it is saved directly to your desktop**

------------------------------------------------------

Close any open browsers.

Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix. Get help here

------------------------------------------------------

Open Notepad and copy/paste all the text in the quotebox below into Notepad:

Quote:

Referring to the picture above, drag CFScript into ComboFix.exe

Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

When finished, it shall produce a log for you. Please post that log, ComboFix.txt, in your next reply.

Note: Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.

------------------------------------------------------

Please double-click on UserProfile-Peek.exe to run it and post the log it produces in your next reply.

Last edited by sUBs; 06-18-2008 at 08:51 PM.