Author Topic: PowerKord 's vundo  (Read 54590 times)

0 Members and 1 Guest are viewing this topic.

PowerKord

  • Guest
Re: PowerKord 's vundo
« Reply #90 on: January 29, 2008, 02:40:11 AM »
Well take a look at my capture--at least one of those detections listed is a bona fide virus: Win32:trojan-gen.

BTW, my system just rebooted for some reason.

I'm scanning again now with Avast. I was going to try the Kaspersky online scanner, but you have to enable ActiveX to do it!

After Avast detected those for the first time, I moved them to the chest, but I think it detected them again after that. This new scan will confirm that, or not. The listings in my capture aren't Avast detecting viruses in its own chest, right?

This is unbelievable. F*cking Home Keylogger!

----------------------

I tried to do a system restore, to move back to before I acquired this latest virus. But the restore failed!

Now, the space on my C drive is essentiallly gone!

Before I tried the Restore I ran cleanup, since Avast detected one or more instances of a virus in one or more temp files.

What is going on here, and what do I do? Below is a new HJT log.

HELP!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:28:40 AM, on 1/29/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\LTSMMSG.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\WINDOWS\System32\tp4serv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\WINDOWS\System32\RunDll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\HyperSnap 6\HprSnap6.exe
C:\Program Files\mozilla.org\SeaMonkey\seamonkey.exe
C:\WINDOWS\system32\cleanmgr.exe
C:\WINDOWS\explorer.exe
E:\Files That Change Infrequently\Software Backups\Hijack This\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://messageofhope.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.integrity.com:80
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKLM\..\Run: [trackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [ACDSee] C:\Program Files\ACD Systems\ACDSee\9.0\ACDSee9.exe /tray
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: HyperSnap 6.lnk = C:\Program Files\HyperSnap 6\HprSnap6.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1201498085982
O17 - HKLM\System\CCS\Services\Tcpip\..\{622850C9-2536-4A0E-9F3D-49149C1237F8}: NameServer = 64.136.173.5 64.136.164.77
O17 - HKLM\System\CCS\Services\Tcpip\..\{D14F581C-AD5C-4482-9892-2D28DEA465B2}: NameServer = 69.57.146.14,69.57.147.175
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: DM1Service - OLYMPUS Corporation - C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE

--
End of file - 5295 bytes
« Last Edit: January 29, 2008, 06:30:23 AM by PowerKord »

1975maggie

  • Guest
Re: PowerKord 's vundo
« Reply #91 on: January 29, 2008, 06:50:10 AM »
Hi

One thing to remember about system restore, is that it is not a drive image. It is only a protion of the registry and files. SR may or may not change the things you are trying to change.

Did you try submitting any of the files avast detected to virustotal? Just because avast says they are infected, doesn't mean they are. Especially in the case of a keylogger. Looking at the avast log only says what avast detects it as. Other avs probably have a different name, if they even detect it.

Because of the below, some avs don't detect commercial keyloggers.

Keyloggers are usually detected as tools and because of the stealth methods they use. Afterall that is their purpose. As mentioned they can be used for good or evil. A legitamate keylogger is different from a trojan that has keylogging ability, though their operating methods are the same.

My suggestion is extract one or more files from the avast chest to a temp location and submit them and see what other avs detect. You may find either no detection or a tool detection.

If it turns out to be a truely infected file, then at least you will know what it is.

Nothing in the log jumps out, except old java.

 Kaspersky , go ahead and do it, you can reset the active x after you do the scan and befor you leave their site.


PowerKord

  • Guest
Re: PowerKord 's vundo
« Reply #92 on: January 29, 2008, 07:47:58 AM »
Maggie, Hi,

...a temp location like where?

Would a folder on my desktop do it?

Thx.

vince

1975maggie

  • Guest
Re: PowerKord 's vundo
« Reply #93 on: January 29, 2008, 07:56:37 AM »
Yes, just create a folder on your desktop, easy to find and remember.  :)

Use right click, extract when you move the file(s)

PowerKord

  • Guest
Re: PowerKord 's vundo
« Reply #94 on: January 29, 2008, 09:02:08 AM »
Maggies, after uploading the files, how do I safely delete them from the folder I just created?

VT seems conflicted about these two files. Some scanners flag them as malware and high-risk; others do not.

PowerKord

  • Guest
Re: PowerKord 's vundo
« Reply #95 on: January 29, 2008, 09:11:46 AM »
Ok, the plot is thickening considerably; Avast just detected Win32:Agent-PSG.

And SuperAntiSpyware has detected, so far, three trojans (including a Vundo), a rootkit, and 224 adware cookies.

essexboy? oldman? essexboy? oldman?

HELP !!!

(Don't get me wrong, Maggie, I very much appreciate your help, as well.)

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33980
  • malware fighter
Re: PowerKord 's vundo
« Reply #96 on: January 29, 2008, 12:32:18 PM »
Hi PowerKord,

If you have previously downloaded ComboFix,please delete that version now.
Warning
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of an expert,NOT for private use.
Using this tool incorrectly could render your system/pc inoperable.

Now download Combofix http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe by sUBs and save to your desktop.
Alternative Combofix download link HERE.
Note
It is important that it is saved directly to your desktop
Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.
Do NOT post the ComboFix-quarantined-files.txt unless I ask.
Note
In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix,please disable your scanner and redownload Combofix again.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.

Also post a new Hijackthis log please.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: PowerKord 's vundo
« Reply #97 on: January 29, 2008, 09:15:11 PM »
There was nothing apparent in your log, and as previously stated a keylogger can be good or bad there is no way of knowing for sure from an AV's point of view.  As for the rootkit that may be related to your keylogger as they work at low level so as to be undetectable.  The Vundo files/registry entries, this is dependant on the location,,, are they orphan registry entries/files.  Cookies you will allways get when you connect to the internet, you cannot avoid them..    Win32:Agent-PSG. this is a keylogger, the one you downloaded ?

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: PowerKord 's vundo
« Reply #98 on: January 29, 2008, 09:17:28 PM »
Ooops forgot..  Spywareblaster is passive it just prevents certain registry entries being made, it has no warning or alert facility

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33980
  • malware fighter
Re: PowerKord 's vundo
« Reply #99 on: January 29, 2008, 09:26:24 PM »
Hi essexboy,

Let the man download Keyscrambler from here: http://www.qfxsoftware.com/Download.htm and install it.
Whatever he has there or not, keyscrambler will prevent his keystrokes to be watched by a third party or in a browser. Never had any trouble using it,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

PowerKord

  • Guest
Re: PowerKord 's vundo
« Reply #100 on: January 29, 2008, 09:27:29 PM »
ESSEXBOY

(polonus, see below)

hi. thanks.

THe two files avast flagged are:

win32:trojan-gen
win32:agent-iy

arent these actual virii? the first def seems to be, from what i read.

then later, sas flagged the rootkit, psg, etc. four in all. i removed them all anyway.

i thought a system restore would help. but windows reported that the restore failed, and right after that my C drive was devoid of all memory. about 1.5 gig has coem back after running that 3rd party cleanup,  but i thought i had more mem initially on C.

How did the failed restore cause the memory loss, and how can i get it all back?

ive had windows cleanup running now for like, maybe 8 or 10 hours. it just sits there saying calculating, scanning to compress old files. is this thing working? maybe it is but taking so long bec my drive is 18 gb full?

i ran that 3rd party cleanup and it cleared a bunch of files. i deleted ie temp files and cookies.  i also now have comodo firewall running.

i then tried to install 007 keylogger, no reports on download.com of malware in it, but the install was missing a file and failed. now i cant launch the program and thus cant deinstall it. it's not listedin add/remove.

and in all, my system operation has slowed to a crawl.

wtf is going on here? my system was perfect after your help but has now utterly imploded!

POLONUS--

ok, downloading cf

bad time for all this as i need my pc to do medical research for  my dads surgery, 80 yo, tomorrow.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33980
  • malware fighter
Re: PowerKord 's vundo
« Reply #101 on: January 29, 2008, 09:34:54 PM »
Hi Powerkord,

Also test what is on your box with this proggie, kldetector!
http://dewasoft.com/privacy/kldetector.htm

cheers,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33980
  • malware fighter
Re: PowerKord 's vundo
« Reply #102 on: January 29, 2008, 09:40:37 PM »
Hi PowerKord,

007 keylogger is SPYWARE. Get rid of it in the way described below, and follow the instructions to the dot or print them out and put them beside your box to do this meticulously as described, http://www.spywareremove.com/remove007SpySoftware.html (Only use the instructions from this page, do not download anything from there!).

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

PowerKord

  • Guest
Re: PowerKord 's vundo
« Reply #103 on: January 30, 2008, 02:51:13 AM »
Hi, polonus,

I should probably make clear that I installed 007 deliberately, as I'm trying--in vain apparently--to find a small, well-designed, safe, keylogger for text backup in case of crashes. Do you know of one?

I'm going to remove 007, but when you say it's spyware, do you mean it installs malware or something on my system? I know its purpose is to spy on people; I was just trying it because it also happens to have a keylogger function, as I want, and none of the download.com reviewes indicated spyware or malware.

Rather than go through the elaborate removal instructions, what if I just email them, tell them the problem, and see if they have a way for me to remove the program, then I can just do further HJT/CF scans or whatever afterward to see if there are any remnants left.

And yes, this does assume that they'll tell me truth, *and* did not deposit any malware on my system.

Back soon after I run CF, at least.

BTW, I just don't get it. The company that publishes 007 seems completely legit, they charge $40 for the product--isn't that the way they make money? Why would they endanger the reputation of their product by hiding malware in it, assuming they are?

vince
« Last Edit: January 30, 2008, 02:59:50 AM by PowerKord »

PowerKord

  • Guest
Re: PowerKord 's vundo
« Reply #104 on: January 30, 2008, 04:26:58 AM »
ComboFix 08-01-30.1 - Vincent Christopher 2008-01-29 22:04:01.7 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.1.1252.1.1033.18.135 [GMT -5:00]
Running from: C:\Documents and Settings\Vincent Christopher\Desktop\ComboFix.exe
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((   Files Created from 2007-12-28 to 2008-01-30  )))))))))))))))))))))))))))))))
.

2008-01-28 21:56 . 2008-01-28 21:56   <DIR>   d--------   C:\Documents and Settings\Vincent Christopher\Application Data\Comodo
2008-01-28 21:55 . 2008-01-28 21:55   <DIR>   d--------   C:\WINDOWS\system32\bits
2008-01-28 15:46 . 2001-08-17 22:36   112,640   --a------   C:\WINDOWS\system32\dllcache\xrxwiadr.dll
2008-01-28 15:46 . 2001-08-17 22:37   99,865   --a------   C:\WINDOWS\system32\dllcache\xlog.exe
2008-01-28 15:46 . 2001-08-17 22:37   27,648   --a------   C:\WINDOWS\system32\dllcache\xrxftplt.exe
2008-01-28 15:46 . 2001-08-17 22:36   23,040   --a------   C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
2008-01-28 15:46 . 2001-08-17 12:49   18,688   --a------   C:\WINDOWS\system32\dllcache\wvchntxx.sys
2008-01-28 15:46 . 2001-08-17 22:36   17,408   --a------   C:\WINDOWS\system32\dllcache\xrxscnui.dll
2008-01-28 15:46 . 2001-08-17 12:11   16,970   --a------   C:\WINDOWS\system32\dllcache\xem336n5.sys
2008-01-28 15:46 . 2001-08-17 22:37   4,608   --a------   C:\WINDOWS\system32\dllcache\xrxflnch.exe
2008-01-28 15:44 . 2001-08-17 13:28   794,654   --a------   C:\WINDOWS\system32\dllcache\usr1801.sys
2008-01-28 15:43 . 2001-08-17 12:18   285,760   --a------   C:\WINDOWS\system32\dllcache\stlnata.sys
2008-01-28 15:42 . 2001-08-17 22:36   495,616   --a------   C:\WINDOWS\system32\dllcache\sblfx.dll
2008-01-28 15:41 . 2001-08-17 13:28   899,146   --a------   C:\WINDOWS\system32\dllcache\r2mdkxga.sys
2008-01-28 15:40 . 2001-08-17 14:05   351,616   --a------   C:\WINDOWS\system32\dllcache\ovcodek2.sys
2008-01-28 15:39 . 2001-08-18 08:00   1,875,968   --a------   C:\WINDOWS\system32\dllcache\msir3jp.lex
2008-01-28 15:38 . 2001-08-17 13:28   797,500   --a------   C:\WINDOWS\system32\dllcache\ltsmt.sys
2008-01-28 15:37 . 2001-08-18 08:00   1,158,818   --a------   C:\WINDOWS\system32\dllcache\korwbrkr.lex
2008-01-28 15:36 . 2001-08-18 08:00   13,463,552   --a------   C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-01-28 15:35 . 2001-08-18 08:00   10,096,640   --a------   C:\WINDOWS\system32\dllcache\hwxcht.dll
2008-01-28 15:34 . 2001-08-17 13:28   634,134   --a------   C:\WINDOWS\system32\dllcache\el656ct5.sys
2008-01-28 15:33 . 2001-08-17 12:14   952,007   --a------   C:\WINDOWS\system32\dllcache\diwan.sys
2008-01-28 15:32 . 2001-08-18 08:00   1,677,824   --a------   C:\WINDOWS\system32\dllcache\chsbrkr.dll
2008-01-28 15:31 . 2001-08-17 13:28   871,388   --a------   C:\WINDOWS\system32\dllcache\bcmdm.sys
2008-01-28 15:30 . 2001-08-17 13:28   762,780   --a------   C:\WINDOWS\system32\dllcache\3cwmcru.sys
2008-01-28 15:29 . 2001-08-17 14:56   66,048   --a------   C:\WINDOWS\system32\dllcache\s3legacy.dll
2008-01-28 14:13 . 2008-01-28 21:56   <DIR>   d--------   C:\Program Files\SpywareBlaster
2008-01-28 04:52 . 2008-01-28 04:52   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Comodo
2008-01-28 04:48 . 2008-01-28 04:48   <DIR>   d--------   C:\Program Files\Comodo
2008-01-28 01:45 . 2005-02-24 22:35   22,752   --a------   C:\WINDOWS\system32\spupdsvc.exe
2008-01-28 01:44 . 2008-01-28 01:44   <DIR>   d--h-----   C:\WINDOWS\$hf_mig$
2008-01-28 01:15 . 2004-07-01 17:08   331,776   --a------   C:\WINDOWS\system32\winhttp.dll
2008-01-28 01:15 . 2004-07-01 17:08   331,776   --a------   C:\WINDOWS\system32\dllcache\winhttp.dll
2008-01-28 01:15 . 2004-06-30 18:59   158,720   ---------   C:\WINDOWS\system32\xpob2res.dll
2008-01-28 01:15 . 2004-07-01 17:08   17,408   --a------   C:\WINDOWS\system32\qmgrprxy.dll
2008-01-28 01:15 . 2004-07-01 17:08   17,408   --a------   C:\WINDOWS\system32\dllcache\qmgrprxy.dll
2008-01-28 01:15 . 2004-07-01 17:08   7,680   ---------   C:\WINDOWS\system32\dllcache\bitsprx2.dll
2008-01-28 01:15 . 2004-07-01 17:08   7,680   ---------   C:\WINDOWS\system32\bitsprx2.dll
2008-01-28 01:15 . 2004-07-01 17:08   7,168   ---------   C:\WINDOWS\system32\dllcache\bitsprx3.dll
2008-01-28 01:15 . 2004-07-01 17:08   7,168   ---------   C:\WINDOWS\system32\bitsprx3.dll
2008-01-28 00:33 . 2007-07-30 19:19   549,720   --a------   C:\WINDOWS\system32\wuapi.dll
2008-01-28 00:33 . 2007-07-30 19:19   325,976   --a------   C:\WINDOWS\system32\wucltui.dll
2008-01-28 00:33 . 2007-07-30 19:19   216,408   --a------   C:\WINDOWS\system32\wuaucpl.cpl
2008-01-28 00:33 . 2007-07-30 19:19   43,352   --a------   C:\WINDOWS\system32\wups2.dll
2008-01-28 00:33 . 2007-07-30 19:18   34,136   --a------   C:\WINDOWS\system32\wucltui.dll.mui
2008-01-28 00:33 . 2007-07-30 19:18   33,624   --a------   C:\WINDOWS\system32\wups.dll
2008-01-28 00:33 . 2007-07-30 19:19   25,944   --a------   C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-01-28 00:33 . 2007-07-30 19:19   25,944   --a------   C:\WINDOWS\system32\wuapi.dll.mui
2008-01-28 00:33 . 2007-07-30 19:18   20,312   --a------   C:\WINDOWS\system32\wuaueng.dll.mui
2008-01-18 01:51 . 2008-01-18 01:51   <DIR>   d--------   C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-01-18 01:30 . 2008-01-18 01:30   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-18 01:29 . 2008-01-29 00:57   <DIR>   d--------   C:\Program Files\SUPERAntiSpyware
2008-01-18 01:29 . 2008-01-18 01:29   <DIR>   d--------   C:\Documents and Settings\Vincent Christopher\Application Data\SUPERAntiSpyware.com
2008-01-18 01:25 . 2008-01-18 01:25   <DIR>   d--------   C:\Program Files\Common Files\Wise Installation Wizard
2008-01-10 04:28 . 2008-01-10 07:00   189   --a------   C:\WINDOWS\wininit.ini
2008-01-09 22:37 . 2008-01-10 07:26   155,648   --a------   C:\WINDOWS\system32\igfxtray.exe
2008-01-09 22:37 . 2008-01-10 07:26   114,688   --a------   C:\WINDOWS\system32\hkcmd.exe
2007-12-13 15:07 . 2007-12-13 15:07   3,856   --a------   C:\WINDOWS\crmtemp1.dat

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-29 02:56   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-28 06:11   ---------   d-----w   C:\Program Files\NoteTab Pro
2008-01-12 05:48   ---------   d-----w   C:\Program Files\Yahoo!
2007-12-26 16:17   ---------   d-----w   C:\Documents and Settings\Vincent Christopher\Application Data\Aim
2007-12-04 14:56   93,264   ----a-w   C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55   94,544   ----a-w   C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53   23,152   ----a-w   C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51   42,912   ----a-w   C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49   26,624   ----a-w   C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04   837,496   ----a-w   C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54   95,608   ----a-w   C:\WINDOWS\system32\AvastSS.scr
2007-10-19 07:19   118,784   ----a-w   C:\WINDOWS\SeaMonkeyUninstall.exe
2007-10-19 07:19   118,784   ----a-w   C:\WINDOWS\GREUninstall.exe
2007-10-10 21:47   58,728   ----a-w   C:\Documents and Settings\Vincent Christopher\Application Data\GDIPFONTCACHEV1.DAT
2006-03-20 22:17   1,971,010   ----a-w   C:\Documents and Settings\Vincent Christopher\mr_corporation.zip
.