Author Topic: TDL4@MBR..the day I upgraded to Avast pro 5

dellsux

  • Guest
TDL4@MBR..the day I upgraded to Avast pro 5
« on: March 26, 2011, 05:07:48 AM »
Good evening, I ran GMER and found the TDL4@MBR rootkit under value, and under name it was "\Device/harddisk0\DR0". My laptop uses Win XP Pro, bought in 2009, Inspiron 1545, Core 2 Duo processor, 260 GB. I am posting on my emergency laptop.

The bad part was that there was NO option to Kill OR DELETE FILE, which I found strange. Ran MBYTES, AVAST in safe mode, quick search, nothing found. TDSSkiller under both safe and windows mode, nothing was found. On the day I upgraded from version 4.8 to pro for avast, this happens...thanks for reading. Any help would be greatly appreciated.

I forgot to add, I can't even update. It reads "fail to connect to server" when avast pops up that window on the bottom right telling me to update..
« Last Edit: March 26, 2011, 06:12:47 AM by dellsux »

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: TDL4@MBR..the day I upgraded to Avast pro 5
« Reply #1 on: March 26, 2011, 08:03:00 AM »
Hi...

Please download MBRCheck.exe to your desktop.
  • Be sure to disable your security programs
  • Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt)
  • A small window should open on your desktop
  • If an unknown bootcode is found you will have further options available to you; at this time press N, then press Enter twice.
  • If nothing unusual is found just press Enter
  • A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop. Please post the contents of that file.

SafeSurf

  • Guest
Re: TDL4@MBR..the day I upgraded to Avast pro 5
« Reply #2 on: March 26, 2011, 09:38:52 AM »
bump
« Last Edit: March 26, 2011, 09:58:30 AM by SafeSurf »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: TDL4@MBR..the day I upgraded to Avast pro 5
« Reply #3 on: March 26, 2011, 01:26:03 PM »
aswMBR would be a simpler solution

Download aswMBR.exe ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start scan

dellsux

  • Guest
Re: TDL4@MBR..the day I upgraded to Avast pro 5
« Reply #4 on: March 27, 2011, 12:19:52 AM »
To magna and essexboy, I used essexboy's aswMBR.exe and this was found:

aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-03-26 16:16:43
-----------------------------
16:16:43.484    OS Version: Windows 5.1.2600 Service Pack 3
16:16:43.484    Number of processors: 2 586 0x170A
16:16:43.484    ComputerName:   UserName: lov
16:16:44.390    Initialize success
16:16:57.531    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\iaStor0
16:16:57.531    Disk 0 Vendor: WDC_WD25 11.0 Size: 238475MB BusType: 3
16:16:57.531    Device \Device\Ide\IAAStorageDevice-1 -> \??\IDE#DiskWDC_WD2500BEVT-75ZCT2___________________11.01A11#4&3c2934d&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found
16:16:57.562    Disk 0 MBR read successfully
16:16:57.562    Disk 0 MBR scan
16:16:57.578    Disk 0 TDL4@MBR code has been found
16:16:57.578    Disk 0 MBR hidden
16:16:57.578    Disk 0 MBR [TDL4]  **ROOTKIT**
16:16:57.578    Disk 0 trace - called modules:
16:16:57.578    ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8ae1f439]<<
16:16:57.578    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8adb0ab8]
16:16:57.578    3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> [0x8adff4b8]
16:16:57.578    \Driver\iaStor[0x8adae458] -> IRP_MJ_CREATE -> 0x8ae1f439
16:16:57.578    Scan finished successfully

As instructed, I shut down my avast 5 temporarily...
« Last Edit: March 27, 2011, 12:35:39 AM by dellsux »

dellsux

  • Guest
Re: TDL4@MBR..the day I upgraded to Avast pro 5
« Reply #5 on: March 27, 2011, 12:21:56 AM »
Am I supposed to press FIX? or just hand you the log details when I got the results?
****

UPDATE: I have 2 laptops, I used the old TDSSKILLER version 2.4.0, and downloaded the 2.4.7 version and apparently (I think) it worked...it found the TDL4 rootkit, fast forward to reboot, and it's "not there"

Here is the aswMBR.exe results AFTER THE TDL4 was rid by TDSSKILLER (I don't have any Google mis-directions so far)..

aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-03-26 16:33:21
-----------------------------
16:33:21.031    OS Version: Windows 5.1.2600 Service Pack 3
16:33:21.031    Number of processors: 2 586 0x170A
16:33:21.031    ComputerName: ********  UserName: lov
16:33:21.734    Initialize success
16:33:24.687    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
16:33:24.687    Disk 0 Vendor: WDC_WD25 11.0 Size: 238475MB BusType: 3
16:33:24.750    Disk 0 MBR read successfully
16:33:24.750    Disk 0 MBR scan
16:33:24.796    Disk 0 scanning sectors +488392065
16:33:24.828    Disk 0 scanning C:\WINDOWS\system32\drivers
16:33:29.312    Service scanning
16:33:30.468    Disk 0 trace - called modules:
16:33:30.515    ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
16:33:30.515    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8ae75ab8]
16:33:30.515    3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x8a851028]
16:33:30.515    Scan finished successfully

NOW HERE'S THE GMER RESULTS as well..

GMER 1.0.15.15570 - http://www.gmer.net
Rootkit quick scan 2011-03-26 16:41:56
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD25 rev.11.0
Running: bfjz7yhz.exe; Driver: C:\DOCUME~1\lov\LOCALS~1\Temp\uwdyapod.sys


---- System - GMER 1.0.15 ----

SSDT            \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwEnumerateKey [0x99FCFED6]
SSDT            \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwEnumerateValueKey [0x99FCFD41]

Code            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ZwCreateProcessEx [0x9A00FBAE]
Code            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ObInsertObject
Code            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ObMakeTemporaryObject

---- Devices - GMER 1.0.15 ----

Device          \FileSystem\Ntfs \Ntfs                                                                 aswSP.SYS (avast! self protection module/AVAST Software)

AttachedDevice  \FileSystem\Ntfs \Ntfs                                                                 aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
AttachedDevice  \Driver\Tcpip \Device\Ip                                                               aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice  \Driver\Tcpip \Device\Tcp                                                              aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice  \Driver\Tcpip \Device\Udp                                                              aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice  \Driver\Tcpip \Device\RawIp                                                            aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

---- EOF - GMER 1.0.15 ----

....what am I looking at? Thanks
« Last Edit: March 27, 2011, 12:44:00 AM by dellsux »
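The two aswMBR logs above (the infected run and the run after TDSSKiller) are what the helpers in this thread read; this added Python triage script, not part of the thread or of any AVAST tool, pulls the same indicators out of aswMBR output: the MBR signature line, the hidden-MBR and ROOTKIT flags, and a driver trace whose iaStor IRP_MJ_CREATE dispatch points at an address aswMBR cannot attribute to a loaded module. The log excerpts embedded in it are constructed from the lines posted above.

```python
import re

# Constructed excerpts modelled on the two aswMBR logs posted in this thread:
# the first from the infected run, the second after TDSSKiller removed TDL4.
INFECTED_LOG = r"""16:16:57.562    Disk 0 MBR read successfully
16:16:57.562    Disk 0 MBR scan
16:16:57.578    Disk 0 TDL4@MBR code has been found
16:16:57.578    Disk 0 MBR hidden
16:16:57.578    Disk 0 MBR [TDL4]  **ROOTKIT**
16:16:57.578    Disk 0 trace - called modules:
16:16:57.578    ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8ae1f439]<<
16:16:57.578    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8adb0ab8]
16:16:57.578    \Driver\iaStor[0x8adae458] -> IRP_MJ_CREATE -> 0x8ae1f439
16:16:57.578    Scan finished successfully"""

CLEAN_LOG = r"""16:33:24.750    Disk 0 MBR read successfully
16:33:24.750    Disk 0 MBR scan
16:33:30.468    Disk 0 trace - called modules:
16:33:30.515    ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
16:33:30.515    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8ae75ab8]
16:33:30.515    Scan finished successfully"""

# Every aswMBR line starts with an hh:mm:ss.mmm timestamp; the rest is the message.
LINE_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d{3}\s+(.*)$")
SIGNATURE_RE = re.compile(r"Disk \d+ (\S+) code has been found")
# Module in the disk call chain that aswMBR could not attribute to any loaded driver image.
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<")
# A driver's IRP dispatch entry and the address it currently points at.
DISPATCH_RE = re.compile(r"\\Driver\\(\w+)\[0x[0-9a-fA-F]+\] -> (IRP_MJ_\w+) -> (0x[0-9a-fA-F]+)")

def triage_aswmbr(log_text):
    """Extract the MBR verdict and driver-trace anomalies from one aswMBR log."""
    findings = {"mbr_code": None, "mbr_hidden": False, "rootkit": False,
                "unknown_modules": [], "hooked_dispatch": []}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group(1).strip()
        sig = SIGNATURE_RE.search(msg)
        if sig:
            findings["mbr_code"] = sig.group(1)
        if msg.endswith("MBR hidden"):
            findings["mbr_hidden"] = True
        if "**ROOTKIT**" in msg:
            findings["rootkit"] = True
        findings["unknown_modules"].extend(UNKNOWN_RE.findall(msg))
        d = DISPATCH_RE.search(msg)
        if d:
            findings["hooked_dispatch"].append((d.group(1), d.group(2), d.group(3)))
    return findings

def verdict(findings):
    """Turn the findings into a verdict plus the reasons, so every flag is explainable."""
    reasons = []
    if findings["mbr_code"]:
        reasons.append("MBR matched scanner signature " + findings["mbr_code"])
    if findings["mbr_hidden"]:
        reasons.append("scanner reports the MBR as hidden")
    if findings["rootkit"]:
        reasons.append("scanner flagged the MBR as **ROOTKIT**")
    for addr in findings["unknown_modules"]:
        reasons.append("disk call chain enters code outside any loaded module at " + addr)
    for drv, irp, target in findings["hooked_dispatch"]:
        # Dispatch target equal to the unattributed address is the hook itself (iaStor -> not iaStor.sys).
        if target in findings["unknown_modules"]:
            reasons.append(drv + " " + irp + " dispatch redirected to unlisted code at " + target)
    return ("INFECTED" if reasons else "CLEAN", reasons)
```

Running verdict(triage_aswmbr(...)) on the first excerpt yields INFECTED with five reasons, on the second CLEAN with none, which is the before/after comparison the thread makes by eye.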

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37527
  • Not a avast user
Re: TDL4@MBR..the day I upgraded to Avast pro 5
« Reply #6 on: March 27, 2011, 12:37:01 AM »
Quote
16:16:57.578    Disk 0 TDL4@MBR code has been found
16:16:57.578    Disk 0 MBR hidden
16:16:57.578    Disk 0 MBR [TDL4]  **ROOTKIT**
Scan click "FIX" and reboot, then do a new scan, click "save log" and post it
« Last Edit: March 27, 2011, 12:42:40 AM by Pondus »

dellsux

  • Guest
Re: TDL4@MBR..the day I upgraded to Avast pro 5
« Reply #7 on: March 27, 2011, 12:47:09 AM »
Quote
16:16:57.578    Disk 0 TDL4@MBR code has been found
16:16:57.578    Disk 0 MBR hidden
16:16:57.578    Disk 0 MBR [TDL4]  **ROOTKIT**
Scan click "FIX" and reboot, then do a new scan, click "save log" and post it

Pondus...thank you, the results I updated on the post before yours....what am I looking at? Thank you. I don't know what this techie stuff is; that's why I'm here.

I tried updating my virus definitions but "cannot connect to server" is still the same, but one problem at a time I guess

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37527
  • Not a avast user
Re: TDL4@MBR..the day I upgraded to Avast pro 5
« Reply #8 on: March 27, 2011, 12:50:57 AM »
the new aswMBR log you posted looks clean

now do this

Follow this guide from our expert malware remover Essexboy
http://forum.avast.com/index.php?topic=53253.0
(post the logs here in this topic and not in the guide)

To avoid using multiple posts with copy and paste you have to attach the logs

Lower left corner: Additional Options > Attach ( Malwarebytes log / OTS log )

Essexboy will look at the logs when he is back tomorrow

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: TDL4@MBR..the day I upgraded to Avast pro 5
« Reply #9 on: March 27, 2011, 01:04:12 AM »
@dellsux
If you wish...
Download DDS and save it to your Desktop from here:
http://download.bleepingcomputer.com/sUBs/dds.scr

Double click dds.scr to run the tool.

    * When done, DDS will open two (2) logs:
         1. DDS.txt
         2. Attach.txt

Save both reports to your desktop. Attach DDS.txt back to topic.

dellsux

  • Guest
Re: TDL4@MBR..the day I upgraded to Avast pro 5
« Reply #10 on: March 27, 2011, 01:21:23 AM »
Ok I did the MBAM thing and the OTS thing as per your instructions..

MBAM:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6179

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/26/2011 5:05:24 PM
mbam-log-2011-03-26 (17-05-24).txt

Scan type: Quick scan
Objects scanned: 152826
Time elapsed: 3 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
dellsux

  • Guest
Re: TDL4@MBR..the day I upgraded to Avast pro 5
« Reply #11 on: March 27, 2011, 01:32:41 AM »
Pondus...the OTS results are more than 10,000 characters so I can't post the results...is there a way to post them?

dellsux

  • Guest
Re: TDL4@MBR..the day I upgraded to Avast pro 5
« Reply #12 on: March 27, 2011, 01:35:23 AM »
To MAGNA86, here are the results for the DDS thingy..
*****
DDS (Ver_11-03-05.01) - NTFSx86  
Run by lov at 17:25:17.48 on Sat 03/26/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3032.2401 [GMT -7:00]
.
AV: avast! Antivirus *Enabled/Outdated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
c:\drivers\audio\r215959\STacSV.exe
svchost.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\DellTPad\Apoint.exe
C:\WINDOWS\system32\AESTFltr.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Dell DataSafe Online\DataSafeOnline.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\lov\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTor.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTor.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTor.dll
TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10l_Plugin.exe -update plugin
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Dell DataSafe Online] "c:\program files\dell datasafe online\DataSafeOnline.exe" /m
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

...1ST HALF OF THE DDS RESULTS...

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76037
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: TDL4@MBR..the day I upgraded to Avast pro 5
« Reply #13 on: March 27, 2011, 01:35:33 AM »
Quote
Pondus...the OTS results are more than 10,000 characters so I can't post the results...is there a way to post them?

Use the attach function. ;)

dellsux

  • Guest
Re: TDL4@MBR..the day I upgraded to Avast pro 5
« Reply #14 on: March 27, 2011, 01:35:58 AM »
...2ND HALF OF THE DDS REPORT..

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\lov\applic~1\mozilla\firefox\profiles\0naa42n2.default\
FF - component: c:\documents and settings\lov\application data\mozilla\firefox\profiles\0naa42n2.default\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}\components\RadioWMPCoreGecko19.dll
FF - component: c:\documents and settings\lov\application data\mozilla\firefox\profiles\0naa42n2.default\extensions\engine@conduit.com\components\RadioWMPCoreGecko19.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: uTorrentBar Community Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - %profile%\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}
FF - Ext: Conduit Engine : engine@conduit.com - %profile%\extensions\engine@conduit.com
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-3-25 340048]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-7-26 165584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-7-26 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2011-3-25 40384]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-11-11 363344]
R2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32coinst,serviceStartProc --> RUNDLL32.EXE ykx32coinst,serviceStartProc [?]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2009-8-1 113024]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2011-3-25 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2011-3-25 40384]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-11-11 20952]
R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RTS5121.sys [2009-8-1 160256]
S3 AMBFilt;Creative AMB Service;c:\windows\system32\drivers\AMBFilt.sys [2009-8-1 1656960]
.
=============== Created Last 30 ================
.
2011-03-26 02:31:20   --------   d-sha-r-   C:\cmdcons
2011-03-26 02:28:52   98816   ----a-w-   c:\windows\sed.exe
2011-03-26 02:28:52   89088   ----a-w-   c:\windows\MBR.exe
2011-03-26 02:28:52   256512   ----a-w-   c:\windows\PEV.exe
2011-03-26 02:28:52   161792   ----a-w-   c:\windows\SWREG.exe
2011-03-26 00:18:53   340048   ----a-w-   c:\windows\system32\drivers\aswSnx.sys
2011-03-26 00:18:39   38848   ----a-w-   c:\windows\avastSS.scr
2011-03-26 00:18:20   --------   d-----w-   c:\docume~1\alluse~1\applic~1\Alwil Software
2011-03-25 15:04:51   0   ----a-w-   c:\windows\Ofifowohone.bin
2011-03-20 20:48:45   --------   d-----w-   c:\docume~1\alluse~1\applic~1\oDmIfDmImHe05200
2011-03-12 19:28:40   103864   ----a-w-   c:\program files\mozilla firefox\plugins\nppdf32.dll
2011-03-09 23:40:38   --------   d-----w-   c:\windows\system32\wbem\repository\FS
2011-03-09 23:40:38   --------   d-----w-   c:\windows\system32\wbem\Repository
2011-03-03 07:05:03   --------   d-----w-   c:\docume~1\lov\applic~1\PCDr
.
==================== Find3M  ====================
.
2011-02-09 13:53:52   270848   ----a-w-   c:\windows\system32\sbe.dll
2011-02-09 13:53:52   186880   ----a-w-   c:\windows\system32\encdec.dll
2011-02-03 04:40:23   472808   ----a-w-   c:\windows\system32\deployJava1.dll
2011-02-03 02:19:39   73728   ----a-w-   c:\windows\system32\javacpl.cpl
2011-02-02 07:58:35   2067456   ----a-w-   c:\windows\system32\mstscax.dll
2011-01-27 11:57:06   677888   ----a-w-   c:\windows\system32\mstsc.exe
2011-01-21 14:44:37   439296   ----a-w-   c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02   290048   ----a-w-   c:\windows\system32\atmfd.dll
2010-12-31 13:14:45   1864064   ----a-w-   c:\windows\system32\win32k.sys
.
============= FINISH: 17:31:13.76 ===============