BleepingComputer.com: Conhost, DWM, CSRSS Redirect Trojan

Jump to content

Forum Guidelines

Posted Image Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help


Posted Image Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.


Posted Image DO NOT RUN ComboFix unless requested to.


Posted Image Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.


Posted Image When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.


Posted Image Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.
  • 2 Pages +
  • 1
  • 2
  • You cannot start a new topic
  • This topic is locked

Conhost, DWM, CSRSS Redirect Trojan Virus redirects Google links

#1 User is offline   KazF 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 12
  • Joined: 09-July 11

Posted 10 July 2011 - 11:53 PM

I got this virus after a legit-looking pop-up asked me to update Adobe Flash, then McAffe blocked Conhost.exe as a "risky connection." McAffe deleted some trojans after a full scan but didn't fix it. It keeps blocking Conhost, DWM (and something with a similar name), and CSRSS from connecting to the internet (I know it's a fake Conhost.exe since it's in C:\documents and settings\administrator\application data\microsoft\). I also tried System Restore a few times, but whenever the computer restarted, it would say that it only worked partially, so I guess it failed. I can still access Google if I double click links, but any single click redirects to ads. I also only have internet on the Administrator profile. Please help.
Here is my DDS log:

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_21
Run by Administrator at 18:29:18 on 2011-07-10
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2302.1310 [GMT -4:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Administrator\Application Data\dwm.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k Akamai
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\AOL\1133033090\ee\AOLSoftware.exe
C:\WINDOWS\system32\LVComS.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\OLYMPUS\DeviceDetector\DevDtct2.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\WISPTIS.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
c:\PROGRA~1\mcafee\mpf\mpfalert.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\csrss.exe
C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.dell4me.com/myway
uDefault_Page_URL = hxxp://www.dell4me.com/myway
mStart Page = hxxp://www.xfinity.com/?cid=xfstart_eg_self_main
mSearch Bar = hxxp://server224.smartbotpro.net/7search/?new-hklm
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Connection Wizard,ShellNext = hxxp://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVZOVgtTlNWVkwtTzRCWlEtUUlNQ0wtUVREQ0gtNElKTUg&inst=NzctNjAxOTE3OTU0LUZMMTArMS1YTzEwKzExLUxJQysy&prod=90&ver=10.0.1321
uInternet Settings,ProxyServer = http=127.0.0.1:54323
uWinlogon: Shell=explorer.exe,c:\documents and settings\administrator\application data\dwm.exe
uWindows: Load=c:\docume~1\admini~1\locals~1\temp\csrss.exe
BHO: SOFTWARE - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110601100219.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [TomcatStartup 2.5] c:\program files\hewlett-packard\toolbox\hpbpsttp.exe
mRun: [StorageGuard] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [StatusClient 2.6] c:\program files\hewlett-packard\toolbox\statusclient\StatusClient.exe /auto
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [Omnipage] c:\program files\scansoft\omnipagese\opware32.exe
mRun: [LogitechVideoTray] c:\program files\logitech\video\LogiTray.exe
mRun: [LogitechVideoRepair] c:\program files\logitech\video\ISStart.exe
mRun: [LogitechImageStudioTray] c:\program files\logitech\imagestudio\LogiTray.exe
mRun: [LogitechGalleryRepair] c:\program files\logitech\imagestudio\ISStart.exe
mRun: [IPHSend] c:\program files\common files\aol\iphsend\IPHSend.exe
mRun: [HP Software Update] "c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe"
mRun: [HostManager] c:\program files\common files\aol\1133033090\ee\AOLSoftware.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ddoctorv2] "c:\program files\comcast\desktop doctor\bin\sprtcmd.exe" /P ddoctorv2
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [AdobeCS5ServiceManager] "c:\program files\common files\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbylogin
mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [conhost] c:\documents and settings\administrator\application data\microsoft\conhost.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\device~1.lnk - c:\program files\olympus\devicedetector\DevDtct2.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} - hxxp://apps.corel.com/nos_dl_manager_dev/plugin/IEGetPlugin.ocx
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1104691069187
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,19/mcgdmgr.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 68.87.71.230 68.87.73.246
TCP: Interfaces\{772597DB-8828-4E7C-BA6D-0A7E8F74CD8E} : DhcpNameServer = 68.87.71.230 68.87.73.246
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~1\mcafee\msc\McSnIePl.dll
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\aydoxx7q.default\
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 54323
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\documents and settings\ali\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\progra~1\mcafee\msc\npMcSnFFPl.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60310.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-4-29 459728]
R0 sonyhcb;Sony Digital Imaging Base;c:\windows\system32\drivers\sonyhcb.sys [2005-7-7 6097]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-4-29 89368]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2005-10-10 14336]
R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-4-29 214904]
R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-4-29 214904]
R2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2010-4-29 214904]
R2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-4-29 165000]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-4-29 159832]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-4-29 148520]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-4-29 57432]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-4-29 179248]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2006-12-18 59288]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-4-29 337912]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-4-29 83688]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2011-5-17 15656]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-4-26 38224]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-4-29 83688]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-4-29 85984]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2006-12-18 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2006-12-18 40552]
S3 sonyhcs;Sony Digital Imaging Video;c:\windows\system32\drivers\sonyhcs.sys [2005-7-7 299923]
.
=============== Created Last 30 ================
.
2011-07-10 21:58:29 186368 ----a-w- c:\documents and settings\administrator\application data\microsoft\conhost.exe
2011-07-09 19:54:26 179712 ----a-w- c:\documents and settings\administrator\application data\dwmu.exe
2011-07-09 11:58:35 179712 ----a-w- c:\documents and settings\administrator\application data\dwm.exe
2011-06-29 11:40:19 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
2011-06-29 11:40:18 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
.
==================== Find3M ====================
.
2011-07-08 06:07:54 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-04-30 03:39:18 252080 ----a-w- c:\windows\system32\nvdrsdb0.bin
2011-04-30 03:39:18 1 ----a-w- c:\windows\system32\nvdrssel.bin
2011-04-30 03:39:09 252080 ----a-w- c:\windows\system32\nvdrsdb1.bin
2006-08-27 13:50:26 740719 ----a-w- c:\program files\Setupfull.exe
.
============= FINISH: 18:32:29.62 ===============

Attached File(s)

  • Attached File  attach.txt (18.13K)
    Number of downloads: 2
  • Attached File  ark.txt (70.92K)
    Number of downloads: 2

#2 User is offline   CatByte 

  • Bleepin' curls!
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 7,857
  • Joined: 09-November 08
  • Gender:Not Telling
  • Location:Canada

Posted 13 July 2011 - 02:18 PM

Hi,

Please do the following:

Download ComboFix from either of these locations:
Link 1
Link 2


VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.

As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Posted Image

  • Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
The help you receive here is free. If you wish to show your appreciation, then you may Posted Image
Microsoft MVP - 2010, 2011

#3 User is offline   KazF 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 12
  • Joined: 09-July 11

Posted 14 July 2011 - 08:03 PM

I'm having trouble attaching my log file. Firefox freezes when I click browse, and Explorer came up with a runtime error. The virus started acting different even before I used it--my Google results are fine now, and the windows talking about conhost.exe etc trying to connect came up much less frequently (maybe hitting Block so many times finally did something?). I got internet running on the non-Admin side, however, sometimes I have to go under Tools, Network Settings and check Auto-detect proxy settings to make it work (I think this happens on restart).

My scanner McAffe doesn't have a simple off button, so I disabled the firewall and real-time scanning when I ran Combofix. I got scared when it tried to delete my Windows folder (several programs and functions I'm not familiar with started crashing), so I clicked No when it asked me if I wanted to delete it.

#4 User is offline   KazF 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 12
  • Joined: 09-July 11

Posted 14 July 2011 - 08:04 PM

Attached File  log.txt (13.27K)
Number of downloads: 4

Okay, it's working with Basic uploader in Explorer.

#5 User is offline   CatByte 

  • Bleepin' curls!
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 7,857
  • Joined: 09-November 08
  • Gender:Not Telling
  • Location:Canada

Posted 14 July 2011 - 08:50 PM

Hi

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

script removed


Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"

Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.


CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



NEXT


  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.


Extra Note:If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

This post has been edited by CatByte: 17 July 2011 - 09:23 AM

The help you receive here is free. If you wish to show your appreciation, then you may Posted Image
Microsoft MVP - 2010, 2011

#6 User is offline   KazF 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 12
  • Joined: 09-July 11

Posted 17 July 2011 - 08:40 AM

Here are my new logs.
Attached File  ESETScan.txt (2.73K)
Number of downloads: 4
Attached File  combofixlog.txt (12.88K)
Number of downloads: 3
Attached File  mbam-log-2011-07-16 (10-54-58).txt (1.02K)
Number of downloads: 2

#7 User is offline   CatByte 

  • Bleepin' curls!
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 7,857
  • Joined: 09-November 08
  • Gender:Not Telling
  • Location:Canada

Posted 17 July 2011 - 09:22 AM

Hi,

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

http://www.bleepingcomputer.com/forums/topic408888.html/page__pid__2329704#entry2329704

Collect::
C:\WINDOWS\SYSTEM32\craasjmlin.dll	

DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:51758

FireFox::
FF - ProfilePath - c:\documents and settings\Ali\Application Data\Mozilla\Firefox\Profiles\lfly03lb.default\
FF - prefs.js: network.proxy.http_port - 51758

File::
C:\Documents and Settings\Ali\Application Data\Sun\Java\Deployment\cache\6.0\12\743f084c-786982df	
C:\Documents and Settings\Ali\Application Data\Sun\Java\Deployment\cache\6.0\13\162bb24d-386e6e8a	
C:\Documents and Settings\Ali\Application Data\Sun\Java\Deployment\cache\6.0\14\29cf8d4e-5541d204	
C:\Documents and Settings\Ali\Application Data\Sun\Java\Deployment\cache\6.0\16\4ea56e90-6e3ce04d	
C:\Documents and Settings\Ali\Application Data\Sun\Java\Deployment\cache\6.0\19\6d4ae953-32d3910c	
C:\Documents and Settings\Ali\Application Data\Sun\Java\Deployment\cache\6.0\32\6d287860-77b4c5db	
C:\Documents and Settings\Ali\Application Data\Sun\Java\Deployment\cache\6.0\36\72490024-76b313f0	
C:\Documents and Settings\Ali\Application Data\Sun\Java\Deployment\cache\6.0\42\2ad0976a-5b002e4f	
C:\Documents and Settings\Ali\Application Data\Sun\Java\Deployment\cache\6.0\43\917dd6b-78f8da16	
C:\Documents and Settings\Ali\Application Data\Sun\Java\Deployment\cache\6.0\45\72d1aa6d-4582a6ee	
C:\Documents and Settings\Ali\Application Data\Sun\Java\Deployment\cache\6.0\6\6d829546-201a9ea3	
C:\Documents and Settings\Ali\Application Data\Sun\Java\Deployment\cache\6.0\6\7788bc6-7089668d	
C:\Documents and Settings\Ali\Application Data\Sun\Java\Deployment\cache\6.0\61\20649b3d-4477d8eb


Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"

Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.


CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



NEXT



Visit ADOBEand download the latest version of Acrobat Reader (version X)
Having the latest updates ensures there are no security vulnerabilities in your system.

NEXT

Posted Image Your Java is out of date.
Java™ 6 Update 21 can be updated from the Java control panel Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now.
An update should begin; > follow the prompts.


Clear Java cache

Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup) If you do not see the icon, look to your left and click 'Switch to Classic View'.
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave BOTH Checked
      Applications and Applets
      Trace and Log Files

  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.




NEXT


Please advise how your computer is running now and if there are any outstanding issues
The help you receive here is free. If you wish to show your appreciation, then you may Posted Image
Microsoft MVP - 2010, 2011

#8 User is offline   KazF 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 12
  • Joined: 09-July 11

Posted 19 July 2011 - 01:02 PM

The computer seems okay-- Firefox is no longer giving me that proxy nonsense, although to download the new Adobe Reader I had to switch to Explorer since it froze. Here's the latest log:

ComboFix 10-08-17.02 - Ali 08/17/2010 23:40:29.1.1 - x86
Running from: c:\documents and settings\Ali\Desktop\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Ali\Application Data\{2CF0B992-5EEB-4143-99C0-5297EF71F444}
c:\documents and settings\Ali\Application Data\Dyga
c:\documents and settings\Ali\Application Data\Dyga\egbiy.exe
c:\documents and settings\Ali\Application Data\Ecimg
c:\documents and settings\Ali\Application Data\Ecimg\yqen.exe
c:\documents and settings\Ali\Local Settings\Application Data\Windows Server
c:\documents and settings\Ali\Local Settings\Application Data\Windows Server\flags.ini
c:\documents and settings\Ali\Local Settings\Application Data\Windows Server\uses32.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\LocalService\Local Settings\Application Data\Windows Server
c:\documents and settings\NetworkService\Local Settings\Application Data\Windows Server
C:\feed.txt
c:\program files\Common Files\fqzz
c:\program files\Common Files\fqzz\fqzza.lck
c:\program files\Common Files\fqzz\fqzzd\class-barrel
c:\program files\Common Files\fqzz\fqzzd\vocabulary
c:\program files\Common Files\fqzz\fqzzh
c:\program files\Common Files\fqzz\fqzzl.lck
c:\program files\Common Files\fqzz\fqzzm.lck
c:\program files\Common Files\fqzz\fqzzp.cfg
c:\program files\Common Files\fqzz\fqzzp.lck
c:\program files\CxtPls
c:\windows\system32\GgMmWvut.ini
c:\windows\SYSTEM32\GgMmWvut.ini2
c:\windows\SYSTEM32\hgjjQqru.ini
c:\windows\system32\hgjjQqru.ini2
c:\windows\system32\stlbdist.XML
c:\windows\system32\XHgMmUtv.ini
c:\windows\system32\XHgMmUtv.ini2
G:\autorun.inf

----- BITS: Possible infected sites -----

hxxp://goldencaravela.net
Infected copy of c:\windows\system32\drivers\imapi.sys was found and disinfected
Restored copy from - Kitty had a snack :P
Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\userinit.exe

.
((((((((((((((((((((((((( Files Created from 2010-07-18 to 2010-08-18 )))))))))))))))))))))))))))))))
.

2010-08-18 01:38 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-18 01:38 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-17 21:10 . 2010-08-17 21:10 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-08-17 21:10 . 2010-08-17 21:10 -------- d-----w- c:\documents and settings\Ali\Application Data\SUPERAntiSpyware.com
2010-08-17 21:09 . 2010-08-17 21:10 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-08-17 21:05 . 2010-08-17 21:05 2398955 ----a-w- C:\MGtools.exe
2010-08-17 20:59 . 2010-08-17 21:09 -------- d-----w- C:\Cleaningstuff
2010-08-17 04:53 . 2010-08-17 04:53 -------- d--h--w- c:\windows\system32\GroupPolicy
2010-08-17 04:17 . 2010-08-17 04:27 -------- d-----w- c:\program files\CCleaner
2010-08-17 03:12 . 2010-08-17 03:12 -------- d-----w- c:\program files\Trend Micro
2010-07-31 16:08 . 2010-07-31 16:14 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-07-28 02:51 . 2010-07-28 02:51 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
2010-07-28 02:51 . 2010-07-28 02:51 -------- d-----w- c:\program files\McAfee Security Scan
2010-07-28 02:46 . 2010-07-28 02:46 -------- d-----w- c:\program files\NOS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-18 04:02 . 2003-12-25 22:07 42298 ----a-w- c:\windows\system32\wacom.dat
2010-08-18 02:40 . 2003-11-06 04:02 -------- d-----w- c:\documents and settings\Ali\Application Data\Esymin
2010-08-18 02:27 . 2005-11-04 12:30 -------- d-----w- c:\documents and settings\Ali\Application Data\Cayw
2010-08-18 02:24 . 2009-11-20 19:56 -------- d-----w- c:\documents and settings\Ali\Application Data\Obibhi
2010-08-18 02:24 . 2004-05-06 10:45 -------- d-----w- c:\documents and settings\Ali\Application Data\Ucnye
2010-08-18 01:38 . 2010-06-16 01:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-17 20:38 . 2003-12-25 21:25 -------- d-----w- c:\program files\Common Files\Adobe
2010-08-17 18:54 . 2005-07-11 18:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-08-17 18:54 . 2003-12-06 11:43 -------- d-----w- c:\program files\Viewpoint
2010-08-17 05:05 . 2003-12-25 21:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Kodak
2010-08-17 05:04 . 2005-09-25 20:58 -------- d-----w- c:\documents and settings\Ali\Application Data\Naody
2010-08-17 03:53 . 2003-12-06 11:16 -------- d-----w- c:\program files\Java
2010-08-17 03:39 . 2005-05-15 18:27 -------- d-----w- c:\program files\Ahead
2010-08-17 03:39 . 2005-05-15 18:27 -------- d-----w- c:\program files\Common Files\Ahead
2010-08-17 03:33 . 2003-12-25 21:53 -------- d-----w- c:\program files\Kodak
2010-08-17 02:26 . 2003-12-25 21:31 -------- d-----w- c:\documents and settings\Ali\Application Data\Canon
2010-08-16 14:23 . 2009-02-06 00:50 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-28 02:47 . 2009-08-15 23:33 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-07-17 09:00 . 2010-05-26 01:17 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-01 03:12 . 2008-04-13 03:28 -------- d-----w- c:\program files\Amazon
2010-06-15 21:34 . 2006-05-13 01:51 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-06-15 21:32 . 2008-07-18 18:11 3038 ----a-w- c:\windows\system32\ealregsnapshot1.reg
2010-06-02 08:55 . 2010-06-16 02:43 74072 ----a-w- c:\windows\system32\XAPOFX1_5.dll
2010-06-02 08:55 . 2010-06-16 02:43 527192 ----a-w- c:\windows\system32\XAudio2_7.dll
2010-06-02 08:55 . 2010-06-16 02:43 239960 ----a-w- c:\windows\system32\xactengine3_7.dll
2010-05-26 15:41 . 2010-06-16 02:43 2106216 ----a-w- c:\windows\system32\D3DCompiler_43.dll
2010-05-26 15:41 . 2010-06-16 02:43 1868128 ----a-w- c:\windows\system32\d3dcsx_43.dll
2010-05-26 15:41 . 2010-06-16 02:43 470880 ----a-w- c:\windows\system32\d3dx10_43.dll
2010-05-26 15:41 . 2010-06-16 02:43 248672 ----a-w- c:\windows\system32\d3dx11_43.dll
2010-05-26 15:41 . 2010-06-16 02:43 1998168 ----a-w- c:\windows\system32\D3DX9_43.dll
2008-12-09 16:29 . 2008-12-09 16:29 169232 ----a-w- c:\program files\Spore De-Authorization Tool.exe
2006-08-27 13:50 . 2006-08-27 13:50 740719 ----a-w- c:\program files\Setupfull.exe
2006-06-21 04:40 . 2005-11-24 18:00 5632 --sha-w- c:\program files\Thumbs.db
2010-04-27 21:16 . 2010-05-26 00:43 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-12-18 40368]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-06-25 1193848]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2003-04-24 49152]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-04-24 4616192]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"TomcatStartup 2.5"="c:\program files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-02-12 163840]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-12-19 185896]
"StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 155648]
"StatusClient 2.6"="c:\program files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" [2004-02-11 61440]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2003-08-27 204800]
"Omnipage"="c:\program files\ScanSoft\OmniPageSE\opware32.exe" [2002-06-03 49152]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-06-25 1193848]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2003-08-29 77824]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2003-08-29 188416]
"LogitechImageStudioTray"="c:\program files\Logitech\ImageStudio\LogiTray.exe" [2003-07-03 57344]
"LogitechGalleryRepair"="c:\program files\Logitech\ImageStudio\ISStart.exe" [2003-07-03 155648]
"IPHSend"="c:\program files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 124520]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-01-07 49152]
"HostManager"="c:\program files\Common Files\AOL\1133033090\ee\AOLSoftware.exe" [2006-05-10 50760]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"symPCCheckup"="c:\windows\system32\Adobe\Shockwave 11\symcheckupstub.exe" [2008-11-12 234872]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Device Detector 2.lnk - c:\program files\OLYMPUS\DeviceDetector\DevDtct2.exe [2005-9-26 114688]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
TabUserW.lnk - c:\program files\Wacom\TabUserW.exe [2003-12-25 77824]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2005-3-29 118784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0ntdel.exe mad.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\aol\\1133033090\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\aol\\1133033090\\ee\\aim6.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\SYSTEM32\\dwwin.exe"=
"c:\\WINDOWS\\SYSTEM32\\DRWTSN32.EXE"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE"=
"c:\\WINDOWS\\SYSTEM32\\spoolsv.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=

R0 sonyhcb;Sony Digital Imaging Base;c:\windows\SYSTEM32\DRIVERS\sonyhcb.sys [7/7/2005 9:00 PM 6097]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\SYSTEM32\DRIVERS\mfetdi2k.sys [4/29/2010 8:34 PM 82952]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [4/29/2010 8:33 PM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [4/29/2010 8:33 PM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [4/29/2010 8:36 PM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [4/29/2010 8:34 PM 141792]
R3 cfwids;McAfee Inc. cfwids;c:\windows\SYSTEM32\DRIVERS\cfwids.sys [4/29/2010 8:34 PM 55456]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\SYSTEM32\DRIVERS\mfefirek.sys [4/29/2010 8:34 PM 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\SYSTEM32\DRIVERS\mfendisk.sys [4/29/2010 8:34 PM 88480]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 8:49 AM 227232]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\SYSTEM32\DRIVERS\mfendisk.sys [4/29/2010 8:34 PM 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\SYSTEM32\DRIVERS\mferkdet.sys [4/29/2010 8:34 PM 83496]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [10/10/2005 11:44 PM 14336]
S3 sonyhcs;Sony Digital Imaging Video;c:\windows\SYSTEM32\DRIVERS\sonyhcs.sys [7/7/2005 9:00 PM 299923]

--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-08-18 c:\windows\Tasks\Norton PC Checkup Setup.job
- c:\windows\system32\Adobe\Shockwave 11\symcheckupstub.exe [2008-11-12 03:49]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.comcast.net/
mSearch Bar = hxxp://server224.smartbotpro.net/7search/?new-hklm
mWindow Title = Windows Internet Explorer provided by Comcast
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://my.netzero.net/s/search?r=minisearch
IE: &WordWeb... - c:\windows\wweb32.dll/lookup.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Ali\Application Data\Mozilla\Firefox\Profiles\lfly03lb.default\
FF - plugin: c:\documents and settings\Ali\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\Ali\Application Data\Mozilla\Firefox\Profiles\lfly03lb.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

BHO-{07476AC9-877B-4DCC-8F58-5FCB2DD631D1} - (no file)
BHO-{3D8472AF-B7C9-4171-97CA-FC3DAF29A436} - (no file)
BHO-{407EEEF3-D2CF-41E6-87B3-1FA1CD10ADD2} - (no file)
BHO-{45F3DE6E-5682-4E06-A552-2EE74928780B} - (no file)
BHO-{5BD53257-A4DC-4B7F-80ED-0B11C58DBA57} - (no file)
BHO-{64F00E8D-D783-4DDD-9D76-658D2750CB58} - (no file)
BHO-{68daa555-e5d2-4d0a-a48b-2d5a485a53a5} - (no file)
BHO-{6BD29DEC-7198-4596-91B2-EA116B41FD1F} - (no file)
BHO-{6F97B5EA-8DF4-4617-862B-ED2484C0C344} - (no file)
BHO-{787B0AF7-66F2-4EE5-9591-E174AE803993} - (no file)
BHO-{92F5C07F-AE17-46E8-8339-26C2511768CB} - (no file)
BHO-{9EF64556-660E-4627-9826-4E7A05261710} - (no file)
BHO-{AB693A8E-145D-484C-9DBA-9538E4EA1057} - (no file)
BHO-{AF8680A1-7A44-4F04-A6E7-9D7A538A71BC} - (no file)
BHO-{DDA8798C-4EF6-4203-8566-C5DEF548F7CF} - (no file)
BHO-{DDAED33C-C5EC-4FF9-8EE3-FE3706171BAD} - (no file)
BHO-{F7EF9490-91FF-4C63-A68B-9EFBD59A5827} - (no file)
HKCU-Run-spc_w - c:\program files\NZSearch\nzspc.exe
HKCU-Run-EA Core - c:\program files\Electronic Arts\EADM\Core.exe
HKCU-Run-AdobeBridge - (no file)
HKCU-Run-{5BAB6E26-84AF-7E96-A608-5379263DE69F} - c:\documents and settings\Ali\Application Data\Ecimg\yqen.exe
HKCU-Run-Sonic RecordNow! - (no file)
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
HKLM-Run-NeroFilterCheck - c:\windows\system32\NeroCheck.exe
Notify-vtUkheDU - vtUkheDU.dll
AddRemove-189 - c:\program files\7hp2oa1m\44529184.exe
AddRemove-370 - c:\program files\7hp2oa1m\44529184.exe
AddRemove-719 - c:\program files\7hp2oa1m\44529184.exe
AddRemove-952 - c:\program files\7hp2oa1m\44529184.exe
AddRemove-Cakewalk Media Mixer - c:\progra~1\Cakewalk\MEDIAM~1\UNWISE.EXE
AddRemove-ComcastHSI - c:\program files\support.com\uninstall\chsi_uninstaller.exe
AddRemove-ContextSidebar - c:\program files\ClearSearch\FNuninstaller.EXE
AddRemove-Manga Studio EX 3.0 - c:\program files\e frontier\Manga Studio3 EX\MS_EX3.isu
AddRemove-RonSidebar - c:\program files\ClearSearch\FNuninstaller.EXE
AddRemove-UrlSidebar - c:\program files\ClearSearch\FNuninstaller.EXE
AddRemove-{6c651250-2eb2-11d5-8e33-0050dad72ac2} - c:\program files\NetZero\uninst.exe
AddRemove-{E2883E8F-472F-4fb0-9522-AC9BF37916A7} - c:\program files\NOS\bin\getPlus_Helper_3004.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-18 00:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-458591397-4007700802-1518888132-1007\Software\SecuROM\License information*]
"datasecu"=hex:04,fa,ec,15,b9,3c,ea,e2,75,54,3b,e5,1c,f2,92,68,ff,30,f5,10,ef,
46,b5,28,a6,f1,02,ba,a7,19,40,ef,fe,a9,4a,7e,ee,74,bd,fd,bf,88,41,ed,2a,62,\
"rkeysecu"=hex:cb,bd,f2,61,5a,4e,c6,95,f2,29,8b,82,ba,6b,3d,44

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"NoChange"="1"
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1072)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL

- - - - - - - > 'explorer.exe'(2264)
c:\program files\ScanSoft\OmniPageSE\ophook32.dll
c:\windows\System32\tabhook.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\System32\Tablet.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\BCMSMMSG.exe
c:\windows\system32\LVComS.exe
.
**************************************************************************
.
Completion time: 2010-08-18 00:29:44 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-18 04:29

Pre-Run: 21,080,477,696 bytes free
Post-Run: 23,690,735,616 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - 96856AED283BFD42C3F192A09DD57D4C

#9 User is offline   CatByte 

  • Bleepin' curls!
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 7,857
  • Joined: 09-November 08
  • Gender:Not Telling
  • Location:Canada

Posted 19 July 2011 - 02:06 PM

Hi,

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

Folder::
c:\documents and settings\Ali\Application Data\Esymin
c:\documents and settings\Ali\Application Data\Cayw
c:\documents and settings\Ali\Application Data\Obibhi
c:\documents and settings\Ali\Application Data\Ucnye
c:\documents and settings\Ali\Application Data\Naody

RegLock::
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]


Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"

Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

Posted Image

  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.


CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
The help you receive here is free. If you wish to show your appreciation, then you may Posted Image
Microsoft MVP - 2010, 2011

#10 User is offline   KazF 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 12
  • Joined: 09-July 11

Posted 21 July 2011 - 12:35 PM

At this point, is it safe to email files to people yet? Firefox still freezes on downloads. Should I just reinstall it? Here is the log:

ComboFix 11-07-20.05 - Ali 07/21/2011 4:31.4.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2302.1684 [GMT -4:00]
Running from: c:\documents and settings\Ali\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ali\Desktop\CFScript.txt
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Ali\Application Data\Cayw
c:\documents and settings\Ali\Application Data\Esymin
c:\documents and settings\Ali\Application Data\Esymin\ogtu.abw
c:\documents and settings\Ali\Application Data\Esymin\ogtu.tmp
c:\documents and settings\Ali\Application Data\Naody
c:\documents and settings\Ali\Application Data\Naody\umow.niv
c:\documents and settings\Ali\Application Data\Obibhi
c:\documents and settings\Ali\Application Data\Ucnye
.
---- Previous Run -------
.
c:\documents and settings\Ali\Application Data\Sun\Java\Deployment\cache\6.0\12\743f084c-786982df
c:\documents and settings\Ali\Application Data\Sun\Java\Deployment\cache\6.0\13\162bb24d-386e6e8a
c:\documents and settings\Ali\Application Data\Sun\Java\Deployment\cache\6.0\14\29cf8d4e-5541d204
c:\documents and settings\Ali\Application Data\Sun\Java\Deployment\cache\6.0\16\4ea56e90-6e3ce04d
c:\documents and settings\Ali\Application Data\Sun\Java\Deployment\cache\6.0\19\6d4ae953-32d3910c
c:\documents and settings\Ali\Application Data\Sun\Java\Deployment\cache\6.0\32\6d287860-77b4c5db
c:\documents and settings\Ali\Application Data\Sun\Java\Deployment\cache\6.0\36\72490024-76b313f0
c:\documents and settings\Ali\Application Data\Sun\Java\Deployment\cache\6.0\42\2ad0976a-5b002e4f
c:\documents and settings\Ali\Application Data\Sun\Java\Deployment\cache\6.0\43\917dd6b-78f8da16
c:\documents and settings\Ali\Application Data\Sun\Java\Deployment\cache\6.0\45\72d1aa6d-4582a6ee
c:\documents and settings\Ali\Application Data\Sun\Java\Deployment\cache\6.0\6\6d829546-201a9ea3
c:\documents and settings\Ali\Application Data\Sun\Java\Deployment\cache\6.0\6\7788bc6-7089668d
c:\documents and settings\Ali\Application Data\Sun\Java\Deployment\cache\6.0\61\20649b3d-4477d8eb
c:\windows\SYSTEM32\craasjmlin.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-06-21 to 2011-07-21 )))))))))))))))))))))))))))))))
.
.
2011-07-19 17:58 . 2011-07-19 17:58 -------- d-----w- c:\program files\Common Files\Java
2011-07-19 17:34 . 2011-07-19 17:34 -------- d-----w- c:\documents and settings\Ali\Local Settings\Application Data\Solid State Networks
2011-07-16 14:59 . 2011-07-16 14:59 -------- d-----w- c:\program files\ESET
2011-07-16 13:58 . 2011-07-16 13:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-07-16 13:52 . 2011-07-16 13:52 -------- d-s---w- c:\documents and settings\Administrator\UserData
2011-07-14 01:30 . 2010-06-30 08:27 49904 ----a-r- c:\windows\system32\drivers\BVRPMPR5.SYS
2011-07-14 01:27 . 2011-07-14 01:38 -------- d-----w- C:\Netgear
2011-07-12 19:57 . 2011-07-12 19:57 179 ----a-w- c:\documents and settings\Administrator\Application Data\Microsoft\gb_111400546.bat
2011-07-11 20:38 . 2011-07-11 20:54 -------- d-----w- c:\documents and settings\Administrator\Application Data\gtk-2.0
2011-07-11 20:38 . 2011-07-11 20:38 -------- d-----w- c:\documents and settings\Administrator\.thumbnails
2011-07-11 20:34 . 2011-07-11 21:20 -------- d-----w- c:\documents and settings\Administrator\.gimp-2.6
2011-07-11 04:59 . 2011-07-11 04:59 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\FOMM
2011-06-29 11:40 . 2011-06-29 11:40 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-06-29 11:40 . 2011-06-29 11:40 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
2011-06-24 11:10 . 2011-06-24 11:10 -------- d-----w- c:\documents and settings\Administrator\Application Data\Move Networks
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-17 02:14 . 2011-05-20 14:00 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-06 23:52 . 2011-04-26 14:45 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 23:52 . 2011-04-26 14:44 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-04 08:52 . 2010-05-26 01:17 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-04 06:25 . 2009-03-15 02:12 73728 ----a-w- c:\windows\system32\javacpl.cpl
2006-08-27 13:50 . 2006-08-27 13:50 740719 ----a-w- c:\program files\Setupfull.exe
2011-06-29 11:40 . 2011-03-26 05:08 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-04-14 18:01 . 2010-05-26 00:43 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-07-15_00.01.21 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-07-20 13:08 . 2011-07-20 13:08 16384 c:\windows\Temp\Perflib_Perfdata_f8.dat
+ 2011-07-20 13:07 . 2011-07-20 13:07 16384 c:\windows\Temp\Perflib_Perfdata_7ec.dat
+ 2005-10-11 03:44 . 2006-03-01 19:42 11776 c:\windows\SYSTEM32\DLLCACHE\xolehlp.dll
+ 2002-08-29 11:00 . 2002-08-29 11:00 13312 c:\windows\SYSTEM32\DLLCACHE\win87em.dll
+ 2005-10-11 03:44 . 2004-08-04 07:56 75776 c:\windows\SYSTEM32\DLLCACHE\wiascr.dll
+ 2002-08-29 11:00 . 2002-08-29 11:00 13600 c:\windows\SYSTEM32\DLLCACHE\wfwnet.drv
+ 2004-08-04 07:56 . 2004-08-04 07:56 15872 c:\windows\SYSTEM32\DLLCACHE\w3ssl.dll
+ 2004-08-04 07:56 . 2004-08-04 07:56 11325 c:\windows\SYSTEM32\DLLCACHE\vchnt5.dll
+ 2005-10-11 03:44 . 2006-10-04 13:33 35840 c:\windows\SYSTEM32\DLLCACHE\umandlg.dll
- 2006-10-04 13:33 . 2006-10-04 13:33 35840 c:\windows\SYSTEM32\DLLCACHE\umandlg.dll
+ 2002-08-29 11:00 . 2002-08-29 11:00 40960 c:\windows\SYSTEM32\DLLCACHE\trialoc.dll
+ 2002-08-29 11:00 . 2002-08-29 11:00 13888 c:\windows\SYSTEM32\DLLCACHE\toolhelp.dll
- 2009-06-12 11:50 . 2009-06-12 11:50 80896 c:\windows\SYSTEM32\DLLCACHE\tlntsess.exe
+ 2005-10-11 03:47 . 2009-06-12 11:50 80896 c:\windows\SYSTEM32\DLLCACHE\tlntsess.exe
+ 2005-10-11 03:44 . 2009-06-12 11:50 76288 c:\windows\SYSTEM32\DLLCACHE\telnet.exe
- 2009-06-12 11:50 . 2009-06-12 11:50 76288 c:\windows\SYSTEM32\DLLCACHE\telnet.exe
- 2009-10-21 06:00 . 2009-10-21 06:00 75776 c:\windows\SYSTEM32\DLLCACHE\strmfilt.dll
+ 2004-08-04 07:56 . 2009-10-21 06:00 75776 c:\windows\SYSTEM32\DLLCACHE\strmfilt.dll
+ 2005-10-11 03:44 . 2004-08-04 07:56 25088 c:\windows\SYSTEM32\DLLCACHE\slayerxp.dll
+ 2005-10-11 03:44 . 2004-08-04 07:56 42496 c:\windows\SYSTEM32\DLLCACHE\shmgrate.exe
+ 2005-10-11 03:45 . 2004-08-04 07:56 50176 c:\windows\SYSTEM32\DLLCACHE\reg.exe
+ 2005-10-11 03:45 . 2004-08-04 07:56 62464 c:\windows\SYSTEM32\DLLCACHE\rdpclip.exe
+ 2005-10-11 03:44 . 2004-08-04 07:56 89088 c:\windows\SYSTEM32\DLLCACHE\rasauto.dll
+ 2004-08-04 07:56 . 2004-08-04 07:56 48640 c:\windows\SYSTEM32\DLLCACHE\pnrpnsp.dll
+ 2002-08-29 11:00 . 2002-08-29 11:00 46592 c:\windows\SYSTEM32\DLLCACHE\pmspl.dll
+ 2002-08-29 11:00 . 2002-08-29 11:00 69120 c:\windows\SYSTEM32\DLLCACHE\olethk32.dll
+ 2002-08-29 11:00 . 2002-08-29 11:00 22016 c:\windows\SYSTEM32\DLLCACHE\olesvr32.dll
+ 2002-08-29 11:00 . 2002-08-29 11:00 24064 c:\windows\SYSTEM32\DLLCACHE\olesvr.dll
+ 2005-10-11 04:11 . 2005-07-26 04:39 37888 c:\windows\SYSTEM32\DLLCACHE\olecnv32.dll
+ 2005-07-26 04:31 . 2005-07-26 04:39 74752 c:\windows\SYSTEM32\DLLCACHE\olecli32.dll
+ 2002-08-29 11:00 . 2002-08-29 11:00 82944 c:\windows\SYSTEM32\DLLCACHE\olecli.dll
+ 2002-08-29 11:00 . 2002-08-29 11:00 39744 c:\windows\SYSTEM32\DLLCACHE\ole2.dll
+ 2005-10-11 03:47 . 2006-10-13 12:35 65536 c:\windows\SYSTEM32\DLLCACHE\nwwks.dll
- 2006-10-13 12:35 . 2006-10-13 12:35 65536 c:\windows\SYSTEM32\DLLCACHE\nwwks.dll
+ 2002-08-29 11:00 . 2006-10-13 12:35 64000 c:\windows\SYSTEM32\DLLCACHE\nwapi32.dll
- 2006-10-13 12:35 . 2006-10-13 12:35 64000 c:\windows\SYSTEM32\DLLCACHE\nwapi32.dll
+ 2002-08-29 11:00 . 2002-08-29 11:00 31744 c:\windows\SYSTEM32\DLLCACHE\ntsd.exe
+ 2005-10-11 03:44 . 2004-08-04 07:56 91136 c:\windows\SYSTEM32\DLLCACHE\ntprint.dll
+ 2002-08-29 11:00 . 2002-08-29 11:00 14336 c:\windows\SYSTEM32\DLLCACHE\ntlanui2.dll
- 2008-06-12 14:16 . 2008-06-12 14:16 91648 c:\windows\SYSTEM32\DLLCACHE\mtxoci.dll
+ 2005-07-26 04:31 . 2008-06-12 14:16 91648 c:\windows\SYSTEM32\DLLCACHE\mtxoci.dll
+ 2002-08-29 11:00 . 2002-08-29 11:00 60416 c:\windows\SYSTEM32\DLLCACHE\msratelc.dll
+ 2004-09-23 00:45 . 2006-10-19 02:47 27136 c:\windows\SYSTEM32\DLLCACHE\mspmsnsv.dll
- 2008-03-25 04:50 . 2008-03-25 04:50 60192 c:\windows\SYSTEM32\DLLCACHE\msjter40.dll
+ 2005-10-11 03:45 . 2008-03-25 04:50 60192 c:\windows\SYSTEM32\DLLCACHE\msjter40.dll
+ 2005-10-11 03:45 . 2004-08-04 07:56 56832 c:\windows\SYSTEM32\DLLCACHE\mshtmler.dll
+ 2005-10-11 03:44 . 2004-08-04 07:56 33792 c:\windows\SYSTEM32\DLLCACHE\msgsvc.dll
- 2008-06-12 14:16 . 2008-06-12 14:16 58880 c:\windows\SYSTEM32\DLLCACHE\msdtclog.dll
+ 2005-10-11 03:45 . 2008-06-12 14:16 58880 c:\windows\SYSTEM32\DLLCACHE\msdtclog.dll
+ 2005-10-11 03:45 . 2004-08-04 07:56 69120 c:\windows\SYSTEM32\DLLCACHE\msctfp.dll
+ 2002-08-29 11:00 . 2002-08-29 11:00 61168 c:\windows\SYSTEM32\DLLCACHE\msacm.dll
- 2007-07-06 12:46 . 2009-06-25 18:36 48640 c:\windows\SYSTEM32\DLLCACHE\mqupgrd.dll
+ 2005-10-11 03:47 . 2009-06-25 18:36 48640 c:\windows\SYSTEM32\DLLCACHE\mqupgrd.dll
+ 2005-10-11 03:47 . 2009-06-25 18:36 95744 c:\windows\SYSTEM32\DLLCACHE\mqsec.dll
- 2007-07-06 12:46 . 2009-06-25 18:36 95744 c:\windows\SYSTEM32\DLLCACHE\mqsec.dll
- 2007-07-06 12:46 . 2009-06-25 18:36 16896 c:\windows\SYSTEM32\DLLCACHE\mqise.dll
+ 2005-10-11 03:47 . 2009-06-25 18:36 16896 c:\windows\SYSTEM32\DLLCACHE\mqise.dll
+ 2005-10-11 03:47 . 2009-06-25 18:36 47104 c:\windows\SYSTEM32\DLLCACHE\mqdscli.dll
- 2007-07-06 12:46 . 2009-06-25 18:36 47104 c:\windows\SYSTEM32\DLLCACHE\mqdscli.dll
- 2009-06-22 11:49 . 2009-06-22 11:49 19968 c:\windows\SYSTEM32\DLLCACHE\mqbkup.exe
+ 2005-10-11 03:47 . 2009-06-22 11:49 19968 c:\windows\SYSTEM32\DLLCACHE\mqbkup.exe
+ 2002-08-29 11:00 . 2002-08-29 11:00 49152 c:\windows\SYSTEM32\DLLCACHE\mprdim.dll
+ 2005-10-11 03:45 . 2004-08-04 05:51 68768 c:\windows\SYSTEM32\DLLCACHE\mmsystem.dll
+ 2002-08-29 11:00 . 2002-08-29 11:00 28160 c:\windows\SYSTEM32\DLLCACHE\mciwave.drv
+ 2002-08-29 11:00 . 2002-08-29 11:00 25264 c:\windows\SYSTEM32\DLLCACHE\mciseq.drv
+ 2002-08-29 11:00 . 2002-08-29 11:00 73376 c:\windows\SYSTEM32\DLLCACHE\mciavi.drv
+ 2005-10-11 03:45 . 2010-04-16 15:36 16384 c:\windows\SYSTEM32\DLLCACHE\jsproxy.dll
- 2006-05-10 05:22 . 2010-04-16 15:36 16384 c:\windows\SYSTEM32\DLLCACHE\jsproxy.dll
+ 2002-08-29 11:00 . 2002-08-29 11:00 16384 c:\windows\SYSTEM32\DLLCACHE\isignup.exe
+ 2005-10-11 03:45 . 2010-04-16 15:36 96256 c:\windows\SYSTEM32\DLLCACHE\inseng.dll
- 2006-05-10 05:22 . 2010-04-16 15:36 96256 c:\windows\SYSTEM32\DLLCACHE\inseng.dll
+ 2005-10-11 03:46 . 2004-08-04 07:56 20480 c:\windows\SYSTEM32\DLLCACHE\inetwiz.exe
- 2010-04-16 15:36 . 2010-04-16 15:36 81920 c:\windows\SYSTEM32\DLLCACHE\ieencode.dll
+ 2004-08-04 07:56 . 2010-04-16 15:36 81920 c:\windows\SYSTEM32\DLLCACHE\ieencode.dll
- 2006-05-09 11:00 . 2010-04-16 13:36 18432 c:\windows\SYSTEM32\DLLCACHE\iedw.exe
+ 2004-08-04 07:56 . 2010-04-16 13:36 18432 c:\windows\SYSTEM32\DLLCACHE\iedw.exe
+ 2005-10-11 03:45 . 2004-08-04 07:56 34304 c:\windows\SYSTEM32\DLLCACHE\ie4uinit.exe
+ 2005-10-11 03:46 . 2004-08-04 07:56 49152 c:\windows\SYSTEM32\DLLCACHE\icwutil.dll
+ 2002-08-29 11:00 . 2002-08-29 11:00 73728 c:\windows\SYSTEM32\DLLCACHE\icwtutor.exe
+ 2005-10-11 03:46 . 2004-08-04 07:56 24576 c:\windows\SYSTEM32\DLLCACHE\icwrmind.exe
+ 2005-10-11 03:46 . 2004-08-04 07:56 32768 c:\windows\SYSTEM32\DLLCACHE\icwdl.dll
+ 2005-10-11 03:46 . 2004-08-04 07:56 86016 c:\windows\SYSTEM32\DLLCACHE\icwconn2.exe
+ 2005-10-11 03:46 . 2004-08-04 07:56 61440 c:\windows\SYSTEM32\DLLCACHE\icwconn.dll
+ 2004-08-04 07:56 . 2009-10-21 06:00 25088 c:\windows\SYSTEM32\DLLCACHE\httpapi.dll
- 2009-10-21 06:00 . 2009-10-21 06:00 25088 c:\windows\SYSTEM32\DLLCACHE\httpapi.dll
+ 2005-10-11 03:46 . 2004-08-04 07:56 38912 c:\windows\SYSTEM32\DLLCACHE\hmmapi.dll
+ 2004-08-04 07:56 . 2006-08-21 09:14 23040 c:\windows\SYSTEM32\DLLCACHE\fltmc.exe
- 2006-12-21 08:07 . 2006-08-21 09:14 23040 c:\windows\SYSTEM32\DLLCACHE\fltmc.exe
+ 2004-08-04 07:56 . 2006-08-21 12:21 16896 c:\windows\SYSTEM32\DLLCACHE\fltlib.dll
- 2006-12-21 08:07 . 2006-08-21 12:21 16896 c:\windows\SYSTEM32\DLLCACHE\fltlib.dll
- 2006-05-10 05:22 . 2010-04-16 15:36 55808 c:\windows\SYSTEM32\DLLCACHE\extmgr.dll
+ 2004-08-04 07:56 . 2010-04-16 15:36 55808 c:\windows\SYSTEM32\DLLCACHE\extmgr.dll
+ 2005-10-11 03:45 . 2004-08-04 07:56 51200 c:\windows\SYSTEM32\DLLCACHE\dssec.dll
+ 2002-08-29 11:00 . 2002-08-29 11:00 45083 c:\windows\SYSTEM32\DLLCACHE\dispex.dll
+ 2002-08-29 11:00 . 2002-08-29 11:00 18432 c:\windows\SYSTEM32\DLLCACHE\deskperf.dll
+ 2002-08-29 11:00 . 2002-08-29 11:00 16896 c:\windows\SYSTEM32\DLLCACHE\deskmon.dll
+ 2002-08-29 11:00 . 2002-08-29 11:00 16384 c:\windows\SYSTEM32\DLLCACHE\deskadp.dll
+ 2002-08-29 11:00 . 2002-08-29 11:00 39424 c:\windows\SYSTEM32\DLLCACHE\ddeml.dll
+ 2002-08-29 11:00 . 2002-08-29 11:00 27200 c:\windows\SYSTEM32\DLLCACHE\ctl3dv2.dll
+ 2005-10-11 03:46 . 2004-08-04 07:56 35328 c:\windows\SYSTEM32\DLLCACHE\corpol.dll
+ 2002-08-29 11:00 . 2005-07-26 04:39 97792 c:\windows\SYSTEM32\DLLCACHE\comrepl.dll
+ 2002-08-29 11:00 . 2002-08-29 11:00 30160 c:\windows\SYSTEM32\DLLCACHE\compobj.dll
+ 2002-08-29 11:00 . 2002-08-29 11:00 32816 c:\windows\SYSTEM32\DLLCACHE\commdlg.dll
+ 2004-08-04 07:56 . 2004-08-04 07:56 15423 c:\windows\SYSTEM32\DLLCACHE\ch7xxnt5.dll
- 2010-01-13 14:10 . 2010-01-13 14:10 85504 c:\windows\SYSTEM32\DLLCACHE\cabview.dll
+ 2005-10-11 03:46 . 2010-01-13 14:10 85504 c:\windows\SYSTEM32\DLLCACHE\cabview.dll
+ 2002-08-29 11:00 . 2002-08-29 11:00 69584 c:\windows\SYSTEM32\DLLCACHE\avicap.dll
+ 2004-08-04 07:56 . 2004-08-04 07:56 17279 c:\windows\SYSTEM32\DLLCACHE\atv10nt5.dll
+ 2004-08-04 07:56 . 2004-08-04 07:56 14143 c:\windows\SYSTEM32\DLLCACHE\atv06nt5.dll
+ 2004-08-04 07:56 . 2004-08-04 07:56 25471 c:\windows\SYSTEM32\DLLCACHE\atv04nt5.dll
+ 2004-08-04 07:56 . 2004-08-04 07:56 11359 c:\windows\SYSTEM32\DLLCACHE\atv02nt5.dll
+ 2004-08-04 07:56 . 2004-08-04 07:56 21183 c:\windows\SYSTEM32\DLLCACHE\atv01nt5.dll
- 2010-03-05 14:57 . 2010-03-05 14:57 65536 c:\windows\SYSTEM32\DLLCACHE\asycfilt.dll
+ 2005-10-11 03:46 . 2010-03-05 14:57 65536 c:\windows\SYSTEM32\DLLCACHE\asycfilt.dll
+ 2005-10-11 03:46 . 2004-08-04 07:56 17408 c:\windows\SYSTEM32\DLLCACHE\alrsvc.dll
+ 2005-10-11 03:46 . 2004-08-04 07:56 24064 c:\windows\SYSTEM32\DLLCACHE\agentpsh.dll
- 2003-10-16 21:50 . 2011-07-14 19:14 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
+ 2003-10-16 21:50 . 2011-07-21 06:57 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
+ 2011-07-16 20:52 . 2011-07-21 06:57 16384 c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat
- 2003-12-06 11:50 . 2011-04-23 12:28 23040 c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2003-12-06 11:50 . 2011-07-15 07:13 23040 c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2003-12-06 11:50 . 2011-04-23 12:28 27136 c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2003-12-06 11:50 . 2011-07-15 07:13 27136 c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2003-12-06 11:50 . 2011-04-23 12:28 11264 c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2003-12-06 11:50 . 2011-07-15 07:13 11264 c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2003-12-06 11:50 . 2011-07-15 07:13 12288 c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2003-12-06 11:50 . 2011-04-23 12:28 12288 c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2011-04-15 07:17 . 2011-04-15 07:17 38240 c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
+ 2011-07-15 07:02 . 2011-07-15 07:02 38240 c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
+ 2010-10-17 02:25 . 2011-07-15 07:15 49152 c:\windows\Installer\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}\ConfigIcon.dll
- 2010-10-17 02:25 . 2010-04-22 07:05 49152 c:\windows\Installer\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}\ConfigIcon.dll
+ 2005-10-11 03:47 . 2004-08-04 07:56 6656 c:\windows\SYSTEM32\DLLCACHE\wuauserv.dll
+ 2002-08-29 11:00 . 2002-08-29 11:00 2736 c:\windows\SYSTEM32\DLLCACHE\wowdeb.exe
+ 2002-08-29 11:00 . 2002-08-29 11:00 2112 c:\windows\SYSTEM32\DLLCACHE\winspool.exe
+ 2002-08-29 11:00 . 2002-08-29 11:00 2176 c:\windows\SYSTEM32\DLLCACHE\vga.drv
+ 2002-08-29 11:00 . 2002-08-29 11:00 4048 c:\windows\SYSTEM32\DLLCACHE\timer.drv
+ 2002-08-29 11:00 . 2002-08-29 11:00 3072 c:\windows\SYSTEM32\DLLCACHE\systray.exe
+ 2002-08-29 11:00 . 2002-08-29 11:00 3360 c:\windows\SYSTEM32\DLLCACHE\system.drv
+ 2002-08-29 11:00 . 2002-08-29 11:00 4208 c:\windows\SYSTEM32\DLLCACHE\storage.dll
+ 2002-08-29 11:00 . 2002-08-29 11:00 1744 c:\windows\SYSTEM32\DLLCACHE\sound.drv
+ 2004-08-04 07:56 . 2004-08-04 07:56 3901 c:\windows\SYSTEM32\DLLCACHE\siint5.dll
+ 2002-08-29 11:00 . 2002-08-29 11:00 5120 c:\windows\SYSTEM32\DLLCACHE\shell.dll
- 2009-06-22 11:49 . 2009-06-22 11:49 4608 c:\windows\SYSTEM32\DLLCACHE\mqsvc.exe
+ 2005-10-11 03:47 . 2009-06-22 11:49 4608 c:\windows\SYSTEM32\DLLCACHE\mqsvc.exe
+ 2005-10-11 03:46 . 2004-08-04 07:56 4639 c:\windows\SYSTEM32\DLLCACHE\mplayer2.exe
+ 2002-08-29 11:00 . 2002-08-29 11:00 2032 c:\windows\SYSTEM32\DLLCACHE\mouse.drv
+ 2002-08-29 11:00 . 2002-08-29 11:00 2000 c:\windows\SYSTEM32\DLLCACHE\keyboard.drv
+ 2002-08-29 11:00 . 2002-08-29 11:00 3584 c:\windows\SYSTEM32\DLLCACHE\iprop.dll
+ 2004-08-04 07:56 . 2004-08-04 07:56 3775 c:\windows\SYSTEM32\DLLCACHE\adv11nt5.dll
+ 2004-08-04 07:56 . 2004-08-04 07:56 3711 c:\windows\SYSTEM32\DLLCACHE\adv09nt5.dll
+ 2004-08-04 07:56 . 2004-08-04 07:56 3135 c:\windows\SYSTEM32\DLLCACHE\adv08nt5.dll
+ 2004-08-04 07:56 . 2004-08-04 07:56 3647 c:\windows\SYSTEM32\DLLCACHE\adv07nt5.dll
+ 2004-08-04 07:56 . 2004-08-04 07:56 3615 c:\windows\SYSTEM32\DLLCACHE\adv05nt5.dll
+ 2004-08-04 07:56 . 2004-08-04 07:56 3967 c:\windows\SYSTEM32\DLLCACHE\adv02nt5.dll
+ 2004-08-04 07:56 . 2004-08-04 07:56 4255 c:\windows\SYSTEM32\DLLCACHE\adv01nt5.dll
+ 2009-02-06 00:50 . 2011-07-16 08:39 1984 c:\windows\SYSTEM32\d3d9caps.dat
+ 2003-12-06 11:50 . 2011-07-15 07:13 4096 c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2003-12-06 11:50 . 2011-04-23 12:28 4096 c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2011-07-17 02:14 . 2011-07-17 02:14 243360 c:\windows\SYSTEM32\Macromed\Flash\FlashUtil10u_ActiveX.exe
+ 2011-07-17 02:14 . 2011-07-17 02:14 328864 c:\windows\SYSTEM32\Macromed\Flash\FlashUtil10u_ActiveX.dll
+ 2011-07-19 17:57 . 2011-05-04 08:52 157472 c:\windows\SYSTEM32\javaws.exe
+ 2011-07-19 17:57 . 2011-05-04 08:52 145184 c:\windows\SYSTEM32\javaw.exe
- 2010-08-17 03:54 . 2010-07-17 09:00 145184 c:\windows\SYSTEM32\javaw.exe
+ 2011-07-19 17:57 . 2011-05-04 08:52 145184 c:\windows\SYSTEM32\java.exe
- 2010-08-17 03:54 . 2010-07-17 09:00 145184 c:\windows\SYSTEM32\java.exe
+ 2004-08-04 07:56 . 2004-08-04 07:56 129536 c:\windows\SYSTEM32\DLLCACHE\xmlprov.dll
+ 2004-09-23 00:46 . 2009-07-14 04:43 286208 c:\windows\SYSTEM32\DLLCACHE\wmpdxm.dll
- 2009-07-14 04:43 . 2009-07-14 04:43 286208 c:\windows\SYSTEM32\DLLCACHE\wmpdxm.dll
+ 2005-10-11 03:47 . 2004-08-04 07:56 358912 c:\windows\SYSTEM32\DLLCACHE\wmic.exe
+ 2005-10-11 03:47 . 2004-08-04 07:56 937984 c:\windows\SYSTEM32\DLLCACHE\winbrand.dll
+ 2005-10-11 03:46 . 2007-06-26 15:13 851968 c:\windows\SYSTEM32\DLLCACHE\vgx.dll
- 2006-09-18 14:15 . 2007-06-26 15:13 851968 c:\windows\SYSTEM32\DLLCACHE\vgx.dll
+ 2002-08-29 11:00 . 2002-08-29 11:00 177856 c:\windows\SYSTEM32\DLLCACHE\typelib.dll
+ 2005-10-11 03:44 . 2005-07-26 04:39 101376 c:\windows\SYSTEM32\DLLCACHE\txflog.dll
- 2010-12-31 02:50 . 2009-06-21 22:04 153088 c:\windows\SYSTEM32\DLLCACHE\triedit.dll
+ 2005-10-11 03:46 . 2009-06-21 22:04 153088 c:\windows\SYSTEM32\DLLCACHE\triedit.dll
- 2006-08-21 14:52 . 2009-08-26 08:16 247326 c:\windows\SYSTEM32\DLLCACHE\strmdll.dll
+ 2005-10-11 03:44 . 2009-08-26 08:16 247326 c:\windows\SYSTEM32\DLLCACHE\strmdll.dll
+ 2004-08-04 07:56 . 2004-08-04 07:56 757248 c:\windows\SYSTEM32\DLLCACHE\sprb041b.dll
+ 2005-10-11 03:47 . 2004-08-04 07:56 188416 c:\windows\SYSTEM32\DLLCACHE\spra041e.dll
+ 2005-10-11 03:46 . 2004-08-04 07:56 130048 c:\windows\SYSTEM32\DLLCACHE\softkbd.dll
+ 2002-08-29 11:00 . 2002-08-29 11:00 753236 c:\windows\SYSTEM32\DLLCACHE\rvseres.dll
+ 2005-10-11 03:45 . 2004-08-04 07:56 109568 c:\windows\SYSTEM32\DLLCACHE\progman.exe
+ 2002-08-29 11:00 . 2002-08-29 11:00 153008 c:\windows\SYSTEM32\DLLCACHE\ole2nls.dll
+ 2002-08-29 11:00 . 2002-08-29 11:00 169520 c:\windows\SYSTEM32\DLLCACHE\ole2disp.dll
+ 2002-08-29 11:00 . 2002-08-29 11:00 108464 c:\windows\SYSTEM32\DLLCACHE\netapi.dll
- 2008-03-25 04:50 . 2008-03-25 04:50 355104 c:\windows\SYSTEM32\DLLCACHE\msxbde40.dll
+ 2005-10-11 03:45 . 2008-03-25 04:50 355104 c:\windows\SYSTEM32\DLLCACHE\msxbde40.dll
+ 2005-10-11 03:45 . 2008-03-25 04:50 621344 c:\windows\SYSTEM32\DLLCACHE\mswstr10.dll
- 2008-03-25 04:50 . 2008-03-25 04:50 621344 c:\windows\SYSTEM32\DLLCACHE\mswstr10.dll
- 2009-08-05 09:11 . 2009-08-05 09:11 204800 c:\windows\SYSTEM32\DLLCACHE\mswebdvd.dll
+ 2005-10-11 03:45 . 2009-08-05 09:11 204800 c:\windows\SYSTEM32\DLLCACHE\mswebdvd.dll
- 2008-03-25 04:50 . 2008-03-25 04:50 838432 c:\windows\SYSTEM32\DLLCACHE\mswdat10.dll
+ 2005-10-11 03:45 . 2008-03-25 04:50 838432 c:\windows\SYSTEM32\DLLCACHE\mswdat10.dll
+ 2002-08-29 11:00 . 2002-08-29 11:00 126912 c:\windows\SYSTEM32\DLLCACHE\msvideo.dll
+ 2005-10-11 03:45 . 2009-06-05 07:42 655872 c:\windows\SYSTEM32\DLLCACHE\mstscax.dll
- 2010-12-31 02:36 . 2009-06-05 07:42 655872 c:\windows\SYSTEM32\DLLCACHE\mstscax.dll
+ 2005-10-11 03:45 . 2010-04-16 15:36 532480 c:\windows\SYSTEM32\DLLCACHE\mstime.dll
- 2006-05-10 05:23 . 2010-04-16 15:36 532480 c:\windows\SYSTEM32\DLLCACHE\mstime.dll
- 2008-03-25 04:50 . 2008-03-25 04:50 264992 c:\windows\SYSTEM32\DLLCACHE\mstext40.dll
+ 2005-10-11 03:45 . 2008-03-25 04:50 264992 c:\windows\SYSTEM32\DLLCACHE\mstext40.dll
+ 2005-10-11 03:45 . 2008-03-25 04:50 559904 c:\windows\SYSTEM32\DLLCACHE\msrepl40.dll
- 2008-03-25 04:50 . 2008-03-25 04:50 559904 c:\windows\SYSTEM32\DLLCACHE\msrepl40.dll
+ 2005-10-11 03:45 . 2008-03-25 04:50 322336 c:\windows\SYSTEM32\DLLCACHE\msrd3x40.dll
- 2008-03-25 04:50 . 2008-03-25 04:50 322336 c:\windows\SYSTEM32\DLLCACHE\msrd3x40.dll
- 2008-03-25 04:50 . 2008-03-25 04:50 432928 c:\windows\SYSTEM32\DLLCACHE\msrd2x40.dll
+ 2005-10-11 03:45 . 2008-03-25 04:50 432928 c:\windows\SYSTEM32\DLLCACHE\msrd2x40.dll
- 2008-03-25 04:50 . 2008-03-25 04:50 355104 c:\windows\SYSTEM32\DLLCACHE\mspbde40.dll
+ 2005-10-11 03:45 . 2008-03-25 04:50 355104 c:\windows\SYSTEM32\DLLCACHE\mspbde40.dll
+ 2005-10-11 03:46 . 2004-08-04 07:56 561664 c:\windows\SYSTEM32\DLLCACHE\msobmain.dll
+ 2005-10-11 03:47 . 2009-06-25 18:36 169472 c:\windows\SYSTEM32\DLLCACHE\msmqocm.dll
- 2009-06-25 18:36 . 2009-06-25 18:36 169472 c:\windows\SYSTEM32\DLLCACHE\msmqocm.dll
- 2008-03-25 04:50 . 2008-03-25 04:50 219936 c:\windows\SYSTEM32\DLLCACHE\msltus40.dll
+ 2005-10-11 03:45 . 2008-03-25 04:50 219936 c:\windows\SYSTEM32\DLLCACHE\msltus40.dll
- 2008-03-25 04:50 . 2008-03-25 04:50 248608 c:\windows\SYSTEM32\DLLCACHE\msjtes40.dll
+ 2005-10-11 03:45 . 2008-03-25 04:50 248608 c:\windows\SYSTEM32\DLLCACHE\msjtes40.dll
+ 2005-10-11 03:46 . 2006-12-26 13:07 102400 c:\windows\SYSTEM32\DLLCACHE\msjro.dll
- 2006-12-26 13:07 . 2006-12-26 13:07 102400 c:\windows\SYSTEM32\DLLCACHE\msjro.dll
- 2008-03-27 08:12 . 2008-03-27 08:12 151583 c:\windows\SYSTEM32\DLLCACHE\msjint40.dll
+ 2005-10-11 03:45 . 2008-03-27 08:12 151583 c:\windows\SYSTEM32\DLLCACHE\msjint40.dll
- 2008-03-25 04:50 . 2008-03-25 04:50 355112 c:\windows\SYSTEM32\DLLCACHE\msjetol1.dll
+ 2005-10-11 03:45 . 2008-03-25 04:50 355112 c:\windows\SYSTEM32\DLLCACHE\msjetol1.dll
+ 2002-08-29 11:00 . 2005-05-04 18:45 271360 c:\windows\SYSTEM32\DLLCACHE\msihnd.dll
+ 2005-10-11 03:45 . 2004-08-04 07:56 248832 c:\windows\SYSTEM32\DLLCACHE\msieftp.dll
- 2008-03-25 04:50 . 2008-03-25 04:50 326432 c:\windows\SYSTEM32\DLLCACHE\msexcl40.dll
+ 2005-10-11 03:45 . 2008-03-25 04:50 326432 c:\windows\SYSTEM32\DLLCACHE\msexcl40.dll
- 2008-03-25 04:50 . 2008-03-25 04:50 518944 c:\windows\SYSTEM32\DLLCACHE\msexch40.dll
+ 2005-10-11 03:45 . 2008-03-25 04:50 518944 c:\windows\SYSTEM32\DLLCACHE\msexch40.dll
- 2008-06-12 14:16 . 2008-06-12 14:16 161792 c:\windows\SYSTEM32\DLLCACHE\msdtcuiu.dll
+ 2005-10-11 03:45 . 2008-06-12 14:16 161792 c:\windows\SYSTEM32\DLLCACHE\msdtcuiu.dll
- 2008-06-12 14:16 . 2008-06-12 14:16 956928 c:\windows\SYSTEM32\DLLCACHE\msdtctm.dll
+ 2005-10-11 03:45 . 2008-06-12 14:16 956928 c:\windows\SYSTEM32\DLLCACHE\msdtctm.dll
- 2008-06-12 14:16 . 2008-06-12 14:16 428032 c:\windows\SYSTEM32\DLLCACHE\msdtcprx.dll
+ 2005-10-11 03:45 . 2008-06-12 14:16 428032 c:\windows\SYSTEM32\DLLCACHE\msdtcprx.dll
+ 2005-10-11 03:46 . 2004-08-04 07:56 220160 c:\windows\SYSTEM32\DLLCACHE\mscandui.dll
- 2006-12-26 13:07 . 2006-12-26 13:07 180224 c:\windows\SYSTEM32\DLLCACHE\msadomd.dll
+ 2005-10-11 03:46 . 2006-12-26 13:07 180224 c:\windows\SYSTEM32\DLLCACHE\msadomd.dll
- 2006-12-26 13:07 . 2006-12-26 13:07 536576 c:\windows\SYSTEM32\DLLCACHE\msado15.dll
+ 2005-10-11 03:46 . 2006-12-26 13:07 536576 c:\windows\SYSTEM32\DLLCACHE\msado15.dll
+ 2005-10-11 03:46 . 2006-03-23 05:44 143360 c:\windows\SYSTEM32\DLLCACHE\msadco.dll
+ 2005-10-11 03:46 . 2008-05-01 14:30 331776 c:\windows\SYSTEM32\DLLCACHE\msadce.dll
- 2008-08-13 00:40 . 2008-05-01 14:30 331776 c:\windows\SYSTEM32\DLLCACHE\msadce.dll
- 2007-07-06 12:46 . 2009-06-25 18:36 471552 c:\windows\SYSTEM32\DLLCACHE\mqutil.dll
+ 2005-10-11 03:47 . 2009-06-25 18:36 471552 c:\windows\SYSTEM32\DLLCACHE\mqutil.dll
+ 2005-10-11 03:47 . 2009-06-25 18:36 186880 c:\windows\SYSTEM32\DLLCACHE\mqtrig.dll
- 2009-06-25 18:36 . 2009-06-25 18:36 186880 c:\windows\SYSTEM32\DLLCACHE\mqtrig.dll
+ 2005-10-11 03:47 . 2009-06-22 11:49 117248 c:\windows\SYSTEM32\DLLCACHE\mqtgsvc.exe
- 2009-06-22 11:49 . 2009-06-22 11:49 117248 c:\windows\SYSTEM32\DLLCACHE\mqtgsvc.exe
- 2009-06-25 18:36 . 2009-06-25 18:36 517120 c:\windows\SYSTEM32\DLLCACHE\mqsnap.dll
+ 2005-10-11 03:47 . 2009-06-25 18:36 517120 c:\windows\SYSTEM32\DLLCACHE\mqsnap.dll
+ 2005-10-11 03:47 . 2009-06-25 18:36 123392 c:\windows\SYSTEM32\DLLCACHE\mqrtdep.dll
- 2009-06-25 18:36 . 2009-06-25 18:36 123392 c:\windows\SYSTEM32\DLLCACHE\mqrtdep.dll
- 2007-07-06 12:46 . 2009-06-25 18:36 177152 c:\windows\SYSTEM32\DLLCACHE\mqrt.dll
+ 2005-10-11 03:47 . 2009-06-25 18:36 177152 c:\windows\SYSTEM32\DLLCACHE\mqrt.dll
+ 2005-10-11 03:47 . 2009-06-25 18:36 661504 c:\windows\SYSTEM32\DLLCACHE\mqqm.dll
- 2007-07-06 12:46 . 2009-06-25 18:36 661504 c:\windows\SYSTEM32\DLLCACHE\mqqm.dll
- 2009-06-25 18:36 . 2009-06-25 18:36 225280 c:\windows\SYSTEM32\DLLCACHE\mqoa.dll
+ 2005-10-11 03:47 . 2009-06-25 18:36 225280 c:\windows\SYSTEM32\DLLCACHE\mqoa.dll
- 2007-07-06 12:46 . 2009-06-25 18:36 138240 c:\windows\SYSTEM32\DLLCACHE\mqad.dll
+ 2005-10-11 03:47 . 2009-06-25 18:36 138240 c:\windows\SYSTEM32\DLLCACHE\mqad.dll
+ 2002-08-29 11:00 . 2006-11-01 19:17 927504 c:\windows\SYSTEM32\DLLCACHE\mfc40u.dll
- 2006-11-01 19:17 . 2006-11-01 19:17 927504 c:\windows\SYSTEM32\DLLCACHE\mfc40u.dll
+ 2005-10-11 03:45 . 2004-08-04 07:56 514560 c:\windows\SYSTEM32\DLLCACHE\logonui.exe
+ 2005-10-11 03:45 . 2004-08-04 07:56 399872 c:\windows\SYSTEM32\DLLCACHE\lmrt.dll
+ 2005-10-11 03:45 . 2005-05-27 02:04 155136 c:\windows\SYSTEM32\DLLCACHE\itircl.dll
+ 2002-08-29 11:00 . 2002-08-29 11:00 110592 c:\windows\SYSTEM32\DLLCACHE\inetcplc.dll
+ 2005-10-11 03:45 . 2010-04-16 15:36 251392 c:\windows\SYSTEM32\DLLCACHE\iepeers.dll
- 2006-05-10 05:22 . 2010-04-16 15:36 251392 c:\windows\SYSTEM32\DLLCACHE\iepeers.dll
+ 2005-10-11 03:45 . 2004-08-04 07:56 323584 c:\windows\SYSTEM32\DLLCACHE\iedkcs32.dll
+ 2005-10-11 03:46 . 2004-08-04 07:56 172032 c:\windows\SYSTEM32\DLLCACHE\icwhelp.dll
+ 2005-10-11 03:46 . 2004-08-04 07:56 132608 c:\windows\SYSTEM32\DLLCACHE\fxsocm.dll
- 2006-08-22 09:05 . 2006-08-22 09:05 498742 c:\windows\SYSTEM32\DLLCACHE\dxmasf.dll
+ 2005-10-11 03:45 . 2006-08-22 09:05 498742 c:\windows\SYSTEM32\DLLCACHE\dxmasf.dll
+ 2005-10-11 03:45 . 2004-08-04 07:56 113152 c:\windows\SYSTEM32\DLLCACHE\dsuiext.dll
+ 2002-08-29 11:00 . 2002-08-29 11:00 144384 c:\windows\SYSTEM32\DLLCACHE\dskquoui.dll
- 2008-03-25 04:50 . 2008-03-25 04:50 554008 c:\windows\SYSTEM32\DLLCACHE\dao360.dll
+ 2005-10-11 03:46 . 2008-03-25 04:50 554008 c:\windows\SYSTEM32\DLLCACHE\dao360.dll
+ 2005-10-11 03:46 . 2005-07-26 04:39 540160 c:\windows\SYSTEM32\DLLCACHE\comuid.dll
+ 2005-10-11 03:46 . 2005-07-26 04:39 195072 c:\windows\SYSTEM32\DLLCACHE\comadmin.dll
+ 2005-10-11 03:46 . 2005-07-26 04:39 110080 c:\windows\SYSTEM32\DLLCACHE\clbcatex.dll
+ 2002-08-29 11:00 . 2002-08-29 11:00 780885 c:\windows\SYSTEM32\DLLCACHE\chkrres.dll
+ 2002-08-29 11:00 . 2002-08-29 11:00 109456 c:\windows\SYSTEM32\DLLCACHE\avifile.dll
+ 2005-10-11 03:44 . 2004-08-04 07:56 588800 c:\windows\SYSTEM32\DLLCACHE\autochk.exe
+ 2005-10-11 03:47 . 2004-08-04 07:56 167936 c:\windows\SYSTEM32\DLLCACHE\appmgmts.dll
- 2006-10-12 11:09 . 2006-10-12 11:09 256512 c:\windows\SYSTEM32\DLLCACHE\agentsvr.exe
+ 2005-10-11 03:46 . 2006-10-12 11:09 256512 c:\windows\SYSTEM32\DLLCACHE\agentsvr.exe
+ 2005-10-11 03:46 . 2010-02-12 04:47 100864 c:\windows\SYSTEM32\DLLCACHE\6to4svc.dll
- 2006-08-16 11:58 . 2010-02-12 04:47 100864 c:\windows\SYSTEM32\DLLCACHE\6to4svc.dll
+ 2011-07-19 17:58 . 2011-07-19 17:58 203776 c:\windows\Installer\d841e.msi
- 2003-12-06 11:50 . 2011-04-23 12:28 409600 c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2003-12-06 11:50 . 2011-07-15 07:13 409600 c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2003-12-06 11:50 . 2011-07-15 07:13 286720 c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2003-12-06 11:50 . 2011-04-23 12:28 286720 c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2003-12-06 11:50 . 2011-07-15 07:13 794624 c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2003-12-06 11:50 . 2011-04-23 12:28 794624 c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2003-12-06 11:50 . 2011-07-15 07:13 135168 c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2003-12-06 11:50 . 2011-04-23 12:28 135168 c:\windows\Installer\{91130409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2007-06-06 14:53 . 2007-06-06 14:53 1193832 c:\windows\SYSTEM32\FM20.DLL
+ 2002-08-29 11:00 . 2002-08-29 11:00 2178131 c:\windows\SYSTEM32\DLLCACHE\shvlres.dll
- 2006-06-22 05:06 . 2009-07-17 16:27 1435648 c:\windows\SYSTEM32\DLLCACHE\query.dll
+ 2005-10-11 03:45 . 2009-07-17 16:27 1435648 c:\windows\SYSTEM32\DLLCACHE\query.dll
+ 2005-10-11 03:44 . 2010-02-16 12:39 2058368 c:\windows\SYSTEM32\DLLCACHE\ntkrnlpa.exe
- 2006-12-19 12:55 . 2010-02-16 12:39 2058368 c:\windows\SYSTEM32\DLLCACHE\ntkrnlpa.exe
+ 2005-10-11 03:45 . 2004-08-04 07:56 1428480 c:\windows\SYSTEM32\DLLCACHE\msvidctl.dll
+ 2005-10-11 03:45 . 2008-03-25 04:50 1516568 c:\windows\SYSTEM32\DLLCACHE\msjet40.dll
- 2008-03-25 04:50 . 2008-03-25 04:50 1516568 c:\windows\SYSTEM32\DLLCACHE\msjet40.dll
+ 2002-08-29 11:00 . 2002-08-29 11:00 1175635 c:\windows\SYSTEM32\DLLCACHE\hrtzres.dll
- 2006-05-10 05:22 . 2010-04-16 15:36 1054208 c:\windows\SYSTEM32\DLLCACHE\danim.dll
+ 2005-10-11 03:46 . 2010-04-16 15:36 1054208 c:\windows\SYSTEM32\DLLCACHE\danim.dll
+ 2005-10-11 03:46 . 2005-09-10 01:53 2067968 c:\windows\SYSTEM32\DLLCACHE\cdosys.dll
+ 2002-08-29 11:00 . 2002-08-29 11:00 1817687 c:\windows\SYSTEM32\DLLCACHE\bckgres.dll
- 2011-04-23 07:01 . 2009-03-18 23:23 1615240 c:\windows\SoftwareDistribution\Download\Install\WindowsXP-KB905474-ENU-x86.exe
+ 2009-08-20 09:02 . 2009-08-20 09:02 5204992 c:\windows\Installer\6cab8.msp
+ 2011-04-27 23:51 . 2011-04-27 23:51 6825472 c:\windows\Installer\1761319.msp
+ 2011-05-20 21:31 . 2011-05-20 21:31 5518848 c:\windows\Installer\1761307.msp
+ 2011-05-17 22:28 . 2011-05-17 22:28 6862848 c:\windows\Installer\17612f5.msp
+ 2011-04-29 16:33 . 2011-04-29 16:33 8173568 c:\windows\Installer\17612e3.msp
+ 2011-05-23 18:15 . 2011-05-23 18:15 3617792 c:\windows\Installer\17612da.msp
+ 2011-04-29 16:30 . 2011-04-29 16:30 1197056 c:\windows\Installer\17612c8.msp
+ 2011-07-19 17:40 . 2011-07-19 17:40 2295808 c:\windows\Installer\137e04a.msi
+ 2007-04-19 18:09 . 2007-04-19 18:09 1061720 c:\windows\Installer\$PatchCache$\Managed\9040311900063D11C8EF10054038389C\11.0.8173\OMFC.DLL
+ 2007-06-06 14:53 . 2007-06-06 14:53 1195888 c:\windows\Installer\$PatchCache$\Managed\9040311900063D11C8EF10054038389C\11.0.8173\FM20.DLL
+ 2011-06-21 19:25 . 2011-06-21 19:25 3123872 c:\windows\Downloaded Program Files\CONFLICT.1\FP_AX_CAB_INSTALLER.exe
+ 2010-12-31 08:07 . 2011-07-01 13:54 49089992 c:\windows\SYSTEM32\MRT.exe
+ 2011-02-24 13:38 . 2011-02-24 13:38 10984448 c:\windows\Installer\6caa6.msp
+ 2011-07-15 07:13 . 2011-07-15 07:13 20333056 c:\windows\Installer\1761325.msp
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="g:\steam\steam.exe" [2011-04-01 1242448]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-05-02 1306216]
"TomcatStartup 2.5"="c:\program files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-02-12 163840]
"StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 155648]
"StatusClient 2.6"="c:\program files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" [2004-02-11 61440]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2003-08-27 204800]
"Omnipage"="c:\program files\ScanSoft\OmniPageSE\opware32.exe" [2002-06-03 49152]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2003-08-29 77824]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2003-08-29 188416]
"LogitechImageStudioTray"="c:\program files\Logitech\ImageStudio\LogiTray.exe" [2003-07-03 57344]
"LogitechGalleryRepair"="c:\program files\Logitech\ImageStudio\ISStart.exe" [2003-07-03 155648]
"IPHSend"="c:\program files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 124520]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-01-07 49152]
"HostManager"="c:\program files\Common Files\AOL\1133033090\ee\AOLSoftware.exe" [2006-05-10 50760]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-01-25 421160]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-04-07 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2011-01-07 111208]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-01-07 13880424]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-11-04 1753192]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Device Detector 2.lnk - c:\program files\OLYMPUS\DeviceDetector\DevDtct2.exe [2005-9-26 114688]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2005-3-29 118784]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0ntdel.exe mad.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\aol\\1133033090\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\aol\\1133033090\\ee\\aim6.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\SYSTEM32\\dwwin.exe"=
"c:\\WINDOWS\\SYSTEM32\\DRWTSN32.EXE"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"g:\\steam\\Steam.exe"=
"g:\\steam\\SteamApps\\common\\fallout new vegas\\FalloutNVLauncher.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
.
R0 sonyhcb;Sony Digital Imaging Base;c:\windows\SYSTEM32\DRIVERS\sonyhcb.sys [7/7/2005 9:00 PM 6097]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\SYSTEM32\DRIVERS\mfetdi2k.sys [4/29/2010 8:34 PM 89368]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [10/10/2005 11:44 PM 14336]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [4/29/2010 8:33 PM 214904]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [4/29/2010 8:33 PM 214904]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [4/29/2010 8:36 PM 159832]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [4/29/2010 8:34 PM 148520]
R2 TabletServiceWacom;TabletServiceWacom;c:\windows\SYSTEM32\Wacom_Tablet.exe [5/17/2011 12:08 AM 3406120]
R3 cfwids;McAfee Inc. cfwids;c:\windows\SYSTEM32\DRIVERS\cfwids.sys [4/29/2010 8:34 PM 57432]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\SYSTEM32\DRIVERS\mfefirek.sys [4/29/2010 8:34 PM 337912]
R3 mfendiskmp;mfendiskmp;c:\windows\SYSTEM32\DRIVERS\mfendisk.sys [4/29/2010 8:34 PM 83688]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\SYSTEM32\DRIVERS\wacmoumonitor.sys [5/17/2011 12:08 AM 15656]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys [4/26/2011 10:45 AM 41272]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 8:49 AM 227232]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\SYSTEM32\DRIVERS\mfendisk.sys [4/29/2010 8:34 PM 83688]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\SYSTEM32\DRIVERS\mferkdet.sys [4/29/2010 8:34 PM 85984]
S3 sonyhcs;Sony Digital Imaging Video;c:\windows\SYSTEM32\DRIVERS\sonyhcs.sys [7/7/2005 9:00 PM 299923]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 2:37 PM 517096]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-21 c:\windows\Tasks\AdobeAAMUpdater-1.0-ALIANDER-Ali.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2011-02-15 08:44]
.
2011-07-21 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2010-12-31 02:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.xfinity.com/?cid=xfstart_eg_self_main
mSearch Bar = hxxp://server224.smartbotpro.net/7search/?new-hklm
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://my.netzero.net/s/search?r=minisearch
IE: &WordWeb... - c:\windows\wweb32.dll/lookup.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\aydoxx7q.default\
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 54323
FF - prefs.js: network.proxy.type - 1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-21 04:52
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-458591397-4007700802-1518888132-1007\Software\SecuROM\License information*]
"datasecu"=hex:04,fa,ec,15,b9,3c,ea,e2,75,54,3b,e5,1c,f2,92,68,ff,30,f5,10,ef,
46,b5,28,a6,f1,02,ba,a7,19,40,ef,fe,a9,4a,7e,ee,74,bd,fd,bf,88,41,ed,2a,62,\
"rkeysecu"=hex:cb,bd,f2,61,5a,4e,c6,95,f2,29,8b,82,ba,6b,3d,44
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1016)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
Completion time: 2011-07-21 04:57:29
ComboFix-quarantined-files.txt 2011-07-21 08:57
ComboFix2.txt 2011-07-16 13:44
ComboFix3.txt 2011-07-15 00:05
ComboFix4.txt 2010-08-18 16:40
ComboFix5.txt 2011-07-19 11:32
.
Pre-Run: 6,856,708,096 bytes free
Post-Run: 6,847,172,608 bytes free
.
- - End Of File - - 455F18C9DCF0FBD41AD4DDAE774E0711

#11 User is offline   CatByte 

  • Bleepin' curls!
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 7,857
  • Joined: 09-November 08
  • Gender:Not Telling
  • Location:Canada

Posted 21 July 2011 - 04:33 PM

Hi

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

FireFox::
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\aydoxx7q.default\
FF - prefs.js: network.proxy.http_port - 54323
FF - prefs.js: network.proxy.type - 1
.


Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"

Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.


CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


You should be fine to use your email now, if you don't see a difference in firefox after running this latest script, then uninstall it and download and install the latest version and see if that makes a difference

let me know if there are any other outstanding issues.
The help you receive here is free. If you wish to show your appreciation, then you may Posted Image
Microsoft MVP - 2010, 2011

#12 User is offline   KazF 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 12
  • Joined: 09-July 11

Posted 23 July 2011 - 10:22 PM

I'm still having trouble with Firefox, even after Combofix and uninstalling and reinstalling it. When I click on the option to download something or see the download list, it freezes. That's the only problem I have left, so I don't know if it's related to the virus, or something else. Here's the latest log:

ComboFix 11-07-23.04 - Ali 07/23/2011 16:11:53.5.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2302.1633 [GMT -4:00]
Running from: c:\documents and settings\Ali\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ali\Desktop\CFScript.txt
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
.
((((((((((((((((((((((((( Files Created from 2011-06-23 to 2011-07-23 )))))))))))))))))))))))))))))))
.
.
2011-07-19 17:58 . 2011-07-19 17:58 -------- d-----w- c:\program files\Common Files\Java
2011-07-19 17:34 . 2011-07-19 17:34 -------- d-----w- c:\documents and settings\Ali\Local Settings\Application Data\Solid State Networks
2011-07-16 14:59 . 2011-07-16 14:59 -------- d-----w- c:\program files\ESET
2011-07-16 13:58 . 2011-07-16 13:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-07-16 13:52 . 2011-07-16 13:52 -------- d-s---w- c:\documents and settings\Administrator\UserData
2011-07-14 01:30 . 2010-06-30 08:27 49904 ----a-r- c:\windows\system32\drivers\BVRPMPR5.SYS
2011-07-14 01:27 . 2011-07-14 01:38 -------- d-----w- C:\Netgear
2011-07-12 19:57 . 2011-07-12 19:57 179 ----a-w- c:\documents and settings\Administrator\Application Data\Microsoft\gb_111400546.bat
2011-07-11 20:38 . 2011-07-11 20:54 -------- d-----w- c:\documents and settings\Administrator\Application Data\gtk-2.0
2011-07-11 20:38 . 2011-07-11 20:38 -------- d-----w- c:\documents and settings\Administrator\.thumbnails
2011-07-11 20:34 . 2011-07-11 21:20 -------- d-----w- c:\documents and settings\Administrator\.gimp-2.6
2011-07-11 04:59 . 2011-07-11 04:59 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\FOMM
2011-06-29 11:40 . 2011-06-29 11:40 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-06-29 11:40 . 2011-06-29 11:40 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
2011-06-24 11:10 . 2011-06-24 11:10 -------- d-----w- c:\documents and settings\Administrator\Application Data\Move Networks
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-17 02:14 . 2011-05-20 14:00 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-06 23:52 . 2011-04-26 14:45 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 23:52 . 2011-04-26 14:44 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-04 08:52 . 2010-05-26 01:17 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-04 06:25 . 2009-03-15 02:12 73728 ----a-w- c:\windows\system32\javacpl.cpl
2006-08-27 13:50 . 2006-08-27 13:50 740719 ----a-w- c:\program files\Setupfull.exe
2011-06-29 11:40 . 2011-03-26 05:08 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-04-14 18:01 . 2010-05-26 00:43 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
((((((((((((((((((((((((((((( SnapShot_2011-07-21_08.52.42 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-07-23 12:53 . 2011-07-23 12:53 16384 c:\windows\Temp\Perflib_Perfdata_7b8.dat
+ 2011-07-23 12:53 . 2011-07-23 12:53 16384 c:\windows\Temp\Perflib_Perfdata_124.dat
- 2003-12-06 11:30 . 2011-04-15 07:39 76358 c:\windows\SYSTEM32\PERFC009.DAT
+ 2003-12-06 11:30 . 2011-07-21 20:54 76358 c:\windows\SYSTEM32\PERFC009.DAT
+ 2002-08-29 11:00 . 2002-08-29 11:00 11776 c:\windows\SYSTEM32\DLLCACHE\rasctrs.dll
+ 2002-08-29 11:00 . 2002-08-29 11:00 10752 c:\windows\SYSTEM32\DLLCACHE\pschdprf.dll
+ 2002-08-29 11:00 . 2002-08-29 11:00 12288 c:\windows\SYSTEM32\DLLCACHE\perfts.dll
+ 2002-08-29 11:00 . 2002-08-29 11:00 16896 c:\windows\SYSTEM32\DLLCACHE\perfnet.dll
+ 2005-10-11 03:44 . 2004-08-04 07:56 39936 c:\windows\SYSTEM32\DLLCACHE\perfctrs.dll
+ 2005-10-11 03:45 . 2004-08-04 07:56 97280 c:\windows\SYSTEM32\DLLCACHE\loadperf.dll
+ 2003-10-16 21:50 . 2011-07-23 19:14 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
- 2003-10-16 21:50 . 2011-07-21 06:57 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
+ 2011-07-21 15:52 . 2011-07-23 19:14 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat
+ 2002-08-29 11:00 . 2002-08-29 11:00 5632 c:\windows\SYSTEM32\DLLCACHE\tapiperf.dll
+ 2002-08-29 11:00 . 2002-08-29 11:00 9728 c:\windows\SYSTEM32\DLLCACHE\rsvpperf.dll
- 2003-12-06 11:30 . 2011-04-15 07:39 453966 c:\windows\SYSTEM32\PERFH009.DAT
+ 2003-12-06 11:30 . 2011-07-21 20:54 453966 c:\windows\SYSTEM32\PERFH009.DAT
+ 2005-10-11 03:46 . 2004-08-04 07:56 196608 c:\windows\SYSTEM32\DLLCACHE\wmiadap.exe
+ 2002-09-03 19:42 . 2011-07-22 11:37 2241840 c:\windows\SYSTEM32\FNTCACHE.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="g:\steam\steam.exe" [2011-04-01 1242448]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-05-02 1306216]
"TomcatStartup 2.5"="c:\program files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-02-12 163840]
"StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 155648]
"StatusClient 2.6"="c:\program files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" [2004-02-11 61440]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2003-08-27 204800]
"Omnipage"="c:\program files\ScanSoft\OmniPageSE\opware32.exe" [2002-06-03 49152]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2003-08-29 77824]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2003-08-29 188416]
"LogitechImageStudioTray"="c:\program files\Logitech\ImageStudio\LogiTray.exe" [2003-07-03 57344]
"LogitechGalleryRepair"="c:\program files\Logitech\ImageStudio\ISStart.exe" [2003-07-03 155648]
"IPHSend"="c:\program files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 124520]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-01-07 49152]
"HostManager"="c:\program files\Common Files\AOL\1133033090\ee\AOLSoftware.exe" [2006-05-10 50760]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-01-25 421160]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-04-07 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-04-07 114688]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2011-01-07 111208]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-01-07 13880424]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-11-04 1753192]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Device Detector 2.lnk - c:\program files\OLYMPUS\DeviceDetector\DevDtct2.exe [2005-9-26 114688]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2005-3-29 118784]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0ntdel.exe mad.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\aol\\1133033090\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\aol\\1133033090\\ee\\aim6.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\WINDOWS\\SYSTEM32\\dwwin.exe"=
"c:\\WINDOWS\\SYSTEM32\\DRWTSN32.EXE"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\DW\\DW20.EXE"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"g:\\steam\\Steam.exe"=
"g:\\steam\\SteamApps\\common\\fallout new vegas\\FalloutNVLauncher.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
.
R0 sonyhcb;Sony Digital Imaging Base;c:\windows\SYSTEM32\DRIVERS\sonyhcb.sys [7/7/2005 9:00 PM 6097]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\SYSTEM32\DRIVERS\mfetdi2k.sys [4/29/2010 8:34 PM 89368]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [10/10/2005 11:44 PM 14336]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [4/29/2010 8:33 PM 214904]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [4/29/2010 8:33 PM 214904]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [4/29/2010 8:36 PM 159832]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [4/29/2010 8:34 PM 148520]
R2 TabletServiceWacom;TabletServiceWacom;c:\windows\SYSTEM32\Wacom_Tablet.exe [5/17/2011 12:08 AM 3406120]
R3 cfwids;McAfee Inc. cfwids;c:\windows\SYSTEM32\DRIVERS\cfwids.sys [4/29/2010 8:34 PM 57432]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\SYSTEM32\DRIVERS\mfefirek.sys [4/29/2010 8:34 PM 337912]
R3 mfendiskmp;mfendiskmp;c:\windows\SYSTEM32\DRIVERS\mfendisk.sys [4/29/2010 8:34 PM 83688]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\SYSTEM32\DRIVERS\wacmoumonitor.sys [5/17/2011 12:08 AM 15656]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys [4/26/2011 10:45 AM 41272]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 8:49 AM 227232]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\SYSTEM32\DRIVERS\mfendisk.sys [4/29/2010 8:34 PM 83688]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\SYSTEM32\DRIVERS\mferkdet.sys [4/29/2010 8:34 PM 85984]
S3 sonyhcs;Sony Digital Imaging Video;c:\windows\SYSTEM32\DRIVERS\sonyhcs.sys [7/7/2005 9:00 PM 299923]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 2:37 PM 517096]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-22 c:\windows\Tasks\AdobeAAMUpdater-1.0-ALIANDER-Ali.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2011-02-15 08:44]
.
2011-07-23 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2010-12-31 02:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.xfinity.com/?cid=xfstart_eg_self_main
mSearch Bar = hxxp://server224.smartbotpro.net/7search/?new-hklm
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://my.netzero.net/s/search?r=minisearch
IE: &WordWeb... - c:\windows\wweb32.dll/lookup.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\aydoxx7q.default\
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-23 16:31
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-458591397-4007700802-1518888132-1007\Software\SecuROM\License information*]
"datasecu"=hex:04,fa,ec,15,b9,3c,ea,e2,75,54,3b,e5,1c,f2,92,68,ff,30,f5,10,ef,
46,b5,28,a6,f1,02,ba,a7,19,40,ef,fe,a9,4a,7e,ee,74,bd,fd,bf,88,41,ed,2a,62,\
"rkeysecu"=hex:cb,bd,f2,61,5a,4e,c6,95,f2,29,8b,82,ba,6b,3d,44
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1004)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
- - - - - - - > 'explorer.exe'(1800)
c:\program files\NVIDIA Corporation\nView\nview.dll
c:\program files\ScanSoft\OmniPageSE\ophook32.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-07-23 16:35:31
ComboFix-quarantined-files.txt 2011-07-23 20:35
ComboFix2.txt 2011-07-21 08:57
ComboFix3.txt 2011-07-16 13:44
ComboFix4.txt 2011-07-15 00:05
ComboFix5.txt 2011-07-23 20:10
.
Pre-Run: 6,462,631,936 bytes free
Post-Run: 6,492,262,400 bytes free
.
- - End Of File - - 2172F32C66A4AE18EA9AAE71D6B25F08

#13 User is offline   CatByte 

  • Bleepin' curls!
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 7,857
  • Joined: 09-November 08
  • Gender:Not Telling
  • Location:Canada

Posted 23 July 2011 - 10:37 PM

I don't see any remaining malware, if the issues with FireFox continue, I suggest starting a new thread in the browser forum and seeing if any of the techs can tweak the performance,

in the meantime, we need to clean up our tools


You can delete the DDS and GMER logs and programs from your desktop.


NEXT

Follow these steps to uninstall Combofix

  • Make sure your security programs are totally disabled.
  • Click START then RUN
  • Now copy/paste Combofix /uninstall into the runbox and click OK. Note the space between the ..X and the /U, it needs to be there.


Posted Image


If there are any logs/tools remaining on your desktop > right click and delete them.


NEXT


Below I have included a number of recommendations for how to protect your computer against malware infections.

  • It is good security practice to change your passwords to all your online accounts on a fairly regular basis, this is especially true after an infection. Refer to this Microsoft article
    Strong passwords: How to create and use them     Then consider a password keeper, to keep all your passwords safe. KeePass is a small utility that allows you to manage all your passwords.


  • Keep Windows updated by regularly checking their website at :
    http://windowsupdate.microsoft.com/
    This will ensure your computer has always the latest security updates available installed on your computer.


  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.



  • Download TFC to your desktop
    • Close any open windows.
    • Double click the TFC icon to run the program
    • TFC will close all open programs itself in order to run,
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish it's job
    • Once its finished it should automatically reboot your machine,
    • if it doesn't, manually reboot to ensure a complete clean

    It's normal after running TFC cleaner that the PC will be slower to boot the first time.


  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for both Firefox and IE


  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.


  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.


  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at this well written article:
    PC Safety and Security--What Do I Need?.



**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.


Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank-you.
The help you receive here is free. If you wish to show your appreciation, then you may Posted Image
Microsoft MVP - 2010, 2011

#14 User is offline   KazF 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 12
  • Joined: 09-July 11

Posted 27 July 2011 - 11:09 AM

Thanks!

Just one more question. Mcaffe keeps popping up (usually once, some time after booting) a PUP called tool-cir, asking me if I want to delete it, which I do. Is this a problem?

#15 User is offline   CatByte 

  • Bleepin' curls!
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 7,857
  • Joined: 09-November 08
  • Gender:Not Telling
  • Location:Canada

Posted 27 July 2011 - 12:11 PM

Let McAfee remove it for you if you don't want it, but first, look in your add/remove programs to see if it is listed, remove it from there first, then allow McAfee to delete it.
The help you receive here is free. If you wish to show your appreciation, then you may Posted Image
Microsoft MVP - 2010, 2011

Share this topic:


  • 2 Pages +
  • 1
  • 2
  • You cannot start a new topic
  • This topic is locked

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users