BleepingComputer.com: possible root kit google redirecting and dialog box pop up noises constantly

Jump to content

Forum Guidelines

Posted Image Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help


Posted Image Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.


Posted Image DO NOT RUN ComboFix unless requested to.


Posted Image Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.


Posted Image When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.


Posted Image Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.
  • 3 Pages +
  • 1
  • 2
  • 3
  • You cannot start a new topic
  • This topic is locked

possible root kit google redirecting and dialog box pop up noises constantly need help removing

#1 User is offline   ddt904 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 62
  • Joined: 16-January 11

Posted 13 October 2011 - 08:03 AM

Referred from here: http://www.bleepingcomputer.com/forums/topic422557.html ~ OB

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
Run by Administrator at 8:56:58 on 2011-10-13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1790.751 [GMT -4:00]
.
AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\LxrSII1s.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\prxtbuTo0.dll
BHO: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\prxtbuTo0.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\prxtbuTo0.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe" /MINIMIZED
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [QuickTime Task] "c:\program files\quicktime alternative\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
TCP: DhcpNameServer = 68.87.74.166 68.87.68.166 192.168.1.1
TCP: Interfaces\{0B3DB58D-65BA-4130-ABE6-F41BBFEF8B73} : DhcpNameServer = 68.87.74.166 68.87.68.166 192.168.1.1
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\vu57tuf1.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://www.bing.com/?pc=ZUGO&form=ZGAPHP
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=ZUGO&form=ZGAADF&q=
.
============= SERVICES / DRIVERS ===============
.
R2 LxrSII1d;Secure II Driver;c:\windows\system32\drivers\LxrSII1d.sys [2007-12-12 70016]
S3 F-Secure BlackLight Sensor;F-Secure BlackLight Sensor;c:\docume~1\admini~1\locals~1\temp\f-secure\anti-virus\fsblsrv.exe --> c:\docume~1\admini~1\locals~1\temp\f-secure\anti-virus\fsblsrv.exe [?]
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;\??\c:\docume~1\admini~1\locals~1\temp\onlinescanner\anti-virus\fsgk.sys --> c:\docume~1\admini~1\locals~1\temp\onlinescanner\anti-virus\fsgk.sys [?]
S3 fsbl;F-Secure BlackLight Engine Driver;\??\c:\docume~1\admini~1\locals~1\temp\onlinescanner\anti-virus\fsbldrv.sys --> c:\docume~1\admini~1\locals~1\temp\onlinescanner\anti-virus\fsbldrv.sys [?]
S3 SASENUM;SASENUM;\??\c:\program files\superantispyware\sasenum.sys --> c:\program files\superantispyware\SASENUM.SYS [?]
S3 UnlockerDriver4;UnlockerDriver4 Driver;c:\windows\system32\UnlockerDriver4.sys [2007-11-26 3584]
.
=============== Created Last 30 ================
.
2011-10-06 22:35:22 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-24 13:14:36 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
.
==================== Find3M ====================
.
2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-08-31 21:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-31 00:50:23 0 ----a-w- c:\windows\system32\ConduitEngine.tmp
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST3320620A rev.3.AAE -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T1L0-12
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A1F34C0]<<
_asm { MOV EAX, [ESP+0x4]; MOV ECX, [0x8a1fa8a4]; PUSH ESI; MOV ESI, [ESP+0xc]; PUSH EDI; MOV EDI, [ESI+0x60]; CMP EAX, [0x8a1fa730]; JNZ 0x1f; MOV [ESP+0xc], ECX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A4E2AB8]
3 CLASSPNP[0xBA0E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\0000006d[0x8A4BE9E8]
5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A4BD940]
\Driver\atapi[0x8A286258] -> IRP_MJ_CREATE -> 0x8A1F34C0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A1F32E0
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 8:57:53.54 ===============

defogger_disable by jpshortstuff (23.02.10.1)
Log created at 08:56 on 13/10/2011 (Administrator)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...


-=E.O.F=-

Attached File  dd2attach.txt (17.42K)
Number of downloads: 1

Attached File  gmer.log (14.85K)
Number of downloads: 0

Merged 4 posts. ~ OB

This post has been edited by Orange Blossom: 13 October 2011 - 12:18 PM

#2 User is online   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,509
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 16 October 2011 - 02:06 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.

  • Do not run any other tool untill instructed to do so!
  • please Do not Attach logs or put in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool untill instructed to do so!


Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links.

1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

    In your next post I need the following

  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?


Gringo
I will be online from 5-31 to 6-4 in a limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#3 User is offline   ddt904 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 62
  • Joined: 16-January 11

Posted 18 October 2011 - 08:43 AM

ComboFix 11-10-17.02 - Administrator 10/17/2011 22:13:53.39.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1790.1389 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\Cleaners\ComboFix.exe
AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\d3d9caps.dat
.
c:\windows\system32\calc.exe . . . is infected!!
.
Infected copy of c:\windows\system32\drivers\netbt.sys was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\netbt.sys
.
.
((((((((((((((((((((((((( Files Created from 2011-09-18 to 2011-10-18 )))))))))))))))))))))))))))))))
.
.
2011-10-13 17:44 . 2011-10-13 17:44 -------- d-----w- c:\program files\Google
2011-10-06 22:35 . 2011-10-13 17:45 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-24 13:14 . 2011-10-12 21:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-09 09:12 . 2002-12-31 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-08-31 21:00 . 2008-11-16 03:44 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-31 00:50 . 2011-08-31 00:50 0 ----a-w- c:\windows\system32\ConduitEngine.tmp
2005-05-12 00:39 . 2007-11-27 01:08 41578 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2005-05-12 00:40 . 2007-11-27 01:08 48228 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2005-05-12 00:39 . 2007-11-27 01:08 159340 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.
<pre>
c:\program files\SUPERAntiSpyware\SUPERAntiSpyware .exe
</pre>

.
((((((((((((((((((((((((((((( SnapShot_2011-08-20_23.08.02 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-10-18 01:49 . 2011-10-18 01:49 16384 c:\windows\temp\Perflib_Perfdata_cc.dat
+ 2011-10-18 13:36 . 2011-10-18 13:36 16384 c:\windows\temp\Perflib_Perfdata_364.dat
- 2008-10-22 09:47 . 2010-11-03 13:12 46080 c:\windows\system32\tzchange.exe
+ 2008-10-22 09:47 . 2011-07-08 13:49 46080 c:\windows\system32\tzchange.exe
+ 2002-12-31 12:00 . 2010-08-17 13:17 58880 c:\windows\system32\dllcache\spoolsv.exe
- 2010-08-17 13:17 . 2010-08-17 13:17 58880 c:\windows\system32\dllcache\spoolsv.exe
+ 2011-10-13 17:45 . 2011-10-13 17:45 22016 c:\windows\Installer\adab61.msi
+ 2011-08-24 13:34 . 2010-11-03 13:12 46080 c:\windows\$NtUninstallKB2570791$\tzchange.exe
+ 2011-08-24 13:34 . 2011-07-09 00:32 16896 c:\windows\$NtUninstallKB2570791$\spuninst\tzchange.dll
+ 2011-09-14 01:54 . 2010-07-05 13:15 26488 c:\windows\$hf_mig$\KB2616676\update\spcustom.dll
+ 2011-09-14 01:54 . 2010-07-05 13:15 17272 c:\windows\$hf_mig$\KB2616676\spmsg.dll
+ 2011-09-08 00:23 . 2010-07-05 13:15 26488 c:\windows\$hf_mig$\KB2607712\update\spcustom.dll
+ 2011-09-08 00:23 . 2010-07-05 13:15 17272 c:\windows\$hf_mig$\KB2607712\spmsg.dll
+ 2011-09-14 01:52 . 2010-07-05 13:15 26488 c:\windows\$hf_mig$\KB2570947\update\spcustom.dll
+ 2011-09-14 01:52 . 2010-07-05 13:15 17272 c:\windows\$hf_mig$\KB2570947\spmsg.dll
+ 2011-10-06 22:35 . 2011-10-13 17:45 247968 c:\windows\system32\Macromed\Flash\FlashUtil11c_ActiveX.exe
+ 2011-10-06 22:35 . 2011-10-13 17:45 335520 c:\windows\system32\Macromed\Flash\FlashUtil11c_ActiveX.dll
+ 2011-09-03 10:17 . 2011-09-09 09:12 599040 c:\windows\system32\dllcache\crypt32.dll
+ 2011-08-31 02:30 . 2011-01-16 06:29 194842 c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
+ 2011-09-14 01:54 . 2010-07-05 13:16 382840 c:\windows\$NtUninstallKB2616676$\spuninst\updspapi.dll
+ 2011-09-14 01:54 . 2010-07-05 13:15 231288 c:\windows\$NtUninstallKB2616676$\spuninst\spuninst.exe
+ 2011-09-14 01:54 . 2011-09-03 10:17 599040 c:\windows\$NtUninstallKB2616676$\crypt32.dll
+ 2011-09-08 00:23 . 2010-07-05 13:16 382840 c:\windows\$NtUninstallKB2607712$\spuninst\updspapi.dll
+ 2011-09-08 00:23 . 2010-07-05 13:15 231288 c:\windows\$NtUninstallKB2607712$\spuninst\spuninst.exe
+ 2011-09-08 00:23 . 2008-04-14 00:11 599040 c:\windows\$NtUninstallKB2607712$\crypt32.dll
+ 2011-09-14 01:52 . 2010-07-05 13:16 382840 c:\windows\$NtUninstallKB2570947$\spuninst\updspapi.dll
+ 2011-09-14 01:52 . 2010-07-05 13:15 231288 c:\windows\$NtUninstallKB2570947$\spuninst\spuninst.exe
+ 2011-08-24 13:34 . 2010-07-05 13:16 382840 c:\windows\$NtUninstallKB2570791$\spuninst\updspapi.dll
+ 2011-08-24 13:34 . 2010-07-05 13:15 231288 c:\windows\$NtUninstallKB2570791$\spuninst\spuninst.exe
+ 2011-09-14 01:54 . 2010-07-05 13:16 382840 c:\windows\$hf_mig$\KB2616676\update\updspapi.dll
+ 2011-09-14 01:54 . 2010-07-05 13:15 755576 c:\windows\$hf_mig$\KB2616676\update\update.exe
+ 2011-09-14 01:54 . 2010-07-05 13:15 231288 c:\windows\$hf_mig$\KB2616676\spuninst.exe
+ 2011-09-09 09:11 . 2011-09-09 09:11 599552 c:\windows\$hf_mig$\KB2616676\SP3QFE\crypt32.dll
+ 2011-09-08 00:23 . 2010-07-05 13:16 382840 c:\windows\$hf_mig$\KB2607712\update\updspapi.dll
+ 2011-09-08 00:23 . 2010-07-05 13:15 755576 c:\windows\$hf_mig$\KB2607712\update\update.exe
+ 2011-09-08 00:23 . 2010-07-05 13:15 231288 c:\windows\$hf_mig$\KB2607712\spuninst.exe
+ 2011-09-03 10:16 . 2011-09-03 10:16 599552 c:\windows\$hf_mig$\KB2607712\SP3QFE\crypt32.dll
+ 2011-09-14 01:52 . 2010-07-05 13:16 382840 c:\windows\$hf_mig$\KB2570947\update\updspapi.dll
+ 2011-09-14 01:52 . 2010-07-05 13:15 755576 c:\windows\$hf_mig$\KB2570947\update\update.exe
+ 2011-09-14 01:52 . 2010-07-05 13:15 231288 c:\windows\$hf_mig$\KB2570947\spuninst.exe
+ 2009-09-08 22:01 . 2011-09-29 00:48 47369160 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files\uTorrentBar\prxtbuTo0.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
2011-05-09 09:49 176936 ----a-w- c:\program files\uTorrentBar\prxtbuTo0.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files\uTorrentBar\prxtbuTo0.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC}"= "c:\program files\uTorrentBar\prxtbuTo0.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [N/A]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime Alternative\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
.
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= c:\windows\system32\onhelp.htm
FriendlyName= tets
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0oodbs
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
.
R2 LxrSII1d;Secure II Driver;c:\windows\system32\drivers\LxrSII1d.sys [12/12/2007 12:42 PM 70016]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/13/2011 1:44 PM 136176]
S3 F-Secure BlackLight Sensor;F-Secure BlackLight Sensor;c:\docume~1\ADMINI~1\LOCALS~1\Temp\F-Secure\Anti-Virus\fsblsrv.exe --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\F-Secure\Anti-Virus\fsblsrv.exe [?]
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;\??\c:\docume~1\ADMINI~1\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk.sys --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk.sys [?]
S3 fsbl;F-Secure BlackLight Engine Driver;\??\c:\docume~1\ADMINI~1\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsbldrv.sys --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsbldrv.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [10/13/2011 1:44 PM 136176]
S3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS --> c:\program files\SUPERAntiSpyware\SASENUM.SYS [?]
S3 UnlockerDriver4;UnlockerDriver4 Driver;c:\windows\system32\UnlockerDriver4.sys [11/26/2007 8:59 PM 3584]
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2011-10-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cc89cfdd83abb2.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-10-13 17:44]
.
2007-11-27 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2007-11-27 22:32]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
TCP: DhcpNameServer = 68.87.74.166 68.87.68.166 192.168.1.1
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\vu57tuf1.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://www.bing.com/?pc=ZUGO&form=ZGAPHP
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=ZUGO&form=ZGAADF&q=
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-18 09:37
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST3320620A rev.3.AAE -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T1L0-12
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A22E2E0
user & kernel MBR OK
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e6,7d,1c,05,c1,7f,ed,45,b7,71,60,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e6,7d,1c,05,c1,7f,ed,45,b7,71,60,\
.
[HKEY_USERS\S-1-5-21-1482476501-1336601894-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,75,f7,a6,c8,d3,d6,98,4a,87,3f,2c,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d0,7e,00,e4,65,ca,0e,4a,b4,3a,9b,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,75,f7,a6,c8,d3,d6,98,4a,87,3f,2c,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2484)
c:\windows\system32\WININET.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\LxrSII1s.exe
c:\windows\system32\oodag.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-10-18 09:40:33 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-18 13:40
ComboFix2.txt 2011-09-06 01:32
ComboFix3.txt 2011-09-02 21:19
ComboFix4.txt 2011-08-28 18:23
ComboFix5.txt 2011-10-18 02:11
.
Pre-Run: 259,356,151,808 bytes free
Post-Run: 268,245,905,408 bytes free
.
- - End Of File - - E724F7A3292C65A20EA805FCF7CEA33A

#4 User is online   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,509
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 18 October 2011 - 09:20 AM

Hello

I want you to run this tool for me next.

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.


Gringo
I will be online from 5-31 to 6-4 in a limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#5 User is offline   ddt904 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 62
  • Joined: 16-January 11

Posted 18 October 2011 - 09:49 AM

10:44:03.0521 3392 TDSS rootkit removing tool 2.6.10.0 Oct 17 2011 15:43:23
10:44:03.0802 3392 ============================================================
10:44:03.0802 3392 Current date / time: 2011/10/18 10:44:03.0802
10:44:03.0802 3392 SystemInfo:
10:44:03.0802 3392
10:44:03.0802 3392 OS Version: 5.1.2600 ServicePack: 3.0
10:44:03.0802 3392 Product type: Workstation
10:44:03.0802 3392 ComputerName: OYLER-162CDC254
10:44:03.0802 3392 UserName: Administrator
10:44:03.0802 3392 Windows directory: C:\WINDOWS
10:44:03.0802 3392 System windows directory: C:\WINDOWS
10:44:03.0802 3392 Processor architecture: Intel x86
10:44:03.0802 3392 Number of processors: 2
10:44:03.0802 3392 Page size: 0x1000
10:44:03.0802 3392 Boot type: Normal boot
10:44:03.0802 3392 ============================================================
10:44:04.0771 3392 Initialize success
10:44:06.0771 5140 ============================================================
10:44:06.0771 5140 Scan started
10:44:06.0771 5140 Mode: Manual;
10:44:06.0771 5140 ============================================================
10:44:07.0583 5140 Abiosdsk - ok
10:44:07.0615 5140 abp480n5 - ok
10:44:07.0693 5140 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
10:44:07.0693 5140 ACPI - ok
10:44:07.0771 5140 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
10:44:07.0771 5140 ACPIEC - ok
10:44:07.0802 5140 adpu160m - ok
10:44:07.0912 5140 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
10:44:07.0912 5140 aec - ok
10:44:07.0990 5140 AFD (355556d9e580915118cd7ef736653a89) C:\WINDOWS\System32\drivers\afd.sys
10:44:08.0037 5140 AFD - ok
10:44:08.0052 5140 Aha154x - ok
10:44:08.0099 5140 aic78u2 - ok
10:44:08.0115 5140 aic78xx - ok
10:44:08.0240 5140 AliIde - ok
10:44:08.0271 5140 amsint - ok
10:44:08.0365 5140 asc - ok
10:44:08.0396 5140 asc3350p - ok
10:44:08.0427 5140 asc3550 - ok
10:44:08.0584 5140 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
10:44:08.0584 5140 AsyncMac - ok
10:44:08.0646 5140 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
10:44:08.0646 5140 atapi - ok
10:44:08.0662 5140 Atdisk - ok
10:44:08.0724 5140 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
10:44:08.0724 5140 Atmarpc - ok
10:44:08.0787 5140 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
10:44:08.0787 5140 audstub - ok
10:44:08.0818 5140 Beep - ok
10:44:08.0880 5140 catchme - ok
10:44:08.0974 5140 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
10:44:08.0974 5140 cbidf2k - ok
10:44:08.0990 5140 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
10:44:09.0005 5140 CCDECODE - ok
10:44:09.0021 5140 cd20xrnt - ok
10:44:09.0115 5140 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
10:44:09.0115 5140 Cdaudio - ok
10:44:09.0177 5140 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
10:44:09.0177 5140 Cdfs - ok
10:44:09.0209 5140 Cdrom (4b0a100eaf5c49ef3cca8c641431eacc) C:\WINDOWS\system32\DRIVERS\cdrom.sys
10:44:09.0224 5140 Cdrom - ok
10:44:09.0271 5140 Changer - ok
10:44:09.0334 5140 CmdIde - ok
10:44:09.0412 5140 Cpqarray - ok
10:44:09.0631 5140 ctljystk (71007bd2e1e26927fe3e4eb00c0beedf) C:\WINDOWS\system32\DRIVERS\ctljystk.sys
10:44:09.0631 5140 ctljystk - ok
10:44:09.0709 5140 dac2w2k - ok
10:44:09.0724 5140 dac960nt - ok
10:44:09.0802 5140 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
10:44:09.0802 5140 Disk - ok
10:44:09.0896 5140 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
10:44:09.0912 5140 dmboot - ok
10:44:09.0927 5140 dmio - ok
10:44:09.0959 5140 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
10:44:09.0959 5140 dmload - ok
10:44:10.0021 5140 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
10:44:10.0021 5140 DMusic - ok
10:44:10.0115 5140 dpti2o - ok
10:44:10.0146 5140 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
10:44:10.0146 5140 drmkaud - ok
10:44:10.0256 5140 EL90XBC (6e883bf518296a40959131c2304af714) C:\WINDOWS\system32\DRIVERS\el90xbc5.sys
10:44:10.0256 5140 EL90XBC - ok
10:44:10.0287 5140 emu10k (01f83e1b5dce05f5cb7d99113ca9e890) C:\WINDOWS\system32\drivers\emu10k1m.sys
10:44:10.0287 5140 emu10k - ok
10:44:10.0349 5140 emu10k1 (7ffa171cce6a8bfc774862a578ba39a2) C:\WINDOWS\system32\drivers\ctlfacem.sys
10:44:10.0349 5140 emu10k1 - ok
10:44:10.0490 5140 F-Secure Standalone Minifilter - ok
10:44:10.0584 5140 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
10:44:10.0584 5140 Fastfat - ok
10:44:10.0631 5140 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
10:44:10.0631 5140 Fdc - ok
10:44:10.0677 5140 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
10:44:10.0677 5140 Fips - ok
10:44:10.0693 5140 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
10:44:10.0709 5140 Flpydisk - ok
10:44:10.0740 5140 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
10:44:10.0740 5140 FltMgr - ok
10:44:10.0771 5140 fsbl - ok
10:44:10.0849 5140 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
10:44:10.0849 5140 Fs_Rec - ok
10:44:10.0881 5140 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
10:44:10.0881 5140 Ftdisk - ok
10:44:10.0896 5140 gameenum (065639773d8b03f33577f6cdaea21063) C:\WINDOWS\system32\DRIVERS\gameenum.sys
10:44:10.0896 5140 gameenum - ok
10:44:10.0974 5140 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
10:44:10.0974 5140 GEARAspiWDM - ok
10:44:10.0990 5140 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
10:44:10.0990 5140 Gpc - ok
10:44:11.0131 5140 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
10:44:11.0131 5140 hidusb - ok
10:44:11.0162 5140 hpn - ok
10:44:11.0224 5140 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
10:44:11.0224 5140 HTTP - ok
10:44:11.0256 5140 i2omgmt - ok
10:44:11.0287 5140 i2omp - ok
10:44:11.0334 5140 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
10:44:11.0334 5140 i8042prt - ok
10:44:11.0396 5140 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
10:44:11.0396 5140 Imapi - ok
10:44:11.0443 5140 ini910u - ok
10:44:11.0506 5140 IntelIde - ok
10:44:11.0553 5140 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
10:44:11.0553 5140 intelppm - ok
10:44:11.0631 5140 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
10:44:11.0631 5140 Ip6Fw - ok
10:44:11.0678 5140 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
10:44:11.0678 5140 IpFilterDriver - ok
10:44:11.0740 5140 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
10:44:11.0740 5140 IpInIp - ok
10:44:11.0771 5140 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
10:44:11.0771 5140 IpNat - ok
10:44:11.0803 5140 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
10:44:11.0803 5140 IPSec - ok
10:44:11.0818 5140 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
10:44:11.0818 5140 IRENUM - ok
10:44:11.0865 5140 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
10:44:11.0865 5140 isapnp - ok
10:44:11.0928 5140 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
10:44:11.0928 5140 Kbdclass - ok
10:44:11.0990 5140 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
10:44:12.0006 5140 kbdhid - ok
10:44:12.0037 5140 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
10:44:12.0037 5140 kmixer - ok
10:44:12.0084 5140 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
10:44:12.0100 5140 KSecDD - ok
10:44:12.0146 5140 lbrtfdc - ok
10:44:12.0225 5140 LxrSII1d (db7f488269290a8c1907602b7f4c213d) C:\WINDOWS\system32\Drivers\LxrSII1d.sys
10:44:12.0225 5140 LxrSII1d - ok
10:44:12.0287 5140 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
10:44:12.0287 5140 mnmdd - ok
10:44:12.0365 5140 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
10:44:12.0365 5140 Modem - ok
10:44:12.0381 5140 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
10:44:12.0381 5140 Mouclass - ok
10:44:12.0600 5140 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
10:44:12.0631 5140 mouhid - ok
10:44:12.0834 5140 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
10:44:12.0834 5140 MountMgr - ok
10:44:12.0943 5140 mraid35x - ok
10:44:13.0146 5140 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
10:44:13.0146 5140 MRxDAV - ok
10:44:13.0178 5140 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
10:44:13.0193 5140 MRxSmb - ok
10:44:13.0240 5140 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
10:44:13.0240 5140 Msfs - ok
10:44:13.0303 5140 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
10:44:13.0303 5140 MSKSSRV - ok
10:44:13.0318 5140 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
10:44:13.0318 5140 MSPCLOCK - ok
10:44:13.0350 5140 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
10:44:13.0350 5140 MSPQM - ok
10:44:13.0412 5140 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
10:44:13.0412 5140 mssmbios - ok
10:44:13.0443 5140 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
10:44:13.0443 5140 MSTEE - ok
10:44:13.0475 5140 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
10:44:13.0475 5140 Mup - ok
10:44:13.0506 5140 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
10:44:13.0506 5140 NABTSFEC - ok
10:44:13.0537 5140 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
10:44:13.0553 5140 NDIS - ok
10:44:13.0568 5140 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
10:44:13.0568 5140 NdisIP - ok
10:44:13.0662 5140 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
10:44:13.0662 5140 NdisTapi - ok
10:44:13.0693 5140 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
10:44:13.0693 5140 Ndisuio - ok
10:44:13.0709 5140 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
10:44:13.0709 5140 NdisWan - ok
10:44:13.0787 5140 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
10:44:13.0787 5140 NDProxy - ok
10:44:13.0834 5140 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
10:44:13.0834 5140 NetBIOS - ok
10:44:13.0897 5140 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
10:44:13.0897 5140 NetBT - ok
10:44:13.0990 5140 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
10:44:13.0990 5140 Npfs - ok
10:44:14.0037 5140 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
10:44:14.0053 5140 Ntfs - ok
10:44:14.0131 5140 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
10:44:14.0131 5140 Null - ok
10:44:14.0193 5140 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
10:44:14.0193 5140 NwlnkFlt - ok
10:44:14.0209 5140 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
10:44:14.0209 5140 NwlnkFwd - ok
10:44:14.0240 5140 NwlnkIpx (8b8b1be2dba4025da6786c645f77f123) C:\WINDOWS\system32\DRIVERS\nwlnkipx.sys
10:44:14.0256 5140 NwlnkIpx - ok
10:44:14.0272 5140 NwlnkNb (56d34a67c05e94e16377c60609741ff8) C:\WINDOWS\system32\DRIVERS\nwlnknb.sys
10:44:14.0287 5140 NwlnkNb - ok
10:44:14.0334 5140 NwlnkSpx (c0bb7d1615e1acbdc99757f6ceaf8cf0) C:\WINDOWS\system32\DRIVERS\nwlnkspx.sys
10:44:14.0350 5140 NwlnkSpx - ok
10:44:14.0381 5140 NWRDR (36b9b950e3d2e100970a48d8bad86740) C:\WINDOWS\system32\DRIVERS\nwrdr.sys
10:44:14.0397 5140 NWRDR - ok
10:44:14.0553 5140 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
10:44:14.0553 5140 Parport - ok
10:44:14.0600 5140 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
10:44:14.0600 5140 PartMgr - ok
10:44:14.0631 5140 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
10:44:14.0631 5140 ParVdm - ok
10:44:14.0662 5140 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
10:44:14.0662 5140 PCI - ok
10:44:14.0678 5140 PCIDump - ok
10:44:14.0740 5140 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
10:44:14.0740 5140 PCIIde - ok
10:44:14.0803 5140 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
10:44:14.0803 5140 Pcmcia - ok
10:44:14.0834 5140 PDCOMP - ok
10:44:14.0850 5140 PDFRAME - ok
10:44:14.0881 5140 PDRELI - ok
10:44:14.0912 5140 PDRFRAME - ok
10:44:14.0944 5140 perc2 - ok
10:44:14.0990 5140 perc2hib - ok
10:44:15.0115 5140 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
10:44:15.0115 5140 PptpMiniport - ok
10:44:15.0147 5140 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
10:44:15.0147 5140 PSched - ok
10:44:15.0178 5140 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
10:44:15.0178 5140 Ptilink - ok
10:44:15.0194 5140 QCDonner - ok
10:44:15.0256 5140 ql1080 - ok
10:44:15.0287 5140 Ql10wnt - ok
10:44:15.0319 5140 ql12160 - ok
10:44:15.0334 5140 ql1240 - ok
10:44:15.0397 5140 ql1280 - ok
10:44:15.0490 5140 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
10:44:15.0490 5140 RasAcd - ok
10:44:15.0553 5140 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
10:44:15.0553 5140 Rasl2tp - ok
10:44:15.0615 5140 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
10:44:15.0615 5140 RasPppoe - ok
10:44:15.0678 5140 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
10:44:15.0678 5140 Raspti - ok
10:44:15.0741 5140 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
10:44:15.0741 5140 Rdbss - ok
10:44:15.0787 5140 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
10:44:15.0787 5140 RDPCDD - ok
10:44:15.0834 5140 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
10:44:15.0834 5140 rdpdr - ok
10:44:15.0928 5140 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
10:44:15.0944 5140 RDPWD - ok
10:44:15.0991 5140 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
10:44:15.0991 5140 redbook - ok
10:44:16.0162 5140 SASENUM - ok
10:44:16.0287 5140 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
10:44:16.0287 5140 Secdrv - ok
10:44:16.0366 5140 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
10:44:16.0366 5140 serenum - ok
10:44:16.0381 5140 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
10:44:16.0381 5140 Serial - ok
10:44:16.0475 5140 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
10:44:16.0491 5140 Sfloppy - ok
10:44:16.0537 5140 sfman (0b1a5e9cacb5cdd54a2815107bd7c772) C:\WINDOWS\system32\drivers\sfmanm.sys
10:44:16.0537 5140 sfman - ok
10:44:16.0584 5140 Simbad - ok
10:44:16.0647 5140 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
10:44:16.0647 5140 SLIP - ok
10:44:16.0678 5140 Sparrow - ok
10:44:16.0725 5140 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
10:44:16.0725 5140 splitter - ok
10:44:16.0756 5140 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
10:44:16.0756 5140 sr - ok
10:44:16.0866 5140 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
10:44:16.0866 5140 Srv - ok
10:44:16.0944 5140 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
10:44:16.0944 5140 streamip - ok
10:44:17.0006 5140 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
10:44:17.0022 5140 swenum - ok
10:44:17.0084 5140 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
10:44:17.0084 5140 swmidi - ok
10:44:17.0163 5140 symc810 - ok
10:44:17.0178 5140 symc8xx - ok
10:44:17.0209 5140 sym_hi - ok
10:44:17.0225 5140 sym_u3 - ok
10:44:17.0319 5140 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
10:44:17.0319 5140 sysaudio - ok
10:44:17.0413 5140 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
10:44:17.0428 5140 Tcpip - ok
10:44:17.0475 5140 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
10:44:17.0475 5140 TDPIPE - ok
10:44:17.0491 5140 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
10:44:17.0491 5140 TDTCP - ok
10:44:17.0553 5140 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
10:44:17.0553 5140 TermDD - ok
10:44:17.0616 5140 TosIde - ok
10:44:17.0694 5140 uagp35 (d85938f272d1bcf3db3a31fc0a048928) C:\WINDOWS\system32\DRIVERS\uagp35.sys
10:44:17.0694 5140 uagp35 - ok
10:44:17.0709 5140 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
10:44:17.0709 5140 Udfs - ok
10:44:17.0741 5140 ultra - ok
10:44:17.0850 5140 UnlockerDriver4 (f79ba52f6a1e65b674bea4f6c86ebb05) C:\WINDOWS\system32\UnlockerDriver4.sys
10:44:17.0850 5140 UnlockerDriver4 - ok
10:44:17.0913 5140 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
10:44:17.0913 5140 Update - ok
10:44:18.0038 5140 USBAAPL (d4fb6ecc60a428564ba8768b0e23c0fc) C:\WINDOWS\system32\Drivers\usbaapl.sys
10:44:18.0038 5140 USBAAPL - ok
10:44:18.0084 5140 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
10:44:18.0100 5140 usbccgp - ok
10:44:18.0116 5140 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
10:44:18.0116 5140 usbehci - ok
10:44:18.0178 5140 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
10:44:18.0178 5140 usbhub - ok
10:44:18.0210 5140 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
10:44:18.0210 5140 usbprint - ok
10:44:18.0288 5140 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
10:44:18.0288 5140 usbscan - ok
10:44:18.0319 5140 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
10:44:18.0319 5140 USBSTOR - ok
10:44:18.0428 5140 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
10:44:18.0428 5140 usbuhci - ok
10:44:18.0553 5140 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
10:44:18.0553 5140 VgaSave - ok
10:44:18.0585 5140 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
10:44:18.0585 5140 ViaIde - ok
10:44:18.0616 5140 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
10:44:18.0616 5140 VolSnap - ok
10:44:18.0756 5140 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
10:44:18.0756 5140 Wanarp - ok
10:44:18.0803 5140 wceusbsh (46a247f6617526afe38b6f12f5512120) C:\WINDOWS\system32\DRIVERS\wceusbsh.sys
10:44:18.0803 5140 wceusbsh - ok
10:44:18.0850 5140 Wdf01000 (d918617b46457b9ac28027722e30f647) C:\WINDOWS\system32\Drivers\wdf01000.sys
10:44:18.0850 5140 Wdf01000 - ok
10:44:18.0881 5140 WDICA - ok
10:44:18.0960 5140 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
10:44:18.0960 5140 wdmaud - ok
10:44:19.0069 5140 WinUSB (fd600b032e741eb6aab509fc630f7c42) C:\WINDOWS\system32\DRIVERS\WinUSB.sys
10:44:19.0069 5140 WinUSB - ok
10:44:19.0163 5140 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\Drivers\wpdusb.sys
10:44:19.0178 5140 WpdUsb - ok
10:44:19.0241 5140 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
10:44:19.0241 5140 WSTCODEC - ok
10:44:19.0319 5140 WudfPf (eaa6324f51214d2f6718977ec9ce0def) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
10:44:19.0319 5140 WudfPf - ok
10:44:19.0335 5140 WudfRd (f91ff1e51fca30b3c3981db7d5924252) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
10:44:19.0350 5140 WudfRd - ok
10:44:19.0413 5140 zumbus - ok
10:44:19.0475 5140 MBR (0x1B8) (cdac57608c39097805c8c958f1f73d97) \Device\Harddisk0\DR0
10:44:19.0475 5140 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.a ) - infected
10:44:19.0475 5140 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.a (0)
10:44:19.0491 5140 Boot (0x1200) (9cd45b85cfabc28dfa85503de31dad2e) \Device\Harddisk0\DR0\Partition0
10:44:19.0491 5140 \Device\Harddisk0\DR0\Partition0 - ok
10:44:19.0491 5140 ============================================================
10:44:19.0491 5140 Scan finished
10:44:19.0491 5140 ============================================================
10:44:19.0538 5132 Detected object count: 1
10:44:19.0538 5132 Actual detected object count: 1
10:44:29.0773 5132 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.a ) - will be cured on reboot
10:44:29.0773 5132 \Device\Harddisk0\DR0 - ok
10:44:29.0773 5132 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.a ) - User select action: Cure
10:44:39.0805 3604 Deinitialize success

#6 User is online   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,509
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 18 October 2011 - 09:54 AM

Greetings

Good That cleaned up some bad guys but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

File::
c:\windows\system32\ConduitEngine.tmp

RenV::
c:\program files\SUPERAntiSpyware\SUPERAntiSpyware .exe

Folder::
c:\program files\uTorrentBar


Save it to your desktop as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

"information and logs"

    In your next post I need the following

    • report from Combofix
    • let me know of any problems you may have had
    • How is the computer doing now after running the script?


Gringo
I will be online from 5-31 to 6-4 in a limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#7 User is offline   ddt904 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 62
  • Joined: 16-January 11

Posted 18 October 2011 - 10:13 AM

ComboFix 11-10-18.02 - Administrator 10/18/2011 11:03:46.40.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1790.1262 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\Cleaners\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\cfscript.txt
AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
FILE ::
"c:\windows\system32\ConduitEngine.tmp"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Internet Explorer\SET1B.tmp
c:\program files\Internet Explorer\SET1C.tmp
c:\program files\uTorrentBar
c:\program files\uTorrentBar\GottenAppsContextMenu.xml
c:\program files\uTorrentBar\ldrtbuTo0.dll
c:\program files\uTorrentBar\ldrtbuTor.dll
c:\program files\uTorrentBar\OtherAppsContextMenu.xml
c:\program files\uTorrentBar\prxtbuTo0.dll
c:\program files\uTorrentBar\prxtbuTor.dll
c:\program files\uTorrentBar\SharedAppsContextMenu.xml
c:\program files\uTorrentBar\tbuTo0.dll
c:\program files\uTorrentBar\tbuTor.dll
c:\program files\uTorrentBar\toolbar.cfg
c:\program files\uTorrentBar\ToolbarContextMenu.xml
c:\program files\uTorrentBar\uninstall.exe
c:\program files\uTorrentBar\uTorrentBarToolbarHelper.exe
c:\program files\uTorrentBar\uTorrentBarToolbarHelper1.exe
c:\windows\system32\ConduitEngine.tmp
c:\windows\system32\d3d9caps.dat
.
c:\windows\system32\calc.exe . . . is infected!!
.
.
((((((((((((((((((((((((( Files Created from 2011-09-18 to 2011-10-18 )))))))))))))))))))))))))))))))
.
.
2011-10-18 14:47 . 2011-10-18 14:47 -------- d-----w- c:\windows\LastGood
2011-10-18 14:47 . 2011-08-22 23:48 602112 ----a-w- c:\windows\system32\SET12.tmp
2011-10-18 14:47 . 2011-08-22 23:48 55296 ----a-w- c:\windows\system32\SET11.tmp
2011-10-18 14:47 . 2011-08-22 23:48 206848 ----a-w- c:\windows\system32\SETD.tmp
2011-10-18 14:47 . 2011-08-22 23:48 184320 ----a-w- c:\windows\system32\SET17.tmp
2011-10-18 14:47 . 2011-08-22 23:48 916480 ----a-w- c:\windows\system32\SETA.tmp
2011-10-18 14:47 . 2011-08-22 23:48 105984 ----a-w- c:\windows\system32\SETC.tmp
2011-10-18 14:47 . 2011-08-22 23:48 2000384 ----a-w- c:\windows\system32\SET16.tmp
2011-10-18 14:47 . 2011-10-03 08:35 5971456 ----a-w- c:\windows\system32\SET10.tmp
2011-10-18 14:47 . 2011-08-22 23:48 1212416 ----a-w- c:\windows\system32\SETB.tmp
2011-10-13 17:44 . 2011-10-13 17:44 -------- d-----w- c:\program files\Google
2011-10-06 22:35 . 2011-10-13 17:45 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-24 13:14 . 2011-10-12 21:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-09 09:12 . 2002-12-31 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-08-31 21:00 . 2008-11-16 03:44 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-23 21:48 . 2011-08-23 21:48 11081728 ----a-w- c:\windows\system32\SET18.tmp
2011-08-22 23:48 . 2002-12-31 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48 . 2002-12-31 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56 . 2002-12-31 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-08-17 13:49 . 2002-12-31 12:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2005-05-12 00:39 . 2007-11-27 01:08 41578 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2005-05-12 00:40 . 2007-11-27 01:08 48228 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2005-05-12 00:39 . 2007-11-27 01:08 159340 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.
.
((((((((((((((((((((((((((((( SnapShot_2011-08-20_23.08.02 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-10-18 14:46 . 2011-10-18 14:46 16384 c:\windows\temp\Perflib_Perfdata_7f8.dat
- 2008-10-22 09:47 . 2010-11-03 13:12 46080 c:\windows\system32\tzchange.exe
+ 2008-10-22 09:47 . 2011-07-08 13:49 46080 c:\windows\system32\tzchange.exe
- 2002-12-31 12:00 . 2011-08-10 12:42 66172 c:\windows\system32\perfc009.dat
+ 2002-12-31 12:00 . 2011-10-18 14:53 66172 c:\windows\system32\perfc009.dat
+ 2002-12-31 12:00 . 2011-08-22 23:48 66560 c:\windows\system32\mshtmled.dll
- 2002-12-31 12:00 . 2011-06-23 18:36 66560 c:\windows\system32\mshtmled.dll
+ 2002-12-31 12:00 . 2011-08-22 23:48 25600 c:\windows\system32\jsproxy.dll
- 2002-12-31 12:00 . 2011-06-23 18:36 25600 c:\windows\system32\jsproxy.dll
- 2009-07-03 07:41 . 2011-06-23 18:36 12800 c:\windows\system32\dllcache\xpshims.dll
+ 2009-07-03 07:41 . 2011-08-22 23:48 12800 c:\windows\system32\dllcache\xpshims.dll
+ 2002-12-31 12:00 . 2010-08-17 13:17 58880 c:\windows\system32\dllcache\spoolsv.exe
- 2010-08-17 13:17 . 2010-08-17 13:17 58880 c:\windows\system32\dllcache\spoolsv.exe
- 2007-08-13 23:54 . 2011-06-23 18:36 66560 c:\windows\system32\dllcache\mshtmled.dll
+ 2007-08-13 23:54 . 2011-08-22 23:48 66560 c:\windows\system32\dllcache\mshtmled.dll
- 2009-07-28 20:26 . 2011-06-23 18:36 55296 c:\windows\system32\dllcache\msfeedsbs.dll
+ 2009-07-28 20:26 . 2011-08-22 23:48 55296 c:\windows\system32\dllcache\msfeedsbs.dll
- 2007-08-13 23:44 . 2011-06-23 18:36 43520 c:\windows\system32\dllcache\licmgr10.dll
+ 2007-08-13 23:44 . 2011-08-22 23:48 43520 c:\windows\system32\dllcache\licmgr10.dll
+ 2007-08-13 23:54 . 2011-08-22 23:48 25600 c:\windows\system32\dllcache\jsproxy.dll
- 2007-08-13 23:54 . 2011-06-23 18:36 25600 c:\windows\system32\dllcache\jsproxy.dll
+ 2011-10-13 17:45 . 2011-10-13 17:45 22016 c:\windows\Installer\adab61.msi
+ 2011-10-18 14:49 . 2011-06-23 18:36 12800 c:\windows\ie8updates\KB2586448-IE8\xpshims.dll
+ 2011-10-18 14:49 . 2011-06-23 18:36 66560 c:\windows\ie8updates\KB2586448-IE8\mshtmled.dll
+ 2011-10-18 14:49 . 2011-06-23 18:36 55296 c:\windows\ie8updates\KB2586448-IE8\msfeedsbs.dll
+ 2011-10-18 14:49 . 2011-06-23 18:36 43520 c:\windows\ie8updates\KB2586448-IE8\licmgr10.dll
+ 2011-10-18 14:49 . 2011-06-23 18:36 25600 c:\windows\ie8updates\KB2586448-IE8\jsproxy.dll
+ 2011-10-18 14:55 . 2011-10-18 14:55 60928 c:\windows\assembly\NativeImages_v2.0.50727_32\UIAutomationProvider\888b745ca99d39692c2e9af222e5eae8\UIAutomationProvider.ni.dll
+ 2011-10-18 14:54 . 2011-10-18 14:54 47104 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFontCac#\66873b557d5c7013e4c630361473b0c2\PresentationFontCache.ni.exe
+ 2011-10-18 14:54 . 2011-10-18 14:54 39424 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationCFFRast#\5b30652a7b802199984f93b5e414260f\PresentationCFFRasterizer.ni.dll
- 2011-08-10 12:42 . 2011-08-10 12:42 77824 c:\windows\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
+ 2011-10-18 14:52 . 2011-10-18 14:52 77824 c:\windows\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
- 2011-08-10 12:42 . 2011-08-10 12:42 81920 c:\windows\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
+ 2011-10-18 14:52 . 2011-10-18 14:52 81920 c:\windows\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
- 2011-08-10 12:42 . 2011-08-10 12:42 81920 c:\windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
+ 2011-10-18 14:53 . 2011-10-18 14:53 81920 c:\windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
+ 2011-10-18 14:53 . 2011-10-18 14:53 32768 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
- 2011-08-10 12:42 . 2011-08-10 12:42 32768 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
+ 2011-10-18 14:53 . 2011-10-18 14:53 12800 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
- 2011-08-10 12:42 . 2011-08-10 12:42 12800 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
+ 2011-10-18 14:53 . 2011-10-18 14:53 28672 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
- 2011-08-10 12:42 . 2011-08-10 12:42 28672 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
+ 2011-10-18 14:53 . 2011-10-18 14:53 77824 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
- 2011-08-10 12:42 . 2011-08-10 12:42 77824 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
- 2011-08-10 12:42 . 2011-08-10 12:42 36864 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
+ 2011-10-18 14:53 . 2011-10-18 14:53 36864 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
+ 2011-10-18 14:53 . 2011-10-18 14:53 77824 c:\windows\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
- 2011-08-10 12:42 . 2011-08-10 12:42 77824 c:\windows\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
- 2011-08-10 12:42 . 2011-08-10 12:42 13312 c:\windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
+ 2011-10-18 14:53 . 2011-10-18 14:53 13312 c:\windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
+ 2011-10-18 14:53 . 2011-10-18 14:53 10752 c:\windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
- 2011-08-10 12:42 . 2011-08-10 12:42 10752 c:\windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
- 2011-08-10 12:42 . 2011-08-10 12:42 72192 c:\windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
+ 2011-10-18 14:53 . 2011-10-18 14:53 72192 c:\windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
+ 2011-10-18 14:53 . 2011-10-18 14:53 69120 c:\windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
- 2011-08-10 12:42 . 2011-08-10 12:42 69120 c:\windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
+ 2011-08-24 13:34 . 2010-11-03 13:12 46080 c:\windows\$NtUninstallKB2570791$\tzchange.exe
+ 2011-08-24 13:34 . 2011-07-09 00:32 16896 c:\windows\$NtUninstallKB2570791$\spuninst\tzchange.dll
+ 2011-09-14 01:54 . 2010-07-05 13:15 26488 c:\windows\$hf_mig$\KB2616676\update\spcustom.dll
+ 2011-09-14 01:54 . 2010-07-05 13:15 17272 c:\windows\$hf_mig$\KB2616676\spmsg.dll
+ 2011-09-08 00:23 . 2010-07-05 13:15 26488 c:\windows\$hf_mig$\KB2607712\update\spcustom.dll
+ 2011-09-08 00:23 . 2010-07-05 13:15 17272 c:\windows\$hf_mig$\KB2607712\spmsg.dll
+ 2011-09-14 01:52 . 2010-07-05 13:15 26488 c:\windows\$hf_mig$\KB2570947\update\spcustom.dll
+ 2011-09-14 01:52 . 2010-07-05 13:15 17272 c:\windows\$hf_mig$\KB2570947\spmsg.dll
+ 2011-10-18 14:53 . 2011-10-18 14:53 8192 c:\windows\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e\IEExecRemote.dll
- 2011-08-10 12:42 . 2011-08-10 12:42 8192 c:\windows\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e\IEExecRemote.dll
- 2011-08-10 12:42 . 2011-08-10 12:42 7168 c:\windows\assembly\GAC_MSIL\Microsoft_VsaVb\8.0.0.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll
+ 2011-10-18 14:53 . 2011-10-18 14:53 7168 c:\windows\assembly\GAC_MSIL\Microsoft_VsaVb\8.0.0.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll
- 2011-08-10 12:42 . 2011-08-10 12:42 5632 c:\windows\assembly\GAC_MSIL\Microsoft.VisualC\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll
+ 2011-10-18 14:53 . 2011-10-18 14:53 5632 c:\windows\assembly\GAC_MSIL\Microsoft.VisualC\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll
- 2011-08-10 12:42 . 2011-08-10 12:42 6656 c:\windows\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll
+ 2011-10-18 14:53 . 2011-10-18 14:53 6656 c:\windows\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll
- 2011-08-10 12:42 . 2011-08-10 12:42 8192 c:\windows\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\IEExecRemote.dll
+ 2011-10-18 14:53 . 2011-10-18 14:53 8192 c:\windows\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\IEExecRemote.dll
+ 2011-10-18 14:53 . 2011-10-18 14:53 113664 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.Wrapper.dll
- 2011-08-10 12:42 . 2011-08-10 12:42 113664 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.Wrapper.dll
- 2011-08-10 12:42 . 2011-08-10 12:42 258048 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll
+ 2011-10-18 14:53 . 2011-10-18 14:53 258048 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll
+ 2002-12-31 12:00 . 2011-10-18 14:53 429738 c:\windows\system32\perfh009.dat
- 2002-12-31 12:00 . 2011-08-10 12:42 429738 c:\windows\system32\perfh009.dat
- 2002-12-31 12:00 . 2011-06-23 18:36 611840 c:\windows\system32\mstime.dll
+ 2002-12-31 12:00 . 2011-08-22 23:48 611840 c:\windows\system32\mstime.dll
+ 2011-10-06 22:35 . 2011-10-13 17:45 247968 c:\windows\system32\Macromed\Flash\FlashUtil11c_ActiveX.exe
+ 2011-10-06 22:35 . 2011-10-13 17:45 335520 c:\windows\system32\Macromed\Flash\FlashUtil11c_ActiveX.dll
- 2002-12-31 12:00 . 2011-06-23 18:36 387584 c:\windows\system32\iedkcs32.dll
+ 2002-12-31 12:00 . 2011-08-22 23:48 387584 c:\windows\system32\iedkcs32.dll
+ 2002-12-31 12:00 . 2011-08-22 11:56 174080 c:\windows\system32\ie4uinit.exe
- 2007-08-13 23:54 . 2011-06-23 18:36 916480 c:\windows\system32\dllcache\wininet.dll
+ 2007-08-13 23:54 . 2011-08-22 23:48 916480 c:\windows\system32\dllcache\wininet.dll
- 2007-08-13 23:44 . 2011-06-23 18:36 105984 c:\windows\system32\dllcache\url.dll
+ 2007-08-13 23:44 . 2011-08-22 23:48 105984 c:\windows\system32\dllcache\url.dll
+ 2007-08-13 23:44 . 2011-08-22 23:48 206848 c:\windows\system32\dllcache\occache.dll
- 2007-08-13 23:44 . 2011-06-23 18:36 206848 c:\windows\system32\dllcache\occache.dll
- 2007-08-13 23:54 . 2011-06-23 18:36 611840 c:\windows\system32\dllcache\mstime.dll
+ 2007-08-13 23:54 . 2011-08-22 23:48 611840 c:\windows\system32\dllcache\mstime.dll
- 2009-07-28 20:26 . 2011-06-23 18:36 602112 c:\windows\system32\dllcache\msfeeds.dll
+ 2009-07-28 20:26 . 2011-08-22 23:48 602112 c:\windows\system32\dllcache\msfeeds.dll
+ 2009-07-03 07:41 . 2011-08-22 23:48 247808 c:\windows\system32\dllcache\ieproxy.dll
- 2009-07-03 07:41 . 2011-06-23 18:36 247808 c:\windows\system32\dllcache\ieproxy.dll
- 2007-08-13 23:54 . 2011-06-23 18:36 184320 c:\windows\system32\dllcache\iepeers.dll
+ 2007-08-13 23:54 . 2011-08-22 23:48 184320 c:\windows\system32\dllcache\iepeers.dll
- 2010-06-27 07:29 . 2011-06-23 18:36 743424 c:\windows\system32\dllcache\iedvtool.dll
+ 2010-06-27 07:29 . 2011-08-22 23:48 743424 c:\windows\system32\dllcache\iedvtool.dll
- 2007-08-13 23:39 . 2011-06-23 18:36 387584 c:\windows\system32\dllcache\iedkcs32.dll
+ 2007-08-13 23:39 . 2011-08-22 23:48 387584 c:\windows\system32\dllcache\iedkcs32.dll
+ 2007-08-13 23:39 . 2011-08-22 11:56 174080 c:\windows\system32\dllcache\ie4uinit.exe
+ 2011-09-03 10:17 . 2011-09-09 09:12 599040 c:\windows\system32\dllcache\crypt32.dll
+ 2008-06-20 11:40 . 2011-08-17 13:49 138496 c:\windows\system32\dllcache\afd.sys
- 2008-06-20 11:40 . 2011-02-16 13:22 138496 c:\windows\system32\dllcache\afd.sys
+ 2011-08-31 02:30 . 2011-01-16 06:29 194842 c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
- 2011-03-25 10:15 . 2011-03-25 10:15 388936 c:\windows\Microsoft.NET\Framework\v2.0.50727\SOS.dll
+ 2011-07-07 09:18 . 2011-07-07 09:18 388936 c:\windows\Microsoft.NET\Framework\v2.0.50727\SOS.dll
+ 2011-07-07 09:18 . 2011-07-07 09:18 989016 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscordacwks.dll
- 2011-03-25 10:15 . 2011-03-25 10:15 989016 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscordacwks.dll
+ 2011-10-18 14:49 . 2011-06-23 18:36 916480 c:\windows\ie8updates\KB2586448-IE8\wininet.dll
+ 2011-10-18 14:49 . 2011-06-23 18:36 105984 c:\windows\ie8updates\KB2586448-IE8\url.dll
+ 2011-10-18 14:49 . 2010-07-05 13:16 382840 c:\windows\ie8updates\KB2586448-IE8\spuninst\updspapi.dll
+ 2011-10-18 14:49 . 2010-07-05 13:15 231288 c:\windows\ie8updates\KB2586448-IE8\spuninst\spuninst.exe
+ 2011-10-18 14:49 . 2011-06-23 18:36 206848 c:\windows\ie8updates\KB2586448-IE8\occache.dll
+ 2011-10-18 14:49 . 2011-06-23 18:36 611840 c:\windows\ie8updates\KB2586448-IE8\mstime.dll
+ 2011-10-18 14:49 . 2011-06-23 18:36 602112 c:\windows\ie8updates\KB2586448-IE8\msfeeds.dll
+ 2011-10-18 14:49 . 2011-06-23 18:36 247808 c:\windows\ie8updates\KB2586448-IE8\ieproxy.dll
+ 2011-10-18 14:49 . 2011-06-23 18:36 184320 c:\windows\ie8updates\KB2586448-IE8\iepeers.dll
+ 2011-10-18 14:49 . 2011-06-23 18:36 743424 c:\windows\ie8updates\KB2586448-IE8\iedvtool.dll
+ 2011-10-18 14:49 . 2011-06-23 18:36 387584 c:\windows\ie8updates\KB2586448-IE8\iedkcs32.dll
+ 2011-10-18 14:49 . 2011-06-23 12:05 173568 c:\windows\ie8updates\KB2586448-IE8\ie4uinit.exe
+ 2011-10-18 14:55 . 2011-10-18 14:55 240128 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsFormsIntegra#\a2c1bb3c5b1447b398e72c56091ca571\WindowsFormsIntegration.ni.dll
+ 2011-10-18 14:55 . 2011-10-18 14:55 187904 c:\windows\assembly\NativeImages_v2.0.50727_32\UIAutomationTypes\f102afdffdbe2565bcedb7fa0626b865\UIAutomationTypes.ni.dll
+ 2011-10-18 14:55 . 2011-10-18 14:55 447488 c:\windows\assembly\NativeImages_v2.0.50727_32\UIAutomationClient\ba55240b7753047f8d1b03ef473bf74e\UIAutomationClient.ni.dll
+ 2011-10-18 14:55 . 2011-10-18 14:55 208384 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Drawing.Desi#\896eca06e2d9377b2dc4fad56ce49b07\System.Drawing.Design.ni.dll
+ 2011-10-18 14:54 . 2011-10-18 14:54 539648 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\c2ebcc8d60422f224b4088f3d7a2ac1f\PresentationFramework.Luna.ni.dll
+ 2011-10-18 14:54 . 2011-10-18 14:54 368128 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\94cfc00ad448575bfb0e67c53b514cd5\PresentationFramework.Aero.ni.dll
+ 2011-10-18 14:54 . 2011-10-18 14:54 224768 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\478d57d96f3d8d5fc15c7ac635a4a6a1\PresentationFramework.Classic.ni.dll
+ 2011-10-18 14:54 . 2011-10-18 14:54 258048 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\23c5852ff8ed973ff9b63ce9ba7f91f0\PresentationFramework.Royale.ni.dll
- 2011-08-10 12:42 . 2011-08-10 12:42 839680 c:\windows\assembly\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\System.Web.Services.dll
+ 2011-10-18 14:52 . 2011-10-18 14:52 839680 c:\windows\assembly\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\System.Web.Services.dll
+ 2011-10-18 14:52 . 2011-10-18 14:52 835584 c:\windows\assembly\GAC_MSIL\System.Web.Mobile\2.0.0.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
- 2011-08-10 12:42 . 2011-08-10 12:42 835584 c:\windows\assembly\GAC_MSIL\System.Web.Mobile\2.0.0.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
+ 2011-10-18 14:53 . 2011-10-18 14:53 114688 c:\windows\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
- 2011-08-10 12:42 . 2011-08-10 12:42 114688 c:\windows\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
- 2011-08-10 12:42 . 2011-08-10 12:42 258048 c:\windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll
+ 2011-10-18 14:53 . 2011-10-18 14:53 258048 c:\windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll
+ 2011-10-18 14:53 . 2011-10-18 14:53 131072 c:\windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
- 2011-08-10 12:42 . 2011-08-10 12:42 131072 c:\windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
- 2011-08-10 12:42 . 2011-08-10 12:42 303104 c:\windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
+ 2011-10-18 14:53 . 2011-10-18 14:53 303104 c:\windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
+ 2011-10-18 14:53 . 2011-10-18 14:53 258048 c:\windows\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll
- 2011-08-10 12:42 . 2011-08-10 12:42 258048 c:\windows\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll
+ 2011-10-18 14:53 . 2011-10-18 14:53 372736 c:\windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
- 2011-08-10 12:42 . 2011-08-10 12:42 372736 c:\windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
- 2011-08-10 12:42 . 2011-08-10 12:42 626688 c:\windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
+ 2011-10-18 14:53 . 2011-10-18 14:53 626688 c:\windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
- 2011-08-10 12:42 . 2011-08-10 12:42 401408 c:\windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
+ 2011-10-18 14:53 . 2011-10-18 14:53 401408 c:\windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
+ 2011-10-18 14:53 . 2011-10-18 14:53 188416 c:\windows\assembly\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll
- 2011-08-10 12:42 . 2011-08-10 12:42 188416 c:\windows\assembly\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll
+ 2011-10-18 14:53 . 2011-10-18 14:53 970752 c:\windows\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
- 2011-08-10 12:42 . 2011-08-10 12:42 970752 c:\windows\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
+ 2011-10-18 14:53 . 2011-10-18 14:53 745472 c:\windows\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
- 2011-08-10 12:42 . 2011-08-10 12:42 745472 c:\windows\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
- 2011-08-10 12:42 . 2011-08-10 12:42 425984 c:\windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll
+ 2011-10-18 14:53 . 2011-10-18 14:53 425984 c:\windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll
- 2011-08-10 12:42 . 2011-08-10 12:42 110592 c:\windows\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll
+ 2011-10-18 14:53 . 2011-10-18 14:53 110592 c:\windows\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll
+ 2011-10-18 14:53 . 2011-10-18 14:53 659456 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
- 2011-08-10 12:42 . 2011-08-10 12:42 659456 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
+ 2011-10-18 14:53 . 2011-10-18 14:53 372736 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll
- 2011-08-10 12:42 . 2011-08-10 12:42 372736 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll
+ 2011-10-18 14:53 . 2011-10-18 14:53 110592 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll
- 2011-08-10 12:42 . 2011-08-10 12:42 110592 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll
+ 2011-10-18 14:53 . 2011-10-18 14:53 749568 c:\windows\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
- 2011-08-10 12:42 . 2011-08-10 12:42 749568 c:\windows\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
+ 2011-10-18 14:53 . 2011-10-18 14:53 655360 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll
- 2011-08-10 12:42 . 2011-08-10 12:42 655360 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll
- 2011-08-10 12:42 . 2011-08-10 12:42 348160 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll
+ 2011-10-18 14:53 . 2011-10-18 14:53 348160 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll
+ 2011-10-18 14:52 . 2011-10-18 14:52 507904 c:\windows\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll
- 2011-08-10 12:42 . 2011-08-10 12:42 507904 c:\windows\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll
- 2011-08-10 12:42 . 2011-08-10 12:42 261632 c:\windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
+ 2011-10-18 14:53 . 2011-10-18 14:53 261632 c:\windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
- 2011-08-10 12:42 . 2011-08-10 12:42 113664 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll
+ 2011-10-18 14:53 . 2011-10-18 14:53 113664 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll
- 2011-08-10 12:42 . 2011-08-10 12:42 258048 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
+ 2011-10-18 14:53 . 2011-10-18 14:53 258048 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
- 2011-08-10 12:42 . 2011-08-10 12:42 486400 c:\windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll
+ 2011-10-18 14:53 . 2011-10-18 14:53 486400 c:\windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll
+ 2011-09-14 01:54 . 2010-07-05 13:16 382840 c:\windows\$NtUninstallKB2616676$\spuninst\updspapi.dll
+ 2011-09-14 01:54 . 2010-07-05 13:15 231288 c:\windows\$NtUninstallKB2616676$\spuninst\spuninst.exe
+ 2011-09-14 01:54 . 2011-09-03 10:17 599040 c:\windows\$NtUninstallKB2616676$\crypt32.dll
+ 2011-09-08 00:23 . 2010-07-05 13:16 382840 c:\windows\$NtUninstallKB2607712$\spuninst\updspapi.dll
+ 2011-09-08 00:23 . 2010-07-05 13:15 231288 c:\windows\$NtUninstallKB2607712$\spuninst\spuninst.exe
+ 2011-09-08 00:23 . 2008-04-14 00:11 599040 c:\windows\$NtUninstallKB2607712$\crypt32.dll
+ 2011-09-14 01:52 . 2010-07-05 13:16 382840 c:\windows\$NtUninstallKB2570947$\spuninst\updspapi.dll
+ 2011-09-14 01:52 . 2010-07-05 13:15 231288 c:\windows\$NtUninstallKB2570947$\spuninst\spuninst.exe
+ 2011-08-24 13:34 . 2010-07-05 13:16 382840 c:\windows\$NtUninstallKB2570791$\spuninst\updspapi.dll
+ 2011-08-24 13:34 . 2010-07-05 13:15 231288 c:\windows\$NtUninstallKB2570791$\spuninst\spuninst.exe
+ 2011-09-14 01:54 . 2010-07-05 13:16 382840 c:\windows\$hf_mig$\KB2616676\update\updspapi.dll
+ 2011-09-14 01:54 . 2010-07-05 13:15 755576 c:\windows\$hf_mig$\KB2616676\update\update.exe
+ 2011-09-14 01:54 . 2010-07-05 13:15 231288 c:\windows\$hf_mig$\KB2616676\spuninst.exe
+ 2011-09-09 09:11 . 2011-09-09 09:11 599552 c:\windows\$hf_mig$\KB2616676\SP3QFE\crypt32.dll
+ 2011-09-08 00:23 . 2010-07-05 13:16 382840 c:\windows\$hf_mig$\KB2607712\update\updspapi.dll
+ 2011-09-08 00:23 . 2010-07-05 13:15 755576 c:\windows\$hf_mig$\KB2607712\update\update.exe
+ 2011-09-08 00:23 . 2010-07-05 13:15 231288 c:\windows\$hf_mig$\KB2607712\spuninst.exe
+ 2011-09-03 10:16 . 2011-09-03 10:16 599552 c:\windows\$hf_mig$\KB2607712\SP3QFE\crypt32.dll
+ 2011-09-14 01:52 . 2010-07-05 13:16 382840 c:\windows\$hf_mig$\KB2570947\update\updspapi.dll
+ 2011-09-14 01:52 . 2010-07-05 13:15 755576 c:\windows\$hf_mig$\KB2570947\update\update.exe
+ 2011-09-14 01:52 . 2010-07-05 13:15 231288 c:\windows\$hf_mig$\KB2570947\spuninst.exe
- 2007-08-13 23:54 . 2011-06-23 18:36 1212416 c:\windows\system32\dllcache\urlmon.dll
+ 2007-08-13 23:54 . 2011-08-22 23:48 1212416 c:\windows\system32\dllcache\urlmon.dll
+ 2007-08-13 23:54 . 2011-10-03 08:35 5971456 c:\windows\system32\dllcache\mshtml.dll
+ 2009-07-03 07:41 . 2011-08-22 23:48 2000384 c:\windows\system32\dllcache\iertutil.dll
+ 2011-07-07 09:18 . 2011-07-07 09:18 5912400 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
- 2011-03-25 10:15 . 2011-03-25 10:15 5912400 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
+ 2011-07-07 09:18 . 2011-07-07 09:18 4550656 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorlib.dll
- 2011-03-25 10:15 . 2011-03-25 10:15 4550656 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorlib.dll
+ 2011-10-18 14:49 . 2011-06-23 18:36 1212416 c:\windows\ie8updates\KB2586448-IE8\urlmon.dll
+ 2011-10-18 14:49 . 2011-07-25 15:17 5969920 c:\windows\ie8updates\KB2586448-IE8\mshtml.dll
+ 2011-10-18 14:49 . 2011-06-23 18:36 1991680 c:\windows\ie8updates\KB2586448-IE8\iertutil.dll
+ 2011-10-18 14:54 . 2011-10-18 14:54 3325440 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsBase\1adc4ae51a5ac63e896a1402749ca495\WindowsBase.ni.dll
+ 2011-10-18 14:55 . 2011-10-18 14:55 1049600 c:\windows\assembly\NativeImages_v2.0.50727_32\UIAutomationClients#\55d4813580b1e5d268ff0564942cee9c\UIAutomationClientsideProviders.ni.dll
+ 2011-10-18 14:54 . 2011-10-18 14:54 7950848 c:\windows\assembly\NativeImages_v2.0.50727_32\System\af39f6e644af02873b9bae319f2bfb13\System.ni.dll
+ 2011-10-18 14:55 . 2011-10-18 14:55 5450752 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Xml\70cacc44f0b4257f6037eda7a59a0aeb\System.Xml.ni.dll
+ 2011-10-18 14:55 . 2011-10-18 14:55 1917952 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Speech\10d7daa3d1e62a0e40587cdc707be93f\System.Speech.ni.dll
+ 2011-10-18 14:55 . 2011-10-18 14:55 1035776 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Printing\0f8e14bfdb27645fb1a92ce26f9bf521\System.Printing.ni.dll
+ 2011-10-18 14:55 . 2011-10-18 14:55 1587200 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\c10bea3c4bb7ef654651141bf9419090\System.Drawing.ni.dll
+ 2011-10-18 14:55 . 2011-10-18 14:55 6616576 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data\ec323cf1df697cc0a45f67de685db90c\System.Data.ni.dll
+ 2011-10-18 14:55 . 2011-10-18 14:55 2516480 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Linq\d96a94076acb8e0c5a96a1b2de4b3a7a\System.Data.Linq.ni.dll
+ 2011-10-18 14:54 . 2011-10-18 14:54 2295296 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Core\d507b9e0e50e453793ee5e01c07a5485\System.Core.ni.dll
+ 2011-10-18 14:54 . 2011-10-18 14:54 2128896 c:\windows\assembly\NativeImages_v2.0.50727_32\ReachFramework\714e9504255565bd9076fe13628e104a\ReachFramework.ni.dll
+ 2011-10-18 14:54 . 2011-10-18 14:54 1657856 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationUI\7dc6ee14234b0686182ced75f7dae990\PresentationUI.ni.dll
+ 2011-10-18 14:54 . 2011-10-18 14:54 1451008 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationBuildTa#\b42ad515bb20ec1f1250c040371c6730\PresentationBuildTasks.ni.dll
+ 2011-10-18 14:53 . 2011-10-18 14:53 3182592 c:\windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
- 2011-08-10 12:42 . 2011-08-10 12:42 3182592 c:\windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
+ 2011-10-18 14:53 . 2011-10-18 14:53 2048000 c:\windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
- 2011-08-10 12:42 . 2011-08-10 12:42 2048000 c:\windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
+ 2011-10-18 14:52 . 2011-10-18 14:52 5025792 c:\windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
- 2011-08-10 12:42 . 2011-08-10 12:42 5025792 c:\windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
- 2011-08-10 12:42 . 2011-08-10 12:42 5062656 c:\windows\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll
+ 2011-10-18 14:52 . 2011-10-18 14:52 5062656 c:\windows\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll
+ 2011-10-18 14:52 . 2011-10-18 14:52 5242880 c:\windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
- 2011-08-10 12:41 . 2011-08-10 12:41 5242880 c:\windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
- 2011-08-10 12:42 . 2011-08-10 12:42 2933248 c:\windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
+ 2011-10-18 14:53 . 2011-10-18 14:53 2933248 c:\windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
- 2011-08-10 12:42 . 2011-08-10 12:42 4550656 c:\windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
+ 2011-10-18 14:53 . 2011-10-18 14:53 4550656 c:\windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
+ 2009-09-08 22:01 . 2011-10-18 14:50 48324552 c:\windows\system32\MRT.exe
- 2009-07-03 07:41 . 2011-06-23 18:36 11081728 c:\windows\system32\dllcache\ieframe.dll
+ 2009-07-03 07:41 . 2011-08-23 21:48 11081728 c:\windows\system32\dllcache\ieframe.dll
+ 2011-07-12 00:43 . 2011-07-12 00:43 11641344 c:\windows\Installer\56224.msp
+ 2011-10-18 14:49 . 2011-06-23 18:36 11081728 c:\windows\ie8updates\KB2586448-IE8\ieframe.dll
+ 2011-10-18 14:55 . 2011-10-18 14:55 12430848 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\71a2ae9ad561a62181cbd9fb11e9de7a\System.Windows.Forms.ni.dll
+ 2011-10-18 14:55 . 2011-10-18 14:55 10683392 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Design\c6374d32e4af7b7e3e46b32176f76558\System.Design.ni.dll
+ 2011-10-18 14:54 . 2011-10-18 14:54 14328320 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\054488924fcc579cce9fa0209dafe28b\PresentationFramework.ni.dll
+ 2011-10-18 14:54 . 2011-10-18 14:54 12215808 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationCore\b2f0318713eca304eaa9d86fc17edb96\PresentationCore.ni.dll
+ 2011-10-18 14:53 . 2011-10-18 14:53 11490816 c:\windows\assembly\NativeImages_v2.0.50727_32\mscorlib\ca87ba84221991839abbe7d4bc9c6721\mscorlib.ni.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime Alternative\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
.
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= c:\windows\system32\onhelp.htm
FriendlyName= tets
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0oodbs
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
.
R2 LxrSII1d;Secure II Driver;c:\windows\system32\drivers\LxrSII1d.sys [12/12/2007 12:42 PM 70016]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/13/2011 1:44 PM 136176]
S3 F-Secure BlackLight Sensor;F-Secure BlackLight Sensor;c:\docume~1\ADMINI~1\LOCALS~1\Temp\F-Secure\Anti-Virus\fsblsrv.exe --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\F-Secure\Anti-Virus\fsblsrv.exe [?]
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;\??\c:\docume~1\ADMINI~1\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk.sys --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk.sys [?]
S3 fsbl;F-Secure BlackLight Engine Driver;\??\c:\docume~1\ADMINI~1\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsbldrv.sys --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsbldrv.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [10/13/2011 1:44 PM 136176]
S3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS --> c:\program files\SUPERAntiSpyware\SASENUM.SYS [?]
S3 UnlockerDriver4;UnlockerDriver4 Driver;c:\windows\system32\UnlockerDriver4.sys [11/26/2007 8:59 PM 3584]
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2011-10-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cc89cfdd83abb2.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-10-13 17:44]
.
2007-11-27 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2007-11-27 22:32]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
TCP: DhcpNameServer = 68.87.74.166 68.87.68.166 192.168.1.1
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\vu57tuf1.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://www.bing.com/?pc=ZUGO&form=ZGAPHP
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=ZUGO&form=ZGAADF&q=
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\uTorrentBar\prxtbuTo0.dll
BHO-{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\uTorrentBar\prxtbuTo0.dll
Toolbar-{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\uTorrentBar\prxtbuTo0.dll
WebBrowser-{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - c:\program files\uTorrentBar\prxtbuTo0.dll
HKCU-Run-uTorrent - c:\program files\uTorrent\uTorrent.exe
AddRemove-uTorrentBar Toolbar - c:\program files\uTorrentBar\uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-18 11:10
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e6,7d,1c,05,c1,7f,ed,45,b7,71,60,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e6,7d,1c,05,c1,7f,ed,45,b7,71,60,\
.
[HKEY_USERS\S-1-5-21-1482476501-1336601894-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,75,f7,a6,c8,d3,d6,98,4a,87,3f,2c,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d0,7e,00,e4,65,ca,0e,4a,b4,3a,9b,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,75,f7,a6,c8,d3,d6,98,4a,87,3f,2c,\
.
Completion time: 2011-10-18 11:11:54
ComboFix-quarantined-files.txt 2011-10-18 15:11
ComboFix2.txt 2011-10-18 13:40
ComboFix3.txt 2011-09-06 01:32
ComboFix4.txt 2011-09-02 21:19
ComboFix5.txt 2011-10-18 15:02
.
Pre-Run: 267,583,922,176 bytes free
Post-Run: 267,788,288,000 bytes free
.
- - End Of File - - 06E37F5636CC5619A99A9B84B8599D4E

#8 User is online   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,509
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 18 October 2011 - 10:16 AM

SystemLook:

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
:filefind
calc.exe

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
I will be online from 5-31 to 6-4 in a limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#9 User is offline   ddt904 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 62
  • Joined: 16-January 11

Posted 18 October 2011 - 10:29 AM

SystemLook 30.07.11 by jpshortstuff
Log created at 11:29 on 18/10/2011 by Administrator
Administrator - Elevation successful

========== filefind ==========

Searching for "calc.exe"
C:\WINDOWS\system32\calc.exe --a---- 946448 bytes [00:58 27/11/2007] [12:00 31/12/2002] 006728285A531498449FCB9B4AC8814E

-= EOF =-

#10 User is online   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,509
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 19 October 2011 - 09:19 AM

Hello


do you have access to another win xp computer to copy this file


gringo
I will be online from 5-31 to 6-4 in a limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#11 User is offline   ddt904 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 62
  • Joined: 16-January 11

Posted 19 October 2011 - 07:28 PM

no my laptop has windows 7

#12 User is offline   ddt904 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 62
  • Joined: 16-January 11

Posted 22 October 2011 - 11:30 AM

hello?

#13 User is online   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,509
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 22 October 2011 - 12:33 PM

do you have any friends with XP


You have an infected file on the computer that windows needs in order to run - we have to replace this file because we can't just delete it

we need to find a way to copy a good file from a clean computer and move it to the infected computer



gringo
I will be online from 5-31 to 6-4 in a limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

#14 User is offline   ddt904 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 62
  • Joined: 16-January 11

Posted 24 October 2011 - 03:45 PM

ok i will see if i can find someone

#15 User is online   gringo_pr 

  • Bleepin Gringo
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 85,509
  • Joined: 03-July 08
  • Gender:Male
  • Location:Puerto rico

Posted 24 October 2011 - 10:02 PM

Ok let me know


gringo
I will be online from 5-31 to 6-4 in a limited amount

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

Share this topic:


  • 3 Pages +
  • 1
  • 2
  • 3
  • You cannot start a new topic
  • This topic is locked

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users