BleepingComputer.com: redirects and unwanted cookies (even with no browser open)

Jump to content

Forum Guidelines

Posted Image Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help


Posted Image Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.


Posted Image DO NOT RUN ComboFix unless requested to.


Posted Image Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.


Posted Image When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.


Posted Image Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.
  • 2 Pages +
  • 1
  • 2
  • You cannot start a new topic
  • This topic is locked

redirects and unwanted cookies (even with no browser open)

#1 User is offline   dude1968 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 10
  • Joined: 12-January 12

Posted 12 January 2012 - 10:01 PM

I have been helping a neighbor's son with his netbook. It started out with the System Fix virus. He had no desktop or programs listed and something about click here to fix the problem. I loaded SEP and got to work on getting it clean. I was partially successful and was able to run SEP until it came up empty but Google searches seem to be redirected and cookie requests started appearing even if IE was not running. This included in safe mode.

I have run malwarebytes antimalwarebytes and it found things that SEP didn't and it now runs clean. As of now, every program I have tried runs clean but the problem persists. I have checked the hosts file, proxies settings, and a list of other things. This is obviously more stubborn and embedded than my skills and abilities can fix. Rogue.agent was one that was found and another was win32/1 or something like that (hard to read on the screen since it is a netbook and my eyes are getting older!).

After the last cleaning and reboot, i now get a new hardware wizard for unknown hardware. i have not installed any new hardware since i have had possession of the netbook.

the step of running dds initially locked the workstation. the second attempt took over 15 minutes...and then locked the workstation. I am still attempting to get the dds program to work.

when running gmer, i not have all the available options. most of them are greyed out for me. i only have services, registry, and files. c:\ and ads.

when the machine is done. i will post the log.

here is the gmer log. when i can get dds to run without locking up the computer, i will.Attached File  ark.txt (421bytes)
Number of downloads: 0

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-01-13 21:39:47
Windows 5.1.2600 Service Pack 3
Running: h5shy0wx.exe; Driver: C:\DOCUME~1\User\LOCALS~1\Temp\aftdifob.sys


---- Registry - GMER 1.0.15 ----

Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Acer\ScreenSaver\screensaver_lt_1024_gtw_1.1.0722.exe 1

---- EOF - GMER 1.0.15 ----

This post has been edited by dude1968: 13 January 2012 - 09:47 PM

#2 User is offline   HelpBot 

  • Bleepin' Binary Bot
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Bots
  • Posts: 5,607
  • Joined: 05-October 07
  • Gender:Male

Posted 19 January 2012 - 02:15 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Posted Image In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/437817 <<< CLICK THIS LINK

If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Posted Image If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.

  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.


Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 User is offline   dude1968 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 10
  • Joined: 12-January 12

Posted 20 January 2012 - 12:06 AM

two new symptoms. i get a new hardware wizard upon boot. there is no new hardware connected to the netbook. also, when i try and start ie, safari, and other browsers i get a popup that Internet Explorer has encountered a problem and needs to close. blah blah blah...if i click send error report or don't send, the browser closes. if i leave it open and move it to the corner of the screen, i can type.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by User at 17:48:11 on 2012-01-19
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.481 [GMT -5:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\WINDOWS\PLFSetL.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE
C:\Program Files\iPod\bin\iPodService.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.comcast.net/
mStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&m=lt20&r=0xph1109x235l0314wu25a48i2t270
uInternet Settings,ProxyOverride = *.local
BHO: MRI_DISABLED - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~3\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [LGODDFU] "c:\program files\lg_fwupdate\fwupdate.exe" blrun
mRun: [PLFSetL] c:\windows\PLFSetL.exe
mRun: [snp2uvc] rundll32.exe c:\windows\system32\csnp2uvc.dll,ResetCIDS
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [Nikon Transfer Monitor] c:\program files\common files\nikon\monitor\NkMonitor.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
StartupFolder: c:\docume~1\user\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office14\ONENOTEM.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~3\office14\ONBttnIE.dll/105
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
TCP: DhcpNameServer = 172.27.35.1
TCP: Interfaces\{5C77DB13-691F-4818-B2FD-9B3D1CFD4EEF} : NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{6696ACBA-640F-46D7-B119-97F5AB6FBB8F} : NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{6696ACBA-640F-46D7-B119-97F5AB6FBB8F} : DhcpNameServer = 172.27.35.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
R1 MpKsl49d18b96;MpKsl49d18b96;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{dbf251f1-6ccf-4ca1-a68f-46328456d584}\mpksl49d18b96.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{dbf251f1-6ccf-4ca1-a68f-46328456d584}\MpKsl49d18b96.sys [?]
R1 MpKsl61f6a9a1;MpKsl61f6a9a1;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{0757cc67-06c4-4e38-9bee-68df5005ad72}\MpKsl61f6a9a1.sys [2012-1-15 29904]
S1 MpKsl1c740f66;MpKsl1c740f66;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{24d0158b-9672-4a4a-bcb6-4f1e685790cc}\mpksl1c740f66.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{24d0158b-9672-4a4a-bcb6-4f1e685790cc}\MpKsl1c740f66.sys [?]
S1 MpKslc17b2fb4;MpKslc17b2fb4;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{24d0158b-9672-4a4a-bcb6-4f1e685790cc}\mpkslc17b2fb4.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{24d0158b-9672-4a4a-bcb6-4f1e685790cc}\MpKslc17b2fb4.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-13 135664]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-7-27 1684736]
S3 GamesAppService;GamesAppService;c:\program files\wildtangent games\app\GamesAppService.exe [2010-10-12 206072]
S3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [2009-7-27 38912]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\lavasoft\ad-aware\kernexplorer.sys --> c:\program files\lavasoft\ad-aware\KernExplorer.sys [?]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 Partner Service;Partner Service;c:\documents and settings\all users\application data\partner\partner.exe [2009-11-20 111088]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2009-7-27 162816]
S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\drivers\rts516xir.sys --> c:\windows\system32\drivers\Rts516xIR.sys [?]
.
=============== Created Last 30 ================
.
2012-01-15 22:45:07 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{0757cc67-06c4-4e38-9bee-68df5005ad72}\MpKsl61f6a9a1.sys
2012-01-15 22:44:39 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{0757cc67-06c4-4e38-9bee-68df5005ad72}\offreg.dll
2012-01-15 22:44:35 6823496 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{0757cc67-06c4-4e38-9bee-68df5005ad72}\mpengine.dll
2012-01-13 02:23:57 6823496 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2012-01-11 04:12:49 -------- d-----w- C:\ComboFix
2012-01-11 03:54:14 222080 ------w- c:\windows\system32\MpSigStub.exe
2012-01-11 03:44:35 -------- d-----w- c:\program files\Microsoft Security Client
2012-01-11 03:43:40 -------- d-----w- c:\program files\CCleaner
2012-01-10 04:04:24 -------- d-sha-r- C:\cmdcons
2012-01-10 03:58:11 518144 ----a-w- c:\windows\SWREG.exe
2012-01-10 03:58:11 256000 ----a-w- c:\windows\PEV.exe
2012-01-10 03:58:11 208896 ----a-w- c:\windows\MBR.exe
2012-01-10 03:58:10 98816 ----a-w- c:\windows\sed.exe
2012-01-01 23:15:04 -------- d-----w- c:\documents and settings\user\application data\Malwarebytes
2012-01-01 23:14:42 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-01-01 23:14:39 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-01 23:14:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-30 05:18:55 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2011-12-30 04:28:22 -------- d-----w- c:\documents and settings\all users\application data\PC Tools
2011-12-30 04:27:57 -------- d-----w- c:\documents and settings\user\application data\TestApp
.
==================== Find3M ====================
.
2011-11-27 01:58:42 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-11-25 21:57:19 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-24 23:39:40 1008114 ----a-w- C:\rkill.exe
2011-11-23 13:25:32 1859584 ------w- c:\windows\system32\win32k.sys
2011-11-19 00:09:05 414368 ------w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-18 12:35:08 60416 ------w- c:\windows\system32\packager.exe
2011-11-16 14:21:44 354816 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 14:21:44 152064 ----a-w- c:\windows\system32\schannel.dll
2011-11-04 19:20:51 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20:51 43520 ------w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23:59 385024 ------w- c:\windows\system32\html.iec
2011-11-03 15:28:36 386048 ------w- c:\windows\system32\qdvd.dll
2011-11-03 15:28:36 1292288 ------w- c:\windows\system32\quartz.dll
2011-11-01 16:07:10 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31:48 33280 ------w- c:\windows\system32\csrsrv.dll
2011-10-24 19:29:02 94208 ------w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 19:29:02 69632 ------w- c:\windows\system32\QuickTime.qts
2011-10-21 23:01:12 73728 ------w- c:\windows\system32\javacpl.cpl
2011-10-21 23:01:12 472808 ------w- c:\windows\system32\deployJava1.dll
.
============= FINISH: 17:55:09.70 ===============

fyi...i leave for a business trip sunday morning jan 22 and will not return home until late jan 27. i will not have access to the problem computer during that time.

Attached File(s)

  • Attached File  dds.txt (12.06K)
    Number of downloads: 0
  • Attached File  attach.txt (20.5K)
    Number of downloads: 1

#4 User is online   m0le 

  • I know the drill!
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Instructor
  • Posts: 29,128
  • Joined: 24-July 08
  • Gender:Male
  • Location:London, UK

Posted 23 January 2012 - 09:11 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.

  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.


  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.


  • Please reply to this post so I know you are there.

The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

----------------------------------------------

I have noted that you will not be back until 27 January. :thumbup2:

When you return please run aswMBR

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If I have helped you fix your PC then please donate. Thanks

Posted Image
m0le is a proud member of UNITE (Unified Network of Instructors and Trusted Eliminators)

#5 User is offline   dude1968 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 10
  • Joined: 12-January 12

Posted 28 January 2012 - 04:28 PM

thanks for the reply. i returned late last night and just rant the program.

here is the text of the log file. if it is preferred for me to upload the file also, please let me know and thank you for your assistance.
aswMBR version 0.9.9.1532 Copyright© 2011 AVAST Software
Run date: 2012-01-28 16:20:26
-----------------------------
16:20:26.068 OS Version: Windows 5.1.2600 Service Pack 3
16:20:26.068 Number of processors: 2 586 0x1C02
16:20:26.068 ComputerName: GATEWAY-85565AE UserName: User
16:20:27.256 Initialize success
16:20:38.459 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
16:20:38.475 Disk 0 Vendor: WDC_WD16 11.0 Size: 152627MB BusType: 3
16:20:38.475 Disk 0 MBR read successfully
16:20:38.490 Disk 0 MBR scan
16:20:38.490 Disk 0 Windows VISTA default MBR code
16:20:38.490 Disk 0 Partition 1 00 12 Compaq diag NTFS 10244 MB offset 63
16:20:38.537 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 142381 MB offset 20981760
16:20:38.537 Disk 0 scanning sectors +312581792
16:20:38.943 Disk 0 scanning C:\WINDOWS\system32\drivers
16:21:04.131 Service scanning
16:21:05.318 Service MpKsl3c76081e c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3D2941CA-55E3-453B-953F-0C1233359B41}\MpKsl3c76081e.sys **LOCKED** 32
16:21:06.256 Modules scanning
16:21:35.178 Disk 0 trace - called modules:
16:21:35.271 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x865d3fa9]<<
16:21:35.303 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86fce380]
16:21:35.334 3 CLASSPNP.SYS[f78fdfd7] -> nt!IofCallDriver -> \Device\00000095[0x86f3f1a8]
16:21:35.365 5 ACPI.sys[f77f4620] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x86f58030]
16:21:35.381 \Driver\iaStor[0x86f411d8] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0x865d3fa9
16:21:35.396 Scan finished successfully
16:25:11.881 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\User\Desktop\MBR.dat"
16:25:11.912 The log file has been saved successfully to "C:\Documents and Settings\User\Desktop\aswMBR.txt"

#6 User is online   m0le 

  • I know the drill!
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Instructor
  • Posts: 29,128
  • Joined: 24-July 08
  • Gender:Male
  • Location:London, UK

Posted 29 January 2012 - 08:07 PM

Can you now run TDSSKiller

  • Download TDSSKiller and save it to your Desktop.


  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.


  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l report.txt


  • Now click Start Scan.

  • If Malicious objects are found, ensure Cure is selected then click Continue > Reboot now.

  • Click Close

  • Finally press Report and copy and paste the contents into your next reply. If you've rebooted then the log will be found at C:\

If I have helped you fix your PC then please donate. Thanks

Posted Image
m0le is a proud member of UNITE (Unified Network of Instructors and Trusted Eliminators)

#7 User is offline   dude1968 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 10
  • Joined: 12-January 12

Posted 29 January 2012 - 09:46 PM

here is the logfile text...it found something. i selected cure and rebooted. after first reboot, wifi would not work. now it does.

everytime i reboot, a new hardware wizard keeps appear at login. no new hardware has been attached that i know of to this netbook.

thank you for your assistance.


21:30:38.0906 3296 TDSS rootkit removing tool 2.7.7.0 Jan 24 2012 16:44:27
21:30:39.0421 3296 ============================================================
21:30:39.0421 3296 Current date / time: 2012/01/29 21:30:39.0421
21:30:39.0421 3296 SystemInfo:
21:30:39.0421 3296
21:30:39.0421 3296 OS Version: 5.1.2600 ServicePack: 3.0
21:30:39.0421 3296 Product type: Workstation
21:30:39.0421 3296 ComputerName: GATEWAY-85565AE
21:30:39.0421 3296 UserName: User
21:30:39.0421 3296 Windows directory: C:\WINDOWS
21:30:39.0421 3296 System windows directory: C:\WINDOWS
21:30:39.0421 3296 Processor architecture: Intel x86
21:30:39.0421 3296 Number of processors: 2
21:30:39.0421 3296 Page size: 0x1000
21:30:39.0421 3296 Boot type: Normal boot
21:30:39.0421 3296 ============================================================
21:30:41.0015 3296 Drive \Device\Harddisk0\DR0 - Size: 0x25433D6000 (149.05 Gb), SectorSize: 0x200, Cylinders: 0x4C01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
21:30:41.0078 3296 Initialize success
21:31:07.0718 0724 ============================================================
21:31:07.0718 0724 Scan started
21:31:07.0718 0724 Mode: Manual;
21:31:07.0718 0724 ============================================================
21:31:07.0953 0724 Abiosdsk - ok
21:31:08.0031 0724 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
21:31:08.0031 0724 abp480n5 - ok
21:31:08.0093 0724 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
21:31:08.0093 0724 ACPI - ok
21:31:08.0125 0724 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
21:31:08.0125 0724 ACPIEC - ok
21:31:08.0156 0724 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
21:31:08.0171 0724 adpu160m - ok
21:31:08.0234 0724 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
21:31:08.0234 0724 aec - ok
21:31:08.0312 0724 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
21:31:08.0312 0724 AFD - ok
21:31:08.0328 0724 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
21:31:08.0343 0724 agp440 - ok
21:31:08.0359 0724 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
21:31:08.0375 0724 agpCPQ - ok
21:31:08.0390 0724 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
21:31:08.0390 0724 Aha154x - ok
21:31:08.0468 0724 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
21:31:08.0468 0724 aic78u2 - ok
21:31:08.0515 0724 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
21:31:08.0531 0724 aic78xx - ok
21:31:08.0562 0724 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
21:31:08.0562 0724 AliIde - ok
21:31:08.0593 0724 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
21:31:08.0609 0724 alim1541 - ok
21:31:08.0703 0724 Ambfilt (f6af59d6eee5e1c304f7f73706ad11d8) C:\WINDOWS\system32\drivers\Ambfilt.sys
21:31:08.0781 0724 Ambfilt - ok
21:31:08.0796 0724 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
21:31:08.0796 0724 amdagp - ok
21:31:08.0828 0724 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
21:31:08.0828 0724 amsint - ok
21:31:08.0890 0724 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
21:31:08.0890 0724 asc - ok
21:31:08.0921 0724 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
21:31:08.0921 0724 asc3350p - ok
21:31:08.0953 0724 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
21:31:08.0953 0724 asc3550 - ok
21:31:09.0046 0724 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
21:31:09.0046 0724 AsyncMac - ok
21:31:09.0062 0724 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
21:31:09.0078 0724 atapi - ok
21:31:09.0093 0724 Atdisk - ok
21:31:09.0140 0724 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
21:31:09.0156 0724 Atmarpc - ok
21:31:09.0218 0724 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
21:31:09.0218 0724 audstub - ok
21:31:09.0359 0724 BCM43XX (fe4ed785396eaa554c561992106a35fa) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
21:31:09.0453 0724 BCM43XX - ok
21:31:09.0468 0724 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
21:31:09.0484 0724 Beep - ok
21:31:09.0703 0724 catchme - ok
21:31:09.0781 0724 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
21:31:09.0796 0724 cbidf - ok
21:31:09.0812 0724 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
21:31:09.0812 0724 cbidf2k - ok
21:31:09.0859 0724 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
21:31:09.0859 0724 CCDECODE - ok
21:31:09.0890 0724 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
21:31:09.0890 0724 cd20xrnt - ok
21:31:09.0921 0724 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
21:31:09.0921 0724 Cdaudio - ok
21:31:09.0968 0724 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
21:31:09.0968 0724 Cdfs - ok
21:31:10.0031 0724 Cdrom (4b0a100eaf5c49ef3cca8c641431eacc) C:\WINDOWS\system32\DRIVERS\cdrom.sys
21:31:10.0031 0724 Cdrom - ok
21:31:10.0046 0724 Changer - ok
21:31:10.0093 0724 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
21:31:10.0093 0724 CmBatt - ok
21:31:10.0109 0724 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
21:31:10.0109 0724 CmdIde - ok
21:31:10.0125 0724 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
21:31:10.0125 0724 Compbatt - ok
21:31:10.0187 0724 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
21:31:10.0218 0724 Cpqarray - ok
21:31:10.0250 0724 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
21:31:10.0250 0724 dac2w2k - ok
21:31:10.0265 0724 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
21:31:10.0265 0724 dac960nt - ok
21:31:10.0296 0724 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
21:31:10.0296 0724 Disk - ok
21:31:10.0343 0724 DKbFltr (060db81dfb79c8244eb65d10b6c7873f) C:\WINDOWS\system32\DRIVERS\DKbFltr.sys
21:31:10.0343 0724 DKbFltr - ok
21:31:10.0406 0724 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
21:31:10.0437 0724 dmboot - ok
21:31:10.0468 0724 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
21:31:10.0468 0724 dmio - ok
21:31:10.0500 0724 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
21:31:10.0500 0724 dmload - ok
21:31:10.0546 0724 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
21:31:10.0546 0724 DMusic - ok
21:31:10.0609 0724 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
21:31:10.0609 0724 dpti2o - ok
21:31:10.0734 0724 DritekPortIO (5c918d413f5837e67a85775c9873775e) C:\PROGRA~1\LAUNCH~1\DPortIO.sys
21:31:10.0828 0724 DritekPortIO - ok
21:31:10.0843 0724 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
21:31:10.0843 0724 drmkaud - ok
21:31:10.0953 0724 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
21:31:10.0953 0724 Fastfat - ok
21:31:11.0046 0724 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
21:31:11.0046 0724 Fdc - ok
21:31:11.0062 0724 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
21:31:11.0062 0724 Fips - ok
21:31:11.0093 0724 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
21:31:11.0093 0724 Flpydisk - ok
21:31:11.0125 0724 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
21:31:11.0125 0724 FltMgr - ok
21:31:11.0156 0724 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
21:31:11.0156 0724 Fs_Rec - ok
21:31:11.0234 0724 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
21:31:11.0234 0724 Ftdisk - ok
21:31:11.0312 0724 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
21:31:11.0312 0724 GEARAspiWDM - ok
21:31:11.0328 0724 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
21:31:11.0343 0724 Gpc - ok
21:31:11.0375 0724 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
21:31:11.0390 0724 HDAudBus - ok
21:31:11.0453 0724 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
21:31:11.0453 0724 HidUsb - ok
21:31:11.0484 0724 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
21:31:11.0500 0724 hpn - ok
21:31:11.0546 0724 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
21:31:11.0546 0724 HTTP - ok
21:31:11.0609 0724 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
21:31:11.0609 0724 i2omgmt - ok
21:31:11.0625 0724 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
21:31:11.0625 0724 i2omp - ok
21:31:11.0656 0724 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
21:31:11.0656 0724 i8042prt - ok
21:31:11.0937 0724 ialm (48846b31be5a4fa662ccfde7a1ba86b9) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
21:31:12.0125 0724 ialm - ok
21:31:12.0171 0724 iaStor (db0cc620b27a928d968c1a1e9cd9cb87) C:\WINDOWS\system32\drivers\iaStor.sys
21:31:12.0171 0724 iaStor - ok
21:31:12.0234 0724 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
21:31:12.0250 0724 Imapi - ok
21:31:12.0265 0724 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
21:31:12.0281 0724 ini910u - ok
21:31:12.0562 0724 IntcAzAudAddService (cb1113029fae50c685198eabd9885161) C:\WINDOWS\system32\drivers\RtkHDAud.sys
21:31:12.0765 0724 IntcAzAudAddService - ok
21:31:12.0796 0724 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
21:31:12.0796 0724 IntelIde - ok
21:31:12.0843 0724 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
21:31:12.0843 0724 intelppm - ok
21:31:12.0890 0724 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
21:31:12.0890 0724 Ip6Fw - ok
21:31:12.0921 0724 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
21:31:12.0921 0724 IpFilterDriver - ok
21:31:12.0937 0724 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
21:31:12.0937 0724 IpInIp - ok
21:31:12.0984 0724 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
21:31:13.0000 0724 IpNat - ok
21:31:13.0015 0724 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
21:31:13.0031 0724 IPSec - ok
21:31:13.0062 0724 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
21:31:13.0062 0724 IRENUM - ok
21:31:13.0125 0724 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
21:31:13.0125 0724 isapnp - ok
21:31:13.0156 0724 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
21:31:13.0156 0724 Kbdclass - ok
21:31:13.0203 0724 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
21:31:13.0203 0724 kmixer - ok
21:31:13.0250 0724 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
21:31:13.0250 0724 KSecDD - ok
21:31:13.0281 0724 L1c (6c8658587e91ea25b0fd2e71781ad228) C:\WINDOWS\system32\DRIVERS\l1c51x86.sys
21:31:13.0281 0724 L1c - ok
21:31:13.0328 0724 Lavasoft Kernexplorer - ok
21:31:13.0359 0724 lbrtfdc - ok
21:31:13.0421 0724 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
21:31:13.0421 0724 mnmdd - ok
21:31:13.0484 0724 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
21:31:13.0484 0724 Modem - ok
21:31:13.0562 0724 Monfilt (9fa7207d1b1adead88ae8eed9cdbbaa5) C:\WINDOWS\system32\drivers\Monfilt.sys
21:31:13.0609 0724 Monfilt - ok
21:31:13.0656 0724 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
21:31:13.0656 0724 Mouclass - ok
21:31:13.0718 0724 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
21:31:13.0718 0724 mouhid - ok
21:31:13.0781 0724 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
21:31:13.0781 0724 MountMgr - ok
21:31:13.0828 0724 MpFilter (fee0baded54222e9f1dae9541212aab1) C:\WINDOWS\system32\DRIVERS\MpFilter.sys
21:31:13.0828 0724 MpFilter - ok
21:31:13.0937 0724 MpKsl632501cb (a69630d039c38018689190234f866d77) c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F8EE9A72-E3C6-42A5-B597-EE4BA440B570}\MpKsl632501cb.sys
21:31:13.0953 0724 MpKsl632501cb - ok
21:31:13.0984 0724 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
21:31:13.0984 0724 mraid35x - ok
21:31:14.0031 0724 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
21:31:14.0031 0724 MRxDAV - ok
21:31:14.0109 0724 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
21:31:14.0125 0724 MRxSmb - ok
21:31:14.0171 0724 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
21:31:14.0171 0724 Msfs - ok
21:31:14.0234 0724 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
21:31:14.0250 0724 MSKSSRV - ok
21:31:14.0281 0724 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
21:31:14.0281 0724 MSPCLOCK - ok
21:31:14.0312 0724 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
21:31:14.0312 0724 MSPQM - ok
21:31:14.0375 0724 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
21:31:14.0375 0724 mssmbios - ok
21:31:14.0421 0724 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
21:31:14.0421 0724 MSTEE - ok
21:31:14.0453 0724 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
21:31:14.0453 0724 Mup - ok
21:31:14.0484 0724 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
21:31:14.0500 0724 NABTSFEC - ok
21:31:14.0546 0724 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
21:31:14.0562 0724 NDIS - ok
21:31:14.0609 0724 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
21:31:14.0609 0724 NdisIP - ok
21:31:14.0656 0724 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
21:31:14.0656 0724 NdisTapi - ok
21:31:14.0671 0724 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
21:31:14.0671 0724 Ndisuio - ok
21:31:14.0687 0724 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
21:31:14.0703 0724 NdisWan - ok
21:31:14.0765 0724 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
21:31:14.0765 0724 NDProxy - ok
21:31:14.0796 0724 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
21:31:14.0796 0724 NetBIOS - ok
21:31:14.0843 0724 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
21:31:14.0859 0724 NetBT - ok
21:31:14.0937 0724 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
21:31:14.0937 0724 Npfs - ok
21:31:15.0015 0724 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
21:31:15.0031 0724 Ntfs - ok
21:31:15.0078 0724 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
21:31:15.0078 0724 Null - ok
21:31:15.0109 0724 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
21:31:15.0109 0724 NwlnkFlt - ok
21:31:15.0140 0724 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
21:31:15.0156 0724 NwlnkFwd - ok
21:31:15.0218 0724 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
21:31:15.0218 0724 Parport - ok
21:31:15.0234 0724 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
21:31:15.0234 0724 PartMgr - ok
21:31:15.0281 0724 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
21:31:15.0296 0724 ParVdm - ok
21:31:15.0328 0724 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
21:31:15.0328 0724 PCI - ok
21:31:15.0343 0724 PCIDump - ok
21:31:15.0375 0724 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
21:31:15.0375 0724 PCIIde - ok
21:31:15.0406 0724 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
21:31:15.0421 0724 Pcmcia - ok
21:31:15.0421 0724 PDCOMP - ok
21:31:15.0453 0724 PDFRAME - ok
21:31:15.0468 0724 PDRELI - ok
21:31:15.0484 0724 PDRFRAME - ok
21:31:15.0515 0724 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
21:31:15.0515 0724 perc2 - ok
21:31:15.0531 0724 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
21:31:15.0546 0724 perc2hib - ok
21:31:15.0625 0724 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
21:31:15.0625 0724 PptpMiniport - ok
21:31:15.0656 0724 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
21:31:15.0656 0724 PSched - ok
21:31:15.0671 0724 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
21:31:15.0671 0724 Ptilink - ok
21:31:15.0718 0724 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
21:31:15.0718 0724 ql1080 - ok
21:31:15.0734 0724 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
21:31:15.0734 0724 Ql10wnt - ok
21:31:15.0765 0724 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
21:31:15.0765 0724 ql12160 - ok
21:31:15.0796 0724 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
21:31:15.0796 0724 ql1240 - ok
21:31:15.0812 0724 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
21:31:15.0812 0724 ql1280 - ok
21:31:15.0859 0724 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
21:31:15.0875 0724 RasAcd - ok
21:31:15.0890 0724 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
21:31:15.0906 0724 Rasl2tp - ok
21:31:15.0921 0724 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
21:31:15.0937 0724 RasPppoe - ok
21:31:15.0953 0724 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
21:31:15.0953 0724 Raspti - ok
21:31:15.0984 0724 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
21:31:16.0000 0724 Rdbss - ok
21:31:16.0015 0724 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
21:31:16.0015 0724 RDPCDD - ok
21:31:16.0093 0724 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
21:31:16.0109 0724 rdpdr - ok
21:31:16.0171 0724 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
21:31:16.0171 0724 RDPWD - ok
21:31:16.0250 0724 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
21:31:16.0250 0724 redbook - ok
21:31:16.0343 0724 RSUSBSTOR (7ffa9821b1c5e0e0667e0a2685cfb89f) C:\WINDOWS\system32\Drivers\RtsUStor.sys
21:31:16.0343 0724 RSUSBSTOR - ok
21:31:16.0375 0724 Rts516xIR - ok
21:31:16.0437 0724 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
21:31:16.0437 0724 Secdrv - ok
21:31:16.0500 0724 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
21:31:16.0500 0724 Serial - ok
21:31:16.0546 0724 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
21:31:16.0546 0724 Sfloppy - ok
21:31:16.0593 0724 Simbad - ok
21:31:16.0625 0724 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
21:31:16.0625 0724 sisagp - ok
21:31:16.0671 0724 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
21:31:16.0671 0724 SLIP - ok
21:31:16.0796 0724 SNP2UVC (c792610f7d2009352721c1ae38da0619) C:\WINDOWS\system32\DRIVERS\snp2uvc.sys
21:31:16.0890 0724 SNP2UVC - ok
21:31:16.0921 0724 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
21:31:16.0937 0724 Sparrow - ok
21:31:16.0984 0724 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
21:31:17.0000 0724 splitter - ok
21:31:17.0031 0724 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
21:31:17.0046 0724 sr - ok
21:31:17.0109 0724 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
21:31:17.0109 0724 Srv - ok
21:31:17.0171 0724 StillCam (a9573045baa16eab9b1085205b82f1ed) C:\WINDOWS\system32\DRIVERS\serscan.sys
21:31:17.0171 0724 StillCam - ok
21:31:17.0234 0724 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
21:31:17.0234 0724 streamip - ok
21:31:17.0265 0724 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
21:31:17.0265 0724 swenum - ok
21:31:17.0312 0724 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
21:31:17.0312 0724 swmidi - ok
21:31:17.0343 0724 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
21:31:17.0343 0724 symc810 - ok
21:31:17.0375 0724 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
21:31:17.0375 0724 symc8xx - ok
21:31:17.0421 0724 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
21:31:17.0421 0724 sym_hi - ok
21:31:17.0468 0724 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
21:31:17.0484 0724 sym_u3 - ok
21:31:17.0500 0724 SynTP - ok
21:31:17.0531 0724 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
21:31:17.0531 0724 sysaudio - ok
21:31:17.0593 0724 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
21:31:17.0593 0724 Tcpip - ok
21:31:17.0640 0724 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
21:31:17.0640 0724 TDPIPE - ok
21:31:17.0671 0724 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
21:31:17.0671 0724 TDTCP - ok
21:31:17.0718 0724 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
21:31:17.0734 0724 TermDD - ok
21:31:17.0765 0724 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
21:31:17.0781 0724 TosIde - ok
21:31:17.0843 0724 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
21:31:17.0843 0724 Udfs - ok
21:31:17.0859 0724 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
21:31:17.0859 0724 ultra - ok
21:31:17.0906 0724 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
21:31:17.0921 0724 Update - ok
21:31:18.0000 0724 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
21:31:18.0000 0724 usbccgp - ok
21:31:18.0015 0724 USBCCID - ok
21:31:18.0062 0724 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
21:31:18.0062 0724 usbehci - ok
21:31:18.0078 0724 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
21:31:18.0093 0724 usbhub - ok
21:31:18.0140 0724 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
21:31:18.0140 0724 usbprint - ok
21:31:18.0187 0724 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
21:31:18.0187 0724 usbscan - ok
21:31:18.0218 0724 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
21:31:18.0218 0724 usbstor - ok
21:31:18.0250 0724 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
21:31:18.0250 0724 usbuhci - ok
21:31:18.0296 0724 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
21:31:18.0296 0724 usbvideo - ok
21:31:18.0343 0724 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
21:31:18.0343 0724 VgaSave - ok
21:31:18.0421 0724 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
21:31:18.0421 0724 viaagp - ok
21:31:18.0468 0724 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
21:31:18.0468 0724 ViaIde - ok
21:31:18.0500 0724 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
21:31:18.0515 0724 VolSnap - ok
21:31:18.0578 0724 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
21:31:18.0593 0724 Wanarp - ok
21:31:18.0656 0724 Wdf01000 (bbcfeab7e871cddac2d397ee7fa91fdc) C:\WINDOWS\system32\Drivers\wdf01000.sys
21:31:18.0671 0724 Wdf01000 - ok
21:31:18.0687 0724 WDICA - ok
21:31:18.0750 0724 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
21:31:18.0750 0724 wdmaud - ok
21:31:18.0859 0724 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
21:31:18.0859 0724 WmiAcpi - ok
21:31:18.0906 0724 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
21:31:18.0921 0724 WS2IFSL - ok
21:31:18.0968 0724 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
21:31:18.0968 0724 WSTCODEC - ok
21:31:19.0015 0724 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
21:31:19.0015 0724 WudfPf - ok
21:31:19.0046 0724 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
21:31:19.0046 0724 WudfRd - ok
21:31:19.0125 0724 MBR (0x1B8) (5c616939100b85e558da92b899a0fc36) \Device\Harddisk0\DR0
21:31:19.0171 0724 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.b ) - infected
21:31:19.0171 0724 \Device\Harddisk0\DR0 - detected Rootkit.Boot.SST.b (0)
21:31:19.0203 0724 Boot (0x1200) (67d1bdbc86be1fdd6dc57d97bf500b28) \Device\Harddisk0\DR0\Partition0
21:31:19.0203 0724 \Device\Harddisk0\DR0\Partition0 - ok
21:31:19.0203 0724 ============================================================
21:31:19.0203 0724 Scan finished
21:31:19.0203 0724 ============================================================
21:31:19.0218 3456 Detected object count: 1
21:31:19.0218 3456 Actual detected object count: 1
21:32:22.0546 3456 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.b ) - will be cured on reboot
21:32:22.0546 3456 \Device\Harddisk0\DR0 - ok
21:32:22.0546 3456 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.b ) - User select action: Cure
21:32:26.0562 1552 Deinitialize success

#8 User is online   m0le 

  • I know the drill!
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Instructor
  • Posts: 29,128
  • Joined: 24-July 08
  • Gender:Male
  • Location:London, UK

Posted 30 January 2012 - 05:17 AM

That was a bootkit - a nastier form of a rootkit.


Please run Combofix now

Please download ComboFix from one of these locations:* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications including Firewalls, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
If I have helped you fix your PC then please donate. Thanks

Posted Image
m0le is a proud member of UNITE (Unified Network of Instructors and Trusted Eliminators)

#9 User is offline   dude1968 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 10
  • Joined: 12-January 12

Posted 30 January 2012 - 10:12 PM

i kept getting an error that lavasoft ad-aware was running but i can't find it in add/remove programs or any folder.

here is the logfile for comfix.exe


ComboFix 12-01-30.02 - User 01/30/2012 21:46:25.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.488 [GMT -5:00]
Running from: c:\documents and settings\User\Desktop\comfix.exe.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\User\Start Menu\Programs\System Fix
.
.
((((((((((((((((((((((((( Files Created from 2011-12-28 to 2012-01-31 )))))))))))))))))))))))))))))))
.
.
2012-01-30 02:50 . 2012-01-06 04:19 6557240 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{23DC3D74-1C67-4ECC-AE7F-9812A75CCAB2}\mpengine.dll
2012-01-13 02:23 . 2012-01-06 04:19 6557240 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-01-11 04:12 . 2012-01-31 02:44 -------- d-----w- C:\ComboFix
2012-01-11 03:54 . 2012-01-04 09:26 236576 ------w- c:\windows\system32\MpSigStub.exe
2012-01-11 03:44 . 2012-01-11 03:45 -------- d-----w- c:\program files\Microsoft Security Client
2012-01-11 03:43 . 2012-01-11 03:43 -------- d-----w- c:\program files\CCleaner
2012-01-01 23:15 . 2012-01-01 23:15 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
2012-01-01 23:14 . 2012-01-01 23:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-01-01 23:14 . 2012-01-01 23:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-01 23:14 . 2011-12-10 20:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-27 01:58 . 2011-11-27 01:59 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-11-25 21:57 . 2009-07-27 18:25 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-24 23:39 . 2011-11-27 01:43 1008114 ----a-w- C:\rkill.exe
2011-11-23 13:25 . 2009-07-27 18:25 1859584 ------w- c:\windows\system32\win32k.sys
2011-11-19 00:09 . 2011-06-01 00:32 414368 ------w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-18 12:35 . 2009-07-27 18:25 60416 ------w- c:\windows\system32\packager.exe
2011-11-16 14:21 . 2009-07-27 18:25 354816 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 14:21 . 2009-07-27 18:25 152064 ----a-w- c:\windows\system32\schannel.dll
2011-11-04 19:20 . 2009-07-27 18:25 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2009-07-27 18:25 43520 ------w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2009-07-27 18:25 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2009-07-27 18:25 385024 ------w- c:\windows\system32\html.iec
2011-11-03 15:28 . 2009-07-27 18:25 386048 ------w- c:\windows\system32\qdvd.dll
2011-11-03 15:28 . 2009-07-27 18:25 1292288 ------w- c:\windows\system32\quartz.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-01-11_04.53.13 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-01-31 02:34 . 2012-01-31 02:34 16384 c:\windows\Temp\Perflib_Perfdata_6f0.dat
+ 2009-07-27 18:25 . 2011-10-14 14:47 23040 c:\windows\system32\mciseq.dll
- 2009-07-27 18:25 . 2008-04-14 12:00 23040 c:\windows\system32\mciseq.dll
+ 2009-07-27 18:25 . 2011-11-18 12:35 60416 c:\windows\system32\dllcache\packager.exe
+ 2009-07-27 18:25 . 2011-10-14 14:47 23040 c:\windows\system32\dllcache\mciseq.dll
- 2009-07-27 18:25 . 2008-04-14 12:00 23040 c:\windows\system32\dllcache\mciseq.dll
- 2011-12-31 17:11 . 2010-07-05 13:15 26488 c:\windows\SoftwareDistribution\Download\bbdccbfd5870508d129e9b482b642cbf\update\spcustom.dll
- 2011-12-31 17:11 . 2011-10-26 10:50 16896 c:\windows\SoftwareDistribution\Download\bbdccbfd5870508d129e9b482b642cbf\update\mpsyschk.dll
- 2011-12-31 17:11 . 2010-07-05 13:15 17272 c:\windows\SoftwareDistribution\Download\bbdccbfd5870508d129e9b482b642cbf\spmsg.dll
+ 2011-12-25 08:49 . 2011-12-25 08:49 31504 c:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.exe
- 2011-07-08 18:00 . 2011-07-08 18:00 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Security.dll
+ 2011-12-25 16:07 . 2011-12-25 16:07 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Security.dll
+ 2011-12-25 03:55 . 2011-12-25 03:55 77824 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsn.dll
- 2011-07-07 16:04 . 2011-07-07 16:04 77824 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsn.dll
+ 2011-12-25 03:55 . 2011-12-25 03:55 86016 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorie.dll
- 2011-07-07 16:04 . 2011-07-07 16:04 86016 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorie.dll
+ 2011-12-25 03:55 . 2011-12-25 03:55 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\CORPerfMonExt.dll
- 2011-07-07 16:03 . 2011-07-07 16:03 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\CORPerfMonExt.dll
+ 2011-12-25 04:49 . 2011-12-25 04:49 32768 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
- 2011-07-07 17:09 . 2011-07-07 17:09 32768 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
+ 2011-12-25 04:49 . 2011-12-25 04:49 24576 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_filter.dll
- 2011-07-07 17:09 . 2011-07-07 17:09 24576 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_filter.dll
+ 2010-12-26 14:01 . 2012-01-11 12:18 34144 c:\windows\Installer\{90140000-003D-0000-0000-0000000FF1CE}\oisicon.exe
- 2010-12-26 14:01 . 2012-01-01 08:13 34144 c:\windows\Installer\{90140000-003D-0000-0000-0000000FF1CE}\oisicon.exe
- 2010-12-26 14:01 . 2012-01-01 08:13 42848 c:\windows\Installer\{90140000-003D-0000-0000-0000000FF1CE}\msouc.exe
+ 2010-12-26 14:01 . 2012-01-11 12:18 42848 c:\windows\Installer\{90140000-003D-0000-0000-0000000FF1CE}\msouc.exe
+ 2010-12-26 14:01 . 2012-01-11 12:18 19296 c:\windows\Installer\{90140000-003D-0000-0000-0000000FF1CE}\cagicon.exe
- 2010-12-26 14:01 . 2012-01-01 08:13 19296 c:\windows\Installer\{90140000-003D-0000-0000-0000000FF1CE}\cagicon.exe
+ 2012-01-11 12:11 . 2012-01-11 12:11 90112 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing.Design\1.0.5000.0__b03f5f7f11d50a3a_2b7c0c91\System.Drawing.Design.dll
+ 2012-01-11 12:11 . 2012-01-11 12:11 61440 c:\windows\assembly\NativeImages1_v1.1.4322\CustomMarshalers\1.0.5000.0__b03f5f7f11d50a3a_bddf2cfc\CustomMarshalers.dll
+ 2012-01-11 12:18 . 2012-01-11 12:18 36864 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.DynamicD#\750de53f30e516eb2c62de9bab7954e9\System.Web.DynamicData.Design.ni.dll
- 2011-10-13 10:21 . 2011-10-13 10:21 77824 c:\windows\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
+ 2012-01-11 12:09 . 2012-01-11 12:09 77824 c:\windows\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
- 2011-10-13 10:21 . 2011-10-13 10:21 81920 c:\windows\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
+ 2012-01-11 12:09 . 2012-01-11 12:09 81920 c:\windows\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
+ 2012-01-11 12:09 . 2012-01-11 12:09 81920 c:\windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
- 2011-10-13 10:21 . 2011-10-13 10:21 81920 c:\windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
+ 2012-01-11 12:09 . 2012-01-11 12:09 32768 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
- 2011-10-13 10:21 . 2011-10-13 10:21 32768 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
+ 2012-01-11 12:09 . 2012-01-11 12:09 12800 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
- 2011-10-13 10:21 . 2011-10-13 10:21 12800 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
- 2011-10-13 10:21 . 2011-10-13 10:21 28672 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
+ 2012-01-11 12:09 . 2012-01-11 12:09 28672 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
- 2011-10-13 10:21 . 2011-10-13 10:21 77824 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
+ 2012-01-11 12:09 . 2012-01-11 12:09 77824 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
- 2011-10-13 10:21 . 2011-10-13 10:21 36864 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
+ 2012-01-11 12:09 . 2012-01-11 12:09 36864 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
+ 2012-01-11 12:09 . 2012-01-11 12:09 77824 c:\windows\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
- 2011-10-13 10:21 . 2011-10-13 10:21 77824 c:\windows\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
- 2011-10-13 10:21 . 2011-10-13 10:21 13312 c:\windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
+ 2012-01-11 12:09 . 2012-01-11 12:09 13312 c:\windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
+ 2012-01-11 12:09 . 2012-01-11 12:09 10752 c:\windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
- 2011-10-13 10:21 . 2011-10-13 10:21 10752 c:\windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
- 2011-10-13 10:21 . 2011-10-13 10:21 72192 c:\windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
+ 2012-01-11 12:09 . 2012-01-11 12:09 72192 c:\windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
+ 2012-01-11 12:09 . 2012-01-11 12:09 69120 c:\windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
- 2011-10-13 10:21 . 2011-10-13 10:21 69120 c:\windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
+ 2012-01-11 12:11 . 2012-01-11 12:11 81920 c:\windows\assembly\GAC\System.Security\1.0.5000.0__b03f5f7f11d50a3a\System.Security.dll
- 2011-10-13 10:14 . 2011-10-13 10:14 81920 c:\windows\assembly\GAC\System.Security\1.0.5000.0__b03f5f7f11d50a3a\System.Security.dll
+ 2012-01-30 22:04 . 2010-07-05 13:15 26488 c:\windows\$hf_mig$\KB2633171\update\spcustom.dll
+ 2012-01-30 02:44 . 2011-10-26 10:50 16896 c:\windows\$hf_mig$\KB2633171\update\mpsyschk.dll
+ 2012-01-30 22:04 . 2010-07-05 13:15 17272 c:\windows\$hf_mig$\KB2633171\spmsg.dll
+ 2012-01-11 12:09 . 2012-01-11 12:09 8192 c:\windows\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e\IEExecRemote.dll
- 2011-10-13 10:21 . 2011-10-13 10:21 8192 c:\windows\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e\IEExecRemote.dll
+ 2012-01-11 12:09 . 2012-01-11 12:09 7168 c:\windows\assembly\GAC_MSIL\Microsoft_VsaVb\8.0.0.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll
- 2011-10-13 10:21 . 2011-10-13 10:21 7168 c:\windows\assembly\GAC_MSIL\Microsoft_VsaVb\8.0.0.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll
+ 2012-01-11 12:09 . 2012-01-11 12:09 5632 c:\windows\assembly\GAC_MSIL\Microsoft.VisualC\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll
- 2011-10-13 10:21 . 2011-10-13 10:21 5632 c:\windows\assembly\GAC_MSIL\Microsoft.VisualC\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll
+ 2012-01-11 12:09 . 2012-01-11 12:09 6656 c:\windows\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll
- 2011-10-13 10:21 . 2011-10-13 10:21 6656 c:\windows\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll
- 2011-10-13 10:21 . 2011-10-13 10:21 8192 c:\windows\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\IEExecRemote.dll
+ 2012-01-11 12:09 . 2012-01-11 12:09 8192 c:\windows\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\IEExecRemote.dll
- 2011-10-13 10:21 . 2011-10-13 10:21 113664 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.Wrapper.dll
+ 2012-01-11 12:09 . 2012-01-11 12:09 113664 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.Wrapper.dll
+ 2012-01-11 12:09 . 2012-01-11 12:09 258048 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll
- 2011-10-13 10:21 . 2011-10-13 10:21 258048 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll
+ 2009-07-27 18:25 . 2011-10-14 14:47 176128 c:\windows\system32\winmm.dll
- 2009-07-27 18:25 . 2008-04-14 12:00 176128 c:\windows\system32\winmm.dll
+ 2009-07-27 18:25 . 2012-01-13 02:15 558760 c:\windows\system32\perfc009.dat
+ 2009-07-27 18:25 . 2011-11-25 21:57 293376 c:\windows\system32\dllcache\winsrv.dll
- 2009-07-27 18:25 . 2011-06-20 17:44 293376 c:\windows\system32\dllcache\winsrv.dll
+ 2009-07-27 18:25 . 2011-10-14 14:47 176128 c:\windows\system32\dllcache\winmm.dll
- 2009-07-27 18:25 . 2008-04-14 12:00 176128 c:\windows\system32\dllcache\winmm.dll
+ 2009-07-27 18:25 . 2011-11-16 14:21 354816 c:\windows\system32\dllcache\winhttp.dll
- 2009-07-27 18:25 . 2009-08-25 09:17 354816 c:\windows\system32\dllcache\winhttp.dll
+ 2009-07-27 18:25 . 2011-11-16 14:21 152064 c:\windows\system32\dllcache\schannel.dll
- 2009-07-27 18:25 . 2008-04-14 12:00 386048 c:\windows\system32\dllcache\qdvd.dll
+ 2009-07-27 18:25 . 2011-11-03 15:28 386048 c:\windows\system32\dllcache\qdvd.dll
- 2011-12-31 17:11 . 2010-07-05 13:16 382840 c:\windows\SoftwareDistribution\Download\bbdccbfd5870508d129e9b482b642cbf\update\updspapi.dll
- 2011-12-31 17:11 . 2010-07-05 13:15 755576 c:\windows\SoftwareDistribution\Download\bbdccbfd5870508d129e9b482b642cbf\update\update.exe
- 2011-12-31 17:11 . 2010-07-05 13:15 231288 c:\windows\SoftwareDistribution\Download\bbdccbfd5870508d129e9b482b642cbf\spuninst.exe
+ 2011-12-25 08:49 . 2011-12-25 08:49 436496 c:\windows\Microsoft.NET\Framework\v2.0.50727\webengine.dll
- 2011-07-07 16:04 . 2011-07-07 16:04 102400 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorld.dll
+ 2011-12-25 03:55 . 2011-12-25 03:55 102400 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorld.dll
- 2011-07-07 16:01 . 2011-07-07 16:01 315392 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorjit.dll
+ 2011-12-25 03:53 . 2011-12-25 03:53 315392 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorjit.dll
- 2011-07-07 17:09 . 2011-07-07 17:09 258048 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
+ 2011-12-25 04:49 . 2011-12-25 04:49 258048 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
+ 2011-12-25 10:40 . 2011-12-25 10:40 819200 c:\windows\Installer\255a807.msp
- 2010-12-26 14:01 . 2012-01-01 08:13 415584 c:\windows\Installer\{90140000-003D-0000-0000-0000000FF1CE}\pubs.exe
+ 2010-12-26 14:01 . 2012-01-11 12:18 415584 c:\windows\Installer\{90140000-003D-0000-0000-0000000FF1CE}\pubs.exe
+ 2010-12-26 14:01 . 2012-01-11 12:18 303456 c:\windows\Installer\{90140000-003D-0000-0000-0000000FF1CE}\outicon.exe
- 2010-12-26 14:01 . 2012-01-01 08:13 303456 c:\windows\Installer\{90140000-003D-0000-0000-0000000FF1CE}\outicon.exe
- 2010-12-26 14:01 . 2012-01-01 08:13 571232 c:\windows\Installer\{90140000-003D-0000-0000-0000000FF1CE}\misc.exe
+ 2010-12-26 14:01 . 2012-01-11 12:18 571232 c:\windows\Installer\{90140000-003D-0000-0000-0000000FF1CE}\misc.exe
+ 2010-12-26 14:01 . 2012-01-11 12:18 326496 c:\windows\Installer\{90140000-003D-0000-0000-0000000FF1CE}\joticon.exe
- 2010-12-26 14:01 . 2012-01-01 08:13 326496 c:\windows\Installer\{90140000-003D-0000-0000-0000000FF1CE}\joticon.exe
+ 2012-01-11 12:12 . 2012-01-11 12:12 835584 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a_bb0c5f97\System.Drawing.dll
+ 2012-01-11 12:12 . 2012-01-11 12:12 192512 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing.Design\1.0.5000.0__b03f5f7f11d50a3a_f1e192fc\System.Drawing.Design.dll
+ 2012-01-11 12:12 . 2012-01-11 12:12 118784 c:\windows\assembly\NativeImages1_v1.1.4322\CustomMarshalers\1.0.5000.0__b03f5f7f11d50a3a_f747d0e7\CustomMarshalers.dll
+ 2012-01-11 12:16 . 2012-01-11 12:16 627712 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLiveLocal.Wr#\3edefe707adc650aff771c3994081a35\WindowsLiveLocal.WriterPlugin.ni.dll
+ 2012-01-11 12:16 . 2012-01-11 12:16 851968 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\7489f5b1448bf79f27988379f4fbdf5e\WindowsLive.Writer.BlogClient.ni.dll
+ 2012-01-11 12:15 . 2012-01-11 12:15 152064 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\4055f8d2111a71a32ec8a92455ac0a0c\WindowsLive.Writer.HtmlParser.ni.dll
+ 2012-01-11 12:16 . 2012-01-11 12:16 594944 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\26e422cef426e67d699800f054c19206\WindowsLive.Writer.HtmlEditor.ni.dll
+ 2012-01-11 12:18 . 2012-01-11 12:18 129536 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Routing\0bda7bdfaf440d5dd4bc6a1dea7ffa39\System.Web.Routing.ni.dll
+ 2012-01-11 12:18 . 2012-01-11 12:18 859648 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Extensio#\6e29f9faa74a48b83a13a3413b826295\System.Web.Extensions.Design.ni.dll
+ 2012-01-11 12:18 . 2012-01-11 12:18 328704 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Entity\be8965fe859bc53dff61579bf626858b\System.Web.Entity.ni.dll
+ 2012-01-11 12:18 . 2012-01-11 12:18 301056 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Entity.D#\8441b3eb247e0344fede848337ee911c\System.Web.Entity.Design.ni.dll
+ 2012-01-11 12:18 . 2012-01-11 12:18 547328 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.DynamicD#\09c6a41f187ba483486cdb92dad714a1\System.Web.DynamicData.ni.dll
+ 2012-01-11 12:17 . 2012-01-11 12:17 141312 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Abstract#\5efb726d424b9712632eff749411fa89\System.Web.Abstractions.ni.dll
+ 2012-01-11 12:16 . 2012-01-11 12:16 771584 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\3c272cad7afb127e2a2bdb8a5a808512\System.Runtime.Remoting.ni.dll
+ 2012-01-11 12:17 . 2012-01-11 12:17 756736 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Entity.#\f374e8e7849a72d1470b4a6a0771a137\System.Data.Entity.Design.ni.dll
+ 2012-01-11 12:16 . 2012-01-11 12:16 320512 c:\windows\assembly\NativeImages_v2.0.50727_32\ServiceModelReg\439732479756e0f6df88d29e50a402bf\ServiceModelReg.ni.exe
+ 2012-01-11 12:13 . 2012-01-11 12:13 842240 c:\windows\assembly\NativeImages_v2.0.50727_32\AspNetMMCExt\bfcea15c95909860c4f4ac19bd7a2d6c\AspNetMMCExt.ni.dll
+ 2012-01-11 12:09 . 2012-01-11 12:09 839680 c:\windows\assembly\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\System.Web.Services.dll
- 2011-10-13 10:21 . 2011-10-13 10:21 839680 c:\windows\assembly\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\System.Web.Services.dll
- 2011-10-13 10:21 . 2011-10-13 10:21 835584 c:\windows\assembly\GAC_MSIL\System.Web.Mobile\2.0.0.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
+ 2012-01-11 12:09 . 2012-01-11 12:09 835584 c:\windows\assembly\GAC_MSIL\System.Web.Mobile\2.0.0.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
+ 2012-01-11 12:09 . 2012-01-11 12:09 114688 c:\windows\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
- 2011-10-13 10:21 . 2011-10-13 10:21 114688 c:\windows\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
- 2011-10-13 10:21 . 2011-10-13 10:21 258048 c:\windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll
+ 2012-01-11 12:09 . 2012-01-11 12:09 258048 c:\windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll
+ 2012-01-11 12:09 . 2012-01-11 12:09 131072 c:\windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
- 2011-10-13 10:21 . 2011-10-13 10:21 131072 c:\windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
+ 2012-01-11 12:09 . 2012-01-11 12:09 303104 c:\windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
- 2011-10-13 10:21 . 2011-10-13 10:21 303104 c:\windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
- 2011-10-13 10:21 . 2011-10-13 10:21 258048 c:\windows\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll
+ 2012-01-11 12:09 . 2012-01-11 12:09 258048 c:\windows\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll
+ 2012-01-11 12:09 . 2012-01-11 12:09 372736 c:\windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
- 2011-10-13 10:21 . 2011-10-13 10:21 372736 c:\windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
- 2011-10-13 10:21 . 2011-10-13 10:21 626688 c:\windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
+ 2012-01-11 12:09 . 2012-01-11 12:09 626688 c:\windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
- 2011-10-13 10:21 . 2011-10-13 10:21 401408 c:\windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
+ 2012-01-11 12:09 . 2012-01-11 12:09 401408 c:\windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
+ 2012-01-11 12:09 . 2012-01-11 12:09 188416 c:\windows\assembly\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll
- 2011-10-13 10:21 . 2011-10-13 10:21 188416 c:\windows\assembly\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll
+ 2012-01-11 12:09 . 2012-01-11 12:09 970752 c:\windows\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
- 2011-10-13 10:21 . 2011-10-13 10:21 970752 c:\windows\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
+ 2012-01-11 12:09 . 2012-01-11 12:09 745472 c:\windows\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
- 2011-10-13 10:21 . 2011-10-13 10:21 745472 c:\windows\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
- 2011-10-13 10:21 . 2011-10-13 10:21 425984 c:\windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll
+ 2012-01-11 12:09 . 2012-01-11 12:09 425984 c:\windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll
+ 2012-01-11 12:09 . 2012-01-11 12:09 110592 c:\windows\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll
- 2011-10-13 10:21 . 2011-10-13 10:21 110592 c:\windows\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll
+ 2012-01-11 12:09 . 2012-01-11 12:09 659456 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
- 2011-10-13 10:21 . 2011-10-13 10:21 659456 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
+ 2012-01-11 12:09 . 2012-01-11 12:09 372736 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll
- 2011-10-13 10:21 . 2011-10-13 10:21 372736 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll
+ 2012-01-11 12:09 . 2012-01-11 12:09 110592 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll
- 2011-10-13 10:21 . 2011-10-13 10:21 110592 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll
- 2011-10-13 10:21 . 2011-10-13 10:21 749568 c:\windows\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
+ 2012-01-11 12:09 . 2012-01-11 12:09 749568 c:\windows\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
- 2011-10-13 10:21 . 2011-10-13 10:21 655360 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll
+ 2012-01-11 12:09 . 2012-01-11 12:09 655360 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll
- 2011-10-13 10:21 . 2011-10-13 10:21 348160 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll
+ 2012-01-11 12:09 . 2012-01-11 12:09 348160 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll
- 2011-10-13 10:21 . 2011-10-13 10:21 507904 c:\windows\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll
+ 2012-01-11 12:09 . 2012-01-11 12:09 507904 c:\windows\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll
- 2011-10-13 10:21 . 2011-10-13 10:21 261632 c:\windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
+ 2012-01-11 12:09 . 2012-01-11 12:09 261632 c:\windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
+ 2012-01-11 12:09 . 2012-01-11 12:09 113664 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll
- 2011-10-13 10:21 . 2011-10-13 10:21 113664 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll
- 2011-10-13 10:21 . 2011-10-13 10:21 258048 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
+ 2012-01-11 12:09 . 2012-01-11 12:09 258048 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
- 2011-10-13 10:21 . 2011-10-13 10:21 486400 c:\windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll
+ 2012-01-11 12:09 . 2012-01-11 12:09 486400 c:\windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll
+ 2012-01-30 22:04 . 2010-07-05 13:16 382840 c:\windows\$hf_mig$\KB2633171\update\updspapi.dll
+ 2012-01-30 22:04 . 2010-07-05 13:15 755576 c:\windows\$hf_mig$\KB2633171\update\update.exe
+ 2012-01-30 22:04 . 2010-07-05 13:15 231288 c:\windows\$hf_mig$\KB2633171\spuninst.exe
+ 2009-07-27 18:25 . 2012-01-13 02:15 1291856 c:\windows\system32\perfh009.dat
- 2008-04-14 00:54 . 2010-12-09 13:42 2148864 c:\windows\system32\ntoskrnl.exe
+ 2008-04-14 00:54 . 2011-10-25 13:37 2148864 c:\windows\system32\ntoskrnl.exe
+ 2008-04-14 00:01 . 2011-10-25 12:52 2027008 c:\windows\system32\ntkrnlpa.exe
- 2008-04-14 00:01 . 2010-12-09 13:07 2027008 c:\windows\system32\ntkrnlpa.exe
+ 2009-07-27 18:25 . 2011-11-03 15:28 1292288 c:\windows\system32\dllcache\quartz.dll
- 2009-07-27 18:25 . 2010-12-09 13:38 2192768 c:\windows\system32\dllcache\ntoskrnl.exe
+ 2009-07-27 18:25 . 2011-10-25 13:33 2192768 c:\windows\system32\dllcache\ntoskrnl.exe
+ 2009-07-27 18:25 . 2011-10-25 12:52 2027008 c:\windows\system32\dllcache\ntkrpamp.exe
- 2009-07-27 18:25 . 2010-12-09 13:07 2027008 c:\windows\system32\dllcache\ntkrpamp.exe
- 2009-07-27 18:25 . 2010-12-09 13:07 2069376 c:\windows\system32\dllcache\ntkrnlpa.exe
+ 2009-07-27 18:25 . 2011-10-25 12:52 2069376 c:\windows\system32\dllcache\ntkrnlpa.exe
+ 2009-07-27 18:25 . 2011-10-25 13:37 2148864 c:\windows\system32\dllcache\ntkrnlmp.exe
- 2009-07-27 18:25 . 2010-12-09 13:42 2148864 c:\windows\system32\dllcache\ntkrnlmp.exe
- 2011-10-25 13:34 . 2011-10-25 13:34 2192768 c:\windows\SoftwareDistribution\Download\bbdccbfd5870508d129e9b482b642cbf\sp3qfe\ntoskrnl.exe
- 2011-10-25 12:52 . 2011-10-25 12:52 2027008 c:\windows\SoftwareDistribution\Download\bbdccbfd5870508d129e9b482b642cbf\sp3qfe\ntkrpamp.exe
- 2011-10-25 12:52 . 2011-10-25 12:52 2069376 c:\windows\SoftwareDistribution\Download\bbdccbfd5870508d129e9b482b642cbf\sp3qfe\ntkrnlpa.exe
- 2011-10-25 13:38 . 2011-10-25 13:38 2148864 c:\windows\SoftwareDistribution\Download\bbdccbfd5870508d129e9b482b642cbf\sp3qfe\ntkrnlmp.exe
- 2011-10-25 13:33 . 2011-10-25 13:33 2192768 c:\windows\SoftwareDistribution\Download\bbdccbfd5870508d129e9b482b642cbf\sp3gdr\ntoskrnl.exe
- 2011-10-25 12:52 . 2011-10-25 12:52 2027008 c:\windows\SoftwareDistribution\Download\bbdccbfd5870508d129e9b482b642cbf\sp3gdr\ntkrpamp.exe
- 2011-10-25 12:52 . 2011-10-25 12:52 2069376 c:\windows\SoftwareDistribution\Download\bbdccbfd5870508d129e9b482b642cbf\sp3gdr\ntkrnlpa.exe
- 2011-10-25 13:37 . 2011-10-25 13:37 2148864 c:\windows\SoftwareDistribution\Download\bbdccbfd5870508d129e9b482b642cbf\sp3gdr\ntkrnlmp.exe
+ 2011-12-25 08:50 . 2011-12-25 08:50 5246976 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Web.dll
+ 2011-12-25 16:07 . 2011-12-25 16:07 2064384 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Windows.Forms.dll
+ 2011-12-25 16:06 . 2011-12-25 16:06 1269760 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Web.dll
- 2011-07-08 17:59 . 2011-07-08 17:59 1232896 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.dll
+ 2011-12-25 16:06 . 2011-12-25 16:06 1232896 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.dll
- 2011-07-07 16:02 . 2011-07-07 16:02 2514944 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
+ 2011-12-25 03:54 . 2011-12-25 03:54 2514944 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
+ 2011-12-25 03:53 . 2011-12-25 03:53 2527232 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsvr.dll
- 2011-07-07 16:02 . 2011-07-07 16:02 2527232 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsvr.dll
+ 2011-12-25 16:06 . 2011-12-25 16:06 2142208 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorlib.dll
- 2011-07-08 17:59 . 2011-07-08 17:59 2142208 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorlib.dll
+ 2011-12-12 21:13 . 2011-12-12 21:13 3461120 c:\windows\Installer\255a81c.msp
+ 2011-12-26 14:59 . 2011-12-26 14:59 4368896 c:\windows\Installer\255a7e8.msp
- 2010-12-26 14:01 . 2012-01-01 08:13 1479520 c:\windows\Installer\{90140000-003D-0000-0000-0000000FF1CE}\xlicons.exe
+ 2010-12-26 14:01 . 2012-01-11 12:18 1479520 c:\windows\Installer\{90140000-003D-0000-0000-0000000FF1CE}\xlicons.exe
+ 2010-12-26 14:01 . 2012-01-11 12:18 1858400 c:\windows\Installer\{90140000-003D-0000-0000-0000000FF1CE}\wordicon.exe
- 2010-12-26 14:01 . 2012-01-01 08:13 1858400 c:\windows\Installer\{90140000-003D-0000-0000-0000000FF1CE}\wordicon.exe
- 2010-12-26 14:01 . 2012-01-01 08:13 4525408 c:\windows\Installer\{90140000-003D-0000-0000-0000000FF1CE}\promoicon.exe
+ 2010-12-26 14:01 . 2012-01-11 12:18 4525408 c:\windows\Installer\{90140000-003D-0000-0000-0000000FF1CE}\promoicon.exe
+ 2010-12-26 14:01 . 2012-01-11 12:18 3792736 c:\windows\Installer\{90140000-003D-0000-0000-0000000FF1CE}\pptico.exe
- 2010-12-26 14:01 . 2012-01-01 08:13 3792736 c:\windows\Installer\{90140000-003D-0000-0000-0000000FF1CE}\pptico.exe
- 2010-12-26 14:01 . 2012-01-01 08:13 1449312 c:\windows\Installer\{90140000-003D-0000-0000-0000000FF1CE}\accicons.exe
+ 2010-12-26 14:01 . 2012-01-11 12:18 1449312 c:\windows\Installer\{90140000-003D-0000-0000-0000000FF1CE}\accicons.exe
+ 2012-01-11 12:11 . 2012-01-11 12:11 1966080 c:\windows\assembly\NativeImages1_v1.1.4322\System\1.0.5000.0__b77a5c561934e089_feff7e95\System.dll
+ 2012-01-11 12:12 . 2012-01-11 12:12 4792320 c:\windows\assembly\NativeImages1_v1.1.4322\System\1.0.5000.0__b77a5c561934e089_128f9e82\System.dll
+ 2012-01-11 12:11 . 2012-01-11 12:11 2088960 c:\windows\assembly\NativeImages1_v1.1.4322\System.Xml\1.0.5000.0__b77a5c561934e089_c1099e32\System.Xml.dll
+ 2012-01-11 12:13 . 2012-01-11 12:13 5513216 c:\windows\assembly\NativeImages1_v1.1.4322\System.Xml\1.0.5000.0__b77a5c561934e089_750a8667\System.Xml.dll
+ 2012-01-11 12:12 . 2012-01-11 12:12 7917568 c:\windows\assembly\NativeImages1_v1.1.4322\System.Windows.Forms\1.0.5000.0__b77a5c561934e089_fba1f39b\System.Windows.Forms.dll
+ 2012-01-11 12:11 . 2012-01-11 12:11 3035136 c:\windows\assembly\NativeImages1_v1.1.4322\System.Windows.Forms\1.0.5000.0__b77a5c561934e089_7ad3be9d\System.Windows.Forms.dll
+ 2012-01-11 12:13 . 2012-01-11 12:13 2244608 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a_ef76e66c\System.Drawing.dll
+ 2012-01-11 12:12 . 2012-01-11 12:12 1470464 c:\windows\assembly\NativeImages1_v1.1.4322\System.Design\1.0.5000.0__b03f5f7f11d50a3a_23ab42f2\System.Design.dll
+ 2012-01-11 12:13 . 2012-01-11 12:13 3395584 c:\windows\assembly\NativeImages1_v1.1.4322\System.Design\1.0.5000.0__b03f5f7f11d50a3a_039ae35d\System.Design.dll
+ 2012-01-11 12:12 . 2012-01-11 12:12 3391488 c:\windows\assembly\NativeImages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_dd23c8f4\mscorlib.dll
+ 2012-01-11 12:13 . 2012-01-11 12:13 8908800 c:\windows\assembly\NativeImages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_abc9239c\mscorlib.dll
+ 2012-01-11 12:15 . 2012-01-11 12:15 2002432 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\28af1ac7830124e2c311a985eae8e2cb\WindowsLive.Writer.CoreServices.ni.dll
+ 2012-01-11 12:15 . 2012-01-11 12:15 6392832 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsLive.Writer.#\005e0daf7e0fedbcae23b6e8756f18a3\WindowsLive.Writer.PostEditor.ni.dll
+ 2012-01-11 12:19 . 2012-01-11 12:19 1356288 c:\windows\assembly\NativeImages_v2.0.50727_32\System.WorkflowServ#\05c29118462056cf810df0b6aa660d05\System.WorkflowServices.ni.dll
+ 2012-01-11 12:19 . 2012-01-11 12:19 1908224 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Run#\26b3258c559dc0ab6bdce481ffd458b3\System.Workflow.Runtime.ni.dll
+ 2012-01-11 12:18 . 2012-01-11 12:18 4514304 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Com#\1642d1b72cd84caf24cbe7c5e8fd8368\System.Workflow.ComponentModel.ni.dll
+ 2012-01-11 12:18 . 2012-01-11 12:18 2992640 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Act#\32ce12c3c2049f2df94c44c94b052e16\System.Workflow.Activities.ni.dll
+ 2012-01-11 12:16 . 2012-01-11 12:16 1840640 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Services\f63ae1310e004777e880f28377bcddd2\System.Web.Services.ni.dll
+ 2012-01-11 12:18 . 2012-01-11 12:18 2209280 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Mobile\c99b02434e71ca9898bebbc08d63e885\System.Web.Mobile.ni.dll
+ 2012-01-11 12:18 . 2012-01-11 12:18 2405888 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Extensio#\c8f78b9e94857fdf6c2a378dd1629ee0\System.Web.Extensions.ni.dll
+ 2012-01-11 12:17 . 2012-01-11 12:17 1706496 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceModel#\ae749b024162e9ac79110c633b5ce6be\System.ServiceModel.Web.ni.dll
+ 2012-01-11 12:13 . 2012-01-11 12:13 1070080 c:\windows\assembly\NativeImages_v2.0.50727_32\System.IdentityModel\23eb4618c9d171be9fb551a13a475a32\System.IdentityModel.ni.dll
+ 2012-01-11 12:17 . 2012-01-11 12:17 1328128 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Services\f35064c125799df650c1a959d8fa450b\System.Data.Services.ni.dll
+ 2012-01-11 12:17 . 2012-01-11 12:17 1712128 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\a86c12788293105a0d9fda1bc90c90bc\Microsoft.VisualBasic.ni.dll
+ 2012-01-11 12:16 . 2012-01-11 12:16 3237376 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.Bu#\91b75a482fd67405900f32c96a43c9df\Microsoft.Office.BusinessData.ni.dll
+ 2012-01-11 12:09 . 2012-01-11 12:09 3182592 c:\windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
- 2011-10-13 10:21 . 2011-10-13 10:21 3182592 c:\windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
- 2011-10-13 10:21 . 2011-10-13 10:21 2048000 c:\windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
+ 2012-01-11 12:09 . 2012-01-11 12:09 2048000 c:\windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
+ 2012-01-11 12:09 . 2012-01-11 12:09 5025792 c:\windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
- 2011-10-13 10:21 . 2011-10-13 10:21 5025792 c:\windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
- 2010-10-06 11:12 . 2010-10-06 11:12 1277952 c:\windows\assembly\GAC_MSIL\System.Web.Extensions\3.5.0.0__31bf3856ad364e35\System.Web.Extensions.dll
+ 2012-01-11 12:11 . 2012-01-11 12:11 1277952 c:\windows\assembly\GAC_MSIL\System.Web.Extensions\3.5.0.0__31bf3856ad364e35\System.Web.Extensions.dll
+ 2012-01-11 12:09 . 2012-01-11 12:09 5062656 c:\windows\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll
- 2011-10-13 10:21 . 2011-10-13 10:21 5062656 c:\windows\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll
+ 2012-01-11 12:09 . 2012-01-11 12:09 5246976 c:\windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
+ 2012-01-11 12:09 . 2012-01-11 12:09 2933248 c:\windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
- 2011-10-13 10:21 . 2011-10-13 10:21 2933248 c:\windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
+ 2012-01-11 12:09 . 2012-01-11 12:09 4550656 c:\windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
- 2011-10-13 10:21 . 2011-10-13 10:21 4550656 c:\windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
- 2011-10-13 10:14 . 2011-10-13 10:15 1232896 c:\windows\assembly\GAC\System\1.0.5000.0__b77a5c561934e089\System.dll
+ 2012-01-11 12:11 . 2012-01-11 12:11 1232896 c:\windows\assembly\GAC\System\1.0.5000.0__b77a5c561934e089\System.dll
+ 2012-01-11 12:11 . 2012-01-11 12:11 2064384 c:\windows\assembly\GAC\System.Windows.Forms\1.0.5000.0__b77a5c561934e089\System.Windows.Forms.dll
+ 2012-01-11 12:11 . 2012-01-11 12:11 1269760 c:\windows\assembly\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
+ 2012-01-30 02:44 . 2011-10-25 13:34 2192768 c:\windows\$hf_mig$\KB2633171\SP3QFE\ntoskrnl.exe
+ 2012-01-30 02:44 . 2011-10-25 12:52 2027008 c:\windows\$hf_mig$\KB2633171\SP3QFE\ntkrpamp.exe
+ 2012-01-30 02:44 . 2011-10-25 12:52 2069376 c:\windows\$hf_mig$\KB2633171\SP3QFE\ntkrnlpa.exe
+ 2012-01-30 02:44 . 2011-10-25 13:38 2148864 c:\windows\$hf_mig$\KB2633171\SP3QFE\ntkrnlmp.exe
+ 2009-11-21 03:33 . 2012-01-11 12:12 52128560 c:\windows\system32\MRT.exe
+ 2011-12-26 22:02 . 2011-12-26 22:02 12482048 c:\windows\Microsoft.NET\Framework\v1.1.4322\Updates\M2656353\M2656353Uninstall.msp
+ 2011-12-26 14:02 . 2011-12-26 14:02 19677184 c:\windows\Installer\255a801.msp
+ 2012-01-11 12:16 . 2012-01-11 12:16 11817472 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web\62e34cfb5a8b233667c7c5a47a32ad93\System.Web.ni.dll
+ 2012-01-11 12:15 . 2012-01-11 12:15 17403904 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceModel\2dac4fc006596760cd4988d0bfd52ff0\System.ServiceModel.ni.dll
+ 2012-01-11 12:11 . 2012-01-11 12:11 10683392 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Design\9e15d80ffb037e9171fa4bd2e0233497\System.Design.ni.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-11-20 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-15 71216]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-09 52256]
"LGODDFU"="c:\program files\lg_fwupdate\fwupdate.exe" [2011-01-10 557056]
"PLFSetL"="c:\windows\PLFSetL.exe" [2008-07-03 94208]
"snp2uvc"="c:\windows\system32\csnp2uvc.dll" [2009-02-17 196608]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-27 207424]
"Nikon Transfer Monitor"="c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe" [2009-09-15 479232]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-11-13 421736]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
.
c:\documents and settings\User\Start Menu\Programs\Startup\
OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office14\ONENOTEM.EXE [2011-9-2 227712]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-06-12 09:38 34672 ------w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2008-06-19 08:20 57344 ------w- c:\windows\ALCMTR.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AzMixerSel]
2006-07-17 14:40 53248 ------w- c:\program files\Realtek\Audio\Drivers\AzMixerSel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2008-02-28 07:00 166424 ------w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2008-04-16 00:54 178712 ------w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2008-02-28 07:00 141848 ------w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]
2009-02-12 04:20 862728 ------w- c:\progra~1\LAUNCH~1\LManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
2008-04-14 12:00 59392 ------w- c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2008-02-28 07:00 137752 ------w- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PLFSetL]
2008-07-03 23:58 94208 ------w- c:\windows\PLFSetL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2009-02-24 07:40 17529856 ------w- c:\windows\RTHDCPL.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\snp2uvc]
2009-02-17 02:32 196608 ------w- c:\windows\system32\csnp2uvc.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VideoWebCamera]
2009-05-20 06:30 1552501 ------w- c:\program files\VideoWebCamera\VideoWebCamera.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/13/2010 6:39 PM 135664]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [7/27/2009 2:34 PM 1684736]
S3 GamesAppService;GamesAppService;c:\program files\WildTangent Games\App\GamesAppService.exe [10/12/2010 12:59 PM 206072]
S3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [7/27/2009 1:25 PM 38912]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 9:37 PM 4640000]
S3 Partner Service;Partner Service;c:\documents and settings\All Users\Application Data\Partner\partner.exe [11/20/2009 12:11 PM 111088]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [7/27/2009 2:29 PM 162816]
S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2012-01-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-13 23:39]
.
2012-01-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-13 23:39]
.
2012-01-31 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 20:39]
.
2012-01-02 c:\windows\Tasks\Norton Security Scan for User.job
- c:\progra~1\NORTON~2\Engine\301~1.8\Nss.exe [2011-01-27 04:47]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
mStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&m=lt20&r=0xph1109x235l0314wu25a48i2t270
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~3\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 172.27.35.1
TCP: Interfaces\{5C77DB13-691F-4818-B2FD-9B3D1CFD4EEF}: NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{6696ACBA-640F-46D7-B119-97F5AB6FBB8F}: NameServer = 8.8.8.8,8.8.4.4
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-30 21:53
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3560)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2012-01-30 21:56:19
ComboFix-quarantined-files.txt 2012-01-31 02:56
ComboFix2.txt 2012-01-11 05:09
.
Pre-Run: 118,994,231,296 bytes free
Post-Run: 119,047,847,936 bytes free
.
- - End Of File - - E3AEF8CE1344660CB7A413BCDB92D924

#10 User is online   m0le 

  • I know the drill!
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Instructor
  • Posts: 29,128
  • Joined: 24-July 08
  • Gender:Male
  • Location:London, UK

Posted 31 January 2012 - 07:10 PM

That looks fine, please run OTM which should remove the Ad-Aware program which you've been trying to do.

We need to execute an OTM script
  • Please download OTM by OldTimer and save it to your desktop.
  • Double click the Posted Image icon on your desktop.
  • Paste the following code under the Posted Image area.
    :Files
c:\program files\Lavasoft

  • Push the large Posted Image button.
  • OTM may ask to reboot the machine. Please do so if asked.
  • Copy/Paste the contents under the Posted Image line here in your next reply.
  • If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
Post the OTM log.


Then please run ESET to mop up

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.

  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Under scan settings, check Posted Image and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology

  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • Copy and paste the resulting log in your next reply

If no log is generated that means nothing was found. Please let me know if this happens.
If I have helped you fix your PC then please donate. Thanks

Posted Image
m0le is a proud member of UNITE (Unified Network of Instructors and Trusted Eliminators)

#11 User is offline   dude1968 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 10
  • Joined: 12-January 12

Posted 31 January 2012 - 11:52 PM

otm results

========== FILES ==========
File/Folder c:\program files\Lavasoft not found.

OTM by OldTimer - Version 3.1.19.0 log created on 01312012_211811

copy from clipboard from eset


C:\System Volume Information\_restore{61938420-D437-4027-9F5D-8BD98A8F7C98}\RP212\A0159591.exe a variant of Win32/1AntiVirus application cleaned by deleting - quarantined

#12 User is online   m0le 

  • I know the drill!
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Instructor
  • Posts: 29,128
  • Joined: 24-July 08
  • Gender:Male
  • Location:London, UK

Posted 01 February 2012 - 02:28 PM

We'll have a look for other remnants of Ad-Aware

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
*ad-watch*
*ad-aware*
*lavasoft*
:folderfind
*ad-watch*
*ad-aware*
*lavasoft*
:regfind
*ad-watch*
*ad-aware*
*lavasoft*


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
If I have helped you fix your PC then please donate. Thanks

Posted Image
m0le is a proud member of UNITE (Unified Network of Instructors and Trusted Eliminators)

#13 User is offline   dude1968 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 10
  • Joined: 12-January 12

Posted 01 February 2012 - 11:59 PM

i keep getting an error about systemlook. one of those windows has encountered and error...tell ms or not tell ms. here is the log from the point where it stops...

i am going to shut her down and try again tomorrow after work and kids lacrosse practice. maybe the computer needs some time in the corner.

SystemLook 30.07.11 by jpshortstuff
Log created at 23:54 on 01/02/2012 by User
Administrator - Elevation successful

========== filefind ==========

Searching for "*ad-watch*"
No files found.

Searching for "*ad-aware*"
No files found.

Searching for "*lavasoft*"
No files found.

========== folderfind ==========

Searching for "*ad-watch*"
No folders found.

Searching for "*ad-aware*"
No folders found.

Searching for "*lavasoft*"
C:\Documents and Settings\All Users\Application Data\Lavasoft d------ [01:22 27/11/2011]

========== regfind ==========

Searching for "*ad-watch*"

#14 User is online   m0le 

  • I know the drill!
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Instructor
  • Posts: 29,128
  • Joined: 24-July 08
  • Gender:Male
  • Location:London, UK

Posted 02 February 2012 - 02:40 PM

That was a large search and we are using a special tool so occasional shutdowns are not completely surprisig.

I think we found the folder

Backup Your Registry with ERUNT
  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.
Click Erunt.exe to backup your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe

We need to execute an OTM script
  • Please download OTM by OldTimer and save it to your desktop.
  • Double click the Posted Image icon on your desktop.
  • Paste the following code under the Posted Image area.
    :Files
C:\Documents and Settings\All Users\Application Data\Lavasoft 
:Commands
[EmptyTemp]
[Reboot]

  • Push the large Posted Image button.
  • OTM may ask to reboot the machine. Please do so if asked.
  • Copy/Paste the contents under the Posted Image line here in your next reply.
  • If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
Post the OTM log.

So, how is the machine doing?
If I have helped you fix your PC then please donate. Thanks

Posted Image
m0le is a proud member of UNITE (Unified Network of Instructors and Trusted Eliminators)

#15 User is offline   dude1968 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 10
  • Joined: 12-January 12

Posted 02 February 2012 - 11:10 PM

no more popups and haven't seen any redirects. i will put it thru the paces now. there is still the new hardware found thing. haven't figured it out. it comes up as 'unknown'. an icon or two has changed to a basic windows icon instead of the one that came with the program (chrome).

i tried a search in ie for 'how to remove a rootkit'. i didn't get redirected but a few sites wouldn't come up. the MS ones did, kapersky loaded but a few of the articles still wouldn't load.

i think its good. it looks like i need to put a good anti-virus on it and put a firewall on it for him.

thanks a lot for your help. i may work in tech stuff but when i keep running stuff and getting clean scans and there are still obvious problems i know i am over my head.



All processes killed
========== FILES ==========
C:\Documents and Settings\All Users\Application Data\Lavasoft\License folder moved successfully.
C:\Documents and Settings\All Users\Application Data\Lavasoft folder moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 17444694 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 396 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 6194 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: User
->Temp folder emptied: 50701 bytes
->Temporary Internet Files folder emptied: 3719369 bytes
->Java cache emptied: 61277 bytes
->Google Chrome cache emptied: 0 bytes
->Apple Safari cache emptied: 8581120 bytes
->Flash cache emptied: 2610 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 1337 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 47882 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33438 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 29.00 mb


OTM by OldTimer - Version 3.1.19.0 log created on 02022012_225432

Files moved on Reboot...

Registry entries deleted on Reboot...

Share this topic:


  • 2 Pages +
  • 1
  • 2
  • You cannot start a new topic
  • This topic is locked

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users