Virus Scan Freezes Computer Before Completion


  • This topic is locked
20 replies to this topic

#1 mccarmic20

mccarmic20

  • Members
  • 13 posts
  • OFFLINE

Posted 29 June 2009 - 03:00 PM

When attempting virus scans (I've tried multiple scans using multiple virus protection programs), the computer freezes before the scan completes. It freezes at a file in the C:\Windows\winsxs folder. The file is "system.servicemodel.install.dll". There are 5 different files in winsxs all with that same name. I've read in some forums that you should not touch the winsxs folder, but I did try to delete this file (even after changing permissions on the folder) and Vista will not let me. It's telling me "Destination Folder Access Denied. You need permission to perform this action." I'm wondering if this is the remnant of a virus, as one virus scan did find a virus called "ffmpeg.exe".

Vista Home Premium
Version 6.0.6001 Service Pack 1 Build 6001
Trend Micro Internet Security 2008 is the primary virus protection software that I'm using.

I've used CCleaner, CHKDSK, disk defragment and other fixes suggested in the forums to no avail.

DDS.txt
DDS (Ver_09-06-26.01) - NTFSx86
Run by Crissy at 15:48:31.89 on Mon 06/29/2009
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_14
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3061.1691 [GMT -4:00]

AV: Trend Micro Internet Security *On-access scanning enabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
FW: Trend Micro Personal Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\bcmwltry.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\aestsrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Windows\system32\STacSV.exe
C:\Windows\system32\java.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\DellTPad\Apoint.exe
C:\Windows\OEM02Mon.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Program Files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Dell DataSafe Online\DataSafeOnline.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Users\Crissy\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uWindow Title = Internet Explorer provided by Dell
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [OEM02Mon.exe] c:\windows\OEM02Mon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [DELL Webcam Manager] "c:\program files\dell\dell webcam manager\DellWMgr.exe" /s
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
mRun: [LELA] "c:\program files\linksys\linksys easylink advisor\Linksys EasyLink Advisor.exe" /minimized
mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
mRun: [Dell DataSafe Online] "c:\program files\dell datasafe online\DataSafeOnline.exe" /m
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickset.lnk - c:\program files\dell\quickset\quickset.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - hxxp://mediaplayer.walmart.com/installer/install.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp3.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\crissy\appdata\roaming\mozilla\firefox\profiles\0x5o32te.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 tmlwf;Trend Micro NDIS 6.0 Filter Driver;c:\windows\system32\drivers\tmlwf.sys [2008-2-18 142352]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\AEstSrv.exe [2008-5-28 73728]
R2 LinksysUpdater;Linksys Updater;c:\program files\linksys\linksys updater\bin\LinksysUpdater.exe [2008-4-18 204800]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2008-2-18 52624]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2008-2-18 36368]
R2 tmwfp;Trend Micro WFP Callout Driver;c:\windows\system32\drivers\tmwfp.sys [2008-2-18 234512]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2008-5-28 111616]
R3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\system32\drivers\OEM02Dev.sys [2008-5-28 235648]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\system32\drivers\OEM02Vfx.sys [2008-5-28 7424]

=============== Created Last 30 ================

2009-06-28 21:08 <DIR> --d----- c:\program files\CCleaner
2009-06-27 17:12 <DIR> --d----- C:\deleteme
2009-06-27 16:30 <DIR> --d----- c:\users\crissy\appdata\roaming\DataSafeOnline
2009-06-27 13:26 <DIR> --d----- c:\users\crissy\appdata\roaming\TweakNow RegCleaner
2009-06-27 13:26 <DIR> --d----- c:\program files\TweakNow RegCleaner
2009-06-27 09:47 <DIR> --d----- c:\program files\WinASO
2009-06-27 09:31 <DIR> --d----- c:\programdata\Iomatic
2009-06-27 09:31 <DIR> --d----- c:\progra~2\Iomatic
2009-06-25 21:02 <DIR> --d----- c:\program files\Trend Micro
2009-06-23 00:28 <DIR> --d----- c:\users\crissy\.housecall6.6
2009-06-21 22:46 719,872 a------- c:\windows\system32\devil.dll
2009-06-21 22:46 308,224 a------- c:\windows\system32\avisynth.dll
2009-06-21 22:38 <DIR> --d----- c:\program files\WMR11
2009-06-21 22:19 237,568 a------- c:\windows\system32\rmc_rtspdl.dll
2009-06-21 22:19 156,672 a------- c:\windows\system32\rmc_fixasf.exe
2009-06-21 22:17 <DIR> --d----- c:\program files\Replay Media Catcher
2009-06-21 22:02 323,584 a------- c:\windows\system32\AUDIOGENIE2.DLL
2009-06-21 22:01 <DIR> --d----- c:\windows\Replay Media Catcher
2009-06-14 14:34 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-06-14 14:34 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-06-14 14:34 <DIR> --d----- c:\program files\iPod
2009-06-14 14:33 <DIR> --d----- c:\programdata\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-14 14:33 <DIR> --d----- c:\program files\iTunes
2009-06-14 14:33 <DIR> --d----- c:\progra~2\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-14 14:31 <DIR> --d----- c:\program files\Bonjour
2009-06-14 10:25 428,544 a------- c:\windows\system32\EncDec.dll
2009-06-14 10:25 293,376 a------- c:\windows\system32\psisdecd.dll
2009-06-14 10:25 217,088 a------- c:\windows\system32\psisrndr.ax
2009-06-14 10:25 177,664 a------- c:\windows\system32\mpg2splt.ax
2009-06-14 10:25 80,896 a------- c:\windows\system32\MSNP.ax
2009-06-12 09:24 636,928 a------- c:\windows\system32\localspl.dll
2009-06-12 09:24 2,033,152 a------- c:\windows\system32\win32k.sys
2009-06-12 09:24 784,896 a------- c:\windows\system32\rpcrt4.dll

==================== Find3M ====================

2009-06-25 21:05 51,200 a------- c:\windows\inf\infpub.dat
2009-06-25 21:05 143,360 a------- c:\windows\inf\infstrng.dat
2009-06-25 21:05 86,016 a------- c:\windows\inf\infstor.dat
2009-05-21 11:33 410,984 a------- c:\windows\system32\deploytk.dll
2009-04-24 12:05 827,904 a------- c:\windows\system32\wininet.dll
2009-04-24 12:02 78,336 a------- c:\windows\system32\ieencode.dll
2009-04-24 09:44 26,624 a------- c:\windows\system32\ieUnatt.exe
2009-03-28 12:17 122 a------- c:\users\crissy\appdata\roaming\wklnhst.dat
2008-06-12 13:13 174 a--sh--- c:\program files\desktop.ini
2008-06-12 13:06 665,600 a------- c:\windows\inf\drvindex.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2008-05-28 03:53 76 ---shr-- c:\windows\CT4CET.bin
1997-07-21 19:30 1,045,776 a--sh--- c:\windows\system32\Msjet35.dll
1997-06-23 03:00 123,664 a--sh--- c:\windows\system32\Msjint35.dll
1997-06-23 12:06 24,848 a--sh--- c:\windows\system32\Msjter35.dll
1997-06-23 12:06 252,176 a--sh--- c:\windows\system32\Msrd2x35.dll
1997-06-23 12:06 287,504 a--sh--- c:\windows\system32\Msxbse35.dll
2008-05-28 11:25 8,192 a--sh--- c:\windows\users\default\NTUSER.DAT

============= FINISH: 15:50:49.87 ===============
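As an added example (not from this thread and not part of the DDS tool), the following Python script does a first triage pass over the kind of "Created Last 30" / "Find3M" entries shown in the log above. It parses the date, size, attribute string and path of each line and lists the files a responder would check first: executable code newly written under c:\windows, executable code inside a user profile, and files carrying both the hidden and system attributes. The reading of the attribute column (d, s, h, r by letter presence) is an assumption drawn from the lines in the log, the last sample line is constructed, and every match is a review prompt, not a verdict: Windows Update and ordinary installers write to the same locations.

```python
"""Triage helper for the file-listing sections of a DDS log ("Created Last 30",
"Find3M").  Added example for this thread, not part of DDS or of any post.

Each entry looks like
    2009-06-21 22:46 719,872 a------- c:\\windows\\system32\\devil.dll
    2009-06-28 21:08 <DIR> --d----- c:\\program files\\CCleaner
The rules below only rank entries for human review (signer check, hash lookup);
a match does not mean the file is malicious, since OS updates and ordinary
installers drop files into the same places.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional

# Assumption about the DDS attribute column, read by letter presence rather than
# position: d = directory, s = system, h = hidden, r = read-only, a = archive.
ENTRY_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>[a-z-]{8}) (?P<path>\S.*)$"
)
CODE_EXTS = {".exe", ".dll", ".sys", ".scr", ".ax", ".ocx", ".drv", ".com"}


@dataclass
class Entry:
    when: datetime
    size: Optional[int]          # None for <DIR> entries
    attrs: str
    path: str                    # lower-cased for matching

    @property
    def is_dir(self) -> bool:
        return "d" in self.attrs

    @property
    def hidden_system(self) -> bool:
        return "s" in self.attrs and "h" in self.attrs

    @property
    def ext(self) -> str:
        name = self.path.rsplit("\\", 1)[-1]
        return name[name.rfind("."):].lower() if "." in name else ""


@dataclass
class Finding:
    path: str
    reasons: List[str] = field(default_factory=list)


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one DDS listing line; returns None for headers and blank lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
    when = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M")
    return Entry(when, size, m["attrs"], m["path"].lower())


def parse_listing(text: str) -> List[Entry]:
    return [e for e in map(parse_entry, text.splitlines()) if e is not None]


def triage(entries: List[Entry]) -> List[Finding]:
    """Apply the review rules; one Finding per flagged file, in input order."""
    out: List[Finding] = []
    for e in entries:
        if e.is_dir:
            continue
        reasons = []
        is_code = e.ext in CODE_EXTS
        if is_code and e.path.startswith("c:\\windows\\"):
            reasons.append("new executable code under c:\\windows (verify signer/hash)")
        if is_code and e.path.startswith("c:\\users\\"):
            reasons.append("executable code inside a user profile")
        if e.hidden_system:
            reasons.append(f"hidden+system attributes set ({e.attrs})")
        if reasons:
            out.append(Finding(e.path, reasons))
    return out


# Lines taken from the DDS log in the thread, plus one constructed line (the
# "constructed" path) so that the user-profile rule has something to match.
SAMPLE_LISTING = r"""
2009-06-28 21:08 <DIR> --d----- c:\program files\CCleaner
2009-06-21 22:46 719,872 a------- c:\windows\system32\devil.dll
2009-06-21 22:46 308,224 a------- c:\windows\system32\avisynth.dll
2009-06-14 14:34 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-06-12 09:24 2,033,152 a------- c:\windows\system32\win32k.sys
2008-05-28 03:53 76 ---shr-- c:\windows\CT4CET.bin
1997-07-21 19:30 1,045,776 a--sh--- c:\windows\system32\Msjet35.dll
2009-03-28 12:17 122 a------- c:\users\crissy\appdata\roaming\wklnhst.dat
2009-06-29 12:00 45,056 a--sh--- c:\users\crissy\appdata\roaming\constructed\sample_unknown.exe
"""


def triage_sample() -> List[Finding]:
    return triage(parse_listing(SAMPLE_LISTING))


if __name__ == "__main__":
    for f in triage_sample():
        print(f.path)
        for r in f.reasons:
            print("   -", r)
```

The rules deliberately say nothing about c:\windows\winsxs: that folder is the component store, owned by the TrustedInstaller service that appears in the process list above, so an "access denied" when trying to delete a file there is the expected protection of that store and not by itself a sign of infection. A scanner stalling on a particular file is a reason to send that file's hash to the helper, not to remove it by hand.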



#2 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 02 July 2009 - 08:25 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

"Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 mccarmic20

mccarmic20
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE

Posted 03 July 2009 - 05:13 PM

DDS (Ver_09-06-26.01) - NTFSx86
Run by Crissy at 18:09:10.99 on Fri 07/03/2009
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_14
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3061.1740 [GMT -4:00]

AV: Trend Micro Internet Security *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
FW: Trend Micro Personal Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\System32\bcmwltry.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\aestsrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Windows\system32\java.exe
C:\Windows\system32\STacSV.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\DellTPad\Apoint.exe
C:\Windows\OEM02Mon.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Program Files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Dell DataSafe Online\DataSafeOnline.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10b.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Crissy\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uWindow Title = Internet Explorer provided by Dell
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [OEM02Mon.exe] c:\windows\OEM02Mon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [DELL Webcam Manager] "c:\program files\dell\dell webcam manager\DellWMgr.exe" /s
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
mRun: [LELA] "c:\program files\linksys\linksys easylink advisor\Linksys EasyLink Advisor.exe" /minimized
mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
mRun: [Dell DataSafe Online] "c:\program files\dell datasafe online\DataSafeOnline.exe" /m
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickset.lnk - c:\program files\dell\quickset\quickset.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - hxxp://mediaplayer.walmart.com/installer/install.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp3.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\crissy\appdata\roaming\mozilla\firefox\profiles\0x5o32te.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 tmlwf;Trend Micro NDIS 6.0 Filter Driver;c:\windows\system32\drivers\tmlwf.sys [2008-2-18 142352]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\AEstSrv.exe [2008-5-28 73728]
R2 LinksysUpdater;Linksys Updater;c:\program files\linksys\linksys updater\bin\LinksysUpdater.exe [2008-4-18 204800]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2008-2-18 36368]
R2 tmwfp;Trend Micro WFP Callout Driver;c:\windows\system32\drivers\tmwfp.sys [2008-2-18 234512]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2008-5-28 111616]
R3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\system32\drivers\OEM02Dev.sys [2008-5-28 235648]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\system32\drivers\OEM02Vfx.sys [2008-5-28 7424]
S2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2008-2-18 52624]
S3 TmPfw;Trend Micro Personal Firewall;c:\progra~1\trendm~1\intern~1\TmPfw.exe [2009-6-25 488768]
S3 tmproxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2009-6-25 648456]

=============== Created Last 30 ================

2009-06-28 21:08 <DIR> --d----- c:\program files\CCleaner
2009-06-27 17:12 <DIR> --d----- C:\deleteme
2009-06-27 16:30 <DIR> --d----- c:\users\crissy\appdata\roaming\DataSafeOnline
2009-06-27 13:26 <DIR> --d----- c:\users\crissy\appdata\roaming\TweakNow RegCleaner
2009-06-27 13:26 <DIR> --d----- c:\program files\TweakNow RegCleaner
2009-06-27 09:47 <DIR> --d----- c:\program files\WinASO
2009-06-27 09:31 <DIR> --d----- c:\programdata\Iomatic
2009-06-27 09:31 <DIR> --d----- c:\progra~2\Iomatic
2009-06-25 21:02 <DIR> --d----- c:\program files\Trend Micro
2009-06-23 00:28 <DIR> --d----- c:\users\crissy\.housecall6.6
2009-06-21 22:46 719,872 a------- c:\windows\system32\devil.dll
2009-06-21 22:46 308,224 a------- c:\windows\system32\avisynth.dll
2009-06-21 22:38 <DIR> --d----- c:\program files\WMR11
2009-06-21 22:19 237,568 a------- c:\windows\system32\rmc_rtspdl.dll
2009-06-21 22:19 156,672 a------- c:\windows\system32\rmc_fixasf.exe
2009-06-21 22:17 <DIR> --d----- c:\program files\Replay Media Catcher
2009-06-21 22:02 323,584 a------- c:\windows\system32\AUDIOGENIE2.DLL
2009-06-21 22:01 <DIR> --d----- c:\windows\Replay Media Catcher
2009-06-14 14:34 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-06-14 14:34 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-06-14 14:34 <DIR> --d----- c:\program files\iPod
2009-06-14 14:33 <DIR> --d----- c:\programdata\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-14 14:33 <DIR> --d----- c:\program files\iTunes
2009-06-14 14:33 <DIR> --d----- c:\progra~2\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-14 14:31 <DIR> --d----- c:\program files\Bonjour
2009-06-14 10:25 428,544 a------- c:\windows\system32\EncDec.dll
2009-06-14 10:25 293,376 a------- c:\windows\system32\psisdecd.dll
2009-06-14 10:25 217,088 a------- c:\windows\system32\psisrndr.ax
2009-06-14 10:25 177,664 a------- c:\windows\system32\mpg2splt.ax
2009-06-14 10:25 80,896 a------- c:\windows\system32\MSNP.ax
2009-06-12 09:24 636,928 a------- c:\windows\system32\localspl.dll
2009-06-12 09:24 2,033,152 a------- c:\windows\system32\win32k.sys
2009-06-12 09:24 784,896 a------- c:\windows\system32\rpcrt4.dll

==================== Find3M ====================

2009-06-25 21:05 51,200 a------- c:\windows\inf\infpub.dat
2009-06-25 21:05 143,360 a------- c:\windows\inf\infstrng.dat
2009-06-25 21:05 86,016 a------- c:\windows\inf\infstor.dat
2009-05-21 11:33 410,984 a------- c:\windows\system32\deploytk.dll
2009-04-24 12:05 827,904 a------- c:\windows\system32\wininet.dll
2009-04-24 12:02 78,336 a------- c:\windows\system32\ieencode.dll
2009-04-24 09:44 26,624 a------- c:\windows\system32\ieUnatt.exe
2009-03-28 12:17 122 a------- c:\users\crissy\appdata\roaming\wklnhst.dat
2008-06-12 13:13 174 a--sh--- c:\program files\desktop.ini
2008-06-12 13:06 665,600 a------- c:\windows\inf\drvindex.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2008-05-28 03:53 76 ---shr-- c:\windows\CT4CET.bin
1997-07-21 19:30 1,045,776 a--sh--- c:\windows\system32\Msjet35.dll
1997-06-23 03:00 123,664 a--sh--- c:\windows\system32\Msjint35.dll
1997-06-23 12:06 24,848 a--sh--- c:\windows\system32\Msjter35.dll
1997-06-23 12:06 252,176 a--sh--- c:\windows\system32\Msrd2x35.dll
1997-06-23 12:06 287,504 a--sh--- c:\windows\system32\Msxbse35.dll
2008-05-28 11:25 8,192 a--sh--- c:\windows\users\default\NTUSER.DAT

============= FINISH: 18:10:27.31 ===============

#4 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 06 July 2009 - 01:57 PM

Hello.

I'm not sure if that is being caused by an infection. Let's take a closer look at that file.

Download and Run OTListIt
Please download OTListIt by OldTimer to your desktop.
Open OTListIt by double clicking its icon. If you are using Windows Vista, right click OTL.exe and select Run As Administrator.
Copy the contents of the codebox below into the "Custom Scans" box.
c:\system.servicemodel.install.dll /s /md5

Click Run Scan without changing any settings. When the scan is complete, a logfile will open.
Copy the contents of the log into your next reply. It will be saved as OTL.txt where OTL.exe is located.

With Regards,
The Panda

#5 mccarmic20
  • Topic Starter
  • Members
  • 13 posts

Posted 07 July 2009 - 08:20 AM

Hi. Thanks in advance for your help!

I tried to run the scan in OTL.exe using the contents of the code box you gave. However, it freezes at the file:

C:\windows\winsxs\msil_system.servicemodel.install_b77a5c561934e089_6

#6 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 07 July 2009 - 08:26 AM

Hello.

Let's try SystemLook.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :file
    C:\windows\winsxs\msil_system.servicemodel.*
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

With Regards,
The Panda

#7 mccarmic20
  • Topic Starter
  • Members
  • 13 posts

Posted 07 July 2009 - 08:33 AM

SystemLook v1.0 by jpshortstuff (22.05.09)
Log created at 09:32 on 07/07/2009 by Crissy (Administrator - Elevation successful)

========== file ==========

C:\Windows\winsxs\msil_system.servicemodel.* - Unable to find/read file.

-=End Of File=-

#8 mccarmic20
  • Topic Starter
  • Members
  • 13 posts

Posted 07 July 2009 - 08:39 AM

Also, there are 6 folders with similar names; since they're so long, it's hard to tell which is the culprit.

C:\Windows\winsxs\msil_system.servicemodel.install_b77a5c561934e089_6.0.6000.16386_none_6bcdb31436867bef
C:\Windows\winsxs\msil_system.servicemodel.install_b77a5c561934e089_6.0.6000.16708_none_6bc582a4368de5bd
C:\Windows\winsxs\msil_system.servicemodel.install_b77a5c561934e089_6.0.6000.20864_none_54fe38c0502f7749
C:\Windows\winsxs\msil_system.servicemodel.install_b77a5c561934e089_6.0.6001.18000_none_6ba234d036de24bb
C:\Windows\winsxs\msil_system.servicemodel.install_b77a5c561934e089_6.0.6001.18096_none_6baaaeba36d6a290
C:\Windows\winsxs\msil_system.servicemodel.install_b77a5c561934e089_6.0.6001.22208_none_54d3d7ac5086521a

#9 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 07 July 2009 - 08:59 AM

Hello.

Those look like folders rather than files.

Please run this script with SystemLook.

:dir /s /md5
C:\Windows\winsxs\msil_system.servicemodel.install_b77a5c561934e089_6.0.6000.16386_none_6bcdb31436867bef
C:\Windows\winsxs\msil_system.servicemodel.install_b77a5c561934e089_6.0.6000.16708_none_6bc582a4368de5bd
C:\Windows\winsxs\msil_system.servicemodel.install_b77a5c561934e089_6.0.6000.20864_none_54fe38c0502f7749
C:\Windows\winsxs\msil_system.servicemodel.install_b77a5c561934e089_6.0.6001.18000_none_6ba234d036de24bb
C:\Windows\winsxs\msil_system.servicemodel.install_b77a5c561934e089_6.0.6001.18096_none_6baaaeba36d6a290
C:\Windows\winsxs\msil_system.servicemodel.install_b77a5c561934e089_6.0.6001.22208_none_54d3d7ac5086521a

With Regards,
The Panda

Edited by PropagandaPanda, 07 July 2009 - 09:00 AM.


#10 mccarmic20
  • Topic Starter
  • Members
  • 13 posts

Posted 07 July 2009 - 09:48 AM

Hi:

I attempted the code above and received:
Invalid Context: dir /s /md5


However, I was able to find the file names in each of the six folders above, and ran SystemLook on each file. I've posted below the results. Please note that I was unsuccessful in running SystemLook on the final file (the sixth). The scan never completed and froze the computer.

(1)
SystemLook v1.0 by jpshortstuff (22.05.09)
Log created at 10:25 on 07/07/2009 by Crissy (Administrator - Elevation successful)

========== file ==========

C:\Windows\winsxs\msil_system.servicemodel.install_b77a5c561934e089_6.0.6000.16386_none_6bcdb31436867bef\System.ServiceModel.Install.dll - File found and opened.
MD5: 77652A963B13BFB382EFA7AEBED15E3B
Created at 12:36 on 02/11/2006
Modified at 12:36 on 02/11/2006
Size: 159744 bytes
Attributes: --a---
FileDescription: System.ServiceModel.Install.dll
FileVersion: 3.0.4506.25 (WAPRTM.004506-0026)
ProductVersion: 3.0.4506.25
OriginalFilename: System.ServiceModel.Install.dll
InternalName: System.ServiceModel.Install.dll
ProductName: Microsoft® .NET Framework
CompanyName: Microsoft Corporation
LegalCopyright: © Microsoft Corporation. All rights reserved.
Comments: Flavor=Retail

-=End Of File=-

************
************
(2)
SystemLook v1.0 by jpshortstuff (22.05.09)
Log created at 10:26 on 07/07/2009 by Crissy (Administrator - Elevation successful)

========== file ==========

C:\Windows\winsxs\msil_system.servicemodel.install_b77a5c561934e089_6.0.6000.16708_none_6bc582a4368de5bd\System.ServiceModel.Install.dll - File found and opened.
MD5: 8A18FDED2E75C9F918B7B08D792CEC37
Created at 00:13 on 15/02/2009
Modified at 01:17 on 20/06/2008
Size: 73728 bytes
Attributes: --a---
FileDescription: System.ServiceModel.Install.dll
FileVersion: 3.0.4506.2123 (NetFX.030618-0000)
ProductVersion: 3.0.4506.2123
OriginalFilename: System.ServiceModel.Install.dll
InternalName: System.ServiceModel.Install.dll
ProductName: Microsoft® .NET Framework
CompanyName: Microsoft Corporation
LegalCopyright: © Microsoft Corporation. All rights reserved.
Comments: Flavor=Retail

-=End Of File=-

************
************
(3)
SystemLook v1.0 by jpshortstuff (22.05.09)
Log created at 10:27 on 07/07/2009 by Crissy (Administrator - Elevation successful)

========== file ==========

C:\Windows\winsxs\msil_system.servicemodel.install_b77a5c561934e089_6.0.6000.20864_none_54fe38c0502f7749\System.ServiceModel.Install.dll - File found and opened.
MD5: 8A18FDED2E75C9F918B7B08D792CEC37
Created at 00:13 on 15/02/2009
Modified at 01:12 on 20/06/2008
Size: 73728 bytes
Attributes: --a---
FileDescription: System.ServiceModel.Install.dll
FileVersion: 3.0.4506.2123 (NetFX.030618-0000)
ProductVersion: 3.0.4506.2123
OriginalFilename: System.ServiceModel.Install.dll
InternalName: System.ServiceModel.Install.dll
ProductName: Microsoft® .NET Framework
CompanyName: Microsoft Corporation
LegalCopyright: © Microsoft Corporation. All rights reserved.
Comments: Flavor=Retail

-=End Of File=-

************
************
(4)
SystemLook v1.0 by jpshortstuff (22.05.09)
Log created at 10:28 on 07/07/2009 by Crissy (Administrator - Elevation successful)

========== file ==========

C:\Windows\winsxs\msil_system.servicemodel.install_b77a5c561934e089_6.0.6001.18000_none_6ba234d036de24bb\System.ServiceModel.Install.dll - File found and opened.
MD5: D9881D753D488AD6143E122B8D3CAD86
Created at 15:41 on 12/06/2008
Modified at 11:21 on 05/01/2008
Size: 159744 bytes
Attributes: --a---
FileDescription: System.ServiceModel.Install.dll
FileVersion: 3.0.4506.648 (Winfxred.004506-0648)
ProductVersion: 3.0.4506.648
OriginalFilename: System.ServiceModel.Install.dll
InternalName: System.ServiceModel.Install.dll
ProductName: Microsoft® .NET Framework
CompanyName: Microsoft Corporation
LegalCopyright: © Microsoft Corporation. All rights reserved.
Comments: Flavor=Retail

-=End Of File=-

************
************
(5)
SystemLook v1.0 by jpshortstuff (22.05.09)
Log created at 10:29 on 07/07/2009 by Crissy (Administrator - Elevation successful)

========== file ==========

C:\Windows\winsxs\msil_system.servicemodel.install_b77a5c561934e089_6.0.6001.18096_none_6baaaeba36d6a290\System.ServiceModel.Install.dll - File found and opened.
MD5: 8A18FDED2E75C9F918B7B08D792CEC37
Created at 00:13 on 15/02/2009
Modified at 01:14 on 20/06/2008
Size: 73728 bytes
Attributes: --a---
FileDescription: System.ServiceModel.Install.dll
FileVersion: 3.0.4506.2123 (NetFX.030618-0000)
ProductVersion: 3.0.4506.2123
OriginalFilename: System.ServiceModel.Install.dll
InternalName: System.ServiceModel.Install.dll
ProductName: Microsoft® .NET Framework
CompanyName: Microsoft Corporation
LegalCopyright: © Microsoft Corporation. All rights reserved.
Comments: Flavor=Retail

-=End Of File=-

************
************
(6)
System look freezes when scanning:
C:\Windows\winsxs\msil_system.servicemodel.install_b77a5c561934e089_6.0.6001.22208_none_54d3d7ac5086521a\System.ServiceModel.Install.dll
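
As an added example (not SystemLook's code and not the poster's), a small Python parser for the SystemLook ":file" records above: it groups the six copies of System.ServiceModel.Install.dll by MD5, which shows that three WinSxS versions hold a byte-identical binary while the sixth never produced a hash at all. The sample log is constructed from the values posted in this thread, trimmed to the lines the parser reads.

```python
import re
from collections import defaultdict

# Constructed sample: the six SystemLook ":file" results from this thread, trimmed to
# the lines the parser reads. Entry six carries no MD5 because SystemLook hung on it.
SAMPLE_LOG = r"""
C:\Windows\winsxs\msil_system.servicemodel.install_b77a5c561934e089_6.0.6000.16386_none_6bcdb31436867bef\System.ServiceModel.Install.dll - File found and opened.
MD5: 77652A963B13BFB382EFA7AEBED15E3B
FileVersion: 3.0.4506.25 (WAPRTM.004506-0026)
C:\Windows\winsxs\msil_system.servicemodel.install_b77a5c561934e089_6.0.6000.16708_none_6bc582a4368de5bd\System.ServiceModel.Install.dll - File found and opened.
MD5: 8A18FDED2E75C9F918B7B08D792CEC37
FileVersion: 3.0.4506.2123 (NetFX.030618-0000)
C:\Windows\winsxs\msil_system.servicemodel.install_b77a5c561934e089_6.0.6000.20864_none_54fe38c0502f7749\System.ServiceModel.Install.dll - File found and opened.
MD5: 8A18FDED2E75C9F918B7B08D792CEC37
FileVersion: 3.0.4506.2123 (NetFX.030618-0000)
C:\Windows\winsxs\msil_system.servicemodel.install_b77a5c561934e089_6.0.6001.18000_none_6ba234d036de24bb\System.ServiceModel.Install.dll - File found and opened.
MD5: D9881D753D488AD6143E122B8D3CAD86
FileVersion: 3.0.4506.648 (Winfxred.004506-0648)
C:\Windows\winsxs\msil_system.servicemodel.install_b77a5c561934e089_6.0.6001.18096_none_6baaaeba36d6a290\System.ServiceModel.Install.dll - File found and opened.
MD5: 8A18FDED2E75C9F918B7B08D792CEC37
FileVersion: 3.0.4506.2123 (NetFX.030618-0000)
C:\Windows\winsxs\msil_system.servicemodel.install_b77a5c561934e089_6.0.6001.22208_none_54d3d7ac5086521a\System.ServiceModel.Install.dll
"""

PATH_RE = re.compile(r"^([A-Za-z]:\\\S+)(?: - (.*))?$")       # "<path> - <status>" record start
FIELD_RE = re.compile(r"^(MD5|FileVersion): (.+)$")            # key/value lines that follow a path
VERSION_RE = re.compile(r"_(\d+\.\d+\.\d+\.\d+)_none_")        # assembly version in the WinSxS folder name

def parse_systemlook(text):
    """One dict per file record: path, status and any MD5/FileVersion lines that followed."""
    records = []
    for line in text.splitlines():
        m = PATH_RE.match(line)
        if m:
            records.append({"path": m.group(1), "status": m.group(2) or "no result"})
            continue
        m = FIELD_RE.match(line)
        if m and records:
            records[-1][m.group(1)] = m.group(2)
    return records

def group_by_md5(records):
    """Map each MD5 to the assembly versions (from the WinSxS folder name) that share it."""
    groups = defaultdict(list)
    for rec in records:
        version = VERSION_RE.search(rec["path"]).group(1)
        groups[rec.get("MD5")].append(version)  # key None = SystemLook never hashed the file
    return dict(groups)
```

A key of None in the grouping is the file worth looking at first: a copy that every scanner stalls on is the one whose hash and version string you cannot yet trust.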

#11 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 07 July 2009 - 10:14 AM

Hello.

Let's see what we can do about that.

Open the Explorer to this folder.
C:\Windows\winsxs\msil_system.servicemodel.install_b77a5c561934e089_6.0.6001.22208_none_54d3d7ac5086521a

Right click it and select Properties.
Click the Security tab -> Advanced button near the bottom.
Click the Owner tab -> Edit.
Change the owner to yourself and click Apply.
Now try moving (cut and paste) the file out of the folder.

Do not delete the file.

Tell me how it goes.

With Regards,
The Panda

Edited by PropagandaPanda, 07 July 2009 - 10:15 AM.


#12 mccarmic20
  • Topic Starter
  • Members
  • 13 posts

Posted 07 July 2009 - 12:17 PM

I'm not able to click on the folder now... it freezes the computer. I've tried about 10 times.

#13 mccarmic20
  • Topic Starter
  • Members
  • 13 posts

Posted 07 July 2009 - 12:35 PM

Ok, finally attempted without freezing computer. I changed the owner to myself and hit ok. I then attempted to cut/paste to the desktop and it tells me that I don't have permission.

Also, there are now 10 folders in the winsxs directory titled
c:\windows\winsxs\msil_system.servicemodel.install*

Edited by mccarmic20, 07 July 2009 - 12:44 PM.


#14 PropagandaPanda
  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 07 July 2009 - 01:14 PM

Hello.

After taking ownership, you should be able to give yourself full permissions to the item.

In the security tab, select yourself in the Group or usernames and click Edit.
In the Permissions for *user*, click Full control and hit apply.

Are you able to move the file after?

With Regards,
The Panda

#15 mccarmic20
  • Topic Starter
  • Members
  • 13 posts

Posted 07 July 2009 - 03:42 PM

Ok, that worked. I was able to cut/paste System.ServiceModel.Install.dll to my desktop.



