
Google redirect, scvhost and more


  • This topic is locked
9 replies to this topic

#1 Tommynumber


Posted 22 June 2010 - 05:25 AM

Hey all (:

First off, recently I have been having problems with pop-ups and having links redirected to several sites. Avast keeps quarantining a suspicious looking svchost.exe file in my temps folder. My main concern has come today as I have been a victim of credit card fraud.

I've been unable to run GMER as I keep getting a Windows Write Delay error telling me it was unable to save.

Here is my DDS log:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Thomas at 9:59:44.05 on 22/06/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1791.433 [GMT 1:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Thomas\Application Data\Dropbox\bin\Dropbox.exe
C:\WINDOWS\usb-audio.deAAVersaPort\CONTROLVERSAPORT.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\VideoLAN\VLC\vlc.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\SoulseekNS\slsk.exe
C:\Documents and Settings\Thomas\My Documents\Downloads\HijackThis.exe
C:\Program Files\Apple Software Update\SoftwareUpdate.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Documents and Settings\Thomas\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: CAB Class: {c6a91056-83e0-4c6e-8dcc-43fc0dfe7a0a} - c:\windows\system32\Txx3A5Fi.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [DSS] c:\windows\bbstore\dss\dssagent.exe
mRun: [Anti Mosquito] e:\appz\anti_mosquito\Anti Mosquito.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask .exe" -atboottime
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [ctfmon.exe] c:\windows\system32\CTFMON.EXE
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10e.exe
StartupFolder: c:\docume~1\thomas\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\thomas\application data\dropbox\bin\Dropbox.exe
StartupFolder: c:\docume~1\thomas\startm~1\programs\startup\versap~1.lnk - c:\windows\usb-audio.deaaversaport\CONTROLVERSAPORT.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
TCP: {2DA4003D-E0A6-4A37-81F5-9E3CEA40912C} = 194.168.4.100,194.168.8.100
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: cbssreg - c:\documents and settings\all users\documents\settings\cbss.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\thomas\applic~1\mozilla\firefox\profiles\67sa55tu.rusty\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.search.selectedengine - YouTube Video Search
FF - component: c:\documents and settings\thomas\application data\mozilla\firefox\profiles\67sa55tu.rusty\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, falsec:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-6-12 64288]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-6-12 164048]
R1 mapledxp;mapledxp;c:\windows\system32\drivers\mapledxp.sys [2010-1-15 24720]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-6-12 19024]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-12 40384]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1352832]
R3 AA_VERSAPORT;usb-audio.de driver for American Audio VersaPort;c:\windows\system32\drivers\aavportu.sys [2010-6-12 366592]
R3 AA_VERSAPORT_A_WDM;VersaPort WDM Audio;c:\windows\system32\drivers\aavporta.sys [2010-6-12 33792]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-12 40384]
R3 GETND5BV;VIA Velocity Family Gigabit Ethernet Adapter Driver;c:\windows\system32\drivers\getnd5bv.sys [2010-1-14 49152]
S3 cpuz130;cpuz130;\??\c:\docume~1\thomas\locals~1\temp\cpuz130\cpuz_x32.sys --> c:\docume~1\thomas\locals~1\temp\cpuz130\cpuz_x32.sys [?]
S3 CtPmFilt;CtPmFilt;c:\windows\system32\drivers\CtPmFilt.sys [2010-1-15 18176]
S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\microsoft fix it center\Matsvc.exe [2010-4-10 266544]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\wpffontcache_v0400.exe --> c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [?]

=============== Created Last 30 ================

2010-06-22 08:47:27 0 d-----w- c:\program files\iPod
2010-06-21 09:00:06 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-20 20:52:25 0 d-----w- c:\program files\Microsoft
2010-06-20 20:37:45 0 d-----w- c:\documents and settings\thomas\Contacts
2010-06-20 20:36:29 0 d-----w- c:\program files\MSN Messenger
2010-06-17 15:56:38 45056 ----a-w- c:\windows\system32\Txx3A5Fi.dll
2010-06-17 14:31:23 112 ----a-w- c:\docume~1\alluse~1\applic~1\3d2w8p1y4.dat
2010-06-17 08:28:46 59904 ----a-w- c:\windows\system32\klgd.bmp
2010-06-17 08:28:46 1822 ----a-w- c:\windows\system32\batcgr
2010-06-12 21:18:55 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-06-12 15:37:17 46 ----a-w- c:\windows\CONTROLVERSAPORT.INI
2010-06-12 15:22:06 366592 ----a-r- c:\windows\system32\drivers\aavportu.sys
2010-06-12 15:22:06 33792 ----a-r- c:\windows\system32\drivers\aavporta.sys
2010-06-12 15:17:22 60032 -c--a-w- c:\windows\system32\dllcache\usbaudio.sys
2010-06-12 15:17:22 60032 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys
2010-06-12 15:08:11 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-06-12 15:06:30 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-06-12 15:06:25 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-06-12 15:00:37 0 d-----w- c:\documents and settings\all users\Uniblue
2010-06-12 14:51:08 0 d-----w- c:\windows\system32\wbem\Repository
2010-06-12 00:50:13 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-06-12 00:49:54 0 d-----w- c:\program files\Lavasoft
2010-06-11 22:46:40 120 ----a-w- c:\windows\Yveyi.dat
2010-06-11 22:46:40 0 ----a-w- c:\windows\Wpuzeyakiwi.bin
2010-06-11 19:06:50 0 d-----w- c:\windows\usb-audio.deAAVersaPort
2010-06-11 18:54:44 0 d-----w- c:\program files\ASIO4ALL v2
2010-06-10 23:36:28 0 d-----w- c:\docume~1\alluse~1\applic~1\2DBoy
2010-05-24 12:36:41 0 d-----w- c:\program files\Karen's Power Tools
2010-05-24 12:36:32 0 d-----w- c:\docume~1\alluse~1\applic~1\Karen's Power Tools

==================== Find3M ====================

2010-05-18 15:35:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 15:35:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-16 21:12:18 48464 ----a-w- c:\windows\system32\sirenacm.dll
2010-04-16 16:09:09 667136 ----a-w- c:\windows\system32\wininet.dll
2010-04-16 16:09:05 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-04-16 07:33:36 3003680 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-04-12 16:29:19 411368 ----a-w- c:\windows\system32\deployJava1.dll

============= FINISH: 10:00:44.33 ===============

I have also attached the Attach.txt file. Attached File  Attach.txt   14.12KB   5 downloads

Thank you in advance for any help given.

Just so you know I'm running Windows XP.

Merged 2 posts and removed codebox coding for ease of reading. ~ OB

Edited by Orange Blossom, 26 June 2010 - 03:05 PM.
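As an added example (not code from the thread, from DDS or from the helper), a small Python triage script that reads the Pseudo HJT Report and Created Last 30 sections of a DDS log like the one above and flags the load points a helper would look at first: orphaned entries, a Winlogon Notify DLL living outside system32, and a DLL that was created within the last 30 days. The random-name rule is a heuristic assumed here, and the sample input is constructed from lines of this thread's log.

```python
"""Triage helper for the 'Pseudo HJT Report' section of a DDS log (added example)."""
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines copied from the DDS log posted above.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: CAB Class: {c6a91056-83e0-4c6e-8dcc-43fc0dfe7a0a} - c:\windows\system32\Txx3A5Fi.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
Notify: cbssreg - c:\documents and settings\all users\documents\settings\cbss.dll

=============== Created Last 30 ================

2010-06-17 15:56:38 45056 ----a-w- c:\windows\system32\Txx3A5Fi.dll
2010-06-12 21:18:55 15880 ----a-w- c:\windows\system32\lsdelete.exe

==================== Find3M ====================
"""

SECTION_RE = re.compile(r"^=+\s*(?P<title>.+?)\s*=+$")
# Load points whose line ends in " - <path>" (or " - No File").
LOADPOINT_RE = re.compile(r"^(?P<kind>BHO|TB|Notify|Handler):\s*(?P<rest>.+)$")
CREATED_RE = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} \d+ \S+ (?P<path>.+)$")
# Heuristic assumed by this example (not a DDS rule): a short file stem mixing
# digits, lower-case and upper-case letters looks machine-generated.
RANDOM_STEM_RE = re.compile(r"^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])[A-Za-z0-9]{6,10}$")
SYSTEM32 = "c:\\windows\\system32\\"


@dataclass
class Finding:
    kind: str
    name: str
    path: str
    severity: str  # "low", "medium" or "high"
    reason: str


def parse(text):
    """Split a DDS log into (kind, name, path) load points and recently created files."""
    entries, created, section = [], {}, ""
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("title")
            continue
        if section == "Pseudo HJT Report":
            m = LOADPOINT_RE.match(line)
            if m:
                head, _, path = m.group("rest").rpartition(" - ")
                entries.append((m.group("kind"), head, path))
        elif section == "Created Last 30":
            m = CREATED_RE.match(line)
            if m:
                created[m.group("path").lower()] = m.group("date")
    return entries, created


def triage(text):
    """Apply the triage rules to every load point and return the findings."""
    entries, created = parse(text)
    findings = []
    for kind, name, path in entries:
        if path == "No File":
            findings.append(Finding(kind, name, path, "low", "orphaned entry; the referenced file is gone"))
            continue
        lower = path.lower()
        stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]  # keep original case for the heuristic
        if lower in created:
            findings.append(Finding(kind, name, path, "high",
                                    f"loads a file created on {created[lower]}, within the last 30 days"))
        if kind == "Notify" and not lower.startswith(SYSTEM32):
            findings.append(Finding(kind, name, path, "high", "Winlogon Notify DLL outside system32"))
        if lower.startswith(SYSTEM32) and RANDOM_STEM_RE.match(stem):
            findings.append(Finding(kind, name, path, "medium", "system32 DLL with a random-looking name"))
    return findings


def highest_severity(findings, path):
    """Worst severity recorded for one path, or None when nothing was flagged."""
    order = {"low": 0, "medium": 1, "high": 2}
    hits = [f.severity for f in findings if f.path.lower() == path.lower()]
    return max(hits, key=order.get) if hits else None


if __name__ == "__main__":
    for f in sorted(triage(SAMPLE_DDS), key=lambda f: f.severity):
        print(f"[{f.severity:6}] {f.kind} {f.name!r} -> {f.path}: {f.reason}")
```

Run against the sample, the two entries ComboFix later deleted (Txx3A5Fi.dll and cbss.dll) are the only ones rated high; the vendor BHOs produce no finding.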




#2 Tommynumber


Posted 24 June 2010 - 03:56 AM

Bump

EDIT: Please be patient. There are over 290 unanswered topics in this forum at present, and the current average wait time to receive help is 7 days. ~BP

Edited by Budapest, 24 June 2010 - 04:40 PM.


#3 Farbar


Posted 26 June 2010 - 07:08 PM

Hi Tommynumber,

Welcome to Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. In case of making changes I shall assume my assistance is not needed any more.

If the issue is not resolved please update me on the current condition of your computer.

#4 Tommynumber


Posted 28 June 2010 - 04:21 AM

Hey farbar!

Thanks for the response. The issue remains the same as in my original post. Still having Google redirected, occasional pop-ups, and Avast still frequently warning me about scvhost.exe in a temp folder.

#5 Farbar


Posted 28 June 2010 - 04:26 AM

Your log(s) show that you are using so-called peer-to-peer or file-sharing programs. These programs allow users to share files between each other, as the name suggests. In today's world cyber crime has grown to an enormous dimension, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with intense care. Some further reading on this subject, via the included links, is as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."


Removal Instructions
  1. I see uTorrent is set to start with Windows; please uninstall it or configure it not to run with Windows. Empty all p2p download folders, as they might contain infected files. Please avoid using these p2p applications until the system is clean. Using these applications at this stage might lead to reinfection or to infecting other users.

  2. You need to disable your Avast Antivirus before running ComboFix and enable it again after ComboFix has produced its log.
    • Open Avast.
    • Under the avast! settings... window, select Troubleshooting.
    • Check avast! self-defense module.
    • Click OK.

  3. Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with the tool. (Information on A/V control HERE)
    • Double click on ComboFix.exe & follow the prompts.
    • You will get a warning about the untrusted download sites for ComboFix; click Yes.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.


#6 Tommynumber


Posted 30 June 2010 - 03:53 AM

Okay, I think I've followed the steps correctly.

Here's what I got:

ComboFix 10-06-29.03 - Thomas 30/06/2010 9:27.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1791.1426 [GMT 1:00]
Running from: c:\documents and settings\Thomas\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users.\documents\settings
c:\documents and settings\All Users.\documents\settings\cbss.dll
c:\documents and settings\All Users\Documents\Settings\cbss.dll
c:\documents and settings\Thomas\Application Data\logs.dat
c:\documents and settings\Thomas\Local Settings\Application Data\{7D7EC57B-BB86-4C5A-8F15-5836907D4F85}
c:\documents and settings\Thomas\Local Settings\Application Data\{7D7EC57B-BB86-4C5A-8F15-5836907D4F85}\chrome\content\_cfg.js
c:\documents and settings\Thomas\Local Settings\Application Data\{7D7EC57B-BB86-4C5A-8F15-5836907D4F85}\chrome\content\overlay.xul
c:\documents and settings\Thomas\Local Settings\Application Data\{7D7EC57B-BB86-4C5A-8F15-5836907D4F85}\install.rdf
c:\windows\system32\fsc.txt
c:\windows\system32\ide.txt
c:\windows\system32\klgd.bmp
c:\windows\system32\lrg.txt
c:\windows\system32\qks.txt
c:\windows\system32\TxX3a5fi.dll
D:\install.exe

Infected copy of c:\windows\system32\drivers\ftdisk.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-05-28 to 2010-06-30 )))))))))))))))))))))))))))))))
.

2010-06-29 14:40 . 2010-06-29 14:40 -------- d-----w- c:\program files\drahtwerk
2010-06-22 21:58 . 2003-01-31 14:41 22912 ----a-w- c:\windows\system32\drivers\ScratchAmp.sys
2010-06-22 21:56 . 2010-06-22 21:56 -------- d-----w- c:\program files\DAMN NFO Viewer
2010-06-22 12:29 . 2010-06-22 12:29 -------- d-----w- c:\program files\Common Files\Skype
2010-06-22 08:47 . 2010-06-22 08:47 -------- d-----w- c:\program files\iPod
2010-06-22 08:38 . 2010-06-22 08:38 72504 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2010-06-21 09:00 . 2010-06-21 09:00 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-06-21 09:00 . 2010-06-21 09:00 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-20 20:52 . 2010-06-20 20:52 -------- d-----w- c:\program files\Microsoft
2010-06-20 20:37 . 2010-06-20 20:41 -------- d-----w- c:\documents and settings\Thomas\Contacts
2010-06-20 20:36 . 2010-06-20 20:48 -------- d-----w- c:\program files\MSN Messenger
2010-06-20 20:28 . 2010-06-20 20:28 -------- d-----w- c:\documents and settings\All Users\Application Data\WLInstaller
2010-06-12 21:18 . 2010-06-12 15:06 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-06-12 15:22 . 2008-08-15 07:44 33792 ----a-r- c:\windows\system32\drivers\aavporta.sys
2010-06-12 15:22 . 2008-08-15 07:44 366592 ----a-r- c:\windows\system32\drivers\aavportu.sys
2010-06-12 15:17 . 2008-04-13 23:15 60032 -c--a-w- c:\windows\system32\dllcache\usbaudio.sys
2010-06-12 15:17 . 2008-04-13 23:15 60032 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys
2010-06-12 15:09 . 2010-05-06 20:39 164048 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-06-12 15:09 . 2010-05-06 20:33 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-06-12 15:09 . 2010-05-06 20:34 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-06-12 15:09 . 2010-05-06 20:39 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-06-12 15:09 . 2010-05-06 20:33 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-06-12 15:09 . 2010-05-06 20:33 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-06-12 15:09 . 2010-05-06 20:33 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-06-12 15:08 . 2010-05-06 20:59 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-06-12 15:08 . 2010-05-06 20:59 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-06-12 15:08 . 2010-06-12 15:08 -------- d-----w- c:\program files\Alwil Software
2010-06-12 15:08 . 2010-06-12 15:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-06-12 15:06 . 2010-06-12 15:06 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-06-12 15:06 . 2010-06-12 15:06 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-06-12 15:05 . 2010-02-04 15:53 2954656 -c--a-w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-06-12 15:00 . 2010-06-12 15:00 -------- d-----w- c:\documents and settings\All Users\Uniblue
2010-06-12 14:55 . 2010-06-12 14:56 8258496 ----a-w- c:\documents and settings\Thomas\Application Data\Uniblue\DriverScanner\LatestUpdate.exe
2010-06-12 14:51 . 2010-06-12 14:51 -------- d-----w- c:\windows\system32\wbem\Repository
2010-06-12 00:50 . 2010-06-12 15:05 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-06-12 00:49 . 2010-06-12 00:50 -------- d-----w- c:\program files\Lavasoft
2010-06-11 23:27 . 2010-06-13 04:47 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-06-11 22:46 . 2010-06-11 23:04 0 ----a-w- c:\windows\Wpuzeyakiwi.bin
2010-06-11 22:46 . 2010-06-11 22:46 120 ----a-w- c:\windows\Yveyi.dat
2010-06-11 19:06 . 2010-06-12 15:27 -------- d-----w- c:\windows\usb-audio.deAAVersaPort
2010-06-11 18:54 . 2010-06-12 14:51 -------- d-----w- c:\program files\ASIO4ALL v2
2010-06-10 23:36 . 2010-06-10 23:36 -------- d-----w- c:\documents and settings\All Users\Application Data\2DBoy
2010-06-10 10:58 . 2010-06-10 10:58 -------- d-----w- c:\documents and settings\Thomas\Local Settings\Application Data\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-30 08:39 . 2010-01-21 22:00 -------- d-----w- c:\documents and settings\Thomas\Application Data\Dropbox
2010-06-30 08:06 . 2010-01-21 04:46 -------- d-----w- c:\documents and settings\Thomas\Application Data\uTorrent
2010-06-30 08:04 . 2010-03-04 20:24 -------- d-----w- c:\documents and settings\Thomas\Application Data\vlc
2010-06-29 14:18 . 2010-01-14 20:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Soulseek
2010-06-28 12:01 . 2010-01-17 14:29 15872 ----a-w- c:\documents and settings\Thomas\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-28 11:44 . 2010-01-14 23:27 -------- d-----w- c:\program files\Common Files\Adobe
2010-06-23 13:36 . 2010-01-21 13:00 -------- d-----w- c:\documents and settings\Thomas\Application Data\Skype
2010-06-23 11:37 . 2010-01-21 13:03 -------- d-----w- c:\documents and settings\Thomas\Application Data\skypePM
2010-06-22 21:55 . 2010-05-07 17:26 -------- d-----w- c:\program files\Native Instruments
2010-06-22 08:48 . 2010-05-02 08:02 -------- d-----w- c:\program files\iTunes
2010-06-22 08:47 . 2010-01-16 23:20 -------- d-----w- c:\program files\Common Files\Apple
2010-06-22 08:41 . 2010-01-16 23:21 -------- d-----w- c:\program files\Bonjour
2010-06-21 17:33 . 2010-01-14 20:42 -------- d-----w- c:\documents and settings\Thomas\Application Data\dvdcss
2010-06-20 20:52 . 2010-01-19 11:55 -------- d-----w- c:\program files\Windows Live
2010-06-20 18:55 . 2010-01-14 20:11 -------- d-----w- c:\program files\DAEMON Tools Lite
2010-06-20 14:28 . 2010-06-17 14:31 112 ----a-w- c:\documents and settings\All Users\Application Data\3d2w8p1y4.dat
2010-06-19 16:24 . 2010-03-09 12:42 -------- d-----w- c:\program files\Recycle
2010-06-19 16:23 . 2010-02-09 11:38 -------- d-----w- c:\program files\QuickTime
2010-06-17 21:44 . 2010-01-14 18:43 -------- d-----w- c:\program files\Winamp
2010-06-12 18:57 . 2010-01-17 09:28 -------- d-----w- c:\program files\POL
2010-06-12 14:58 . 2010-04-30 22:35 -------- d-----w- c:\documents and settings\All Users\Application Data\DriverScanner
2010-06-12 14:50 . 2010-01-14 18:46 -------- d-----w- c:\program files\VirtualDJ
2010-06-12 00:49 . 2010-02-07 01:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-06-11 19:29 . 2010-01-21 04:46 -------- d-----w- c:\program files\uTorrent
2010-05-25 11:33 . 2010-01-21 13:19 -------- d-----w- c:\program files\Steam
2010-05-25 07:39 . 2010-05-13 14:59 -------- d-----w- c:\program files\Defraggler
2010-05-25 07:39 . 2010-01-14 18:31 -------- d-----w- c:\program files\CCleaner
2010-05-24 12:36 . 2010-05-24 12:36 -------- d-----w- c:\program files\Karen's Power Tools
2010-05-24 12:36 . 2010-05-24 12:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Karen's Power Tools
2010-05-22 02:58 . 2010-05-22 02:58 61440 ----a-w- c:\documents and settings\Thomas\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-6361d1bd-n\decora-sse.dll
2010-05-22 02:58 . 2010-05-22 02:58 503808 ----a-w- c:\documents and settings\Thomas\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4a91dc04-n\msvcp71.dll
2010-05-22 02:58 . 2010-05-22 02:58 499712 ----a-w- c:\documents and settings\Thomas\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4a91dc04-n\jmc.dll
2010-05-22 02:58 . 2010-05-22 02:58 348160 ----a-w- c:\documents and settings\Thomas\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4a91dc04-n\msvcr71.dll
2010-05-22 02:58 . 2010-05-22 02:58 12800 ----a-w- c:\documents and settings\Thomas\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-6361d1bd-n\decora-d3d.dll
2010-05-18 15:35 . 2010-05-18 15:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 15:35 . 2010-05-18 15:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-14 03:18 . 2010-05-14 03:18 -------- d-----w- c:\program files\Winamp Detect
2010-05-13 16:13 . 2010-01-15 11:56 -------- d-----w- c:\program files\Creative
2010-05-13 14:55 . 2010-05-13 14:55 -------- d-----w- c:\program files\FileHippo.com
2010-05-13 14:53 . 2010-05-13 14:47 -------- d-----w- c:\program files\SpeedFan
2010-05-08 19:44 . 2010-03-25 10:33 -------- d-----w- c:\program files\Yahoo!
2010-05-07 17:46 . 2010-05-07 17:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-05-07 17:26 . 2010-05-07 17:26 -------- d-----w- c:\program files\Common Files\Digidesign
2010-05-07 17:26 . 2010-05-07 17:26 -------- d-----w- c:\program files\Common Files\Native Instruments
2010-05-07 15:55 . 2010-05-06 13:00 -------- d-----w- c:\program files\Simple Port Forwarding
2010-05-07 13:30 . 2010-05-07 13:30 -------- d-----w- c:\program files\Microsoft Fix it Center
2010-05-06 23:26 . 2010-02-08 18:24 -------- d-----w- c:\documents and settings\Thomas\Application Data\NoNameScript
2010-05-06 23:26 . 2010-02-08 18:17 -------- d-----w- c:\program files\mIRC
2010-05-05 12:18 . 2010-02-02 23:43 -------- d-----w- c:\program files\Java
2010-05-02 08:03 . 2010-05-02 08:02 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-05-02 05:22 . 2008-04-14 00:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30 . 2008-04-14 04:39 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-16 21:12 . 2010-04-16 21:12 48464 ----a-w- c:\windows\system32\sirenacm.dll
2010-04-16 16:09 . 2008-04-14 04:42 667136 ----a-w- c:\windows\system32\wininet.dll
2010-04-16 16:09 . 2008-04-14 04:41 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-04-16 07:33 . 2010-01-16 23:20 41472 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2010-04-16 07:33 . 2010-01-16 23:20 3003680 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-04-12 16:29 . 2010-05-05 12:18 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-12 11:01 . 2010-06-12 14:49 171276 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
2010-04-10 16:05 . 2010-04-10 16:05 65328 ----a-w- c:\windows\AppPatch\matsshim.dll
.
CODE
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\DAEMON Tools Lite\DTLite .exe
c:\program files\iTunes\iTunesHelper .exe
c:\program files\QuickTime\QTTask    .exe
c:\program files\Recycle\ReCyclePatch .exe
c:\program files\Winamp\winampa .exe
c:\program files\Windows Live\Messenger\msnmsgr .exe
c:\windows\BBStore\DSS\dssagent .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Thomas\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Thomas\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Thomas\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [N/A]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-16 3872080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\QTTask .exe -atboottime" [X]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-11-20 110184]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-11-20 12669544]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [N/A]
"Anti Mosquito"="e:\appz\anti_mosquito\Anti Mosquito.exe" [N/A]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10e.exe" [2010-01-27 256280]

c:\documents and settings\Thomas\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Thomas\Application Data\Dropbox\bin\Dropbox.exe [2010-2-26 21979992]
VersaPort Control Panel.lnk - c:\windows\usb-audio.deAAVersaPort\CONTROLVERSAPORT.EXE [2010-6-12 638976]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim]
2010-03-08 21:04 3972440 ----a-w- c:\program files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2010-03-19 17:27 5248312 ----a-w- c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-04-16 21:12 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2010-05-13 15:12 26192168 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2006-08-03 05:12 577536 ----a-w- c:\windows\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-04-05 13:23 1217872 ----a-w- c:\program files\Steam\Steam.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [12/06/2010 16:06 64288]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [12/06/2010 16:09 164048]
R1 mapledxp;mapledxp;c:\windows\system32\drivers\mapledxp.sys [15/01/2010 01:07 24720]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/06/2010 16:09 19024]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [04/02/2010 16:52 1352832]
R3 AA_VERSAPORT;usb-audio.de driver for American Audio VersaPort;c:\windows\system32\drivers\aavportu.sys [12/06/2010 16:22 366592]
R3 AA_VERSAPORT_A_WDM;VersaPort WDM Audio;c:\windows\system32\drivers\aavporta.sys [12/06/2010 16:22 33792]
R3 GETND5BV;VIA Velocity Family Gigabit Ethernet Adapter Driver;c:\windows\system32\drivers\getnd5bv.sys [14/01/2010 18:27 49152]
S3 cpuz130;cpuz130;\??\c:\docume~1\Thomas\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\Thomas\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]
S3 CtPmFilt;CtPmFilt;c:\windows\system32\drivers\CtPmFilt.sys [15/01/2010 12:55 18176]
S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\Microsoft Fix it Center\Matsvc.exe [10/04/2010 17:05 266544]
S3 ScratchAmp;ScratchAmp Driver (ScratchAmp.sys);c:\windows\system32\drivers\ScratchAmp.sys [22/06/2010 22:58 22912]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe --> c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [14/01/2010 21:11 691696]
.
Contents of the 'Scheduled Tasks' folder

2010-06-30 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 21:46]

2010-06-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
TCP: {2DA4003D-E0A6-4A37-81F5-9E3CEA40912C} = 194.168.4.100,194.168.8.100
FF - ProfilePath - c:\documents and settings\Thomas\Application Data\Mozilla\Firefox\Profiles\67sa55tu.Rusty\
FF - prefs.js: browser.search.selectedEngine - YouTube Video Search
FF - prefs.js: browser.search.selectedengine - YouTube Video Search
FF - component: c:\documents and settings\Thomas\Application Data\Mozilla\Firefox\Profiles\67sa55tu.Rusty\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, falsec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-30 09:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Anti Mosquito = e:\appz\anti_mosquito\Anti Mosquito.exe????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3088)
c:\documents and settings\Thomas\Application Data\Dropbox\bin\DropboxExt.13.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\program files\drahtwerk\iWebcamera\iWebcameraApp.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2010-06-30 09:47:43 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-30 08:47

Pre-Run: 46,330,200,064 bytes free
Post-Run: 46,383,431,680 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 5031E71DD6C85EF22BA876CA6F7B4E87


#7 Farbar

    Just Curious

  • Security Developer
  • 21,708 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:01:50 AM

Posted 30 June 2010 - 04:43 AM

Well done.

Close any open browsers.

Open notepad (start > All Programs > Accessories > Notepad) and copy/paste the text in the code box below into it:

CODE
File::
c:\windows\Wpuzeyakiwi.bin
c:\windows\Yveyi.dat
RenV::
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\DAEMON Tools Lite\DTLite .exe
c:\program files\iTunes\iTunesHelper .exe
c:\program files\QuickTime\QTTask    .exe
c:\program files\Recycle\ReCyclePatch .exe
c:\program files\Winamp\winampa .exe
c:\program files\Windows Live\Messenger\msnmsgr .exe
c:\windows\BBStore\DSS\dssagent .exe


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you ("C:\ComboFix.txt"). Please copy and paste the log to your reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
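As an added dry-run example (not ComboFix's own code and not part of Farbar's instructions), the following Python parses the File:: and RenV:: sections of the CFScript above and shows what each RenV:: line would restore before the script is actually run. It assumes that a RenV:: entry names a legitimate executable whose name had whitespace inserted before its extension (the pattern visible in the entries above) and that restoring means removing that whitespace; the filesystem view it audits against is constructed.

```python
"""Dry-run auditor for a ComboFix CFScript: what File:: deletes and RenV:: restores."""
import os
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# A CFScript section header is a directive name followed by "::" on its own line.
SECTION_RE = re.compile(r"^([A-Za-z]+)::$")
# Whitespace wedged directly in front of the final extension, e.g. "QTTask    .exe".
# Because the match is anchored at the end of the string, searching the full path
# is the same as searching just the file name.
VICTIM_RE = re.compile(r"[ \t]+(?=\.[A-Za-z0-9]+$)")

# The CFScript posted in the thread (File:: entries are deleted, RenV:: entries restored).
SAMPLE_CFSCRIPT = r"""
File::
c:\windows\Wpuzeyakiwi.bin
c:\windows\Yveyi.dat
RenV::
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\DAEMON Tools Lite\DTLite .exe
c:\program files\iTunes\iTunesHelper .exe
c:\program files\QuickTime\QTTask    .exe
c:\program files\Recycle\ReCyclePatch .exe
c:\program files\Winamp\winampa .exe
c:\program files\Windows Live\Messenger\msnmsgr .exe
c:\windows\BBStore\DSS\dssagent .exe
"""

# Constructed filesystem view (an assumption, not the real machine): the two dropped
# files, three renamed victims, and one restore target that is already occupied.
SAMPLE_FS = {
    r"c:\windows\Wpuzeyakiwi.bin",
    r"c:\windows\Yveyi.dat",
    r"c:\program files\QuickTime\QTTask    .exe",
    r"c:\program files\iTunes\iTunesHelper .exe",
    r"c:\program files\Winamp\winampa .exe",
    r"c:\program files\Winamp\winampa.exe",
}


@dataclass
class CFScript:
    files: List[str] = field(default_factory=list)  # File:: paths ComboFix will delete
    renv: List[str] = field(default_factory=list)   # RenV:: paths ComboFix will restore


@dataclass
class RenvFinding:
    victim: str            # path exactly as listed under RenV::
    target: str            # name it would be restored to
    victim_exists: bool    # nothing to restore if False
    target_occupied: bool  # a file already sits at the restored name: inspect it first


def parse_cfscript(text: str) -> CFScript:
    """Collect File:: and RenV:: entries; other CFScript sections are ignored here."""
    script = CFScript()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1).lower()
            continue
        if section == "file":
            script.files.append(line)
        elif section == "renv":
            # strip() only trims the line ends, so the inner run of spaces in
            # "QTTask    .exe" (the whole point of a RenV:: entry) is preserved.
            script.renv.append(line)
    return script


def restored_name(victim: str) -> str:
    """Assumed restore rule: drop the whitespace wedged before the extension."""
    return VICTIM_RE.sub("", victim)


def is_victim_name(path: str) -> bool:
    """True when a path carries the whitespace-before-extension pattern."""
    return VICTIM_RE.search(path) is not None


def audit(script: CFScript, exists: Callable[[str], bool] = os.path.exists) -> List[RenvFinding]:
    """Dry run: what each RenV:: line would do against the given filesystem view."""
    return [RenvFinding(v, restored_name(v), exists(v), exists(restored_name(v)))
            for v in script.renv]


def summarize(script: CFScript, findings: List[RenvFinding]) -> Dict[str, int]:
    """Counts a helper would glance at before letting the script run."""
    return {
        "delete": len(script.files),
        "restore": len(findings),
        "victims_missing": sum(not f.victim_exists for f in findings),
        "targets_occupied": sum(f.target_occupied for f in findings),
    }


if __name__ == "__main__":
    cf = parse_cfscript(SAMPLE_CFSCRIPT)
    results = audit(cf, SAMPLE_FS.__contains__)
    for f in results:
        flag = "OCCUPIED" if f.target_occupied else "ok      "
        print(f"{flag} {f.victim!r} -> {f.target!r}")
    print(summarize(cf, results))
```

Pass `os.path.exists` (the default) instead of the constructed set to audit a real CFScript against a live disk, after which every OCCUPIED line deserves a look before the script is run.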


#8 Tommynumber
  • Topic Starter

  • Members
  • 11 posts
  • Gender:Male
  • Location:Stafford UK
  • Local time:12:50 AM

Posted 01 July 2010 - 07:11 AM

Thanks for all your clear instructions! Here are the results from the log:

ComboFix 10-06-30.03 - Thomas 01/07/2010 11:13:55.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1791.1208 [GMT 1:00]
Running from: c:\documents and settings\Thomas\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Thomas\Desktop\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FILE ::
"c:\windows\Wpuzeyakiwi.bin"
"c:\windows\Yveyi.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Wpuzeyakiwi.bin
c:\windows\Yveyi.dat

.
((((((((((((((((((((((((( Files Created from 2010-06-01 to 2010-07-01 )))))))))))))))))))))))))))))))
.

2010-06-29 14:40 . 2010-06-29 14:40 -------- d-----w- c:\program files\drahtwerk
2010-06-22 21:58 . 2003-01-31 14:41 22912 ----a-w- c:\windows\system32\drivers\ScratchAmp.sys
2010-06-22 21:56 . 2010-06-22 21:56 -------- d-----w- c:\program files\DAMN NFO Viewer
2010-06-22 12:29 . 2010-06-22 12:29 -------- d-----w- c:\program files\Common Files\Skype
2010-06-22 08:47 . 2010-06-22 08:47 -------- d-----w- c:\program files\iPod
2010-06-22 08:38 . 2010-06-22 08:38 72504 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2010-06-21 09:00 . 2010-06-21 09:00 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-06-21 09:00 . 2010-06-21 09:00 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-20 20:52 . 2010-06-20 20:52 -------- d-----w- c:\program files\Microsoft
2010-06-20 20:37 . 2010-06-20 20:41 -------- d-----w- c:\documents and settings\Thomas\Contacts
2010-06-20 20:36 . 2010-06-20 20:48 -------- d-----w- c:\program files\MSN Messenger
2010-06-20 20:28 . 2010-06-20 20:28 -------- d-----w- c:\documents and settings\All Users\Application Data\WLInstaller
2010-06-12 21:18 . 2010-06-12 15:06 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-06-12 15:22 . 2008-08-15 07:44 33792 ----a-r- c:\windows\system32\drivers\aavporta.sys
2010-06-12 15:22 . 2008-08-15 07:44 366592 ----a-r- c:\windows\system32\drivers\aavportu.sys
2010-06-12 15:17 . 2008-04-13 23:15 60032 -c--a-w- c:\windows\system32\dllcache\usbaudio.sys
2010-06-12 15:17 . 2008-04-13 23:15 60032 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys
2010-06-12 15:09 . 2010-05-06 20:39 164048 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-06-12 15:09 . 2010-05-06 20:33 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-06-12 15:09 . 2010-05-06 20:34 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-06-12 15:09 . 2010-05-06 20:39 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-06-12 15:09 . 2010-05-06 20:33 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-06-12 15:09 . 2010-05-06 20:33 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-06-12 15:09 . 2010-05-06 20:33 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-06-12 15:08 . 2010-05-06 20:59 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-06-12 15:08 . 2010-05-06 20:59 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-06-12 15:08 . 2010-06-12 15:08 -------- d-----w- c:\program files\Alwil Software
2010-06-12 15:08 . 2010-06-12 15:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-06-12 15:06 . 2010-06-12 15:06 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-06-12 15:06 . 2010-06-12 15:06 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-06-12 15:05 . 2010-02-04 15:53 2954656 -c--a-w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-06-12 15:00 . 2010-06-12 15:00 -------- d-----w- c:\documents and settings\All Users\Uniblue
2010-06-12 14:55 . 2010-06-12 14:56 8258496 ----a-w- c:\documents and settings\Thomas\Application Data\Uniblue\DriverScanner\LatestUpdate.exe
2010-06-12 14:51 . 2010-06-12 14:51 -------- d-----w- c:\windows\system32\wbem\Repository
2010-06-12 00:50 . 2010-06-12 15:05 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-06-12 00:49 . 2010-06-12 00:50 -------- d-----w- c:\program files\Lavasoft
2010-06-11 23:27 . 2010-06-13 04:47 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-06-11 19:06 . 2010-06-12 15:27 -------- d-----w- c:\windows\usb-audio.deAAVersaPort
2010-06-11 18:54 . 2010-06-12 14:51 -------- d-----w- c:\program files\ASIO4ALL v2
2010-06-10 23:36 . 2010-06-10 23:36 -------- d-----w- c:\documents and settings\All Users\Application Data\2DBoy
2010-06-10 10:58 . 2010-06-10 10:58 -------- d-----w- c:\documents and settings\Thomas\Local Settings\Application Data\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-01 10:13 . 2010-05-02 08:02 -------- d-----w- c:\program files\iTunes
2010-07-01 10:13 . 2010-03-09 12:42 -------- d-----w- c:\program files\Recycle
2010-07-01 10:13 . 2010-02-09 11:38 -------- d-----w- c:\program files\QuickTime
2010-07-01 10:13 . 2010-01-14 20:11 -------- d-----w- c:\program files\DAEMON Tools Lite
2010-07-01 10:13 . 2010-01-14 18:43 -------- d-----w- c:\program files\Winamp
2010-07-01 10:10 . 2010-01-21 22:00 -------- d-----w- c:\documents and settings\Thomas\Application Data\Dropbox
2010-07-01 09:53 . 2010-01-21 04:46 -------- d-----w- c:\documents and settings\Thomas\Application Data\uTorrent
2010-06-30 12:21 . 2010-01-14 20:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Soulseek
2010-06-30 08:04 . 2010-03-04 20:24 -------- d-----w- c:\documents and settings\Thomas\Application Data\vlc
2010-06-28 12:01 . 2010-01-17 14:29 15872 ----a-w- c:\documents and settings\Thomas\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-28 11:44 . 2010-01-14 23:27 -------- d-----w- c:\program files\Common Files\Adobe
2010-06-23 13:36 . 2010-01-21 13:00 -------- d-----w- c:\documents and settings\Thomas\Application Data\Skype
2010-06-23 11:37 . 2010-01-21 13:03 -------- d-----w- c:\documents and settings\Thomas\Application Data\skypePM
2010-06-22 21:55 . 2010-05-07 17:26 -------- d-----w- c:\program files\Native Instruments
2010-06-22 08:47 . 2010-01-16 23:20 -------- d-----w- c:\program files\Common Files\Apple
2010-06-22 08:41 . 2010-01-16 23:21 -------- d-----w- c:\program files\Bonjour
2010-06-21 17:33 . 2010-01-14 20:42 -------- d-----w- c:\documents and settings\Thomas\Application Data\dvdcss
2010-06-20 20:52 . 2010-01-19 11:55 -------- d-----w- c:\program files\Windows Live
2010-06-20 14:28 . 2010-06-17 14:31 112 ----a-w- c:\documents and settings\All Users\Application Data\3d2w8p1y4.dat
2010-06-12 18:57 . 2010-01-17 09:28 -------- d-----w- c:\program files\POL
2010-06-12 14:58 . 2010-04-30 22:35 -------- d-----w- c:\documents and settings\All Users\Application Data\DriverScanner
2010-06-12 14:50 . 2010-01-14 18:46 -------- d-----w- c:\program files\VirtualDJ
2010-06-12 00:49 . 2010-02-07 01:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-06-11 19:29 . 2010-01-21 04:46 -------- d-----w- c:\program files\uTorrent
2010-05-25 11:33 . 2010-01-21 13:19 -------- d-----w- c:\program files\Steam
2010-05-25 07:39 . 2010-05-13 14:59 -------- d-----w- c:\program files\Defraggler
2010-05-25 07:39 . 2010-01-14 18:31 -------- d-----w- c:\program files\CCleaner
2010-05-24 12:36 . 2010-05-24 12:36 -------- d-----w- c:\program files\Karen's Power Tools
2010-05-24 12:36 . 2010-05-24 12:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Karen's Power Tools
2010-05-22 02:58 . 2010-05-22 02:58 61440 ----a-w- c:\documents and settings\Thomas\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-6361d1bd-n\decora-sse.dll
2010-05-22 02:58 . 2010-05-22 02:58 503808 ----a-w- c:\documents and settings\Thomas\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4a91dc04-n\msvcp71.dll
2010-05-22 02:58 . 2010-05-22 02:58 499712 ----a-w- c:\documents and settings\Thomas\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4a91dc04-n\jmc.dll
2010-05-22 02:58 . 2010-05-22 02:58 348160 ----a-w- c:\documents and settings\Thomas\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4a91dc04-n\msvcr71.dll
2010-05-22 02:58 . 2010-05-22 02:58 12800 ----a-w- c:\documents and settings\Thomas\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-6361d1bd-n\decora-d3d.dll
2010-05-18 15:35 . 2010-05-18 15:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 15:35 . 2010-05-18 15:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-14 03:18 . 2010-05-14 03:18 -------- d-----w- c:\program files\Winamp Detect
2010-05-13 16:13 . 2010-01-15 11:56 -------- d-----w- c:\program files\Creative
2010-05-13 14:55 . 2010-05-13 14:55 -------- d-----w- c:\program files\FileHippo.com
2010-05-13 14:53 . 2010-05-13 14:47 -------- d-----w- c:\program files\SpeedFan
2010-05-08 19:44 . 2010-03-25 10:33 -------- d-----w- c:\program files\Yahoo!
2010-05-07 17:46 . 2010-05-07 17:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-05-07 17:26 . 2010-05-07 17:26 -------- d-----w- c:\program files\Common Files\Digidesign
2010-05-07 17:26 . 2010-05-07 17:26 -------- d-----w- c:\program files\Common Files\Native Instruments
2010-05-07 15:55 . 2010-05-06 13:00 -------- d-----w- c:\program files\Simple Port Forwarding
2010-05-07 13:30 . 2010-05-07 13:30 -------- d-----w- c:\program files\Microsoft Fix it Center
2010-05-06 23:26 . 2010-02-08 18:24 -------- d-----w- c:\documents and settings\Thomas\Application Data\NoNameScript
2010-05-06 23:26 . 2010-02-08 18:17 -------- d-----w- c:\program files\mIRC
2010-05-05 12:18 . 2010-02-02 23:43 -------- d-----w- c:\program files\Java
2010-05-02 05:22 . 2008-04-14 00:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30 . 2008-04-14 04:39 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-16 21:12 . 2010-04-16 21:12 48464 ----a-w- c:\windows\system32\sirenacm.dll
2010-04-16 16:09 . 2008-04-14 04:42 667136 ----a-w- c:\windows\system32\wininet.dll
2010-04-16 16:09 . 2008-04-14 04:41 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-04-16 07:33 . 2010-01-16 23:20 41472 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2010-04-16 07:33 . 2010-01-16 23:20 3003680 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-04-12 16:29 . 2010-05-05 12:18 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-12 11:01 . 2010-06-12 14:49 171276 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
2010-04-10 16:05 . 2010-04-10 16:05 65328 ----a-w- c:\windows\AppPatch\matsshim.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-06-30_08.39.12 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-01 10:08 . 2010-07-01 10:08 16384 c:\windows\Temp\Perflib_Perfdata_7c.dat
+ 2010-03-30 23:16 . 2010-03-30 23:16 99176 c:\windows\system32\PresentationHostProxy.dll
+ 2001-08-23 11:00 . 2010-06-30 09:40 73596 c:\windows\system32\perfc009.dat
- 2001-08-23 11:00 . 2010-06-10 14:26 73596 c:\windows\system32\perfc009.dat
+ 2009-11-07 00:07 . 2009-11-07 00:07 49488 c:\windows\system32\netfxperf.dll
+ 2009-11-07 00:07 . 2009-11-07 00:07 13648 c:\windows\Microsoft.NET\Framework\v2.0.50727\sbscmp20_mscorlib.dll
+ 2009-11-07 00:07 . 2009-11-07 00:07 13648 c:\windows\Microsoft.NET\Framework\SharedReg12.dll
+ 2009-11-07 00:07 . 2009-11-07 00:07 13648 c:\windows\Microsoft.NET\Framework\sbscmp20_perfcounter.dll
+ 2009-11-07 00:07 . 2009-11-07 00:07 13648 c:\windows\Microsoft.NET\Framework\sbscmp20_mscorwks.dll
+ 2009-11-07 00:07 . 2009-11-07 00:07 13648 c:\windows\Microsoft.NET\Framework\sbscmp10.dll
+ 2009-11-07 00:07 . 2009-11-07 00:07 13664 c:\windows\Microsoft.NET\Framework\sbs_wminet_utils.dll
+ 2009-11-07 00:07 . 2009-11-07 00:07 13688 c:\windows\Microsoft.NET\Framework\sbs_system.enterpriseservices.dll
+ 2009-11-07 00:07 . 2009-11-07 00:07 13664 c:\windows\Microsoft.NET\Framework\sbs_system.data.dll
+ 2009-11-07 00:07 . 2009-11-07 00:07 13696 c:\windows\Microsoft.NET\Framework\sbs_system.configuration.install.dll
+ 2009-11-07 00:07 . 2009-11-07 00:07 13656 c:\windows\Microsoft.NET\Framework\sbs_mscorsec.dll
+ 2009-11-07 00:07 . 2009-11-07 00:07 13656 c:\windows\Microsoft.NET\Framework\sbs_mscorrc.dll
+ 2009-11-07 00:07 . 2009-11-07 00:07 13656 c:\windows\Microsoft.NET\Framework\sbs_mscordbi.dll
+ 2009-11-07 00:07 . 2009-11-07 00:07 13672 c:\windows\Microsoft.NET\Framework\sbs_microsoft.jscript.dll
+ 2009-11-07 00:07 . 2009-11-07 00:07 13664 c:\windows\Microsoft.NET\Framework\sbs_diasymreader.dll
+ 2009-11-07 00:07 . 2009-11-07 00:07 86864 c:\windows\Microsoft.NET\Framework\NETFXSBS10.exe
+ 2010-06-30 09:42 . 2010-06-30 09:42 60928 c:\windows\assembly\NativeImages_v2.0.50727_32\UIAutomationProvider\ea1b4fbde0e772748c6ac42d627cf684\UIAutomationProvider.ni.dll
+ 2010-06-30 11:00 . 2010-06-30 11:00 37888 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Pres#\f46915dfc57bc7e49c5402e9b8f7ec18\System.Windows.Presentation.ni.dll
+ 2010-06-30 09:41 . 2010-06-30 09:41 47104 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFontCac#\18729514178d458aa1225dd068718d4e\PresentationFontCache.ni.exe
+ 2010-06-30 09:41 . 2010-06-30 09:41 39424 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationCFFRast#\0375dfa28e2f6ef7e89df9edede4b83d\PresentationCFFRasterizer.ni.dll
+ 2010-06-30 09:39 . 2010-06-30 09:39 77824 c:\windows\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
- 2010-06-10 14:25 . 2010-06-10 14:25 77824 c:\windows\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
- 2010-06-10 14:25 . 2010-06-10 14:25 81920 c:\windows\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
+ 2010-06-30 09:39 . 2010-06-30 09:39 81920 c:\windows\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
- 2010-06-10 14:26 . 2010-06-10 14:26 81920 c:\windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
+ 2010-06-30 09:39 . 2010-06-30 09:39 81920 c:\windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
+ 2010-06-30 09:39 . 2010-06-30 09:39 32768 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
- 2010-06-10 14:25 . 2010-06-10 14:25 32768 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
- 2010-06-10 14:25 . 2010-06-10 14:25 12800 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
+ 2010-06-30 09:39 . 2010-06-30 09:39 12800 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
+ 2010-06-30 09:39 . 2010-06-30 09:39 28672 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
- 2010-06-10 14:25 . 2010-06-10 14:25 28672 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
+ 2010-06-30 09:39 . 2010-06-30 09:39 77824 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
- 2010-06-10 14:26 . 2010-06-10 14:26 77824 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
+ 2010-06-30 09:39 . 2010-06-30 09:39 36864 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
- 2010-06-10 14:26 . 2010-06-10 14:26 36864 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
+ 2010-06-30 09:39 . 2010-06-30 09:39 77824 c:\windows\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
- 2010-06-10 14:25 . 2010-06-10 14:25 77824 c:\windows\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
- 2010-06-10 14:25 . 2010-06-10 14:25 13312 c:\windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
+ 2010-06-30 09:39 . 2010-06-30 09:39 13312 c:\windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
+ 2010-06-30 09:39 . 2010-06-30 09:39 10752 c:\windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
- 2010-06-10 14:25 . 2010-06-10 14:25 10752 c:\windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
+ 2010-06-30 09:39 . 2010-06-30 09:39 72192 c:\windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
- 2010-06-10 14:25 . 2010-06-10 14:25 72192 c:\windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
+ 2010-06-30 09:39 . 2010-06-30 09:39 69120 c:\windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
- 2010-06-10 14:25 . 2010-06-10 14:25 69120 c:\windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
- 2010-06-10 14:25 . 2010-06-10 14:25 8192 c:\windows\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e\IEExecRemote.dll
+ 2010-06-30 09:39 . 2010-06-30 09:39 8192 c:\windows\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e\IEExecRemote.dll
- 2010-06-10 14:25 . 2010-06-10 14:25 7168 c:\windows\assembly\GAC_MSIL\Microsoft_VsaVb\8.0.0.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll
+ 2010-06-30 09:39 . 2010-06-30 09:39 7168 c:\windows\assembly\GAC_MSIL\Microsoft_VsaVb\8.0.0.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll
- 2010-06-10 14:26 . 2010-06-10 14:26 5632 c:\windows\assembly\GAC_MSIL\Microsoft.VisualC\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll
+ 2010-06-30 09:39 . 2010-06-30 09:39 5632 c:\windows\assembly\GAC_MSIL\Microsoft.VisualC\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll
+ 2010-06-30 09:39 . 2010-06-30 09:39 6656 c:\windows\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll
- 2010-06-10 14:25 . 2010-06-10 14:25 6656 c:\windows\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll
- 2010-06-10 14:25 . 2010-06-10 14:25 8192 c:\windows\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\IEExecRemote.dll
+ 2010-06-30 09:39 . 2010-06-30 09:39 8192 c:\windows\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\IEExecRemote.dll
- 2010-06-10 14:25 . 2010-06-10 14:25 113664 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.Wrapper.dll
+ 2010-06-30 09:39 . 2010-06-30 09:39 113664 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.Wrapper.dll
- 2010-06-10 14:25 . 2010-06-10 14:25 258048 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll
+ 2010-06-30 09:39 . 2010-06-30 09:39 258048 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll
+ 2010-03-30 23:10 . 2010-03-30 23:10 295264 c:\windows\system32\PresentationHost.exe
+ 2001-08-23 11:00 . 2010-06-30 09:40 447614 c:\windows\system32\perfh009.dat
- 2001-08-23 11:00 . 2010-06-10 14:26 447614 c:\windows\system32\perfh009.dat
+ 2009-11-07 00:07 . 2009-11-07 00:07 297808 c:\windows\system32\mscoree.dll
+ 2010-03-30 23:16 . 2010-03-30 23:16 130408 c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationHostDLL.dll
+ 2010-02-25 23:46 . 1998-11-24 13:21 546304 c:\windows\BBStore\DSS\dssagent.exe
+ 2010-06-30 09:42 . 2010-06-30 09:42 240128 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsFormsIntegra#\b3a9fac9aea3ad913781fafbdcbb0cae\WindowsFormsIntegration.ni.dll
+ 2010-06-30 09:42 . 2010-06-30 09:42 447488 c:\windows\assembly\NativeImages_v2.0.50727_32\UIAutomationClient\4131a3627fec69291dbaed236f30dc65\UIAutomationClient.ni.dll
+ 2010-06-30 09:42 . 2010-06-30 09:42 368128 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\a10c2c7e38291c3ada631ad13e762818\PresentationFramework.Aero.ni.dll
+ 2010-06-30 09:42 . 2010-06-30 09:42 539648 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\7579c76fa81eb309d3170b62467be58d\PresentationFramework.Luna.ni.dll
+ 2010-06-30 09:42 . 2010-06-30 09:42 224768 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\3bef0992fb684e71dbfab5c0a99316af\PresentationFramework.Classic.ni.dll
+ 2010-06-30 09:42 . 2010-06-30 09:42 258048 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\2f6687d394813d760496f60acf046384\PresentationFramework.Royale.ni.dll
- 2010-06-10 14:25 . 2010-06-10 14:25 839680 c:\windows\assembly\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\System.Web.Services.dll
+ 2010-06-30 09:39 . 2010-06-30 09:39 839680 c:\windows\assembly\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\System.Web.Services.dll
- 2010-06-10 14:25 . 2010-06-10 14:25 835584 c:\windows\assembly\GAC_MSIL\System.Web.Mobile\2.0.0.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
+ 2010-06-30 09:39 . 2010-06-30 09:39 835584 c:\windows\assembly\GAC_MSIL\System.Web.Mobile\2.0.0.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
+ 2010-06-30 09:39 . 2010-06-30 09:39 114688 c:\windows\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
- 2010-06-10 14:25 . 2010-06-10 14:25 114688 c:\windows\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
- 2010-06-10 14:25 . 2010-06-10 14:25 258048 c:\windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll
+ 2010-06-30 09:39 . 2010-06-30 09:39 258048 c:\windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll
+ 2010-06-30 09:39 . 2010-06-30 09:39 131072 c:\windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
- 2010-06-10 14:25 . 2010-06-10 14:25 131072 c:\windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
+ 2010-06-30 09:39 . 2010-06-30 09:39 303104 c:\windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
- 2010-06-10 14:25 . 2010-06-10 14:25 303104 c:\windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
- 2010-06-10 14:26 . 2010-06-10 14:26 258048 c:\windows\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll
+ 2010-06-30 09:39 . 2010-06-30 09:39 258048 c:\windows\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll
- 2010-06-10 14:26 . 2010-06-10 14:26 372736 c:\windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
+ 2010-06-30 09:39 . 2010-06-30 09:39 372736 c:\windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
+ 2010-06-30 09:39 . 2010-06-30 09:39 626688 c:\windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
- 2010-06-10 14:25 . 2010-06-10 14:25 626688 c:\windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
+ 2010-06-30 09:39 . 2010-06-30 09:39 401408 c:\windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
- 2010-06-10 14:25 . 2010-06-10 14:25 401408 c:\windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
+ 2010-06-30 09:39 . 2010-06-30 09:39 188416 c:\windows\assembly\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll
- 2010-06-10 14:25 . 2010-06-10 14:25 188416 c:\windows\assembly\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll
- 2010-06-10 14:26 . 2010-06-10 14:26 970752 c:\windows\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
+ 2010-06-30 09:40 . 2010-06-30 09:40 970752 c:\windows\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
- 2010-06-10 14:26 . 2010-06-10 14:26 745472 c:\windows\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
+ 2010-06-30 09:39 . 2010-06-30 09:39 745472 c:\windows\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
+ 2010-06-30 09:39 . 2010-06-30 09:39 425984 c:\windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll
- 2010-06-10 14:26 . 2010-06-10 14:26 425984 c:\windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll
- 2010-06-10 14:26 . 2010-06-10 14:26 110592 c:\windows\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll
+ 2010-06-30 09:39 . 2010-06-30 09:39 110592 c:\windows\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll
- 2010-06-10 14:25 . 2010-06-10 14:25 659456 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
+ 2010-06-30 09:39 . 2010-06-30 09:39 659456 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
+ 2010-06-30 09:39 . 2010-06-30 09:39 372736 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll
- 2010-06-10 14:25 . 2010-06-10 14:25 372736 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll
- 2010-06-10 14:25 . 2010-06-10 14:25 110592 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll
+ 2010-06-30 09:39 . 2010-06-30 09:39 110592 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll
- 2010-06-10 14:25 . 2010-06-10 14:25 749568 c:\windows\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
+ 2010-06-30 09:39 . 2010-06-30 09:39 749568 c:\windows\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
+ 2010-06-30 09:39 . 2010-06-30 09:39 655360 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll
- 2010-06-10 14:26 . 2010-06-10 14:26 655360 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll
- 2010-06-10 14:25 . 2010-06-10 14:25 348160 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll
+ 2010-06-30 09:39 . 2010-06-30 09:39 348160 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll
- 2010-06-10 14:25 . 2010-06-10 14:25 507904 c:\windows\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll
+ 2010-06-30 09:39 . 2010-06-30 09:39 507904 c:\windows\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll
- 2010-06-10 14:25 . 2010-06-10 14:25 261632 c:\windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
+ 2010-06-30 09:39 . 2010-06-30 09:39 261632 c:\windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
+ 2010-06-30 09:39 . 2010-06-30 09:39 113664 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll
- 2010-06-10 14:25 . 2010-06-10 14:25 113664 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll
- 2010-06-10 14:25 . 2010-06-10 14:25 258048 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
+ 2010-06-30 09:39 . 2010-06-30 09:39 258048 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
- 2010-06-10 14:26 . 2010-06-10 14:26 486400 c:\windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll
+ 2010-06-30 09:39 . 2010-06-30 09:39 486400 c:\windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll
+ 2009-11-07 00:06 . 2009-11-07 00:06 1130824 c:\windows\system32\dfshim.dll
+ 2009-11-08 23:25 . 2009-11-08 23:25 1935360 c:\windows\Installer\38309f.msp
+ 2010-06-30 09:41 . 2010-06-30 09:41 3325440 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsBase\d63164ac4ed5adabc6a1b0fdf07eee05\WindowsBase.ni.dll
+ 2010-06-30 09:42 . 2010-06-30 09:42 1049600 c:\windows\assembly\NativeImages_v2.0.50727_32\UIAutomationClients#\d8549ce90b26cdc3071224ab6f020189\UIAutomationClientsideProviders.ni.dll
+ 2010-06-30 09:42 . 2010-06-30 09:42 1035264 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Printing\af217ef58e5558991f331d482c2bdba6\System.Printing.ni.dll
+ 2010-06-30 09:42 . 2010-06-30 09:42 2128896 c:\windows\assembly\NativeImages_v2.0.50727_32\ReachFramework\57abb757c1f38586390dcc63bf056322\ReachFramework.ni.dll
+ 2010-06-30 09:42 . 2010-06-30 09:42 1657856 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationUI\0095ba60255d4addaf5b8ebee697a027\PresentationUI.ni.dll
+ 2010-06-30 09:40 . 2010-06-30 09:40 1249280 c:\windows\assembly\GAC_MSIL\WindowsBase\3.0.0.0__31bf3856ad364e35\WindowsBase.dll
- 2010-06-10 14:26 . 2010-06-10 14:26 3182592 c:\windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
+ 2010-06-30 09:40 . 2010-06-30 09:40 3182592 c:\windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
- 2010-06-10 14:26 . 2010-06-10 14:26 2048000 c:\windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
+ 2010-06-30 09:40 . 2010-06-30 09:40 2048000 c:\windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
- 2010-06-10 14:25 . 2010-06-10 14:25 5025792 c:\windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
+ 2010-06-30 09:39 . 2010-06-30 09:39 5025792 c:\windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
- 2010-06-10 14:25 . 2010-06-10 14:25 5062656 c:\windows\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll
+ 2010-06-30 09:39 . 2010-06-30 09:39 5062656 c:\windows\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll
+ 2010-06-30 09:40 . 2010-06-30 09:40 5279744 c:\windows\assembly\GAC_MSIL\PresentationFramework\3.0.0.0__31bf3856ad364e35\PresentationFramework.dll
+ 2010-06-30 09:39 . 2010-06-30 09:39 5242880 c:\windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
- 2010-06-10 14:25 . 2010-06-10 14:25 5242880 c:\windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
- 2010-06-10 14:26 . 2010-06-10 14:26 2933248 c:\windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
+ 2010-06-30 09:39 . 2010-06-30 09:39 2933248 c:\windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
- 2010-04-20 10:35 . 2010-04-20 10:35 4210688 c:\windows\assembly\GAC_32\PresentationCore\3.0.0.0__31bf3856ad364e35\PresentationCore.dll
+ 2010-06-30 09:40 . 2010-06-30 09:40 4210688 c:\windows\assembly\GAC_32\PresentationCore\3.0.0.0__31bf3856ad364e35\PresentationCore.dll
+ 2010-06-30 09:39 . 2010-06-30 09:39 4546560 c:\windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
- 2010-06-10 14:26 . 2010-06-10 14:26 4546560 c:\windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
+ 2010-03-31 00:23 . 2010-03-31 00:23 15638528 c:\windows\Installer\3830ae.msp
+ 2010-06-30 09:42 . 2010-06-30 09:42 14328320 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\560662ada034afb6ec78a152bd9a47b5\PresentationFramework.ni.dll
+ 2010-06-30 09:41 . 2010-06-30 09:41 12215808 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationCore\9f5dff344ac6ac923b5ade8ba1ab9382\PresentationCore.ni.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Thomas\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Thomas\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Thomas\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-16 3872080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\QTTask .exe -atboottime" [X]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-11-20 110184]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-11-20 12669544]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2010-01-13 37888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10e.exe" [2010-01-27 256280]

c:\documents and settings\Thomas\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Thomas\Application Data\Dropbox\bin\Dropbox.exe [2010-2-26 21979992]
VersaPort Control Panel.lnk - c:\windows\usb-audio.deAAVersaPort\CONTROLVERSAPORT.EXE [2010-6-12 638976]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim]
2010-03-08 21:04 3972440 ----a-w- c:\program files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2010-03-19 17:27 5248312 ----a-w- c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-04-16 21:12 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2010-05-13 15:12 26192168 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2006-08-03 05:12 577536 ----a-w- c:\windows\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-04-05 13:23 1217872 ----a-w- c:\program files\Steam\Steam.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\SoulseekNS\\slsk.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\drahtwerk\\iWebcamera\\iWebcameraApp.exe"=
"c:\\Program Files\\AIM\\aim.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [12/06/2010 16:06 64288]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [12/06/2010 16:09 164048]
R1 mapledxp;mapledxp;c:\windows\system32\drivers\mapledxp.sys [15/01/2010 01:07 24720]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/06/2010 16:09 19024]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [04/02/2010 16:52 1352832]
R3 AA_VERSAPORT;usb-audio.de driver for American Audio VersaPort;c:\windows\system32\drivers\aavportu.sys [12/06/2010 16:22 366592]
R3 AA_VERSAPORT_A_WDM;VersaPort WDM Audio;c:\windows\system32\drivers\aavporta.sys [12/06/2010 16:22 33792]
R3 GETND5BV;VIA Velocity Family Gigabit Ethernet Adapter Driver;c:\windows\system32\drivers\getnd5bv.sys [14/01/2010 18:27 49152]
S3 cpuz130;cpuz130;\??\c:\docume~1\Thomas\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\Thomas\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]
S3 CtPmFilt;CtPmFilt;c:\windows\system32\drivers\CtPmFilt.sys [15/01/2010 12:55 18176]
S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\Microsoft Fix it Center\Matsvc.exe [10/04/2010 17:05 266544]
S3 ScratchAmp;ScratchAmp Driver (ScratchAmp.sys);c:\windows\system32\drivers\ScratchAmp.sys [22/06/2010 22:58 22912]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe --> c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [14/01/2010 21:11 691696]
.
Contents of the 'Scheduled Tasks' folder

2010-07-01 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 21:46]

2010-06-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
TCP: {2DA4003D-E0A6-4A37-81F5-9E3CEA40912C} = 194.168.4.100,194.168.8.100
FF - ProfilePath - c:\documents and settings\Thomas\Application Data\Mozilla\Firefox\Profiles\67sa55tu.Rusty\
FF - prefs.js: browser.search.selectedEngine - YouTube Video Search
FF - prefs.js: browser.search.selectedengine - YouTube Video Search
FF - component: c:\documents and settings\Thomas\Application Data\Mozilla\Firefox\Profiles\67sa55tu.Rusty\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, falsec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Anti Mosquito - e:\appz\anti_mosquito\Anti Mosquito.exe
MSConfigStartUp-nwiz - nwiz.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-01 11:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Anti Mosquito = e:\appz\anti_mosquito\Anti Mosquito.exe????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-07-01 11:22:45
ComboFix-quarantined-files.txt 2010-07-01 10:22
ComboFix2.txt 2010-06-30 08:47

Pre-Run: 46,107,029,504 bytes free
Post-Run: 46,122,500,096 bytes free

- - End Of File - - A0E976245D0D1AA15D6428F360177180


#9 Farbar

Posted 01 July 2010 - 12:49 PM

Good job.

We have taken care of the multiple infections. But since the system was heavily infected, we want to make sure there is nothing left that can potentially reinfect the computer.

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the icon on your desktop.
  • Check
  • Click the button.
  • Accept any security warnings from your browser.
  • Check
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push
  • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the button.
  • Push

A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

#10 Farbar

Posted 05 July 2010 - 07:28 PM



This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.



