
infected with Internet Security 2011


This topic is locked
97 replies to this topic

#1 al504

al504

  • Members
  • 65 posts
  • OFFLINE
  • Local time:02:01 AM

Posted 04 January 2011 - 05:13 PM

I have the Internet Security 2011 malware as described here http://www.bleepingcomputer.com/virus-removal/remove-internet-security-2011 on my laptop. I am running Windows Vista (32 bit) with avast. I get this message on start up: "Windows Security Alert Your computer is making unauthorized copies of your system and Internet files. You should immediately run full scanning of your system to prevent any unauthorized access to your data. Click YES to run Antivirus scanner right now." along with the Internet Security 2011 window, which then starts to scan, finds a trojan or something and asks me to purchase the full version. I know this malware so I have not purchased anything; I just exit it on start up now.

When I try to remove it with Malwarebytes, i.e. start a full system scan, it closes Malwarebytes, and when I try to go back into it it says: "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." I tried following the guide in the above link but can't find the file c:\windows\WinSxS\x86_Microsoft.Windows.Shell.HWEventDetector_6595b64144ccf1df_5.2.2.3_x-ww_5390e909\shsvcs.dll
on the laptop, although I did find: c:\WINDOWS\system32\drivers\vbma92a1.sys .

I have a dds.txt and attach.txt log made using DDS, no problems there. I think I only have a partial ark.txt log (created using GMER), as when I click Scan on the GMER window it just disappears, and when I try to go back into gmer.exe it says "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." The ark.txt log that I did make is what appears on the GMER window before you click Scan, i.e. what appears just after you double-click on gmer.exe.

Attach.txt log and ark.txt log (partial, I think) are attached to the post.

DDS.txt log follows:

DDS (Ver_10-12-12.02) - NTFSx86
Run by Owner at 21:13:45.92 on Tue 01/04/2011
Internet Explorer: 8.0.6001.18999 BrowserJavaVersion: 1.6.0_22
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2037.960 [GMT 0:00]

AV: avast! antivirus *Enabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
SP: avast! antivirus *Enabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
"\\.\globalroot\Device\svchost.exe\svchost.exe"
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\Utilities\KeNotify.exe
C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\ltmoh\ltmoh.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\System32\igfxtray.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10e.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Owner\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://news.bbc.co.uk/sport
uSearch Page = hxxp://search.bearshare.com/sidebar.html?src=ssb
uSearch Bar = hxxp://search.bearshare.com/sidebar.html?src=ssb
mStart Page = hxxp://www.yahoo.com
mDefault_Page_URL = hxxp://www.yahoo.com
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = *.local;<local>
uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll
uURLSearchHooks: CommentsBar 1 Toolbar: {23ec984e-464c-4a0c-a8df-f80cb8c090e1} - c:\program files\commentsbar_1\tbComm.dll
uURLSearchHooks: H - No File
mURLSearchHooks: CommentsBar 1 Toolbar: {23ec984e-464c-4a0c-a8df-f80cb8c090e1} - c:\program files\commentsbar_1\tbComm.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: CommentsBar 1 Toolbar: {23ec984e-464c-4a0c-a8df-f80cb8c090e1} - c:\program files\commentsbar_1\tbComm.dll
BHO: ALOT Toolbar: {5aa2ba46-9913-4dc7-9620-69ab0fa17ae7} - c:\program files\alot\bin\alot.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - c:\program files\windows live\companion\companioncore.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
BHO: Sopcast Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: ALOT Toolbar: {5aa2ba46-9913-4dc7-9620-69ab0fa17ae7} - c:\program files\alot\bin\alot.dll
TB: CommentsBar 1 Toolbar: {23ec984e-464c-4a0c-a8df-f80cb8c090e1} - c:\program files\commentsbar_1\tbComm.dll
TB: Sopcast Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - No File
TB: {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - No File
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
EB: {2AA2FBF8-9C76-4E97-A226-25C5F4AB6358} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\HOMERunner.exe"
uRun: [OM_Monitor] c:\program files\olympus\olympus master\Monitor.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [NDSTray.exe] NDSTray.exe
mRun: [KeNotify] c:\program files\toshiba\utilities\KeNotify.exe
mRun: [HWSetup] c:\program files\toshiba\utilities\HWSetup.exe hwSetUP
mRun: [SVPWUTIL] c:\program files\toshiba\utilities\SVPWUTIL.exe SVPwUTIL
mRun: [Camera Assistant Software] "c:\program files\camera assistant software for toshiba\traybar.exe"
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
mRun: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
mRun: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
mRun: [LtMoh] c:\program files\ltmoh\Ltmoh.exe
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [OM_Monitor] c:\program files\olympus\olympus master\FirstStart.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRun: [LtMoh] c:\program files\ltmoh\Ltmoh.exe
StartupFolder: c:\users\owner\appdata\roaming\micros~1\windows\startm~1\programs\startup\adobem~1.lnk - c:\program files\adobe media player\Adobe Media Player.exe
StartupFolder: c:\users\owner\appdata\roaming\micros~1\windows\startm~1\programs\startup\bbcipl~1.lnk - c:\program files\bbc iplayer desktop\BBC iPlayer Desktop.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - c:\program files\windows live\companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\owner\appdata\roaming\mozilla\firefox\profiles\9tc4mwqw.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://news.bbc.co.uk/sport
FF - prefs.js: keyword.URL - hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=SPC2&o=15004&locale=en_UK&apn_uid=726B83A5-46E8-44FD-A56A-DE0D03B127B5&apn_ptnrs=PW&apn_sauid=94EDE3C6-E4C2-458F-9DA6-13598D21B5C6&apn_dtid=YYYYYYYYGB&q=
FF - component: c:\users\owner\appdata\roaming\mozilla\firefox\profiles\9tc4mwqw.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdbplug.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\veetle\vlcbroadcast\npvbp.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\owner\appdata\roaming\mozilla\firefox\profiles\9tc4mwqw.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\windows\system32\tvuax\npTVUAx.dll
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - c:\program files\mozilla firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Sopcast Ask Toolbar: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
FF - Ext: TVU Web Player: firefox@tvunetworks.com - %profile%\extensions\firefox@tvunetworks.com
FF - Ext: vShare: vshare@toolbar - %profile%\extensions\vshare@toolbar
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2010-1-7 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-1-7 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-1-7 53328]
R3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-6-13 21504]
R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2008-11-17 3668480]
S2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2010-1-7 138680]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate1c9b6e7ef441047;Google Update Service (gupdate1c9b6e7ef441047);c:\program files\google\update\GoogleUpdate.exe [2009-4-6 133104]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2010-1-7 254040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2010-1-7 352920]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2005-1-1 39272]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-9-23 1493352]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2008-7-11 47128]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [2009-3-30 239336]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2009-3-30 366936]
S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]

=============== Created Last 30 ================

2011-01-04 21:08:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-04 21:08:35 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-04 19:27:07 -------- d-----w- c:\progra~2\PC Tools
2011-01-04 18:38:12 -------- d-----w- c:\program files\GridinSoft Trojan Killer
2011-01-04 18:16:05 -------- d-----w- c:\progra~2\XoftSpySE
2011-01-04 18:16:03 -------- d-----w- c:\program files\XoftSpySE6
2011-01-04 15:00:40 6273872 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{76f68472-9a75-404f-a1d7-3cf6b3a902ee}\mpengine.dll
2010-12-17 08:29:55 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2010-12-16 19:35:42 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-12-16 19:35:42 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2010-12-16 19:34:34 -------- d-----w- c:\program files\iPod
2010-12-16 19:34:32 -------- d-----w- c:\program files\iTunes
2010-12-16 19:34:32 -------- d-----w- c:\progra~2\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-12-16 19:23:49 -------- d-----w- c:\program files\Bonjour
2010-12-11 09:59:52 -------- d-----w- c:\users\owner\Tracing

==================== Find3M ====================

2010-11-29 17:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 17:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-11-04 18:56:07 345600 ----a-w- c:\windows\system32\wmicmiplugin.dll
2010-11-04 18:55:38 352768 ----a-w- c:\windows\system32\taskschd.dll
2010-11-04 18:55:38 270336 ----a-w- c:\windows\system32\taskcomp.dll
2010-11-04 18:55:12 601600 ----a-w- c:\windows\system32\schedsvc.dll
2010-11-04 16:34:06 171520 ----a-w- c:\windows\system32\taskeng.exe
2010-11-02 06:01:54 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-02 05:57:41 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-02 05:57:27 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-11-02 05:57:11 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-11-02 05:57:11 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-11-02 05:01:31 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 04:26:10 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-11-02 04:24:44 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-10-28 15:44:56 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-10-28 13:27:47 292352 ----a-w- c:\windows\system32\atmfd.dll
2010-10-28 13:20:12 2048 ----a-w- c:\windows\system32\tzres.dll
2010-10-19 10:41:44 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-10-18 13:37:35 81920 ----a-w- c:\windows\system32\consent.exe
2010-10-18 13:31:24 2038272 ----a-w- c:\windows\system32\win32k.sys
2010-10-07 12:23:02 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-10-07 12:23:02 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-10-07 12:23:02 107808 ----a-w- c:\windows\system32\dns-sd.exe

============= FINISH: 21:14:46.16 ===============

Just to give some extra details which I forgot to mention in the previous post: I think the malware got onto the computer on the 30th December 2010, as this is when I first noticed it.

And today, 4th Jan, I did download various malware removers/scanners to try and get rid of the malware. These included XoftSpySE (I tried this a couple of times), Trojan Killer and Spy Doctor (made by PC Tools); none of these worked, so I uninstalled all of them. The only one I have kept on there is Malwarebytes. I also tried using these applications in safe mode and changed their name to .exe files - still didn't work. I have also noticed that in the Control Panel, where the list of programmes is, "Antivirus 2010" is listed.

Merged posts. ~ OB

Edited by Orange Blossom, 09 January 2011 - 12:19 AM.
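The following script is an added illustration, not part of the original post and not something the DDS tool provides: it shows how a responder could triage DDS output like the log above mechanically rather than by eye. It walks the "Running Processes" and "Pseudo HJT Report" sections and flags three of the indicators visible in this log: a process listed under a `\\.\globalroot\` device path instead of a normal drive-letter path, a browser proxy pointed at the loopback address (`127.0.0.1:5555`), and registry references to browser hooks (BHO, TB, EB, URLSearchHooks) whose DLL is reported as `No File`. The sample input is a constructed excerpt modelled on the posted log, and the function and category names are my own.

```python
import re
from typing import List, Tuple

# Constructed excerpt modelled on the DDS log posted above; only the
# sections and lines relevant to triage are included.
SAMPLE_LOG = r"""
============== Running Processes ===============

C:\Windows\system32\wininit.exe
"\\.\globalroot\Device\svchost.exe\svchost.exe"
C:\Windows\system32\svchost.exe -k DcomLaunch

============== Pseudo HJT Report ===============

uStart Page = hxxp://news.bbc.co.uk/sport
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = *.local;<local>
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - No File
"""

Finding = Tuple[str, str]  # (category, offending log line)

# DDS section banners look like "======= Name =======".
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# "uInternet Settings,ProxyServer = http=127.0.0.1:5555" (u = per-user, m = machine)
PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer\s*=\s*(.+)$")
# A proxy value that points back at the local machine, with or without a scheme prefix.
LOOPBACK_RE = re.compile(r"(?:^|=)(?:127\.\d{1,3}\.\d{1,3}\.\d{1,3}|localhost):\d+", re.I)
# Browser helper objects, toolbars, explorer bars and search hooks whose DLL is missing.
ORPHAN_RE = re.compile(r"^(?:BHO|TB|EB|[um]URLSearchHooks):.*-\s*No File$")
# Win32 device-namespace prefix; ordinary processes are listed with drive-letter paths.
DEVICE_PREFIX = "\\\\.\\globalroot\\"


def triage_dds(text: str) -> List[Finding]:
    """Return (category, line) pairs for the indicators found in a DDS log."""
    findings: List[Finding] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        banner = SECTION_RE.match(line)
        if banner:
            section = banner.group(1)
            continue
        if section == "Running Processes":
            path = line.strip('"')  # DDS quotes unusual image paths
            if path.lower().startswith(DEVICE_PREFIX):
                findings.append(("device-path process", path))
        elif section == "Pseudo HJT Report":
            proxy = PROXY_RE.match(line)
            if proxy and LOOPBACK_RE.search(proxy.group(1)):
                findings.append(("loopback proxy", line))
            elif ORPHAN_RE.match(line):
                findings.append(("orphaned browser hook", line))
    return findings


def report(text: str) -> str:
    """Human-readable summary, one finding per line."""
    rows = [f"[{cat}] {line}" for cat, line in triage_dds(text)]
    return "\n".join(rows) if rows else "no indicators found"


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Each category maps to a different follow-up: a loopback proxy means the browser's traffic is being routed through a local process and the proxy setting should be cleared once that process is gone; a device-path process is an image whose on-disk location is being hidden from the normal file namespace and deserves the rootkit-scanner step the helper asks for below; orphaned hooks are leftovers that are harmless on their own but worth cleaning so later logs are easier to read.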



#2 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:05:01 AM

Posted 09 January 2011 - 06:38 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log



IMPORTANT NOTE:

If the system has been used after topic creation time we need to take a look at fresh logs. So, please post fresh copies of dds.txt & attach.txt logs.



Regards,
Georgi



#3 al504

al504
  • Topic Starter

  • Members
  • 65 posts
  • OFFLINE
  • Local time:02:01 AM

Posted 10 January 2011 - 10:33 AM

Computer same as before; new logs follow. Again I have only a partial GMER log (I only have a partial ark.txt log (created using GMER), as when I click Scan on the GMER window it just disappears, and when I try to go back into gmer.exe it says "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." The ark.txt log that I did make is what appears on the GMER window before you click Scan, i.e. what appears just after you double-click on gmer.exe). I have used the command prompt and cacls.exe to regain access to the GMER.exe programme.

Attach.txt log and ark.txt log (partial, I think) are attached to the post.

DDS.txt log follows:

DDS (Ver_10-12-12.02) - NTFSx86
Run by Owner at 14:59:32.73 on Mon 01/10/2011
Internet Explorer: 8.0.6001.18999 BrowserJavaVersion: 1.6.0_22
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2037.944 [GMT 0:00]

AV: avast! antivirus *Enabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
SP: avast! antivirus *Enabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
"\\.\globalroot\Device\svchost.exe\svchost.exe"
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
"C:\Windows\system32\svchost.exe"
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\BBC iPlayer Desktop\BBC iPlayer Desktop.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\ltmoh\ltmoh.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Program Files\Internet Explorer\IELowutil.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://news.bbc.co.uk/sport
uSearch Page = hxxp://search.bearshare.com/sidebar.html?src=ssb
uSearch Bar = hxxp://search.bearshare.com/sidebar.html?src=ssb
mStart Page = hxxp://www.yahoo.com
mDefault_Page_URL = hxxp://www.yahoo.com
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = *.local;<local>
uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll
uURLSearchHooks: CommentsBar 1 Toolbar: {23ec984e-464c-4a0c-a8df-f80cb8c090e1} - c:\program files\commentsbar_1\tbComm.dll
uURLSearchHooks: H - No File
mURLSearchHooks: CommentsBar 1 Toolbar: {23ec984e-464c-4a0c-a8df-f80cb8c090e1} - c:\program files\commentsbar_1\tbComm.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: CommentsBar 1 Toolbar: {23ec984e-464c-4a0c-a8df-f80cb8c090e1} - c:\program files\commentsbar_1\tbComm.dll
BHO: ALOT Toolbar: {5aa2ba46-9913-4dc7-9620-69ab0fa17ae7} - c:\program files\alot\bin\alot.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - c:\program files\windows live\companion\companioncore.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
BHO: Sopcast Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: ALOT Toolbar: {5aa2ba46-9913-4dc7-9620-69ab0fa17ae7} - c:\program files\alot\bin\alot.dll
TB: CommentsBar 1 Toolbar: {23ec984e-464c-4a0c-a8df-f80cb8c090e1} - c:\program files\commentsbar_1\tbComm.dll
TB: Sopcast Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - No File
TB: {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - No File
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
EB: {2AA2FBF8-9C76-4E97-A226-25C5F4AB6358} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\HOMERunner.exe"
uRun: [OM_Monitor] c:\program files\olympus\olympus master\Monitor.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [NDSTray.exe] NDSTray.exe
mRun: [KeNotify] c:\program files\toshiba\utilities\KeNotify.exe
mRun: [HWSetup] c:\program files\toshiba\utilities\HWSetup.exe hwSetUP
mRun: [SVPWUTIL] c:\program files\toshiba\utilities\SVPWUTIL.exe SVPwUTIL
mRun: [Camera Assistant Software] "c:\program files\camera assistant software for toshiba\traybar.exe"
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
mRun: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
mRun: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
mRun: [LtMoh] c:\program files\ltmoh\Ltmoh.exe
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [OM_Monitor] c:\program files\olympus\olympus master\FirstStart.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [LtMoh] c:\program files\ltmoh\Ltmoh.exe
StartupFolder: c:\users\owner\appdata\roaming\micros~1\windows\startm~1\programs\startup\adobem~1.lnk - c:\program files\adobe media player\Adobe Media Player.exe
StartupFolder: c:\users\owner\appdata\roaming\micros~1\windows\startm~1\programs\startup\bbcipl~1.lnk - c:\program files\bbc iplayer desktop\BBC iPlayer Desktop.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - c:\program files\windows live\companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\owner\appdata\roaming\mozilla\firefox\profiles\9tc4mwqw.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://news.bbc.co.uk/sport
FF - prefs.js: keyword.URL - hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=SPC2&o=15004&locale=en_UK&apn_uid=726B83A5-46E8-44FD-A56A-DE0D03B127B5&apn_ptnrs=PW&apn_sauid=94EDE3C6-E4C2-458F-9DA6-13598D21B5C6&apn_dtid=YYYYYYYYGB&q=
FF - component: c:\users\owner\appdata\roaming\mozilla\firefox\profiles\9tc4mwqw.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdbplug.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\veetle\vlcbroadcast\npvbp.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\owner\appdata\roaming\mozilla\firefox\profiles\9tc4mwqw.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\windows\system32\tvuax\npTVUAx.dll
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - c:\program files\mozilla firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Sopcast Ask Toolbar: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
FF - Ext: TVU Web Player: firefox@tvunetworks.com - %profile%\extensions\firefox@tvunetworks.com
FF - Ext: vShare: vshare@toolbar - %profile%\extensions\vshare@toolbar
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2010-1-7 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-1-7 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-1-7 53328]
R3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-6-13 21504]
R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2008-11-17 3668480]
S2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2010-1-7 138680]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate1c9b6e7ef441047;Google Update Service (gupdate1c9b6e7ef441047);c:\program files\google\update\GoogleUpdate.exe [2009-4-6 133104]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2010-1-7 254040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2010-1-7 352920]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2005-1-1 39272]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-9-23 1493352]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2008-7-11 47128]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [2009-3-30 239336]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2009-3-30 366936]
S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]

=============== File Associations ===============

exefile="exefile" /shell <%1> %*??.?

=============== Created Last 30 ================

2011-01-04 21:08:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-04 21:08:35 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-04 19:27:07 -------- d-----w- c:\progra~2\PC Tools
2011-01-04 18:38:12 -------- d-----w- c:\program files\GridinSoft Trojan Killer
2011-01-04 18:16:05 -------- d-----w- c:\progra~2\XoftSpySE
2011-01-04 18:16:03 -------- d-----w- c:\program files\XoftSpySE6
2011-01-04 15:00:40 6273872 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{76f68472-9a75-404f-a1d7-3cf6b3a902ee}\mpengine.dll
2010-12-17 08:29:55 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2010-12-16 19:35:42 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-12-16 19:35:42 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2010-12-16 19:34:34 -------- d-----w- c:\program files\iPod
2010-12-16 19:34:32 -------- d-----w- c:\program files\iTunes
2010-12-16 19:34:32 -------- d-----w- c:\progra~2\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-12-16 19:23:49 -------- d-----w- c:\program files\Bonjour

==================== Find3M ====================

2010-11-29 17:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 17:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-11-04 18:56:07 345600 ----a-w- c:\windows\system32\wmicmiplugin.dll
2010-11-04 18:55:38 352768 ----a-w- c:\windows\system32\taskschd.dll
2010-11-04 18:55:38 270336 ----a-w- c:\windows\system32\taskcomp.dll
2010-11-04 18:55:12 601600 ----a-w- c:\windows\system32\schedsvc.dll
2010-11-04 16:34:06 171520 ----a-w- c:\windows\system32\taskeng.exe
2010-11-02 06:01:54 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-02 05:57:41 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-02 05:57:27 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-11-02 05:57:11 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-11-02 05:57:11 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-11-02 05:01:31 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 04:26:10 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-11-02 04:24:44 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-10-28 15:44:56 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-10-28 13:27:47 292352 ----a-w- c:\windows\system32\atmfd.dll
2010-10-28 13:20:12 2048 ----a-w- c:\windows\system32\tzres.dll
2010-10-19 10:41:44 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-10-18 13:37:35 81920 ----a-w- c:\windows\system32\consent.exe
2010-10-18 13:31:24 2038272 ----a-w- c:\windows\system32\win32k.sys

============= FINISH: 15:03:56.52 ===============

Attached Files
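As an added example (not part of the original thread and not code from the DDS tool), here is a small Python triage script that runs over lines in the DDS format posted above and flags the entries a responder would look at first: a browser proxy pointed at the local machine, an exefile association that no longer matches the stock handler, and orphaned BHO/toolbar registrations reported as "No File". The sample input is a subset of the log above; the stock baselines (`"%1" %*` for exefile and `c:\windows\system32\userinit.exe` for Userinit) and the rule set itself are the script's own assumptions, not anything the thread states.

```python
import re

# Constructed sample: a subset of the DDS "Pseudo HJT Report" and
# "File Associations" sections posted in this thread.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============

uStart Page = hxxp://news.bbc.co.uk/sport
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = *.local;<local>
uURLSearchHooks: H - No File
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
TB: {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - No File
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe

=============== File Associations ===============

exefile="exefile" /shell <%1> %*??.?
"""

# Assumed baselines (stock Windows values), not taken from the thread.
EXPECTED_EXEFILE = '"%1" %*'
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"
LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}

SECTION_RE = re.compile(r"^=+\s*(?P<name>.+?)\s*=+$")
# DDS prefixes per-user entries with "u" and per-machine entries with "m".
PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer\s*=\s*(?P<value>.+)$")
ORPHAN_RE = re.compile(r"^(BHO|TB|EB|[um]URLSearchHooks):.*-\s*No File$")
USERINIT_RE = re.compile(r"^mWinlogon: Userinit=(?P<value>.+)$", re.IGNORECASE)
EXEFILE_RE = re.compile(r"^exefile=(?P<value>.+)$")


def parse_proxy(value):
    """Split an IE ProxyServer value into (scheme, host, port) tuples.

    Accepts both "http=host:port;https=host:port" and the bare "host:port"
    form (reported with scheme "*", meaning all protocols).
    """
    out = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.rpartition("=")
        if ":" in hostport:
            host, port = hostport.rsplit(":", 1)
        else:
            host, port = hostport, ""
        out.append((scheme or "*", host, port))
    return out


def check_hjt_line(line):
    """Apply the Pseudo HJT rules to one line; return a list of findings."""
    findings = []
    m = PROXY_RE.match(line)
    if m:
        for scheme, host, port in parse_proxy(m.group("value")):
            if host.lower() in LOOPBACK_HOSTS:
                findings.append(dict(
                    severity="HIGH", line=line,
                    reason=f"{scheme} proxy set to {host}:{port}: a local process "
                           "is interposed on the browser's web traffic"))
    m = USERINIT_RE.match(line)
    if m and m.group("value").strip().lower().rstrip(",") != EXPECTED_USERINIT:
        findings.append(dict(severity="HIGH", line=line,
                             reason="Winlogon Userinit differs from the stock value"))
    if ORPHAN_RE.match(line):
        findings.append(dict(severity="LOW", line=line,
                             reason="orphaned browser add-on registration (file missing)"))
    return findings


def check_association_line(line):
    """Flag an exefile handler that is not the stock one."""
    m = EXEFILE_RE.match(line)
    if m and m.group("value").strip() != EXPECTED_EXEFILE:
        return [dict(severity="HIGH", line=line,
                     reason=f"exefile handler is {m.group('value')!r}, expected "
                            f"{EXPECTED_EXEFILE!r}: every .exe launch passes through it")]
    return []


def triage_dds(text):
    """Walk a DDS log section by section and return findings, HIGH first."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name").lower()
            continue
        if section == "pseudo hjt report":
            findings.extend(check_hjt_line(line))
        elif section == "file associations":
            findings.extend(check_association_line(line))
    return sorted(findings, key=lambda f: f["severity"] != "HIGH")


if __name__ == "__main__":
    for f in triage_dds(SAMPLE_DDS):
        print(f"[{f['severity']}] {f['line']}\n        {f['reason']}")
```

On the log above this flags the `127.0.0.1:5555` proxy and the rewritten exefile handler as HIGH and the three "No File" entries as LOW; the Userinit line matches the assumed baseline and is not reported. Orphaned registrations are not malicious by themselves, which is why they rank below the two changes that actually redirect traffic or program launches.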



#4 B-boy/StyLe/

    Bleepin' Freestyler

  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 10 January 2011 - 12:31 PM

Hi al504 and :welcome:

I will be handling your log to help you get cleaned up.
Please give me some time to look it over and I will get back to you as soon as possible.
See ya later, as I'm at work right now... stay tuned. :wink:


Regards,
Georgi :hello:



#5 B-boy/StyLe/

    Bleepin' Freestyler

  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 11 January 2011 - 08:18 AM

Hello al504 ! Welcome to BleepingComputer Forums! :welcome:

My name is Georgi and I will be helping you with your computer problems.

Sorry for the delay!


Before we begin, please note the following:
  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms do not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something don't hesitate to ask.
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.





IMPORTANT NOTE: One or more of the identified infections is related to the rootkit Agent component. Rootkits, backdoor Trojans, Botnets, and IRCBots are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. Rootkits are used by Trojans to conceal their presence (hide from view) in order to prevent detection of an attacker's software and make removal more difficult. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is sent back to the hacker. To learn more about these types of infections, you can refer to:

If your computer was used for online banking, has credit card information or other sensitive data on it, you should stay disconnected from the Internet until your system is fully cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised and change each password using a clean computer, not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:

Although the infection has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired so you can never be sure that you have completely removed a rootkit. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove rootkits cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. If you decide to continue please do this:




Do you have a Windows Vista installation DVD?



You appear to be a competent user, so you shouldn't have too much trouble with it. I suggest printing out the instructions while you work through it for reference.



First, Boot from your Windows Vista installation DVD.

Wait for Windows Vista to Load Files

Next, the Language Screen will come up. Just click on Next.

Now you will see the Windows Vista Installation Screen.

DO NOT CHOOSE Install Now

Instead, towards the bottom left of the window you will see:

  • What to know before installing Windows
  • Repair your Computer

Choose and click on Repair your Computer


You will then come to the System Recovery Options. Choose Microsoft Windows Vista from the list. Then click Next.

You will now have the option to choose which Recovery Tools you wish to use.

This list provides details of the five tools that can help you repair your Windows Vista installation.

We need this one:

Command Prompt


Opens the Command Prompt window:

At the next prompt type in cd c:\windows\WinSxS\x86_Microsoft.Windows.Shell.HWEventDetector_6595b64144ccf1df_5.2.2.3_x-ww_5390e909 then hit Enter.
Then type ren shsvcs.dll shsvcs.old then hit Enter.
Then type cd c:\WINDOWS\system32\drivers then hit Enter.
Then type ren vbma92a1.sys vbma92a1.old then hit Enter.


Then it should go to the next prompt.

At this point type in exit.





IMPORTANT NOTE:
If you do not have an installation DVD please skip the steps above and let me know.






When you boot back into Windows:


Click "start" on the taskbar and then click on the "Control Panel" icon.
Please double-click the "Add or Remove Programs" icon.
A list of programs installed will be "populated"; this may take a bit of time.
If they exist, uninstall the following by clicking on the following entries and selecting "remove":

Antivirus 2010

Additional instructions can be found here if needed.



Next please download the following file.
Double click it and allow it to merge with the registry.



Now please:



Please download Malwarebytes Anti-Malware and save it to your desktop.
Download Link 1
Download Link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


If you received a message like this: "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."

Please do this:

Click on the Start menu, then select All Programs, and then Accessories. You will now see a shortcut labeled Command Prompt. Right-click on it and select Run as administrator.


Now type the following command cacls "c:\program files\Malwarebytes' Anti-Malware\mbam.exe" /G Everyone:F and press Enter on your keyboard.
This should give the Everyone group permission to use the file again.
Run a quick scan and remove anything it finds.





You will need to run DDS again to provide a fresh dds.txt log.
I want to be sure that nothing reappeared.
Copy/paste both DDS.txt and Attach.txt reports in your next reply.



Regards,
Georgi

Edited by B-boy/StyLe/, 11 January 2011 - 08:19 AM.



#6 al504
  • Topic Starter
  • Members
  • 65 posts

Posted 11 January 2011 - 08:55 AM

Georgi thanks for the reply.

Regarding the MBAM steps: I already have MBAM installed on the computer, so should I go straight to the quick scan step? Or should I uninstall and then download a fresh MBAM first?

I have created my own recovery DVD from removed link as the laptop did not come with one (why are manufacturers so stingy?). This allows me to go into Repair Computer and Command Prompt; is that OK?

Regarding the rootkit and potentially compromised passwords: since the laptop got infected I have not used it for any passwords, emails etc. I did delete all internet history from IE and Firefox and have been using my other uninfected laptop. Do I still need to change all my passwords etc.?

Just to note, I am using my other uninfected laptop to post here and do other things until the infected laptop is fixed. I will start to follow your steps shortly (in a couple of hours, after lunch).

Thanks again.

Edited by kahdah, 11 January 2011 - 12:34 PM.


#7 al504
  • Topic Starter
  • Members
  • 65 posts

Posted 11 January 2011 - 10:45 AM

Georgi,

With the Windows recovery DVD in, at the command prompt, when I type in cd c:\windows\WinSxS\x86_Microsoft.Windows.Shell.HWEventDetector_6595b64144ccf1df_5.2.2.3_x-ww_5390e909 then hit Enter, it says "The system cannot find the path specified".

When I move onto the next steps:

Then type cd c:\WINDOWS\system32\drivers then hit Enter.
Then type ren vbma92a1.sys vbma92a1.old then hit Enter.

After I type ren vbma92a1.sys vbma92a1.old then hit Enter, it again says "The system cannot find the file specified".

I am just going to go to the next step; is that OK?

Edited by al504, 11 January 2011 - 11:44 AM.


#8 B-boy/StyLe/

    Bleepin' Freestyler

  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 11 January 2011 - 12:02 PM

Hi al504, :)


My replies to you need to be checked by an instructor first, so there may be some delay.
Please be patient and do not take any further steps until requested, because this could mess things up.
Also please note the time difference between Bulgaria and the U.S.
Thanks for understanding on this. I'll answer you as soon as possible.


Regards,
Georgi



#9 B-boy/StyLe/

    Bleepin' Freestyler

  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 11 January 2011 - 01:14 PM

Hi al504, :)


Please boot back into the Recovery environment again.

Once you get to the System Recovery Options screen, first take note of the drive letter assigned to the operating system, then select Command Prompt.

In the Command Prompt try the commands as before, but make sure to use the drive letter corresponding to the operating system... D:\ ; E:\ etc.
(until you find the drive letter Windows is installed on) and let me know if that makes sense.


Regards,
Georgi



#10 al504
  • Topic Starter
  • Members
  • 65 posts

Posted 11 January 2011 - 01:39 PM

Once I get to the System Recovery Options screen, the drive letter assigned to the operating system is C:, i.e. it says Operating system: Microsoft Windows Vista on (C:) Local Disk

So it is on c:\ like I have been trying before? I tried again by typing in

cd c:\windows\WinSxS\x86_Microsoft.Windows.Shell.HWEventDetector_6595b64144ccf1df_5.2.2.3_x-ww_5390e909 then hit Enter, but it still comes up with "The system cannot find the path specified".

Edited by al504, 11 January 2011 - 01:47 PM.


#11 B-boy/StyLe/

    Bleepin' Freestyler

  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 11 January 2011 - 02:22 PM

Hi al504,


Ok let's check if the files are still there.
Boot back into Windows, then do the following:


Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :filefind
    vbma*.sys
    shsvcs.dll
    __AssemblyInfo__.ini
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt



Regards,
Georgi
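An added example (not SystemLook's code and not anything posted by the responder) of what to do with the :filefind results once they come back: parse the output, then for each searched name compare the copies against each other. A copy whose size is a small fraction of its siblings, that is the most recently modified of the set, or whose hash the tool could not compute at all is the one to look at. The input is constructed in SystemLook's output format using the sizes, timestamps and hashes reported later in this thread; the half-the-median size threshold is the script's own assumption.

```python
import re
from collections import Counter
from datetime import datetime
from statistics import median

# Constructed sample in SystemLook's ":filefind" output format. The paths,
# sizes, timestamps and MD5s are the ones reported later in this thread.
SAMPLE_LOG = r"""
SystemLook 04.09.10 by jpshortstuff
========== filefind ==========

Searching for "vbma*.sys"
C:\Windows\System32\drivers\vbma92a1.sys --a---- 38272 bytes [01:18 08/01/2010] [06:27 11/04/2009] (Unable to calculate MD5)

Searching for "shsvcs.dll"
C:\Windows\System32\shsvcs.dll --a---- 247296 bytes [01:17 08/01/2010] [06:28 11/04/2009] C818C44C201898399BF999BB6B35D4E3
C:\Windows\winsxs\x86_microsoft-windows-shsvcs_31bf3856ad364e35_6.0.6000.16386_none_caf99b2e2002860e\shsvcs.dll --a---- 245248 bytes [08:46 02/11/2006] [09:46 02/11/2006] B264DFA21677728613267FE63802B332
C:\Windows\winsxs\x86_microsoft-windows-shsvcs_31bf3856ad364e35_6.0.6001.18000_none_cd305d2a1ced96e2\shsvcs.dll --a---- 247296 bytes [10:52 13/06/2008] [07:36 19/01/2008] 27F10F348E508243F6254846F8370D0D
C:\Windows\winsxs\x86_microsoft-windows-shsvcs_31bf3856ad364e35_6.0.6002.18005_none_cf1bd6361a0f622e\shsvcs.dll --a---- 247296 bytes [01:17 08/01/2010] [06:28 11/04/2009] C818C44C201898399BF999BB6B35D4E3
C:\Windows\winsxs\x86_Microsoft.Windows.Shell.HWEventDetector_6595b64144ccf1df_5.2.2.3_x-ww_5390e909\shsvcs.dll --a---- 8704 bytes [11:18 02/11/2006] [15:03 17/12/2010] A84E5F89AB81C273DBBA5747177E3E5E
"""

SEARCH_RE = re.compile(r'^Searching for "(?P<pattern>[^"]+)"$')
# path  attrs  size bytes  [created]  [modified]  md5-or-error
ENTRY_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-a-z]{7})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+"
    r"(?P<md5>[0-9A-Fa-f]{32}|\(Unable to calculate MD5\))$"
)
TS_FMT = "%H:%M %d/%m/%Y"
SIZE_RATIO = 0.5  # assumed threshold: flag a copy smaller than half the median


def parse_filefind(text):
    """Return {search pattern: [entry, ...]} from SystemLook :filefind output."""
    results, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SEARCH_RE.match(line)
        if m:
            current = m.group("pattern")
            results.setdefault(current, [])
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            e = m.groupdict()
            e["size"] = int(e["size"])
            e["created"] = datetime.strptime(e["created"], TS_FMT)
            e["modified"] = datetime.strptime(e["modified"], TS_FMT)
            e["md5"] = None if e["md5"].startswith("(") else e["md5"].upper()
            results[current].append(e)
    return results


def flag_outliers(entries):
    """Return [(path, [reasons])] for copies that stand out from their siblings."""
    findings = []
    if not entries:
        return findings
    size_median = median(e["size"] for e in entries)
    md5_counts = Counter(e["md5"] for e in entries if e["md5"])
    newest = max(e["modified"] for e in entries)
    newest_count = sum(1 for e in entries if e["modified"] == newest)
    for e in entries:
        reasons = []
        if e["md5"] is None:
            reasons.append("hash could not be computed: file locked or unreadable")
        if len(entries) > 1 and e["size"] < SIZE_RATIO * size_median:
            reasons.append(f"size {e['size']} bytes is far below the median "
                           f"{int(size_median)} bytes of the other copies")
        if len(entries) > 1 and e["modified"] == newest and newest_count == 1:
            reasons.append(f"modified {e['modified']:%Y-%m-%d %H:%M}, later than "
                           "every other copy")
        # A unique hash alone is normal across servicing versions; report it
        # only as supporting evidence when something else already stands out.
        if reasons and e["md5"] and md5_counts[e["md5"]] == 1:
            reasons.append("MD5 shared with no other copy")
        if reasons:
            findings.append((e["path"], reasons))
    return findings


def triage(text):
    """Map each search pattern to its flagged copies."""
    return {pattern: flag_outliers(entries)
            for pattern, entries in parse_filefind(text).items()}


if __name__ == "__main__":
    for pattern, flagged in triage(SAMPLE_LOG).items():
        print(f'Searching for "{pattern}": {len(flagged)} flagged')
        for path, reasons in flagged:
            print("  " + path)
            for r in reasons:
                print("    - " + r)
```

On this input the only shsvcs.dll copy reported is the one under the HWEventDetector directory (a few kilobytes against roughly 240 KB for the servicing copies, modified after every other copy, hash shared with none of them), while the two older WinSxS versions with their own hashes are left alone. The driver is reported because the tool could not hash it, which by itself is worth a second look.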



#12 al504
  • Topic Starter
  • Members
  • 65 posts

Posted 11 January 2011 - 02:50 PM

Georgi, the log follows:

SystemLook 04.09.10 by jpshortstuff
Log created at 19:29 on 11/01/2011 by Owner
Administrator - Elevation successful

========== filefind ==========

Searching for "vbma*.sys"
C:\Windows\System32\drivers\vbma92a1.sys --a---- 38272 bytes [01:18 08/01/2010] [06:27 11/04/2009] (Unable to calculate MD5)

Searching for "shsvcs.dll"
C:\Windows\System32\shsvcs.dll --a---- 247296 bytes [01:17 08/01/2010] [06:28 11/04/2009] C818C44C201898399BF999BB6B35D4E3
C:\Windows\winsxs\x86_microsoft-windows-shsvcs_31bf3856ad364e35_6.0.6000.16386_none_caf99b2e2002860e\shsvcs.dll --a---- 245248 bytes [08:46 02/11/2006] [09:46 02/11/2006] B264DFA21677728613267FE63802B332
C:\Windows\winsxs\x86_microsoft-windows-shsvcs_31bf3856ad364e35_6.0.6001.18000_none_cd305d2a1ced96e2\shsvcs.dll --a---- 247296 bytes [10:52 13/06/2008] [07:36 19/01/2008] 27F10F348E508243F6254846F8370D0D
C:\Windows\winsxs\x86_microsoft-windows-shsvcs_31bf3856ad364e35_6.0.6002.18005_none_cf1bd6361a0f622e\shsvcs.dll --a---- 247296 bytes [01:17 08/01/2010] [06:28 11/04/2009] C818C44C201898399BF999BB6B35D4E3
C:\Windows\winsxs\x86_Microsoft.Windows.Shell.HWEventDetector_6595b64144ccf1df_5.2.2.3_x-ww_5390e909\shsvcs.dll --a---- 8704 bytes [11:18 02/11/2006] [15:03 17/12/2010] A84E5F89AB81C273DBBA5747177E3E5E

Searching for "__AssemblyInfo__.ini"

#13 al504

  • Topic Starter

Posted 11 January 2011 - 03:44 PM

Georgi, I tried writing in the command prompt again, this time exactly how it showed up in the SystemLook log, i.e. cd C:\Windows\winsxs\x86_Microsoft.Windows.Shell.HWEventDetector_6595b64144ccf1df_5.2.2.3_x-ww_5390e909 (it looks like it is case sensitive). This time it did not come up with "The system cannot find the path specified." Should I continue?

Edited by al504, 11 January 2011 - 03:44 PM.
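The SystemLook lines above are what the thread is working from: the copy of shsvcs.dll in the HWEventDetector directory is 8704 bytes against roughly 245 KB for the three servicing copies, and it was last written in December 2010 while the others carry their 2006-2009 timestamps. The following is an added example, not from the thread or from SystemLook's author, that parses that output format and flags such a copy automatically; it assumes the two bracketed timestamps are creation and last-write time, in that order, and uses the four shsvcs.dll lines from the log above as sample input.

```python
"""Parse SystemLook file-search lines and flag copies of a DLL that stand out from their siblings."""
from __future__ import annotations
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median

# One result line: <path> <attrs> <size> bytes [created] [modified] <MD5>  (assumed order)
LINE_RE = re.compile(
    r"^(?P<path>\S+) (?P<attrs>[-a-zA-Z]{7}) (?P<size>\d+) bytes "
    r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)
TS_FMT = "%H:%M %d/%m/%Y"  # SystemLook prints "HH:MM DD/MM/YYYY"

@dataclass
class Entry:
    path: str
    size: int
    created: datetime
    modified: datetime
    md5: str

def parse_systemlook(text: str) -> list[Entry]:
    """Return one Entry per result line; 'Searching for' headers and blanks are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m["path"], int(m["size"]),
                                 datetime.strptime(m["created"], TS_FMT),
                                 datetime.strptime(m["modified"], TS_FMT),
                                 m["md5"].upper()))
    return entries

def flag_suspicious(entries: list[Entry], max_gap: timedelta = timedelta(days=30)) -> dict[str, list[str]]:
    """Map path -> reasons for each copy that is much smaller than the typical copy of
    the same file name, or that was last written long after it was created."""
    by_name: dict[str, list[Entry]] = {}
    for e in entries:
        by_name.setdefault(e.path.rsplit("\\", 1)[-1].lower(), []).append(e)
    findings: dict[str, list[str]] = {}
    for copies in by_name.values():
        typical = median(c.size for c in copies)  # servicing copies cluster around one size
        for c in copies:
            reasons = []
            if len(copies) > 1 and c.size < typical / 2:
                reasons.append(f"size {c.size} B, typical copy is {typical:.0f} B")
            if c.modified - c.created > max_gap:
                reasons.append(f"last written {c.modified:%Y-%m-%d}, created {c.created:%Y-%m-%d}")
            if reasons:
                findings[c.path] = reasons
    return findings

# Sample input: the four shsvcs.dll lines from the SystemLook output posted above.
SAMPLE_LOG = r"""Searching for "shsvcs.dll"
C:\Windows\winsxs\x86_microsoft-windows-shsvcs_31bf3856ad364e35_6.0.6000.16386_none_caf99b2e2002860e\shsvcs.dll --a---- 245248 bytes [08:46 02/11/2006] [09:46 02/11/2006] B264DFA21677728613267FE63802B332
C:\Windows\winsxs\x86_microsoft-windows-shsvcs_31bf3856ad364e35_6.0.6001.18000_none_cd305d2a1ced96e2\shsvcs.dll --a---- 247296 bytes [10:52 13/06/2008] [07:36 19/01/2008] 27F10F348E508243F6254846F8370D0D
C:\Windows\winsxs\x86_microsoft-windows-shsvcs_31bf3856ad364e35_6.0.6002.18005_none_cf1bd6361a0f622e\shsvcs.dll --a---- 247296 bytes [01:17 08/01/2010] [06:28 11/04/2009] C818C44C201898399BF999BB6B35D4E3
C:\Windows\winsxs\x86_Microsoft.Windows.Shell.HWEventDetector_6595b64144ccf1df_5.2.2.3_x-ww_5390e909\shsvcs.dll --a---- 8704 bytes [11:18 02/11/2006] [15:03 17/12/2010] A84E5F89AB81C273DBBA5747177E3E5E"""
```

Running `flag_suspicious(parse_systemlook(SAMPLE_LOG))` reports only the HWEventDetector copy, for both the size and the timestamp reason; the three servicing copies pass.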


#14 B-boy/StyLe/

  • Malware Response Team

Posted 11 January 2011 - 03:47 PM

Hi al504, :)


Seems the files are still there.
Ok let's try something else.


Please download ComboFix from the link below:

ComboFix

Save it to your Desktop, but do not run it yet <-- Important!!!

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Please refer to this link for instructions.
  • Go to the Start menu and in the search box type this command: "%userprofile%\desktop\combofix.exe" /stepdel, then hit OK.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    Notes: Skip the Recovery Console part as you're running Vista. You can use the Windows DVD to boot into the Vista Recovery Environment if something goes awry.
  • Click on Yes, to continue scanning for malware.
  • If you receive a UAC prompt asking if you want to continue running the program, you should press the Continue button.
  • When finished, it will produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.
  • If you no longer have access to your Internet connection after running ComboFix, please reboot to restore it. If that does not restore the connection, then follow the instructions for Manually restoring the Internet connection provided in the "How to Guide" you printed out earlier.



-- Do not touch your mouse/keyboard until the ComboFix scan has completed, as this may cause the process to stall or the computer to lock.



Edit: Please proceed with the RC then and post a log from Combofix as described above. :)


Regards,
Georgi

Edited by B-boy/StyLe/, 11 January 2011 - 05:06 PM.



#15 al504

  • Topic Starter

Posted 11 January 2011 - 05:18 PM

Georgi,

The command prompt route is not working, so I will go to your ComboFix instructions.

I went on to your ComboFix instructions. I get to typing "%userprofile%\desktop\combofix.exe" /stepdel in Run. I click Allow and then ComboFix begins to run, i.e. ComboFix with a green bar, but when this gets to the end (the green bar) it disappears and ComboFix does not continue running. The ComboFix screen (the blue one) as seen on http://www.bleepingcomputer.com/combofix/how-to-use-combofix does not appear and run.



