
Trojans, Alureon.a affecting System, MSE install, and more


  • This topic is locked
16 replies to this topic

#1 GFI3 (Members, 19 posts)

Posted 26 January 2011 - 09:24 AM

Hi,

I previously was able to solve some issues with my PC not booting by clearing the Trojan Alureon virus with MSE. Afterwards I was able to boot but noticed many issues with my system, mainly:

1. Very slow start up time before and after log in.
2. WSE upgrade failed and now gives error code 0x80070005.
3. Noticeable lagging and freezing when opening explorer windows and saving files.

I am pretty sure there is still something lurking around.

I have run Malwarebytes multiple times as well as Spybot and they have both cleaned up things, but have found nothing more. I have also gone to Windows Update and installed everything up to date.

When running DDS, my computer seems to read it as an AutoCAD script and all I get is a Notepad doc with garbage text.

When running GMER the scan begins, but then the window simply disappears and I cannot get it to complete a scan. Also nothing to post.

Thanks in advance for any help you can offer.

UPDATE:

I was able to run GMER scan and have attached the scan.

Thanks!

EDIT: Posts merged ~BP

Attached Files: ark.txt (114.21KB, 3 downloads)

Edited by Budapest, 27 January 2011 - 05:19 PM.




#2 RPMcMurphy (Malware Response Team, 3,970 posts)

Posted 31 January 2011 - 11:12 PM

Hello and welcome. I apologize for the delay. If you no longer need help with this issue, we would appreciate you letting us know. Otherwise, please perform the following steps so I can have a look at the current condition of your machine. The DDS links I gave you are versions that should run for you.

Please download DDS by sUBs from one of the following links and save it to your desktop.

DDS.com
DDS.pif
  • Disable any script blocking protection (How to Disable your Security Programs)
  • Double click DDS icon to run the tool (may take up to 3 minutes to run)
  • When done, DDS.txt will open.
  • After a few moments, attach.txt will open in a second window.
  • Save both reports to your desktop.
---------------------------------------------------
  • Post the contents of the DDS.txt report in your next reply
  • Attach the Attach.txt report to your post by scrolling down to the Attachments area and then clicking Browse. Browse to where you saved the file, and click Open and then click UPLOAD.
Please include the following in your next post:
  • DDS.txt and Attach.txt logs

Edited by RPMcMurphy, 31 January 2011 - 11:14 PM.

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.


#3 GFI3 (Topic Starter; Members, 19 posts)

Posted 01 February 2011 - 08:17 AM

Thanks. I ran the DDS scan with no issues.

Here is the DDS.txt


DDS (Ver_10-12-12.02) - NTFSx86
Run by gives at 8:06:20.27 on Tue 02/01/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1554 [GMT -5:00]

AV: Microsoft Security Essentials *Enabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Transoft Solutions\License Server\TransoftLS.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\gives\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Documents and Settings\gives\Local Settings\Application Data\Google\Update\1.2.183.39\GoogleCrashHandler.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\gives\Desktop\dds.com

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
uRun: [Google Update] "c:\documents and settings\gives\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {0DB074F0-617E-4EE9-912C-2965CF2AA5A4} - hxxp://download.microsoft.com/download/7/0/7/707a44ad-52ad-49af-b7ef-e21b6b0656e4/VirtualEarth3D.cab
DPF: {3BB1D69B-A780-4BE1-876E-F3D488877135} - hxxp://download.microsoft.com/download/3/B/E/3BE57995-8452-41F1-8297-DD75EF049853/VirtualEarth3D.cab
DPF: {428A9DEF-F057-402B-9F2D-A5887F4544ED} - hxxp://download.microsoft.com/download/f/0/2/f02b515c-7076-4cee-bc08-fd6fea594578/VirtualEarth3D.cab
DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} - hxxp://ntserver/connectcomputer/nshelp.dll
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {A3256902-51FA-45A0-8A97-FC1143C169D9} - hxxp://support.microsoft.com/mats/DiagWebControl.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\gives\applic~1\mozilla\firefox\profiles\8fjjqeaj.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\gives\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 151216]
R1 MpKsl45ad4e30;MpKsl45ad4e30;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{2c2c2632-c90c-464a-a32f-466cd27811f4}\MpKsl45ad4e30.sys [2011-2-1 28752]
R1 MpKsl51576718;MpKsl51576718;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{2c2c2632-c90c-464a-a32f-466cd27811f4}\MpKsl51576718.sys [2011-2-1 28752]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-4-27 67656]
R2 Transoft Solutions License Server V1.4;Transoft Solutions License Server V1.4;c:\program files\transoft solutions\license server\TransoftLS.exe [2007-4-30 307200]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\tffsmon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\tfsysmon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S1 avgio;avgio;\??\c:\program files\avira\antivir personaledition classic\avgio.sys --> c:\program files\avira\antivir personaledition classic\avgio.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-12-17 136176]
S3 avgntflt;avgntflt;\??\c:\program files\avira\antivir personaledition classic\avgntflt.sys --> c:\program files\avira\antivir personaledition classic\avgntflt.sys [?]
S3 pctplsg;pctplsg;\??\c:\windows\system32\drivers\pctplsg.sys --> c:\windows\system32\drivers\pctplsg.sys [?]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\tfnetmon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
S4 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler;"c:\program files\avira\antivir personaledition classic\sched.exe" --> c:\program files\avira\antivir personaledition classic\sched.exe [?]
S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" --> c:\program files\lavasoft\ad-aware\AAWService.exe [?]

=============== File Associations ===============

.scr=AutoCADScriptFile

=============== Created Last 30 ================

2011-02-01 13:00:24 28752 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{2c2c2632-c90c-464a-a32f-466cd27811f4}\MpKsl45ad4e30.sys
2011-02-01 12:39:27 28752 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{2c2c2632-c90c-464a-a32f-466cd27811f4}\MpKsl51576718.sys
2011-01-26 16:33:08 5890896 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{2c2c2632-c90c-464a-a32f-466cd27811f4}\mpengine.dll
2011-01-26 16:13:28 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-01-26 16:13:28 -------- d-----w- c:\windows\system32\wbem\Repository
2011-01-26 16:11:54 -------- d-----w- c:\program files\DVD Shrink
2011-01-26 16:11:51 -------- d-----w- c:\program files\MP3 Cutter Plus
2011-01-26 16:11:51 -------- d-----w- c:\program files\MP3 Cutter
2011-01-26 16:11:48 -------- d-----w- C:\STOMP35
2011-01-26 16:11:48 -------- d-----w- c:\program files\MVAPPS
2011-01-26 16:11:47 -------- d-----w- c:\program files\Unlocker
2011-01-26 16:11:47 -------- d-----w- c:\program files\The Weather Channel FW
2011-01-26 16:11:37 -------- d-----w- c:\program files\ESET
2011-01-26 15:13:35 -------- d-----w- c:\program files\common files\Java(2)
2011-01-26 13:23:03 -------- dc----w- c:\windows\$968930Uinstall_KB968930$
2011-01-26 12:57:59 -------- d-----w- c:\program files\Microsoft Security Client
2011-01-20 19:43:25 89088 ----a-w- C:\mbr.exe

==================== Find3M ====================

2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-09 14:52:35 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-08 06:20:24 89088 ----a-w- c:\windows\MBR.exe
2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26:58 1469440 ------w- c:\windows\system32\inetcpl.cpl

============= FINISH: 8:08:11.58 ===============



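The DDS report above is what the Malware Response Team reads by hand: the Run-key entries, the services/drivers table with its `[?]` marker on images DDS could not find on disk, and the File Associations block. That last block also explains the first post's puzzle: `.scr=AutoCADScriptFile` means the `.scr` build of DDS was handed to AutoCAD as a script file, which is why the helper linked the `.com` and `.pif` builds instead. The Python below is an added example, not code from this thread or from the DDS tool itself, showing how that first-pass triage can be mechanised. The section-banner format, the `uRun`/`mRun`/`dRun` hive prefixes, the `R1`/`S0` state codes and the `[?]` missing-file marker are taken from the log as posted; the table of default Windows ProgIDs for executable extensions is an assumed baseline you should extend for your own environment. The sample input is a constructed excerpt of the posted log, not the full report.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of lines copied from the DDS.txt posted above,
# trimmed so the parser can be exercised offline. Real reports are much longer.
SAMPLE_DDS = r"""
DDS (Ver_10-12-12.02) - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1554 [GMT -5:00]

============== Pseudo HJT Report ===============

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 151216]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S1 avgio;avgio;\??\c:\program files\avira\antivir personaledition classic\avgio.sys --> c:\program files\avira\antivir personaledition classic\avgio.sys [?]

=============== File Associations ===============

.scr=AutoCADScriptFile

============= FINISH: 8:08:11.58 ===============
"""

# "=== Section Name ===" banners delimit the report; lines before the first
# banner are kept under "HEADER".
SECTION_RE = re.compile(r"^=+\s*(?P<name>.+?)\s*=+$")
# DDS prefixes Run-key entries with u (HKCU), m (HKLM) or d (HKU\.DEFAULT).
AUTORUN_RE = re.compile(r"^(?P<hive>[umd])Run(?:Once)?:\s+\[(?P<name>[^\]]*)\]\s*(?P<command>.*)$")
HIVES = {"u": "HKCU", "m": "HKLM", "d": "HKU\\.DEFAULT"}
# "R1 name;display;image [date size]": R/S = running/stopped, digit = start type.
SERVICE_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.*)$")
ASSOC_RE = re.compile(r"^\.(?P<ext>[A-Za-z0-9]+)=(?P<progid>.+)$")
# Assumed baseline: default Windows ProgIDs for executable extensions.
EXPECTED_PROGID = {"exe": "exefile", "com": "comfile", "scr": "scrfile",
                   "pif": "piffile", "bat": "batfile", "cmd": "cmdfile", "reg": "regfile"}


def split_sections(text):
    """Return {section name: [non-blank lines]} for a DDS.txt report."""
    sections = defaultdict(list)
    current = "HEADER"
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group("name")
        elif line.strip():
            sections[current].append(line.rstrip())
    return dict(sections)


def parse_autoruns(lines):
    """Run-key entries as dicts, with the one-letter hive expanded to its registry root."""
    out = []
    for line in lines:
        m = AUTORUN_RE.match(line)
        if m:
            out.append({"hive": HIVES[m.group("hive")], "name": m.group("name"),
                        "command": m.group("command")})
    return out


def parse_services(lines):
    """Service/driver entries; file_missing is set when DDS marked the image '[?]'."""
    out = []
    for line in lines:
        m = SERVICE_RE.match(line)
        if not m:
            continue
        image = m.group("image").rstrip()
        out.append({"state": m.group("state"), "name": m.group("name"),
                    "display": m.group("display"), "image": image,
                    "file_missing": image.endswith("[?]")})
    return out


def flag_associations(lines):
    """(ext, actual ProgID, expected ProgID) for executable extensions whose
    handler is no longer the Windows default."""
    flagged = []
    for line in lines:
        m = ASSOC_RE.match(line.strip())
        if not m:
            continue
        ext, progid = m.group("ext").lower(), m.group("progid").strip()
        expected = EXPECTED_PROGID.get(ext)
        if expected and progid.lower() != expected:
            flagged.append((ext, progid, expected))
    return flagged


def triage(text):
    """One pass over a DDS report: autoruns, orphaned services, hijacked associations."""
    sections = split_sections(text)
    services = parse_services(sections.get("SERVICES / DRIVERS", []))
    return {
        "autoruns": parse_autoruns(sections.get("Pseudo HJT Report", [])),
        "services": services,
        "orphaned_services": [s["name"] for s in services if s["file_missing"]],
        "hijacked_associations": flag_associations(sections.get("File Associations", [])),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_DDS)
    for entry in result["autoruns"]:
        print(f"autorun  {entry['hive']:<12} {entry['name']:<20} {entry['command']}")
    for name in result["orphaned_services"]:
        print(f"orphaned service/driver: {name}")
    for ext, actual, expected in result["hijacked_associations"]:
        print(f".{ext} handled by {actual!r}, default is {expected!r}")
```

Flagged entries are leads, not verdicts. In this log the orphaned `[?]` drivers are leftovers of products that are no longer fully installed (the report's later S4 entries name Avira and Lavasoft Ad-Aware), and the `.scr` handler belongs to a legitimately installed AutoCAD; the point of the script is to surface such entries quickly so a human can decide, which is what the helper does in the following reply by asking for the duplicate antivirus to be removed.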

#4 RPMcMurphy (Malware Response Team, 3,970 posts)

Posted 01 February 2011 - 02:13 PM

GFI3:

You have more than one antivirus (AV) program running. Your logs show both Avira and Microsoft Security Essentials (MSSE) running. Running more than one AV program does not offer any more protection and often causes conflicts and slowdowns with your computer. Please uninstall either Avira or MSSE via Control Panel > Add/Remove Programs. Run the removal tool (links below) for whichever app you uninstall also:

Microsoft Security Essentials Removal Tool
Avira Removal Tool

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please include the following in your next post:
  • ComboFix log



#5 GFI3 (Topic Starter; Members, 19 posts)

Posted 02 February 2011 - 10:23 AM

OK.

So neither of those antivirus programs shows up in my Add/Remove Programs list, so I ran both removal program links you listed. Still cannot seem to fully uninstall MSE as ComboFix still detects it prior to running. I am not sure what else I can do to remove it?

Either way here is my Combofix log:

ComboFix 11-01-31.02 - gives 02/02/2011 9:44.6.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1585 [GMT -5:00]
Running from: c:\documents and settings\gives\Desktop\Combo-Fix.exe
AV: Microsoft Security Essentials *Enabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.

((((((((((((((((((((((((( Files Created from 2011-01-02 to 2011-02-02 )))))))))))))))))))))))))))))))
.

2011-02-02 14:34 . 2011-02-02 14:34 -------- d-----w- c:\windows\LastGood
2011-02-02 14:24 . 2011-02-02 14:25 -------- d-----w- C:\WINSSLog
2011-02-01 14:32 . 2009-03-09 20:27 453456 ----a-w- c:\windows\system32\d3dx10_41.dll
2011-02-01 14:32 . 2009-03-09 20:27 1846632 ----a-w- c:\windows\system32\D3DCompiler_41.dll
2011-02-01 14:32 . 2009-03-09 20:27 4178264 ----a-w- c:\windows\system32\D3DX9_41.dll
2011-02-01 14:29 . 2011-02-01 14:29 -------- d-----w- C:\Autodesk
2011-01-26 16:13 . 2011-01-26 16:13 -------- d-----w- c:\windows\system32\wbem\Repository
2011-01-26 16:11 . 2011-01-26 16:11 -------- d-----w- c:\program files\DVD Shrink
2011-01-26 16:11 . 2011-01-26 16:11 -------- d-----w- c:\program files\ImgBurn
2011-01-26 16:11 . 2011-01-26 16:11 -------- d-----w- c:\documents and settings\gives\Application Data\ImgBurn
2011-01-26 16:11 . 2011-01-26 16:11 -------- d-----w- c:\program files\MP3 Cutter
2011-01-26 16:11 . 2011-01-26 16:11 -------- d-----w- c:\program files\MP3 Cutter Plus
2011-01-26 16:11 . 2011-01-26 16:11 -------- d-----w- C:\STOMP35
2011-01-26 16:11 . 2011-01-26 16:11 -------- d-----w- c:\program files\MVAPPS
2011-01-26 16:11 . 2011-01-26 16:11 -------- d-----w- c:\program files\Unlocker
2011-01-26 16:11 . 2011-01-26 16:11 -------- d-----w- c:\program files\The Weather Channel FW
2011-01-26 16:11 . 2011-01-26 16:11 -------- d-----w- c:\program files\ESET
2011-01-26 16:11 . 2011-01-26 16:11 -------- d-----w- c:\program files\Common Files\Java
2011-01-26 13:23 . 2011-01-26 16:12 -------- dc----w- c:\windows\$968930Uinstall_KB968930$
2011-01-26 12:57 . 2011-02-02 14:34 -------- d-----w- c:\program files\Microsoft Security Client
2011-01-20 19:43 . 2011-01-20 19:43 89088 ----a-w- C:\mbr.exe
2011-01-20 19:28 . 2011-01-20 19:28 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-20 23:09 . 2010-04-12 19:18 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 23:08 . 2010-04-12 19:18 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-18 18:12 . 2004-08-11 22:12 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-09 14:52 . 2004-08-11 22:00 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-06 00:26 . 2004-08-11 22:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2004-08-11 22:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2004-08-11 22:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
.

((((((((((((((((((((((((((((( SnapShot@2011-01-20_19.59.02 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-12 05:02 . 2009-07-12 05:02 51008 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_f0ccd4aa\vcomp90.dll
+ 2009-07-12 05:02 . 2009-07-12 05:02 59728 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90rus.dll
+ 2009-07-12 05:02 . 2009-07-12 05:02 42832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90kor.dll
+ 2009-07-12 05:02 . 2009-07-12 05:02 43344 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90jpn.dll
+ 2009-07-12 05:02 . 2009-07-12 05:02 61264 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90ita.dll
+ 2009-07-12 05:02 . 2009-07-12 05:02 62800 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90fra.dll
+ 2009-07-12 05:02 . 2009-07-12 05:02 61760 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esp.dll
+ 2009-07-12 05:02 . 2009-07-12 05:02 61776 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esn.dll
+ 2009-07-12 05:02 . 2009-07-12 05:02 53568 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90enu.dll
+ 2009-07-12 05:02 . 2009-07-12 05:02 63296 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90deu.dll
+ 2009-07-12 05:02 . 2009-07-12 05:02 36688 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90cht.dll
+ 2009-07-12 05:02 . 2009-07-12 05:02 35648 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90chs.dll
+ 2009-07-12 05:05 . 2009-07-12 05:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90u.dll
+ 2009-07-12 05:05 . 2009-07-12 05:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90.dll
+ 2011-02-02 14:29 . 2011-02-02 14:29 16384 c:\windows\temp\Perflib_Perfdata_58c.dat
+ 2004-08-11 22:00 . 2011-01-26 15:48 88344 c:\windows\system32\perfc009.dat
- 2007-10-09 17:03 . 2007-10-09 17:03 73752 c:\windows\system32\dxva2.dll
+ 2010-03-18 18:16 . 2007-10-09 17:03 73752 c:\windows\system32\dxva2.dll
+ 2010-02-10 01:48 . 2010-02-10 01:48 43232 c:\windows\system32\AcSignIcon.dll
+ 2010-02-10 01:48 . 2010-02-10 01:48 14560 c:\windows\system32\AcSignExtRes.dll
+ 2010-02-10 01:48 . 2010-02-10 01:48 29920 c:\windows\system32\AcSignExt.dll
- 2009-11-07 05:07 . 2009-11-07 05:07 13664 c:\windows\Microsoft.NET\Framework\sbs_wminet_utils.dll
+ 2010-03-18 18:16 . 2009-11-07 05:07 13664 c:\windows\Microsoft.NET\Framework\sbs_wminet_utils.dll
+ 2010-03-18 18:16 . 2009-11-07 05:07 13688 c:\windows\Microsoft.NET\Framework\sbs_system.enterpriseservices.dll
- 2009-11-07 05:07 . 2009-11-07 05:07 13688 c:\windows\Microsoft.NET\Framework\sbs_system.enterpriseservices.dll
- 2009-11-07 05:07 . 2009-11-07 05:07 13664 c:\windows\Microsoft.NET\Framework\sbs_system.data.dll
+ 2010-03-18 18:16 . 2009-11-07 05:07 13664 c:\windows\Microsoft.NET\Framework\sbs_system.data.dll
- 2009-11-07 05:07 . 2009-11-07 05:07 13696 c:\windows\Microsoft.NET\Framework\sbs_system.configuration.install.dll
+ 2010-03-18 18:16 . 2009-11-07 05:07 13696 c:\windows\Microsoft.NET\Framework\sbs_system.configuration.install.dll
+ 2010-03-18 18:16 . 2009-11-07 05:07 13656 c:\windows\Microsoft.NET\Framework\sbs_mscorsec.dll
- 2009-11-07 05:07 . 2009-11-07 05:07 13656 c:\windows\Microsoft.NET\Framework\sbs_mscorsec.dll
+ 2010-03-18 18:16 . 2009-11-07 05:07 13656 c:\windows\Microsoft.NET\Framework\sbs_mscorrc.dll
- 2009-11-07 05:07 . 2009-11-07 05:07 13656 c:\windows\Microsoft.NET\Framework\sbs_mscorrc.dll
- 2009-11-07 05:07 . 2009-11-07 05:07 13656 c:\windows\Microsoft.NET\Framework\sbs_mscordbi.dll
+ 2010-03-18 18:16 . 2009-11-07 05:07 13656 c:\windows\Microsoft.NET\Framework\sbs_mscordbi.dll
+ 2010-03-18 18:16 . 2009-11-07 05:07 13672 c:\windows\Microsoft.NET\Framework\sbs_microsoft.jscript.dll
- 2009-11-07 05:07 . 2009-11-07 05:07 13672 c:\windows\Microsoft.NET\Framework\sbs_microsoft.jscript.dll
- 2009-11-07 05:07 . 2009-11-07 05:07 13664 c:\windows\Microsoft.NET\Framework\sbs_diasymreader.dll
+ 2010-03-18 18:16 . 2009-11-07 05:07 13664 c:\windows\Microsoft.NET\Framework\sbs_diasymreader.dll
+ 2010-02-10 03:10 . 2010-02-10 03:10 20704 c:\windows\Installer\{5783F2D7-9028-0409-0000-0060B0CE6BBA}\CustomRes.dll
+ 2006-08-15 18:44 . 2006-08-15 18:44 15976 c:\windows\Installer\$PatchCache$\Managed\7D2F387580059040002000060BECB6AB\17.0.266\RDF_COMP_AcSignExtRes.dll
+ 2006-08-15 18:44 . 2006-08-15 18:44 15976 c:\windows\Installer\$PatchCache$\Managed\7D2F387500059040002000060BECB6AB\400.0.308\RDF_COMP_AcSignExtRes.dll
- 2006-09-06 18:39 . 2006-09-06 18:39 12800 c:\windows\assembly\GAC\Microsoft.DirectX.Diagnostics\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Diagnostics.dll
+ 2011-02-01 14:32 . 2011-02-01 14:32 12800 c:\windows\assembly\GAC\Microsoft.DirectX.Diagnostics\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Diagnostics.dll
+ 2011-02-01 14:32 . 2011-02-01 14:32 53248 c:\windows\assembly\GAC\Microsoft.DirectX.AudioVideoPlayback\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.AudioVideoPlayback.dll
- 2006-09-06 18:39 . 2006-09-06 18:39 53248 c:\windows\assembly\GAC\Microsoft.DirectX.AudioVideoPlayback\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.AudioVideoPlayback.dll
+ 2009-07-12 05:02 . 2009-07-12 05:02 653120 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcr90.dll
+ 2009-07-12 05:02 . 2009-07-12 05:02 569664 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcp90.dll
+ 2009-07-12 05:05 . 2009-07-12 05:05 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcm90.dll
+ 2009-07-12 05:02 . 2009-07-12 05:02 159032 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_353599c2\atl90.dll
+ 2004-08-11 22:00 . 2011-01-26 15:48 506990 c:\windows\system32\perfh009.dat
+ 2009-09-24 05:30 . 2008-07-25 15:16 158720 c:\windows\system32\mscorier.dll
- 2008-07-25 15:16 . 2008-07-25 15:16 158720 c:\windows\system32\mscorier.dll
- 2010-05-17 14:30 . 2010-05-17 14:30 153376 c:\windows\system32\javaws.exe
+ 2011-01-26 15:10 . 2010-05-17 14:30 153376 c:\windows\system32\javaws.exe
- 2010-05-17 14:30 . 2010-05-17 14:30 145184 c:\windows\system32\javaw.exe
+ 2011-01-26 15:10 . 2010-05-17 14:30 145184 c:\windows\system32\javaw.exe
+ 2011-01-26 15:10 . 2010-05-17 14:30 145184 c:\windows\system32\java.exe
- 2010-05-17 14:30 . 2010-05-17 14:30 145184 c:\windows\system32\java.exe
+ 2004-08-11 22:06 . 2011-02-01 14:38 277352 c:\windows\system32\FNTCACHE.DAT
- 2004-08-11 22:06 . 2010-12-15 17:50 277352 c:\windows\system32\FNTCACHE.DAT
- 2007-10-09 17:03 . 2007-10-09 17:03 493080 c:\windows\system32\evr.dll
+ 2010-03-18 18:16 . 2007-10-09 17:03 493080 c:\windows\system32\evr.dll
+ 2010-02-10 01:48 . 2010-02-10 01:48 429792 c:\windows\system32\AcSignOpt.exe
+ 2011-02-01 14:32 . 2006-03-31 16:27 578560 c:\windows\Microsoft.NET\DirectX for Managed Code\1.0.2911.0\Microsoft.DirectX.Direct3DX.dll
+ 2011-02-01 14:32 . 2006-02-03 12:40 578560 c:\windows\Microsoft.NET\DirectX for Managed Code\1.0.2910.0\Microsoft.DirectX.Direct3DX.dll
+ 2011-02-01 14:32 . 2005-12-05 22:20 577536 c:\windows\Microsoft.NET\DirectX for Managed Code\1.0.2909.0\Microsoft.DirectX.Direct3DX.dll
+ 2011-02-01 14:32 . 2005-09-28 19:11 577536 c:\windows\Microsoft.NET\DirectX for Managed Code\1.0.2908.0\Microsoft.DirectX.Direct3DX.dll
- 2006-09-06 18:31 . 2005-07-22 21:21 577024 c:\windows\Microsoft.NET\DirectX for Managed Code\1.0.2907.0\Microsoft.DirectX.Direct3DX.dll
+ 2006-09-06 18:31 . 2005-07-22 22:21 577024 c:\windows\Microsoft.NET\DirectX for Managed Code\1.0.2907.0\Microsoft.DirectX.Direct3DX.dll
+ 2011-02-01 14:32 . 2005-05-26 20:15 576000 c:\windows\Microsoft.NET\DirectX for Managed Code\1.0.2906.0\Microsoft.DirectX.Direct3DX.dll
+ 2011-02-01 14:32 . 2005-03-18 22:23 567296 c:\windows\Microsoft.NET\DirectX for Managed Code\1.0.2905.0\Microsoft.DirectX.Direct3DX.dll
+ 2011-02-01 14:32 . 2005-02-06 00:32 563712 c:\windows\Microsoft.NET\DirectX for Managed Code\1.0.2904.0\Microsoft.DirectX.Direct3DX.dll
+ 2011-02-02 14:34 . 2011-02-02 14:34 301056 c:\windows\Installer\4bd08.msi
+ 2011-02-01 14:31 . 2011-02-01 14:31 219648 c:\windows\Installer\1e3e34.msi
+ 2008-11-05 17:02 . 2008-11-05 17:02 119296 c:\windows\Installer\12bc9f.msp
+ 2010-02-10 03:10 . 2010-02-10 03:10 292576 c:\windows\Installer\{5783F2D7-9028-0409-0000-0060B0CE6BBA}\InstRes.dll
+ 2010-02-10 03:10 . 2010-02-10 03:10 253664 c:\windows\Installer\{5783F2D7-9028-0409-0000-0060B0CE6BBA}\InstBasicUI.dll
+ 2011-02-01 14:35 . 2011-02-01 14:35 880128 c:\windows\Installer\{5783F2D7-9028-0409-0000-0060B0CE6BBA}\Aoem162_icon.exe
+ 2006-08-15 18:44 . 2006-08-15 18:44 303208 c:\windows\Installer\$PatchCache$\Managed\7D2F387580059040002000060BECB6AB\17.0.266\RDF_COMP_AcSignOpt.exe
+ 2006-08-15 18:44 . 2006-08-15 18:44 185448 c:\windows\Installer\$PatchCache$\Managed\7D2F387580059040002000060BECB6AB\17.0.266\RDF_COMP_AcSignIcon.dll
+ 2006-08-15 18:44 . 2006-08-15 18:44 177768 c:\windows\Installer\$PatchCache$\Managed\7D2F387580059040002000060BECB6AB\17.0.266\RDF_COMP_AcSignExt.dll
+ 2006-08-15 18:44 . 2006-08-15 18:44 303208 c:\windows\Installer\$PatchCache$\Managed\7D2F387500059040002000060BECB6AB\400.0.308\RDF_COMP_AcSignOpt.exe
+ 2006-08-15 18:44 . 2006-08-15 18:44 185448 c:\windows\Installer\$PatchCache$\Managed\7D2F387500059040002000060BECB6AB\400.0.308\RDF_COMP_AcSignIcon.dll
+ 2006-08-15 18:44 . 2006-08-15 18:44 177768 c:\windows\Installer\$PatchCache$\Managed\7D2F387500059040002000060BECB6AB\400.0.308\RDF_COMP_AcSignExt.dll
+ 2011-02-01 14:34 . 2011-02-01 14:34 150896 c:\windows\assembly\GAC_MSIL\Autodesk.AutoCAD.Interop\18.1.0.0__eed84259d7cbf30b\Autodesk.AutoCAD.Interop.dll
+ 2011-02-01 14:34 . 2011-02-01 14:34 153336 c:\windows\assembly\GAC_MSIL\Autodesk.AutoCAD.Interop\17.1.51.0__eed84259d7cbf30b\Autodesk.AutoCAD.Interop.dll
- 2006-09-06 18:39 . 2006-09-06 18:39 223232 c:\windows\assembly\GAC\Microsoft.DirectX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.dll
+ 2011-02-01 14:32 . 2011-02-01 14:32 223232 c:\windows\assembly\GAC\Microsoft.DirectX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.dll
+ 2011-02-01 14:32 . 2011-02-01 14:32 178176 c:\windows\assembly\GAC\Microsoft.DirectX.DirectSound\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectSound.dll
- 2006-09-06 18:39 . 2006-09-06 18:39 178176 c:\windows\assembly\GAC\Microsoft.DirectX.DirectSound\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectSound.dll
+ 2011-02-01 14:32 . 2011-02-01 14:32 364544 c:\windows\assembly\GAC\Microsoft.DirectX.DirectPlay\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectPlay.dll
- 2006-09-06 18:39 . 2006-09-06 18:39 364544 c:\windows\assembly\GAC\Microsoft.DirectX.DirectPlay\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectPlay.dll
+ 2011-02-01 14:32 . 2011-02-01 14:32 159232 c:\windows\assembly\GAC\Microsoft.DirectX.DirectInput\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectInput.dll
- 2006-09-06 18:39 . 2006-09-06 18:39 159232 c:\windows\assembly\GAC\Microsoft.DirectX.DirectInput\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectInput.dll
- 2006-09-06 18:39 . 2006-09-06 18:39 145920 c:\windows\assembly\GAC\Microsoft.DirectX.DirectDraw\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectDraw.dll
+ 2011-02-01 14:32 . 2011-02-01 14:32 145920 c:\windows\assembly\GAC\Microsoft.DirectX.DirectDraw\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectDraw.dll
+ 2011-02-01 14:32 . 2011-02-01 14:32 578560 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2911.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2011-02-01 14:32 . 2011-02-01 14:32 578560 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2910.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2011-02-01 14:32 . 2011-02-01 14:32 577536 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2909.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2011-02-01 14:32 . 2011-02-01 14:32 577536 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2908.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2011-02-01 14:32 . 2011-02-01 14:32 577024 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2907.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2006-09-06 18:39 . 2006-09-06 18:39 577024 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2907.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2011-02-01 14:32 . 2011-02-01 14:32 576000 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2906.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2011-02-01 14:32 . 2011-02-01 14:32 567296 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2905.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2011-02-01 14:32 . 2011-02-01 14:32 563712 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2904.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2006-09-06 18:39 . 2006-09-06 18:39 473600 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3D\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3D.dll
+ 2011-02-01 14:32 . 2011-02-01 14:32 473600 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3D\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3D.dll
+ 2009-07-12 05:02 . 2009-07-12 05:02 3780424 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90u.dll
+ 2009-07-12 05:02 . 2009-07-12 05:02 3765048 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90.dll
+ 2011-01-26 16:10 . 2011-01-26 16:14 2127544 c:\windows\system32\Restore\rstrlog.dat
+ 2011-02-01 14:32 . 2006-03-31 17:40 2388176 c:\windows\system32\d3dx9_30.dll
+ 2011-02-01 14:32 . 2004-12-01 20:53 2846720 c:\windows\Microsoft.NET\DirectX for Managed Code\1.0.2903.0\Microsoft.DirectX.Direct3DX.dll
+ 2011-02-01 14:32 . 2004-09-29 17:38 2676224 c:\windows\Microsoft.NET\DirectX for Managed Code\1.0.2902.0\Microsoft.DirectX.Direct3DX.dll
+ 2011-02-01 14:35 . 2011-02-01 14:35 5230080 c:\windows\Installer\1e3e72.msi
+ 2011-02-01 14:36 . 2011-02-01 14:36 4387328 c:\windows\assembly\NativeImages_v2.0.50727_32\AdWindows\9f37f7795b4e326e6625d7f3a45fd83a\AdWindows.ni.dll
+ 2011-02-01 14:36 . 2011-02-01 14:36 2205696 c:\windows\assembly\NativeImages_v2.0.50727_32\AcWindows\a7e10ab34a1a1987028be94d2c9aafad\AcWindows.ni.dll
+ 2011-02-01 14:36 . 2011-02-01 14:36 5229056 c:\windows\assembly\NativeImages_v2.0.50727_32\acmgd\51750116c9257dc4a0f74058d98a595c\acmgd.ni.dll
+ 2011-02-01 14:36 . 2011-02-01 14:36 1468928 c:\windows\assembly\NativeImages_v2.0.50727_32\AcLayer\58c924b1b3928f5f3bff0c568c04886e\AcLayer.ni.dll
+ 2011-02-01 14:36 . 2011-02-01 14:36 1598464 c:\windows\assembly\NativeImages_v2.0.50727_32\AcCui\3b274caef61d58e6accb5d67b0bbe3b7\AcCui.ni.dll
+ 2011-02-01 14:34 . 2011-02-01 14:34 1797488 c:\windows\assembly\GAC_MSIL\Autodesk.AutoCAD.Interop.Common\18.1.0.0__eed84259d7cbf30b\Autodesk.AutoCAD.Interop.Common.dll
+ 2011-02-01 14:34 . 2011-02-01 14:34 1103608 c:\windows\assembly\GAC_MSIL\Autodesk.AutoCAD.Interop.Common\17.1.51.0__eed84259d7cbf30b\Autodesk.AutoCAD.Interop.Common.dll
+ 2011-02-01 14:32 . 2011-02-01 14:32 2846720 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2903.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2011-02-01 14:32 . 2011-02-01 14:32 2676224 c:\windows\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2011-02-01 14:36 . 2011-02-01 14:36 10113024 c:\windows\assembly\NativeImages_v2.0.50727_32\acdbmgd\50b45206926c76ea6f99dfec59679a83\acdbmgd.ni.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\gives\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-05-25 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-03-21 5537792]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2010-07-12 74752]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
backup=c:\windows\pss\AutoCAD Startup Accelerator.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BbInstallUser]
2008-04-24 18:12 49824 -c--a-w- c:\program files\Bluebeam Software\Pushbutton PDF\Bluebeam Admin User.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BbPrintMonitor]
2008-04-16 19:04 156320 -c--a-w- c:\program files\Common Files\Bluebeam Software\Brewery\V45\Printer Support\BBPrint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-05-25 12:55 136176 ----atw- c:\documents and settings\gives\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2006-02-19 07:41 49152 -c--a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
2002-11-05 18:34 188416 -c--a-w- c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2005-04-25 13:50 139264 -c--a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-08-09 11:03 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-08-09 11:03 81920 -c--a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-09-01 12:32 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (rootkit-scan)]
2010-12-20 23:08 963976 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2005-03-21 22:21 5537792 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-09-08 15:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2006-02-10 23:17 282624 -c--a-w- c:\windows\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 15:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2010-08-02 10:44 2403568 ----a-w- c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2010-07-12 16:32 74752 ----a-w- c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{0228e555-4f9c-4e35-a3ec-b109a192b4c2}]
2005-07-15 21:48 479232 ----a-w- c:\program files\Google\Gmail Notifier\gnotify.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"Lavasoft Ad-Aware Service"=2 (0x2)
"SPBBCSvc"=3 (0x3)
"SNDSrvc"=3 (0x3)
"ccPwdSvc"=3 (0x3)
"ccEvtMgr"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 10:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [4/27/2010 4:30 PM 67656]
R2 Transoft Solutions License Server V1.4;Transoft Solutions License Server V1.4;c:\program files\Transoft Solutions\License Server\TransoftLS.exe [4/30/2007 4:19 PM 307200]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/17/2010 3:56 PM 136176]
S3 pctplsg;pctplsg;\??\c:\windows\system32\drivers\pctplsg.sys --> c:\windows\system32\drivers\pctplsg.sys [?]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\Lavasoft\Ad-Aware\AAWService.exe" --> c:\program files\Lavasoft\Ad-Aware\AAWService.exe [?]
.
Contents of the 'Scheduled Tasks' folder

2011-02-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-17 20:56]

2011-02-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-17 20:56]

2011-01-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1368161332-2723273657-3337644624-1172Core.job
- c:\documents and settings\gives\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-05-25 12:55]

2011-02-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1368161332-2723273657-3337644624-1172UA.job
- c:\documents and settings\gives\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-05-25 12:55]

2011-02-02 c:\windows\Tasks\User_Feed_Synchronization-{623B5B52-D672-4805-8FCD-90B357FC89C5}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
FF - ProfilePath - c:\documents and settings\gives\Application Data\Mozilla\Firefox\Profiles\8fjjqeaj.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
.
------- File Associations -------
.
.scr=AutoCADScriptFile
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-02 09:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,26,3f,8d,93,e5,0e,c5,4c,9b,95,8c,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,26,3f,8d,93,e5,0e,c5,4c,9b,95,8c,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Network]
@DACL=(02 0000)
"FilterClasses"=multi:"scheduler\00loadbalance\00failover\00\00"
"Config"=hex:00,00,00,00,1c,00,00,00,94,69,c6,01,8d,a3,44,4f,a0,68,b8,f3,45,50,
a7,20,04,00,00,00,28,00,00,00,6d,00,73,00,5f,00,77,00,7a,00,63,00,73,00,76,\

[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Network\Uninstalled]
@DACL=(02 0000)
@SACL=
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(676)
c:\windows\system32\WININET.dll
c:\windows\system32\AcSignIcon.dll
c:\program files\Common Files\Autodesk Shared\AcSignCore16.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-02-02 10:17:11
ComboFix-quarantined-files.txt 2011-02-02 14:55
ComboFix2.txt 2011-01-20 20:09
ComboFix3.txt 2010-07-29 19:01

Pre-Run: 27,105,009,664 bytes free
Post-Run: 27,208,060,928 bytes free

- - End Of File - - 03F1A94437021D4AB1F3C606EFAB84F9

#6 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • Gender:Male
  • Local time:06:35 PM

Posted 02 February 2011 - 01:31 PM

GFI3:

Download TDSSKiller.zip and extract TDSSKiller.exe to your desktop
  • Execute TDSSKiller.exe by double-clicking on it.
  • Press Start Scan
  • If Malicious objects are found then ensure Cure is selected. Important - If there is no option to "Cure" it is critical that you select "Skip"
  • Then click Continue > Reboot now
  • Once complete, a log will be produced in c:\. It will be named for example, TDSSKiller.2.4.0.0_24.07.2010_13.10.52_log.txt
  • Attach that log, please.
Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the code box by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before or above SecCenter::

SecCenter::
{BCF43643-A118-4432-AEDE-D861FCBCFCDF}

Save this as CFScript to your desktop.

Then disable your security programs and drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM
  • Click the Update tab
  • Click Check for Updates
  • If an update is found, it will download and install the latest version.
  • The program will close to update and reopen.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Uncheck any entries from C:\System Volume Information or C:\Qoobox
  • Make sure that everything else is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Please include the following in your next post:
  • TDSSKiller log
  • ComboFix log
  • MBAM log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


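Two entries in the ComboFix log posted above deserve a closer look from anyone reading this thread for diagnosis. Under [HKEY_LOCAL_MACHINE\software\microsoft\security center], both AntiVirusOverride and FirewallOverride are set to 1, which tells Windows XP's Security Center not to alert when antivirus or the firewall is missing or disabled; malware commonly sets these to stay quiet, although some legitimate security suites set them too, so they are a lead rather than proof (the SecCenter:: line in the helper's CFScript is presumably aimed at this). Under File Associations, .scr is mapped to AutoCADScriptFile rather than the default scrfile handler, which is the likely reason DDS, distributed as a .scr file, opened as an AutoCAD script instead of running, as the original post describes. The script below is an added example, not part of this thread or of ComboFix: it parses an abridged sample log constructed here in the same format and flags both conditions. The section headers and line patterns it matches are my assumptions drawn from the log as shown on this page.

```python
import re
from typing import Dict, List

# Constructed sample, modelled on the "Reg Loading Points" and
# "File Associations" sections of the ComboFix log posted above (abridged).
SAMPLE_LOG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-03-21 5537792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
.
------- File Associations -------
.
.scr=AutoCADScriptFile
.
"""

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")            # [HKEY_...\path]
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')  # "name"=value
ASSOC_RE = re.compile(r"^(?P<ext>\.[A-Za-z0-9]+)=(?P<handler>\S+)$")  # .ext=ProgID


def parse_reg_points(text: str) -> Dict[str, Dict[str, str]]:
    """Return {registry key: {value name: raw value}} from the REGEDIT4-style
    'Reg Loading Points' block. Keys are lower-cased because ComboFix prints
    them in mixed case (HKEY_LOCAL_MACHINE\\... next to hkey_local_machine\\...)."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group("key").lower()
            sections.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            sections[current][m.group("name")] = m.group("value").strip()
    return sections


def parse_file_assocs(text: str) -> Dict[str, str]:
    """Return {extension: handler ProgID} from the 'File Associations' block."""
    assocs: Dict[str, str] = {}
    in_block = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("------- File Associations"):
            in_block = True
            continue
        if in_block:
            m = ASSOC_RE.match(line)
            if m:
                assocs[m.group("ext").lower()] = m.group("handler")
            elif line.startswith("-------"):  # next dashed ComboFix section
                break
    return assocs


def dword_value(raw: str) -> int:
    """Parse 'dword:00000001' to 1; any other value type is treated as 0."""
    if raw.lower().startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    return 0


def analyze(text: str) -> List[str]:
    """Flag Security Center overrides and a non-default .scr handler."""
    findings: List[str] = []
    for key, values in parse_reg_points(text).items():
        if not key.endswith("security center"):
            continue
        for name in ("AntiVirusOverride", "FirewallOverride"):
            if dword_value(values.get(name, "")) != 0:
                findings.append(
                    f"{name}=1 in [{key}]: Security Center will not warn that "
                    "this component is missing or disabled"
                )
    handler = parse_file_assocs(text).get(".scr")
    if handler and handler.lower() != "scrfile":
        findings.append(
            f".scr handler is {handler}, not scrfile: tools shipped as renamed "
            ".scr executables will open in that program instead of running"
        )
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print("FINDING:", finding)
```

Run it against a saved ComboFix.txt by replacing SAMPLE_LOG with the file's contents; the two override findings are worth confirming against whatever security product is actually installed before treating them as malicious, and the .scr finding is fixed by restoring the scrfile association (or, as in this thread, by running the renamed tool under a different extension).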

#7 GFI3

GFI3
  • Topic Starter

  • Members
  • 19 posts
  • Local time:05:35 PM

Posted 02 February 2011 - 02:19 PM

OK. Everything went smooth...

TDSSKiller Log attached.


ComboFix Log:
ComboFix 11-01-31.02 - gives 02/02/2011 13:39:26.7.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1497 [GMT -5:00]
Running from: c:\documents and settings\gives\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\gives\Desktop\CFScript.txt
.

((((((((((((((((((((((((( Files Created from 2011-01-02 to 2011-02-02 )))))))))))))))))))))))))))))))
.

2011-02-02 15:44 . 2011-02-02 15:44 2210 ----a-w- C:\FixitRegBackup.reg
2011-02-02 14:24 . 2011-02-02 14:25 -------- d-----w- C:\WINSSLog
2011-02-01 14:32 . 2009-03-09 20:27 453456 ----a-w- c:\windows\system32\d3dx10_41.dll
2011-02-01 14:32 . 2009-03-09 20:27 1846632 ----a-w- c:\windows\system32\D3DCompiler_41.dll
2011-02-01 14:32 . 2009-03-09 20:27 4178264 ----a-w- c:\windows\system32\D3DX9_41.dll
2011-02-01 14:29 . 2011-02-01 14:29 -------- d-----w- C:\Autodesk
2011-01-26 16:13 . 2011-01-26 16:13 -------- d-----w- c:\windows\system32\wbem\Repository
2011-01-26 16:11 . 2011-01-26 16:11 -------- d-----w- c:\program files\DVD Shrink
2011-01-26 16:11 . 2011-01-26 16:11 -------- d-----w- c:\program files\ImgBurn
2011-01-26 16:11 . 2011-01-26 16:11 -------- d-----w- c:\documents and settings\gives\Application Data\ImgBurn
2011-01-26 16:11 . 2011-01-26 16:11 -------- d-----w- c:\program files\MP3 Cutter
2011-01-26 16:11 . 2011-01-26 16:11 -------- d-----w- c:\program files\MP3 Cutter Plus
2011-01-26 16:11 . 2011-01-26 16:11 -------- d-----w- C:\STOMP35
2011-01-26 16:11 . 2011-01-26 16:11 -------- d-----w- c:\program files\MVAPPS
2011-01-26 16:11 . 2011-01-26 16:11 -------- d-----w- c:\program files\Unlocker
2011-01-26 16:11 . 2011-01-26 16:11 -------- d-----w- c:\program files\The Weather Channel FW
2011-01-26 16:11 . 2011-01-26 16:11 -------- d-----w- c:\program files\Common Files\Java
2011-01-26 13:23 . 2011-01-26 16:12 -------- dc----w- c:\windows\$968930Uinstall_KB968930$
2011-01-26 12:57 . 2011-02-02 16:01 -------- d-----w- c:\program files\Microsoft Security Client
2011-01-20 19:43 . 2011-01-20 19:43 89088 ----a-w- C:\mbr.exe
2011-01-20 19:28 . 2011-01-20 19:28 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-20 23:09 . 2010-04-12 19:18 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 23:08 . 2010-04-12 19:18 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-18 18:12 . 2004-08-11 22:12 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-09 14:52 . 2004-08-11 22:00 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-06 00:26 . 2004-08-11 22:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2004-08-11 22:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2004-08-11 22:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
.

((((((((((((((((((((((((((((( SnapShot_2011-02-02_14.52.33 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-02-02 15:54 . 2011-02-02 15:54 16384 c:\windows\temp\Perflib_Perfdata_588.dat
+ 2011-02-02 16:00 . 2011-02-02 16:00 301056 c:\windows\Installer\6ab2c.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\gives\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-05-25 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-03-21 5537792]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2010-07-12 74752]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
backup=c:\windows\pss\AutoCAD Startup Accelerator.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BbInstallUser]
2008-04-24 18:12 49824 -c--a-w- c:\program files\Bluebeam Software\Pushbutton PDF\Bluebeam Admin User.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BbPrintMonitor]
2008-04-16 19:04 156320 -c--a-w- c:\program files\Common Files\Bluebeam Software\Brewery\V45\Printer Support\BBPrint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-05-25 12:55 136176 ----atw- c:\documents and settings\gives\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2006-02-19 07:41 49152 -c--a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
2002-11-05 18:34 188416 -c--a-w- c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2005-04-25 13:50 139264 -c--a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-08-09 11:03 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-08-09 11:03 81920 -c--a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-09-01 12:32 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (rootkit-scan)]
2010-12-20 23:08 963976 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2005-03-21 22:21 5537792 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-09-08 15:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2006-02-10 23:17 282624 -c--a-w- c:\windows\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 15:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2010-08-02 10:44 2403568 ----a-w- c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2010-07-12 16:32 74752 ----a-w- c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"Lavasoft Ad-Aware Service"=2 (0x2)
"SPBBCSvc"=3 (0x3)
"SNDSrvc"=3 (0x3)
"ccPwdSvc"=3 (0x3)
"ccEvtMgr"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 10:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [4/27/2010 4:30 PM 67656]
R2 Transoft Solutions License Server V1.4;Transoft Solutions License Server V1.4;c:\program files\Transoft Solutions\License Server\TransoftLS.exe [4/30/2007 4:19 PM 307200]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/17/2010 3:56 PM 136176]
S3 pctplsg;pctplsg;\??\c:\windows\system32\drivers\pctplsg.sys --> c:\windows\system32\drivers\pctplsg.sys [?]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\Lavasoft\Ad-Aware\AAWService.exe" --> c:\program files\Lavasoft\Ad-Aware\AAWService.exe [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - klmd25
.
Contents of the 'Scheduled Tasks' folder

2011-02-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-17 20:56]

2011-02-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-17 20:56]

2011-01-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1368161332-2723273657-3337644624-1172Core.job
- c:\documents and settings\gives\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-05-25 12:55]

2011-02-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1368161332-2723273657-3337644624-1172UA.job
- c:\documents and settings\gives\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-05-25 12:55]

2011-02-02 c:\windows\Tasks\User_Feed_Synchronization-{623B5B52-D672-4805-8FCD-90B357FC89C5}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
FF - ProfilePath - c:\documents and settings\gives\Application Data\Mozilla\Firefox\Profiles\8fjjqeaj.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-{0228e555-4f9c-4e35-a3ec-b109a192b4c2} - c:\program files\Google\Gmail Notifier\gnotify.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-02 13:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,26,3f,8d,93,e5,0e,c5,4c,9b,95,8c,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,26,3f,8d,93,e5,0e,c5,4c,9b,95,8c,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Network]
@DACL=(02 0000)
"FilterClasses"=multi:"scheduler\00loadbalance\00failover\00\00"
"Config"=hex:00,00,00,00,1c,00,00,00,94,69,c6,01,8d,a3,44,4f,a0,68,b8,f3,45,50,
a7,20,04,00,00,00,28,00,00,00,6d,00,73,00,5f,00,77,00,7a,00,63,00,73,00,76,\

[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Network\Uninstalled]
@DACL=(02 0000)
@SACL=
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(528)
c:\windows\system32\WININET.dll
c:\windows\system32\AcSignIcon.dll
c:\program files\Common Files\Autodesk Shared\AcSignCore16.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-02-02 14:03:02
ComboFix-quarantined-files.txt 2011-02-02 18:51
ComboFix2.txt 2011-02-02 15:17
ComboFix3.txt 2011-01-20 20:09
ComboFix4.txt 2010-07-29 19:01

Pre-Run: 28,559,335,424 bytes free
Post-Run: 28,542,185,472 bytes free

- - End Of File - - 311C552F5C846E1FBFF632AF266042CF



Mbam Log:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5661

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/2/2011 2:12:04 PM
mbam-log-2011-02-02 (14-12-04).txt

Scan type: Quick scan
Objects scanned: 236238
Time elapsed: 4 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



Thank you for all your help so far!




#8 RPMcMurphy (Malware Response Team)

Posted 02 February 2011 - 07:59 PM

GFI3:

How is your computer running now? Please do this next:

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Java™ 6 Update 20 can be updated from the Java control panel Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now. An update should begin; follow the prompts. If it does not, let me know.

Once the install is complete...

Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup)
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave BOTH Checked
    • Applications and Applets
    • Trace and Log Files
  • Click OK on Delete Temporary Files Window
Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.
Please run ESET Online Scanner
  • Place a check mark in the box YES, I accept the Terms Of Use
  • Click the Start button.
  • Now click the Install button.
  • Click Start. The scanner engine will initialize and update.
  • Do Not place a check mark in the box beside Remove found threats.
  • Click the Scan button. The scan will now run, please be patient.
  • When the scan finishes click the Details tab.
  • Copy and paste the contents of the C:\ProgramFiles\EsetOnlineScanner\log.txt into your next reply.
Please include the following in your next post:
  • How is the computer running?
  • ESET log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif


#9 GFI3 (Topic Starter)

Posted 03 February 2011 - 09:33 AM

So my computer seems to be running ok as far as speed and performance goes; however, I still cannot install MSE, which is my only AV protection. I have gone through all of the steps on Microsoft's site to fully remove and reinstall but have had no luck. Also, I could not open Java from within the Control Panel. I double-click the icon and nothing happens. Can I run an update directly from their website?

I ran the ESET Scan and there were no threats found - No details tab?

Thanks



#10 RPMcMurphy (Malware Response Team)

Posted 03 February 2011 - 10:03 AM

GFI3:

Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the code box by highlighting it and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before or above RegLock::

RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

Save this as CFScript to your desktop.

Then disable your security programs and drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScript being dragged onto ComboFix.exe]


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Please follow these instructions to run System File Checker:
  • Click Start > Run or press the Windows Key + R, enter the following command into the run box and click OK:
    sfc /scannow
    (that is, sfc<space>/scannow)
  • If that won't run in normal mode, try it in Safe Mode.
Please include the following in your next post:
  • ComboFix log
  • How is the computer running?

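The RegLock:: directive above hands the locked key to ComboFix, which strips the Deny entries so the key can be inspected and edited again. The same check can be done by hand. The PowerShell below is an added example, not part of this thread or of ComboFix: it reports every Deny ACE on the keys ComboFix listed under LOCKED REGISTRY KEYS (the two default paths are taken from the logs above; the function name Get-RegistryDenyAce is my own) and, only when -Unlock is passed, removes the explicit Deny entries from a key you name. Note that the helper only targeted the HKEY_USERS\.Default IE User Preferences key and left the FlashBroker CLSID/Interface entries alone; those are commonly present on machines with Adobe Flash installed, so audit first and unlock deliberately. Run it from an elevated PowerShell session on the affected machine.

```powershell
# Added example (not from the thread or from ComboFix): list Deny ACEs on
# registry keys and, only with -Unlock, remove the explicit ones. The two
# default key paths are the ones the ComboFix logs listed under LOCKED
# REGISTRY KEYS; the function name is an assumption.
function Get-RegistryDenyAce {
    param(
        [string[]]$Path = @(
            'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\User Preferences',
            'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}'
        ),
        [switch]$Unlock
    )
    foreach ($key in $Path) {
        if (-not (Test-Path -Path $key)) {
            New-Object PSObject -Property @{ Key = $key; State = 'missing'; Deny = @() }
            continue
        }
        try {
            $acl = Get-Acl -Path $key
        } catch {
            # A Deny ACE that covers the caller (or a changed owner) can block
            # reading the DACL itself; take ownership in regedit, then rerun.
            New-Object PSObject -Property @{ Key = $key; State = "unreadable: $($_.Exception.Message)"; Deny = @() }
            continue
        }
        $deny  = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })
        $state = if ($deny.Count -eq 0) { 'ok' } else { 'locked' }
        if ($Unlock -and $deny.Count -gt 0) {
            # RemoveAccessRule only affects explicit ACEs; inherited Deny entries
            # have to be fixed on the parent key.
            foreach ($ace in $deny) {
                if (-not $ace.IsInherited) { [void]$acl.RemoveAccessRule($ace) }
            }
            try   { Set-Acl -Path $key -AclObject $acl; $state = 'unlocked' }
            catch { $state = "unlock failed: $($_.Exception.Message)" }
        }
        New-Object PSObject -Property @{
            Key   = $key
            State = $state
            Deny  = @($deny | ForEach-Object { "$($_.IdentityReference): $($_.RegistryRights)" })
        }
    }
}

# Audit first; unlock only the key the CFScript above targeted.
Get-RegistryDenyAce | Format-List
# Get-RegistryDenyAce -Path 'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\User Preferences' -Unlock
```

If the audit reports a key as unreadable, the Deny entry covers your own account; take ownership of the key first (regedit > Permissions > Advanced > Owner), then run the audit and unlock again.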


#11 GFI3 (Topic Starter)

Posted 03 February 2011 - 11:54 AM

Ran Combo-Fix, here is the log:

ComboFix 11-01-31.02 - gives 02/03/2011 11:01:04.8.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1586 [GMT -5:00]
Running from: c:\documents and settings\gives\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\gives\Desktop\CFScript.txt
.

((((((((((((((((((((((((( Files Created from 2011-01-03 to 2011-02-03 )))))))))))))))))))))))))))))))
.

2011-02-03 14:50 . 2003-06-25 21:05 266360 ----a-w- c:\windows\system32\TweakUI.exe
2011-02-02 15:44 . 2011-02-02 15:44 2210 ----a-w- C:\FixitRegBackup.reg
2011-02-02 14:24 . 2011-02-02 14:25 -------- d-----w- C:\WINSSLog
2011-02-01 14:32 . 2009-03-09 20:27 453456 ----a-w- c:\windows\system32\d3dx10_41.dll
2011-02-01 14:32 . 2009-03-09 20:27 1846632 ----a-w- c:\windows\system32\D3DCompiler_41.dll
2011-02-01 14:32 . 2009-03-09 20:27 4178264 ----a-w- c:\windows\system32\D3DX9_41.dll
2011-02-01 14:29 . 2011-02-01 14:29 -------- d-----w- C:\Autodesk
2011-01-26 16:13 . 2011-01-26 16:13 -------- d-----w- c:\windows\system32\wbem\Repository
2011-01-26 16:11 . 2011-01-26 16:11 -------- d-----w- c:\program files\DVD Shrink
2011-01-26 16:11 . 2011-01-26 16:11 -------- d-----w- c:\program files\MP3 Cutter
2011-01-26 16:11 . 2011-01-26 16:11 -------- d-----w- c:\program files\MP3 Cutter Plus
2011-01-26 16:11 . 2011-01-26 16:11 -------- d-----w- C:\STOMP35
2011-01-26 16:11 . 2011-01-26 16:11 -------- d-----w- c:\program files\MVAPPS
2011-01-26 16:11 . 2011-01-26 16:11 -------- d-----w- c:\program files\Unlocker
2011-01-26 16:11 . 2011-01-26 16:11 -------- d-----w- c:\program files\The Weather Channel FW
2011-01-26 16:11 . 2011-01-26 16:11 -------- d-----w- c:\program files\Common Files\Java
2011-01-26 13:23 . 2011-01-26 16:12 -------- dc----w- c:\windows\$968930Uinstall_KB968930$
2011-01-26 12:57 . 2011-02-02 16:01 -------- d-----w- c:\program files\Microsoft Security Client
2011-01-20 19:43 . 2011-01-20 19:43 89088 ----a-w- C:\mbr.exe
2011-01-20 19:28 . 2011-01-20 19:28 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-20 23:09 . 2010-04-12 19:18 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 23:08 . 2010-04-12 19:18 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-18 18:12 . 2004-08-11 22:12 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-09 14:52 . 2004-08-11 22:00 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-06 00:26 . 2004-08-11 22:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2004-08-11 22:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2004-08-11 22:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
.

((((((((((((((((((((((((((((( SnapShot_2011-02-02_14.52.33 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-02-03 14:41 . 2011-02-03 14:41 16384 c:\windows\temp\Perflib_Perfdata_580.dat
+ 2011-02-02 16:00 . 2011-02-02 16:00 301056 c:\windows\Installer\6ab2c.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\gives\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-05-25 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-03-21 5537792]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2010-07-12 74752]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
backup=c:\windows\pss\AutoCAD Startup Accelerator.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BbInstallUser]
2008-04-24 18:12 49824 -c--a-w- c:\program files\Bluebeam Software\Pushbutton PDF\Bluebeam Admin User.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BbPrintMonitor]
2008-04-16 19:04 156320 -c--a-w- c:\program files\Common Files\Bluebeam Software\Brewery\V45\Printer Support\BBPrint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-05-25 12:55 136176 ----atw- c:\documents and settings\gives\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2006-02-19 07:41 49152 -c--a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
2002-11-05 18:34 188416 -c--a-w- c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2005-04-25 13:50 139264 -c--a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-08-09 11:03 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-08-09 11:03 81920 -c--a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-09-01 12:32 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (rootkit-scan)]
2010-12-20 23:08 963976 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2005-03-21 22:21 5537792 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-09-08 15:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2006-02-10 23:17 282624 -c--a-w- c:\windows\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 15:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2010-08-02 10:44 2403568 ----a-w- c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2010-07-12 16:32 74752 ----a-w- c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"Lavasoft Ad-Aware Service"=2 (0x2)
"SPBBCSvc"=3 (0x3)
"SNDSrvc"=3 (0x3)
"ccPwdSvc"=3 (0x3)
"ccEvtMgr"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 10:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [4/27/2010 4:30 PM 67656]
R2 Transoft Solutions License Server V1.4;Transoft Solutions License Server V1.4;c:\program files\Transoft Solutions\License Server\TransoftLS.exe [4/30/2007 4:19 PM 307200]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/17/2010 3:56 PM 136176]
S3 pctplsg;pctplsg;\??\c:\windows\system32\drivers\pctplsg.sys --> c:\windows\system32\drivers\pctplsg.sys [?]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\Lavasoft\Ad-Aware\AAWService.exe" --> c:\program files\Lavasoft\Ad-Aware\AAWService.exe [?]
.
Contents of the 'Scheduled Tasks' folder

2011-02-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-17 20:56]

2011-02-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-17 20:56]

2011-01-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1368161332-2723273657-3337644624-1172Core.job
- c:\documents and settings\gives\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-05-25 12:55]

2011-02-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1368161332-2723273657-3337644624-1172UA.job
- c:\documents and settings\gives\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-05-25 12:55]

2011-02-03 c:\windows\Tasks\User_Feed_Synchronization-{623B5B52-D672-4805-8FCD-90B357FC89C5}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
FF - ProfilePath - c:\documents and settings\gives\Application Data\Mozilla\Firefox\Profiles\8fjjqeaj.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-03 11:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Network]
@DACL=(02 0000)
"FilterClasses"=multi:"scheduler\00loadbalance\00failover\00\00"
"Config"=hex:00,00,00,00,1c,00,00,00,94,69,c6,01,8d,a3,44,4f,a0,68,b8,f3,45,50,
a7,20,04,00,00,00,28,00,00,00,6d,00,73,00,5f,00,77,00,7a,00,63,00,73,00,76,\

[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Network\Uninstalled]
@DACL=(02 0000)
@SACL=
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3688)
c:\windows\system32\WININET.dll
c:\windows\system32\AcSignIcon.dll
c:\program files\Common Files\Autodesk Shared\AcSignCore16.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-02-03 11:24:22
ComboFix-quarantined-files.txt 2011-02-03 16:12
ComboFix2.txt 2011-02-02 19:03
ComboFix3.txt 2011-02-02 15:17
ComboFix4.txt 2011-01-20 20:09
ComboFix5.txt 2011-02-03 16:00

Pre-Run: 28,528,222,208 bytes free
Post-Run: 28,508,393,472 bytes free

- - End Of File - - B0B52C565E689FDD2150C74DD3736A25



Also ran System File Checker and it scanned without any problems.

Computer seems fine. I will try to reinstall MSE again.

Thanks!!
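The log above shows the autostart locations ComboFix reads: the Run keys under HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE and HKEY_USERS\.DEFAULT, the Explorer ShellExecuteHooks, the .job files in c:\windows\Tasks, and the Security Center AntiVirusOverride and FirewallOverride values, both set to 1 here. The PowerShell below is an added example, not part of this thread or of ComboFix: it inventories those same locations, resolves each entry to the file it launches (including the rundll32 form and CLSID-named ShellExecuteHooks, which it maps through InprocServer32), hashes that file, and reports the two override values. Function names are my own; it assumes an elevated PowerShell 2.0 session on the XP host. An override value of 1 suppresses the Security Center warning that no antivirus or firewall is monitored; third-party security products set it legitimately, so it is something to verify, not a verdict.

```powershell
# Added example (not from the thread or from ComboFix): inventory the autostart
# locations ComboFix lists under "Reg Loading Points" and "Scheduled Tasks",
# hash each entry's target file, and report the Security Center overrides.
# Function names are assumptions; run from an elevated PowerShell session.

function Get-Sha256 {
    param([string]$File)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($File)
    try { ([System.BitConverter]::ToString($sha.ComputeHash($stream))).Replace('-', '') }
    finally { $stream.Close() }
}

# Turn a Run-key command line into the file it launches: handles quoted paths,
# %VAR% expansion, trailing arguments, and the rundll32 "path.dll,Entry" form.
function Resolve-CommandFile {
    param([string]$Command)
    if ([string]::IsNullOrEmpty($Command)) { return $null }
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) { return $cmd.Substring(1, $end - 1) }
    }
    $parts = @($cmd -split ' ')
    if ($parts.Length -gt 1 -and $parts[0] -match '^rundll32(\.exe)?$') {
        $parts = @($parts[1..($parts.Length - 1)])
    }
    for ($i = $parts.Length; $i -ge 1; $i--) {
        $candidate = ($parts[0..($i - 1)] -join ' ') -replace ',.*$', ''
        if ($candidate -and (Test-Path -LiteralPath $candidate -PathType Leaf)) { return $candidate }
    }
    return $null
}

function Get-AutostartInventory {
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($v in $values.PSObject.Properties) {
            if ($v.Name -like 'PS*') { continue }   # provider metadata (PSPath, PSDrive, ...)
            $file = Resolve-CommandFile -Command ([string]$v.Value)
            # ShellExecuteHooks are named by CLSID with empty data; follow the COM registration.
            if (-not $file -and $v.Name -match '^\{[0-9A-Fa-f-]{36}\}$') {
                $srv = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$($v.Name)\InprocServer32" -ErrorAction SilentlyContinue
                if ($srv) { $file = Resolve-CommandFile -Command ([string]$srv.'(default)') }
            }
            New-Object PSObject -Property @{
                Location  = $key
                Name      = $v.Name
                Command   = $v.Value
                File      = $file
                Sha256    = $(if ($file) { Get-Sha256 $file } else { $null })
                LastWrite = $(if ($file) { (Get-Item -LiteralPath $file).LastWriteTimeUtc } else { $null })
            }
        }
    }
    # On XP the Scheduled Tasks folder holds one binary .job file per task.
    $tasks = Join-Path $env:windir 'Tasks'
    foreach ($job in @(Get-ChildItem -Path $tasks -Filter *.job -ErrorAction SilentlyContinue)) {
        New-Object PSObject -Property @{
            Location = $tasks; Name = $job.Name; Command = $null; File = $job.FullName
            Sha256 = Get-Sha256 $job.FullName; LastWrite = $job.LastWriteTimeUtc
        }
    }
}

function Get-SecurityCenterOverride {
    $sc = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Security Center' -ErrorAction SilentlyContinue
    foreach ($name in 'AntiVirusOverride', 'FirewallOverride') {
        $value = if ($sc -and $sc.PSObject.Properties[$name]) { $sc.$name } else { 0 }
        New-Object PSObject -Property @{ Setting = $name; Value = $value; AlertsSuppressed = ($value -eq 1) }
    }
}

Get-AutostartInventory | Sort-Object Location, Name | Format-Table Location, Name, File, Sha256, LastWrite -AutoSize
Get-SecurityCenterOverride | Format-Table -AutoSize
```

Pipe Get-AutostartInventory to Export-Csv on a known-good machine and again after cleanup; a new entry, a File of $null for a command that should resolve, or a changed Sha256 on a file whose LastWrite did not move are the rows worth a closer look.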

#12 RPMcMurphy (Malware Response Team)

Posted 03 February 2011 - 03:25 PM

OK, let me know if it installs now for you.



#13 GFI3 (Topic Starter)

Posted 07 February 2011 - 07:49 AM

Sorry for my delayed response. I was away for the weekend and couldn't get on a computer.

Computer seems to be running fine, but still will not install MSE. Just says "an error occurred during installation and cannot continue"

#14 RPMcMurphy (Malware Response Team)

Posted 07 February 2011 - 11:15 AM

GFI3:

Malware wise, your logs look good. I've got some very important cleanup for you to take care of, then I recommend that you work your way through the recommendations on this page for help with the MSSE issue.

Uninstall ComboFix
  • Press the Windows key + R on your keyboard or click Start -> Run. Copy and paste the following text into the run box that opens and press OK:
    Combofix /Uninstall

Delete the following tools along with any other logs you saved from our work:
  • DDS
  • GMER
  • TDSSKiller
Finally, I'd like to make a couple of suggestions to help you stay clean in the future:
  • Restart any anti-malware programs that we disabled while we were cleaning your machine.
  • Keep your antivirus application and MBAM current and updated. Scan with them at least weekly.
  • Please visit this forum and review this post for some helpful information.
Please post once more so I know you are all set and I can mark this thread resolved. Good luck and stay safe!



#15 GFI3 (Topic Starter)

Posted 07 February 2011 - 11:27 AM

Thank you very much for all of you help with this!!



