
Search engine results are being re-directed


  • This topic is locked
23 replies to this topic

#1 gnaag

gnaag

  • Members
  • 18 posts
  • OFFLINE
  • Local time:02:47 PM

Posted 16 May 2011 - 08:17 PM

Referred to this section of the forum from here: http://www.bleepingcomputer.com/forums/topic397493.html

Website links from search engine results (specifically Google) are being randomly re-directed when clicked. This does not happen every single time; it happens a little less than 50% of the time. I ran Malwarebytes Anti-Malware PRO when the re-directs began and managed to remove some 20 trojans, however this did not solve the issue. I have followed the Preparation Guide and posted the DDS and GMER logs, both produced this evening, below.

Any help in resolving this problem would be greatly appreciated. My system is running Windows XP Media Center Edition with Service Pack 3. I use two web browsers: Firefox (version 4) and Google Chrome. The re-direct issue seems to be less frequent with Google Chrome.


DDS Log:

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Scott at 20:17:41.03 on Mon 05/16/2011
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_22
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.373 [GMT -4:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Documents and Settings\Scott\Desktop\o8cu40v6.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Scott\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Bar = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Registry Reviver] c:\program files\reviversoft\registry reviver\RegistryReviver.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
Hosts: 209.172.52.73 www.google.com
Hosts: 209.172.52.74 search.yahoo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\scott\applic~1\mozilla\firefox\profiles\6p0y76xk.default\
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60310.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
.
============= SERVICES / DRIVERS ===============
.
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-3-31 363344]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-3-31 20952]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-4-26 136176]
S3 FileObjInfo;STFileDriver;c:\documents and settings\all users\application data\spyware terminator\fileobjinfo.sys [2009-10-31 5632]
S3 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2011-3-31 42376]
S3 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2011-3-31 66952]
S3 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2011-3-31 81288]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\10.tmp --> c:\windows\system32\10.tmp [?]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2011-3-31 356920]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2011-3-31 1072008]
.
=============== Created Last 30 ================
.
2011-05-15 15:35:01 190032 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-05-15 15:24:14 -------- d-----w- c:\program files\Sophos
2011-05-15 13:19:06 -------- d-----w- c:\docume~1\scott\applic~1\FixCleaner
2011-05-15 13:17:40 -------- d-----w- c:\program files\FixCleaner
2011-04-26 14:06:55 17480 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-04-26 14:06:32 -------- d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2011-04-26 13:21:58 -------- d-----w- c:\program files\Sophos Anti-Rootkit
2011-04-26 04:53:02 -------- d-----w- c:\program files\CCleaner
2011-04-26 04:51:46 -------- d-----w- c:\docume~1\scott\locals~1\applic~1\Temp
2011-04-26 04:48:12 -------- d-----w- c:\docume~1\scott\applic~1\Reviversoft
2011-04-26 04:47:46 16704 ----a-w- c:\windows\system32\roboot.exe
2011-04-26 02:22:42 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-04-26 02:22:42 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-04-26 02:22:42 465880 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-04-26 02:22:42 1974616 ----a-w- c:\program files\mozilla firefox\D3DCompiler_42.dll
2011-04-26 02:22:42 1892184 ----a-w- c:\program files\mozilla firefox\d3dx9_42.dll
2011-04-26 02:22:42 1874904 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-04-26 02:22:42 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-04-26 02:22:42 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
==================== Find3M ====================
.
2011-04-10 14:35:57 0 ----a-w- c:\windows\Eyavocedofibuji.bin
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:45:07 434176 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-17 13:51:57 81920 ----a-w- c:\windows\system32\ieencode.dll
2011-02-17 13:51:57 667136 ----a-w- c:\windows\system32\wininet.dll
2011-02-17 13:51:57 61952 ----a-w- c:\windows\system32\tdc.ocx
2011-02-17 12:37:38 369664 ----a-w- c:\windows\system32\html.iec
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2009-07-10 18:39:00 350720 ----a-w- c:\program files\hjsplit.exe
.
============= FINISH: 20:18:41.15 ===============



GMER Log:


GMER 1.0.15.15627 - http://www.gmer.net
Rootkit scan 2011-05-16 20:50:20
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 FUJITSU_MHW2120BH rev.00850012
Running: o8cu40v6.exe; Driver: C:\DOCUME~1\Scott\LOCALS~1\Temp\kwpdikow.sys


---- System - GMER 1.0.15 ----

SSDT sptd.sys ZwCreateKey [0xF73B7FA0]
SSDT sptd.sys ZwEnumerateKey [0xF73EC018]
SSDT sptd.sys ZwEnumerateValueKey [0xF73EC3A6]
SSDT sptd.sys ZwOpenKey [0xF73B7F80]
SSDT sptd.sys ZwQueryKey [0xF73EC47E]
SSDT sptd.sys ZwQueryValueKey [0xF73EC2FE]
SSDT sptd.sys ZwSetValueKey [0xF73EC510]

INT 0x62 ? 86FCDCB8
INT 0x82 ? 86FCDCB8
INT 0x84 ? 86F9DCB8
INT 0x94 ? 86F9DCB8
INT 0xB4 ? 86F9DCB8

---- Kernel code sections - GMER 1.0.15 ----

.text sptd.sys F737B000 28 Bytes [30, 78, 6E, 80, A6, CB, 6E, ...]
.text sptd.sys F737B01D 3 Bytes [79, 6E, 80]
.text sptd.sys F737B024 120 Bytes [D8, 52, 53, 80, 68, B9, 54, ...]
.text sptd.sys F737B09D 124 Bytes [97, 53, 80, A0, 98, 53, 80, ...]
.text sptd.sys F737B11A 178 Bytes [4F, 80, 82, F8, 4E, 80, 3E, ...]
.text ...
.sptd2 C:\WINDOWS\system32\drivers\sptd.sys entry point in ".sptd2" section [0xF74259E3]
? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
.text USBPORT.SYS!DllUnload F687B8AC 5 Bytes JMP 86F9D1C8
? C:\DOCUME~1\Scott\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[576] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00401410 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3064] USER32.dll!SetWindowLongA 7E42C29D 5 Bytes JMP 10698DD9 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3064] USER32.dll!SetWindowLongW 7E42C2BB 5 Bytes JMP 10698D6B C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3064] USER32.dll!GetWindowInfo 7E42C49C 5 Bytes JMP 104C7187 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3064] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 104C7781 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 86F9C1E8

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \Driver\usbuhci \Device\USBPDO-0 86E1F1E8
Device \Driver\usbuhci \Device\USBPDO-1 86E1F1E8
Device \Driver\usbuhci \Device\USBPDO-2 86E1F1E8
Device \Driver\usbuhci \Device\USBPDO-3 86E1F1E8
Device \Driver\usbehci \Device\USBPDO-4 86E05360
Device \Driver\Cdrom \Device\CdRom0 86DC11E8
Device \Driver\atapi \Device\Ide\IdePort0 [F72E7B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [F72E7B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 [F72E7B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e [F72E7B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\NetBT \Device\NetBt_Wins_Export 866591E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{63848BFA-5DB4-47DE-9F10-81BD3818F1D0} 866591E8
Device \Driver\NetBT \Device\NetbiosSmb 866591E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{BAF04CE3-01B9-4B33-8AC8-B63BD54CDE43} 866591E8
Device \Driver\usbuhci \Device\USBFDO-0 86E1F1E8
Device \Driver\usbuhci \Device\USBFDO-1 86E1F1E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 869B6430
Device \Driver\usbuhci \Device\USBFDO-2 86E1F1E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 869B6430
Device \Driver\usbuhci \Device\USBFDO-3 86E1F1E8
Device \Driver\usbehci \Device\USBFDO-4 86E05360
Device \FileSystem\Cdfs \Cdfs 8694A430

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 -451310008
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 1556113635
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x61 0xE4 0xAC 0xDF ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x3F 0x45 0xC9 0xDF ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x74 0x53 0x1A 0x77 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xDA 0xD2 0x05 0xDE ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x3F 0x45 0xC9 0xDF ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x74 0x53 0x1A 0x77 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x20 0xBA 0xD0 0xBF ...

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 MBR read error
Disk \Device\Harddisk0\DR0 MBR BIOS signature not found 0

---- EOF - GMER 1.0.15 ----
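The two `Hosts:` lines in the DDS report above pin www.google.com and search.yahoo.com to 209.172.52.73 and 209.172.52.74, so name resolution for those search sites is being overridden locally before DNS is ever consulted, which matches the redirect symptom reported. As an added example, not part of this thread and not part of DDS, the Python below parses both the DDS `Hosts:` summary lines and a raw Windows hosts file and flags any entry that maps a watched domain (or one of its subdomains) to an address that is neither loopback nor unspecified. The sample lines are constructed for the example (the two addresses are taken from the log above), and the watched-domain list is an assumption seeded from the two entries in the log.

```python
import ipaddress
import re

# Constructed sample in the format of the "Pseudo HJT Report" section of a DDS
# log. The two Hosts: lines reproduce the entries from the log posted in this
# thread; the localhost line is a benign entry added for contrast.
SAMPLE_DDS = """\
uSearch Page = hxxp://www.google.com
Hosts: 209.172.52.73 www.google.com
Hosts: 209.172.52.74 search.yahoo.com
Hosts: 127.0.0.1 localhost
"""

# Constructed sample of a raw Windows hosts file, with a comment line, a blank
# line and a line that maps several names to one address.
SAMPLE_HOSTS_FILE = """\
# Copyright (c) 1993-1999 Microsoft Corp.

127.0.0.1       localhost
209.172.52.73   www.google.com google.com   # mirrors the DDS entry above
"""

# Domains whose resolution a search redirect would override. This list is an
# assumption made for the example, seeded from the two entries in the log.
WATCHED_DOMAINS = ("google.com", "yahoo.com", "bing.com")

DDS_HOSTS_LINE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)", re.IGNORECASE)


def parse_dds_hosts(text):
    """Return (ip, hostname) pairs from the Hosts: lines of a DDS report."""
    pairs = []
    for line in text.splitlines():
        m = DDS_HOSTS_LINE.match(line.strip())
        if m:
            pairs.append((m.group(1), m.group(2).lower()))
    return pairs


def parse_hosts_file(text):
    """Return (ip, hostname) pairs from a raw hosts file, one pair per name."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing/whole-line comments
        if not line:
            continue
        ip, *names = line.split()
        pairs.extend((ip, name.lower()) for name in names)
    return pairs


def is_local_address(ip_text):
    """True for loopback (127.x, ::1) and unspecified (0.0.0.0, ::) addresses.

    Anything unparseable is treated as non-local so that a malformed entry is
    surfaced rather than silently ignored.
    """
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def matches_domain(hostname, domain):
    """Exact match or subdomain match (www.google.com matches google.com)."""
    return hostname == domain or hostname.endswith("." + domain)


def find_hijacked(pairs, watched=WATCHED_DOMAINS):
    """Entries that pin a watched domain to a non-local address."""
    return [
        (ip, host)
        for ip, host in pairs
        if any(matches_domain(host, d) for d in watched)
        and not is_local_address(ip)
    ]


if __name__ == "__main__":
    for ip, host in find_hijacked(parse_dds_hosts(SAMPLE_DDS)):
        print(f"DDS report: {host} -> {ip}")
    for ip, host in find_hijacked(parse_hosts_file(SAMPLE_HOSTS_FILE)):
        print(f"hosts file: {host} -> {ip}")
```

Entries that point a watched name at 127.0.0.1 or 0.0.0.0 are deliberately not reported, since that is how ad-blocking hosts files legitimately sinkhole a name; the finding is a watched name resolving to a routable address, which is exactly the pattern in the log above.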


#2 heir

heir

  • Malware Response Team
  • 763 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:47 PM

Posted 17 May 2011 - 07:22 AM

I need some more information.

Did you do step 6 in the preparation guide? If not, do so to disable the CD-emulation software.

Step 0.
CKScanner:

Download CKScanner from here

Important : Save it to your desktop.
  • Double-click CKScanner.exe and click Search For Files.
  • After a very short time, when the cursor hourglass disappears, click Save List To File.
  • A message box will verify that the file is saved.
  • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.


Step 1.
RootKit Unhooker:

  • Please Download Rootkit Unhooker Save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (tick) Drivers and Stealth, uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note: you may get the following warning; just click OK and continue.

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


Step 2.
aswMBR:

Download aswMBR.exe ( 511KB ) to your desktop.

Double-click aswMBR.exe to run it.

Click the "Scan" button to start the scan.

On completion of the scan, click "Save log", save it to your desktop and post it in your next reply.


Step 3.
Things I would like to see in your reply:

  • The content of CKFiles.txt from step 0 pasted in.
  • The content of the log from RKU in step 1 pasted in.
  • The content of the log from aswMBR in step 2 pasted in.

Edited by heir, 17 May 2011 - 07:27 AM.

Please do not PM me asking for support. Post on the forums instead.
Please post the final results, good or bad. We like to know!
Unified Network of Instructors and Trained Eliminators
My help is always free, but if you want to donate to help me continue my fight against malware then click [donate image].


#3 gnaag

gnaag
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:02:47 PM

Posted 17 May 2011 - 10:48 AM

I did have CD emulation software (DAEMON Tools), but I uninstalled it prior to producing those logs. I hadn't used it in months anyway.

Now I'm getting the feeling I may have had a second CD emulator. I will check when I return home from work. If that's the case, should I produce the DDS and GMER logs again? Let me know.

#4 heir

heir

  • Malware Response Team
  • 763 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:47 PM

Posted 17 May 2011 - 10:54 AM

If that's the case, should I produce the DDS and GMER logs again?

Please redo only GMER. Anyhow, please also do the steps in my previous post.



#5 gnaag

gnaag
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:02:47 PM

Posted 17 May 2011 - 10:11 PM

No other CD emulation software was installed.

Here are the logs you requested:



CKScanner:

CKScanner - Additional Security Risks - These are not necessarily bad
c:\documents and settings\scott\my documents\xilisoft corporation\video to audio converter\crack.js
c:\program files\xilisoft video to audio converter\crack.exe
c:\program files\xilisoft video to audio converter\script\crack.js
scanner sequence 3.CP.11
----- EOF -----



Rootkit Unhooker:

RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #2
==============================================
>Drivers
==============================================
0xBF0DC000 C:\WINDOWS\System32\ati3duag.dll 2756608 bytes (ATI Technologies Inc. , ati3duag.dll)
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2154496 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2154496 bytes
0x804D7000 RAW 2154496 bytes
0x804D7000 WMIxWDM 2154496 bytes
0xBF800000 Win32k 1859584 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1859584 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xBF37D000 C:\WINDOWS\System32\ativvaxx.dll 1753088 bytes (ATI Technologies Inc. , Radeon Video Acceleration Universal Driver)
0xF6EDA000 C:\WINDOWS\system32\DRIVERS\ati2mtag.sys 1638400 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Miniport Driver)
0xF737A000 PCI_PNP5582 1138688 bytes
0xF737A000 sptd.sys 1138688 bytes
0xF2A99000 C:\WINDOWS\system32\drivers\sthda.sys 1114112 bytes (SigmaTel, Inc., NDRC)
0xF2946000 C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys 1036288 bytes (Conexant Systems, Inc., HSF_DP driver)
0xF2896000 C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys 720896 bytes (Conexant Systems, Inc., HSF_CNXT driver)
0xF71DD000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xF2687000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xF6E36000 C:\WINDOWS\system32\DRIVERS\bcmwl5.sys 425984 bytes (Broadcom Corporation, Broadcom 802.11 Network Adapter wireless driver)
0xF6BC9000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xF27BA000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xEFBA5000 C:\WINDOWS\system32\DRIVERS\srv.sys 360448 bytes (Microsoft Corporation, Server driver)
0xF6D99000 C:\WINDOWS\system32\DRIVERS\rixdptsk.sys 331776 bytes (REDC, RICOH XD SM Driver)
0xBF529000 C:\WINDOWS\System32\ATMFD.DLL 290816 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xBF055000 C:\WINDOWS\System32\ati2cqag.dll 282624 bytes (ATI Technologies Inc., Central Memory Manager / Queue Server Module)
0xBF012000 C:\WINDOWS\System32\ati2dvag.dll 274432 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Display Driver)
0xBF09A000 C:\WINDOWS\System32\atikvmag.dll 270336 bytes (ATI Technologies Inc., Virtual Command And Memory Manager)
0xEFC25000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xF2A43000 C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys 204800 bytes (Conexant Systems, Inc., HSF_HWAZL WDM driver)
0xF6C4F000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xF6D6A000 C:\WINDOWS\system32\DRIVERS\SynTP.sys 192512 bytes (Synaptics, Inc., Synaptics Touchpad Driver)
0xF734C000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xEFD7E000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xF71B0000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xEF3D2000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xF271F000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xF6E9E000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 163840 bytes (Windows ® Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)
0xF2792000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xF72F6000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0xF276C000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xF2A75000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xF6E12000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xF6D47000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xF274A000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x806E5000 ACPI_HAL 134400 bytes
0x806E5000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xF72A6000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xF731C000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xF7196000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xF72DE000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xF2596000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xF72C6000 C:\WINDOWS\System32\Drivers\SCSIPORT.SYS 98304 bytes (Microsoft Corporation, SCSI Port Driver)
0xF727D000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xF6D30000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xF0149000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xF6DEA000 C:\WINDOWS\system32\DRIVERS\rimsptsk.sys 81920 bytes (REDC, RICOH MS Driver)
0xF6DFE000 C:\WINDOWS\system32\DRIVERS\sdbus.sys 81920 bytes (Microsoft Corporation, SecureDigital Bus Driver)
0xF6EC6000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xF2813000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xF726A000 WudfPf.sys 77824 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Platform Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xF7294000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xF733B000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xF6C7F000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xF25AE000 C:\WINDOWS\System32\Drivers\Udfs.SYS 69632 bytes (Microsoft Corporation, UDF File System Driver)
0xF77D1000 C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys 65536 bytes (Broadcom Corporation, Broadcom Corporation NDIS 5.1 ethernet driver)
0xF7631000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xF77E1000 C:\WINDOWS\system32\DRIVERS\nic1394.sys 65536 bytes (Microsoft Corporation, IEEE1394 Ndis Miniport and Call Manager)
0xF7591000 ohci1394.sys 65536 bytes (Microsoft Corporation, 1394 OpenHCI Port Driver)
0xF6D00000 C:\WINDOWS\system32\DRIVERS\arp1394.sys 61440 bytes (Microsoft Corporation, IP/1394 Arp Client)
0xF7701000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xF7641000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xF029E000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xF7711000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xF75A1000 C:\WINDOWS\system32\DRIVERS\1394BUS.SYS 57344 bytes (Microsoft Corporation, 1394 Bus Device Driver)
0xF77F1000 C:\WINDOWS\system32\DRIVERS\rimmptsk.sys 57344 bytes (REDC, RICOH MMC Driver)
0xF75F1000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xF7801000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xF7661000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xF75D1000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
==============================================
>Stealth
==============================================
WARNING: File locked for read access [C:\WINDOWS\system32\drivers\sptd.sys]



aswMBR:

aswMBR version 0.9.5.256 Copyright© 2011 AVAST Software
Run date: 2011-05-17 22:09:17
-----------------------------
22:09:17.796 OS Version: Windows 5.1.2600 Service Pack 3
22:09:17.796 Number of processors: 2 586 0xF06
22:09:17.796 ComputerName: SCOTT-03B312696 UserName: Scott
22:09:18.562 Initialize success
22:09:25.500 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
22:09:25.500 Disk 0 Vendor: FUJITSU_MHW2120BH 00850012 Size: 114473MB BusType: 3
22:09:25.500 Disk 0 MBR read error 0
22:09:25.500 Disk 0 MBR scan
22:09:25.500 Disk 0 unknown MBR code
22:09:25.500 MBR BIOS signature not found 0
22:09:25.500 Disk 0 scanning sectors +234436545
22:09:25.500 Disk 0 scanning C:\WINDOWS\system32\drivers
22:09:33.140 Service scanning
22:09:34.546 Disk 0 trace - called modules:
22:09:34.593 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys sptd.sys pciide.sys PCIIDEX.SYS
22:09:34.593 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86f34ab8]
22:09:34.593 3 CLASSPNP.SYS[f75f1fd7] -> nt!IofCallDriver -> \Device\0000006e[0x86f66510]
22:09:34.593 5 ACPI.sys[f7352620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x86f39940]
22:09:34.593 Scan finished successfully
22:10:22.875 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Scott\Desktop\MBR.dat"
22:10:22.875 The log file has been saved successfully to "C:\Documents and Settings\Scott\Desktop\aswMBR.txt"

#6 heir

  • Malware Response Team
  • 763 posts
  • Gender:Male

Posted 18 May 2011 - 02:40 AM

No other CD emulation software was installed.

Did you run Defogger and click the Disable button?
If so, post the content of the log, defogger_disable.log, on your desktop.


c:\documents and settings\scott\my documents\xilisoft corporation\video to audio converter\crack.js
c:\program files\xilisoft video to audio converter\crack.exe
c:\program files\xilisoft video to audio converter\script\crack.js

The source of infections is likely related to cracks and keygens. If you are truly interested in staying clean in the future, I strongly recommend that you stay away from Cracks and Keygens. Failure to heed my warning may result in the reinfection of your computer. If you choose to continue down this path, we may not be able to help you here in the future.



Download OTL to your Desktop
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :Files
    c:\documents and settings\scott\my documents\xilisoft corporation\video to audio converter\crack.js
    c:\program files\xilisoft video to audio converter\crack.exe
    c:\program files\xilisoft video to audio converter\script\crack.js
    :Commands
    [purity]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then post the OTL fixlog

Please do not PM me asking for support. Post on the forums instead.
Please post the final results, good or bad. We like to know!
Unified Network of Instructors and Trained Eliminators
My help is always free, but if you want to donate to help me continue my fight against malware then click Posted Image


#7 gnaag

  • Topic Starter
  • Members
  • 18 posts

Posted 18 May 2011 - 05:54 AM

I will heed the warning, though it's been four to eight weeks since I've used a crack or keygen. The software that showed up on the CKScanner log was actually installed on January 9, 2010. Would an infection remain dormant for that long? In any case, I suppose this is a good lesson for me.

Here are the Defogger and OTL logs, as requested. Thanks for your help. It's greatly appreciated. The re-directs still occur, but I'm sure this wasn't the end of the process anyway.


Defogger log:

defogger_disable by jpshortstuff (23.02.10.1)
Log created at 06:10 on 18/05/2011 (Scott)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...
Unable to read sptd.sys
SPTD -> Disabled (Service running -> reboot required)


-=E.O.F=-



OTL log:

========== FILES ==========
c:\documents and settings\scott\my documents\xilisoft corporation\video to audio converter\crack.js moved successfully.
c:\program files\xilisoft video to audio converter\Crack.exe moved successfully.
c:\program files\xilisoft video to audio converter\script\crack.js moved successfully.
========== COMMANDS ==========

OTL by OldTimer - Version 3.2.22.3 log created on 05182011_062411

#8 heir

  • Malware Response Team
  • 763 posts
  • Gender:Male

Posted 18 May 2011 - 06:12 AM

The re-directs still occur, but I'm sure this wasn't the end of the process anyway.

No, I just want to rule out some things, and the CD-emulation driver interferes with the tools.

Now let's see what those scanners bring us.

Step 1.
RKU:

  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (tick) Drivers and Stealth. Uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note: you may get the following warning; just click OK and continue.

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


Step 2.
aswMBR:


Double-click aswMBR.exe to run it.


Click the "Scan" button to start the scan.


On completion of the scan, click Save log, save it to your desktop and post it in your next reply.


Step 3.
Things I would like to see in your reply:

  • The content of the log from RKU in step 1.
  • The content of the log from aswMBR in step 2.



#9 gnaag

  • Topic Starter
  • Members
  • 18 posts

Posted 18 May 2011 - 07:18 PM

Here are the logs from those scans.


RKUnhooker:

RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #2
==============================================
>Drivers
==============================================
==============================================
>Stealth
==============================================


aswMBR:


aswMBR version 0.9.5.256 Copyright© 2011 AVAST Software
Run date: 2011-05-18 20:16:05
-----------------------------
20:16:05.703 OS Version: Windows 5.1.2600 Service Pack 3
20:16:05.703 Number of processors: 2 586 0xF06
20:16:05.703 ComputerName: SCOTT-03B312696 UserName: Scott
20:16:06.500 Initialize success
20:16:07.562 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
20:16:07.562 Disk 0 Vendor: FUJITSU_MHW2120BH 00850012 Size: 114473MB BusType: 3
20:16:09.562 Disk 0 MBR read successfully
20:16:09.562 Disk 0 MBR scan
20:16:09.562 Disk 0 Windows XP default MBR code
20:16:11.578 Disk 0 scanning sectors +234436545
20:16:11.765 Disk 0 scanning C:\WINDOWS\system32\drivers
20:16:23.437 Service scanning
20:16:24.937 Disk 0 trace - called modules:
20:16:24.984 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
20:16:24.984 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86f65ab8]
20:16:24.984 3 CLASSPNP.SYS[f75f1fd7] -> nt!IofCallDriver -> \Device\0000006d[0x86f6bf18]
20:16:24.984 5 ACPI.sys[f7468620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x86f6a940]
20:16:24.984 Scan finished successfully
20:16:41.546 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Scott\Desktop\MBR.dat"
20:16:41.546 The log file has been saved successfully to "C:\Documents and Settings\Scott\Desktop\aswMBR.txt"

#10 heir

  • Malware Response Team
  • 763 posts
  • Gender:Male

Posted 19 May 2011 - 03:17 AM

Something I should point out, regarding CCleaner, Registry Mechanic, Registry Reviver, FixCleaner, Glary Utilities, TuneUp Utilities and similar products

It's not recommended to use registry cleaners. These often cause more problems than they fix. One of my colleagues, miekiemoes, has an excellent writeup here.
Another excellent article by Bill Castner is located here.




Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.



#11 gnaag

  • Topic Starter
  • Members
  • 18 posts

Posted 19 May 2011 - 08:07 AM

Something I should point out, regarding CCleaner, Registry Mechanic, Registry Reviver, FixCleaner, Glary Utilities, TuneUp Utilities and similar products

It's not recommended to use registry cleaners. These often cause more problems than they fix.


I appreciate the tip. I never would have thought they'd cause problems rather than fix them.

Here is the Combofix log:


ComboFix 11-05-18.03 - Scott 05/19/2011 8:56.8.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.600 [GMT -4:00]
Running from: c:\documents and settings\Scott\My Documents\Downloads\ComboFix.exe
2011-03-07 05:33 . 2009-10-29 00:12 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:45 . 2004-08-10 11:00 434176 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2004-08-10 11:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2009-07-10 18:39 . 2009-12-27 22:58 350720 ----a-w- c:\program files\hjsplit.exe
2011-04-30 03:08 . 2011-04-26 02:22 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-04-20_11.17.12 )))))))))))))))))))))))))))))))))))))))))
.
- 2010-10-04 10:57 . 2010-10-04 10:57 258048 c:\windows\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll
+ 2011-04-26 15:05 . 2011-04-26 15:05 258048 c:\windows\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll
- 2010-10-04 10:58 . 2010-10-04 10:58 372736 c:\windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
+ 2011-04-26 15:05 . 2011-04-26 15:05 372736 c:\windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
+ 2011-04-26 15:05 . 2011-04-26 15:05 626688 c:\windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
- 2010-10-04 10:57 . 2010-10-04 10:57 626688 c:\windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
+ 2011-04-26 15:05 . 2011-04-26 15:05 401408 c:\windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
- 2010-10-04 10:57 . 2010-10-04 10:57 401408 c:\windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
+ 2011-04-26 15:05 . 2011-04-26 15:05 188416 c:\windows\assembly\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll
- 2010-10-04 10:57 . 2010-10-04 10:57 188416 c:\windows\assembly\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll
+ 2011-04-26 15:05 . 2011-04-26 15:05 970752 c:\windows\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
- 2010-10-04 10:58 . 2010-10-04 10:58 970752 c:\windows\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
+ 2011-04-26 15:05 . 2011-04-26 15:05 745472 c:\windows\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
- 2010-10-04 10:58 . 2010-10-04 10:58 745472 c:\windows\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
+ 2011-04-26 15:05 . 2011-04-26 15:05 425984 c:\windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll
- 2010-10-04 10:58 . 2010-10-04 10:58 425984 c:\windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll
- 2010-10-04 10:58 . 2010-10-04 10:58 110592 c:\windows\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll
+ 2011-04-26 15:05 . 2011-04-26 15:05 110592 c:\windows\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll
+ 2011-04-26 15:05 . 2011-04-26 15:05 659456 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
- 2010-10-04 10:57 . 2010-10-04 10:57 659456 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
- 2010-10-04 10:57 . 2010-10-04 10:57 372736 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll
+ 2011-04-26 15:05 . 2011-04-26 15:05 372736 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll
+ 2011-04-26 15:05 . 2011-04-26 15:05 110592 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll
- 2010-10-04 10:57 . 2010-10-04 10:57 110592 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll
+ 2011-04-26 15:05 . 2011-04-26 15:05 749568 c:\windows\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
- 2010-10-04 10:57 . 2010-10-04 10:57 749568 c:\windows\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
+ 2011-04-26 15:05 . 2011-04-26 15:05 655360 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll
- 2010-10-04 10:57 . 2010-10-04 10:57 655360 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll
- 2010-10-04 10:57 . 2010-10-04 10:57 348160 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll
+ 2011-04-26 15:05 . 2011-04-26 15:05 348160 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll
- 2010-10-04 10:57 . 2010-10-04 10:57 507904 c:\windows\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll
+ 2011-04-26 15:05 . 2011-04-26 15:05 507904 c:\windows\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll
+ 2011-04-26 15:05 . 2011-04-26 15:05 261632 c:\windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
- 2010-10-04 10:57 . 2010-10-04 10:57 261632 c:\windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
- 2010-10-04 10:57 . 2010-10-04 10:57 113664 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll
+ 2011-04-26 15:05 . 2011-04-26 15:05 113664 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll
+ 2011-04-26 15:05 . 2011-04-26 15:05 258048 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
- 2010-10-04 10:57 . 2010-10-04 10:57 258048 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
- 2010-10-04 10:58 . 2010-10-04 10:58 486400 c:\windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll
+ 2011-04-26 15:05 . 2011-04-26 15:05 486400 c:\windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll
+ 2011-04-26 12:00 . 2010-10-23 00:51 1748992 c:\windows\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.6002.22509_x-ww_c7dad023\GdiPlus.dll
+ 2011-01-11 14:59 . 2011-01-11 14:59 3780936 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.5570_x-ww_d5fe2ecb\mfc90u.dll
+ 2011-01-11 14:59 . 2011-01-11 14:59 3766088 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.5570_x-ww_d5fe2ecb\mfc90.dll
+ 2011-01-11 02:50 . 2011-01-11 02:50 1093120 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.5592_x-ww_e87e0bcd\mfc80u.dll
+ 2011-01-11 02:50 . 2011-01-11 02:50 1101824 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.5592_x-ww_e87e0bcd\mfc80.dll
- 2006-03-30 09:16 . 2010-12-20 22:15 1510400 c:\windows\system32\shdocvw.dll
+ 2006-03-30 09:16 . 2011-02-17 13:51 1510400 c:\windows\system32\shdocvw.dll
+ 2006-03-23 17:32 . 2011-02-17 13:51 3078656 c:\windows\system32\mshtml.dll
- 2009-10-28 18:50 . 2011-02-11 05:59 1557456 c:\windows\system32\FNTCACHE.DAT
+ 2009-10-28 18:50 . 2011-04-27 01:22 1557456 c:\windows\system32\FNTCACHE.DAT
+ 2009-11-01 08:05 . 2011-03-03 13:21 1857920 c:\windows\system32\dllcache\win32k.sys
- 2009-11-01 08:19 . 2010-12-20 22:15 1510400 c:\windows\system32\dllcache\shdocvw.dll
+ 2009-11-01 08:19 . 2011-02-17 13:51 1510400 c:\windows\system32\dllcache\shdocvw.dll
+ 2009-11-01 08:19 . 2011-02-17 13:51 3078656 c:\windows\system32\dllcache\mshtml.dll
+ 2010-03-10 04:33 . 2011-02-17 13:51 1025024 c:\windows\system32\dllcache\browseui.dll
- 2010-03-10 04:33 . 2010-12-20 22:15 1025024 c:\windows\system32\dllcache\browseui.dll
+ 2006-03-04 03:33 . 2011-02-17 13:51 1025024 c:\windows\system32\browseui.dll
- 2006-03-04 03:33 . 2010-12-20 22:15 1025024 c:\windows\system32\browseui.dll
+ 2011-01-18 08:39 . 2011-01-18 08:39 5813072 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
+ 2011-01-18 08:39 . 2011-01-18 08:39 4550656 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorlib.dll
- 2010-05-11 10:40 . 2010-05-11 10:40 4550656 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorlib.dll
+ 2011-03-18 00:05 . 2011-03-18 00:05 4989440 c:\windows\Installer\a879dc.msp
+ 2011-01-11 21:49 . 2011-01-11 21:49 9003008 c:\windows\Installer\a879c6.msp
+ 2010-11-21 03:32 . 2010-11-21 03:32 4165120 c:\windows\Installer\a879a7.msp
+ 2011-03-18 00:01 . 2011-03-18 00:01 9563648 c:\windows\Installer\a87985.msp
+ 2011-01-11 21:50 . 2011-01-11 21:50 8177152 c:\windows\Installer\a8796f.msp
+ 2010-11-21 03:33 . 2010-11-21 03:33 1980928 c:\windows\Installer\a87959.msp
+ 2011-04-29 16:27 . 2011-04-29 16:27 4158464 c:\windows\Installer\2d3325.msp
+ 2011-04-28 09:42 . 2011-04-28 09:42 4990976 c:\windows\Installer\2d330f.msp
+ 2009-10-31 18:12 . 2011-05-13 10:49 1172240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
- 2009-10-31 18:12 . 2011-03-11 02:08 1172240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\xlicons.exe
- 2009-10-31 18:12 . 2011-03-11 02:08 1165584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
+ 2009-10-31 18:12 . 2011-05-13 10:49 1165584 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\accicons.exe
+ 2011-04-26 15:07 . 2011-04-26 15:07 3325440 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsBase\76e431fde1b252312b331f7108259fda\WindowsBase.ni.dll
+ 2011-04-27 01:23 . 2011-04-27 01:23 1049600 c:\windows\assembly\NativeImages_v2.0.50727_32\UIAutomationClients#\9e022c95e79f2b6f383a501ad99f08a9\UIAutomationClientsideProviders.ni.dll
+ 2011-04-26 15:07 . 2011-04-26 15:07 7949824 c:\windows\assembly\NativeImages_v2.0.50727_32\System\f02cf6430a9fc77908a74ab6925cb73c\System.ni.dll
+ 2011-04-27 01:23 . 2011-04-27 01:23 5450752 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Xml\b06e49ed8cbe07dbb90e313fa634b27b\System.Xml.ni.dll
+ 2011-04-28 01:53 . 2011-04-28 01:53 1356288 c:\windows\assembly\NativeImages_v2.0.50727_32\System.WorkflowServ#\6346221cecf631e5c0b754d842aad102\System.WorkflowServices.ni.dll
+ 2011-04-28 01:53 . 2011-04-28 01:53 1908224 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Run#\1fbcd203ff8d77d561df8bf806417ab6\System.Workflow.Runtime.ni.dll
+ 2011-04-28 01:53 . 2011-04-28 01:53 4514304 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Com#\efbaf3696c44fd7d4b3cd925e0437b36\System.Workflow.ComponentModel.ni.dll
+ 2011-04-28 01:53 . 2011-04-28 01:53 2992640 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Act#\52a9bc5dd1fa497af7c7f4600bd8e6d1\System.Workflow.Activities.ni.dll
+ 2011-04-28 01:53 . 2011-04-28 01:53 1840640 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Services\f5ebeeb0a8aaba9db15ec3df591339ba\System.Web.Services.ni.dll
+ 2011-04-28 01:52 . 2011-04-28 01:52 2209280 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Mobile\92d6b75e3b63b528d4069bf4ee01983a\System.Web.Mobile.ni.dll
+ 2011-04-28 01:52 . 2011-04-28 01:52 2405376 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Extensio#\02d53154634c8000382942e0f43ead41\System.Web.Extensions.ni.dll
+ 2011-04-26 15:10 . 2011-04-26 15:10 1917952 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Speech\dd128c8e21e7fa14c12b71df9892d046\System.Speech.ni.dll
+ 2011-04-28 01:51 . 2011-04-28 01:51 1706496 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceModel#\8b0bb430bb6af96c18b43e3c54cfafe8\System.ServiceModel.Web.ni.dll
+ 2011-04-27 01:51 . 2011-04-27 01:51 2345472 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Seri#\85090bd451617e204ffda625b8d9fc30\System.Runtime.Serialization.ni.dll
+ 2011-04-26 15:10 . 2011-04-26 15:10 1035776 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Printing\85a7a7aace114e78fc6c9b219bcd5551\System.Printing.ni.dll
+ 2011-04-27 01:51 . 2011-04-27 01:51 1070080 c:\windows\assembly\NativeImages_v2.0.50727_32\System.IdentityModel\86c59378e9a43bf101a10ad452a4bb8e\System.IdentityModel.ni.dll
+ 2011-04-26 15:09 . 2011-04-26 15:09 1587200 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\d912066086a59f09424c7c69f95e2c55\System.Drawing.ni.dll
+ 2011-04-28 01:03 . 2011-04-28 01:03 1116672 c:\windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\c05d9332116964104c721e97f7ce1058\System.DirectoryServices.ni.dll
+ 2011-04-28 01:03 . 2011-04-28 01:03 1801216 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Deployment\0118c0c73ea5c77bda7b10b188102ab6\System.Deployment.ni.dll
+ 2011-04-26 15:09 . 2011-04-26 15:09 6616576 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data\1337829e3df6888464a17aab78bb9b8f\System.Data.ni.dll
+ 2011-04-27 01:56 . 2011-04-27 01:56 2510336 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.SqlXml\ba3ca7a93e227c32ce7b50d0a7ba935f\System.Data.SqlXml.ni.dll
+ 2011-04-28 01:03 . 2011-04-28 01:03 1328128 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Services\2de52be5da96059651b5bec800cb4605\System.Data.Services.ni.dll
+ 2011-04-26 15:09 . 2011-04-26 15:09 2516480 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Linq\11f1306e0e311a0d0cbd139fb2fa4c36\System.Data.Linq.ni.dll
+ 2011-04-28 01:03 . 2011-04-28 01:03 9924096 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Entity\c91e83e85c030bc914ecc302fa9b2c60\System.Data.Entity.ni.dll
+ 2011-04-26 15:09 . 2011-04-26 15:09 2295296 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Core\684fe21837d3cf3e5935bbd0a7f53141\System.Core.ni.dll
+ 2011-04-26 15:09 . 2011-04-26 15:09 2128896 c:\windows\assembly\NativeImages_v2.0.50727_32\ReachFramework\12efddabe6fe35be21246c88ed9bf8ab\ReachFramework.ni.dll
+ 2011-04-26 15:08 . 2011-04-26 15:08 1657856 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationUI\257c9327ba9cc5cd87f58de224aa2e0d\PresentationUI.ni.dll
+ 2011-04-26 15:07 . 2011-04-26 15:07 1451008 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationBuildTa#\b117bf63daa7e587f1bb2d975dccb4af\PresentationBuildTasks.ni.dll
+ 2011-04-27 02:13 . 2011-04-27 02:13 1712128 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\269103939243ec6929739c8b9a645c0d\Microsoft.VisualBasic.ni.dll
+ 2011-04-27 01:54 . 2011-04-27 01:54 1093120 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Transacti#\bf7bd26d2828e35156814018939ce4f6\Microsoft.Transactions.Bridge.ni.dll
+ 2011-04-28 01:04 . 2011-04-28 01:04 2332160 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.JScript\6594c17d7e112b0507b701d5b8a67bba\Microsoft.JScript.ni.dll
+ 2011-04-27 02:11 . 2011-04-27 02:11 1620992 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Tas#\f5eb1e42ccd0f67f7496b94a31949cd0\Microsoft.Build.Tasks.ni.dll
+ 2011-04-27 02:11 . 2011-04-27 02:11 1966080 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Tas#\cc7f05675a5cd8014222be1483d6beaf\Microsoft.Build.Tasks.v3.5.ni.dll
+ 2011-04-27 01:55 . 2011-04-27 01:55 1888768 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Eng#\41cf95aa4ff5765b515d3252abc6353b\Microsoft.Build.Engine.ni.dll
+ 2011-04-26 15:05 . 2011-04-26 15:05 3182592 c:\windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
- 2010-10-04 10:58 . 2010-10-04 10:58 3182592 c:\windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
+ 2011-04-26 15:05 . 2011-04-26 15:05 2048000 c:\windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
- 2010-10-04 10:58 . 2010-10-04 10:58 2048000 c:\windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
+ 2011-04-26 15:05 . 2011-04-26 15:05 5025792 c:\windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
- 2010-10-04 10:57 . 2010-10-04 10:57 5025792 c:\windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
- 2010-10-04 10:57 . 2010-10-04 10:57 5062656 c:\windows\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll
+ 2011-04-26 15:05 . 2011-04-26 15:05 5062656 c:\windows\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll
+ 2011-04-26 15:05 . 2011-04-26 15:05 5242880 c:\windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
- 2010-10-04 10:57 . 2010-10-04 10:57 5242880 c:\windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
- 2010-10-04 10:58 . 2010-10-04 10:58 2933248 c:\windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
+ 2011-04-26 15:05 . 2011-04-26 15:05 2933248 c:\windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
+ 2011-04-26 15:05 . 2011-04-26 15:05 4550656 c:\windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
- 2010-10-04 10:58 . 2010-10-04 10:58 4550656 c:\windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
+ 2009-11-04 01:37 . 2011-05-13 10:46 42829768 c:\windows\system32\MRT.exe
+ 2011-04-26 15:08 . 2011-04-26 15:08 20314624 c:\windows\Installer\a879b1.msp
+ 2011-02-12 00:47 . 2011-02-12 00:47 12028928 c:\windows\Installer\a87990.msp
+ 2011-04-22 23:41 . 2011-04-22 23:41 11507712 c:\windows\Installer\2d3341.msp
+ 2011-04-26 15:10 . 2011-04-26 15:10 12430848 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\ed2bf0d86229128c194a872f70fe15ee\System.Windows.Forms.ni.dll
+ 2011-04-28 01:52 . 2011-04-28 01:52 11800576 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web\d7b7ee04166212533ae21eaeb584fb0d\System.Web.ni.dll
+ 2011-04-27 01:53 . 2011-04-27 01:53 17403904 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceModel\b5f24d96334ea08b99350421450d3ba4\System.ServiceModel.ni.dll
+ 2011-04-26 15:09 . 2011-04-26 15:09 10683392 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Design\5aeadb9ff9a86f49130de5976a9f1744\System.Design.ni.dll
+ 2011-04-26 15:08 . 2011-04-26 15:08 14328320 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\1a5d89d569e2e12842daf4d87c57361a\PresentationFramework.ni.dll
+ 2011-04-26 15:07 . 2011-04-26 15:07 12215808 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationCore\46c57d845e55232a89e98101075cd455\PresentationCore.ni.dll
+ 2011-04-26 15:06 . 2011-04-26 15:06 11490816 c:\windows\assembly\NativeImages_v2.0.50727_32\mscorlib\62d5f089dd51f18472a7caf1593d9f6b\mscorlib.ni.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-12-17 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-12-20 443728]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD9\\PowerDVD9.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
.
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [3/31/2011 12:19 PM 363344]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [3/31/2011 12:19 PM 20952]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/26/2011 12:51 AM 136176]
S3 FileObjInfo;STFileDriver;c:\documents and settings\All Users\Application Data\Spyware Terminator\fileobjinfo.sys [10/31/2009 2:16 PM 5632]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [4/26/2011 12:51 AM 136176]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\10.tmp --> c:\windows\system32\10.tmp [?]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [3/31/2011 11:48 AM 356920]
S4 sptd;sptd;\SystemRoot\\SystemRoot\System32\Drivers\sptd.sys --> \SystemRoot\\SystemRoot\System32\Drivers\sptd.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
2011-05-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-26 04:51]
.
2011-05-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-26 04:51]
.
.
------- Supplementary Scan -------
.
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mSearch Bar = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Scott\Application Data\Mozilla\Firefox\Profiles\6p0y76xk.default\
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-Registry Reviver - c:\program files\Reviversoft\Registry Reviver\RegistryReviver.exe
SafeBoot-klmdb.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-19 09:01
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\10.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1343024091-113007714-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:48,a5,3a,54,7e,e3,46,42,49,de,09,22,85,83,79,78,b2,a1,90,69,68,10,99,
d8,86,30,0d,ee,c8,2d,9b,30,27,57,50,00,d6,04,07,d9,1d,18,c8,59,f4,4f,f9,40,\
"??"=hex:f4,e1,fa,03,1d,9a,72,f1,8f,d2,61,9c,66,04,e9,ee
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(876)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
.
- - - - - - - > 'explorer.exe'(272)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-05-19 09:03:53
ComboFix-quarantined-files.txt 2011-05-19 13:03
ComboFix2.txt 2011-04-26 03:17
ComboFix3.txt 2011-04-21 02:19
ComboFix4.txt 2011-04-21 00:54
ComboFix5.txt 2011-04-26 03:57
.
Pre-Run: 81,506,926,592 bytes free
Post-Run: 81,515,507,712 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
.
- - End Of File - - BD099064F48776DA6B1BB84287B56B1A

#12 heir

heir

  • Malware Response Team
  • 763 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:47 PM

Posted 19 May 2011 - 08:28 AM

ComboFix2.txt 2011-04-26 03:17
ComboFix3.txt 2011-04-21 02:19
ComboFix4.txt 2011-04-21 00:54
ComboFix5.txt 2011-04-26 03:57


Under whose supervision have you run ComboFix several times?

Running powerful tools like ComboFix unsupervised isn't recommended. Doing so can be dangerous. Please refrain from doing that.

The author of the tool has stated this:

ComboFix is a very powerful tool which when improperly used may render your machine to a doorstop.

We first need to verify if there's any rootkits present and how they could affect our tools. DDS & GMER are preliminary scans. We use their logs to map our strategy for attack.

With these logs we can determine the infections present & decide whether to deploy ComboFix.


Please zip these files and attach the zipped file in your reply.

C:\Qoobox\ComboFix-quarantined-files.txt
C:\Qoobox\ComboFix2.txt
C:\Qoobox\ComboFix3.txt
C:\Qoobox\ComboFix4.txt
C:\Qoobox\ComboFix5.txt


Edited by heir, 19 May 2011 - 08:28 AM.

Please do not PM me asking for support. Post on the forums instead.
Please post the final results, good or bad. We like to know!
Posted Image
Unified Network of Instructors and Trained Eliminators
My help is always free, but if you want to donate to help me continue my fight against malware then click Posted Image


#13 gnaag

gnaag
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:02:47 PM

Posted 19 May 2011 - 08:53 AM

A friend sent me the link to download it last time I had an issue, since it worked for him. It was another browser re-direct issue, which he had also encountered. I wasn't aware of the risks, however. I was just sent the link and didn't ask where he'd got it. Obviously not a smart move on my part.

I can't seem to zip the files, so I've attached the txt files. Hope that's okay...

Attached Files



#14 heir

heir

  • Malware Response Team
  • 763 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:47 PM

Posted 19 May 2011 - 09:42 AM

A friend sent me the link to download it last time I had an issue, since it worked for him. It was another browser re-direct issue, which he had also encountered. I wasn't aware of the risks, however. I was just sent the link and didn't ask where he'd got it. Obviously not a smart move on my part.

:nono:


Step 1.
Uninstall programs:

Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

CCleaner
Registry Mechanic 6.0



Optional removals
CCleaner, Registry Mechanic 6.0 <<<--- Registry cleaners, as stated before.
It's up to you if you want to remove the above programs, however I strongly recommend you do.


Step 2.
Install Antivirus:

Please install avast! Free Edition, an excellent free AV.
Please make sure it's updated and run a full scan with it.

Step 3.
CFScript:

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

File::
c:\windows\system32\10.tmp
Folder::
c:\documents and settings\Scott\Application Data\FixCleaner
c:\program files\FixCleaner
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= dword:00000001
"DisableNotifications"=-
Driver::
MEMSWEEP2
DDS::
Hosts: 209.172.52.73 www.google.com
Hosts: 209.172.52.74 search.yahoo.com

Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript onto ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Step 4.
Things I would like to see in your reply:

  • Which programs were uninstalled in step 1.
  • The content of C:\ComboFix.txt from step 3.
  • Are you still re-directed?

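The CFScript in the post above resets four Security Center and firewall values, removes a driver that loads from a .tmp file, and drops two HOSTS lines that pin search engines to a foreign address. As an added example (not part of the thread, and not ComboFix's or the poster's own code), here is a small Python triage script that reads a constructed log snippet in the same line shapes ComboFix prints and reports exactly those classes of finding, so each line of such a fix can be justified against the log before it is run. Only the standard library is used; the sample block, the WEAK_VALUES table and the function names are this example's own construction.

```python
"""Triage a ComboFix/DDS-style log for the items a CFScript typically resets.

Added example for this thread, not code from ComboFix or the poster.  It only
uses the Python standard library.  The sample log block and the WEAK_VALUES
table are constructed here from the shape of the log posted above.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str    # "weak-setting", "suspicious-service" or "hosts-redirect"
    detail: str  # what was seen and why it matters


# Constructed sample: the same line shapes ComboFix prints, with values taken
# from the log in this thread and one benign localhost entry added for contrast.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [3/31/2011 12:19 PM 363344]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\10.tmp --> c:\windows\system32\10.tmp [?]
Hosts: 209.172.52.73 www.google.com
Hosts: 209.172.52.74 search.yahoo.com
Hosts: 127.0.0.1 localhost
"""

REG_KEY = re.compile(r"^\[(?P<key>[^\]]+)\]$")
REG_VALUE = re.compile(
    r'^"(?P<name>[^"]+)"\s*=\s*'
    r"(?:dword:(?P<hex>[0-9a-fA-F]{8})|(?P<dec>\d+)\s*\(0x[0-9a-fA-F]+\))"
)
SERVICE = re.compile(r"^[RS]\d\s+(?P<name>[^;]+);[^;]*;(?P<path>.+?)(?:\s+-->\s|\s+\[)")
HOSTS = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)")

# (last key component, value name, observed value) -> why it is a problem.
# These are the four values the CFScript in this thread sets back.
WEAK_VALUES = {
    ("security center", "antivirusoverride", 1): "Security Center told to ignore missing or disabled antivirus",
    ("security center", "firewalloverride", 1): "Security Center told to ignore a disabled firewall",
    ("standardprofile", "enablefirewall", 0): "Windows Firewall disabled on the standard profile",
    ("standardprofile", "disablenotifications", 1): "firewall block notifications suppressed",
}


def _is_loopback(ip: str) -> bool:
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False


def triage(log_text: str) -> list[Finding]:
    """Walk the log line by line and collect findings, in log order."""
    findings: list[Finding] = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := REG_KEY.match(line):
            # Keep only the last path component so HKLM\... and HKEY_LOCAL_MACHINE\... compare equal.
            current_key = m.group("key").rsplit("\\", 1)[-1].lower()
        elif m := REG_VALUE.match(line):
            value = int(m.group("hex"), 16) if m.group("hex") is not None else int(m.group("dec"))
            meaning = WEAK_VALUES.get((current_key, m.group("name").lower(), value))
            if meaning:
                findings.append(Finding("weak-setting", f"{m.group('name')}={value}: {meaning}"))
        elif m := SERVICE.match(line):
            # A service or driver whose image lives in a .tmp file or a temp folder is out of place.
            path = m.group("path").lower()
            if path.endswith(".tmp") or "\\temp\\" in path:
                findings.append(Finding("suspicious-service", f"{m.group('name')} loads {m.group('path')}"))
        elif m := HOSTS.match(line):
            # Real hostnames pinned to a non-loopback address are a common way search redirects are done.
            ip, host = m.group("ip"), m.group("host")
            if host.lower() != "localhost" and not _is_loopback(ip):
                findings.append(Finding("hosts-redirect", f"{host} pinned to {ip} in HOSTS"))
    return findings


def triage_sample() -> list[Finding]:
    """Run the triage over the constructed sample block."""
    return triage(SAMPLE_LOG)


if __name__ == "__main__":
    for f in triage_sample():
        print(f"{f.kind:20} {f.detail}")
```

Run it on the sample and it reports seven findings: the four weak Security Center and firewall values, the MEMSWEEP2 entry loading from 10.tmp, and the two HOSTS redirects; the localhost line is left alone. Feeding it the real "Reg Loading Points", service and "Hosts:" lines from a log gives the same kind of checklist a helper works from when writing a CFScript.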


#15 gnaag

gnaag
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:02:47 PM

Posted 19 May 2011 - 07:32 PM

I've removed Registry Mechanic, CCleaner and Fix Cleaner. Also, I've installed avast FREE EDITION.

I've pasted the results from Combofix below. After a couple of hours of internet use this evening I've had zero re-directions. But obviously I need to correct my computer habits to ensure this doesn't happen again. This has been a good learning experience. I assume there are probably a few more steps you'd like to be done? Again, I really appreciate the assistance.


Combofix log:


ComboFix 11-05-18.03 - Scott 05/19/2011 11:25:48.9.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.548 [GMT -4:00]
Running from: c:\documents and settings\Scott\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\Scott\My Documents\Downloads\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
FILE ::
"c:\windows\system32\10.tmp"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Scott\Application Data\FixCleaner
c:\documents and settings\Scott\Application Data\FixCleaner\Logs\2011-05-15 09-19-060.log
c:\documents and settings\Scott\Application Data\FixCleaner\Logs\2011-05-15 09-41-440.log
c:\documents and settings\Scott\Application Data\FixCleaner\Logs\2011-05-15 11-17-420.log
c:\documents and settings\Scott\Application Data\FixCleaner\Logs\2011-05-15 12-00-180.log
c:\documents and settings\Scott\Application Data\FixCleaner\Logs\2011-05-15 12-00-230.log
c:\documents and settings\Scott\Application Data\FixCleaner\Logs\2011-05-15 20-48-210.log
c:\documents and settings\Scott\Application Data\FixCleaner\PCOBackups\2011-05-15 09-37-46.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\filelist.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-0.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-1.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-10.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-100.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-101.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-102.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-103.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-104.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-105.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-106.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-107.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-108.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-109.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-11.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-110.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-111.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-112.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-113.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-114.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-115.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-116.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-117.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-118.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-119.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-12.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-120.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-121.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-122.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-123.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-124.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-125.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-126.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-127.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-128.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-129.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-13.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-130.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-131.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-132.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-133.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-134.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-135.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-136.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-137.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-138.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-139.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-14.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-140.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-15.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-16.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-17.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-18.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-19.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-2.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-20.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-21.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-22.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-23.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-24.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-25.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-26.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-27.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-28.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-29.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-3.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-30.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-31.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-32.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-33.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-34.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-35.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-36.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-37.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-38.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-39.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-4.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-40.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-41.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-42.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-43.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-44.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-45.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-46.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-47.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-48.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-49.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-5.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-50.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-51.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-52.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-53.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-54.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-55.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-56.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-57.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-58.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-59.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-6.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-60.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-61.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-62.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-63.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-64.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-65.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-66.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-67.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-68.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-69.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-7.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-70.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-71.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-72.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-73.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-74.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-75.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-76.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-77.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-78.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-79.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-8.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-80.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-81.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-82.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-83.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-84.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-85.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-86.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-87.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-88.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-89.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-9.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-90.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-91.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-92.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-93.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-94.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-95.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-96.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-97.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-98.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 09-37-360\regb-99.db
c:\documents and settings\Scott\Application Data\FixCleaner\QuarantineW\2011-05-15 12-00-470\filelist.db
c:\documents and settings\Scott\Application Data\FixCleaner\Results\Evidence.db
c:\documents and settings\Scott\Application Data\FixCleaner\Results\Junk.db
c:\documents and settings\Scott\Application Data\FixCleaner\Results\MSUpdate.db
c:\documents and settings\Scott\Application Data\FixCleaner\Results\Registry.db
c:\documents and settings\Scott\Application Data\FixCleaner\Results\Update.db
c:\documents and settings\Scott\Application Data\FixCleaner\spy_ignore.db
c:\program files\FixCleaner
c:\program files\FixCleaner\PW\general.html
c:\program files\FixCleaner\PW\optimizations.html
c:\program files\FixCleaner\PW\privacy.html
c:\program files\FixCleaner\PW\scheduler.html
c:\program files\FixCleaner\PW\startup.html
c:\program files\FixCleaner\PW\wizard.css
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_MEMSWEEP2
-------\Service_MEMSWEEP2
.
.
((((((((((((((((((((((((( Files Created from 2011-04-19 to 2011-05-19 )))))))))))))))))))))))))))))))
.
.
2011-05-19 14:55 . 2011-05-10 12:03 307928 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-05-19 14:55 . 2011-05-10 11:59 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-05-19 14:54 . 2011-05-10 11:59 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-05-19 14:54 . 2011-05-10 12:03 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-05-19 14:54 . 2011-05-10 12:02 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-05-19 14:54 . 2011-05-10 12:02 102616 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-05-19 14:54 . 2011-05-10 12:02 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-05-19 14:54 . 2011-05-10 11:59 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-05-19 14:54 . 2011-05-10 12:10 40112 ----a-w- c:\windows\avastSS.scr
2011-05-19 14:54 . 2011-05-10 12:10 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-05-19 14:53 . 2011-05-19 14:53 -------- d-----w- c:\program files\AVAST Software
2011-05-19 14:53 . 2011-05-19 14:53 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2011-05-19 13:51 . 2011-05-19 13:51 -------- d-----w- c:\documents and settings\Scott\Local Settings\Application Data\WinZip
2011-05-19 13:50 . 2011-05-19 13:51 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2011-05-18 10:24 . 2011-05-18 10:24 -------- d-----w- C:\_OTL
2011-05-15 15:35 . 2011-05-15 15:35 190032 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-05-15 15:24 . 2011-05-15 15:24 -------- d-----w- c:\program files\Sophos
2011-04-26 14:06 . 2011-05-15 13:11 17480 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-04-26 14:06 . 2011-04-26 14:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2011-04-26 13:21 . 2011-04-26 13:21 -------- d-----w- c:\program files\Sophos Anti-Rootkit
2011-04-26 04:51 . 2011-05-17 10:16 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2011-04-26 04:51 . 2011-05-17 00:56 -------- d-----w- c:\documents and settings\Scott\Local Settings\Application Data\Temp
2011-04-26 04:48 . 2011-04-26 04:48 -------- d-----w- c:\documents and settings\Scott\Application Data\Reviversoft
2011-04-26 04:47 . 2011-03-16 17:28 16704 ----a-w- c:\windows\system32\roboot.exe
2011-04-26 02:22 . 2011-04-30 03:08 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-04-26 02:22 . 2011-04-30 03:08 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-04-26 02:22 . 2011-04-30 03:08 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-04-26 02:22 . 2011-04-30 03:08 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-04-26 02:22 . 2011-04-30 03:08 465880 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-04-26 02:22 . 2011-04-30 03:08 1892184 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll
2011-04-26 02:22 . 2011-04-30 03:08 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-04-26 02:22 . 2011-04-30 03:08 1974616 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
2011-04-22 19:23 . 2011-05-16 01:11 -------- d-----w- c:\documents and settings\Scott\Application Data\Media Player Classic
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-26 05:57 . 2004-08-03 22:58 23040 ----a-w- c:\windows\system32\drivers\mouclass.sys
2011-04-26 04:30 . 2009-10-31 18:01 443448 ----a-w- c:\windows\system32\drivers\sptd.sys
2011-04-07 21:44 . 2011-04-07 21:44 388096 ----a-r- c:\documents and settings\Scott\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-03-07 05:33 . 2009-10-29 00:12 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:45 . 2004-08-10 11:00 434176 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2004-08-10 11:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2009-07-10 18:39 . 2009-12-27 22:58 350720 ----a-w- c:\program files\hjsplit.exe
2011-04-30 03:08 . 2011-04-26 02:22 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot_2011-05-19_13.01.28 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-12 04:02 . 2009-07-12 04:02 51008 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_f0ccd4aa\vcomp90.dll
+ 2009-07-12 04:02 . 2009-07-12 04:02 59728 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90rus.dll
+ 2009-07-12 04:02 . 2009-07-12 04:02 42832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90kor.dll
+ 2009-07-12 04:02 . 2009-07-12 04:02 43344 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90jpn.dll
+ 2009-07-12 04:02 . 2009-07-12 04:02 61264 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90ita.dll
+ 2009-07-12 04:02 . 2009-07-12 04:02 62800 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90fra.dll
+ 2009-07-12 04:02 . 2009-07-12 04:02 61760 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esp.dll
+ 2009-07-12 04:02 . 2009-07-12 04:02 61776 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esn.dll
+ 2009-07-12 04:02 . 2009-07-12 04:02 53568 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90enu.dll
+ 2009-07-12 04:02 . 2009-07-12 04:02 63296 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90deu.dll
+ 2009-07-12 04:02 . 2009-07-12 04:02 36688 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90cht.dll
+ 2009-07-12 04:02 . 2009-07-12 04:02 35648 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90chs.dll
+ 2009-07-12 04:05 . 2009-07-12 04:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90u.dll
+ 2009-07-12 04:05 . 2009-07-12 04:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90.dll
+ 2011-05-19 15:34 . 2011-05-19 15:34 16384 c:\windows\Temp\Perflib_Perfdata_254.dat
+ 2011-05-19 13:51 . 2011-05-19 13:51 29184 c:\windows\Installer\{CD95F661-A5C4-44F5-A6AA-ECDD91C240C2}\IconCD95F6617.exe
+ 2009-07-12 04:02 . 2009-07-12 04:02 653120 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcr90.dll
+ 2009-07-12 04:02 . 2009-07-12 04:02 569664 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcp90.dll
+ 2009-07-12 04:05 . 2009-07-12 04:05 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcm90.dll
+ 2011-04-27 01:30 . 2011-05-19 14:48 262144 c:\windows\system32\config\systemprofile\ntuser.dat
+ 2011-05-19 14:54 . 2011-05-19 14:54 219648 c:\windows\Installer\711878.msi
+ 2011-05-19 13:51 . 2011-05-19 13:51 632320 c:\windows\Installer\{CD95F661-A5C4-44F5-A6AA-ECDD91C240C2}\IconCD95F66110.exe
+ 2009-07-12 04:02 . 2009-07-12 04:02 3780424 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90u.dll
+ 2009-07-12 04:02 . 2009-07-12 04:02 3765048 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90.dll
+ 2011-05-19 13:51 . 2011-05-19 13:51 1696768 c:\windows\Installer\365c84.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-05-10 12:10 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-12-17 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-12-20 443728]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-05-10 3459712]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD9\\PowerDVD9.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [5/19/2011 10:54 AM 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [5/19/2011 10:55 AM 307928]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [5/19/2011 10:55 AM 19544]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [3/31/2011 12:19 PM 363344]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [3/31/2011 12:19 PM 20952]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/26/2011 12:51 AM 136176]
S3 FileObjInfo;STFileDriver;c:\documents and settings\All Users\Application Data\Spyware Terminator\fileobjinfo.sys [10/31/2009 2:16 PM 5632]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [4/26/2011 12:51 AM 136176]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [3/31/2011 11:48 AM 356920]
S4 sptd;sptd;\SystemRoot\\SystemRoot\System32\Drivers\sptd.sys --> \SystemRoot\\SystemRoot\System32\Drivers\sptd.sys [?]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ASWSNX
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
2011-05-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-26 04:51]
.
2011-05-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-26 04:51]
.
.
------- Supplementary Scan -------
.
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Bar = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Scott\Application Data\Mozilla\Firefox\Profiles\6p0y76xk.default\
FF - prefs.js: network.proxy.type - 0
FF - user.js: yahoo.homepage.dontask - true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-19 11:35
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1343024091-113007714-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:48,a5,3a,54,7e,e3,46,42,49,de,09,22,85,83,79,78,b2,a1,90,69,68,10,99,
d8,86,30,0d,ee,c8,2d,9b,30,27,57,50,00,d6,04,07,d9,1d,18,c8,59,f4,4f,f9,40,\
"??"=hex:f4,e1,fa,03,1d,9a,72,f1,8f,d2,61,9c,66,04,e9,ee
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(916)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
.
- - - - - - - > 'explorer.exe'(604)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-05-19 11:40:49 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-19 15:40
ComboFix2.txt 2011-05-19 13:03
ComboFix3.txt 2011-04-26 03:17
ComboFix4.txt 2011-04-21 02:19
ComboFix5.txt 2011-05-19 15:24
.
Pre-Run: 80,907,919,360 bytes free
Post-Run: 80,899,710,976 bytes free
.
- - End Of File - - CAD4FC35E0F19061979851EFBC325CE5



