Infected with TDSS, Google keeps redirecting, cannot run many programs


  • This topic is locked
23 replies to this topic

#1 erzherzog


Posted 20 August 2011 - 12:58 PM

Infected by something that calls itself Security Protection. When I run TDSSkiller or related programs it terminates the program mid-scan and I can no longer use said program.

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_17
Run by Owner at 13:50:41 on 2011-08-20
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3326.2664 [GMT -4:00]
.
AV: Bitdefender Antivirus *Disabled/Updated* {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: Bitdefender Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\2088078439:2557708931.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\runservice.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k termsvc
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uWindow Title = Windows Internet Explorer provided by Comcast
mStart Page = about:blank
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Settings,ProxyOverride = <local>;*.local
uURLSearchHooks: DeviceVM Url Search Hook: {0063bf63-bfff-4b8f-9d26-4267df7f17dd} - c:\windows\system32\dvmurl.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {cf3f0b7c-65fc-4254-aa61-0db98776b859} - c:\windows\system32\devenu.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: BitDefender Toolbar: {381ffde8-2394-4f90-b10d-fc6124a40f8c} - c:\program files\bitdefender\bitdefender 2008\IEToolbar.dll
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [LogMeIn Hamachi Ui] "c:\program files\logmein hamachi\hamachi-2-ui.exe" --auto-start
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: Interfaces\{C864AE0D-86A4-478F-B1C1-6E7586C5545E} : DhcpNameServer = 68.87.72.134 68.87.77.134
TCP: Interfaces\{F57FDF10-B5AA-4903-BFEE-D8C8AC4BF034} : DhcpNameServer = 192.168.1.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: termew32 - termew32.dll
Notify: termsvces - termew32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\owner\application data\mozilla\firefox\profiles\l8b1qdi3.default\
FF - prefs.js: browser.startup.homepage - hxxp://wikipedia.org/
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\owner\application data\facebook\npfbplugin_1_0_0.dll
FF - plugin: c:\documents and settings\owner\application data\facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\windows\system32\c2mp\npdivx32.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: GameFOX: {6dd0bdba-0a02-429e-b595-87a7dfdca7a1} - %profile%\extensions\{6dd0bdba-0a02-429e-b595-87a7dfdca7a1}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
============= SERVICES / DRIVERS ===============
.
R2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files\logmein hamachi\hamachi-2.exe [2011-8-4 1361288]
R2 LicCtrlService;LicCtrl Service;c:\windows\runservice.exe [2011-5-29 16384]
R2 TermServices;Remote Desktop Service;c:\windows\system32\svchost.exe -k termsvc [2008-4-14 14336]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [2008-6-2 86792]
R3 MSHUSBVideo;NX6000/NX3000/VX5000/VX5500/VX2000/VX7000 Filter Driver;c:\windows\system32\drivers\nx6000.sys [2009-12-26 30560]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-19 135664]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-19 135664]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-08-20 17:16:43 9484 ----a-w- c:\windows\look.bat
2011-08-20 17:16:43 -------- d-----w- c:\windows\maxdrive
2011-08-16 18:22:56 26176 ---ha-w- c:\windows\system32\hamachi.sys
2011-08-16 18:22:41 -------- d-----w- c:\program files\LogMeIn Hamachi
.
==================== Find3M ====================
.
2011-08-20 17:28:32 1433 --sha-w- c:\windows\system32\mmf.sys
2011-08-20 16:07:39 81984 ----a-w- c:\windows\system32\bdod.bin
2011-07-10 07:18:03 218624 ----a-w- c:\windows\system32\termsw32.dll
2011-07-06 23:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 23:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-30 00:12:13 249856 ----a-w- c:\windows\lcmmfu.cpl
2011-05-30 00:12:13 16384 ----a-w- c:\windows\runservice.exe
2011-05-30 00:12:12 48640 ----a-w- c:\windows\mmfs.dll
2011-05-29 23:19:47 704282 ----a-w- c:\program files\unins000.exe
.
============= FINISH: 13:51:20.07 ===============

Edited by erzherzog, 20 August 2011 - 02:17 PM.



#2 HelpBot


Posted 25 August 2011 - 01:00 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/415316 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 erzherzog


Posted 27 August 2011 - 07:47 AM

Tried using TDSSkiller and running malwarebytes and bitdefender scans to remove virus files but no luck.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_17
Run by Owner at 8:40:28 on 2011-08-27
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3326.2623 [GMT -4:00]
.
AV: Bitdefender Antivirus *Disabled/Updated* {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: Bitdefender Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\2088078439:2557708931.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\runservice.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k termsvc
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsiExec.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uWindow Title = Windows Internet Explorer provided by Comcast
mStart Page = about:blank
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Settings,ProxyOverride = <local>;*.local
uURLSearchHooks: DeviceVM Url Search Hook: {0063bf63-bfff-4b8f-9d26-4267df7f17dd} - c:\windows\system32\dvmurl.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {cf3f0b7c-65fc-4254-aa61-0db98776b859} - c:\windows\system32\devenu.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: BitDefender Toolbar: {381ffde8-2394-4f90-b10d-fc6124a40f8c} - c:\program files\bitdefender\bitdefender 2008\IEToolbar.dll
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [LogMeIn Hamachi Ui] "c:\program files\logmein hamachi\hamachi-2-ui.exe" --auto-start
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{C864AE0D-86A4-478F-B1C1-6E7586C5545E} : DhcpNameServer = 68.87.72.134 68.87.77.134
TCP: Interfaces\{F57FDF10-B5AA-4903-BFEE-D8C8AC4BF034} : DhcpNameServer = 192.168.1.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: termew32 - termew32.dll
Notify: termsvces - termew32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\owner\application data\mozilla\firefox\profiles\l8b1qdi3.default\
FF - prefs.js: browser.startup.homepage - hxxp://wikipedia.org/
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\owner\application data\facebook\npfbplugin_1_0_0.dll
FF - plugin: c:\documents and settings\owner\application data\facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\windows\system32\c2mp\npdivx32.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: GameFOX: {6dd0bdba-0a02-429e-b595-87a7dfdca7a1} - %profile%\extensions\{6dd0bdba-0a02-429e-b595-87a7dfdca7a1}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
============= SERVICES / DRIVERS ===============
.
R2 LicCtrlService;LicCtrl Service;c:\windows\runservice.exe [2011-5-29 16384]
R2 TermServices;Remote Desktop Service;c:\windows\system32\svchost.exe -k termsvc [2008-4-14 14336]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [2008-6-2 86792]
R3 MSHUSBVideo;NX6000/NX3000/VX5000/VX5500/VX2000/VX7000 Filter Driver;c:\windows\system32\drivers\nx6000.sys [2009-12-26 30560]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-19 135664]
S2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files\logmein hamachi\hamachi-2.exe [2011-8-4 1361288]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-19 135664]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-7-9 41272]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-08-24 17:44:01 45328 --sha-w- c:\windows\system32\c_42352.nl_
2011-08-20 17:16:43 9484 ----a-w- c:\windows\look.bat
2011-08-20 17:16:43 -------- d-----w- c:\windows\maxdrive
2011-08-16 18:22:56 26176 ---ha-w- c:\windows\system32\hamachi.sys
2011-08-16 18:22:41 -------- d-----w- c:\program files\LogMeIn Hamachi
.
==================== Find3M ====================
.
2011-08-27 00:23:00 1433 --sha-w- c:\windows\system32\mmf.sys
2011-08-26 00:59:48 64512 ----a-w- c:\windows\system32\drivers\serial.sys
2011-08-25 00:51:14 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2011-08-25 00:22:15 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2011-08-25 00:10:21 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-08-20 16:07:39 81984 ----a-w- c:\windows\system32\bdod.bin
2011-07-10 07:18:03 218624 ----a-w- c:\windows\system32\termsw32.dll
2011-07-06 23:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 23:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-30 00:12:13 249856 ----a-w- c:\windows\lcmmfu.cpl
2011-05-30 00:12:13 16384 ----a-w- c:\windows\runservice.exe
2011-05-30 00:12:12 48640 ----a-w- c:\windows\mmfs.dll
2011-05-29 23:19:47 704282 ----a-w- c:\program files\unins000.exe
.
============= FINISH: 8:41:02.68 ===============

Using Windows XP Home edition 32-bit

Have the OS install cd, but do not have the serial code.
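Added example (not part of this thread, and not a BleepingComputer tool): a small Python triage script that parses the section layout of the two DDS logs posted above and flags the entries a responder would look at first. The embedded sample is a constructed excerpt copied from those two logs; the section-header format and the attribute-string layout are assumed from the logs as posted. The checks are heuristics, not verdicts: a colon inside the image path after the drive letter means the executable is an NTFS alternate data stream (in the posted log, C:\WINDOWS\2088078439:2557708931.exe is a stream named 2557708931.exe attached to an object named 2088078439 in the Windows directory, which is not how legitimate software installs), Winlogon "Notify:" packages are DLLs that winlogon.exe loads at logon and so are a persistence point worth verifying, files created in system32 with both the hidden and system attributes (the "--sha-w-" column) during the infection window deserve a look, and an executable sitting directly in the Windows directory root is only informational, since the Realtek audio tools on this machine live there too.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: an excerpt of the DDS logs posted in this thread, trimmed to
# the lines the checks below care about (the full logs parse the same way).
SAMPLE_DDS = r"""
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\2088078439:2557708931.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\runservice.exe
C:\Program Files\Mozilla Firefox\firefox.exe
.
============== Pseudo HJT Report ===============
.
Notify: termew32 - termew32.dll
Notify: termsvces - termew32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
=============== Created Last 30 ================
.
2011-08-24 17:44:01 45328 --sha-w- c:\windows\system32\c_42352.nl_
2011-08-20 17:16:43 9484 ----a-w- c:\windows\look.bat
2011-08-20 17:16:43 -------- d-----w- c:\windows\maxdrive
2011-08-16 18:22:56 26176 ---ha-w- c:\windows\system32\hamachi.sys
.
============= FINISH: 13:51:20.07 ===============
"""

Finding = Tuple[str, str, str]  # (kind, item, explanation)

HEADER_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# "<timestamp> <size or --------> <attributes> <path>", as DDS prints file entries.
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\S+)\s+(\S+)\s+(.+)$")
WINDOWS_ROOT_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+$", re.IGNORECASE)


def parse_sections(text: str) -> Dict[str, List[str]]:
    """Split a DDS log into its '===== Name =====' sections, dropping the '.' spacer lines."""
    sections: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        header = HEADER_RE.match(line)
        if header:
            current = header.group(1)
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def check_processes(lines: List[str]) -> List[Finding]:
    findings: List[Finding] = []
    for entry in lines:
        path = re.split(r"\s+-k\s+", entry)[0]  # drop svchost's "-k <group>" argument
        if ":" in path[2:]:
            # A second colon can only be a stream separator: the image is an NTFS
            # alternate data stream, invisible to a normal directory listing.
            findings.append(("ads_path", path, "image is an NTFS alternate data stream"))
        elif "\\" not in path:
            findings.append(("unresolved_path", path, "DDS reported no full path; confirm which binary this is"))
        elif WINDOWS_ROOT_RE.match(path):
            findings.append(("windows_root_image", path,
                             "runs from the Windows directory root (informational; OEM tools do this too)"))
    return findings


def check_notify(lines: List[str]) -> List[Finding]:
    """Winlogon 'Notify' packages are DLLs winlogon.exe loads at logon: a persistence point."""
    findings: List[Finding] = []
    for entry in lines:
        if entry.startswith("Notify:"):
            name, _, dll = entry[len("Notify:"):].partition(" - ")
            findings.append(("winlogon_notify", dll.strip(),
                             f"notification package '{name.strip()}' loads into winlogon.exe"))
    return findings


def check_files(lines: List[str]) -> List[Finding]:
    """Flag files created with both the hidden and system attributes set (e.g. '--sha-w-')."""
    findings: List[Finding] = []
    for entry in lines:
        m = FILE_RE.match(entry)
        if not m:
            continue
        stamp, _size, attrs, path = m.groups()
        if "s" in attrs and "h" in attrs:
            findings.append(("hidden_system_file", path, f"created {stamp} with attributes {attrs}"))
    return findings


def triage(text: str) -> List[Finding]:
    sections = parse_sections(text)
    findings = check_processes(sections.get("Running Processes", []))
    findings += check_notify(sections.get("Pseudo HJT Report", []))
    for name in ("Created Last 30", "Find3M"):
        findings += check_files(sections.get(name, []))
    return findings


if __name__ == "__main__":
    for kind, item, why in triage(SAMPLE_DDS):
        print(f"[{kind}] {item}: {why}")
```

Run against the full log pasted from a post, the script turns a 150-line dump into half a dozen lines to verify by hand. It deliberately does not try to name the malware family; it only separates "normal for Windows XP" from "needs an explanation", which is the judgement the helpers in this thread are making when they read the log.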

#4 CatByte


Posted 27 August 2011 - 08:00 AM

Hi

Please run the following:

Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)
There are 4 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click and choose Run as Admin
You only need to get one of them to run, not all of them.

Link 1
Link 2
Link 3
Link 4



Note:

You will likely see a message from this rogue telling you the file is infected. Ignore the message. Leave the message OPEN, do not close the message. Run rkill repeatedly until it's able to do its job. This may take a few tries. You'll be able to tell rkill has done its job when your desktop (explorer.exe) cycles off and then on again.

At this point, you should now be able to run analysis tools.

Once the tool has run, do NOT reboot the machine, and then try to run GMER.

If for some reason the machine reboots, repeat the process. Again, try not to restart the machine.




Download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and attach it in your reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 erzherzog


Posted 30 August 2011 - 08:49 AM

I've tried rkill quite a few times but it just doesn't seem to be working.

I was planning to update to Windows 7, would formatting my hard drive be likely to get rid of the virus? I'm fine with trying that.

#6 CatByte


Posted 30 August 2011 - 04:17 PM

Yes, if you totally wipe the hard drive and start from scratch, it should remove all the problems.

If you still wanted to have a try at cleaning, try booting into safe mode and running the programs in safe mode.

Boot into safe mode with networking and run ComboFix.

To Enter Safemode
  • Go to Start> Shut off your Computer> Restart
  • As the computer starts to boot up, tap the F8 key repeatedly; this will bring up a menu.
  • Use the Up and Down Arrow Keys to scroll up to Safemode with networking
  • Then press the Enter Key on your Keyboard
  • go into your usual account


Now that you are in safe mode, please do the following:

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#7 erzherzog


Posted 01 September 2011 - 05:02 PM

Ran it, let's see how this works.

ComboFix 11-09-01.03 - Owner 09/01/2011 17:37:30.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3326.2960 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: Bitdefender Antivirus *Disabled/Updated* {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: Bitdefender Firewall *Enabled* {4055920F-2E99-48A8-A270-4243D2B8F242}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Desktop\Security Protection.lnk
c:\documents and settings\Owner\WINDOWS
c:\windows\$NtUninstallKB60687$
c:\windows\$NtUninstallKB60687$\1737258364\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}
c:\windows\$NtUninstallKB60687$\1737258364\click.tlb
c:\windows\$NtUninstallKB60687$\1737258364\L\yicididr
c:\windows\$NtUninstallKB60687$\1737258364\loader.tlb
c:\windows\$NtUninstallKB60687$\1737258364\U\@00000001
c:\windows\$NtUninstallKB60687$\1737258364\U\@000000c0
c:\windows\$NtUninstallKB60687$\1737258364\U\@000000cb
c:\windows\$NtUninstallKB60687$\1737258364\U\@000000cf
c:\windows\$NtUninstallKB60687$\1737258364\U\@80000000
c:\windows\$NtUninstallKB60687$\1737258364\U\@800000c0
c:\windows\$NtUninstallKB60687$\1737258364\U\@800000cb
c:\windows\$NtUninstallKB60687$\1737258364\U\@800000cf
c:\windows\$NtUninstallKB60687$\2303710228
c:\windows\system32\AutoRun.inf
c:\windows\system32\c_42352.nls
c:\windows\system32\mfc100deu.dll
.
Infected copy of c:\windows\system32\drivers\ipsec.sys was found and disinfected
Restored copy from - The cat found it :)
c:\windows\runservice.exe . . . is infected!!
.
c:\windows\system32\nvsvc32.exe . . . is infected!!
.
c:\windows\system32\PnkBstrA.exe . . . is infected!!
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_6TO4
-------\Service_678c757c
-------\Service_6to4
.
.
((((((((((((((((((((((((( Files Created from 2011-08-01 to 2011-09-01 )))))))))))))))))))))))))))))))
.
.
2011-09-01 21:31 . 2011-08-28 12:36 75264 -c--a-w- c:\windows\system32\dllcache\ipsec.sys
2011-09-01 21:31 . 2011-08-28 12:36 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2011-09-01 21:22 . 2011-09-01 21:22 -------- d-----w- c:\documents and settings\Administrator
2011-08-24 17:44 . 2011-08-29 19:23 43408 --sha-w- c:\windows\system32\c_42352.nl_
2011-08-20 17:16 . 2011-08-20 17:16 9484 ----a-w- c:\windows\look.bat
2011-08-20 17:16 . 2011-08-20 17:16 -------- d-----w- c:\windows\maxdrive
2011-08-16 18:22 . 2009-03-18 21:35 26176 ---ha-w- c:\windows\system32\hamachi.sys
2011-08-16 18:22 . 2011-08-16 18:22 -------- d-----w- c:\program files\LogMeIn Hamachi
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-29 19:23 . 2008-04-14 12:00 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2011-08-27 21:57 . 2008-04-14 12:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-08-26 00:59 . 2008-04-14 12:00 64512 ----a-w- c:\windows\system32\drivers\serial.sys
2011-07-10 07:18 . 2011-07-10 07:18 218624 ----a-w- c:\windows\system32\termsw32.dll
2011-07-06 23:52 . 2011-07-10 03:16 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 23:52 . 2011-07-10 03:16 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-29 23:19 . 2011-05-29 23:20 704282 ----a-w- c:\program files\unins000.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-23 16804864]
"SoundMan"="SOUNDMAN.EXE" [2008-06-18 77824]
"AlcWzrd"="ALCWZRD.EXE" [2008-06-19 2808832]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-01-07 13880424]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-01-25 421160]
"LogMeIn Hamachi Ui"="c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe" [2011-08-04 1955208]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-11-18 275072]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeEnC2.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeTray.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\universe at war earth assault\\LaunchUAW.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\men of war red tide\\redtide.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\the witcher enhanced edition\\System\\witcher.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\the witcher enhanced edition\\System\\djinni!.exe"=
"c:\\Program Files\\Steam\\steamapps\\tvirusoutbreak\\age of chivalry\\hl2.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 1942\\BF1942.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\empire total war\\Empire.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\il 2 sturmovik 1946\\il2fb.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\company of heroes\\RelicDownloader\\RelicDownloader.exe"=
"c:\\WINDOWS\\system32\\dxdiag.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Sierra\\Empire Earth\\Empire Earth.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\morrowind\\Morrowind Launcher.exe"=
"c:\\Program Files\\Square Enix\\Batman Arkham Asylum GOTY\\Binaries\\ShippingPC-BmGame.exe"=
"c:\\Program Files\\Paradox Interactive\\Europa Universalis - Rome\\RomeGame.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\Paradox Interactive\\Europa Universalis III\\eu3game.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\theatre of war ii kursk 1943\\Kursk1943.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\theatre of war 2 africa 1943\\Africa1943.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\theatre of war 2 africa 1943\\options.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\theatre of war\\tow.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\theatre of war\\towsetup.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\theatre of war\\MissionEditor\\Editor.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\theatre of war\\MissionEditor\\MissionGen.exe"=
"c:\\Program Files\\ComicRack\\ComicRack.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\universe at war earth assault\\UAWEA.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Aspyr\\Men of War\\mow.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\battlefield 2\\BF2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\battlefield 2\\support\\EA Help\\Electronic_Arts_Technical_Support.htm"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Wolfenstein - Enemy Territory\\ET.exe"=
"c:\\Program Files\\Aspyr\\Men of War\\mow_mp.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\silent hunters wolves of the pacific\\sh4.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\company of heroes\\RelicCOH.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\arma 2\\arma2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\magicka\\Magicka.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\killingfloor\\System\\KillingFloor.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\men of war assault squad\\mow_assault_squad.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\red orchestra\\System\\RedOrchestra.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\supreme commander 2\\bin\\SupremeCommander2.exe"=
.
R2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [8/4/2011 2:34 PM 1361288]
R2 TermServices;Remote Desktop Service;c:\windows\System32\svchost.exe -k termsvc [4/14/2008 8:00 AM 14336]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [6/2/2008 5:16 PM 86792]
R3 MSHUSBVideo;NX6000/NX3000/VX5000/VX5500/VX2000/VX7000 Filter Driver;c:\windows\system32\drivers\nx6000.sys [12/26/2009 11:42 PM 30560]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/19/2010 11:19 PM 135664]
S2 LicCtrlService;LicCtrl Service;c:\windows\runservice.exe --> c:\windows\runservice.exe [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/19/2010 11:19 PM 135664]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
bdx REG_MULTI_SZ scan
HPService REG_MULTI_SZ HPSLPSVC
termsvc REG_MULTI_SZ TermServices
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-20 03:19]
.
2011-09-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-20 03:19]
.
2010-01-04 c:\windows\Tasks\Microsoft_Hardware_Launch_LifeExp_exe.job
- c:\program files\Microsoft LifeCam\LifeExp.exe [2009-03-17 20:24]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = about:blank
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Settings,ProxyOverride = <local>;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\l8b1qdi3.default\
FF - prefs.js: browser.startup.homepage - hxxp://wikipedia.org/
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: GameFOX: {6dd0bdba-0a02-429e-b595-87a7dfdca7a1} - %profile%\extensions\{6dd0bdba-0a02-429e-b595-87a7dfdca7a1}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{CF3F0B7C-65FC-4254-AA61-0DB98776B859} - c:\windows\system32\devenu.dll
Notify-termew32 - termew32.dll
Notify-termsvces - termew32.dll
SafeBoot-01423037.sys
SafeBoot-17864374.sys
SafeBoot-22466592.sys
SafeBoot-37684181.sys
SafeBoot-41601981.sys
SafeBoot-48471414.sys
SafeBoot-58394001.sys
SafeBoot-63939331.sys
SafeBoot-83570295.sys
SafeBoot-83783730.sys
SafeBoot-84564952.sys
SafeBoot-88291404.sys
SafeBoot-90565032.sys
SafeBoot-95865154.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-01 17:55
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(216)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\RTHDCPL.EXE
c:\windows\SOUNDMAN.EXE
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft LifeCam\MSCamS32.exe
c:\program files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
c:\program files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\msiexec.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\MsiExec.exe
.
**************************************************************************
.
Completion time: 2011-09-01 17:58:33 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-01 21:58
.
Pre-Run: 273,560,358,912 bytes free
Post-Run: 279,158,190,080 bytes free
.
- - End Of File - - E138615E9108E0F7AF61B8DD69091E40

#8 CatByte
    bleepin' tiger
  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 01 September 2011 - 06:37 PM

Hi,

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')


Collect::
c:\windows\system32\c_42352.nl_
c:\windows\system32\termsw32.dll

Driver::
TermServices

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
"termsvc"=-

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop. Save it as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... and change the directory to your desktop;
3. Change the "Save as type" to "All Files";
4. Type in the file name: CFScript
5. Click Save.

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT



Submit a file to VirusTotal for analysis:
  • Use the browse button on that page to navigate to the location of the file to be scanned.
  • In the right hand panel, click on the file c:\windows\system32\drivers\serial.sys, then click the Open button.
  • The file will now be displayed in the submit box.
  • Scroll down a bit and click "Send file", then wait for the results.
  • If you get a message saying "File has already been analyzed", click "Reanalyze file now".
  • Once scanned, copy and paste the link to the results page in your next reply.

Edited by CatByte, 01 September 2011 - 06:38 PM.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
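The CFScript above targets three things the ComboFix log exposed: a service named TermServices that runs as `svchost.exe -k termsvc`, the matching `termsvc` group under the svchost registry key, and a Winlogon Notify package (termew32.dll). As an added example that is not part of this thread, of ComboFix or of CatByte's instructions, the following Python script parses those three sections of a ComboFix log and reports what an analyst would review: svchost-hosted services whose `-k` group is missing from an allowlist, services not registered under the group they claim, and every Notify entry ComboFix prints (it hides the legitimate defaults, so anything shown deserves a look). The allowlist, the function names and the sample log excerpt are constructed here; the excerpt copies the shape of the lines quoted in the thread.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of the ComboFix sections quoted in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\termsvces]
termew32.dll [BU]
.
R2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [8/4/2011 2:34 PM 1361288]
R2 TermServices;Remote Desktop Service;c:\windows\System32\svchost.exe -k termsvc [4/14/2008 8:00 AM 14336]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/19/2010 11:19 PM 135664]
S2 LicCtrlService;LicCtrl Service;c:\windows\runservice.exe --> c:\windows\runservice.exe [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
bdx REG_MULTI_SZ scan
HPService REG_MULTI_SZ HPSLPSVC
termsvc REG_MULTI_SZ TermServices
.
"""

# "R2 Name;Display Name;image path [date size]" as ComboFix prints service entries.
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s+\[[^\]]*\]\s*$")
SVCHOST_RE = re.compile(r"svchost\.exe\s+-k\s+(\S+)", re.IGNORECASE)
MULTI_SZ_RE = re.compile(r"^(\S+)\s+REG_MULTI_SZ\s+(.*)$")
NOTIFY_RE = re.compile(r"\\winlogon\\notify\\([^\]\\]+)\]\s*$", re.IGNORECASE)

# Assumed allowlist: XP's own svchost groups plus the HP/BitDefender groups this
# particular machine registers. It is a per-host judgement, not a ComboFix feature.
KNOWN_SVCHOST_GROUPS = {
    "netsvcs", "DcomLaunch", "rpcss", "LocalService", "NetworkService",
    "imgsvc", "HTTPFilter", "HPZ12", "hpdevmgmt", "bdx", "HPService",
}


def parse_services(log: str) -> List[Dict[str, str]]:
    """Return the R*/S* service entries with state, name, display name and image."""
    services = []
    for line in log.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            state, name, display, image = m.groups()
            services.append({"state": state, "name": name, "display": display, "image": image})
    return services


def parse_svchost_groups(log: str) -> Dict[str, str]:
    """Map each svchost group (lower-cased) to the raw REG_MULTI_SZ member string.

    ComboFix flattens the multi-string, so multi-word service names such as
    "Pml Driver HPZ12" cannot be split reliably; membership is tested by regex.
    """
    groups: Dict[str, str] = {}
    in_block = False
    for line in log.splitlines():
        s = line.strip()
        if s.lower().endswith(r"\currentversion\svchost]"):
            in_block = True
            continue
        if in_block:
            if s in ("", ".") or s.startswith("["):
                in_block = False
                continue
            m = MULTI_SZ_RE.match(s)
            if m:
                groups[m.group(1).lower()] = m.group(2).strip()
    return groups


def parse_notify(log: str) -> List[Tuple[str, str]]:
    """Return (package name, dll) pairs for each Winlogon Notify key ComboFix lists."""
    entries = []
    lines = [l.strip() for l in log.splitlines()]
    for i, s in enumerate(lines):
        m = NOTIFY_RE.search(s)
        if m and i + 1 < len(lines) and lines[i + 1] not in ("", "."):
            entries.append((m.group(1), lines[i + 1].split()[0]))
    return entries


def audit(log: str, known_groups=KNOWN_SVCHOST_GROUPS) -> List[str]:
    """Produce review findings for svchost-hosted services and Notify packages."""
    findings = []
    groups = parse_svchost_groups(log)
    known = {g.lower() for g in known_groups}
    for svc in parse_services(log):
        m = SVCHOST_RE.search(svc["image"])
        if not m:
            continue  # not hosted by svchost; outside this check's scope
        group = m.group(1).lower()
        listed = groups.get(group, "")
        if group not in known:
            findings.append(
                f"{svc['name']} ({svc['display']!r}) is hosted by svchost group '{group}', "
                f"which is not a known group; registered members: {listed or 'none'}")
        elif not re.search(r"\b" + re.escape(svc["name"]) + r"\b", listed, re.IGNORECASE):
            findings.append(f"{svc['name']} claims -k {group} but is not registered under that group")
    for name, dll in parse_notify(log):
        findings.append(
            f"Winlogon Notify package '{name}' loads {dll}; ComboFix omits default entries, so review it")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print("REVIEW:", finding)
```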


#9 erzherzog
  • Topic Starter
  • Members
  • 11 posts

Posted 02 September 2011 - 05:36 AM

ComboFix 11-09-01.03 - Owner 09/01/2011 22:36:47.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3326.2658 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: Bitdefender Antivirus *Disabled/Updated* {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: Bitdefender Firewall *Enabled* {4055920F-2E99-48A8-A270-4243D2B8F242}
.
file zipped: c:\windows\system32\c_42352.nl_
file zipped: c:\windows\system32\termsw32.dll
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Owner\Application Data\8714B5917A571BBF7C22FFD9274EB379
c:\documents and settings\Owner\Application Data\8714B5917A571BBF7C22FFD9274EB379\enemies-names.txt
c:\documents and settings\Owner\Application Data\8714B5917A571BBF7C22FFD9274EB379\local.ini
c:\documents and settings\Owner\Application Data\Adobe\plugs
c:\documents and settings\Owner\Application Data\Adobe\shed
c:\documents and settings\Owner\Application Data\Dealio
c:\documents and settings\Owner\Application Data\Dealio\res\widgets.xml
c:\documents and settings\Owner\Application Data\Dealio\temp\http___www_dealio_com_rss_coupons-deals_dotd_.xml
c:\documents and settings\Owner\My Documents\iexplorer.exe
c:\windows\system32\c_42352.nl_
c:\windows\system32\termsw32.dll
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_TERMSERVICES
-------\Service_TermServices
.
.
((((((((((((((((((((((((( Files Created from 2011-08-02 to 2011-09-02 )))))))))))))))))))))))))))))))
.
.
2011-09-01 21:31 . 2011-08-28 12:36 75264 -c--a-w- c:\windows\system32\dllcache\ipsec.sys
2011-09-01 21:31 . 2011-08-28 12:36 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2011-09-01 21:22 . 2011-09-01 21:22 -------- d-----w- c:\documents and settings\Administrator
2011-08-20 17:16 . 2011-08-20 17:16 9484 ----a-w- c:\windows\look.bat
2011-08-20 17:16 . 2011-08-20 17:16 -------- d-----w- c:\windows\maxdrive
2011-08-16 18:22 . 2009-03-18 21:35 26176 ---ha-w- c:\windows\system32\hamachi.sys
2011-08-16 18:22 . 2011-08-16 18:22 -------- d-----w- c:\program files\LogMeIn Hamachi
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-29 19:23 . 2008-04-14 12:00 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2011-08-27 21:57 . 2008-04-14 12:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-08-26 00:59 . 2008-04-14 12:00 64512 ----a-w- c:\windows\system32\drivers\serial.sys
2011-07-06 23:52 . 2011-07-10 03:16 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 23:52 . 2011-07-10 03:16 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-29 23:19 . 2011-05-29 23:20 704282 ----a-w- c:\program files\unins000.exe
.
.
((((((((((((((((((((((((((((( SnapShot@2011-09-01_21.54.18 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-09-02 02:46 . 2011-09-02 02:46 16384 c:\windows\Temp\Perflib_Perfdata_71c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-23 16804864]
"SoundMan"="SOUNDMAN.EXE" [2008-06-18 77824]
"AlcWzrd"="ALCWZRD.EXE" [2008-06-19 2808832]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-01-07 13880424]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-01-25 421160]
"LogMeIn Hamachi Ui"="c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe" [2011-08-04 1955208]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-11-18 275072]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\termsvces]
termew32.dll [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeEnC2.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeTray.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\universe at war earth assault\\LaunchUAW.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\men of war red tide\\redtide.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\the witcher enhanced edition\\System\\witcher.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\the witcher enhanced edition\\System\\djinni!.exe"=
"c:\\Program Files\\Steam\\steamapps\\tvirusoutbreak\\age of chivalry\\hl2.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 1942\\BF1942.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\empire total war\\Empire.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\il 2 sturmovik 1946\\il2fb.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\company of heroes\\RelicDownloader\\RelicDownloader.exe"=
"c:\\WINDOWS\\system32\\dxdiag.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Sierra\\Empire Earth\\Empire Earth.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\morrowind\\Morrowind Launcher.exe"=
"c:\\Program Files\\Square Enix\\Batman Arkham Asylum GOTY\\Binaries\\ShippingPC-BmGame.exe"=
"c:\\Program Files\\Paradox Interactive\\Europa Universalis - Rome\\RomeGame.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\Paradox Interactive\\Europa Universalis III\\eu3game.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\theatre of war ii kursk 1943\\Kursk1943.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\theatre of war 2 africa 1943\\Africa1943.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\theatre of war 2 africa 1943\\options.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\theatre of war\\tow.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\theatre of war\\towsetup.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\theatre of war\\MissionEditor\\Editor.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\theatre of war\\MissionEditor\\MissionGen.exe"=
"c:\\Program Files\\ComicRack\\ComicRack.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\universe at war earth assault\\UAWEA.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Aspyr\\Men of War\\mow.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\battlefield 2\\BF2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\battlefield 2\\support\\EA Help\\Electronic_Arts_Technical_Support.htm"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Wolfenstein - Enemy Territory\\ET.exe"=
"c:\\Program Files\\Aspyr\\Men of War\\mow_mp.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\silent hunters wolves of the pacific\\sh4.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\company of heroes\\RelicCOH.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\arma 2\\arma2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\magicka\\Magicka.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\killingfloor\\System\\KillingFloor.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\men of war assault squad\\mow_assault_squad.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\red orchestra\\System\\RedOrchestra.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\supreme commander 2\\bin\\SupremeCommander2.exe"=
.
R2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [8/4/2011 2:34 PM 1361288]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [6/2/2008 5:16 PM 86792]
R3 MSHUSBVideo;NX6000/NX3000/VX5000/VX5500/VX2000/VX7000 Filter Driver;c:\windows\system32\drivers\nx6000.sys [12/26/2009 11:42 PM 30560]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/19/2010 11:19 PM 135664]
S2 LicCtrlService;LicCtrl Service;c:\windows\runservice.exe --> c:\windows\runservice.exe [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/19/2010 11:19 PM 135664]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
bdx REG_MULTI_SZ scan
HPService REG_MULTI_SZ HPSLPSVC
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-20 03:19]
.
2011-09-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-20 03:19]
.
2010-01-04 c:\windows\Tasks\Microsoft_Hardware_Launch_LifeExp_exe.job
- c:\program files\Microsoft LifeCam\LifeExp.exe [2009-03-17 20:24]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = about:blank
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Settings,ProxyOverride = <local>;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\l8b1qdi3.default\
FF - prefs.js: browser.startup.homepage - hxxp://wikipedia.org/
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: GameFOX: {6dd0bdba-0a02-429e-b595-87a7dfdca7a1} - %profile%\extensions\{6dd0bdba-0a02-429e-b595-87a7dfdca7a1}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-01 22:47
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1390067357-527237240-1417001333-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:9b,2f,f5,d3,9a,6d,04,c2,6f,77,e6,69,f6,76,83,0f,43,a0,fe,68,96,76,dc,
4f,74,cf,f8,05,32,1d,7f,d8,c4,eb,92,0b,60,5c,71,50,79,1a,0e,d2,e5,59,8f,f7,\
"??"=hex:87,ea,ed,11,0e,0a,a8,cb,5e,df,1e,c9,83,50,6b,48
.
[HKEY_USERS\S-1-5-21-1390067357-527237240-1417001333-1003\Software\SecuROM\License information*]
"datasecu"=hex:ae,c2,05,fa,9e,f2,dd,fc,8e,e4,7d,b2,5a,6f,80,27,19,8b,37,25,fc,
25,c4,e9,71,1a,e3,a2,ed,75,aa,dd,2a,f6,07,ac,ce,3b,b9,be,10,95,74,d8,4f,f1,\
"rkeysecu"=hex:e2,ee,a1,b5,e4,44,d1,d4,b9,6a,a6,b8,22,36,76,f2
.
[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \D25BC253F035D347]
"1"=hex:6a,0b,56,13,c1,93,dc,9c,fb,61,a2,a0,e4,ff,91,20,60,bf,2f,c2,35,91,ae,
25
"2"=hex:fb,e6,50,7f,41,f4,51,a7,7f,ec,2d,f9,42,45,3a,02,3a,b7,45,15,3f,9d,8b,
c3
"3"=hex:6a,0b,56,13,c1,93,dc,9c,fb,61,a2,a0,e4,ff,91,20,5d,f5,58,d1,21,e0,48,
8b,38,57,44,9c,4e,8d,78,88,fd,f1,01,9d,86,d8,b5,cb,d9,bf,23,55,4a,bb,31,1f
.
[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \D25BC253F035D347\198D4574A2BCA7D4BA51871F57EEA50C]
"1"=hex:b0,57,4a,e6,b6,28,dc,b1,d4,b3,12,05,d7,ea,a1,55,83,90,50,9b,f1,d7,47,
8a,64,3a,d9,c4,e6,aa,fc,b0
"2"=hex:ff,46,a9,cd,53,d2,ef,98
"3"=hex:56,2c,a3,35,39,a2,c4,ed,ab,80,62,80,34,7e,21,fe,c1,f7,60,0c,7d,60,45,
5d,02,66,91,8d,5d,79,3e,9e,8c,b8,e9,5d,7d,70,39,69,04,2f,f2,78,91,fa,77,b8,\
"4"=hex:2f,ad,a2,e7,8a,bf,05,5e
"5"=hex:bf,e5,23,7b,b0,66,d6,fc,b8,e8,6b,a0,96,52,f7,32,80,09,8f,24,b7,b3,55,
1a,98,d1,47,16,02,43,61,1c,b9,d5,8f,2a,7b,81,b1,fb,95,22,f8,b3,2c,53,9d,ae,\
"6"=hex:b0,57,4a,e6,b6,28,dc,b1,d4,b3,12,05,d7,ea,a1,55,83,90,50,9b,f1,d7,47,
8a,b1,a7,a6,92,c1,bd,03,11,24,42,63,25,d3,91,33,ac,33,a7,da,f0,3b,f7,80,6d,\
"7"=hex:58,eb,3b,8d,af,31,32,62,45,fe,2a,f0,ac,22,d0,33,a4,31,52,95,51,16,0b,
60,24,b1,58,9f,ed,64,45,cb,db,0f,ba,92,11,d1,bc,91,54,86,2e,97,ce,5d,8f,8d,\
"8"=hex:9d,9e,b2,b9,a7,a5,f4,ae,4d,29,c2,a3,c0,78,c4,c5,2e,4e,96,8c,7e,a3,52,
64,b7,5a,c6,8b,d8,dd,90,06,46,e7,74,06,e1,ab,e4,80,2e,9b,e9,e1,49,06,fc,b2,\
"9"=hex:81,20,8f,ab,28,6a,52,9c
"18"=hex:d0,71,12,cb,08,b7,a7,d6
"10"=hex:81,20,8f,ab,28,6a,52,9c
"11"=hex:81,20,8f,ab,28,6a,52,9c
"12"=hex:72,ef,ed,b4,0b,f9,08,74,6a,e9,98,24,12,b2,26,a1,dc,5b,87,5c,40,76,14,
4c,1c,50,7e,c6,eb,41,c2,af,bc,28,08,32,1f,2a,f3,43,a4,f7,21,a3,ec,5c,1c,b2,\
"13"=hex:b6,e5,50,43,12,c6,01,e1,c4,da,b9,bc,7f,53,2e,9a,ac,c7,33,f8,91,62,1f,
0b,98,83,b9,3c,3b,98,8e,b5,b7,60,9c,64,a2,90,90,3f
"14"=hex:37,e1,d3,73,c6,56,a2,87,8f,41,42,b5,d8,48,ab,7e
"24"=hex:81,20,8f,ab,28,6a,52,9c
"26"=hex:81,20,8f,ab,28,6a,52,9c
"27"=hex:81,20,8f,ab,28,6a,52,9c
"19"=hex:51,b6,73,aa,7a,2b,b3,8c,b6,e5,63,f5,c1,a2,d3,17
"22"=hex:81,20,8f,ab,28,6a,52,9c
"15"=hex:03,a8,42,ff,62,a5,e9,76,a0,97,2a,d8,c1,8d,97,66,35,e8,d4,dd,00,96,ec,
9d,7c,9c,56,45,a0,77,cb,85,8a,06,14,6b,20,df,46,6d,2a,03,dd,86,33,7f,c9,89,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3328)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\RTHDCPL.EXE
c:\windows\SOUNDMAN.EXE
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft LifeCam\MSCamS32.exe
c:\program files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
c:\program files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\msiexec.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\MsiExec.exe
.
**************************************************************************
.
Completion time: 2011-09-01 22:50:26 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-02 02:50
ComboFix2.txt 2011-09-01 21:58
.
Pre-Run: 279,058,751,488 bytes free
Post-Run: 279,164,747,776 bytes free
.
- - End Of File - - 06D36341CC394BCE2962600CAE9434BA
Upload was successful

Virustotal link:

http://www.virustotal.com/file-scan/report.html?id=5999b39242283cd803319aadca171cccc6e2a40fb2fafa51b1d29f3ff2dd8d6c-1314958833

#10 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:05:31 AM

Posted 02 September 2011 - 03:08 PM

Hi

Please do the following:

Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • Press Start Scan
    • Only if Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)



NEXT



  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run, type Notepad, click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

File::
c:\windows\system32\termew32.dll

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\termsvces]


Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop; save it as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
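CatByte's CFScript tells ComboFix to delete termew32.dll and the winlogon notify key it registered, and the log ComboFix writes afterwards is what the helper reads next. The following is an added example, not code from this thread, from ComboFix or from Kaspersky's TDSSKiller: a small Python parser for the ComboFix log format seen in this thread, run over a few constructed sample lines in that format, that pulls out the items a responder checks first. It collects the "Other Deletions" entries, anything ComboFix marked "is infected!!", newly created files, the bytes freed between Pre-Run and Post-Run, and any path that names an NTFS alternate data stream (a second colon inside the file name, as in the c:\windows\2088078439:2557708931.exe entry that appears in the logs here, a favourite hiding place for rootkit droppers). The section headers, date layout and attribute column are assumed to follow the shape visible in the posted logs.

```python
import re

# Constructed sample lines in the ComboFix log format this thread uses;
# this is not a copy of the poster's log.
SAMPLE_LOG = r"""ComboFix 11-09-02.04 - Owner 09/03/2011 8:52.3.2 - x86
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\defender.exe
c:\windows\system32\_000006_.tmp.dll
.
c:\windows\2088078439:2557708931.exe . . . is infected!!
.
((((((((((((((((((((((((( Files Created from 2011-08-03 to 2011-09-03 )))))))))))))))))))))))))))))))
.
2011-09-02 12:45 . 2011-09-02 12:45 4194304 ----a-w- c:\windows\system32\yicididr.dll
2011-08-20 17:16 . 2011-08-20 17:16 -------- d-----w- c:\windows\maxdrive
.
Pre-Run: 279,058,751,488 bytes free
Post-Run: 279,164,747,776 bytes free
"""

# Section banners look like "((((( Other Deletions )))))"
SECTION_RE = re.compile(r"^\(+\s*(.*?)\s*\)+$")
PATH_RE = re.compile(r"^[a-z]:\\", re.IGNORECASE)
INFECTED_RE = re.compile(r"^(?P<path>.+?) \. \. \. is infected!!$")
# "created . modified size attrs path"; directories show "--------" as size
CREATED_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>-{8}|\d+) (?P<attrs>\S{8}) (?P<path>.+)$"
)
FREE_RE = re.compile(r"^(Pre|Post)-Run: ([\d,]+) bytes free$")


def has_alternate_data_stream(path):
    """True if the last path component contains a colon.

    The only legitimate colon in a Windows path is the one after the
    drive letter; a colon inside the file name addresses an NTFS
    alternate data stream hidden behind an ordinary-looking name.
    """
    tail = path[2:] if PATH_RE.match(path) else path
    last = tail.rsplit("\\", 1)[-1]
    return ":" in last


def parse_combofix_log(text):
    """Split a ComboFix log into the items worth a second look."""
    report = {
        "deletions": [],   # paths listed under "Other Deletions"
        "infected": [],    # paths ComboFix flagged as infected
        "ads_paths": [],   # any path naming an alternate data stream
        "created": [],     # (created, attrs, path) from "Files Created"
        "free_bytes": {},  # Pre/Post free-space figures
    }
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":      # ComboFix pads with lone dots
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = FREE_RE.match(line)
        if m:
            report["free_bytes"][m.group(1)] = int(m.group(2).replace(",", ""))
            continue
        m = INFECTED_RE.match(line)
        if m:
            path = m.group("path")
            report["infected"].append(path)
        elif section and section.startswith("Files Created"):
            m = CREATED_RE.match(line)
            if not m:
                continue
            path = m.group("path")
            report["created"].append((m.group("created"), m.group("attrs"), path))
        elif section == "Other Deletions" and PATH_RE.match(line):
            path = line
            report["deletions"].append(path)
        else:
            continue
        if has_alternate_data_stream(path):
            report["ads_paths"].append(path)
    return report


def freed_bytes(report):
    """Bytes freed between ComboFix's Pre-Run and Post-Run measurements."""
    free = report["free_bytes"]
    return free.get("Post", 0) - free.get("Pre", 0)


if __name__ == "__main__":
    result = parse_combofix_log(SAMPLE_LOG)
    for key in ("infected", "ads_paths", "deletions", "created"):
        print(f"{key}: {result[key]}")
    print(f"freed: {freed_bytes(result)} bytes")
```

The alternate-data-stream check is the useful part: the stream name in c:\windows\2088078439:2557708931.exe is what was actually executing in the process list at the top of the thread, and a plain directory listing will not show it, so catching the colon in a log or in a process path is often the first visible sign of this family. Everything else is bookkeeping so the responder can compare deletions and newly created files across the two ComboFix runs.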


#11 erzherzog

erzherzog
  • Topic Starter

  • Members
  • 11 posts
  • Local time:04:31 AM

Posted 03 September 2011 - 08:08 AM

TDSS didn't find anything at all; then again, Google hadn't been redirecting for a couple of days either.

ComboFix says my Bitdefender firewall is enabled, but Bitdefender says it is not. I am so confused on that one.

And the log:

ComboFix 11-09-02.04 - Owner 09/03/2011 8:52.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3326.2741 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: Bitdefender Antivirus *Disabled/Updated* {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: Bitdefender Firewall *Enabled* {4055920F-2E99-48A8-A270-4243D2B8F242}
.
FILE ::
"c:\windows\system32\termew32.dll"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\defender.exe
c:\windows\assembly\GAC_MSIL\desktop.ini
c:\windows\system32\_000006_.tmp.dll
c:\windows\system32\_000007_.tmp.dll
.
c:\windows\2088078439:2557708931.exe . . . is infected!!
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_678c757c
.
.
((((((((((((((((((((((((( Files Created from 2011-08-03 to 2011-09-03 )))))))))))))))))))))))))))))))
.
.
2011-09-03 12:43 . 2011-09-03 12:43 -------- d-----w- c:\windows\LastGood.Tmp
2011-09-02 12:45 . 2011-09-02 12:45 4194304 ----a-w- c:\windows\system32\yicididr.dll
2011-09-01 21:31 . 2011-08-28 12:36 75264 -c--a-w- c:\windows\system32\dllcache\ipsec.sys
2011-09-01 21:31 . 2011-08-28 12:36 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2011-09-01 21:22 . 2011-09-01 21:22 -------- d-----w- c:\documents and settings\Administrator
2011-08-20 17:16 . 2011-08-20 17:16 9484 ----a-w- c:\windows\look.bat
2011-08-20 17:16 . 2011-08-20 17:16 -------- d-----w- c:\windows\maxdrive
2011-08-16 18:22 . 2009-03-18 21:35 26176 ---ha-w- c:\windows\system32\hamachi.sys
2011-08-16 18:22 . 2011-08-16 18:22 -------- d-----w- c:\program files\LogMeIn Hamachi
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-29 19:23 . 2008-04-14 12:00 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2011-08-27 21:57 . 2008-04-14 12:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-08-26 00:59 . 2008-04-14 12:00 64512 ----a-w- c:\windows\system32\drivers\serial.sys
2011-07-15 13:29 . 2008-04-14 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2008-04-14 12:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-06 23:52 . 2011-07-10 03:16 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 23:52 . 2011-07-10 03:16 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-24 14:10 . 2009-12-27 02:11 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-21 18:18 . 2008-04-14 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2011-06-21 18:18 . 2008-04-14 12:00 667136 ----a-w- c:\windows\system32\wininet.dll
2011-06-21 18:18 . 2008-04-14 12:00 61952 ----a-w- c:\windows\system32\tdc.ocx
2011-06-21 12:58 . 2008-04-14 12:00 369664 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44 . 2008-04-14 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-05-29 23:19 . 2011-05-29 23:20 704282 ----a-w- c:\program files\unins000.exe
.
.
((((((((((((((((((((((((((((( SnapShot@2011-09-01_21.54.18 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-09-03 12:46 . 2011-09-03 12:46 21880 c:\windows\WinSxS\MSIL_Microsoft.Workflow.Compiler_31bf3856ad364e35_4.0.0.0_x-ww_97359ba5\Microsoft.Workflow.Compiler.exe
- 2011-01-03 18:58 . 2011-01-03 18:58 21880 c:\windows\WinSxS\MSIL_Microsoft.Workflow.Compiler_31bf3856ad364e35_4.0.0.0_x-ww_97359ba5\Microsoft.Workflow.Compiler.exe
+ 2011-09-03 13:03 . 2011-09-03 13:03 16384 c:\windows\Temp\Perflib_Perfdata_110.dat
+ 2008-04-14 12:00 . 2011-06-21 18:18 37888 c:\windows\system32\url.dll
- 2008-04-14 12:00 . 2008-04-14 12:00 37888 c:\windows\system32\url.dll
- 2008-04-14 12:00 . 2011-06-30 00:42 83802 c:\windows\system32\perfc009.dat
+ 2008-04-14 12:00 . 2011-09-03 12:51 83802 c:\windows\system32\perfc009.dat
+ 2008-04-14 12:00 . 2011-06-21 18:18 37888 c:\windows\system32\dllcache\url.dll
- 2008-04-14 12:00 . 2008-04-14 12:00 37888 c:\windows\system32\dllcache\url.dll
+ 2008-04-14 12:00 . 2011-07-08 14:02 10496 c:\windows\system32\dllcache\ndistapi.sys
+ 2008-04-14 12:00 . 2011-06-21 18:18 81920 c:\windows\system32\dllcache\ieencode.dll
- 2008-04-14 12:00 . 2011-04-25 14:47 81920 c:\windows\system32\dllcache\ieencode.dll
- 2008-04-14 12:00 . 2010-12-09 14:30 33280 c:\windows\system32\dllcache\csrsrv.dll
+ 2008-04-14 12:00 . 2011-04-26 11:07 33280 c:\windows\system32\dllcache\csrsrv.dll
- 2008-04-14 12:00 . 2010-12-09 14:30 33280 c:\windows\system32\csrsrv.dll
+ 2008-04-14 12:00 . 2011-04-26 11:07 33280 c:\windows\system32\csrsrv.dll
+ 2011-09-03 12:46 . 2011-09-03 12:46 97624 c:\windows\Microsoft.NET\assembly\GAC_MSIL\XamlBuildTask\v4.0_4.0.0.0__31bf3856ad364e35\XamlBuildTask.dll
- 2011-01-03 18:58 . 2011-01-03 18:58 97624 c:\windows\Microsoft.NET\assembly\GAC_MSIL\XamlBuildTask\v4.0_4.0.0.0__31bf3856ad364e35\XamlBuildTask.dll
- 2011-01-03 18:58 . 2011-01-03 18:58 29544 c:\windows\Microsoft.NET\assembly\GAC_MSIL\System.Xaml.Hosting\v4.0_4.0.0.0__31bf3856ad364e35\System.Xaml.Hosting.dll
+ 2011-09-03 12:46 . 2011-09-03 12:46 29544 c:\windows\Microsoft.NET\assembly\GAC_MSIL\System.Xaml.Hosting\v4.0_4.0.0.0__31bf3856ad364e35\System.Xaml.Hosting.dll
- 2011-01-03 18:58 . 2011-01-03 18:58 70040 c:\windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms.DataVisualization.Design\v4.0_4.0.0.0__31bf3856ad364e35\System.Windows.Forms.DataVisualization.Design.dll
+ 2011-09-03 12:46 . 2011-09-03 12:46 70040 c:\windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms.DataVisualization.Design\v4.0_4.0.0.0__31bf3856ad364e35\System.Windows.Forms.DataVisualization.Design.dll
+ 2011-09-03 12:46 . 2011-09-03 12:46 24928 c:\windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Routing\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Routing.dll
- 2011-01-03 18:58 . 2011-01-03 18:58 24928 c:\windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Routing\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Routing.dll
- 2011-01-03 18:58 . 2011-01-03 18:58 81272 c:\windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.RegularExpressions\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
+ 2011-09-03 12:46 . 2011-09-03 12:46 81272 c:\windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.RegularExpressions\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
- 2011-01-03 18:58 . 2011-01-03 18:58 33144 c:\windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.DynamicData.Design\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.DynamicData.Design.dll
+ 2011-09-03 12:46 . 2011-09-03 12:46 33144 c:\windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.DynamicData.Design\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.DynamicData.Design.dll
+ 2011-09-03 12:46 . 2011-09-03 12:46 93576 c:\windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.DataVisualization.Design\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.DataVisualization.Design.dll
- 2011-01-03 18:58 . 2011-01-03 18:58 93576 c:\windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.DataVisualization.Design\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.DataVisualization.Design.dll
- 2011-01-03 18:58 . 2011-01-03 18:58 24944 c:\windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Abstractions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Abstractions.dll
+ 2011-09-03 12:46 . 2011-09-03 12:46 24944 c:\windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Abstractions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Abstractions.dll
- 2011-01-03 18:58 . 2011-01-03 18:58 28024 c:\windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.WasHosting\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.WasHosting.dll
+ 2011-09-03 12:46 . 2011-09-03 12:46 28024 c:\windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.WasHosting\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.WasHosting.dll
+ 2011-09-03 12:46 . 2011-09-03 12:46 12168 c:\windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.ServiceMoniker40\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.ServiceMoniker40.dll
- 2011-01-03 18:58 . 2011-01-03 18:58 12168 c:\windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.ServiceMoniker40\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.ServiceMoniker40.dll
- 2011-01-03 18:58 . 2011-01-03 18:58 95592 c:\windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Caching\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Runtime.Caching.dll
+ 2011-09-03 12:46 . 2011-09-03 12:46 95592 c:\windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Caching\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Runtime.Caching.dll
- 2011-01-03 18:58 . 2011-01-03 18:58 86888 c:\windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing.Design\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
+ 2011-09-03 12:46 . 2011-09-03 12:46 86888 c:\windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing.Design\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
+ 2011-09-03 12:46 . 2011-09-03 12:46 21880 c:\windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Workflow.Compiler\v4.0_4.0.0.0__31bf3856ad364e35\Microsoft.Workflow.Compiler.exe
+ 2011-09-03 12:46 . 2011-09-03 12:46 40304 c:\windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualC.STLCLR\v4.0_2.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.STLCLR.dll
- 2011-01-03 18:58 . 2011-01-03 18:58 40304 c:\windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualC.STLCLR\v4.0_2.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.STLCLR.dll
+ 2011-09-03 12:46 . 2011-09-03 12:46 67968 c:\windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build.Conversion.v4.0\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Conversion.v4.0.dll
- 2011-01-03 18:58 . 2011-01-03 18:58 67968 c:\windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build.Conversion.v4.0\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Conversion.v4.0.dll
+ 2011-09-03 13:00 . 2011-09-03 13:00 37888 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Pres#\343c52b741531ce9ae874ea7508831a7\System.Windows.Presentation.ni.dll
+ 2011-09-03 13:00 . 2011-09-03 13:00 36864 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.DynamicD#\246110974e3c48733458819b07464b23\System.Web.DynamicData.Design.ni.dll
+ 2011-09-03 12:59 . 2011-09-03 12:59 94208 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ComponentMod#\ace861fe8dbf146c3e449abaa7691e9f\System.ComponentModel.DataAnnotations.ni.dll
+ 2011-09-03 12:52 . 2011-09-03 12:52 47104 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFontCac#\40ee65aacd9d7472cd6f8dddbfca604b\PresentationFontCache.ni.exe
+ 2011-09-03 12:54 . 2011-09-03 12:54 39424 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationCFFRast#\12c424eed7ee0e9c017bf72ff09eb78c\PresentationCFFRasterizer.ni.dll
+ 2011-09-03 13:00 . 2011-09-03 13:00 55296 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Vsa\f9c514544c8e23220493cd42a0e20678\Microsoft.Vsa.ni.dll
- 2011-06-30 00:42 . 2011-06-30 00:42 77824 c:\windows\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
+ 2011-09-03 12:49 . 2011-09-03 12:49 77824 c:\windows\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
- 2011-06-30 00:42 . 2011-06-30 00:42 81920 c:\windows\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
+ 2011-09-03 12:49 . 2011-09-03 12:49 81920 c:\windows\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
+ 2011-09-03 12:50 . 2011-09-03 12:50 81920 c:\windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
- 2011-06-30 00:42 . 2011-06-30 00:42 81920 c:\windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
+ 2011-09-03 12:49 . 2011-09-03 12:49 32768 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
- 2011-06-30 00:42 . 2011-06-30 00:42 32768 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
+ 2011-09-03 12:49 . 2011-09-03 12:49 12800 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
- 2011-06-30 00:42 . 2011-06-30 00:42 12800 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
+ 2011-09-03 12:49 . 2011-09-03 12:49 28672 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
- 2011-06-30 00:42 . 2011-06-30 00:42 28672 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
- 2011-06-30 00:42 . 2011-06-30 00:42 77824 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
+ 2011-09-03 12:50 . 2011-09-03 12:50 77824 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
- 2011-06-30 00:42 . 2011-06-30 00:42 36864 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
+ 2011-09-03 12:49 . 2011-09-03 12:49 36864 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
+ 2011-09-03 12:49 . 2011-09-03 12:49 77824 c:\windows\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
- 2011-06-30 00:42 . 2011-06-30 00:42 77824 c:\windows\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
- 2011-06-30 00:42 . 2011-06-30 00:42 13312 c:\windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
+ 2011-09-03 12:49 . 2011-09-03 12:49 13312 c:\windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
- 2011-06-30 00:42 . 2011-06-30 00:42 10752 c:\windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
+ 2011-09-03 12:49 . 2011-09-03 12:49 10752 c:\windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
+ 2011-09-03 12:49 . 2011-09-03 12:49 72192 c:\windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
- 2011-06-30 00:42 . 2011-06-30 00:42 72192 c:\windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
- 2011-06-30 00:42 . 2011-06-30 00:42 69120 c:\windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
+ 2011-09-03 12:49 . 2011-09-03 12:49 69120 c:\windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
- 2011-06-30 00:42 . 2011-06-30 00:42 8192 c:\windows\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e\IEExecRemote.dll
+ 2011-09-03 12:49 . 2011-09-03 12:49 8192 c:\windows\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e\IEExecRemote.dll
- 2011-06-30 00:42 . 2011-06-30 00:42 7168 c:\windows\assembly\GAC_MSIL\Microsoft_VsaVb\8.0.0.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll
+ 2011-09-03 12:49 . 2011-09-03 12:49 7168 c:\windows\assembly\GAC_MSIL\Microsoft_VsaVb\8.0.0.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll
- 2011-06-30 00:42 . 2011-06-30 00:42 5632 c:\windows\assembly\GAC_MSIL\Microsoft.VisualC\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll
+ 2011-09-03 12:50 . 2011-09-03 12:50 5632 c:\windows\assembly\GAC_MSIL\Microsoft.VisualC\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll
+ 2011-09-03 12:49 . 2011-09-03 12:49 6656 c:\windows\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll
- 2011-06-30 00:42 . 2011-06-30 00:42 6656 c:\windows\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll
+ 2011-09-03 12:49 . 2011-09-03 12:49 8192 c:\windows\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\IEExecRemote.dll
- 2011-06-30 00:42 . 2011-06-30 00:42 113664 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.Wrapper.dll
+ 2011-09-03 12:49 . 2011-09-03 12:49 113664 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.Wrapper.dll
+ 2011-09-03 12:49 . 2011-09-03 12:49 258048 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll
- 2011-06-30 00:42 . 2011-06-30 00:42 258048 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll
+ 2008-04-14 12:00 . 2011-06-21 18:18 633344 c:\windows\system32\urlmon.dll
+ 2008-04-14 12:00 . 2011-09-03 12:51 493384 c:\windows\system32\perfh009.dat
- 2008-04-14 12:00 . 2011-06-30 00:42 493384 c:\windows\system32\perfh009.dat
- 2008-04-14 12:00 . 2011-04-25 14:47 532480 c:\windows\system32\mstime.dll
+ 2008-04-14 12:00 . 2011-06-21 18:18 532480 c:\windows\system32\mstime.dll
+ 2008-04-14 12:00 . 2011-06-21 18:18 449536 c:\windows\system32\mshtmled.dll
- 2008-04-14 12:00 . 2011-04-25 14:47 449536 c:\windows\system32\mshtmled.dll
+ 2008-04-14 12:00 . 2011-06-21 18:18 251904 c:\windows\system32\iepeers.dll
- 2008-04-14 12:00 . 2011-04-25 14:47 251904 c:\windows\system32\iepeers.dll
- 2009-12-26 20:00 . 2011-04-14 19:35 147608 c:\windows\system32\FNTCACHE.DAT
+ 2009-12-26 20:00 . 2011-09-03 13:03 147608 c:\windows\system32\FNTCACHE.DAT
+ 2008-04-14 12:00 . 2011-06-20 17:44 293376 c:\windows\system32\dllcache\winsrv.dll
- 2008-04-14 12:00 . 2010-06-18 17:45 293376 c:\windows\system32\dllcache\winsrv.dll
+ 2008-04-14 12:00 . 2011-06-21 18:18 667136 c:\windows\system32\dllcache\wininet.dll
- 2008-04-14 12:00 . 2011-04-25 14:47 667136 c:\windows\system32\dllcache\wininet.dll
+ 2008-04-14 12:00 . 2011-06-21 18:18 633344 c:\windows\system32\dllcache\urlmon.dll
+ 2009-12-27 02:11 . 2011-06-24 14:10 139656 c:\windows\system32\dllcache\rdpwd.sys
- 2009-12-27 02:11 . 2008-04-14 12:00 139656 c:\windows\system32\dllcache\rdpwd.sys
- 2008-04-14 12:00 . 2011-04-25 14:47 532480 c:\windows\system32\dllcache\mstime.dll
+ 2008-04-14 12:00 . 2011-06-21 18:18 532480 c:\windows\system32\dllcache\mstime.dll
- 2008-04-14 12:00 . 2011-04-25 14:47 449536 c:\windows\system32\dllcache\mshtmled.dll
+ 2008-04-14 12:00 . 2011-06-21 18:18 449536 c:\windows\system32\dllcache\mshtmled.dll
- 2011-01-03 16:33 . 2011-04-29 16:19 456320 c:\windows\system32\dllcache\mrxsmb.sys
+ 2011-01-03 16:33 . 2011-07-15 13:29 456320 c:\windows\system32\dllcache\mrxsmb.sys
- 2008-04-14 12:00 . 2011-04-25 14:47 251904 c:\windows\system32\dllcache\iepeers.dll
+ 2008-04-14 12:00 . 2011-06-21 18:18 251904 c:\windows\system32\dllcache\iepeers.dll
+ 2011-09-03 12:46 . 2011-09-03 12:46 431984 c:\windows\Microsoft.NET\assembly\GAC_MSIL\System.WorkflowServices\v4.0_4.0.0.0__31bf3856ad364e35\System.WorkflowServices.dll
- 2011-01-03 18:58 . 2011-01-03 18:58 431984 c:\windows\Microsoft.NET\assembly\GAC_MSIL\System.WorkflowServices\v4.0_4.0.0.0__31bf3856ad364e35\System.WorkflowServices.dll
+ 2011-09-03 12:46 . 2011-09-03 12:46 511344 c:\windows\Microsoft.NET\assembly\GAC_MSIL\System.Workflow.Runtime\v4.0_4.0.0.0__31bf3856ad364e35\System.Workflow.Runtime.dll
- 2011-01-03 18:58 . 2011-01-03 18:58 511344 c:\windows\Microsoft.NET\assembly\GAC_MSIL\System.Workflow.Runtime\v4.0_4.0.0.0__31bf3856ad364e35\System.Workflow.Runtime.dll
- 2011-01-03 18:58 . 2011-01-03 18:58 826208 c:\windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Mobile\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
+ 2011-09-03 12:46 . 2011-09-03 12:46 826208 c:\windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Mobile\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
+ 2011-09-03 12:46 . 2011-09-03 12:46 321912 c:\windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions.Design\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.Design.dll
- 2011-01-03 18:58 . 2011-01-03 18:58 321912 c:\windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions.Design\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.Design.dll
+ 2011-09-03 12:46 . 2011-09-03 12:46 137568 c:\windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Entity\v4.0_4.0.0.0__b77a5c561934e089\System.Web.Entity.dll
- 2011-01-03 18:58 . 2011-01-03 18:58 137568 c:\windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Entity\v4.0_4.0.0.0__b77a5c561934e089\System.Web.Entity.dll
+ 2011-09-03 12:46 . 2011-09-03 12:46 132464 c:\windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Entity.Design\v4.0_4.0.0.0__b77a5c561934e089\System.Web.Entity.Design.dll
- 2011-01-03 18:58 . 2011-01-03 18:58 132464 c:\windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Entity.Design\v4.0_4.0.0.0__b77a5c561934e089\System.Web.Entity.Design.dll
+ 2011-09-03 12:46 . 2011-09-03 12:46 237928 c:\windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.DynamicData\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.DynamicData.dll
- 2011-01-03 18:58 . 2011-01-03 18:58 237928 c:\windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.DynamicData\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.DynamicData.dll
- 2011-01-03 18:58 . 2011-01-03 18:58 316272 c:\windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Web\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Web.dll
+ 2011-09-03 12:46 . 2011-09-03 12:46 316272 c:\windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Web\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Web.dll
- 2011-01-03 18:58 . 2011-01-03 18:58 170872 c:\windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Activation\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Activation.dll
+ 2011-09-03 12:46 . 2011-09-03 12:46 170872 c:\windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Activation\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Activation.dll
+ 2011-09-03 12:46 . 2011-09-03 12:46 683368 c:\windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.Services\v4.0_4.0.0.0__b77a5c561934e089\System.Data.Services.dll
- 2011-01-03 18:58 . 2011-01-03 18:58 683368 c:\windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.Services\v4.0_4.0.0.0__b77a5c561934e089\System.Data.Services.dll
+ 2011-09-03 12:46 . 2011-09-03 12:46 178040 c:\windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.Services.Design\v4.0_4.0.0.0__b77a5c561934e089\System.Data.Services.Design.dll
- 2011-01-03 18:58 . 2011-01-03 18:58 178040 c:\windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.Services.Design\v4.0_4.0.0.0__b77a5c561934e089\System.Data.Services.Design.dll
- 2011-01-03 18:58 . 2011-01-03 18:58 804720 c:\windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.Entity.Design\v4.0_4.0.0.0__b77a5c561934e089\System.Data.Entity.Design.dll
+ 2011-09-03 12:46 . 2011-09-03 12:46 804720 c:\windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.Entity.Design\v4.0_4.0.0.0__b77a5c561934e089\System.Data.Entity.Design.dll
- 2011-01-03 18:58 . 2011-01-03 18:58 587624 c:\windows\Microsoft.NET\assembly\GAC_MSIL\PresentationBuildTasks\v4.0_4.0.0.0__31bf3856ad364e35\PresentationBuildTasks.dll
+ 2011-09-03 12:46 . 2011-09-03 12:46 587624 c:\windows\Microsoft.NET\assembly\GAC_MSIL\PresentationBuildTasks\v4.0_4.0.0.0__31bf3856ad364e35\PresentationBuildTasks.dll
- 2011-01-03 18:58 . 2011-01-03 18:58 220024 c:\windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build.Utilities.v4.0\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.v4.0.dll
+ 2011-09-03 12:46 . 2011-09-03 12:46 220024 c:\windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build.Utilities.v4.0\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.v4.0.dll
- 2011-01-03 18:58 . 2011-01-03 18:58 107376 c:\windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build.Framework\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
+ 2011-09-03 12:46 . 2011-09-03 12:46 107376 c:\windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build.Framework\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
+ 2011-09-03 12:46 . 2011-09-03 12:46 714600 c:\windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build.Engine\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll
- 2011-01-03 18:58 . 2011-01-03 18:58 714600 c:\windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build.Engine\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll
- 2011-01-03 18:58 . 2011-01-03 18:58 498520 c:\windows\Microsoft.NET\assembly\GAC_MSIL\AspNetMMCExt\v4.0_4.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll
+ 2011-09-03 12:46 . 2011-09-03 12:46 498520 c:\windows\Microsoft.NET\assembly\GAC_MSIL\AspNetMMCExt\v4.0_4.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll
- 2011-01-03 18:58 . 2011-01-03 18:58 495984 c:\windows\Microsoft.NET\assembly\GAC_32\System.Data.OracleClient\v4.0_4.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll
+ 2011-09-03 12:46 . 2011-09-03 12:46 495984 c:\windows\Microsoft.NET\assembly\GAC_32\System.Data.OracleClient\v4.0_4.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll
- 2011-01-03 16:33 . 2011-04-29 16:19 456320 c:\windows\Driver Cache\i386\mrxsmb.sys
+ 2011-01-03 16:33 . 2011-07-15 13:29 456320 c:\windows\Driver Cache\i386\mrxsmb.sys
+ 2011-09-03 13:01 . 2011-09-03 13:01 646656 c:\windows\assembly\NativeImages_v4.0.30319_32\System.Transactions\0df91adfb9c0e51b7b967d61e8151b78\System.Transactions.ni.dll
- 2011-06-30 10:19 . 2011-06-30 10:19 646656 c:\windows\assembly\NativeImages_v4.0.30319_32\System.Transactions\0df91adfb9c0e51b7b967d61e8151b78\System.Transactions.ni.dll
- 2011-06-30 10:19 . 2011-06-30 10:19 236032 c:\windows\assembly\NativeImages_v4.0.30319_32\System.EnterpriseSe#\401ca9defa4213be5372532a2754d50d\System.EnterpriseServices.Wrapper.dll
+ 2011-09-03 13:01 . 2011-09-03 13:01 236032 c:\windows\assembly\NativeImages_v4.0.30319_32\System.EnterpriseSe#\401ca9defa4213be5372532a2754d50d\System.EnterpriseServices.Wrapper.dll
- 2011-06-30 10:19 . 2011-06-30 10:19 786944 c:\windows\assembly\NativeImages_v4.0.30319_32\System.EnterpriseSe#\401ca9defa4213be5372532a2754d50d\System.EnterpriseServices.ni.dll
+ 2011-09-03 13:01 . 2011-09-03 13:01 786944 c:\windows\assembly\NativeImages_v4.0.30319_32\System.EnterpriseSe#\401ca9defa4213be5372532a2754d50d\System.EnterpriseServices.ni.dll
+ 2011-09-03 13:00 . 2011-09-03 13:00 474624 c:\windows\assembly\NativeImages_v4.0.30319_32\ComSvcConfig\8e0296bb72bc508991212f4c60a493a0\ComSvcConfig.ni.exe
- 2011-06-30 10:19 . 2011-06-30 10:19 474624 c:\windows\assembly\NativeImages_v4.0.30319_32\ComSvcConfig\8e0296bb72bc508991212f4c60a493a0\ComSvcConfig.ni.exe
+ 2011-09-03 12:59 . 2011-09-03 12:59 321536 c:\windows\assembly\NativeImages_v2.0.50727_32\WsatConfig\cc14c69205b984edba1db26fd5e421ac\WsatConfig.ni.exe
+ 2011-09-03 12:56 . 2011-09-03 12:56 240128 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsFormsIntegra#\39ce0c9c9cc294c0ee26c4ff01522961\WindowsFormsIntegration.ni.dll
+ 2011-09-03 12:56 . 2011-09-03 12:56 447488 c:\windows\assembly\NativeImages_v2.0.50727_32\UIAutomationClient\431e918aee8da919f5b9e3a5195ccf93\UIAutomationClient.ni.dll
+ 2011-09-03 13:00 . 2011-09-03 13:00 400896 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Xml.Linq\946eefb99bc116ee68e0e7c69a5a8a5c\System.Xml.Linq.ni.dll
+ 2011-09-03 13:00 . 2011-09-03 13:00 129536 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Routing\a82eef3128b9527dc05b3c8667e713bc\System.Web.Routing.ni.dll
+ 2011-09-03 12:56 . 2011-09-03 12:56 202240 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.RegularE#\203c148c913357bfc2ae9d209101f2b3\System.Web.RegularExpressions.ni.dll
+ 2011-09-03 13:00 . 2011-09-03 13:00 859648 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Extensio#\f89fe39468ea6faf71c4257c89cf3c54\System.Web.Extensions.Design.ni.dll
+ 2011-09-03 13:00 . 2011-09-03 13:00 328704 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Entity\2314ff800782dc85224e69e802a073f7\System.Web.Entity.ni.dll
+ 2011-09-03 13:00 . 2011-09-03 13:00 301056 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Entity.D#\f690a8f5d784a5bb20f2cbaa7277eb6c\System.Web.Entity.Design.ni.dll
+ 2011-09-03 13:00 . 2011-09-03 13:00 547328 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.DynamicD#\c5c96400424b85536443623f96f64581\System.Web.DynamicData.ni.dll
+ 2011-09-03 13:00 . 2011-09-03 13:00 141312 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Abstract#\5f8e87b47465a038403e73012c6d102a\System.Web.Abstractions.ni.dll
+ 2011-09-03 12:55 . 2011-09-03 12:55 627200 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Transactions\846dd505f97805f00999ee26aec9bf75\System.Transactions.ni.dll
+ 2011-09-03 12:52 . 2011-09-03 12:52 212992 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\70a1400affdc775d7c7398e036359286\System.ServiceProcess.ni.dll
+ 2011-09-03 12:53 . 2011-09-03 12:53 679936 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Security\de9cd25ccb24bcf8a0316756e766721f\System.Security.ni.dll
+ 2011-09-03 12:53 . 2011-09-03 12:53 311296 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Seri#\21248037960cf6dfa2ce401d355bd6c9\System.Runtime.Serialization.Formatters.Soap.ni.dll
+ 2011-09-03 12:55 . 2011-09-03 12:55 771584 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\b7e0214a811f81e09041864081139641\System.Runtime.Remoting.ni.dll
+ 2011-09-03 13:00 . 2011-09-03 13:00 621056 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Net\480ea914e13fe41cdd8fb542bb1f7e81\System.Net.ni.dll
+ 2011-09-03 13:00 . 2011-09-03 13:00 593408 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Messaging\18a7efd299665b8bfa0d0dc6701343c6\System.Messaging.ni.dll
+ 2011-09-03 12:59 . 2011-09-03 12:59 998400 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Management\6e563a58e6fc0117070d5b8fd59e4e1b\System.Management.ni.dll
+ 2011-09-03 12:59 . 2011-09-03 12:59 330752 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Management.I#\dc72c7581f1b3794c0ea595ba02ff7ad\System.Management.Instrumentation.ni.dll
+ 2011-09-03 12:58 . 2011-09-03 12:58 381440 c:\windows\assembly\NativeImages_v2.0.50727_32\System.IO.Log\fcf8612a210d1f76e0b37dc8467b4696\System.IO.Log.ni.dll
+ 2011-09-03 12:58 . 2011-09-03 12:58 212992 c:\windows\assembly\NativeImages_v2.0.50727_32\System.IdentityMode#\ec017b5a95d02fccaefd835490ef1e14\System.IdentityModel.Selectors.ni.dll
+ 2011-09-03 12:55 . 2011-09-03 12:55 280064 c:\windows\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\75f452279422a7898e840ee5768c9d2e\System.EnterpriseServices.Wrapper.dll
+ 2011-09-03 12:55 . 2011-09-03 12:55 627712 c:\windows\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\75f452279422a7898e840ee5768c9d2e\System.EnterpriseServices.ni.dll
+ 2011-09-03 12:56 . 2011-09-03 12:56 208384 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Drawing.Desi#\f7cd3d07c15366b76fe4c38d24455d6b\System.Drawing.Design.ni.dll
+ 2011-09-03 12:59 . 2011-09-03 12:59 881152 c:\windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\822c996e6ad4901219b7de399a6f78bf\System.DirectoryServices.AccountManagement.ni.dll
+ 2011-09-03 12:56 . 2011-09-03 12:56 455680 c:\windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\1ffe911e62f482e42be2c4428bd08c10\System.DirectoryServices.Protocols.ni.dll
+ 2011-09-03 12:59 . 2011-09-03 12:59 354816 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Service#\e1c009b2c9becdb732a2ea45f32a46b8\System.Data.Services.Design.ni.dll
+ 2011-09-03 12:59 . 2011-09-03 12:59 939008 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Service#\1defd94e1662a4478ccf2cd0b1b4e6a6\System.Data.Services.Client.ni.dll
+ 2011-09-03 12:59 . 2011-09-03 12:59 756736 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Entity.#\04267c1dbdcdd8ec37e1518126767ead\System.Data.Entity.Design.ni.dll
+ 2011-09-03 12:59 . 2011-09-03 12:59 135680 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.DataSet#\f2a6d41b3f6e26eea6dcac9298aa637b\System.Data.DataSetExtensions.ni.dll
+ 2011-09-03 12:52 . 2011-09-03 12:52 971264 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\77df2cd21a5b85a1605b335aa9ad9d44\System.Configuration.ni.dll
+ 2011-09-03 12:53 . 2011-09-03 12:53 141312 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Configuratio#\585e68739b2a8aff61ee6b2786513245\System.Configuration.Install.ni.dll
+ 2011-09-03 12:59 . 2011-09-03 12:59 633856 c:\windows\assembly\NativeImages_v2.0.50727_32\System.AddIn\fbf6ef12d1456058acde29f2640092fb\System.AddIn.ni.dll
+ 2011-09-03 12:59 . 2011-09-03 12:59 366080 c:\windows\assembly\NativeImages_v2.0.50727_32\SMSvcHost\896e42071939e038008b0bbbfed1213c\SMSvcHost.ni.exe
+ 2011-09-03 12:58 . 2011-09-03 12:58 256000 c:\windows\assembly\NativeImages_v2.0.50727_32\SMDiagnostics\ca07e9cf488af1290d2340d682574a24\SMDiagnostics.ni.dll
+ 2011-09-03 12:58 . 2011-09-03 12:58 320512 c:\windows\assembly\NativeImages_v2.0.50727_32\ServiceModelReg\a5aa977dd575a6beb3a416bd480b98a7\ServiceModelReg.ni.exe
+ 2011-09-03 12:56 . 2011-09-03 12:56 224768 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\f52e48f55258d0a04fbab3a1f93752e9\PresentationFramework.Classic.ni.dll
+ 2011-09-03 12:56 . 2011-09-03 12:56 368128 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\cf812b99f587ab514afb36fa9d4c1567\PresentationFramework.Aero.ni.dll
+ 2011-09-03 12:56 . 2011-09-03 12:56 539648 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\b7795999cc67f3a6cec40f5b24005e00\PresentationFramework.Luna.ni.dll
+ 2011-09-03 12:56 . 2011-09-03 12:56 258048 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\09f5af61ea2af04eb32c04b3091ffc86\PresentationFramework.Royale.ni.dll
+ 2011-09-03 12:59 . 2011-09-03 12:59 133632 c:\windows\assembly\NativeImages_v2.0.50727_32\MSBuild\2d89c7b72bc8e527b26d5b6f3b931012\MSBuild.ni.exe
+ 2011-09-03 12:58 . 2011-09-03 12:58 386560 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Transacti#\39e9d172f0cf5eec30b1b67212cc032b\Microsoft.Transactions.Bridge.Dtc.ni.dll
+ 2011-09-03 12:54 . 2011-09-03 12:54 144384 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Uti#\f1b0ec3ccde9142e67ac681fb521ac66\Microsoft.Build.Utilities.ni.dll
+ 2011-09-03 12:59 . 2011-09-03 12:59 175104 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Uti#\9250f038410f0d6432e3ccb0b046862b\Microsoft.Build.Utilities.v3.5.ni.dll
+ 2011-09-03 12:59 . 2011-09-03 12:59 839680 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Eng#\a4672179aba638cd78bdfe268391b47b\Microsoft.Build.Engine.ni.dll
+ 2011-09-03 12:59 . 2011-09-03 12:59 222720 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Con#\37db660a84ee52b61a7ca55812581bbd\Microsoft.Build.Conversion.v3.5.ni.dll
+ 2011-09-03 12:58 . 2011-09-03 12:58 410112 c:\windows\assembly\NativeImages_v2.0.50727_32\ComSvcConfig\fe9a21b94803f74697bb42b9d1fdea5b\ComSvcConfig.ni.exe
+ 2011-09-03 12:58 . 2011-09-03 12:58 842240 c:\windows\assembly\NativeImages_v2.0.50727_32\AspNetMMCExt\f160c8e40b60edd47ae74b0b911fece1\AspNetMMCExt.ni.dll
+ 2011-09-03 12:49 . 2011-09-03 12:49 839680 c:\windows\assembly\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\System.Web.Services.dll
- 2011-06-30 00:42 . 2011-06-30 00:42 839680 c:\windows\assembly\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\System.Web.Services.dll
+ 2011-09-03 12:49 . 2011-09-03 12:49 835584 c:\windows\assembly\GAC_MSIL\System.Web.Mobile\2.0.0.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
- 2011-06-30 00:42 . 2011-06-30 00:42 835584 c:\windows\assembly\GAC_MSIL\System.Web.Mobile\2.0.0.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
+ 2011-09-03 12:49 . 2011-09-03 12:49 114688 c:\windows\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
- 2011-06-30 00:42 . 2011-06-30 00:42 114688 c:\windows\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
- 2011-06-30 00:42 . 2011-06-30 00:42 258048 c:\windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll
+ 2011-09-03 12:49 . 2011-09-03 12:49 258048 c:\windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll
- 2011-06-30 00:42 . 2011-06-30 00:42 131072 c:\windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
+ 2011-09-03 12:49 . 2011-09-03 12:49 131072 c:\windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
- 2011-06-30 00:42 . 2011-06-30 00:42 303104 c:\windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
+ 2011-09-03 12:49 . 2011-09-03 12:49 303104 c:\windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
+ 2011-09-03 12:49 . 2011-09-03 12:49 258048 c:\windows\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll
- 2011-06-30 00:42 . 2011-06-30 00:42 258048 c:\windows\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll
+ 2011-09-03 12:50 . 2011-09-03 12:50 372736 c:\windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
- 2011-06-30 00:42 . 2011-06-30 00:42 372736 c:\windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
+ 2011-09-03 12:49 . 2011-09-03 12:49 626688 c:\windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
- 2011-06-30 00:42 . 2011-06-30 00:42 626688 c:\windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
+ 2011-09-03 12:49 . 2011-09-03 12:49 401408 c:\windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
- 2011-06-30 00:42 . 2011-06-30 00:42 401408 c:\windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
+ 2011-09-03 12:49 . 2011-09-03 12:49 188416 c:\windows\assembly\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll
- 2011-06-30 00:42 . 2011-06-30 00:42 188416 c:\windows\assembly\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll
+ 2011-09-03 12:50 . 2011-09-03 12:50 970752 c:\windows\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
- 2011-06-30 00:42 . 2011-06-30 00:42 970752 c:\windows\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
- 2011-06-30 00:42 . 2011-06-30 00:42 745472 c:\windows\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
+ 2011-09-03 12:50 . 2011-09-03 12:50 745472 c:\windows\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
- 2011-06-30 00:42 . 2011-06-30 00:42 425984 c:\windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll
+ 2011-09-03 12:50 . 2011-09-03 12:50 425984 c:\windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll
+ 2011-09-03 12:50 . 2011-09-03 12:50 110592 c:\windows\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll
- 2011-06-30 00:42 . 2011-06-30 00:42 110592 c:\windows\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll
+ 2011-09-03 12:49 . 2011-09-03 12:49 659456 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
- 2011-06-30 00:42 . 2011-06-30 00:42 659456 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
+ 2011-09-03 12:49 . 2011-09-03 12:49 372736 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll
- 2011-06-30 00:42 . 2011-06-30 00:42 372736 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll
- 2011-06-30 00:42 . 2011-06-30 00:42 110592 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll
+ 2011-09-03 12:49 . 2011-09-03 12:49 110592 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll
+ 2011-09-03 12:49 . 2011-09-03 12:49 749568 c:\windows\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
- 2011-06-30 00:42 . 2011-06-30 00:42 749568 c:\windows\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
+ 2011-09-03 12:49 . 2011-09-03 12:49 655360 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll
- 2011-06-30 00:42 . 2011-06-30 00:42 655360 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll
- 2011-06-30 00:42 . 2011-06-30 00:42 348160 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll
+ 2011-09-03 12:49 . 2011-09-03 12:49 348160 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll
+ 2011-09-03 12:49 . 2011-09-03 12:49 507904 c:\windows\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll
- 2011-06-30 00:42 . 2011-06-30 00:42 507904 c:\windows\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll
+ 2011-09-03 12:49 . 2011-09-03 12:49 261632 c:\windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
- 2011-06-30 00:42 . 2011-06-30 00:42 261632 c:\windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
+ 2011-09-03 12:49 . 2011-09-03 12:49 113664 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll
+ 2011-09-03 12:49 . 2011-09-03 12:49 258048 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
- 2011-06-30 00:42 . 2011-06-30 00:42 486400 c:\windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll
+ 2011-09-03 12:50 . 2011-09-03 12:50 486400 c:\windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll
+ 2008-04-14 12:00 . 2011-06-02 14:02 1858944 c:\windows\system32\win32k.sys
- 2008-04-14 12:00 . 2011-04-25 14:47 1510400 c:\windows\system32\shdocvw.dll
+ 2008-04-14 12:00 . 2011-06-21 18:18 1510400 c:\windows\system32\shdocvw.dll
+ 2008-04-14 12:00 . 2011-06-27 14:43 3084800 c:\windows\system32\mshtml.dll
+ 2008-04-14 12:00 . 2011-06-02 14:02 1858944 c:\windows\system32\dllcache\win32k.sys
+ 2008-04-14 12:00 . 2011-06-21 18:18 1510400 c:\windows\system32\dllcache\shdocvw.dll
- 2008-04-14 12:00 . 2011-04-25 14:47 1510400 c:\windows\system32\dllcache\shdocvw.dll
+ 2008-04-14 12:00 . 2011-06-27 14:43 3084800 c:\windows\system32\dllcache\mshtml.dll
- 2008-04-14 12:00 . 2011-04-25 14:47 1025024 c:\windows\system32\dllcache\browseui.dll
+ 2008-04-14 12:00 . 2011-06-21 18:18 1025024 c:\windows\system32\dllcache\browseui.dll
- 2008-04-14 12:00 . 2011-04-25 14:47 1025024 c:\windows\system32\browseui.dll
+ 2008-04-14 12:00 . 2011-06-21 18:18 1025024 c:\windows\system32\browseui.dll
+ 2011-04-28 15:06 . 2011-04-28 15:06 1749880 c:\windows\Microsoft.NET\Framework\v4.0.30319\System.Web.DataVisualization.dll
- 2011-01-18 08:39 . 2011-01-18 08:39 3182592 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.dll
+ 2011-04-29 01:50 . 2011-04-29 01:50 3182592 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.dll
- 2011-01-03 18:58 . 2011-01-03 18:58 1587064 c:\windows\Microsoft.NET\assembly\GAC_MSIL\System.Workflow.ComponentModel\v4.0_4.0.0.0__31bf3856ad364e35\System.Workflow.ComponentModel.dll
+ 2011-09-03 12:46 . 2011-09-03 12:46 1587064 c:\windows\Microsoft.NET\assembly\GAC_MSIL\System.Workflow.ComponentModel\v4.0_4.0.0.0__31bf3856ad364e35\System.Workflow.ComponentModel.dll
- 2011-01-03 18:58 . 2011-01-03 18:58 1070960 c:\windows\Microsoft.NET\assembly\GAC_MSIL\System.Workflow.Activities\v4.0_4.0.0.0__31bf3856ad364e35\System.Workflow.Activities.dll
+ 2011-09-03 12:46 . 2011-09-03 12:46 1070960 c:\windows\Microsoft.NET\assembly\GAC_MSIL\System.Workflow.Activities\v4.0_4.0.0.0__31bf3856ad364e35\System.Workflow.Activities.dll
- 2011-01-03 18:58 . 2011-01-03 18:58 1836904 c:\windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll
+ 2011-09-03 12:46 . 2011-09-03 12:46 1836904 c:\windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll
+ 2011-09-03 12:46 . 2011-09-03 12:46 1749880 c:\windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.DataVisualization\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.DataVisualization.dll
- 2011-01-03 18:58 . 2011-01-03 18:58 5078360 c:\windows\Microsoft.NET\assembly\GAC_MSIL\System.Design\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Design.dll
+ 2011-09-03 12:46 . 2011-09-03 12:46 5078360 c:\windows\Microsoft.NET\assembly\GAC_MSIL\System.Design\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Design.dll
- 2011-01-03 18:58 . 2011-01-03 18:58 1327968 c:\windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.dll
+ 2011-09-03 12:46 . 2011-09-03 12:46 1327968 c:\windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.dll
- 2011-01-03 18:58 . 2011-01-03 18:58 1064816 c:\windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build.Tasks.v4.0\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.v4.0.dll
+ 2011-09-03 12:46 . 2011-09-03 12:46 1064816 c:\windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build.Tasks.v4.0\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.v4.0.dll
- 2011-01-03 18:58 . 2011-01-03 18:58 5176144 c:\windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll
+ 2011-09-03 12:46 . 2011-09-03 12:46 5176144 c:\windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll
+ 2011-05-02 04:06 . 2011-05-02 04:06 2705920 c:\windows\Installer\3873d.msp
+ 2011-04-28 21:51 . 2011-04-28 21:51 1375744 c:\windows\Installer\38737.msp
- 2011-06-30 00:39 . 2011-06-30 00:39 6798336 c:\windows\assembly\NativeImages_v4.0.30319_32\System.Data\6e6f321459aa81611031cfb582e77cc6\System.Data.ni.dll
+ 2011-09-03 13:01 . 2011-09-03 13:01 6798336 c:\windows\assembly\NativeImages_v4.0.30319_32\System.Data\6e6f321459aa81611031cfb582e77cc6\System.Data.ni.dll
+ 2011-09-03 13:01 . 2011-09-03 13:01 1193984 c:\windows\assembly\NativeImages_v4.0.30319_32\System.Data.OracleC#\b79b606f95f1a745c1068f4c3c794cab\System.Data.OracleClient.ni.dll
+ 2011-09-03 12:53 . 2011-09-03 12:53 3325440 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsBase\fd6e0cd6f124a6d041ef1b4c9a5f080b\WindowsBase.ni.dll
+ 2011-09-03 12:56 . 2011-09-03 12:56 1049600 c:\windows\assembly\NativeImages_v2.0.50727_32\UIAutomationClients#\162600dde59fbaa0c048a949158ecba3\UIAutomationClientsideProviders.ni.dll
+ 2011-09-03 12:52 . 2011-09-03 12:52 7950848 c:\windows\assembly\NativeImages_v2.0.50727_32\System\e6c79e1d71b0c9000afd7e5e439b5c54\System.ni.dll
+ 2011-09-03 12:53 . 2011-09-03 12:53 5450752 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Xml\10154dcad2d62f226af2fd4211460a4b\System.Xml.ni.dll
+ 2011-09-03 13:00 . 2011-09-03 13:00 1356288 c:\windows\assembly\NativeImages_v2.0.50727_32\System.WorkflowServ#\22229a30650a9afbac984e1093898b13\System.WorkflowServices.ni.dll
+ 2011-09-03 13:00 . 2011-09-03 13:00 1908224 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Run#\4d6b3cc1fc7a4788612241af7966715a\System.Workflow.Runtime.ni.dll
+ 2011-09-03 13:00 . 2011-09-03 13:00 4514304 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Com#\e4c9853af945c9cfede19f3faf18af6e\System.Workflow.ComponentModel.ni.dll
+ 2011-09-03 13:00 . 2011-09-03 13:00 2992640 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Act#\ab4b50c7c789e46a485903365765fde8\System.Workflow.Activities.ni.dll
+ 2011-09-03 12:55 . 2011-09-03 12:55 1840640 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Services\a2392c995b1bb6b63079091259222357\System.Web.Services.ni.dll
+ 2011-09-03 13:00 . 2011-09-03 13:00 2209280 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Mobile\3da92a0b9b8ac97e11ca8bf4df671a78\System.Web.Mobile.ni.dll
+ 2011-09-03 13:00 . 2011-09-03 13:00 2405376 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Extensio#\01f4d6aa3299a41b8578b7e96afdcfb1\System.Web.Extensions.ni.dll
+ 2011-09-03 13:00 . 2011-09-03 13:00 1917952 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Speech\e1208f0d981c420fc59f806bfbaa713b\System.Speech.ni.dll
+ 2011-09-03 13:00 . 2011-09-03 13:00 1706496 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceModel#\27e1b8dfd5e1ccf2c5b9efc51f674c69\System.ServiceModel.Web.ni.dll
+ 2011-09-03 12:58 . 2011-09-03 12:58 2345472 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Seri#\dece01bd9e9c32e47630fdfc78d3bd32\System.Runtime.Serialization.ni.dll
+ 2011-09-03 12:55 . 2011-09-03 12:55 1035776 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Printing\90b444d02047ef27921153d46967ef0e\System.Printing.ni.dll
+ 2011-09-03 12:58 . 2011-09-03 12:58 1070080 c:\windows\assembly\NativeImages_v2.0.50727_32\System.IdentityModel\a50e2fc92db32751857fb8d297f9d7bc\System.IdentityModel.ni.dll
+ 2011-09-03 12:53 . 2011-09-03 12:53 1587200 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\7ed09623172a292eaee51e2e3bcaf784\System.Drawing.ni.dll
+ 2011-09-03 12:55 . 2011-09-03 12:55 1116672 c:\windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\259ecf480769f4e60514b7ae2abaa6f1\System.DirectoryServices.ni.dll
+ 2011-09-03 12:53 . 2011-09-03 12:53 1801216 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Deployment\71cf3eb40fc38e6ac8fba09e872d2878\System.Deployment.ni.dll
+ 2011-09-03 12:55 . 2011-09-03 12:55 6616576 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data\db2d84e279807592a680ef4135e9fe9a\System.Data.ni.dll
+ 2011-09-03 12:53 . 2011-09-03 12:53 2510336 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.SqlXml\0b16305773369cf740c6a2b1f1d785b2\System.Data.SqlXml.ni.dll
+ 2011-09-03 12:59 . 2011-09-03 12:59 1328128 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Services\c1b9b8ce390548dcca661a5e6a908408\System.Data.Services.ni.dll
+ 2011-09-03 12:56 . 2011-09-03 12:56 1115136 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.OracleC#\c729750d54f6e7427230622bcccd4709\System.Data.OracleClient.ni.dll
+ 2011-09-03 12:56 . 2011-09-03 12:56 2516480 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Linq\571af34939797a7c1cd05b0b925a45bf\System.Data.Linq.ni.dll
+ 2011-09-03 12:59 . 2011-09-03 12:59 9924096 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Entity\afb4d5e8161d0129ba15c37de2461d8a\System.Data.Entity.ni.dll
+ 2011-09-03 12:56 . 2011-09-03 12:56 2295296 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Core\e54e013315849f5e34d8f2a8e7fdb450\System.Core.ni.dll
+ 2011-09-03 12:55 . 2011-09-03 12:55 2128896 c:\windows\assembly\NativeImages_v2.0.50727_32\ReachFramework\24ab0cacc77e8696ceff3157942a2de4\ReachFramework.ni.dll
+ 2011-09-03 12:55 . 2011-09-03 12:55 1657856 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationUI\fac1ca86f4fea17de40d7fdaba38563e\PresentationUI.ni.dll
+ 2011-09-03 12:54 . 2011-09-03 12:54 1451008 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationBuildTa#\c523412e6b11e7072f93bdd3ef24a479\PresentationBuildTasks.ni.dll
+ 2011-09-03 12:59 . 2011-09-03 12:59 1712128 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\c6b19db2534042d435ede580f92bc75c\Microsoft.VisualBasic.ni.dll
+ 2011-09-03 12:58 . 2011-09-03 12:58 1093120 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Transacti#\08594c4ba9ea0253a836fe1d8d341984\Microsoft.Transactions.Bridge.ni.dll
+ 2011-09-03 13:00 . 2011-09-03 13:00 2332160 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.JScript\345abd035c9378667b1cac54c1f21c97\Microsoft.JScript.ni.dll
+ 2011-09-03 12:59 . 2011-09-03 12:59 1966080 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Tas#\906cd5555b79e4e0486dc8ef2a748b13\Microsoft.Build.Tasks.v3.5.ni.dll
+ 2011-09-03 12:59 . 2011-09-03 12:59 1620992 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Tas#\7baff7d694394aaba490082c88d48fd2\Microsoft.Build.Tasks.ni.dll
+ 2011-09-03 12:59 . 2011-09-03 12:59 1888768 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Eng#\235a22e1ae9742bb724d411629dd99d5\Microsoft.Build.Engine.ni.dll
- 2011-06-30 00:42 . 2011-06-30 00:42 3182592 c:\windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
+ 2011-09-03 12:50 . 2011-09-03 12:50 3182592 c:\windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
- 2011-06-30 00:42 . 2011-06-30 00:42 2048000 c:\windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
+ 2011-09-03 12:50 . 2011-09-03 12:50 2048000 c:\windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
+ 2011-09-03 12:49 . 2011-09-03 12:49 5025792 c:\windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
- 2011-06-30 00:42 . 2011-06-30 00:42 5025792 c:\windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
+ 2011-09-03 12:49 . 2011-09-03 12:49 5062656 c:\windows\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll
- 2011-06-30 00:42 . 2011-06-30 00:42 5062656 c:\windows\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll
- 2011-06-30 00:42 . 2011-06-30 00:42 5242880 c:\windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
+ 2011-09-03 12:49 . 2011-09-03 12:49 5242880 c:\windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
+ 2011-09-03 12:50 . 2011-09-03 12:50 2933248 c:\windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
- 2011-06-30 00:42 . 2011-06-30 00:42 2933248 c:\windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
- 2011-06-30 00:42 . 2011-06-30 00:42 4550656 c:\windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
+ 2011-09-03 12:50 . 2011-09-03 12:50 4550656 c:\windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
+ 2011-09-03 12:53 . 2011-09-03 12:53 12430848 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d00cc387e462e4c3cdcd112b137cac87\System.Windows.Forms.ni.dll
+ 2011-09-03 12:55 . 2011-09-03 12:55 11800576 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web\40893760431f8f0dcce3e18630e45b23\System.Web.ni.dll
+ 2011-09-03 12:58 . 2011-09-03 12:58 17403904 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceModel\e3a0205acab2215fbad7927d9d483aeb\System.ServiceModel.ni.dll
+ 2011-09-03 12:56 . 2011-09-03 12:56 10683392 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Design\63ad0cd9b5e038c8e2e41415657db8fc\System.Design.ni.dll
+ 2011-09-03 12:54 . 2011-09-03 12:54 14328320 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\704556e34128441ea9f1a81cc89f8a79\PresentationFramework.ni.dll
+ 2011-09-03 12:54 . 2011-09-03 12:54 12215808 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationCore\5f332c48d03eca57419c4f0e884092ee\PresentationCore.ni.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-23 16804864]
"SoundMan"="SOUNDMAN.EXE" [2008-06-18 77824]
"AlcWzrd"="ALCWZRD.EXE" [2008-06-19 2808832]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-01-07 13880424]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-01-25 421160]
"LogMeIn Hamachi Ui"="c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe" [2011-08-04 1955208]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-11-18 275072]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeEnC2.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeTray.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\universe at war earth assault\\LaunchUAW.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\men of war red tide\\redtide.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\the witcher enhanced edition\\System\\witcher.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\the witcher enhanced edition\\System\\djinni!.exe"=
"c:\\Program Files\\Steam\\steamapps\\tvirusoutbreak\\age of chivalry\\hl2.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 1942\\BF1942.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\empire total war\\Empire.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\il 2 sturmovik 1946\\il2fb.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\company of heroes\\RelicDownloader\\RelicDownloader.exe"=
"c:\\WINDOWS\\system32\\dxdiag.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Sierra\\Empire Earth\\Empire Earth.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\morrowind\\Morrowind Launcher.exe"=
"c:\\Program Files\\Square Enix\\Batman Arkham Asylum GOTY\\Binaries\\ShippingPC-BmGame.exe"=
"c:\\Program Files\\Paradox Interactive\\Europa Universalis - Rome\\RomeGame.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\Paradox Interactive\\Europa Universalis III\\eu3game.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\theatre of war ii kursk 1943\\Kursk1943.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\theatre of war 2 africa 1943\\Africa1943.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\theatre of war 2 africa 1943\\options.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\theatre of war\\tow.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\theatre of war\\towsetup.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\theatre of war\\MissionEditor\\Editor.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\theatre of war\\MissionEditor\\MissionGen.exe"=
"c:\\Program Files\\ComicRack\\ComicRack.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\universe at war earth assault\\UAWEA.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Aspyr\\Men of War\\mow.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\battlefield 2\\BF2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\battlefield 2\\support\\EA Help\\Electronic_Arts_Technical_Support.htm"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Wolfenstein - Enemy Territory\\ET.exe"=
"c:\\Program Files\\Aspyr\\Men of War\\mow_mp.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\silent hunters wolves of the pacific\\sh4.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\company of heroes\\RelicCOH.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\arma 2\\arma2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\magicka\\Magicka.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\killingfloor\\System\\KillingFloor.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\men of war assault squad\\mow_assault_squad.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\red orchestra\\System\\RedOrchestra.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\supreme commander 2\\bin\\SupremeCommander2.exe"=
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]
R2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [8/4/2011 2:34 PM 1361288]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [6/2/2008 5:16 PM 86792]
R3 MSHUSBVideo;NX6000/NX3000/VX5000/VX5500/VX2000/VX7000 Filter Driver;c:\windows\system32\drivers\nx6000.sys [12/26/2009 11:42 PM 30560]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/19/2010 11:19 PM 135664]
S2 LicCtrlService;LicCtrl Service;c:\windows\runservice.exe --> c:\windows\runservice.exe [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/19/2010 11:19 PM 135664]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
bdx REG_MULTI_SZ scan
HPService REG_MULTI_SZ HPSLPSVC
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-20 03:19]
.
2011-09-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-20 03:19]
.
2010-01-04 c:\windows\Tasks\Microsoft_Hardware_Launch_LifeExp_exe.job
- c:\program files\Microsoft LifeCam\LifeExp.exe [2009-03-17 20:24]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = about:blank
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Settings,ProxyOverride = <local>;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\l8b1qdi3.default\
FF - prefs.js: browser.startup.homepage - hxxp://wikipedia.org/
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: GameFOX: {6dd0bdba-0a02-429e-b595-87a7dfdca7a1} - %profile%\extensions\{6dd0bdba-0a02-429e-b595-87a7dfdca7a1}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-37024074.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-03 09:05
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\windows\2088078439:2557708931.exe 816 bytes executable
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1390067357-527237240-1417001333-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:9b,2f,f5,d3,9a,6d,04,c2,6f,77,e6,69,f6,76,83,0f,43,a0,fe,68,96,76,dc,
4f,74,cf,f8,05,32,1d,7f,d8,c4,eb,92,0b,60,5c,71,50,79,1a,0e,d2,e5,59,8f,f7,\
"??"=hex:87,ea,ed,11,0e,0a,a8,cb,5e,df,1e,c9,83,50,6b,48
.
[HKEY_USERS\S-1-5-21-1390067357-527237240-1417001333-1003\Software\SecuROM\License information*]
"datasecu"=hex:ae,c2,05,fa,9e,f2,dd,fc,8e,e4,7d,b2,5a,6f,80,27,19,8b,37,25,fc,
25,c4,e9,71,1a,e3,a2,ed,75,aa,dd,2a,f6,07,ac,ce,3b,b9,be,10,95,74,d8,4f,f1,\
"rkeysecu"=hex:e2,ee,a1,b5,e4,44,d1,d4,b9,6a,a6,b8,22,36,76,f2
.
[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \D25BC253F035D347]
"1"=hex:6a,0b,56,13,c1,93,dc,9c,fb,61,a2,a0,e4,ff,91,20,60,bf,2f,c2,35,91,ae,
25
"2"=hex:fb,e6,50,7f,41,f4,51,a7,7f,ec,2d,f9,42,45,3a,02,3a,b7,45,15,3f,9d,8b,
c3
"3"=hex:6a,0b,56,13,c1,93,dc,9c,fb,61,a2,a0,e4,ff,91,20,5d,f5,58,d1,21,e0,48,
8b,38,57,44,9c,4e,8d,78,88,fd,f1,01,9d,86,d8,b5,cb,d9,bf,23,55,4a,bb,31,1f
.
[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \D25BC253F035D347\198D4574A2BCA7D4BA51871F57EEA50C]
"1"=hex:b0,57,4a,e6,b6,28,dc,b1,d4,b3,12,05,d7,ea,a1,55,83,90,50,9b,f1,d7,47,
8a,64,3a,d9,c4,e6,aa,fc,b0
"2"=hex:ff,46,a9,cd,53,d2,ef,98
"3"=hex:56,2c,a3,35,39,a2,c4,ed,ab,80,62,80,34,7e,21,fe,c1,f7,60,0c,7d,60,45,
5d,02,66,91,8d,5d,79,3e,9e,8c,b8,e9,5d,7d,70,39,69,04,2f,f2,78,91,fa,77,b8,\
"4"=hex:2f,ad,a2,e7,8a,bf,05,5e
"5"=hex:bf,e5,23,7b,b0,66,d6,fc,b8,e8,6b,a0,96,52,f7,32,80,09,8f,24,b7,b3,55,
1a,98,d1,47,16,02,43,61,1c,b9,d5,8f,2a,7b,81,b1,fb,95,22,f8,b3,2c,53,9d,ae,\
"6"=hex:b0,57,4a,e6,b6,28,dc,b1,d4,b3,12,05,d7,ea,a1,55,83,90,50,9b,f1,d7,47,
8a,b1,a7,a6,92,c1,bd,03,11,24,42,63,25,d3,91,33,ac,33,a7,da,f0,3b,f7,80,6d,\
"7"=hex:58,eb,3b,8d,af,31,32,62,45,fe,2a,f0,ac,22,d0,33,a4,31,52,95,51,16,0b,
60,24,b1,58,9f,ed,64,45,cb,db,0f,ba,92,11,d1,bc,91,54,86,2e,97,ce,5d,8f,8d,\
"8"=hex:9d,9e,b2,b9,a7,a5,f4,ae,4d,29,c2,a3,c0,78,c4,c5,2e,4e,96,8c,7e,a3,52,
64,b7,5a,c6,8b,d8,dd,90,06,46,e7,74,06,e1,ab,e4,80,2e,9b,e9,e1,49,06,fc,b2,\
"9"=hex:81,20,8f,ab,28,6a,52,9c
"18"=hex:d0,71,12,cb,08,b7,a7,d6
"10"=hex:81,20,8f,ab,28,6a,52,9c
"11"=hex:81,20,8f,ab,28,6a,52,9c
"12"=hex:72,ef,ed,b4,0b,f9,08,74,6a,e9,98,24,12,b2,26,a1,dc,5b,87,5c,40,76,14,
4c,1c,50,7e,c6,eb,41,c2,af,bc,28,08,32,1f,2a,f3,43,a4,f7,21,a3,ec,5c,1c,b2,\
"13"=hex:b6,e5,50,43,12,c6,01,e1,c4,da,b9,bc,7f,53,2e,9a,ac,c7,33,f8,91,62,1f,
0b,98,83,b9,3c,3b,98,8e,b5,b7,60,9c,64,a2,90,90,3f
"14"=hex:37,e1,d3,73,c6,56,a2,87,8f,41,42,b5,d8,48,ab,7e
"24"=hex:81,20,8f,ab,28,6a,52,9c
"26"=hex:81,20,8f,ab,28,6a,52,9c
"27"=hex:81,20,8f,ab,28,6a,52,9c
"19"=hex:51,b6,73,aa,7a,2b,b3,8c,b6,e5,63,f5,c1,a2,d3,17
"22"=hex:81,20,8f,ab,28,6a,52,9c
"15"=hex:03,a8,42,ff,62,a5,e9,76,a0,97,2a,d8,c1,8d,97,66,35,e8,d4,dd,00,96,ec,
9d,7c,9c,56,45,a0,77,cb,85,8a,06,14,6b,20,df,46,6d,2a,03,dd,86,33,7f,c9,89,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3000)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\RTHDCPL.EXE
c:\windows\SOUNDMAN.EXE
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft LifeCam\MSCamS32.exe
c:\program files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
c:\program files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\msiexec.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\MsiExec.exe
.
**************************************************************************
.
Completion time: 2011-09-03 09:06:53 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-03 13:06
ComboFix2.txt 2011-09-02 10:29
ComboFix3.txt 2011-09-01 21:58
.
Pre-Run: 277,812,891,648 bytes free
Post-Run: 277,960,990,720 bytes free
.
- - End Of File - - 6851A5FEED48AFD22E9B4D801DC47A8B

#12 CatByte

  • Malware Response Team

Posted 03 September 2011 - 03:32 PM

Hi

We still have a little more work to do, please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')


Collect::
c:\windows\system32\yicididr.dll

ADS::
c:\windows\2088078439

Rootkit::
c:\windows\2088078439:2557708931.exe 
c:\windows\2088078439

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop. Save it as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

[screenshot]
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT


  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

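The CFScript above removes c:\windows\2088078439:2557708931.exe, the file that the catchme scan in the previous log reported as the one hidden file and that the first DDS log showed running as a process. The tell in both logs is the second colon in the path: the payload lives in an NTFS alternate data stream attached to c:\windows\2088078439, so it never appears in an ordinary directory listing. The same ComboFix logs also show the Security Center and firewall policy values that rogue AV such as "Security Protection" flips to silence warnings (AntiVirusOverride=1, EnableFirewall=0, DisableNotifications=1). The Python script below is an added example, not a tool used in this thread and not part of ComboFix, DDS or catchme; it applies those two checks to log text. The sample log lines, the ADS regex and the "expected" registry values are assumptions constructed for the example.

```python
"""Triage helpers for ComboFix / DDS / catchme-style logs.

Added example, not a tool from the thread. Two heuristics that match what the
responder acted on here:
  1. a path carrying an NTFS alternate data stream (ADS): a second ':' after
     the drive letter, e.g. c:\\windows\\2088078439:2557708931.exe. A running
     process or "hidden file" whose image lives in an ADS is almost never
     legitimate on a consumer machine.
  2. Security Center / Windows Firewall policy values that rogue AV and
     similar malware flip so the user sees no warnings.
"""
import re

# Drive letter, backslash, a base path without spaces or colons, a second colon,
# then the stream name. Base paths containing spaces are deliberately not
# handled: ComboFix and catchme print ADS hits in this compact form, and
# allowing spaces would make "hamachi-2.exe [8/4/2011 2:34 PM]" look like an ADS.
_ADS_RE = re.compile(r'([A-Za-z]:\\[^:\s]*):([^\s:\\]+)')

# Matches both ComboFix spellings:  "Name"=dword:00000001   and   "Name"= 0 (0x0)
_REG_VALUE_RE = re.compile(
    r'^\s*"(?P<name>[^"]+)"\s*=\s*(?:dword:)?(?P<val>[0-9A-Fa-f]+)')

# Value each key has on a healthy XP install (assumption used by the heuristic;
# ComboFix only prints these keys when they differ from the default anyway).
_EXPECTED = {
    "AntiVirusOverride": 0,     # 1 = Security Center stops warning about AV state
    "EnableFirewall": 1,        # 0 = Windows Firewall off for this profile
    "DisableNotifications": 0,  # 1 = no balloon when the firewall is off
}


def find_ads_paths(log_text):
    """Return [(base_path, stream_name, source_line)] for every ADS reference."""
    hits = []
    for line in log_text.splitlines():
        for m in _ADS_RE.finditer(line):
            hits.append((m.group(1), m.group(2), line.strip()))
    return hits


def find_policy_tampering(log_text):
    """Return {value_name: observed_int} for Security Center / firewall values
    that deviate from _EXPECTED. Values are parsed as hex, as REGEDIT4 prints them."""
    bad = {}
    for line in log_text.splitlines():
        m = _REG_VALUE_RE.match(line)
        if not m or m.group("name") not in _EXPECTED:
            continue
        observed = int(m.group("val"), 16)
        if observed != _EXPECTED[m.group("name")]:
            bad[m.group("name")] = observed
    return bad


# Constructed sample in the shape of the DDS / ComboFix / catchme output posted
# in this thread, including the ADS the CFScript targets and one benign line
# with a time stamp that must not be mistaken for an ADS.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\2088078439:2557708931.exe
C:\WINDOWS\Explorer.EXE
R2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [8/4/2011 2:34 PM 1361288]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
c:\windows\2088078439:2557708931.exe 816 bytes executable
"""


def triage(log_text=SAMPLE_LOG):
    """Run both heuristics, print one line per finding and return the list."""
    report = []
    for base, stream, _ in find_ads_paths(log_text):
        report.append(f"ADS: {base} -> stream '{stream}'")
    for name, val in find_policy_tampering(log_text).items():
        report.append(f"policy: {name}={val} (expected {_EXPECTED[name]})")
    for item in report:
        print(item)
    return report


if __name__ == "__main__":
    triage()
```

Run as-is it reports the ADS twice (once from the process list, once from the catchme hidden-file line) and the three policy deviations; to check a real log, read the file and pass its text to triage(). The process-list hit is the more important of the two: catchme only proves the stream exists, whereas a process whose image path is an ADS is the rootkit's payload actually executing, which is why the CFScript lists the same path under both ADS:: and Rootkit::.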


#13 erzherzog

  • Topic Starter
  • Members

Posted 04 September 2011 - 12:08 PM

Combofix:

ComboFix 11-09-03.01 - Owner 09/04/2011 8:44.5.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3326.2679 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: Bitdefender Antivirus *Disabled/Updated* {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: Bitdefender Firewall *Enabled* {4055920F-2E99-48A8-A270-4243D2B8F242}
.
.
((((((((((((((((((((((((( Files Created from 2011-08-04 to 2011-09-04 )))))))))))))))))))))))))))))))
.
.
2011-09-01 21:31 . 2011-08-28 12:36 75264 -c--a-w- c:\windows\system32\dllcache\ipsec.sys
2011-09-01 21:31 . 2011-08-28 12:36 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2011-09-01 21:22 . 2011-09-01 21:22 -------- d-----w- c:\documents and settings\Administrator
2011-08-20 17:16 . 2011-08-20 17:16 9484 ----a-w- c:\windows\look.bat
2011-08-20 17:16 . 2011-08-20 17:16 -------- d-----w- c:\windows\maxdrive
2011-08-16 18:22 . 2009-03-18 21:35 26176 ---ha-w- c:\windows\system32\hamachi.sys
2011-08-16 18:22 . 2011-08-16 18:22 -------- d-----w- c:\program files\LogMeIn Hamachi
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-29 19:23 . 2008-04-14 12:00 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2011-08-27 21:57 . 2008-04-14 12:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-08-26 00:59 . 2008-04-14 12:00 64512 ----a-w- c:\windows\system32\drivers\serial.sys
2011-07-15 13:29 . 2008-04-14 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2008-04-14 12:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-06 23:52 . 2011-07-10 03:16 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 23:52 . 2011-07-10 03:16 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-24 14:10 . 2009-12-27 02:11 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-21 18:18 . 2008-04-14 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2011-06-21 18:18 . 2008-04-14 12:00 667136 ----a-w- c:\windows\system32\wininet.dll
2011-06-21 18:18 . 2008-04-14 12:00 61952 ----a-w- c:\windows\system32\tdc.ocx
2011-06-21 12:58 . 2008-04-14 12:00 369664 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44 . 2008-04-14 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-05-29 23:19 . 2011-05-29 23:20 704282 ----a-w- c:\program files\unins000.exe
.
.
((((((((((((((((((((((((((((( SnapShot_2011-09-03_13.03.23 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-09-04 12:53 . 2011-09-04 12:53 16384 c:\windows\Temp\Perflib_Perfdata_640.dat
- 2008-04-14 12:00 . 2010-11-03 13:12 46080 c:\windows\system32\tzchange.exe
+ 2008-04-14 12:00 . 2011-07-08 13:49 46080 c:\windows\system32\tzchange.exe
+ 2011-09-03 16:32 . 2011-09-03 16:32 711680 c:\windows\assembly\NativeImages_v4.0.30319_32\System.Web.DynamicD#\8374c8f256058ae7790d53419a66c014\System.Web.DynamicData.ni.dll
+ 2011-09-03 16:32 . 2011-09-03 16:32 259072 c:\windows\assembly\NativeImages_v4.0.30319_32\System.Web.DataVisu#\cf204c6fe5d6b8571709b0561ecff317\System.Web.DataVisualization.Design.ni.dll
- 2011-09-03 13:01 . 2011-09-03 13:01 646656 c:\windows\assembly\NativeImages_v4.0.30319_32\System.Transactions\0df91adfb9c0e51b7b967d61e8151b78\System.Transactions.ni.dll
+ 2011-09-03 16:35 . 2011-09-03 16:35 646656 c:\windows\assembly\NativeImages_v4.0.30319_32\System.Transactions\0df91adfb9c0e51b7b967d61e8151b78\System.Transactions.ni.dll
+ 2011-09-03 16:35 . 2011-09-03 16:35 236032 c:\windows\assembly\NativeImages_v4.0.30319_32\System.EnterpriseSe#\401ca9defa4213be5372532a2754d50d\System.EnterpriseServices.Wrapper.dll
- 2011-09-03 13:01 . 2011-09-03 13:01 236032 c:\windows\assembly\NativeImages_v4.0.30319_32\System.EnterpriseSe#\401ca9defa4213be5372532a2754d50d\System.EnterpriseServices.Wrapper.dll
+ 2011-09-03 16:35 . 2011-09-03 16:35 786944 c:\windows\assembly\NativeImages_v4.0.30319_32\System.EnterpriseSe#\401ca9defa4213be5372532a2754d50d\System.EnterpriseServices.ni.dll
- 2011-09-03 13:01 . 2011-09-03 13:01 786944 c:\windows\assembly\NativeImages_v4.0.30319_32\System.EnterpriseSe#\401ca9defa4213be5372532a2754d50d\System.EnterpriseServices.ni.dll
- 2011-06-30 10:19 . 2011-06-30 10:19 1895424 c:\windows\assembly\NativeImages_v4.0.30319_32\System.Web.Services\c313e0b2791a2924838c30459ff5f2af\System.Web.Services.ni.dll
+ 2011-09-03 16:34 . 2011-09-03 16:34 1895424 c:\windows\assembly\NativeImages_v4.0.30319_32\System.Web.Services\c313e0b2791a2924838c30459ff5f2af\System.Web.Services.ni.dll
+ 2011-09-03 16:31 . 2011-09-03 16:31 3101184 c:\windows\assembly\NativeImages_v4.0.30319_32\System.Web.Extensio#\cde2bf65e1d7dd62b2b94175776eb2dc\System.Web.Extensions.ni.dll
+ 2011-09-03 16:32 . 2011-09-03 16:32 4531712 c:\windows\assembly\NativeImages_v4.0.30319_32\System.Web.DataVisu#\adaa1d9288c8ba3d45371c5e9e914dfd\System.Web.DataVisualization.ni.dll
- 2011-09-03 13:01 . 2011-09-03 13:01 6798336 c:\windows\assembly\NativeImages_v4.0.30319_32\System.Data\6e6f321459aa81611031cfb582e77cc6\System.Data.ni.dll
+ 2011-09-03 16:35 . 2011-09-03 16:35 6798336 c:\windows\assembly\NativeImages_v4.0.30319_32\System.Data\6e6f321459aa81611031cfb582e77cc6\System.Data.ni.dll
+ 2011-09-03 16:34 . 2011-09-03 16:34 1193984 c:\windows\assembly\NativeImages_v4.0.30319_32\System.Data.OracleC#\b79b606f95f1a745c1068f4c3c794cab\System.Data.OracleClient.ni.dll
- 2011-09-03 13:01 . 2011-09-03 13:01 1193984 c:\windows\assembly\NativeImages_v4.0.30319_32\System.Data.OracleC#\b79b606f95f1a745c1068f4c3c794cab\System.Data.OracleClient.ni.dll
- 2011-06-30 10:19 . 2011-06-30 10:19 11993088 c:\windows\assembly\NativeImages_v4.0.30319_32\System.Web\b41d16c906e76aae419a021a293ee7ce\System.Web.ni.dll
+ 2011-09-03 16:34 . 2011-09-03 16:34 11993088 c:\windows\assembly\NativeImages_v4.0.30319_32\System.Web\b41d16c906e76aae419a021a293ee7ce\System.Web.ni.dll
- 2011-06-30 10:21 . 2011-06-30 10:21 17996800 c:\windows\assembly\NativeImages_v4.0.30319_32\System.ServiceModel\dc31b22f78cb510bf470f0ab5ef65816\System.ServiceModel.ni.dll
+ 2011-09-03 16:34 . 2011-09-03 16:34 17996800 c:\windows\assembly\NativeImages_v4.0.30319_32\System.ServiceModel\dc31b22f78cb510bf470f0ab5ef65816\System.ServiceModel.ni.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-23 16804864]
"SoundMan"="SOUNDMAN.EXE" [2008-06-18 77824]
"AlcWzrd"="ALCWZRD.EXE" [2008-06-19 2808832]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-01-07 13880424]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-01-25 421160]
"LogMeIn Hamachi Ui"="c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe" [2011-08-04 1955208]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-11-18 275072]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeEnC2.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeTray.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\universe at war earth assault\\LaunchUAW.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\men of war red tide\\redtide.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\the witcher enhanced edition\\System\\witcher.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\the witcher enhanced edition\\System\\djinni!.exe"=
"c:\\Program Files\\Steam\\steamapps\\tvirusoutbreak\\age of chivalry\\hl2.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 1942\\BF1942.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\empire total war\\Empire.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\il 2 sturmovik 1946\\il2fb.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\company of heroes\\RelicDownloader\\RelicDownloader.exe"=
"c:\\WINDOWS\\system32\\dxdiag.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Sierra\\Empire Earth\\Empire Earth.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\morrowind\\Morrowind Launcher.exe"=
"c:\\Program Files\\Square Enix\\Batman Arkham Asylum GOTY\\Binaries\\ShippingPC-BmGame.exe"=
"c:\\Program Files\\Paradox Interactive\\Europa Universalis - Rome\\RomeGame.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\Paradox Interactive\\Europa Universalis III\\eu3game.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\theatre of war ii kursk 1943\\Kursk1943.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\theatre of war 2 africa 1943\\Africa1943.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\theatre of war 2 africa 1943\\options.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\theatre of war\\tow.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\theatre of war\\towsetup.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\theatre of war\\MissionEditor\\Editor.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\theatre of war\\MissionEditor\\MissionGen.exe"=
"c:\\Program Files\\ComicRack\\ComicRack.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe"=
"c:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\universe at war earth assault\\UAWEA.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Aspyr\\Men of War\\mow.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\battlefield 2\\BF2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\battlefield 2\\support\\EA Help\\Electronic_Arts_Technical_Support.htm"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Wolfenstein - Enemy Territory\\ET.exe"=
"c:\\Program Files\\Aspyr\\Men of War\\mow_mp.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\silent hunters wolves of the pacific\\sh4.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\company of heroes\\RelicCOH.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\arma 2\\arma2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\magicka\\Magicka.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\killingfloor\\System\\KillingFloor.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\men of war assault squad\\mow_assault_squad.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\red orchestra\\System\\RedOrchestra.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\supreme commander 2\\bin\\SupremeCommander2.exe"=
.
R2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [8/4/2011 2:34 PM 1361288]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [6/2/2008 5:16 PM 86792]
R3 MSHUSBVideo;NX6000/NX3000/VX5000/VX5500/VX2000/VX7000 Filter Driver;c:\windows\system32\drivers\nx6000.sys [12/26/2009 11:42 PM 30560]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/19/2010 11:19 PM 135664]
S2 LicCtrlService;LicCtrl Service;c:\windows\runservice.exe --> c:\windows\runservice.exe [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/19/2010 11:19 PM 135664]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
bdx REG_MULTI_SZ scan
HPService REG_MULTI_SZ HPSLPSVC
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-20 03:19]
.
2011-09-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-20 03:19]
.
2010-01-04 c:\windows\Tasks\Microsoft_Hardware_Launch_LifeExp_exe.job
- c:\program files\Microsoft LifeCam\LifeExp.exe [2009-03-17 20:24]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = about:blank
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Settings,ProxyOverride = <local>;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\l8b1qdi3.default\
FF - prefs.js: browser.startup.homepage - hxxp://wikipedia.org/
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: GameFOX: {6dd0bdba-0a02-429e-b595-87a7dfdca7a1} - %profile%\extensions\{6dd0bdba-0a02-429e-b595-87a7dfdca7a1}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-04 08:54
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1390067357-527237240-1417001333-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:9b,2f,f5,d3,9a,6d,04,c2,6f,77,e6,69,f6,76,83,0f,43,a0,fe,68,96,76,dc,
4f,74,cf,f8,05,32,1d,7f,d8,c4,eb,92,0b,60,5c,71,50,79,1a,0e,d2,e5,59,8f,f7,\
"??"=hex:87,ea,ed,11,0e,0a,a8,cb,5e,df,1e,c9,83,50,6b,48
.
[HKEY_USERS\S-1-5-21-1390067357-527237240-1417001333-1003\Software\SecuROM\License information*]
"datasecu"=hex:ae,c2,05,fa,9e,f2,dd,fc,8e,e4,7d,b2,5a,6f,80,27,19,8b,37,25,fc,
25,c4,e9,71,1a,e3,a2,ed,75,aa,dd,2a,f6,07,ac,ce,3b,b9,be,10,95,74,d8,4f,f1,\
"rkeysecu"=hex:e2,ee,a1,b5,e4,44,d1,d4,b9,6a,a6,b8,22,36,76,f2
.
[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \D25BC253F035D347]
"1"=hex:6a,0b,56,13,c1,93,dc,9c,fb,61,a2,a0,e4,ff,91,20,60,bf,2f,c2,35,91,ae,
25
"2"=hex:fb,e6,50,7f,41,f4,51,a7,7f,ec,2d,f9,42,45,3a,02,3a,b7,45,15,3f,9d,8b,
c3
"3"=hex:6a,0b,56,13,c1,93,dc,9c,fb,61,a2,a0,e4,ff,91,20,5d,f5,58,d1,21,e0,48,
8b,38,57,44,9c,4e,8d,78,88,fd,f1,01,9d,86,d8,b5,cb,d9,bf,23,55,4a,bb,31,1f
.
[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \D25BC253F035D347\198D4574A2BCA7D4BA51871F57EEA50C]
"1"=hex:b0,57,4a,e6,b6,28,dc,b1,d4,b3,12,05,d7,ea,a1,55,83,90,50,9b,f1,d7,47,
8a,64,3a,d9,c4,e6,aa,fc,b0
"2"=hex:ff,46,a9,cd,53,d2,ef,98
"3"=hex:56,2c,a3,35,39,a2,c4,ed,ab,80,62,80,34,7e,21,fe,c1,f7,60,0c,7d,60,45,
5d,02,66,91,8d,5d,79,3e,9e,8c,b8,e9,5d,7d,70,39,69,04,2f,f2,78,91,fa,77,b8,\
"4"=hex:2f,ad,a2,e7,8a,bf,05,5e
"5"=hex:bf,e5,23,7b,b0,66,d6,fc,b8,e8,6b,a0,96,52,f7,32,80,09,8f,24,b7,b3,55,
1a,98,d1,47,16,02,43,61,1c,b9,d5,8f,2a,7b,81,b1,fb,95,22,f8,b3,2c,53,9d,ae,\
"6"=hex:b0,57,4a,e6,b6,28,dc,b1,d4,b3,12,05,d7,ea,a1,55,83,90,50,9b,f1,d7,47,
8a,b1,a7,a6,92,c1,bd,03,11,24,42,63,25,d3,91,33,ac,33,a7,da,f0,3b,f7,80,6d,\
"7"=hex:58,eb,3b,8d,af,31,32,62,45,fe,2a,f0,ac,22,d0,33,a4,31,52,95,51,16,0b,
60,24,b1,58,9f,ed,64,45,cb,db,0f,ba,92,11,d1,bc,91,54,86,2e,97,ce,5d,8f,8d,\
"8"=hex:9d,9e,b2,b9,a7,a5,f4,ae,4d,29,c2,a3,c0,78,c4,c5,2e,4e,96,8c,7e,a3,52,
64,b7,5a,c6,8b,d8,dd,90,06,46,e7,74,06,e1,ab,e4,80,2e,9b,e9,e1,49,06,fc,b2,\
"9"=hex:81,20,8f,ab,28,6a,52,9c
"18"=hex:d0,71,12,cb,08,b7,a7,d6
"10"=hex:81,20,8f,ab,28,6a,52,9c
"11"=hex:81,20,8f,ab,28,6a,52,9c
"12"=hex:72,ef,ed,b4,0b,f9,08,74,6a,e9,98,24,12,b2,26,a1,dc,5b,87,5c,40,76,14,
4c,1c,50,7e,c6,eb,41,c2,af,bc,28,08,32,1f,2a,f3,43,a4,f7,21,a3,ec,5c,1c,b2,\
"13"=hex:b6,e5,50,43,12,c6,01,e1,c4,da,b9,bc,7f,53,2e,9a,ac,c7,33,f8,91,62,1f,
0b,98,83,b9,3c,3b,98,8e,b5,b7,60,9c,64,a2,90,90,3f
"14"=hex:37,e1,d3,73,c6,56,a2,87,8f,41,42,b5,d8,48,ab,7e
"24"=hex:81,20,8f,ab,28,6a,52,9c
"26"=hex:81,20,8f,ab,28,6a,52,9c
"27"=hex:81,20,8f,ab,28,6a,52,9c
"19"=hex:51,b6,73,aa,7a,2b,b3,8c,b6,e5,63,f5,c1,a2,d3,17
"22"=hex:81,20,8f,ab,28,6a,52,9c
"15"=hex:03,a8,42,ff,62,a5,e9,76,a0,97,2a,d8,c1,8d,97,66,35,e8,d4,dd,00,96,ec,
9d,7c,9c,56,45,a0,77,cb,85,8a,06,14,6b,20,df,46,6d,2a,03,dd,86,33,7f,c9,89,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2104)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\RTHDCPL.EXE
c:\windows\SOUNDMAN.EXE
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft LifeCam\MSCamS32.exe
c:\program files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
c:\program files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\msiexec.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\MsiExec.exe
.
**************************************************************************
.
Completion time: 2011-09-04 08:57:27 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-04 12:57
ComboFix2.txt 2011-09-04 12:32
ComboFix3.txt 2011-09-03 13:06
ComboFix4.txt 2011-09-02 10:29
ComboFix5.txt 2011-09-04 12:41
.
Pre-Run: 277,768,634,368 bytes free
Post-Run: 277,748,068,352 bytes free
.
- - End Of File - - B1F055FD9AC0CEBF28700EC35692D16D



Malwarebytes:


Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\Owner\my documents\downloads\WiNlOgOn.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.



ESETSCAN:


C:\Documents and Settings\Owner\My Documents\Downloads\cole2k.media.-.codec.pack.v7.9.0.-advanced-.setup.exe Win32/Adware.Toolbar.Dealio application
C:\Qoobox\Quarantine\[4]-Submit_2011-09-01_22.36.43.zip multiple threats
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\defender.exe.vir a variant of Win32/Kryptik.SJO trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\8714B5917A571BBF7C22FFD9274EB379\enemies-names.txt.vir Win32/Adware.AntimalwareDoctor.AE.Gen application
C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\8714B5917A571BBF7C22FFD9274EB379\local.ini.vir Win32/Adware.AntimalwareDoctor.AE.Gen application
C:\Qoobox\Quarantine\C\WINDOWS\runservice.exe.vir Win32/Patched.HN trojan
C:\Qoobox\Quarantine\C\WINDOWS\assembly\GAC_MSIL\desktop.ini.vir Win32/Sirefef.CH trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\nvsvc32.exe.vir Win32/Patched.HN trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\PnkBstrA.exe.vir Win32/Patched.HN trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\ipsec.sys.vir Win32/Sirefef.CO trojan
C:\System Volume Information\_restore{E43A9CAC-F4CC-4AF5-9F2A-62A7DF707792}\RP180\A0081920.sys Win32/Sirefef.CO trojan
C:\System Volume Information\_restore{E43A9CAC-F4CC-4AF5-9F2A-62A7DF707792}\RP180\A0081921.ini Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{E43A9CAC-F4CC-4AF5-9F2A-62A7DF707792}\RP180\A0081938.sys Win32/Sirefef.CO trojan
C:\System Volume Information\_restore{E43A9CAC-F4CC-4AF5-9F2A-62A7DF707792}\RP180\A0081939.ini Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{E43A9CAC-F4CC-4AF5-9F2A-62A7DF707792}\RP180\A0081961.sys Win32/Sirefef.CO trojan
C:\System Volume Information\_restore{E43A9CAC-F4CC-4AF5-9F2A-62A7DF707792}\RP180\A0081962.ini Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{E43A9CAC-F4CC-4AF5-9F2A-62A7DF707792}\RP180\A0082024.sys Win32/Sirefef.CO trojan
C:\System Volume Information\_restore{E43A9CAC-F4CC-4AF5-9F2A-62A7DF707792}\RP180\A0082025.ini Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{E43A9CAC-F4CC-4AF5-9F2A-62A7DF707792}\RP180\A0082041.exe Win32/Patched.HN trojan
C:\System Volume Information\_restore{E43A9CAC-F4CC-4AF5-9F2A-62A7DF707792}\RP180\A0082063.sys Win32/Sirefef.CO trojan
C:\System Volume Information\_restore{E43A9CAC-F4CC-4AF5-9F2A-62A7DF707792}\RP180\A0082064.ini Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{E43A9CAC-F4CC-4AF5-9F2A-62A7DF707792}\RP180\A0082065.exe Win32/Patched.HN trojan
C:\System Volume Information\_restore{E43A9CAC-F4CC-4AF5-9F2A-62A7DF707792}\RP180\A0082066.exe Win32/Patched.HN trojan
C:\System Volume Information\_restore{E43A9CAC-F4CC-4AF5-9F2A-62A7DF707792}\RP181\A0082125.sys Win32/Sirefef.CO trojan
C:\System Volume Information\_restore{E43A9CAC-F4CC-4AF5-9F2A-62A7DF707792}\RP181\A0082126.ini Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{E43A9CAC-F4CC-4AF5-9F2A-62A7DF707792}\RP182\A0082164.exe Win32/Patched.HN trojan
C:\System Volume Information\_restore{E43A9CAC-F4CC-4AF5-9F2A-62A7DF707792}\RP182\A0083125.sys Win32/Sirefef.CO trojan
C:\System Volume Information\_restore{E43A9CAC-F4CC-4AF5-9F2A-62A7DF707792}\RP182\A0083126.ini Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{E43A9CAC-F4CC-4AF5-9F2A-62A7DF707792}\RP182\A0083127.exe Win32/Patched.HN trojan
C:\System Volume Information\_restore{E43A9CAC-F4CC-4AF5-9F2A-62A7DF707792}\RP182\A0083128.exe Win32/Patched.HN trojan
C:\System Volume Information\_restore{E43A9CAC-F4CC-4AF5-9F2A-62A7DF707792}\RP182\A0083150.sys Win32/Sirefef.CO trojan
C:\System Volume Information\_restore{E43A9CAC-F4CC-4AF5-9F2A-62A7DF707792}\RP182\A0083151.ini Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{E43A9CAC-F4CC-4AF5-9F2A-62A7DF707792}\RP182\A0084150.sys Win32/Sirefef.CO trojan
C:\System Volume Information\_restore{E43A9CAC-F4CC-4AF5-9F2A-62A7DF707792}\RP182\A0084151.ini Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{E43A9CAC-F4CC-4AF5-9F2A-62A7DF707792}\RP182\A0084152.exe Win32/Patched.HN trojan
C:\System Volume Information\_restore{E43A9CAC-F4CC-4AF5-9F2A-62A7DF707792}\RP182\A0084153.exe Win32/Patched.HN trojan
C:\System Volume Information\_restore{E43A9CAC-F4CC-4AF5-9F2A-62A7DF707792}\RP183\A0084201.sys Win32/Sirefef.CO trojan
C:\System Volume Information\_restore{E43A9CAC-F4CC-4AF5-9F2A-62A7DF707792}\RP183\A0084202.ini Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{E43A9CAC-F4CC-4AF5-9F2A-62A7DF707792}\RP184\A0084236.sys Win32/Sirefef.CO trojan
C:\System Volume Information\_restore{E43A9CAC-F4CC-4AF5-9F2A-62A7DF707792}\RP184\A0084237.ini Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{E43A9CAC-F4CC-4AF5-9F2A-62A7DF707792}\RP184\A0085236.sys Win32/Sirefef.CO trojan
C:\System Volume Information\_restore{E43A9CAC-F4CC-4AF5-9F2A-62A7DF707792}\RP184\A0085237.ini Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{E43A9CAC-F4CC-4AF5-9F2A-62A7DF707792}\RP184\A0085251.sys Win32/Sirefef.CO trojan
C:\System Volume Information\_restore{E43A9CAC-F4CC-4AF5-9F2A-62A7DF707792}\RP184\A0085252.ini Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{E43A9CAC-F4CC-4AF5-9F2A-62A7DF707792}\RP185\A0086251.sys Win32/Sirefef.CO trojan
C:\System Volume Information\_restore{E43A9CAC-F4CC-4AF5-9F2A-62A7DF707792}\RP185\A0086252.ini Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{E43A9CAC-F4CC-4AF5-9F2A-62A7DF707792}\RP185\A0086290.sys Win32/Sirefef.CO trojan
C:\System Volume Information\_restore{E43A9CAC-F4CC-4AF5-9F2A-62A7DF707792}\RP185\A0086291.ini Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{E43A9CAC-F4CC-4AF5-9F2A-62A7DF707792}\RP185\A0086315.sys Win32/Sirefef.CO trojan
C:\System Volume Information\_restore{E43A9CAC-F4CC-4AF5-9F2A-62A7DF707792}\RP185\A0086316.ini Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{E43A9CAC-F4CC-4AF5-9F2A-62A7DF707792}\RP186\A0086328.exe Win32/Patched.HN trojan
C:\System Volume Information\_restore{E43A9CAC-F4CC-4AF5-9F2A-62A7DF707792}\RP187\A0087352.sys Win32/Sirefef.CO trojan
C:\System Volume Information\_restore{E43A9CAC-F4CC-4AF5-9F2A-62A7DF707792}\RP187\A0087353.ini Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{E43A9CAC-F4CC-4AF5-9F2A-62A7DF707792}\RP187\A0088352.sys Win32/Sirefef.CO trojan
C:\System Volume Information\_restore{E43A9CAC-F4CC-4AF5-9F2A-62A7DF707792}\RP187\A0088353.ini Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{E43A9CAC-F4CC-4AF5-9F2A-62A7DF707792}\RP187\A0088355.exe Win32/Patched.HN trojan
C:\System Volume Information\_restore{E43A9CAC-F4CC-4AF5-9F2A-62A7DF707792}\RP187\A0088356.exe Win32/Patched.HN trojan
C:\System Volume Information\_restore{E43A9CAC-F4CC-4AF5-9F2A-62A7DF707792}\RP188\A0088406.sys Win32/Sirefef.CO trojan
C:\System Volume Information\_restore{E43A9CAC-F4CC-4AF5-9F2A-62A7DF707792}\RP188\A0088407.ini Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{E43A9CAC-F4CC-4AF5-9F2A-62A7DF707792}\RP188\A0088434.sys Win32/Sirefef.CO trojan
C:\System Volume Information\_restore{E43A9CAC-F4CC-4AF5-9F2A-62A7DF707792}\RP188\A0088435.ini Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{E43A9CAC-F4CC-4AF5-9F2A-62A7DF707792}\RP188\A0088436.exe Win32/Patched.HN trojan
C:\System Volume Information\_restore{E43A9CAC-F4CC-4AF5-9F2A-62A7DF707792}\RP188\A0088437.exe Win32/Patched.HN trojan
C:\System Volume Information\_restore{E43A9CAC-F4CC-4AF5-9F2A-62A7DF707792}\RP189\A0088474.sys Win32/Sirefef.CO trojan
C:\System Volume Information\_restore{E43A9CAC-F4CC-4AF5-9F2A-62A7DF707792}\RP189\A0088475.ini Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{E43A9CAC-F4CC-4AF5-9F2A-62A7DF707792}\RP190\A0088515.exe Win32/Patched.HN trojan
C:\System Volume Information\_restore{E43A9CAC-F4CC-4AF5-9F2A-62A7DF707792}\RP190\A0088528.sys Win32/Sirefef.CO trojan
C:\System Volume Information\_restore{E43A9CAC-F4CC-4AF5-9F2A-62A7DF707792}\RP190\A0088529.ini Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{E43A9CAC-F4CC-4AF5-9F2A-62A7DF707792}\RP190\A0088530.exe Win32/Patched.HN trojan
C:\System Volume Information\_restore{E43A9CAC-F4CC-4AF5-9F2A-62A7DF707792}\RP190\A0088531.exe Win32/Patched.HN trojan
C:\System Volume Information\_restore{E43A9CAC-F4CC-4AF5-9F2A-62A7DF707792}\RP190\A0088704.sys Win32/Sirefef.CO trojan
C:\System Volume Information\_restore{E43A9CAC-F4CC-4AF5-9F2A-62A7DF707792}\RP190\A0088744.exe Win32/Patched.HN trojan
C:\System Volume Information\_restore{E43A9CAC-F4CC-4AF5-9F2A-62A7DF707792}\RP190\A0088745.exe Win32/Patched.HN trojan
C:\System Volume Information\_restore{E43A9CAC-F4CC-4AF5-9F2A-62A7DF707792}\RP190\A0088746.exe Win32/Patched.HN trojan
C:\System Volume Information\_restore{E43A9CAC-F4CC-4AF5-9F2A-62A7DF707792}\RP190\A0088865.ini Win32/Adware.AntimalwareDoctor.AE.Gen application
C:\System Volume Information\_restore{E43A9CAC-F4CC-4AF5-9F2A-62A7DF707792}\RP192\A0089414.ini Win32/Sirefef.CH trojan
C:\System Volume Information\_restore{E43A9CAC-F4CC-4AF5-9F2A-62A7DF707792}\RP192\A0089415.exe a variant of Win32/Kryptik.SJO trojan

#14 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:05:31 AM

Posted 04 September 2011 - 06:06 PM

This item contains an adware toolbar, so I suggest you navigate to the file and delete it:

C:\Documents and Settings\Owner\My Documents\Downloads\cole2k.media.-.codec.pack.v7.9.0.-advanced-.setup.exe


NEXT



Your Java is out of date.
Java™ 6 Update 17 can be updated from the Java control panel: Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now.
An update should begin; follow the prompts.


Clear Java cache

Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup) If you do not see the icon, look to your left and click 'Switch to Classic View'.
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave BOTH Checked
    • Applications and Applets
    • Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.



NEXT


Please post a fresh DDS Log and advise how the computer is running now and if there are any outstanding issues.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#15 erzherzog

erzherzog
  • Topic Starter

  • Members
  • 11 posts
  • Local time:04:31 AM

Posted 04 September 2011 - 09:31 PM

Well, Java won't run now. I got an error when I tried to update and their website says they're still trying to figure out what the error is. So I couldn't do that.

Outside of that, I'm not getting redirects, I can run anti-virus software, but I cannot activate my BitDefender anti-virus or firewall.

Annnnnd, the DDS log:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_17
Run by Owner at 22:25:15 on 2011-09-04
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3326.2495 [GMT -4:00]
.
AV: Bitdefender Antivirus *Disabled/Updated* {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: Bitdefender Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\MsiExec.exe
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\Program Files\BitDefender\BitDefender 2008\seccenter.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
mStart Page = about:blank
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Settings,ProxyOverride = <local>;*.local
uURLSearchHooks: DeviceVM Url Search Hook: {0063bf63-bfff-4b8f-9d26-4267df7f17dd} - c:\windows\system32\dvmurl.dll
BHO: {02bc79ff-f20d-42a8-943b-999ab1c7b8e6} - c:\windows\system32\wscui32.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: BitDefender Toolbar: {381ffde8-2394-4f90-b10d-fc6124a40f8c} - c:\program files\bitdefender\bitdefender 2008\IEToolbar.dll
uRun: [FacebookUpdate] c:\documents and settings\owner\application data\facebook\facebookupdate\Facebookupdt32.exe
uRun: [DirectxTrayTray] rundll32.exe "c:\documents and settings\all users\application data\DirectxTrayTray.dll",DllRegisterServer
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [LogMeIn Hamachi Ui] "c:\program files\logmein hamachi\hamachi-2-ui.exe" --auto-start
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRun: [FacebookUpdate] c:\documents and settings\owner\application data\facebook\facebookupdate\Facebookupdt32.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: Interfaces\{C864AE0D-86A4-478F-B1C1-6E7586C5545E} : DhcpNameServer = 68.87.72.134 68.87.77.134
TCP: Interfaces\{F57FDF10-B5AA-4903-BFEE-D8C8AC4BF034} : DhcpNameServer = 192.168.1.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\owner\application data\mozilla\firefox\profiles\l8b1qdi3.default\
FF - prefs.js: browser.startup.homepage - hxxp://wikipedia.org/
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\owner\application data\facebook\npfbplugin_1_0_0.dll
FF - plugin: c:\documents and settings\owner\application data\facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\windows\system32\c2mp\npdivx32.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: GameFOX: {6dd0bdba-0a02-429e-b595-87a7dfdca7a1} - %profile%\extensions\{6dd0bdba-0a02-429e-b595-87a7dfdca7a1}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: XUL Cache: {f5c19102-f9cd-4377-9c36-0b7359de4f3a} - %profile%\extensions\{f5c19102-f9cd-4377-9c36-0b7359de4f3a}
.
============= SERVICES / DRIVERS ===============
.
R2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files\logmein hamachi\hamachi-2.exe [2011-8-4 1361288]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [2008-6-2 86792]
R3 MSHUSBVideo;NX6000/NX3000/VX5000/VX5500/VX2000/VX7000 Filter Driver;c:\windows\system32\drivers\nx6000.sys [2009-12-26 30560]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-19 135664]
S2 LicCtrlService;LicCtrl Service;c:\windows\runservice.exe --> c:\windows\runservice.exe [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-19 135664]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-09-04 23:19:20 0 ---ha-w- c:\documents and settings\owner\hgmzklwbrj.tmp
2011-09-04 19:25:00 68608 ----a-w- c:\documents and settings\all users\application data\DirectxTrayTray.dll
2011-09-04 19:25:00 239104 ----a-w- c:\windows\system32\wscui32.dll
2011-09-04 13:46:49 -------- d-----w- c:\program files\ESET
2011-09-01 21:31:56 75264 -c--a-w- c:\windows\system32\dllcache\ipsec.sys
2011-09-01 21:31:56 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2011-09-01 21:29:24 -------- d-sha-r- C:\cmdcons
2011-09-01 21:27:42 98816 ----a-w- c:\windows\sed.exe
2011-09-01 21:27:42 518144 ----a-w- c:\windows\SWREG.exe
2011-09-01 21:27:42 256000 ----a-w- c:\windows\PEV.exe
2011-09-01 21:27:42 208896 ----a-w- c:\windows\MBR.exe
2011-08-20 17:16:43 9484 ----a-w- c:\windows\look.bat
2011-08-20 17:16:43 -------- d-----w- c:\windows\maxdrive
2011-08-16 18:22:56 26176 ---ha-w- c:\windows\system32\hamachi.sys
2011-08-16 18:22:41 -------- d-----w- c:\program files\LogMeIn Hamachi
.
==================== Find3M ====================
.
2011-09-01 21:36:50 1433 --sha-w- c:\windows\system32\mmf.sys
2011-08-29 19:23:30 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2011-08-27 21:57:37 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-08-26 00:59:48 64512 ----a-w- c:\windows\system32\drivers\serial.sys
2011-08-20 16:07:39 81984 ----a-w- c:\windows\system32\bdod.bin
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-06 23:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 23:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-21 18:18:34 81920 ----a-w- c:\windows\system32\ieencode.dll
2011-06-21 18:18:34 667136 ----a-w- c:\windows\system32\wininet.dll
2011-06-21 18:18:34 61952 ----a-w- c:\windows\system32\tdc.ocx
2011-06-21 12:58:45 369664 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-05-29 23:19:47 704282 ----a-w- c:\program files\unins000.exe
.
============= FINISH: 22:30:39.70 ===============



