Originally System Fix virus, tried to fix, now computer won't boot


This topic is locked. 30 replies to this topic.

#1 Stalag Stag

Posted 10 January 2012 - 07:54 PM

I am running Windows XP on a Dell desktop. About 3 months ago I got one of the Google Redirect + XP Security 2012 viruses. I was eventually able to clear it with rkill, tdss killer, and malwarebytes. Since this computer contains a lot of my bulk work from home, I was careful from that point on to rarely download anything onto it (and I always had downloaded from known sources). The XP security cropped up again about a month later and I cleared it yet again. Most recently, System Fix popped up. Usually I was able to kill the virus by the previous combo of rkill, tdss killer, and malwarebytes, but while I was able to stop the System Fix program from autorunning by following the System Fix removal guide from this website, search engines still redirected and the computer wasn't stable. Malwarebytes would sometimes find a virus, but not always, and removal of the virus via malwarebytes didn't seem to solve anything. Finally, I was able to transfer the most recent version of tdsskiller and run it. It found something and said to clear the infection that I needed to restart. Upon restart, the computer goes past the initial screen and then stops at a black screen with a blinking white cursor in the upper left (the BIOS load screen?). From what I gather, something is keeping my hard drive from booting. I'm hoping that I can recover my computer without having to wipe anything. Any help is greatly appreciated!


#2 Elise (Malware Study Hall Admin)

Posted 12 January 2012 - 12:44 PM

Hello, first let's have a look at the Master Boot Record.

Try this please. You will need a USB drive.

Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and upon finishing will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Remove the USB & CD and insert them in the sick computer
  • Boot the Sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • Gently tap F12 and choose to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Press Tool at the top
  • Choose Open Terminal
  • Type the following and press enter:

    dd if=/dev/sda of=mbr.bin bs=512 count=1

  • Press Enter
  • After it has finished a file will be located on your USB drive named mbr.bin
  • Remove the USB drive and insert it back in your working computer and navigate to mbr.bin, zip it up and attach it to your next reply.

This will allow me to have a look at the Master Boot Record of your drive and see if it is infected.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#3 Stalag Stag (Topic Starter)

Posted 12 January 2012 - 02:56 PM

Thanks for the help! I'll get right on it this afternoon.

#4 Elise (Malware Study Hall Admin)

Posted 12 January 2012 - 02:57 PM

Okay, please take your time. If you encounter any problem, just let me know.

regards, Elise




#5 Stalag Stag (Topic Starter)

Posted 13 January 2012 - 01:09 AM

Here's the mbr.bin file. Attached File: mbr.zip (577 bytes)

#6 Elise (Malware Study Hall Admin)

Posted 13 January 2012 - 04:24 AM

That is rootkit infected. Do the following fix, then restart normally.

Try this please. You will need a USB drive.

Download xPUDtd and save it to a USB drive. (if the download opens in a separate tab, right-click the link and select Save Link/Target As)
  • Remove the USB & xPUD CD and insert them in the sick computer
  • Boot the Sick computer with the xPUD CD
  • The computer must be set to boot from the CD
  • Gently tap F12 and choose to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Double-click on xPUDtd to extract and run it.
The first screen will present log options - press Enter to continue.

TestDisk will scan the system and show drive information.
If more than 1 drive, select the correct drive, make sure [Proceed] is selected then press Enter to continue.

Select [Intel] partition and press Enter to continue.

Select [MBR Code] and press Enter to continue.

Type Y when prompted to write a new MBR code to the first sector, then confirm at the next screen by typing Y again.

Press Q repeatedly until TestDisk exits then reboot.

regards, Elise


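The MBR dump requested in post #2 and the [MBR Code] rewrite in post #6 both operate on the same 512-byte sector. The Python below is an added example, not code from the thread or from xPUD/TestDisk: it parses an mbr.bin as produced by the dd command, applies the checks an analyst runs on such a dump (boot signature present, bootstrap-code hash in a known-good set, the standard error strings, exactly one active partition, no overlapping entries), and then performs the same kind of repair TestDisk's [MBR Code] option does, replacing only the first 440 bytes while preserving the disk signature and partition table. GOOD_BOOTSTRAP, KNOWN_GOOD and the partition layout are constructed sample data; the stand-in bootstrap is not real Windows boot code, and on a real case the known-good hashes must come from a clean install of the same Windows version.

```python
"""Inspect and repair a 512-byte MBR dump (added example, not from the thread).

The dump is what `dd if=/dev/sda of=mbr.bin bs=512 count=1` writes. The
"known-good" bootstrap below is a constructed stand-in, not real boot code.
"""
import hashlib
import itertools
import struct
import sys

SECTOR = 512
BOOTSTRAP_END = 440   # bytes 0..439 hold the boot code a bootkit overwrites
DISK_SIG_OFF = 440    # 4-byte NT disk signature + 2 reserved bytes
PTABLE_OFF = 446      # four 16-byte partition entries
BOOT_SIG_OFF = 510    # 0x55 0xAA
ENTRY = "<B3xB3xII"   # status, CHS start, type, CHS end, LBA start, sectors


def build_mbr(bootstrap: bytes, partitions, disk_sig: int = 0x1234ABCD) -> bytes:
    """Assemble a sector from its parts (used here only to construct sample input)."""
    if len(bootstrap) > BOOTSTRAP_END:
        raise ValueError("bootstrap code must fit in 440 bytes")
    sector = bytearray(SECTOR)
    sector[:BOOTSTRAP_END] = bootstrap.ljust(BOOTSTRAP_END, b"\x00")
    struct.pack_into("<IH", sector, DISK_SIG_OFF, disk_sig, 0)
    for i, (bootable, ptype, lba, count) in enumerate(partitions):
        struct.pack_into(ENTRY, sector, PTABLE_OFF + 16 * i,
                         0x80 if bootable else 0x00, ptype, lba, count)
    sector[BOOT_SIG_OFF:] = b"\x55\xaa"
    return bytes(sector)


def parse_partitions(mbr: bytes) -> list:
    """Decode the four partition slots (empty slots have type 0)."""
    if len(mbr) != SECTOR:
        raise ValueError("an MBR dump must be exactly 512 bytes")
    table = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(ENTRY, mbr, PTABLE_OFF + 16 * i)
        table.append({"slot": i, "status": status, "bootable": status == 0x80,
                      "type": ptype, "lba_start": lba, "sectors": count})
    return table


def triage(mbr: bytes, known_good: set) -> list:
    """Return findings; an empty list means the sector looks clean.

    Heuristics only: a rootkit that filters disk reads can hand a clean
    sector to tools running inside the infected OS, which is why the dump
    is taken from a live CD rather than from Windows."""
    findings = []
    if mbr[BOOT_SIG_OFF:] != b"\x55\xaa":
        findings.append("boot signature 0x55AA missing")
    code = mbr[:BOOTSTRAP_END]
    digest = hashlib.sha256(code).hexdigest()
    if digest not in known_good:
        findings.append(f"bootstrap code sha256 {digest[:16]}... not in known-good set")
    if b"Invalid partition table" not in code:
        findings.append("standard MBR error strings absent from boot code")
    table = parse_partitions(mbr)
    bad_status = [p["slot"] for p in table if p["status"] not in (0x00, 0x80)]
    if bad_status:
        findings.append(f"invalid status byte in slot(s) {bad_status}")
    if sum(p["bootable"] for p in table) != 1:
        findings.append("expected exactly one active partition")
    used = [p for p in table if p["type"] != 0]
    for a, b in itertools.combinations(used, 2):
        if (a["lba_start"] < b["lba_start"] + b["sectors"]
                and b["lba_start"] < a["lba_start"] + a["sectors"]):
            findings.append(f"partitions {a['slot']} and {b['slot']} overlap")
    return findings


def rewrite_boot_code(mbr: bytes, good_bootstrap: bytes) -> bytes:
    """Replace bytes 0..439 only, as TestDisk's [MBR Code] does. The disk
    signature (Windows maps drive letters by it) and the partition table
    are carried over unchanged, so no data is lost by the repair."""
    if len(mbr) != SECTOR or len(good_bootstrap) != BOOTSTRAP_END:
        raise ValueError("need a 512-byte sector and a 440-byte bootstrap")
    return good_bootstrap + mbr[BOOTSTRAP_END:]


# Constructed sample data: a placeholder bootstrap carrying the strings a
# stock Windows MBR contains, and a single active NTFS partition at LBA 63.
GOOD_BOOTSTRAP = (b"\x33\xc0\x8e\xd0\xbc\x00\x7c"
                  b"Invalid partition table\x00"
                  b"Error loading operating system\x00"
                  b"Missing operating system\x00").ljust(BOOTSTRAP_END, b"\x90")
KNOWN_GOOD = {hashlib.sha256(GOOD_BOOTSTRAP).hexdigest()}
PARTITIONS = [(True, 0x07, 63, 488392002)]
CLEAN_MBR = build_mbr(GOOD_BOOTSTRAP, PARTITIONS)
# Same partition table, but the boot code has been replaced (what a bootkit does).
INFECTED_MBR = build_mbr(b"\xeb\x3c\x90" + b"\xcc" * 200, PARTITIONS)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else INFECTED_MBR
    for p in parse_partitions(data):
        if p["type"]:
            print(f"slot {p['slot']}: type 0x{p['type']:02x} active={p['bootable']} "
                  f"lba={p['lba_start']} sectors={p['sectors']}")
    for finding in triage(data, KNOWN_GOOD):
        print("FINDING:", finding)
    print("after repair:", triage(rewrite_boot_code(data, GOOD_BOOTSTRAP), KNOWN_GOOD) or "clean")
```

Run it with the path to mbr.bin to print the partition table and findings, or with no argument to use the constructed sample. The hash check is the decisive one; the string check only catches the crude case where the whole bootstrap was replaced, and a sector whose partition table has been tampered with (an extra active slot, or an entry that overlaps another) needs more than a code rewrite, which is why the script reports those separately.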


#7 Stalag Stag (Topic Starter)

Posted 14 January 2012 - 06:51 PM

Okay, I did the instructions you posted. Should I reboot normally via windows?

#8 Elise (Malware Study Hall Admin)

Posted 15 January 2012 - 03:01 AM

Yes, please. :)

regards, Elise




#9 Stalag Stag (Topic Starter)

Posted 15 January 2012 - 03:13 AM

Okay, windows started up normally and loaded. Thanks! What else do I need to do to clean out the virus?

#10 Elise (Malware Study Hall Admin)

Posted 15 January 2012 - 03:31 AM

Let's see what else needs to be taken care of.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

regards, Elise




#11 Stalag Stag (Topic Starter)

Posted 16 January 2012 - 05:56 PM

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
Run by Pete at 17:48:44 on 2012-01-16
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1165 [GMT -5:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDFME\WDFME.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSC.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
uInternet Settings,ProxyOverride = local.;*.local
uInternet Settings,ProxyServer = http=127.0.0.1:49798
BHO: AutorunsDisabled - No File
BHO: WormRadar.com IESiteBlocker.NavFilter - No File
BHO: : {4d25f921-b9fe-4682-bf72-8ab8210d6d75} - c:\program files\mywaysa\srchasde\1.bin\deSrcAs.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\mi1933~1\office12\GRA8E1~1.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IAAnotif] c:\program files\intel\intel application accelerator\iaanotif.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [DAEMON Tools-1033] "c:\program files\d-tools\daemon.exe" -lang 1033
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [XcmqyLMkQQUTNHM.exe] c:\documents and settings\all users\application data\XcmqyLMkQQUTNHM.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wddmst~1.lnk - c:\program files\western digital\wd smartware\wd drive manager\WDDMStatus.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124768442750
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {7D731A83-6C80-4EA4-9646-5E06A0513274} - hxxp://www.shockwave.com/content/snailmail/slgwebinstall.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: DhcpNameServer = 97.81.22.195 71.92.29.130 24.217.201.67
TCP: Interfaces\{29CF8D6E-0C5D-4F6B-AE1A-402C101645D5} : DhcpNameServer = 97.81.22.195 71.92.29.130 24.217.201.67
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\mi1933~1\office12\GR99D3~1.DLL
Notify: necusb - nwusbw32.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\mi1933~1\office12\GRA8E1~1.DLL
mASetup: {9C450606-ED24-4958-92BA-B8940C99D441} - c:\program files\pixiepack codec pack\InstallerHelper.exe
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\pete\application data\mozilla\firefox\profiles\2mmvpq95.default\
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 49798
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\documents and settings\pete\application data\facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\documents and settings\pete\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll
.
============= SERVICES / DRIVERS ===============
.
R0 a347scsi;a347scsi;c:\windows\system32\drivers\a347scsi.sys [2006-4-25 5248]
R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [2007-1-31 155136]
R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [2007-1-31 5248]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-12-13 64512]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-11-3 2152152]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\cisco\cisco anyconnect vpn client\vpnagent.exe [2011-9-22 645048]
R2 WDDMService;WDDMService;c:\program files\western digital\wd smartware\wd drive manager\WDDMService.exe [2011-3-9 238592]
R2 WDFME;WD File Management Engine;c:\program files\western digital\wd smartware\front parlor\wdfme\WDFME.exe [2011-3-9 1060864]
R2 WDSC;WD File Management Shadow Engine;c:\program files\western digital\wd smartware\front parlor\WDSC.exe [2011-3-9 484352]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-9-27 133104]
S2 necusb;NEC USB Device Service;c:\windows\system32\svchost.exe -k necusb3 [2004-8-4 14336]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-9-27 133104]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2011-11-3 15232]
S3 pohci13F;pohci13F;\??\c:\docume~1\pete\locals~1\temp\pohci13f.sys --> c:\docume~1\pete\locals~1\temp\pohci13F.sys [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2011-6-18 11520]
S4 a347bus;a347bus;c:\windows\system32\drivers\a347bus.sys [2006-4-25 160640]
.
=============== Created Last 30 ================
.
2012-01-10 09:09:42 626688 ----a-w- c:\program files\mozilla firefox\msvcr80.dll
2012-01-10 09:09:42 548864 ----a-w- c:\program files\mozilla firefox\msvcp80.dll
2012-01-10 09:09:42 479232 ----a-w- c:\program files\mozilla firefox\msvcm80.dll
2012-01-10 09:09:42 43992 ----a-w- c:\program files\mozilla firefox\mozutils.dll
.
==================== Find3M ====================
.
2011-12-22 10:26:28 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2011-12-13 22:39:41 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-13 21:45:01 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-12-13 21:45:00 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-11-17 22:36:56 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2011-11-17 03:52:07 26112 ----a-w- c:\windows\system32\userinit.exe
2011-11-03 17:06:56 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
.
============= FINISH: 17:53:32.84 ===============
Attached File: attach.zip (1.91 KB)

#12 Elise (Malware Study Hall Admin)

Posted 17 January 2012 - 02:23 AM

Still an active rootkit here, so let's take care of that first.

COMBOFIX
---------------
Please download ComboFix from one of these locations:
Bleepingcomputer
ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.

regards, Elise


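The "still an active rootkit" reading of the DDS log above rests on a handful of lines: the IE and Firefox proxy pointed at 127.0.0.1:49798 (every HTTP request is being routed through a local listener), an mRun entry with a random-looking name executing from All Users\Application Data, and a service driver whose path sits under a user's Temp folder. The Python below is an added example, not a tool from the thread: it runs those three checks over DDS-style lines. The sample log is excerpted from the DDS output posted earlier, with benign lines from the same log kept for contrast; the rule names, the Finding type and the vowel-ratio name heuristic are this example's own. A finding is a lead to verify against the file on disk, not a verdict.

```python
"""Triage DDS-style log lines for proxy hijacks and autoruns in user-writable
paths (added example, not from the thread). Sample lines are excerpted from
the DDS log above; the rules are this example's own."""
import re
from typing import NamedTuple


class Finding(NamedTuple):
    rule: str
    note: str
    line: str


# IE's ProxyServer value and Firefox's network.proxy.http pref, both at loopback.
LOOPBACK_PROXY = re.compile(
    r"ProxyServer = .*?127\.0\.0\.1:(\d+)|network\.proxy\.http - 127\.0\.0\.1")
# uRun (HKCU) and mRun (HKLM) autostart entries: "[name] path".
AUTORUN = re.compile(r"^[um]Run: \[(?P<name>[^\]]+)\]\s+(?P<rest>.+)$")
# Service/driver lines: "R0 name;display;path [...]".
SERVICE = re.compile(r"^[RS][0-4] (?P<svc>[^;]+);[^;]*;(?P<path>\S+)")
# Locations an ordinary user can write to; legitimate drivers and machine-wide
# autoruns almost never live here, so a hit is worth a closer look.
USER_WRITABLE = re.compile(r"application data|\\temp\\|locals~1", re.IGNORECASE)


def looks_random(name: str) -> bool:
    """Crude heuristic: a long stem with almost no vowels (e.g. XcmqyLMkQQUTNHM)."""
    stem = name.split(".")[0]
    letters = [c for c in stem if c.isalpha()]
    if len(letters) < 8:
        return False
    vowels = sum(c.lower() in "aeiou" for c in letters)
    return vowels / len(letters) < 0.2


def _unquote_path(rest: str) -> str:
    """Strip surrounding quotes or a trailing "[date size]" annotation."""
    rest = rest.strip()
    if rest.startswith('"'):
        return rest[1:].split('"', 1)[0]
    return rest.split(" [")[0]


def scan(log_text: str) -> list:
    """Return one Finding per suspicious line, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = LOOPBACK_PROXY.search(line)
        if m:
            note = f"port {m.group(1)}" if m.group(1) else "firefox proxy pref"
            findings.append(Finding("loopback-proxy", note, line))
            continue
        m = AUTORUN.match(line)
        if m:
            path = _unquote_path(m.group("rest"))
            if USER_WRITABLE.search(path):
                # The name heuristic only annotates an entry already flagged
                # for its location; on its own it would misfire on names such
                # as tfswctrl.exe that live under system32.
                note = ("random-looking name" if looks_random(m.group("name"))
                        else "user-writable path")
                findings.append(Finding("autorun-user-writable", note, line))
            continue
        m = SERVICE.match(line)
        if m and USER_WRITABLE.search(m.group("path")):
            findings.append(Finding("driver-user-writable", m.group("svc"), line))
    return findings


# Constructed sample: lines excerpted from the DDS log in this thread.
SAMPLE_LOG = r"""
uInternet Settings,ProxyOverride = local.;*.local
uInternet Settings,ProxyServer = http=127.0.0.1:49798
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [XcmqyLMkQQUTNHM.exe] c:\documents and settings\all users\application data\XcmqyLMkQQUTNHM.exe
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 49798
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-12-13 64512]
S3 pohci13F;pohci13F;\??\c:\docume~1\pete\locals~1\temp\pohci13f.sys --> c:\docume~1\pete\locals~1\temp\pohci13F.sys [?]
"""

if __name__ == "__main__":
    import sys
    text = (open(sys.argv[1], encoding="utf-8", errors="replace").read()
            if len(sys.argv) > 1 else SAMPLE_LOG)
    for f in scan(text):
        print(f"[{f.rule}] {f.note}: {f.line}")
```

Pass a saved DDS log as the argument, or run without one to scan the excerpt. On the sample it reports four lines: the two loopback proxies (the IE entry carries the port, which is the local listener to look for in netstat), the XcmqyLMkQQUTNHM.exe autorun, and the pohci13F driver. Everything else, including the vowel-less but legitimately placed tfswctrl.exe, stays quiet.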


#13 Stalag Stag (Topic Starter)

Posted 17 January 2012 - 04:54 AM

ComboFix 12-01-16.05 - Pete 01/17/2012 3:56.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1368 [GMT -5:00]
Running from: c:\documents and settings\Pete\Desktop\Antivirus\Fixes\ComboFix.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\~Xy8q19jIw1Igia
c:\documents and settings\All Users\Application Data\~Xy8q19jIw1Igiar
c:\documents and settings\All Users\Application Data\Xy8q19jIw1Igia
c:\documents and settings\HelpAssistant\WINDOWS
c:\documents and settings\Pete\Application Data\Microsoft\Internet Explorer\Quick Launch\System Fix.lnk
c:\documents and settings\Pete\Desktop\System Fix.lnk
c:\documents and settings\Pete\Local Settings\Application Data\assembly\tmp
c:\documents and settings\Pete\Start Menu\Programs\System Fix
c:\documents and settings\Pete\Start Menu\Programs\System Fix\System Fix.lnk
c:\documents and settings\Pete\Start Menu\Programs\System Fix\Uninstall System Fix.lnk
c:\documents and settings\Pete\WINDOWS
c:\program files\LP
c:\program files\LP\BBC4\162.tmp
c:\program files\LP\BBC4\164.tmp
c:\program files\LP\BBC4\6F7.tmp
c:\program files\LP\BBC4\6F9.tmp
c:\program files\LP\BBC4\6FA.tmp
c:\program files\LP\BBC4\897.tmp
c:\program files\LP\BBC4\898.tmp
c:\windows\$NtUninstallKB48183$
c:\windows\$NtUninstallKB48183$\2556306537\@
c:\windows\$NtUninstallKB48183$\2556306537\bckfg.tmp
c:\windows\$NtUninstallKB48183$\2556306537\cfg.ini
c:\windows\$NtUninstallKB48183$\2556306537\Desktop.ini
c:\windows\$NtUninstallKB48183$\2556306537\keywords
c:\windows\$NtUninstallKB48183$\2556306537\kwrd.dll
c:\windows\$NtUninstallKB48183$\2556306537\L\iahonoel
c:\windows\$NtUninstallKB48183$\2556306537\lsflt7.ver
c:\windows\$NtUninstallKB48183$\2556306537\U\00000001.@
c:\windows\$NtUninstallKB48183$\2556306537\U\00000002.@
c:\windows\$NtUninstallKB48183$\2556306537\U\00000004.@
c:\windows\$NtUninstallKB48183$\2556306537\U\80000000.@
c:\windows\$NtUninstallKB48183$\2556306537\U\80000004.@
c:\windows\$NtUninstallKB48183$\2556306537\U\80000032.@
c:\windows\$NtUninstallKB48183$\3940536593
c:\windows\daemon.dll
c:\windows\Downloaded Installations\BMP
c:\windows\Downloaded Installations\BMP\{EA2E6144-0834-4704-915A-AF9FDB0D73CA}\0x0409.ini
c:\windows\Downloaded Installations\BMP\{EA2E6144-0834-4704-915A-AF9FDB0D73CA}\1033.MST
c:\windows\Downloaded Installations\BMP\{EA2E6144-0834-4704-915A-AF9FDB0D73CA}\BACS.msi
c:\windows\iun6002.exe
c:\windows\system32\setb2.tmp
.
c:\windows\system32\drivers\Serial.sys was missing
Restored copy from - c:\windows\ServicePackFiles\i386\serial.sys
.
.
((((((((((((((((((((((((( Files Created from 2011-12-17 to 2012-01-17 )))))))))))))))))))))))))))))))
.
.
2012-01-17 09:12 . 2008-04-13 19:15 64512 ----a-w- c:\windows\system32\drivers\Serial.sys
2012-01-17 09:12 . 2008-04-13 19:15 64512 ----a-w- c:\windows\system32\dllcache\serial.sys
2012-01-10 09:09 . 2012-01-10 09:09 626688 ----a-w- c:\program files\Mozilla Firefox\msvcr80.dll
2012-01-10 09:09 . 2012-01-10 09:09 548864 ----a-w- c:\program files\Mozilla Firefox\msvcp80.dll
2012-01-10 09:09 . 2012-01-10 09:09 479232 ----a-w- c:\program files\Mozilla Firefox\msvcm80.dll
2012-01-10 09:09 . 2012-01-10 09:09 43992 ----a-w- c:\program files\Mozilla Firefox\mozutils.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-22 10:26 . 2004-08-04 10:00 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2011-12-13 22:39 . 2011-07-29 05:26 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-13 21:45 . 2009-11-15 21:08 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-12-13 21:45 . 2011-12-14 02:43 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-11-17 22:36 . 2004-08-04 10:00 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2011-11-17 03:52 . 2004-08-04 10:00 26112 ----a-w- c:\windows\system32\userinit.exe
2011-11-03 17:06 . 2011-12-13 21:42 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2012-01-10 09:09 . 2011-10-05 05:09 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-06-29 135168]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2004-08-22 81920]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-10-09 421736]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
WDDMStatus.lnk - c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2011-3-9 3986944]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-6-7 24576]
.
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
FriendlyName= J-Track: Satellite Tracking
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-02-23 21:19 53248 ------w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 15:50 155648 ----a-w- c:\windows\SYSTEM32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
2005-10-28 18:08 335872 ----a-w- c:\program files\Picasa2\PicasaMediaDetector.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\EA GAMES\\The Battle for Middle-earth ™\\game.dat"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Electronic Arts\\The Battle for Middle-earth ™ II\\game.dat"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"7827:TCP"= 7827:TCP:Services
"7828:TCP"= 7828:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"3978:TCP"= 3978:TCP:Services
"6456:TCP"= 6456:TCP:Services
.
R0 a347scsi;a347scsi;c:\windows\SYSTEM32\DRIVERS\a347scsi.sys [4/25/2006 7:48 PM 5248]
R0 d347bus;d347bus;c:\windows\SYSTEM32\DRIVERS\d347bus.sys [1/31/2007 11:41 PM 155136]
R0 d347prt;d347prt;c:\windows\SYSTEM32\DRIVERS\d347prt.sys [1/31/2007 11:41 PM 5248]
R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [12/13/2011 4:42 PM 64512]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [11/3/2011 12:06 PM 2152152]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [9/22/2011 1:43 PM 645048]
R2 WDDMService;WDDMService;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [3/9/2011 10:07 AM 238592]
R2 WDFME;WD File Management Engine;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDFME\WDFME.exe [3/9/2011 10:18 AM 1060864]
R2 WDSC;WD File Management Shadow Engine;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSC.exe [3/9/2011 10:16 AM 484352]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/27/2009 3:32 PM 133104]
S2 necusb;NEC USB Device Service;c:\windows\System32\svchost.exe -k necusb3 [8/4/2004 5:00 AM 14336]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [9/27/2009 3:32 PM 133104]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [11/3/2011 12:06 PM 15232]
S3 pohci13F;pohci13F;\??\c:\docume~1\Pete\LOCALS~1\Temp\pohci13F.sys --> c:\docume~1\Pete\LOCALS~1\Temp\pohci13F.sys [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\SYSTEM32\DRIVERS\wdcsam.sys [6/18/2011 6:58 PM 11520]
S4 a347bus;a347bus;c:\windows\SYSTEM32\DRIVERS\a347bus.sys [4/25/2006 7:48 PM 160640]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
necusb3 REG_MULTI_SZ necusb
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9C450606-ED24-4958-92BA-B8940C99D441}]
2009-03-04 20:32 8192 ----a-w- c:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-17 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-11-03 17:06]
.
2011-12-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-27 20:32]
.
2011-12-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-27 20:32]
.
2011-10-04 c:\windows\Tasks\{DDC57407-B91B-4B27-9E25-03CE44CC5339}_PAKERSDESKTOP_Pete.job
- c:\windows\system32\MOBSYNC.EXE [2004-08-04 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
uInternet Settings,ProxyOverride = local.;*.local
uInternet Settings,ProxyServer = http=127.0.0.1:49798
TCP: DhcpNameServer = 97.81.22.195 71.92.29.130 24.217.201.67
DPF: {7D731A83-6C80-4EA4-9646-5E06A0513274} - hxxp://www.shockwave.com/content/snailmail/slgwebinstall.cab
FF - ProfilePath - c:\documents and settings\Pete\Application Data\Mozilla\Firefox\Profiles\2mmvpq95.default\
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 49798
FF - prefs.js: network.proxy.type - 4
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
WebBrowser-{FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - (no file)
HKLM-Run-XcmqyLMkQQUTNHM.exe - c:\documents and settings\All Users\Application Data\XcmqyLMkQQUTNHM.exe
Notify-necusb - nwusbw32.dll
SafeBoot-68271506.sys
SafeBoot-90756627.sys
SafeBoot-klmdb.sys
MSConfigStartUp-Aim6 - c:\program files\AIM6\aim6.exe
MSConfigStartUp-mmtask - c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe
MSConfigStartUp-MMTray - c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-17 04:19
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1248)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTsvcCDA.EXE
c:\program files\Intel\Intel Application Accelerator\iaantmon.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\wdfmgr.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2012-01-17 04:27:25 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-17 09:27
ComboFix2.txt 2010-04-29 09:11
.
Pre-Run: 73,165,352,960 bytes free
Post-Run: 74,567,053,312 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 1714F4B5306DB6D296535298CFD2527F

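The two indicators worth pulling out of the log above are the browser proxy pointed at the loopback address (the `uInternet Settings,ProxyServer = http=127.0.0.1:49798` and `network.proxy.http - 127.0.0.1` lines, which is how the search redirects were being done) and a driver service whose image sits in a user's Temp directory (`pohci13F.sys`). The script below is an added example for this page, not code from ComboFix or from anyone in the thread: it parses a copied excerpt of the log, flags both indicators, and emits the same `Firefox::` CFScript section that the helper asks for in the next reply. The regular expressions are written from the line shapes visible in this log; the reading of the service prefix (R/S for running/stopped, digit for the Start value) is my interpretation of ComboFix's notation.

```python
"""Triage a ComboFix-style log for two indicators seen in this thread:
a browser proxy pointing at the loopback address (search-redirect hijack)
and a driver service whose image lives in a user's Temp directory.
Added example for this page, not code from ComboFix or BleepingComputer."""
import re

# Excerpt copied from the ComboFix log posted above (interesting lines only).
SAMPLE_LOG = r"""
S2 necusb;NEC USB Device Service;c:\windows\System32\svchost.exe -k necusb3 [8/4/2004 5:00 AM 14336]
S3 pohci13F;pohci13F;\??\c:\docume~1\Pete\LOCALS~1\Temp\pohci13F.sys --> c:\docume~1\Pete\LOCALS~1\Temp\pohci13F.sys [?]
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = local.;*.local
uInternet Settings,ProxyServer = http=127.0.0.1:49798
FF - ProfilePath - c:\documents and settings\Pete\Application Data\Mozilla\Firefox\Profiles\2mmvpq95.default\
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 49798
FF - prefs.js: network.proxy.type - 4
"""

# "uInternet Settings,ProxyServer = http=127.0.0.1:49798"   (IE / WinINET)
IE_PROXY = re.compile(r'^uInternet Settings,ProxyServer = (?:\w+=)?([^:;\s]+):(\d+)', re.M)
# "FF - prefs.js: network.proxy.http - 127.0.0.1"           (Firefox prefs.js)
FF_PREF = re.compile(r'^FF - prefs\.js: (network\.proxy\.\S+) - (\S+)', re.M)
FF_PROFILE = re.compile(r'^FF - ProfilePath - .+$', re.M)
# "S3 pohci13F;pohci13F;<image path> [...]": R/S = running/stopped, digit =
# Start value (2 auto, 3 demand, 4 disabled), then name;display name;path
SERVICE = re.compile(r'^([RS]\d) ([^;]+);([^;]*);(.*)$', re.M)


def is_loopback(host):
    """A proxy on the machine itself is the hallmark of a redirect hijack."""
    return host == 'localhost' or host == '::1' or host.startswith('127.')


def find_proxy_hijacks(log):
    """Return (client, host, port) for every browser proxied through loopback."""
    hits = []
    m = IE_PROXY.search(log)
    if m and is_loopback(m.group(1)):
        hits.append(('ie', m.group(1), int(m.group(2))))
    prefs = dict(FF_PREF.findall(log))
    host = prefs.get('network.proxy.http')
    if host and is_loopback(host):
        # network.proxy.type 1 = manual proxy; this log shows 4 (auto-detect), so
        # the pref is dormant until something flips the type. Remove it anyway.
        hits.append(('firefox', host, int(prefs.get('network.proxy.http_port', '0'))))
    return hits


def find_temp_drivers(log):
    """Return (start, name, path) for services whose image path is under \\Temp\\."""
    hits = []
    for m in SERVICE.finditer(log):
        start, name, rest = m.group(1), m.group(2), m.group(4)
        if re.search(r'\\temp\\', rest, re.I):
            path = rest.split(' -->')[0].split(' [')[0].strip()
            hits.append((start, name, path))
    return hits


def build_cfscript(log):
    """Emit the Firefox:: section of a CFScript that strips the loopback proxy
    prefs, in the same form as the script posted in reply #14."""
    if not any(client == 'firefox' for client, _, _ in find_proxy_hijacks(log)):
        return ''
    lines = ['Firefox::']
    profile = FF_PROFILE.search(log)
    if profile:
        lines.append(profile.group(0))
    for m in FF_PREF.finditer(log):
        if m.group(1) in ('network.proxy.http', 'network.proxy.http_port'):
            lines.append(m.group(0))
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    for hit in find_proxy_hijacks(SAMPLE_LOG):
        print('loopback proxy: %s -> %s:%d' % hit)
    for hit in find_temp_drivers(SAMPLE_LOG):
        print('driver from Temp: %s %s %s' % hit)
    print(build_cfscript(SAMPLE_LOG))
```

Run against the full log instead of the excerpt and the same three functions apply unchanged; the Temp-directory check is deliberately generic (anything under a `\Temp\` path), since a legitimate driver has no business loading from there regardless of name.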
#14 Elise (Malware Study Hall Admin, Romania)

Posted 17 January 2012 - 06:30 AM

Some more rootkit leftovers showing up here; let's take everything out.

CF-SCRIPT
-------------
We need to execute a CF-script.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:
Firefox::
FF - ProfilePath - c:\documents and settings\Pete\Application Data\Mozilla\Firefox\Profiles\2mmvpq95.default\
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 49798

Save this as CFScript.txt, in the same location as ComboFix.exe

[image: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Please download HelpAsst_mebroot_fix.exe and save it to your desktop.
Close out all other open programs and windows.
Double click the file to run it and follow any prompts.
If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer.
Upon restarting, please wait about 5 minutes, click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt !
When it completes, a log will open.
Please post the contents of that log.


*In the event the tool does not detect an mbr infection and completes, click Start>Run and type the following bolded command, then hit Enter.

mbr -f

Now, please do the Start>Run>mbr -f command a second time.
Now shut down the computer (do not restart, but shut it down), wait a few minutes then start it back up.
Give it about 5 minutes, then click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt !
When it completes, a log will open.
Please post the contents of that log.

**Important note to Dell users - fixing the mbr may prevent access to the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. There are a couple of known fixes for said condition, though the methods are somewhat advanced. If you are unwilling to take such a risk, you should not allow the tool to execute mbr -f nor execute the command manually, and you will either need to restore your computer to a factory state or allow your computer to remain having an infected mbr (the latter not recommended).

regards, Elise

"Now faith is the substance of things hoped for, the evidence of things not seen."
Malware analyst @ Emsisoft

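The `mbr -f` step in the reply above rewrites the master boot record's loader code, and the Dell caveat tells you why a naive check is not enough: Dell ships its own boot code for the restore hotkey, so comparing a Dell machine's MBR against a stock Microsoft loader would flag a clean system. The script below is an added example for this page, not code from the MBR or HelpAsst tools: it parses a 512-byte sector, validates the 0x55AA signature and the active-partition flag, and hashes only the code bytes (before the per-disk signature at offset 440) so they can be compared with a baseline captured from the same machine, or the same OEM image, while it was known clean. The sector bytes, partition sizes and loader bytes are constructed for the example; only the MBR layout (partition table at 446, signature at 510) is real.

```python
"""Parse a 512-byte MBR, check its boot signature and active partition, and
compare the boot-code bytes against a baseline hash so a rewritten loader
(the kind of change `mbr -f` undoes) stands out. Added example for this page,
not code from the MBR/HelpAsst tools; the sector bytes below are constructed."""
import hashlib
import struct

MBR_SIZE = 512
DISK_SIG_OFF = 440      # 4-byte Windows disk signature, differs per disk
PART_TABLE_OFF = 446    # four 16-byte partition entries
BOOT_SIG_OFF = 510      # 0x55 0xAA
PART_FMT = '<B3sB3sII'  # status, CHS start, type, CHS end, LBA start, sector count


def build_mbr(bootcode, partitions):
    """Assemble a sector from boot code and (status, type, lba, count) tuples."""
    sector = bytearray(MBR_SIZE)
    sector[:len(bootcode)] = bootcode
    for i, (status, ptype, lba, count) in enumerate(partitions):
        off = PART_TABLE_OFF + 16 * i
        sector[off:off + 16] = struct.pack(PART_FMT, status, b'\xff\xff\xff',
                                           ptype, b'\xff\xff\xff', lba, count)
    sector[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] = b'\x55\xaa'
    return bytes(sector)


def bootcode_hash(sector):
    """Hash only the code bytes, so the per-disk signature does not skew the compare."""
    return hashlib.sha256(sector[:DISK_SIG_OFF]).hexdigest()


def parse_mbr(sector):
    if len(sector) != MBR_SIZE:
        raise ValueError('MBR must be exactly 512 bytes')
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(PART_FMT, sector[off:off + 16])
        if ptype:
            parts.append({'index': i + 1, 'active': status == 0x80, 'type': ptype,
                          'lba_start': lba, 'sectors': count})
    return {'signature_ok': sector[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] == b'\x55\xaa',
            'bootcode_sha256': bootcode_hash(sector), 'partitions': parts}


def check_mbr(sector, baseline_sha256):
    """Return a list of problems; an empty list means the sector matches the baseline."""
    info = parse_mbr(sector)
    problems = []
    if not info['signature_ok']:
        problems.append('missing 0x55AA boot signature')
    if info['bootcode_sha256'] != baseline_sha256:
        problems.append('boot code differs from baseline')
    active = [p['index'] for p in info['partitions'] if p['active']]
    if len(active) != 1:
        problems.append('expected one active partition, found %d' % len(active))
    return problems


def read_mbr(device=r'\\.\PhysicalDrive0'):
    """Read the live MBR (needs administrator on Windows; use /dev/sda on Linux)."""
    with open(device, 'rb') as f:
        return f.read(MBR_SIZE)


# Constructed sample: placeholder loader bytes (not a real boot loader), a Dell
# utility partition (type 0xDE) first and the NTFS Windows partition second,
# matching boot.ini's partition(2) above. Sizes are made up.
PARTS = [(0x00, 0xDE, 63, 144522), (0x80, 0x07, 144585, 156000000)]
CLEAN_BOOTCODE = b'\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c' + b'\x90' * 24
CLEAN_MBR = build_mbr(CLEAN_BOOTCODE, PARTS)
BASELINE = bootcode_hash(CLEAN_MBR)   # capture this while the machine is known clean
# Same partition table, loader patched in place: what a bootkit leaves behind.
TAMPERED_MBR = build_mbr(b'\xeb\x1e' + CLEAN_BOOTCODE[2:], PARTS)

if __name__ == '__main__':
    print('clean   :', check_mbr(CLEAN_MBR, BASELINE) or 'ok')
    print('tampered:', check_mbr(TAMPERED_MBR, BASELINE))
```

The baseline is the whole point: hashing against a generic loader would misfire on the Dell machine in this thread, while a hash taken from the same disk before infection (or from an identical factory image) catches a patched loader without caring what the OEM put there.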
#15 Stalag Stag (Topic Starter)

Posted 19 January 2012 - 03:56 AM

Here's the Combofix log:

ComboFix 12-01-18.04 - Pete 01/19/2012 3:11.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1334 [GMT -5:00]
Running from: c:\documents and settings\Pete\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Pete\Desktop\CFScript.txt
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\_000005_.tmp.dll
c:\windows\system32\SET120.tmp
c:\windows\system32\SET121.tmp
c:\windows\system32\SET122.tmp
c:\windows\system32\SET126.tmp
c:\windows\system32\SET127.tmp
c:\windows\system32\SET128.tmp
c:\windows\system32\SET12C.tmp
c:\windows\system32\SET12E.tmp
c:\windows\system32\SET1D5.tmp
c:\windows\system32\SET1F9.tmp
.
.
((((((((((((((((((((((((( Files Created from 2011-12-19 to 2012-01-19 )))))))))))))))))))))))))))))))
.
.
2012-01-19 08:04 . 2012-01-19 08:11 -------- d-----w- C:\9fb48724ed39f03099dce976e2a3623c
2012-01-19 07:54 . 2012-01-19 07:54 -------- d-----w- c:\windows\LastGood
2012-01-17 09:12 . 2008-04-13 19:15 64512 ----a-w- c:\windows\system32\drivers\Serial.sys
2012-01-17 09:12 . 2008-04-13 19:15 64512 ----a-w- c:\windows\system32\dllcache\serial.sys
2012-01-10 09:09 . 2012-01-10 09:09 626688 ----a-w- c:\program files\Mozilla Firefox\msvcr80.dll
2012-01-10 09:09 . 2012-01-10 09:09 548864 ----a-w- c:\program files\Mozilla Firefox\msvcp80.dll
2012-01-10 09:09 . 2012-01-10 09:09 479232 ----a-w- c:\program files\Mozilla Firefox\msvcm80.dll
2012-01-10 09:09 . 2012-01-10 09:09 43992 ----a-w- c:\program files\Mozilla Firefox\mozutils.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-22 10:26 . 2004-08-04 10:00 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2011-12-13 22:39 . 2011-07-29 05:26 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-13 21:45 . 2009-11-15 21:08 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-12-13 21:45 . 2011-12-14 02:43 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-11-18 12:35 . 2004-08-04 10:00 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-17 22:36 . 2004-08-04 10:00 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2011-11-17 03:52 . 2004-08-04 10:00 26112 ----a-w- c:\windows\system32\userinit.exe
2011-11-04 19:20 . 2004-08-04 10:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2004-08-04 10:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2004-08-04 10:00 385024 ----a-w- c:\windows\system32\html.iec
2011-11-03 17:06 . 2011-12-13 21:42 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-10-28 05:31 . 2004-08-04 10:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37 . 1980-01-01 05:00 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52 . 1980-01-01 05:00 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-01-10 09:09 . 2011-10-05 05:09 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-01-17_09.20.00 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-01-29 08:58 . 2011-11-08 13:46 46080 c:\windows\SYSTEM32\tzchange.exe
- 2007-01-29 08:58 . 2011-07-08 13:49 46080 c:\windows\SYSTEM32\tzchange.exe
- 2005-06-07 21:54 . 2011-11-06 19:09 73004 c:\windows\SYSTEM32\PERFC009.DAT
+ 2005-06-07 21:54 . 2012-01-19 08:00 73004 c:\windows\SYSTEM32\PERFC009.DAT
+ 2004-08-04 10:00 . 2011-11-04 19:20 66560 c:\windows\SYSTEM32\mshtmled.dll
- 2004-08-04 10:00 . 2011-08-22 23:48 66560 c:\windows\SYSTEM32\mshtmled.dll
- 2004-08-04 10:00 . 2008-04-14 00:11 23040 c:\windows\SYSTEM32\mciseq.dll
+ 2004-08-04 10:00 . 2011-10-14 14:47 23040 c:\windows\SYSTEM32\mciseq.dll
+ 2004-08-04 10:00 . 2011-11-04 19:20 25600 c:\windows\SYSTEM32\jsproxy.dll
- 2004-08-04 10:00 . 2011-08-22 23:48 25600 c:\windows\SYSTEM32\jsproxy.dll
- 2009-08-16 18:23 . 2011-08-22 23:48 12800 c:\windows\SYSTEM32\DLLCACHE\xpshims.dll
+ 2009-08-16 18:23 . 2011-11-04 19:20 12800 c:\windows\SYSTEM32\DLLCACHE\xpshims.dll
+ 2011-11-18 12:35 . 2011-11-18 12:35 60416 c:\windows\SYSTEM32\DLLCACHE\packager.exe
- 2007-05-17 05:53 . 2011-08-22 23:48 66560 c:\windows\SYSTEM32\DLLCACHE\mshtmled.dll
+ 2007-05-17 05:53 . 2011-11-04 19:20 66560 c:\windows\SYSTEM32\DLLCACHE\mshtmled.dll
+ 2007-04-25 08:41 . 2011-11-04 19:20 55296 c:\windows\SYSTEM32\DLLCACHE\msfeedsbs.dll
- 2007-04-25 08:41 . 2011-08-22 23:48 55296 c:\windows\SYSTEM32\DLLCACHE\msfeedsbs.dll
+ 2011-10-14 14:47 . 2011-10-14 14:47 23040 c:\windows\SYSTEM32\DLLCACHE\mciseq.dll
+ 2006-10-17 16:05 . 2011-11-04 19:20 43520 c:\windows\SYSTEM32\DLLCACHE\licmgr10.dll
- 2006-10-17 16:05 . 2011-08-22 23:48 43520 c:\windows\SYSTEM32\DLLCACHE\licmgr10.dll
- 2007-05-17 05:53 . 2011-08-22 23:48 25600 c:\windows\SYSTEM32\DLLCACHE\jsproxy.dll
+ 2007-05-17 05:53 . 2011-11-04 19:20 25600 c:\windows\SYSTEM32\DLLCACHE\jsproxy.dll
+ 2009-12-14 07:08 . 2011-10-28 05:31 33280 c:\windows\SYSTEM32\DLLCACHE\csrsrv.dll
- 2009-12-14 07:08 . 2011-04-26 11:07 33280 c:\windows\SYSTEM32\DLLCACHE\csrsrv.dll
+ 2012-01-17 08:42 . 2012-01-19 08:08 15836 c:\windows\SoftwareDistribution\EventCache\{EEB320A8-6D6A-4383-8ACA-76F5B9A77743}.bin
+ 2011-12-25 08:49 . 2011-12-25 08:49 31504 c:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.exe
- 2011-07-08 18:00 . 2011-07-08 18:00 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Security.dll
+ 2011-12-25 16:07 . 2011-12-25 16:07 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Security.dll
- 2011-07-07 16:04 . 2011-07-07 16:04 77824 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsn.dll
+ 2011-12-25 03:55 . 2011-12-25 03:55 77824 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsn.dll
- 2011-07-07 16:04 . 2011-07-07 16:04 86016 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorie.dll
+ 2011-12-25 03:55 . 2011-12-25 03:55 86016 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorie.dll
- 2011-07-07 16:03 . 2011-07-07 16:03 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\CORPerfMonExt.dll
+ 2011-12-25 03:55 . 2011-12-25 03:55 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\CORPerfMonExt.dll
- 2011-07-07 17:09 . 2011-07-07 17:09 32768 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
+ 2011-12-25 04:49 . 2011-12-25 04:49 32768 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
+ 2011-12-25 04:49 . 2011-12-25 04:49 24576 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_filter.dll
- 2011-07-07 17:09 . 2011-07-07 17:09 24576 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_filter.dll
+ 2012-01-19 08:00 . 2011-08-22 23:48 12800 c:\windows\ie8updates\KB2618444-IE8\xpshims.dll
+ 2012-01-19 08:00 . 2011-08-22 23:48 66560 c:\windows\ie8updates\KB2618444-IE8\mshtmled.dll
+ 2012-01-19 08:00 . 2011-08-22 23:48 55296 c:\windows\ie8updates\KB2618444-IE8\msfeedsbs.dll
+ 2012-01-19 08:00 . 2011-08-22 23:48 43520 c:\windows\ie8updates\KB2618444-IE8\licmgr10.dll
+ 2012-01-19 08:00 . 2011-08-22 23:48 25600 c:\windows\ie8updates\KB2618444-IE8\jsproxy.dll
+ 2012-01-19 08:02 . 2012-01-19 08:02 90112 c:\windows\ASSEMBLY\NativeImages1_v1.1.4322\System.Drawing.Design\1.0.5000.0__b03f5f7f11d50a3a_ec50206e\System.Drawing.Design.dll
+ 2012-01-19 08:02 . 2012-01-19 08:02 61440 c:\windows\ASSEMBLY\NativeImages1_v1.1.4322\CustomMarshalers\1.0.5000.0__b03f5f7f11d50a3a_b7eff134\CustomMarshalers.dll
+ 2012-01-19 08:25 . 2012-01-19 08:25 36864 c:\windows\ASSEMBLY\NativeImages_v2.0.50727_32\System.Web.DynamicD#\750de53f30e516eb2c62de9bab7954e9\System.Web.DynamicData.Design.ni.dll
+ 2012-01-19 07:59 . 2012-01-19 07:59 77824 c:\windows\ASSEMBLY\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
- 2011-10-14 03:19 . 2011-10-14 03:19 77824 c:\windows\ASSEMBLY\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
- 2011-10-14 03:19 . 2011-10-14 03:19 81920 c:\windows\ASSEMBLY\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
+ 2012-01-19 07:59 . 2012-01-19 07:59 81920 c:\windows\ASSEMBLY\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
+ 2012-01-19 07:59 . 2012-01-19 07:59 81920 c:\windows\ASSEMBLY\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
- 2011-10-14 03:19 . 2011-10-14 03:19 81920 c:\windows\ASSEMBLY\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
- 2011-10-14 03:19 . 2011-10-14 03:19 32768 c:\windows\ASSEMBLY\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
+ 2012-01-19 07:59 . 2012-01-19 07:59 32768 c:\windows\ASSEMBLY\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
+ 2012-01-19 07:59 . 2012-01-19 07:59 12800 c:\windows\ASSEMBLY\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
- 2011-10-14 03:19 . 2011-10-14 03:19 12800 c:\windows\ASSEMBLY\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
- 2011-10-14 03:19 . 2011-10-14 03:19 28672 c:\windows\ASSEMBLY\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
+ 2012-01-19 07:59 . 2012-01-19 07:59 28672 c:\windows\ASSEMBLY\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
+ 2012-01-19 07:59 . 2012-01-19 07:59 77824 c:\windows\ASSEMBLY\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
- 2011-10-14 03:19 . 2011-10-14 03:19 77824 c:\windows\ASSEMBLY\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
- 2011-10-14 03:19 . 2011-10-14 03:19 36864 c:\windows\ASSEMBLY\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
+ 2012-01-19 07:59 . 2012-01-19 07:59 36864 c:\windows\ASSEMBLY\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
+ 2012-01-19 07:59 . 2012-01-19 07:59 77824 c:\windows\ASSEMBLY\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
- 2011-10-14 03:19 . 2011-10-14 03:19 77824 c:\windows\ASSEMBLY\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
+ 2012-01-19 07:59 . 2012-01-19 07:59 13312 c:\windows\ASSEMBLY\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
- 2011-10-14 03:19 . 2011-10-14 03:19 13312 c:\windows\ASSEMBLY\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
+ 2012-01-19 07:59 . 2012-01-19 07:59 10752 c:\windows\ASSEMBLY\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
- 2011-10-14 03:19 . 2011-10-14 03:19 10752 c:\windows\ASSEMBLY\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
- 2011-10-14 03:19 . 2011-10-14 03:19 72192 c:\windows\ASSEMBLY\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
+ 2012-01-19 07:59 . 2012-01-19 07:59 72192 c:\windows\ASSEMBLY\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
+ 2012-01-19 07:59 . 2012-01-19 07:59 69120 c:\windows\ASSEMBLY\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
- 2011-10-14 03:19 . 2011-10-14 03:19 69120 c:\windows\ASSEMBLY\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
- 2011-10-14 03:16 . 2011-10-14 03:16 81920 c:\windows\ASSEMBLY\GAC\System.Security\1.0.5000.0__b03f5f7f11d50a3a\System.Security.dll
+ 2012-01-19 08:02 . 2012-01-19 08:02 81920 c:\windows\ASSEMBLY\GAC\System.Security\1.0.5000.0__b03f5f7f11d50a3a\System.Security.dll
+ 2012-01-19 07:59 . 2012-01-19 07:59 8192 c:\windows\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e\IEExecRemote.dll
- 2011-10-14 03:19 . 2011-10-14 03:19 8192 c:\windows\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e\IEExecRemote.dll
+ 2012-01-19 07:59 . 2012-01-19 07:59 7168 c:\windows\ASSEMBLY\GAC_MSIL\Microsoft_VsaVb\8.0.0.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll
- 2011-10-14 03:19 . 2011-10-14 03:19 7168 c:\windows\ASSEMBLY\GAC_MSIL\Microsoft_VsaVb\8.0.0.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll
- 2011-10-14 03:19 . 2011-10-14 03:19 5632 c:\windows\ASSEMBLY\GAC_MSIL\Microsoft.VisualC\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll
+ 2012-01-19 07:59 . 2012-01-19 07:59 5632 c:\windows\ASSEMBLY\GAC_MSIL\Microsoft.VisualC\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll
+ 2012-01-19 07:59 . 2012-01-19 07:59 6656 c:\windows\ASSEMBLY\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll
- 2011-10-14 03:19 . 2011-10-14 03:19 6656 c:\windows\ASSEMBLY\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll
+ 2012-01-19 07:59 . 2012-01-19 07:59 8192 c:\windows\ASSEMBLY\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\IEExecRemote.dll
- 2011-10-14 03:19 . 2011-10-14 03:19 8192 c:\windows\ASSEMBLY\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\IEExecRemote.dll
+ 2012-01-19 07:59 . 2012-01-19 07:59 113664 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.Wrapper.dll
- 2011-10-14 03:19 . 2011-10-14 03:19 113664 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.Wrapper.dll
- 2011-10-14 03:19 . 2011-10-14 03:19 258048 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll
+ 2012-01-19 07:59 . 2012-01-19 07:59 258048 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll
+ 2005-06-07 21:54 . 2012-01-19 08:00 445798 c:\windows\SYSTEM32\PERFH009.DAT
- 2005-06-07 21:54 . 2011-11-06 19:09 445798 c:\windows\SYSTEM32\PERFH009.DAT
- 2004-08-04 10:00 . 2011-08-22 23:48 206848 c:\windows\SYSTEM32\occache.dll
+ 2004-08-04 10:00 . 2011-11-04 19:20 206848 c:\windows\SYSTEM32\occache.dll
+ 2004-08-04 10:00 . 2011-11-04 19:20 611840 c:\windows\SYSTEM32\mstime.dll
- 2004-08-04 10:00 . 2011-08-22 23:48 611840 c:\windows\SYSTEM32\mstime.dll
+ 2004-08-04 10:00 . 2011-11-04 19:20 184320 c:\windows\SYSTEM32\iepeers.dll
- 2004-08-04 10:00 . 2011-08-22 23:48 184320 c:\windows\SYSTEM32\iepeers.dll
+ 2004-08-04 10:00 . 2011-11-04 19:20 387584 c:\windows\SYSTEM32\iedkcs32.dll
- 2004-08-04 10:00 . 2011-08-22 23:48 387584 c:\windows\SYSTEM32\iedkcs32.dll
- 2004-08-04 10:00 . 2011-08-22 11:56 174080 c:\windows\SYSTEM32\ie4uinit.exe
+ 2004-08-04 10:00 . 2011-11-04 11:24 174080 c:\windows\SYSTEM32\ie4uinit.exe
- 2004-08-04 10:00 . 2011-02-09 13:53 186880 c:\windows\SYSTEM32\encdec.dll
+ 2004-08-04 10:00 . 2011-10-18 11:13 186880 c:\windows\SYSTEM32\encdec.dll
+ 2011-10-14 14:47 . 2011-10-14 14:47 176128 c:\windows\SYSTEM32\DLLCACHE\winmm.dll
+ 2007-05-17 05:53 . 2011-11-04 19:20 916992 c:\windows\SYSTEM32\DLLCACHE\wininet.dll
+ 2006-10-17 16:05 . 2011-11-04 19:20 105984 c:\windows\SYSTEM32\DLLCACHE\url.dll
- 2006-10-17 16:05 . 2011-08-22 23:48 105984 c:\windows\SYSTEM32\DLLCACHE\url.dll
+ 2006-10-17 16:04 . 2011-11-04 19:20 206848 c:\windows\SYSTEM32\DLLCACHE\occache.dll
- 2006-10-17 16:04 . 2011-08-22 23:48 206848 c:\windows\SYSTEM32\DLLCACHE\occache.dll
- 2007-05-17 05:53 . 2011-08-22 23:48 611840 c:\windows\SYSTEM32\DLLCACHE\mstime.dll
+ 2007-05-17 05:53 . 2011-11-04 19:20 611840 c:\windows\SYSTEM32\DLLCACHE\mstime.dll
- 2007-04-25 08:41 . 2011-08-22 23:48 602112 c:\windows\SYSTEM32\DLLCACHE\msfeeds.dll
+ 2007-04-25 08:41 . 2011-11-04 19:20 602112 c:\windows\SYSTEM32\DLLCACHE\msfeeds.dll
- 2009-08-16 18:23 . 2011-08-22 23:48 247808 c:\windows\SYSTEM32\DLLCACHE\ieproxy.dll
+ 2009-08-16 18:23 . 2011-11-04 19:20 247808 c:\windows\SYSTEM32\DLLCACHE\ieproxy.dll
- 2007-05-17 05:53 . 2011-08-22 23:48 184320 c:\windows\SYSTEM32\DLLCACHE\iepeers.dll
+ 2007-05-17 05:53 . 2011-11-04 19:20 184320 c:\windows\SYSTEM32\DLLCACHE\iepeers.dll
+ 2011-07-29 03:59 . 2011-11-04 19:20 743424 c:\windows\SYSTEM32\DLLCACHE\iedvtool.dll
- 2011-07-29 03:59 . 2011-08-22 23:48 743424 c:\windows\SYSTEM32\DLLCACHE\iedvtool.dll
+ 2006-11-07 07:27 . 2011-11-04 19:20 387584 c:\windows\SYSTEM32\DLLCACHE\iedkcs32.dll
- 2006-11-07 07:27 . 2011-08-22 23:48 387584 c:\windows\SYSTEM32\DLLCACHE\iedkcs32.dll
+ 2006-11-07 07:26 . 2011-11-04 11:24 174080 c:\windows\SYSTEM32\DLLCACHE\ie4uinit.exe
- 2006-11-07 07:26 . 2011-08-22 11:56 174080 c:\windows\SYSTEM32\DLLCACHE\ie4uinit.exe
+ 2011-02-09 13:53 . 2011-10-18 11:13 186880 c:\windows\SYSTEM32\DLLCACHE\encdec.dll
- 2011-02-09 13:53 . 2011-02-09 13:53 186880 c:\windows\SYSTEM32\DLLCACHE\encdec.dll
+ 2011-12-25 08:49 . 2011-12-25 08:49 436496 c:\windows\Microsoft.NET\Framework\v2.0.50727\webengine.dll
- 2011-07-07 16:04 . 2011-07-07 16:04 102400 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorld.dll
+ 2011-12-25 03:55 . 2011-12-25 03:55 102400 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorld.dll
+ 2011-12-25 03:53 . 2011-12-25 03:53 315392 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorjit.dll
- 2011-07-07 16:01 . 2011-07-07 16:01 315392 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorjit.dll
- 2011-07-07 17:09 . 2011-07-07 17:09 258048 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
+ 2011-12-25 04:49 . 2011-12-25 04:49 258048 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
+ 2011-12-25 10:40 . 2011-12-25 10:40 819200 c:\windows\Installer\532d7.msp
+ 2012-01-19 08:00 . 2011-08-22 23:48 916480 c:\windows\ie8updates\KB2618444-IE8\wininet.dll
+ 2012-01-19 08:00 . 2011-08-22 23:48 105984 c:\windows\ie8updates\KB2618444-IE8\url.dll
+ 2012-01-19 08:01 . 2010-07-05 13:16 382840 c:\windows\ie8updates\KB2618444-IE8\spuninst\updspapi.dll
+ 2012-01-19 08:01 . 2010-07-05 13:15 231288 c:\windows\ie8updates\KB2618444-IE8\spuninst\spuninst.exe
+ 2012-01-19 08:00 . 2011-08-22 23:48 206848 c:\windows\ie8updates\KB2618444-IE8\occache.dll
+ 2012-01-19 08:00 . 2011-08-22 23:48 611840 c:\windows\ie8updates\KB2618444-IE8\mstime.dll
+ 2012-01-19 08:00 . 2011-08-22 23:48 602112 c:\windows\ie8updates\KB2618444-IE8\msfeeds.dll
+ 2012-01-19 08:00 . 2011-08-22 23:48 247808 c:\windows\ie8updates\KB2618444-IE8\ieproxy.dll
+ 2012-01-19 08:00 . 2011-08-22 23:48 184320 c:\windows\ie8updates\KB2618444-IE8\iepeers.dll
+ 2012-01-19 08:00 . 2011-08-22 23:48 743424 c:\windows\ie8updates\KB2618444-IE8\iedvtool.dll
+ 2012-01-19 08:00 . 2011-08-22 23:48 387584 c:\windows\ie8updates\KB2618444-IE8\iedkcs32.dll
+ 2012-01-19 08:00 . 2011-08-22 11:56 174080 c:\windows\ie8updates\KB2618444-IE8\ie4uinit.exe
+ 2011-07-29 07:27 . 2011-10-14 03:19 261632 c:\windows\ASSEMBLY\TEMP\J2CM5OYZIJ\System.Transactions.dll
+ 2012-01-19 08:03 . 2012-01-19 08:03 835584 c:\windows\ASSEMBLY\NativeImages1_v1.1.4322\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a_fcc2bc10\System.Drawing.dll
+ 2012-01-19 08:03 . 2012-01-19 08:03 192512 c:\windows\ASSEMBLY\NativeImages1_v1.1.4322\System.Drawing.Design\1.0.5000.0__b03f5f7f11d50a3a_05fd2758\System.Drawing.Design.dll
+ 2012-01-19 08:03 . 2012-01-19 08:03 118784 c:\windows\ASSEMBLY\NativeImages1_v1.1.4322\CustomMarshalers\1.0.5000.0__b03f5f7f11d50a3a_eb27eba7\CustomMarshalers.dll
+ 2012-01-19 08:25 . 2012-01-19 08:25 129536 c:\windows\ASSEMBLY\NativeImages_v2.0.50727_32\System.Web.Routing\0bda7bdfaf440d5dd4bc6a1dea7ffa39\System.Web.Routing.ni.dll
+ 2012-01-19 08:26 . 2012-01-19 08:26 859648 c:\windows\ASSEMBLY\NativeImages_v2.0.50727_32\System.Web.Extensio#\6e29f9faa74a48b83a13a3413b826295\System.Web.Extensions.Design.ni.dll
+ 2012-01-19 08:25 . 2012-01-19 08:25 328704 c:\windows\ASSEMBLY\NativeImages_v2.0.50727_32\System.Web.Entity\be8965fe859bc53dff61579bf626858b\System.Web.Entity.ni.dll
+ 2012-01-19 08:25 . 2012-01-19 08:25 301056 c:\windows\ASSEMBLY\NativeImages_v2.0.50727_32\System.Web.Entity.D#\8441b3eb247e0344fede848337ee911c\System.Web.Entity.Design.ni.dll
+ 2012-01-19 08:25 . 2012-01-19 08:25 547328 c:\windows\ASSEMBLY\NativeImages_v2.0.50727_32\System.Web.DynamicD#\09c6a41f187ba483486cdb92dad714a1\System.Web.DynamicData.ni.dll
+ 2012-01-19 08:25 . 2012-01-19 08:25 141312 c:\windows\ASSEMBLY\NativeImages_v2.0.50727_32\System.Web.Abstract#\5efb726d424b9712632eff749411fa89\System.Web.Abstractions.ni.dll
+ 2012-01-19 08:17 . 2012-01-19 08:17 771584 c:\windows\ASSEMBLY\NativeImages_v2.0.50727_32\System.Runtime.Remo#\3c272cad7afb127e2a2bdb8a5a808512\System.Runtime.Remoting.ni.dll
+ 2012-01-19 08:24 . 2012-01-19 08:24 756736 c:\windows\ASSEMBLY\NativeImages_v2.0.50727_32\System.Data.Entity.#\f374e8e7849a72d1470b4a6a0771a137\System.Data.Entity.Design.ni.dll
+ 2012-01-19 08:24 . 2012-01-19 08:24 320512 c:\windows\ASSEMBLY\NativeImages_v2.0.50727_32\ServiceModelReg\439732479756e0f6df88d29e50a402bf\ServiceModelReg.ni.exe
+ 2012-01-19 08:14 . 2012-01-19 08:14 842240 c:\windows\ASSEMBLY\NativeImages_v2.0.50727_32\AspNetMMCExt\bfcea15c95909860c4f4ac19bd7a2d6c\AspNetMMCExt.ni.dll
- 2011-10-14 03:19 . 2011-10-14 03:19 839680 c:\windows\ASSEMBLY\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\System.Web.Services.dll
+ 2012-01-19 07:59 . 2012-01-19 07:59 839680 c:\windows\ASSEMBLY\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\System.Web.Services.dll
+ 2012-01-19 07:59 . 2012-01-19 07:59 835584 c:\windows\ASSEMBLY\GAC_MSIL\System.Web.Mobile\2.0.0.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
- 2011-10-14 03:19 . 2011-10-14 03:19 835584 c:\windows\ASSEMBLY\GAC_MSIL\System.Web.Mobile\2.0.0.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
- 2011-10-14 03:19 . 2011-10-14 03:19 114688 c:\windows\ASSEMBLY\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
+ 2012-01-19 07:59 . 2012-01-19 07:59 114688 c:\windows\ASSEMBLY\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
+ 2012-01-19 07:59 . 2012-01-19 07:59 258048 c:\windows\ASSEMBLY\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll
- 2011-10-14 03:19 . 2011-10-14 03:19 258048 c:\windows\ASSEMBLY\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll
+ 2012-01-19 07:59 . 2012-01-19 07:59 131072 c:\windows\ASSEMBLY\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
- 2011-10-14 03:19 . 2011-10-14 03:19 131072 c:\windows\ASSEMBLY\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
- 2011-10-14 03:19 . 2011-10-14 03:19 303104 c:\windows\ASSEMBLY\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
+ 2012-01-19 07:59 . 2012-01-19 07:59 303104 c:\windows\ASSEMBLY\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
+ 2012-01-19 07:59 . 2012-01-19 07:59 258048 c:\windows\ASSEMBLY\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll
- 2011-10-14 03:19 . 2011-10-14 03:19 258048 c:\windows\ASSEMBLY\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll
+ 2012-01-19 07:59 . 2012-01-19 07:59 372736 c:\windows\ASSEMBLY\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
- 2011-10-14 03:19 . 2011-10-14 03:19 372736 c:\windows\ASSEMBLY\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
+ 2012-01-19 07:59 . 2012-01-19 07:59 626688 c:\windows\ASSEMBLY\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
- 2011-10-14 03:19 . 2011-10-14 03:19 626688 c:\windows\ASSEMBLY\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
- 2011-10-14 03:19 . 2011-10-14 03:19 401408 c:\windows\ASSEMBLY\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
+ 2012-01-19 07:59 . 2012-01-19 07:59 401408 c:\windows\ASSEMBLY\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
+ 2012-01-19 07:59 . 2012-01-19 07:59 188416 c:\windows\ASSEMBLY\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll
- 2011-10-14 03:19 . 2011-10-14 03:19 188416 c:\windows\ASSEMBLY\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll
+ 2012-01-19 07:59 . 2012-01-19 07:59 970752 c:\windows\ASSEMBLY\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
- 2011-10-14 03:19 . 2011-10-14 03:19 970752 c:\windows\ASSEMBLY\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
+ 2012-01-19 07:59 . 2012-01-19 07:59 745472 c:\windows\ASSEMBLY\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
- 2011-10-14 03:19 . 2011-10-14 03:19 745472 c:\windows\ASSEMBLY\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
+ 2012-01-19 07:59 . 2012-01-19 07:59 425984 c:\windows\ASSEMBLY\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll
- 2011-10-14 03:19 . 2011-10-14 03:19 425984 c:\windows\ASSEMBLY\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll
+ 2012-01-19 07:59 . 2012-01-19 07:59 110592 c:\windows\ASSEMBLY\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll
- 2011-10-14 03:19 . 2011-10-14 03:19 110592 c:\windows\ASSEMBLY\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll
- 2011-10-14 03:19 . 2011-10-14 03:19 659456 c:\windows\ASSEMBLY\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
+ 2012-01-19 07:59 . 2012-01-19 07:59 659456 c:\windows\ASSEMBLY\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
- 2011-10-14 03:19 . 2011-10-14 03:19 372736 c:\windows\ASSEMBLY\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll
+ 2012-01-19 07:59 . 2012-01-19 07:59 372736 c:\windows\ASSEMBLY\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll
+ 2012-01-19 07:59 . 2012-01-19 07:59 110592 c:\windows\ASSEMBLY\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll
- 2011-10-14 03:19 . 2011-10-14 03:19 110592 c:\windows\ASSEMBLY\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll
- 2011-10-14 03:19 . 2011-10-14 03:19 749568 c:\windows\ASSEMBLY\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
+ 2012-01-19 07:59 . 2012-01-19 07:59 749568 c:\windows\ASSEMBLY\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
- 2011-10-14 03:19 . 2011-10-14 03:19 655360 c:\windows\ASSEMBLY\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll
+ 2012-01-19 07:59 . 2012-01-19 07:59 655360 c:\windows\ASSEMBLY\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll
+ 2012-01-19 07:59 . 2012-01-19 07:59 348160 c:\windows\ASSEMBLY\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll
- 2011-10-14 03:19 . 2011-10-14 03:19 348160 c:\windows\ASSEMBLY\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll
- 2011-10-14 03:19 . 2011-10-14 03:19 507904 c:\windows\ASSEMBLY\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll
+ 2012-01-19 07:59 . 2012-01-19 07:59 507904 c:\windows\ASSEMBLY\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll
- 2011-07-29 07:27 . 2011-10-14 03:19 261632 c:\windows\ASSEMBLY\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
+ 2011-07-29 07:27 . 2012-01-19 07:59 261632 c:\windows\ASSEMBLY\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
- 2011-10-14 03:19 . 2011-10-14 03:19 113664 c:\windows\ASSEMBLY\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll
+ 2012-01-19 07:59 . 2012-01-19 07:59 113664 c:\windows\ASSEMBLY\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll
- 2011-10-14 03:19 . 2011-10-14 03:19 258048 c:\windows\ASSEMBLY\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
+ 2012-01-19 07:59 . 2012-01-19 07:59 258048 c:\windows\ASSEMBLY\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
+ 2012-01-19 07:59 . 2012-01-19 07:59 486400 c:\windows\ASSEMBLY\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll
- 2011-10-14 03:19 . 2011-10-14 03:19 486400 c:\windows\ASSEMBLY\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll
- 2007-05-17 05:53 . 2011-08-22 23:48 1212416 c:\windows\SYSTEM32\DLLCACHE\urlmon.dll
+ 2007-05-17 05:53 . 2011-11-04 19:20 1212416 c:\windows\SYSTEM32\DLLCACHE\urlmon.dll
+ 2010-07-16 12:05 . 2011-11-01 16:07 1288704 c:\windows\SYSTEM32\DLLCACHE\ole32.dll
- 2009-08-14 01:36 . 2010-12-09 13:38 2192768 c:\windows\SYSTEM32\DLLCACHE\ntoskrnl.exe
+ 2009-08-14 01:36 . 2011-10-25 13:33 2192768 c:\windows\SYSTEM32\DLLCACHE\ntoskrnl.exe
+ 2009-08-14 01:36 . 2011-10-25 12:52 2027008 c:\windows\SYSTEM32\DLLCACHE\ntkrpamp.exe
- 2009-08-14 01:36 . 2010-12-09 13:07 2027008 c:\windows\SYSTEM32\DLLCACHE\ntkrpamp.exe
- 2009-02-08 00:02 . 2010-12-09 13:07 2069376 c:\windows\SYSTEM32\DLLCACHE\ntkrnlpa.exe
+ 2009-02-08 00:02 . 2011-10-25 12:52 2069376 c:\windows\SYSTEM32\DLLCACHE\ntkrnlpa.exe
- 2009-08-14 01:36 . 2010-12-09 13:42 2148864 c:\windows\SYSTEM32\DLLCACHE\ntkrnlmp.exe
+ 2009-08-14 01:36 . 2011-10-25 13:37 2148864 c:\windows\SYSTEM32\DLLCACHE\ntkrnlmp.exe
+ 2007-05-17 05:53 . 2011-11-04 19:20 5978112 c:\windows\SYSTEM32\DLLCACHE\mshtml.dll
+ 2007-04-25 08:41 . 2011-11-04 19:20 2000384 c:\windows\SYSTEM32\DLLCACHE\iertutil.dll
- 2007-04-25 08:41 . 2011-08-22 23:48 2000384 c:\windows\SYSTEM32\DLLCACHE\iertutil.dll
+ 2011-12-25 08:50 . 2011-12-25 08:50 5246976 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Web.dll
+ 2011-12-25 16:07 . 2011-12-25 16:07 2064384 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Windows.Forms.dll
+ 2011-12-25 16:06 . 2011-12-25 16:06 1269760 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Web.dll
+ 2011-12-25 16:06 . 2011-12-25 16:06 1232896 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.dll
- 2011-07-08 17:59 . 2011-07-08 17:59 1232896 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.dll
+ 2011-12-25 03:54 . 2011-12-25 03:54 2514944 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
- 2011-07-07 16:02 . 2011-07-07 16:02 2514944 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
- 2011-07-07 16:02 . 2011-07-07 16:02 2527232 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsvr.dll
+ 2011-12-25 03:53 . 2011-12-25 03:53 2527232 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsvr.dll
+ 2011-12-25 16:06 . 2011-12-25 16:06 2142208 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorlib.dll
- 2011-07-08 17:59 . 2011-07-08 17:59 2142208 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorlib.dll
+ 2011-12-26 14:59 . 2011-12-26 14:59 4368896 c:\windows\Installer\532b8.msp
+ 2012-01-19 08:00 . 2011-08-22 23:48 1212416 c:\windows\ie8updates\KB2618444-IE8\urlmon.dll
+ 2012-01-19 08:00 . 2011-10-03 08:35 5971456 c:\windows\ie8updates\KB2618444-IE8\mshtml.dll
+ 2012-01-19 08:00 . 2011-08-22 23:48 2000384 c:\windows\ie8updates\KB2618444-IE8\iertutil.dll
- 2009-08-14 01:36 . 2010-12-09 13:38 2192768 c:\windows\Driver Cache\I386\ntoskrnl.exe
+ 2009-08-14 01:36 . 2011-10-25 13:33 2192768 c:\windows\Driver Cache\I386\ntoskrnl.exe
+ 2009-08-14 01:36 . 2011-10-25 12:52 2027008 c:\windows\Driver Cache\I386\ntkrpamp.exe
- 2009-08-14 01:36 . 2010-12-09 13:07 2027008 c:\windows\Driver Cache\I386\ntkrpamp.exe
+ 2009-02-08 00:02 . 2011-10-25 12:52 2069376 c:\windows\Driver Cache\I386\ntkrnlpa.exe
- 2009-02-08 00:02 . 2010-12-09 13:07 2069376 c:\windows\Driver Cache\I386\ntkrnlpa.exe
+ 2009-08-14 01:36 . 2011-10-25 13:37 2148864 c:\windows\Driver Cache\I386\ntkrnlmp.exe
- 2009-08-14 01:36 . 2010-12-09 13:42 2148864 c:\windows\Driver Cache\I386\ntkrnlmp.exe
+ 2011-07-29 07:27 . 2011-10-14 03:19 2933248 c:\windows\ASSEMBLY\TEMP\6YQ91TCVWF\System.Data.dll
+ 2012-01-19 08:03 . 2012-01-19 08:03 4792320 c:\windows\ASSEMBLY\NativeImages1_v1.1.4322\System\1.0.5000.0__b77a5c561934e089_e7955fa8\System.dll
+ 2012-01-19 08:02 . 2012-01-19 08:02 1966080 c:\windows\ASSEMBLY\NativeImages1_v1.1.4322\System\1.0.5000.0__b77a5c561934e089_bd694762\System.dll
+ 2012-01-19 08:03 . 2012-01-19 08:03 5513216 c:\windows\ASSEMBLY\NativeImages1_v1.1.4322\System.Xml\1.0.5000.0__b77a5c561934e089_acf349e5\System.Xml.dll
+ 2012-01-19 08:02 . 2012-01-19 08:02 2088960 c:\windows\ASSEMBLY\NativeImages1_v1.1.4322\System.Xml\1.0.5000.0__b77a5c561934e089_21d9b482\System.Xml.dll
+ 2012-01-19 08:02 . 2012-01-19 08:02 3035136 c:\windows\ASSEMBLY\NativeImages1_v1.1.4322\System.Windows.Forms\1.0.5000.0__b77a5c561934e089_fa159b58\System.Windows.Forms.dll
+ 2012-01-19 08:03 . 2012-01-19 08:03 7917568 c:\windows\ASSEMBLY\NativeImages1_v1.1.4322\System.Windows.Forms\1.0.5000.0__b77a5c561934e089_34f2991b\System.Windows.Forms.dll
+ 2012-01-19 08:04 . 2012-01-19 08:04 2244608 c:\windows\ASSEMBLY\NativeImages1_v1.1.4322\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a_ddfad199\System.Drawing.dll
+ 2012-01-19 08:03 . 2012-01-19 08:03 3395584 c:\windows\ASSEMBLY\NativeImages1_v1.1.4322\System.Design\1.0.5000.0__b03f5f7f11d50a3a_ddf8d9a3\System.Design.dll
+ 2012-01-19 08:03 . 2012-01-19 08:03 1470464 c:\windows\ASSEMBLY\NativeImages1_v1.1.4322\System.Design\1.0.5000.0__b03f5f7f11d50a3a_3b3f3490\System.Design.dll
+ 2012-01-19 08:03 . 2012-01-19 08:03 3391488 c:\windows\ASSEMBLY\NativeImages1_v1.1.4322\MSCORLIB\1.0.5000.0__b77a5c561934e089_5b125ab8\mscorlib.dll
+ 2012-01-19 08:04 . 2012-01-19 08:04 8908800 c:\windows\ASSEMBLY\NativeImages1_v1.1.4322\MSCORLIB\1.0.5000.0__b77a5c561934e089_544066e2\mscorlib.dll
+ 2012-01-19 08:27 . 2012-01-19 08:27 1356288 c:\windows\ASSEMBLY\NativeImages_v2.0.50727_32\System.WorkflowServ#\05c29118462056cf810df0b6aa660d05\System.WorkflowServices.ni.dll
+ 2012-01-19 08:26 . 2012-01-19 08:26 1908224 c:\windows\ASSEMBLY\NativeImages_v2.0.50727_32\System.Workflow.Run#\26b3258c559dc0ab6bdce481ffd458b3\System.Workflow.Runtime.ni.dll
+ 2012-01-19 08:26 . 2012-01-19 08:26 4514304 c:\windows\ASSEMBLY\NativeImages_v2.0.50727_32\System.Workflow.Com#\1642d1b72cd84caf24cbe7c5e8fd8368\System.Workflow.ComponentModel.ni.dll
+ 2012-01-19 08:26 . 2012-01-19 08:26 2992640 c:\windows\ASSEMBLY\NativeImages_v2.0.50727_32\System.Workflow.Act#\32ce12c3c2049f2df94c44c94b052e16\System.Workflow.Activities.ni.dll
+ 2012-01-19 08:18 . 2012-01-19 08:18 1840640 c:\windows\ASSEMBLY\NativeImages_v2.0.50727_32\System.Web.Services\f63ae1310e004777e880f28377bcddd2\System.Web.Services.ni.dll
+ 2012-01-19 08:26 . 2012-01-19 08:26 2209280 c:\windows\ASSEMBLY\NativeImages_v2.0.50727_32\System.Web.Mobile\c99b02434e71ca9898bebbc08d63e885\System.Web.Mobile.ni.dll
+ 2012-01-19 08:25 . 2012-01-19 08:25 2405888 c:\windows\ASSEMBLY\NativeImages_v2.0.50727_32\System.Web.Extensio#\c8f78b9e94857fdf6c2a378dd1629ee0\System.Web.Extensions.ni.dll
+ 2012-01-19 08:25 . 2012-01-19 08:25 1706496 c:\windows\ASSEMBLY\NativeImages_v2.0.50727_32\System.ServiceModel#\ae749b024162e9ac79110c633b5ce6be\System.ServiceModel.Web.ni.dll
+ 2012-01-19 08:14 . 2012-01-19 08:14 1070080 c:\windows\ASSEMBLY\NativeImages_v2.0.50727_32\System.IdentityModel\23eb4618c9d171be9fb551a13a475a32\System.IdentityModel.ni.dll
+ 2012-01-19 08:24 . 2012-01-19 08:24 1328128 c:\windows\ASSEMBLY\NativeImages_v2.0.50727_32\System.Data.Services\f35064c125799df650c1a959d8fa450b\System.Data.Services.ni.dll
+ 2012-01-19 08:24 . 2012-01-19 08:24 1712128 c:\windows\ASSEMBLY\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\a86c12788293105a0d9fda1bc90c90bc\Microsoft.VisualBasic.ni.dll
- 2011-10-14 03:19 . 2011-10-14 03:19 3182592 c:\windows\ASSEMBLY\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
+ 2012-01-19 08:00 . 2012-01-19 08:00 3182592 c:\windows\ASSEMBLY\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
- 2011-10-14 03:19 . 2011-10-14 03:19 2048000 c:\windows\ASSEMBLY\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
+ 2012-01-19 07:59 . 2012-01-19 07:59 2048000 c:\windows\ASSEMBLY\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
+ 2012-01-19 07:59 . 2012-01-19 07:59 5025792 c:\windows\ASSEMBLY\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
- 2011-10-14 03:19 . 2011-10-14 03:19 5025792 c:\windows\ASSEMBLY\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
- 2011-07-29 07:22 . 2011-07-29 07:22 1277952 c:\windows\ASSEMBLY\GAC_MSIL\System.Web.Extensions\3.5.0.0__31bf3856ad364e35\System.Web.Extensions.dll
+ 2012-01-19 08:04 . 2012-01-19 08:04 1277952 c:\windows\ASSEMBLY\GAC_MSIL\System.Web.Extensions\3.5.0.0__31bf3856ad364e35\System.Web.Extensions.dll
+ 2012-01-19 07:59 . 2012-01-19 07:59 5062656 c:\windows\ASSEMBLY\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll
- 2011-10-14 03:19 . 2011-10-14 03:19 5062656 c:\windows\ASSEMBLY\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll
+ 2012-01-19 07:59 . 2012-01-19 07:59 5246976 c:\windows\ASSEMBLY\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
- 2011-07-29 07:27 . 2011-10-14 03:19 2933248 c:\windows\ASSEMBLY\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
+ 2011-07-29 07:27 . 2012-01-19 07:59 2933248 c:\windows\ASSEMBLY\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
+ 2011-07-29 07:27 . 2012-01-19 07:59 4550656 c:\windows\ASSEMBLY\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
- 2011-07-29 07:27 . 2011-10-14 03:19 4550656 c:\windows\ASSEMBLY\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
+ 2012-01-19 08:02 . 2012-01-19 08:02 1232896 c:\windows\ASSEMBLY\GAC\System\1.0.5000.0__b77a5c561934e089\System.dll
- 2011-10-14 03:16 . 2011-10-14 03:16 1232896 c:\windows\ASSEMBLY\GAC\System\1.0.5000.0__b77a5c561934e089\System.dll
+ 2012-01-19 08:02 . 2012-01-19 08:02 2064384 c:\windows\ASSEMBLY\GAC\System.Windows.Forms\1.0.5000.0__b77a5c561934e089\System.Windows.Forms.dll
+ 2012-01-19 08:02 . 2012-01-19 08:02 1269760 c:\windows\ASSEMBLY\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
+ 2005-08-23 15:44 . 2012-01-04 22:15 52128560 c:\windows\SYSTEM32\MRT.exe
- 2007-04-25 08:41 . 2011-08-23 21:48 11081728 c:\windows\SYSTEM32\DLLCACHE\ieframe.dll
+ 2007-04-25 08:41 . 2011-11-04 19:20 11081728 c:\windows\SYSTEM32\DLLCACHE\ieframe.dll
+ 2011-12-26 22:02 . 2011-12-26 22:02 12482048 c:\windows\Microsoft.NET\Framework\v1.1.4322\Updates\M2656353\M2656353Uninstall.msp
+ 2011-12-26 14:02 . 2011-12-26 14:02 19677184 c:\windows\Installer\532d1.msp
+ 2012-01-19 08:00 . 2011-08-23 21:48 11081728 c:\windows\ie8updates\KB2618444-IE8\ieframe.dll
+ 2012-01-19 08:18 . 2012-01-19 08:18 11817472 c:\windows\ASSEMBLY\NativeImages_v2.0.50727_32\System.Web\62e34cfb5a8b233667c7c5a47a32ad93\System.Web.ni.dll
+ 2012-01-19 08:15 . 2012-01-19 08:15 17403904 c:\windows\ASSEMBLY\NativeImages_v2.0.50727_32\System.ServiceModel\2dac4fc006596760cd4988d0bfd52ff0\System.ServiceModel.ni.dll
+ 2012-01-19 08:01 . 2012-01-19 08:01 10683392 c:\windows\ASSEMBLY\NativeImages_v2.0.50727_32\System.Design\9e15d80ffb037e9171fa4bd2e0233497\System.Design.ni.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-06-29 135168]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2004-08-22 81920]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-10-09 421736]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
WDDMStatus.lnk - c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2011-3-9 3986944]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-6-7 24576]
.
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
FriendlyName= J-Track: Satellite Tracking
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-02-23 21:19 53248 ------w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 15:50 155648 ----a-w- c:\windows\SYSTEM32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
2005-10-28 18:08 335872 ----a-w- c:\program files\Picasa2\PicasaMediaDetector.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\EA GAMES\\The Battle for Middle-earth ™\\game.dat"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Electronic Arts\\The Battle for Middle-earth ™ II\\game.dat"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"7827:TCP"= 7827:TCP:Services
"7828:TCP"= 7828:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"3978:TCP"= 3978:TCP:Services
"6456:TCP"= 6456:TCP:Services
.
R0 a347scsi;a347scsi;c:\windows\SYSTEM32\DRIVERS\a347scsi.sys [4/25/2006 7:48 PM 5248]
R0 d347bus;d347bus;c:\windows\SYSTEM32\DRIVERS\d347bus.sys [1/31/2007 11:41 PM 155136]
R0 d347prt;d347prt;c:\windows\SYSTEM32\DRIVERS\d347prt.sys [1/31/2007 11:41 PM 5248]
R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [12/13/2011 4:42 PM 64512]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [9/22/2011 1:43 PM 645048]
R2 WDDMService;WDDMService;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [3/9/2011 10:07 AM 238592]
R2 WDFME;WD File Management Engine;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDFME\WDFME.exe [3/9/2011 10:18 AM 1060864]
R2 WDSC;WD File Management Shadow Engine;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSC.exe [3/9/2011 10:16 AM 484352]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [9/27/2009 3:32 PM 133104]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [11/3/2011 12:06 PM 2152152]
S2 necusb;NEC USB Device Service;c:\windows\System32\svchost.exe -k necusb3 [8/4/2004 5:00 AM 14336]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [9/27/2009 3:32 PM 133104]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [11/3/2011 12:06 PM 15232]
S3 pohci13F;pohci13F;\??\c:\docume~1\Pete\LOCALS~1\Temp\pohci13F.sys --> c:\docume~1\Pete\LOCALS~1\Temp\pohci13F.sys [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\SYSTEM32\DRIVERS\wdcsam.sys [6/18/2011 6:58 PM 11520]
S4 a347bus;a347bus;c:\windows\SYSTEM32\DRIVERS\a347bus.sys [4/25/2006 7:48 PM 160640]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
necusb3 REG_MULTI_SZ necusb
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9C450606-ED24-4958-92BA-B8940C99D441}]
2009-03-04 20:32 8192 ----a-w- c:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-19 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-11-03 17:06]
.
2011-12-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-27 20:32]
.
2011-12-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-27 20:32]
.
2011-10-04 c:\windows\Tasks\{DDC57407-B91B-4B27-9E25-03CE44CC5339}_PAKERSDESKTOP_Pete.job
- c:\windows\system32\MOBSYNC.EXE [2004-08-04 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
uInternet Settings,ProxyOverride = local.;*.local
uInternet Settings,ProxyServer = http=127.0.0.1:49798
TCP: DhcpNameServer = 97.81.22.195 71.92.29.130 24.217.201.67
DPF: {7D731A83-6C80-4EA4-9646-5E06A0513274} - hxxp://www.shockwave.com/content/snailmail/slgwebinstall.cab
FF - ProfilePath - c:\documents and settings\Pete\Application Data\Mozilla\Firefox\Profiles\2mmvpq95.default\
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 49798
FF - prefs.js: network.proxy.type - 4
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-19 03:29
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2012-01-19 03:32:30
ComboFix-quarantined-files.txt 2012-01-19 08:32
ComboFix2.txt 2012-01-17 09:27
ComboFix3.txt 2010-04-29 09:11
.
Pre-Run: 74,729,586,688 bytes free
Post-Run: 74,716,016,640 bytes free
.
- - End Of File - - 196E50F63231C47FF2AAB72ABD3DB571


And here's the helpasst log:

C:\Documents and Settings\Pete\Desktop\HelpAsst_mebroot_fix.exe
Thu 01/19/2012 at 3:45:26.03

HelpAssistant account Inactive

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found

~~ Checking firewall ports ~~

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking mbr ~~

user & kernel MBR OK

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on Thu 01/19/2012 at 3:54:00.42

Account active No
Local Group Memberships

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
kernel: MBR read successfully
user & kernel MBR OK
malicious code @ sector 0x02E937CC4 !

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

HelpAssistant

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~



