
XP infected with possible rootkit/ pops up browser windows

16 replies to this topic

#1 J. F.

J. F.

  • Members
  • 8 posts

Posted 12 January 2012 - 05:35 PM

Hi,

A couple days ago my computer (Toshiba Satellite laptop running Windows XP) contracted some kind of virus/malware. It ran a process named "vjq.exe", redirected Google searches, and popped up various windows starting with "9newstoday". It also bumped CPU usage up to 90-100%.

I killed the process and removed all references to it in the registry, then ran Malwarebytes, Hitman, and Microsoft Security Essentials. These returned an assortment of messages that they had removed various Trojans (I'm sorry, I didn't record which ones because I thought it was fixed... silly me). I uninstalled and reinstalled Firefox as well. However, the popups are still occurring intermittently. The CPU usage issue seems to be resolved.

(Then I backed up all my files.)

I looked through the Spyware and Malware Removal Self-Help Guide and did not see this issue; this post references a similar issue. I then ran DeFogger, DDS, and GMER.

DDS log is below; two other files attached as per instructions.

Thank you so much for your help! I'm at my wits' end, too poor to buy a new computer, and about ready to type FORMAT C:


DDS log:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by J at 14:33:08 on 2012-01-12
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.381 [GMT -6:00]
.
AV: *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Xcalibur\system\programs\CFRDBService.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Xcalibur\system\programs\FinAutoLogOff.exe
C:\Xcalibur\system\programs\finSS_Server.exe
C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
C:\Program Files\Flip Video\FlipShareServer\FlipShareServer.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Microsoft IntelliPoint\Point32.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.toshibadirect.com/dpdstart
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
mRun: [NVRotateSysTray] rundll32.exe c:\windows\system32\nvsysrot.dll,Enable
mRun: [PSQLLauncher] "c:\program files\protector suite ql\launcher.exe" /startup
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [Tvs] c:\program files\toshiba\tvs\TvsTray.exe
mRun: [TFncKy] TFncKy.exe
mRun: [TPSMain] TPSMain.exe
mRun: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\point32.exe"
mRun: [Motive SmartBridge] c:\progra~1\sbclig~1\smartb~1\MotiveSB.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [THotkey] c:\program files\toshiba\toshiba applet\thotkey.exe
mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\logitech webcam software\LWS.exe" /hide
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRunOnce: [RunNarrator] Narrator.exe
dRunOnce: [adaware] reg.exe delete "HKCU\Software\AppDataLow\Software\adaware" /f
dRunOnce: [adaware_XP] reg.exe delete "HKCU\Software\adaware" /f
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: 55963676-2F5E-4BAF-AC28-CF26AA587566 - vpnweb.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file://c:\program files\mahjong escape - ancient china\images\stg_drm.ocx
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file://c:\program files\mahjong escape - ancient china\images\armhelper.ocx
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{40A239E3-060D-481D-AD28-D2AD9D4F2745} : DhcpNameServer = 192.168.1.254
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: psfus - psqlpwd.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli psqlpwd
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\j\application data\mozilla\firefox\profiles\imf0pcgy.default\
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPcol400.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
.
---- FIREFOX POLICIES ----
user_pref(security.warn_viewing_mixed,false);
user_pref(security.warn_viewing_mixed.show_once,false);
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
user_pref(security.warn_submit_insecure,false);
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R2 CFRDBService;Finnigan Database Service;c:\xcalibur\system\programs\CFRDBService.exe [2008-12-9 335923]
R2 FdRedir;FdRedir;c:\program files\common files\protector suite ql\drivers\FdRedir.sys [2006-5-5 13568]
R2 FileDisk2;FileDisk Protector Kernel Driver;c:\program files\common files\protector suite ql\drivers\filedisk.sys [2006-5-5 33024]
R2 FinAutoLogOff;Finnigan Auto Logoff;c:\xcalibur\system\programs\FinAutoLogOff.exe [2008-12-9 86068]
R2 Finnigan Security Server;Finnigan Security Server;c:\xcalibur\system\programs\finSS_Server.exe [2008-12-9 65536]
R2 FlipShareServer;FlipShare Server;c:\program files\flip video\flipshareserver\FlipShareServer.exe [2011-5-6 1085440]
R2 smihlp;SMI helper driver;c:\program files\protector suite ql\smihlp.sys [2006-5-5 3456]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S2 SequestDaemon;SequestDaemon;c:\xcalibur\system\programs\bioworksbrowser\sequestdaemon.exe --> c:\xcalibur\system\programs\bioworksbrowser\SequestDaemon.exe [?]
S3 IO_Memory;IO_Memory;\??\c:\sysprep\drivers\ioport.sys --> c:\sysprep\drivers\ioport.sys [?]
S3 SVRPEDRV;SVRPEDRV;\??\c:\sysprep\pedrv.sys --> c:\sysprep\PEDrv.sys [?]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]
.
=============== Created Last 30 ================
.
2012-01-12 17:24:42 -------- d-sh--w- c:\documents and settings\j\PrivacIE
2012-01-12 17:21:38 23624 ----a-w- c:\windows\system32\drivers\hitmanpro36.sys
2012-01-12 17:21:20 -------- d-----w- c:\documents and settings\all users\application data\HitmanPro
2012-01-12 16:44:40 -------- d-sha-r- C:\cmdcons
2012-01-12 16:28:47 98816 ----a-w- c:\windows\sed.exe
2012-01-12 16:28:47 518144 ----a-w- c:\windows\SWREG.exe
2012-01-12 16:28:47 256000 ----a-w- c:\windows\PEV.exe
2012-01-12 16:28:47 208896 ----a-w- c:\windows\MBR.exe
2012-01-12 15:09:37 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-01-12 15:09:30 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-12 15:09:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-12 00:56:17 -------- d-----w- c:\program files\Wise Registry Cleaner
2012-01-11 18:56:33 -------- d-----w- c:\windows\system32\MpEngineStore
2012-01-11 17:11:17 -------- d-----w- C:\49e20896d2841622df7c
2012-01-11 17:11:08 -------- d-----w- c:\program files\Microsoft Security Client
2012-01-11 14:19:37 -------- d-----w- c:\program files\Toolbar Cleaner
.
==================== Find3M ====================
.
2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-04 19:20:51 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20:51 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23:59 385024 ----a-w- c:\windows\system32\html.iec
2011-11-01 16:07:10 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31:48 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37:08 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52:02 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-18 11:13:22 186880 ----a-w- c:\windows\system32\encdec.dll
.
============= FINISH: 14:33:18.32 ===============


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 16 January 2012 - 12:51 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool until instructed to do so!


Click on the Watch Topic button, select Immediate Notification and click on Proceed. This will help you get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out here or here.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 J. F.

J. F.
  • Topic Starter

  • Members
  • 8 posts

Posted 16 January 2012 - 03:04 PM

Hi Gringo,

Thanks again for your help.

Per your instructions, I disabled the firewall and all AV programs, installed Recovery Console, and ran Combofix twice.

Summary: Combofix displays popups saying 1) the computer is infected with Rootkit.ZeroAccess in the tcp/ip stack and 2) Rootkit activity is detected. Running Combofix again causes the same messages to display.

Log from first run follows. I ran a diff vs. the second run log and they were identical except the program snapshot was not present in the second one.


Quarantined files log:


2012-01-12 17:26:27 . 2012-01-12 17:26:27 96 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\J\Application Data\Remote\xnhrr.dat.vir
2012-01-12 17:24:39 . 2012-01-12 17:24:39 1 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\J\Application Data\Remote\ppkk.dat.vir
2012-01-12 17:24:39 . 2012-01-12 17:24:39 1 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\J\Application Data\Remote\ddee.dat.vir
2012-01-12 17:18:56 . 2012-01-12 17:18:56 1 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\J\Application Data\Remote\uuoo.dat.vir
2012-01-12 17:18:56 . 2012-01-12 17:18:56 1 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\J\Application Data\Remote\ffcd.vir
2012-01-12 17:16:09 . 2012-01-12 17:16:09 306 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Notify-NavLogon.reg.dat
2012-01-12 17:10:46 . 2012-01-12 17:10:46 140 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\J\Application Data\Remote\_udx5_shrd_.zip
2012-01-12 17:10:37 . 2012-01-12 17:10:38 4,444 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\J\Application Data\Remote\udx5_shrd.vir
2012-01-12 17:03:36 . 2012-01-12 17:03:36 222 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB43590$\_3873769081_.zip
2012-01-12 17:02:16 . 2012-01-16 19:39:50 10,360 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2012-01-12 16:48:52 . 2012-01-12 16:48:52 61 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB43590$\338738806\cfg.ini.vir
2012-01-12 16:26:38 . 2012-01-16 19:32:14 1,682 ----a-w- C:\Qoobox\Quarantine\catchme.log
2012-01-12 10:26:46 . 2012-01-12 15:06:55 2,048 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB43590$\338738806\U\00000001.@.vir
2012-01-11 05:14:52 . 2008-04-14 00:12:32 146,432 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\regedit.com.vir
2012-01-11 05:03:52 . 2012-01-12 14:53:09 5,176 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB43590$\338738806\lsflt7.ver.vir
2012-01-11 04:28:13 . 2012-01-12 16:20:50 233 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB43590$\338738806\keywords.vir
2012-01-11 04:25:46 . 2012-01-12 16:18:52 223,744 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB43590$\338738806\kwrd.dll.vir
2012-01-11 04:25:43 . 2012-01-12 16:28:53 860 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB43590$\338738806\bckfg.tmp.vir
2012-01-11 04:24:02 . 2012-01-11 04:24:02 2,048 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB43590$\338738806\@.vir
2012-01-11 04:24:02 . 2012-01-11 04:24:02 57,600 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB43590$\338738806\L\mabnfnrc.vir
2012-01-11 04:24:02 . 2012-01-12 16:18:32 4,608 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB43590$\338738806\Desktop.ini.vir
2012-01-05 11:32:16 . 2012-01-11 04:25:41 11,264 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB43590$\338738806\U\80000000.@.vir
2012-01-05 11:19:31 . 2012-01-11 04:25:43 77,312 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB43590$\338738806\U\80000032.@.vir
2011-12-02 12:07:49 . 2012-01-11 04:25:46 224,768 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB43590$\338738806\U\00000002.@.vir
2011-11-29 13:10:08 . 2012-01-11 04:25:41 12,800 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB43590$\338738806\U\80000004.@.vir
2011-11-02 17:48:14 . 2012-01-11 04:25:40 1,024 -c--a-w- C:\Qoobox\Quarantine\C\WINDOWS\$NtUninstallKB43590$\338738806\U\00000004.@.vir
2011-09-19 13:40:01 . 2011-09-19 13:40:01 9,627 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\J\Application Data\Remote\19092011_083916_261411406_skey_19-09-2011__08-40-0_.cab.vir
2011-08-05 14:45:15 . 2012-01-12 16:10:14 4,444 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\Remote\udx5_shrd.vir
2011-08-04 20:05:19 . 2012-01-10 20:56:03 4,444 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\LocalService\Application Data\Remote\udx5_shrd.vir
2008-09-14 22:35:51 . 2008-09-14 22:35:51 153 ----a-w- C:\Qoobox\Quarantine\C\DelUS.bat.vir

Combofix run log:


ComboFix 12-01-16.02 - J 01/16/2012 13:14:45.4.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.730 [GMT -6:00]
Running from: c:\documents and settings\J\My Documents\Downloads\ComboFix.exe
AV: *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
.
.
((((((((((((((((((((((((( Files Created from 2011-12-16 to 2012-01-16 )))))))))))))))))))))))))))))))
.
.
2012-01-13 04:08 . 2012-01-13 04:08 -------- d-----w- c:\documents and settings\J\Application Data\Malwarebytes
2012-01-12 17:24 . 2012-01-12 17:24 -------- d-sh--w- c:\documents and settings\J\PrivacIE
2012-01-12 17:21 . 2012-01-12 17:30 23624 ----a-w- c:\windows\system32\drivers\hitmanpro36.sys
2012-01-12 17:21 . 2012-01-12 17:28 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro
2012-01-12 15:09 . 2012-01-12 15:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-01-12 15:09 . 2011-12-10 21:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-12 15:09 . 2012-01-12 15:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-12 00:56 . 2012-01-12 00:56 -------- d-----w- c:\program files\Wise Registry Cleaner
2012-01-11 20:54 . 2012-01-11 20:55 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2012-01-11 20:23 . 2012-01-11 20:23 -------- d-sh--w- c:\documents and settings\Janice\IECompatCache
2012-01-11 18:56 . 2012-01-12 01:12 -------- d-----w- c:\windows\system32\MpEngineStore
2012-01-11 18:51 . 2012-01-11 18:51 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\PCHealth
2012-01-11 17:11 . 2012-01-12 20:10 -------- d-----w- C:\49e20896d2841622df7c
2012-01-11 17:11 . 2012-01-12 16:33 -------- d-----w- c:\program files\Microsoft Security Client
2012-01-11 14:19 . 2012-01-11 14:19 -------- d-----w- c:\program files\Toolbar Cleaner
2012-01-03 14:22 . 2012-01-03 14:22 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2012-01-03 14:22 . 2012-01-03 14:22 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-25 21:57 . 2006-01-19 02:02 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25 . 2006-01-19 02:02 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35 . 2006-01-19 02:02 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-16 14:21 . 2006-01-19 02:02 354816 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 14:21 . 2006-01-19 02:02 152064 ----a-w- c:\windows\system32\schannel.dll
2011-11-04 19:20 . 2006-01-19 02:02 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2006-01-19 02:01 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2006-01-19 02:01 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2006-01-19 02:01 385024 ----a-w- c:\windows\system32\html.iec
2011-11-03 15:28 . 2006-01-19 02:02 386048 ----a-w- c:\windows\system32\qdvd.dll
2011-11-03 15:28 . 2006-01-19 02:02 1292288 ----a-w- c:\windows\system32\quartz.dll
2011-11-01 16:07 . 2006-01-19 02:02 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2006-01-19 02:01 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37 . 2006-01-19 02:02 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52 . 2004-08-03 22:59 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-12-21 07:24 . 2012-01-12 04:05 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-01-12_17.10.35 )))))))))))))))))))))))))))))))))))))))))
.
- 2006-01-19 02:02 . 2011-11-06 19:59 73426 c:\windows\system32\perfc009.dat
+ 2006-01-19 02:02 . 2012-01-13 14:21 73426 c:\windows\system32\perfc009.dat
- 2006-01-19 02:01 . 2008-04-14 00:11 23040 c:\windows\system32\mciseq.dll
+ 2006-01-19 02:01 . 2011-10-14 14:47 23040 c:\windows\system32\mciseq.dll
+ 2011-11-18 12:35 . 2011-11-18 12:35 60416 c:\windows\system32\dllcache\packager.exe
+ 2011-10-14 14:47 . 2011-10-14 14:47 23040 c:\windows\system32\dllcache\mciseq.dll
+ 2011-12-25 09:49 . 2011-12-25 09:49 31504 c:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.exe
- 2011-07-08 19:00 . 2011-07-08 19:00 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Security.dll
+ 2011-12-25 17:07 . 2011-12-25 17:07 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Security.dll
- 2011-07-07 17:04 . 2011-07-07 17:04 77824 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsn.dll
+ 2011-12-25 04:55 . 2011-12-25 04:55 77824 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsn.dll
- 2011-07-07 17:04 . 2011-07-07 17:04 86016 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorie.dll
+ 2011-12-25 04:55 . 2011-12-25 04:55 86016 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorie.dll
+ 2011-12-25 04:55 . 2011-12-25 04:55 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\CORPerfMonExt.dll
- 2011-07-07 17:03 . 2011-07-07 17:03 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\CORPerfMonExt.dll
- 2011-07-07 18:09 . 2011-07-07 18:09 32768 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
+ 2011-12-25 05:49 . 2011-12-25 05:49 32768 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
- 2011-07-07 18:09 . 2011-07-07 18:09 24576 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_filter.dll
+ 2011-12-25 05:49 . 2011-12-25 05:49 24576 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_filter.dll
+ 2012-01-13 14:24 . 2012-01-13 14:24 90112 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing.Design\1.0.5000.0__b03f5f7f11d50a3a_187129a3\System.Drawing.Design.dll
+ 2012-01-13 14:24 . 2012-01-13 14:24 61440 c:\windows\assembly\NativeImages1_v1.1.4322\CustomMarshalers\1.0.5000.0__b03f5f7f11d50a3a_3307497f\CustomMarshalers.dll
+ 2012-01-13 14:32 . 2012-01-13 14:32 36864 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.DynamicD#\750de53f30e516eb2c62de9bab7954e9\System.Web.DynamicData.Design.ni.dll
- 2011-10-16 20:13 . 2011-10-16 20:13 77824 c:\windows\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
+ 2012-01-13 14:20 . 2012-01-13 14:20 77824 c:\windows\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
+ 2012-01-13 14:20 . 2012-01-13 14:20 81920 c:\windows\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
- 2011-10-16 20:12 . 2011-10-16 20:12 81920 c:\windows\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
+ 2012-01-13 14:20 . 2012-01-13 14:20 81920 c:\windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
- 2011-10-16 20:13 . 2011-10-16 20:13 81920 c:\windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
+ 2012-01-13 14:20 . 2012-01-13 14:20 32768 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
- 2011-10-16 20:13 . 2011-10-16 20:13 32768 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
- 2011-10-16 20:13 . 2011-10-16 20:13 12800 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
+ 2012-01-13 14:20 . 2012-01-13 14:20 12800 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
+ 2012-01-13 14:20 . 2012-01-13 14:20 28672 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
- 2011-10-16 20:13 . 2011-10-16 20:13 28672 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
+ 2012-01-13 14:20 . 2012-01-13 14:20 77824 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
- 2011-10-16 20:13 . 2011-10-16 20:13 77824 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
+ 2012-01-13 14:20 . 2012-01-13 14:20 36864 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
- 2011-10-16 20:13 . 2011-10-16 20:13 36864 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
- 2011-10-16 20:13 . 2011-10-16 20:13 77824 c:\windows\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
+ 2012-01-13 14:20 . 2012-01-13 14:20 77824 c:\windows\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
- 2011-10-16 20:13 . 2011-10-16 20:13 13312 c:\windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
+ 2012-01-13 14:20 . 2012-01-13 14:20 13312 c:\windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
+ 2012-01-13 14:20 . 2012-01-13 14:20 10752 c:\windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-01 7557120]
"nwiz"="nwiz.exe" [2006-05-01 1519616]
"NVRotateSysTray"="c:\windows\system32\nvsysrot.dll" [2006-05-01 49152]
"PSQLLauncher"="c:\program files\Protector Suite QL\launcher.exe" [2006-05-06 30208]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 88203]
"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2005-11-30 73728]
"TFncKy"="TFncKy.exe" [BU]
"TPSMain"="TPSMain.exe" [2005-06-01 282624]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-18 151552]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-10-06 122940]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 602182]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2005-03-23 217088]
"Motive SmartBridge"="c:\progra~1\SBCLIG~1\SMARTB~1\MotiveSB.exe" [2003-12-10 380928]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1343488]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2006-01-05 352256]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-27 122880]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-04 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"adaware"="reg.exe delete HKCU\Software\AppDataLow\Software\adaware" [X]
"adaware_XP"="reg.exe delete HKCU\Software\adaware" [X]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2006-10-25 25214]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-1-18 155648]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2006-05-06 00:48 40448 ----a-w- c:\windows\system32\psqlpwd.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk]
backup=c:\windows\pss\VPN Client.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"24726:TCP"= 24726:TCP:FlipShareServer
"24727:TCP"= 24727:TCP:FlipShareServer
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundMaskRequest"= 1 (0x1)
"AllowInboundRouterRequest"= 1 (0x1)
"AllowOutboundDestinationUnreachable"= 1 (0x1)
"AllowOutboundSourceQuench"= 1 (0x1)
"AllowOutboundParameterProblem"= 1 (0x1)
"AllowOutboundTimeExceeded"= 1 (0x1)
"AllowRedirect"= 1 (0x1)
"AllowOutboundPacketTooBig"= 1 (0x1)
.
R2 CFRDBService;Finnigan Database Service;c:\xcalibur\system\programs\CFRDBService.exe [12/9/2008 8:23 PM 335923]
R2 FdRedir;FdRedir;c:\program files\Common Files\Protector Suite QL\Drivers\FdRedir.sys [5/5/2006 7:00 PM 13568]
R2 FileDisk2;FileDisk Protector Kernel Driver;c:\program files\Common Files\Protector Suite QL\Drivers\filedisk.sys [5/5/2006 6:59 PM 33024]
R2 FinAutoLogOff;Finnigan Auto Logoff;c:\xcalibur\system\programs\FinAutoLogOff.exe [12/9/2008 8:23 PM 86068]
R2 Finnigan Security Server;Finnigan Security Server;c:\xcalibur\system\programs\finSS_Server.exe [12/9/2008 8:23 PM 65536]
R2 FlipShareServer;FlipShare Server;c:\program files\Flip Video\FlipShareServer\FlipShareServer.exe [5/6/2011 12:58 PM 1085440]
R2 smihlp;SMI helper driver;c:\program files\Protector Suite QL\smihlp.sys [5/5/2006 6:33 PM 3456]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 SequestDaemon;SequestDaemon;c:\xcalibur\system\programs\BioworksBrowser\SequestDaemon.exe --> c:\xcalibur\system\programs\BioworksBrowser\SequestDaemon.exe [?]
S3 IO_Memory;IO_Memory;\??\c:\sysprep\Drivers\ioport.sys --> c:\sysprep\Drivers\ioport.sys [?]
S3 SVRPEDRV;SVRPEDRV;\??\c:\sysprep\PEDrv.sys --> c:\sysprep\PEDrv.sys [?]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.toshibadirect.com/dpdstart
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
TCP: DhcpNameServer = 192.168.1.254
DPF: 55963676-2F5E-4BAF-AC28-CF26AA587566 - vpnweb.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\J\Application Data\Mozilla\Firefox\Profiles\imf0pcgy.default\
user_pref(security.warn_viewing_mixed,false);
user_pref(security.warn_viewing_mixed.show_once,false);
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
user_pref(security.warn_submit_insecure,false);
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-16 13:23
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(852)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\windows\system32\biologon.dll
c:\program files\Protector Suite QL\homepass.dll
c:\program files\Protector Suite QL\bio.dll
c:\program files\Protector Suite QL\remote.dll
c:\program files\Protector Suite QL\crypto.dll
.
- - - - - - - > 'lsass.exe'(908)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homefus2.dll
.
Completion time: 2012-01-16 13:24:28
ComboFix-quarantined-files.txt 2012-01-16 19:24
.
Pre-Run: 44,234,764,288 bytes free
Post-Run: 44,251,893,760 bytes free
.
- - End Of File - - 7C75418373308C5C6CD2D88522681CD5

#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:03:54 PM

Posted 19 January 2012 - 12:57 AM

Hello

So sorry for missing your reply.

I want you to run this tool for me next.

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#5 J. F.

J. F.
  • Topic Starter

  • Members
  • 8 posts
  • Local time:02:54 PM

Posted 19 January 2012 - 09:45 AM

I ran TDSSkiller and it did not detect any suspicious files. The log follows. Thanks!


************

08:43:57.0937 3356 TDSS rootkit removing tool 2.7.5.0 Jan 18 2012 09:26:24
08:43:58.0296 3356 ============================================================
08:43:58.0296 3356 Current date / time: 2012/01/19 08:43:58.0296
08:43:58.0296 3356 SystemInfo:
08:43:58.0296 3356
08:43:58.0296 3356 OS Version: 5.1.2600 ServicePack: 3.0
08:43:58.0296 3356 Product type: Workstation
08:43:58.0296 3356 ComputerName: US
08:43:58.0296 3356 UserName: J
08:43:58.0296 3356 Windows directory: C:\WINDOWS
08:43:58.0296 3356 System windows directory: C:\WINDOWS
08:43:58.0296 3356 Processor architecture: Intel x86
08:43:58.0296 3356 Number of processors: 2
08:43:58.0296 3356 Page size: 0x1000
08:43:58.0296 3356 Boot type: Normal boot
08:43:58.0296 3356 ============================================================
08:43:59.0921 3356 Drive \Device\Harddisk0\DR0 - Size: 0x12A1F16000 (74.53 Gb), SectorSize: 0x200, Cylinders: 0x2601, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
08:43:59.0937 3356 Initialize success
08:44:03.0265 2296 ============================================================
08:44:03.0265 2296 Scan started
08:44:03.0265 2296 Mode: Manual;
08:44:03.0265 2296 ============================================================
08:44:04.0281 2296 Abiosdsk - ok
08:44:04.0312 2296 abp480n5 - ok
08:44:04.0375 2296 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
08:44:04.0375 2296 ACPI - ok
08:44:04.0390 2296 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
08:44:04.0390 2296 ACPIEC - ok
08:44:04.0406 2296 adpu160m - ok
08:44:04.0437 2296 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
08:44:04.0437 2296 aec - ok
08:44:04.0484 2296 AegisP (12dafd934641dcf61e446313bc261ec2) C:\WINDOWS\system32\DRIVERS\AegisP.sys
08:44:04.0484 2296 AegisP - ok
08:44:04.0546 2296 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
08:44:04.0546 2296 AFD - ok
08:44:04.0796 2296 AgereSoftModem (b3192376c7a3814b5341efc2202022f8) C:\WINDOWS\system32\DRIVERS\AGRSM.sys
08:44:04.0796 2296 AgereSoftModem - ok
08:44:04.0828 2296 Aha154x - ok
08:44:04.0875 2296 aic78u2 - ok
08:44:04.0906 2296 aic78xx - ok
08:44:04.0937 2296 AliIde - ok
08:44:04.0968 2296 amsint - ok
08:44:05.0187 2296 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
08:44:05.0187 2296 Arp1394 - ok
08:44:05.0218 2296 asc - ok
08:44:05.0250 2296 asc3350p - ok
08:44:05.0296 2296 asc3550 - ok
08:44:05.0359 2296 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
08:44:05.0359 2296 AsyncMac - ok
08:44:05.0406 2296 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
08:44:05.0406 2296 atapi - ok
08:44:05.0484 2296 Atdisk - ok
08:44:05.0703 2296 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
08:44:05.0703 2296 Atmarpc - ok
08:44:05.0734 2296 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
08:44:05.0734 2296 audstub - ok
08:44:05.0781 2296 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
08:44:05.0781 2296 Beep - ok
08:44:05.0843 2296 C-Dilla (4ff76600b4ca68376b80af1683799c60) C:\WINDOWS\system32\drivers\CDANT.SYS
08:44:05.0843 2296 C-Dilla - ok
08:44:06.0015 2296 catchme - ok
08:44:06.0265 2296 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
08:44:06.0265 2296 cbidf2k - ok
08:44:06.0656 2296 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
08:44:06.0656 2296 CCDECODE - ok
08:44:06.0750 2296 cd20xrnt - ok
08:44:06.0984 2296 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
08:44:06.0984 2296 Cdaudio - ok
08:44:07.0156 2296 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
08:44:07.0156 2296 Cdfs - ok
08:44:07.0218 2296 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
08:44:07.0218 2296 Cdrom - ok
08:44:07.0343 2296 Changer - ok
08:44:07.0437 2296 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
08:44:07.0437 2296 CmBatt - ok
08:44:07.0484 2296 CmdIde - ok
08:44:07.0515 2296 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
08:44:07.0515 2296 Compbatt - ok
08:44:07.0531 2296 Cpqarray - ok
08:44:07.0593 2296 CVirtA (b5ecadf7708960f1818c7fa015f4c239) C:\WINDOWS\system32\DRIVERS\CVirtA.sys
08:44:07.0593 2296 CVirtA - ok
08:44:07.0656 2296 dac2w2k - ok
08:44:07.0718 2296 dac960nt - ok
08:44:07.0781 2296 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
08:44:07.0781 2296 Disk - ok
08:44:07.0859 2296 DLABOIOM (ee4325becef51b8c32b4329097e4f301) C:\WINDOWS\system32\DLA\DLABOIOM.SYS
08:44:07.0859 2296 DLABOIOM - ok
08:44:07.0921 2296 DLACDBHM (d979bebcf7edcc9c9ee1857d1a68c67b) C:\WINDOWS\system32\Drivers\DLACDBHM.SYS
08:44:07.0921 2296 DLACDBHM - ok
08:44:07.0937 2296 DLADResN (1e6c6597833a04c2157be7b39ea92ce1) C:\WINDOWS\system32\DLA\DLADResN.SYS
08:44:07.0937 2296 DLADResN - ok
08:44:07.0953 2296 DLAIFS_M (752376e109a090970bfa9722f0f40b03) C:\WINDOWS\system32\DLA\DLAIFS_M.SYS
08:44:07.0953 2296 DLAIFS_M - ok
08:44:07.0968 2296 DLAOPIOM (62ee7902e74b90bf1ccc4643fc6c07a7) C:\WINDOWS\system32\DLA\DLAOPIOM.SYS
08:44:07.0968 2296 DLAOPIOM - ok
08:44:07.0984 2296 DLAPoolM (5c220124c5afeaee84a9bb89d685c17b) C:\WINDOWS\system32\DLA\DLAPoolM.SYS
08:44:07.0984 2296 DLAPoolM - ok
08:44:07.0984 2296 DLARTL_N (7ee0852ae8907689df25049dcd2342e8) C:\WINDOWS\system32\Drivers\DLARTL_N.SYS
08:44:07.0984 2296 DLARTL_N - ok
08:44:08.0000 2296 DLAUDFAM (4ebb78d9bbf072119363b35b9b3e518f) C:\WINDOWS\system32\DLA\DLAUDFAM.SYS
08:44:08.0000 2296 DLAUDFAM - ok
08:44:08.0015 2296 DLAUDF_M (333b770e52d2cea7bd86391120466e43) C:\WINDOWS\system32\DLA\DLAUDF_M.SYS
08:44:08.0015 2296 DLAUDF_M - ok
08:44:08.0078 2296 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
08:44:08.0078 2296 dmboot - ok
08:44:08.0156 2296 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
08:44:08.0171 2296 dmio - ok
08:44:08.0265 2296 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
08:44:08.0265 2296 dmload - ok
08:44:08.0390 2296 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
08:44:08.0390 2296 DMusic - ok
08:44:08.0421 2296 dpti2o - ok
08:44:08.0468 2296 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
08:44:08.0468 2296 drmkaud - ok
08:44:08.0593 2296 DRVMCDB (fd0f95981fef9073659d8ec58e40aa3c) C:\WINDOWS\system32\Drivers\DRVMCDB.SYS
08:44:08.0593 2296 DRVMCDB - ok
08:44:08.0671 2296 DRVNDDM (b4869d320428cdc5ec4d7f5e808e99b5) C:\WINDOWS\system32\Drivers\DRVNDDM.SYS
08:44:08.0671 2296 DRVNDDM - ok
08:44:08.0781 2296 e1express (e1fa10ed8f9f700c1be1eae05a80ef57) C:\WINDOWS\system32\DRIVERS\e1e5132.sys
08:44:08.0781 2296 e1express - ok
08:44:08.0859 2296 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
08:44:08.0859 2296 Fastfat - ok
08:44:08.0906 2296 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
08:44:08.0906 2296 Fdc - ok
08:44:09.0000 2296 FdRedir (3314f3134ac59771a133a0cd3d343fff) C:\Program Files\Common Files\Protector Suite QL\Drivers\FdRedir.sys
08:44:09.0000 2296 FdRedir - ok
08:44:09.0000 2296 FileDisk2 (7b33f094a7a42a0225c344f5b25b1b05) C:\Program Files\Common Files\Protector Suite QL\Drivers\filedisk.sys
08:44:09.0000 2296 FileDisk2 - ok
08:44:09.0218 2296 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
08:44:09.0218 2296 Fips - ok
08:44:09.0281 2296 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
08:44:09.0296 2296 Flpydisk - ok
08:44:09.0312 2296 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
08:44:09.0312 2296 FltMgr - ok
08:44:09.0328 2296 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
08:44:09.0328 2296 Fs_Rec - ok
08:44:09.0343 2296 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
08:44:09.0343 2296 Ftdisk - ok
08:44:09.0359 2296 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
08:44:09.0359 2296 Gpc - ok
08:44:09.0390 2296 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
08:44:09.0390 2296 HDAudBus - ok
08:44:09.0640 2296 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
08:44:09.0640 2296 HidUsb - ok
08:44:09.0671 2296 hpn - ok
08:44:09.0796 2296 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
08:44:09.0796 2296 HTTP - ok
08:44:09.0828 2296 i2omgmt - ok
08:44:09.0953 2296 i2omp - ok
08:44:10.0093 2296 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
08:44:10.0093 2296 i8042prt - ok
08:44:10.0156 2296 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
08:44:10.0156 2296 Imapi - ok
08:44:10.0171 2296 ini910u - ok
08:44:10.0343 2296 IntcAzAudAddService (b12a9fc49cd2765a43829d834f518aed) C:\WINDOWS\system32\drivers\RtkHDAud.sys
08:44:10.0375 2296 IntcAzAudAddService - ok
08:44:10.0375 2296 IntelIde - ok
08:44:10.0421 2296 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
08:44:10.0421 2296 intelppm - ok
08:44:10.0421 2296 IO_Memory - ok
08:44:10.0515 2296 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
08:44:10.0515 2296 Ip6Fw - ok
08:44:10.0640 2296 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
08:44:10.0640 2296 IpFilterDriver - ok
08:44:10.0750 2296 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
08:44:10.0750 2296 IpInIp - ok
08:44:10.0796 2296 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
08:44:10.0796 2296 IpNat - ok
08:44:10.0843 2296 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
08:44:10.0843 2296 IPSec - ok
08:44:10.0953 2296 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
08:44:10.0953 2296 IRENUM - ok
08:44:11.0078 2296 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
08:44:11.0078 2296 isapnp - ok
08:44:11.0078 2296 Iviaspi (f59c3569a2f2c464bb78cb1bdcdca55e) C:\WINDOWS\system32\drivers\iviaspi.sys
08:44:11.0078 2296 Iviaspi - ok
08:44:11.0109 2296 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
08:44:11.0109 2296 Kbdclass - ok
08:44:11.0140 2296 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
08:44:11.0140 2296 kmixer - ok
08:44:11.0156 2296 KR10N (00c1ea8decf810b8eccb5c5a8186a96e) C:\WINDOWS\system32\drivers\KR10N.sys
08:44:11.0156 2296 KR10N - ok
08:44:11.0203 2296 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
08:44:11.0203 2296 KSecDD - ok
08:44:11.0218 2296 Lbd - ok
08:44:11.0234 2296 lbrtfdc - ok
08:44:11.0281 2296 LVPr2Mon (1a7db7a00a4b0d8da24cd691a4547291) C:\WINDOWS\system32\Drivers\LVPr2Mon.sys
08:44:11.0281 2296 LVPr2Mon - ok
08:44:11.0453 2296 LVRS (87ecce893d8aec5a9337b917742d339c) C:\WINDOWS\system32\DRIVERS\lvrs.sys
08:44:11.0453 2296 LVRS - ok
08:44:11.0578 2296 LVUSBSta (5f987fc1aad215ec2c60cf07719b1cce) C:\WINDOWS\system32\drivers\LVUSBSta.sys
08:44:11.0578 2296 LVUSBSta - ok
08:44:11.0593 2296 meiudf (7efac183a25b30fb5d64cc9d484b1eb6) C:\WINDOWS\system32\Drivers\meiudf.sys
08:44:11.0593 2296 meiudf - ok
08:44:11.0625 2296 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
08:44:11.0625 2296 mnmdd - ok
08:44:11.0671 2296 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
08:44:11.0671 2296 Modem - ok
08:44:11.0718 2296 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
08:44:11.0718 2296 Mouclass - ok
08:44:11.0765 2296 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
08:44:11.0765 2296 mouhid - ok
08:44:11.0890 2296 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
08:44:11.0890 2296 MountMgr - ok
08:44:12.0015 2296 mraid35x - ok
08:44:12.0140 2296 MREMP50 (9bd4dcb5412921864a7aacdedfbd1923) C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS
08:44:12.0140 2296 MREMP50 - ok
08:44:12.0140 2296 MREMPR5 - ok
08:44:12.0140 2296 MRENDIS5 - ok
08:44:12.0171 2296 MRESP50 (07c02c892e8e1a72d6bf35004f0e9c5e) C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS
08:44:12.0171 2296 MRESP50 - ok
08:44:12.0375 2296 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
08:44:12.0375 2296 MRxDAV - ok
08:44:12.0484 2296 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
08:44:12.0484 2296 MRxSmb - ok
08:44:12.0562 2296 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
08:44:12.0562 2296 Msfs - ok
08:44:12.0640 2296 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
08:44:12.0640 2296 MSKSSRV - ok
08:44:12.0703 2296 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
08:44:12.0703 2296 MSPCLOCK - ok
08:44:12.0765 2296 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
08:44:12.0765 2296 MSPQM - ok
08:44:12.0906 2296 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
08:44:12.0906 2296 mssmbios - ok
08:44:13.0031 2296 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
08:44:13.0031 2296 MSTEE - ok
08:44:13.0109 2296 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
08:44:13.0125 2296 Mup - ok
08:44:13.0187 2296 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
08:44:13.0187 2296 NABTSFEC - ok
08:44:13.0406 2296 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
08:44:13.0406 2296 NDIS - ok
08:44:13.0468 2296 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
08:44:13.0468 2296 NdisIP - ok
08:44:13.0562 2296 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
08:44:13.0562 2296 NdisTapi - ok
08:44:13.0671 2296 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
08:44:13.0671 2296 Ndisuio - ok
08:44:13.0796 2296 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
08:44:13.0796 2296 NdisWan - ok
08:44:13.0859 2296 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
08:44:13.0859 2296 NDProxy - ok
08:44:13.0921 2296 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
08:44:13.0921 2296 NetBIOS - ok
08:44:13.0968 2296 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
08:44:13.0984 2296 NetBT - ok
08:44:14.0140 2296 Netdevio (1265eb253ed4ebe4acb3bd5f548ff796) C:\WINDOWS\system32\DRIVERS\netdevio.sys
08:44:14.0140 2296 Netdevio - ok
08:44:14.0265 2296 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
08:44:14.0281 2296 NIC1394 - ok
08:44:14.0546 2296 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
08:44:14.0546 2296 Npfs - ok
08:44:14.0828 2296 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
08:44:14.0828 2296 Ntfs - ok
08:44:14.0875 2296 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
08:44:14.0875 2296 Null - ok
08:44:15.0109 2296 nv (ac5267c71f72fb42511ed5790ba0e9f5) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
08:44:15.0140 2296 nv - ok
08:44:15.0203 2296 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
08:44:15.0203 2296 NwlnkFlt - ok
08:44:15.0375 2296 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
08:44:15.0375 2296 NwlnkFwd - ok
08:44:15.0468 2296 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
08:44:15.0468 2296 ohci1394 - ok
08:44:15.0500 2296 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
08:44:15.0515 2296 Parport - ok
08:44:15.0515 2296 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
08:44:15.0515 2296 PartMgr - ok
08:44:15.0531 2296 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
08:44:15.0531 2296 ParVdm - ok
08:44:15.0546 2296 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
08:44:15.0546 2296 PCI - ok
08:44:15.0562 2296 PCIDump - ok
08:44:15.0578 2296 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
08:44:15.0578 2296 PCIIde - ok
08:44:15.0593 2296 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
08:44:15.0593 2296 Pcmcia - ok
08:44:15.0609 2296 PDCOMP - ok
08:44:15.0625 2296 PDFRAME - ok
08:44:15.0640 2296 PDRELI - ok
08:44:15.0656 2296 PDRFRAME - ok
08:44:15.0703 2296 pepifilter (b20f958b207e6aaac5f70d04dd2c30d8) C:\WINDOWS\system32\DRIVERS\lv302af.sys
08:44:15.0703 2296 pepifilter - ok
08:44:15.0750 2296 perc2 - ok
08:44:15.0765 2296 perc2hib - ok
08:44:15.0796 2296 Pfc (444f122e68db44c0589227781f3c8b3f) C:\WINDOWS\system32\drivers\pfc.sys
08:44:15.0796 2296 Pfc - ok
08:44:15.0984 2296 PID_PEPI (dd184d9adfe2a8a21741dbdfe9e22f5c) C:\WINDOWS\system32\DRIVERS\LV302V32.SYS
08:44:16.0000 2296 PID_PEPI - ok
08:44:16.0171 2296 Point32 (e4910ce9d882bf825979fcf4636a9bd8) C:\WINDOWS\system32\DRIVERS\point32.sys
08:44:16.0171 2296 Point32 - ok
08:44:16.0281 2296 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
08:44:16.0281 2296 PptpMiniport - ok
08:44:16.0296 2296 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
08:44:16.0296 2296 PSched - ok
08:44:16.0312 2296 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
08:44:16.0312 2296 Ptilink - ok
08:44:16.0343 2296 PxHelp20 (81088114178112618b1c414a65e50f7c) C:\WINDOWS\system32\Drivers\PxHelp20.sys
08:44:16.0343 2296 PxHelp20 - ok
08:44:16.0390 2296 ql1080 - ok
08:44:16.0390 2296 Ql10wnt - ok
08:44:16.0406 2296 ql12160 - ok
08:44:16.0421 2296 ql1240 - ok
08:44:16.0437 2296 ql1280 - ok
08:44:16.0484 2296 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
08:44:16.0484 2296 RasAcd - ok
08:44:16.0500 2296 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
08:44:16.0500 2296 Rasl2tp - ok
08:44:16.0515 2296 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
08:44:16.0515 2296 RasPppoe - ok
08:44:16.0531 2296 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
08:44:16.0531 2296 Raspti - ok
08:44:16.0562 2296 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
08:44:16.0562 2296 Rdbss - ok
08:44:16.0703 2296 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
08:44:16.0703 2296 RDPCDD - ok
08:44:16.0812 2296 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
08:44:16.0812 2296 RDPWD - ok
08:44:16.0906 2296 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
08:44:16.0906 2296 redbook - ok
08:44:16.0953 2296 s24trans (1cc074e0d48383d4e9bffc6a26c2a58a) C:\WINDOWS\system32\DRIVERS\s24trans.sys
08:44:16.0953 2296 s24trans - ok
08:44:17.0046 2296 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys
08:44:17.0046 2296 sdbus - ok
08:44:17.0156 2296 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
08:44:17.0156 2296 Secdrv - ok
08:44:17.0234 2296 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
08:44:17.0234 2296 Serial - ok
08:44:17.0312 2296 sffdisk (0fa803c64df0914b41f807ea276bf2a6) C:\WINDOWS\system32\DRIVERS\sffdisk.sys
08:44:17.0312 2296 sffdisk - ok
08:44:17.0406 2296 sffp_sd (c17c331e435ed8737525c86a7557b3ac) C:\WINDOWS\system32\DRIVERS\sffp_sd.sys
08:44:17.0406 2296 sffp_sd - ok
08:44:17.0546 2296 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
08:44:17.0546 2296 Sfloppy - ok
08:44:17.0578 2296 Simbad - ok
08:44:17.0656 2296 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
08:44:17.0656 2296 SLIP - ok
08:44:17.0718 2296 smihlp (94eede27fd7d46707be49127922695a7) C:\Program Files\Protector Suite QL\smihlp.sys
08:44:17.0718 2296 smihlp - ok
08:44:17.0875 2296 Sparrow - ok
08:44:17.0953 2296 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
08:44:17.0953 2296 splitter - ok
08:44:17.0984 2296 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
08:44:17.0984 2296 sr - ok
08:44:18.0031 2296 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
08:44:18.0031 2296 Srv - ok
08:44:18.0093 2296 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
08:44:18.0093 2296 streamip - ok
08:44:18.0109 2296 SVRPEDRV - ok
08:44:18.0140 2296 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
08:44:18.0140 2296 swenum - ok
08:44:18.0250 2296 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
08:44:18.0250 2296 swmidi - ok
08:44:18.0328 2296 symc810 - ok
08:44:18.0375 2296 symc8xx - ok
08:44:18.0421 2296 sym_hi - ok
08:44:18.0453 2296 sym_u3 - ok
08:44:18.0562 2296 SynTP (cfb41bf11ae95c26133bae3ec2e334bd) C:\WINDOWS\system32\DRIVERS\SynTP.sys
08:44:18.0562 2296 SynTP - ok
08:44:18.0734 2296 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
08:44:18.0734 2296 sysaudio - ok
08:44:18.0781 2296 tbiosdrv (7147b0575bcc93a6ab7d5c90f47c0b9f) C:\WINDOWS\system32\DRIVERS\tbiosdrv.sys
08:44:18.0781 2296 tbiosdrv - ok
08:44:18.0890 2296 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
08:44:18.0890 2296 Tcpip - ok
08:44:19.0046 2296 TcUsb (fc6fe02f400308606a911640e72326b5) C:\WINDOWS\system32\Drivers\tcusb.sys
08:44:19.0046 2296 TcUsb - ok
08:44:19.0156 2296 tdcmdpst (2f8bfbdb5824c71f672779b4b8cf8b01) C:\WINDOWS\system32\DRIVERS\tdcmdpst.sys
08:44:19.0156 2296 tdcmdpst - ok
08:44:19.0250 2296 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
08:44:19.0250 2296 TDPIPE - ok
08:44:19.0390 2296 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
08:44:19.0390 2296 TDTCP - ok
08:44:19.0468 2296 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
08:44:19.0468 2296 TermDD - ok
08:44:19.0562 2296 tifm21 (244cfbffdefb77f3df571a8cd108fc06) C:\WINDOWS\system32\drivers\tifm21.sys
08:44:19.0562 2296 tifm21 - ok
08:44:19.0625 2296 TosIde - ok
08:44:19.0750 2296 tosrfec (cc069342ee0eae55b32a0ae99cf6185c) C:\WINDOWS\system32\DRIVERS\tosrfec.sys
08:44:19.0765 2296 tosrfec - ok
08:44:19.0828 2296 TVALD (676db15ddf2e0ff6ec03068dea428b8b) C:\WINDOWS\system32\DRIVERS\NBSMI.sys
08:44:19.0828 2296 TVALD - ok
08:44:19.0859 2296 Tvs (cc6763889198ef975b143d49789bcfa9) C:\WINDOWS\system32\DRIVERS\Tvs.sys
08:44:19.0859 2296 Tvs - ok
08:44:19.0890 2296 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
08:44:19.0890 2296 Udfs - ok
08:44:19.0937 2296 ultra - ok
08:44:20.0078 2296 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
08:44:20.0078 2296 Update - ok
08:44:20.0171 2296 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
08:44:20.0171 2296 usbaudio - ok
08:44:20.0328 2296 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
08:44:20.0328 2296 usbccgp - ok
08:44:20.0468 2296 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
08:44:20.0468 2296 usbehci - ok
08:44:20.0546 2296 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
08:44:20.0562 2296 usbhub - ok
08:44:20.0656 2296 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
08:44:20.0656 2296 usbprint - ok
08:44:20.0781 2296 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
08:44:20.0781 2296 usbscan - ok
08:44:20.0906 2296 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
08:44:20.0906 2296 USBSTOR - ok
08:44:21.0000 2296 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
08:44:21.0000 2296 usbuhci - ok
08:44:21.0046 2296 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
08:44:21.0046 2296 VgaSave - ok
08:44:21.0093 2296 ViaIde - ok
08:44:21.0187 2296 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
08:44:21.0187 2296 VolSnap - ok
08:44:21.0281 2296 vpnva - ok
08:44:21.0312 2296 vsdatant - ok
08:44:21.0453 2296 w39n51 (b1f126e7e28877106d60e6ff3998d033) C:\WINDOWS\system32\DRIVERS\w39n51.sys
08:44:21.0468 2296 w39n51 - ok
08:44:21.0578 2296 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
08:44:21.0578 2296 Wanarp - ok
08:44:21.0734 2296 wanatw (0a716c08cb13c3a8f4f51e882dbf7416) C:\WINDOWS\system32\DRIVERS\wanatw4.sys
08:44:21.0734 2296 wanatw - ok
08:44:21.0781 2296 WDICA - ok
08:44:21.0828 2296 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
08:44:21.0828 2296 wdmaud - ok
08:44:21.0906 2296 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
08:44:21.0906 2296 WpdUsb - ok
08:44:21.0984 2296 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
08:44:21.0984 2296 WS2IFSL - ok
08:44:22.0046 2296 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
08:44:22.0046 2296 WSTCODEC - ok
08:44:22.0171 2296 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
08:44:22.0171 2296 WudfPf - ok
08:44:22.0250 2296 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
08:44:22.0250 2296 WudfRd - ok
08:44:22.0281 2296 MBR (0x1B8) (09ce7397af23d4c0b331b89d0297cc7e) \Device\Harddisk0\DR0
08:44:22.0468 2296 \Device\Harddisk0\DR0 - ok
08:44:22.0484 2296 Boot (0x1200) (d6ea8fdbc2b86a6409622611fcd97680) \Device\Harddisk0\DR0\Partition0
08:44:22.0484 2296 \Device\Harddisk0\DR0\Partition0 - ok
08:44:22.0484 2296 ============================================================
08:44:22.0484 2296 Scan finished
08:44:22.0484 2296 ============================================================
08:44:22.0500 2312 Detected object count: 0
08:44:22.0500 2312 Actual detected object count: 0
08:44:36.0046 3324 Deinitialize success
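The TDSSKiller run gringo_pr asked for and the log J. F. posted come down to one question: did any object come back with a verdict other than "ok"? The following is an added example, not code from this thread or from Kaspersky. It parses the log format seen above into records and, going beyond the thread, compares driver and MBR hashes between two scans of the same machine so a changed kernel-driver hash stands out. The line layout is taken from the posted log; the "detected"/"suspicious" verdict words, the second "later" scan and the placeholder threat name are assumptions, and the sample input is constructed.

```python
"""Parse Kaspersky TDSSKiller text logs and compare two scans.

Added example for this thread, not TDSSKiller code. Format assumed from the
log posted above: each line is "<HH:MM:SS.mmmm> <pid> <message>", a file line
is "<name> (<md5>) <path>", a verdict line is "<name or path> - ok". The
"detected"/"suspicious" verdict words are assumed from other TDSSKiller logs.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{4})\s+(\d+)\s*(.*)$")
FILE_RE = re.compile(r"^(.+?) \(([0-9a-fA-F]{32})\) (.+)$")
VERDICT_RE = re.compile(r"^(.+?) - (ok|detected|suspicious)\b\s*(.*)$")
COUNT_RE = re.compile(r"^(Detected object count|Actual detected object count): (\d+)$")


@dataclass
class Entry:
    name: str                  # service/driver name, or "MBR (0x1B8)" / "Boot (0x1200)"
    verdict: str               # "ok", "detected" or "suspicious"
    detail: str = ""           # text after the verdict, e.g. the threat name
    md5: Optional[str] = None  # None for a service whose file is not on disk
    path: Optional[str] = None


@dataclass
class Scan:
    entries: List[Entry] = field(default_factory=list)
    detected_count: Optional[int] = None
    actual_detected_count: Optional[int] = None


def parse_tdsskiller_log(text: str) -> Scan:
    scan = Scan()
    pending: Optional[Entry] = None  # file line waiting for its verdict line
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group(3).strip()
        fm = FILE_RE.match(msg)
        if fm:
            pending = Entry(fm.group(1), "", md5=fm.group(2).lower(), path=fm.group(3))
            continue
        vm = VERDICT_RE.match(msg)
        if vm:
            subject, verdict, detail = vm.groups()
            # Drivers are judged by name ("ACPI - ok"); the MBR and boot
            # sectors by device path ("\Device\Harddisk0\DR0 - ok").
            if pending is not None and subject in (pending.name, pending.path):
                pending.verdict, pending.detail = verdict, detail
                scan.entries.append(pending)
            else:
                scan.entries.append(Entry(subject, verdict, detail))
            pending = None
            continue
        cm = COUNT_RE.match(msg)
        if cm and cm.group(1).startswith("Actual"):
            scan.actual_detected_count = int(cm.group(2))
        elif cm:
            scan.detected_count = int(cm.group(2))
    return scan


def flagged(scan: Scan) -> List[Entry]:
    """Every object TDSSKiller did not mark 'ok'."""
    return [e for e in scan.entries if e.verdict != "ok"]


def diff_hashes(baseline: Scan, later: Scan) -> Dict[str, object]:
    """Hash drift between two scans of the same machine: a kernel driver or
    MBR whose MD5 changed with no patch in between deserves a second look."""
    a = {e.name: e.md5 for e in baseline.entries if e.md5}
    b = {e.name: e.md5 for e in later.entries if e.md5}
    return {
        "changed": {n: (a[n], b[n]) for n in a.keys() & b.keys() if a[n] != b[n]},
        "added": sorted(b.keys() - a.keys()),
        "removed": sorted(a.keys() - b.keys()),
    }


# Constructed sample input. The first log reuses lines from the scan posted in
# this thread; the second is invented to show a changed hash and a detection.
BASELINE_LOG = """\
08:43:58.0296 3356 OS Version: 5.1.2600 ServicePack: 3.0
08:44:04.0281 2296 Abiosdsk - ok
08:44:04.0375 2296 ACPI (8fd99680a539792a30e97944fdaecf17) C:\\WINDOWS\\system32\\DRIVERS\\ACPI.sys
08:44:04.0375 2296 ACPI - ok
08:44:05.0406 2296 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\\WINDOWS\\system32\\DRIVERS\\atapi.sys
08:44:05.0406 2296 atapi - ok
08:44:22.0281 2296 MBR (0x1B8) (09ce7397af23d4c0b331b89d0297cc7e) \\Device\\Harddisk0\\DR0
08:44:22.0468 2296 \\Device\\Harddisk0\\DR0 - ok
08:44:22.0500 2312 Detected object count: 0
08:44:22.0500 2312 Actual detected object count: 0
"""
LATER_LOG = """\
09:10:01.0000 1001 ACPI (8fd99680a539792a30e97944fdaecf17) C:\\WINDOWS\\system32\\DRIVERS\\ACPI.sys
09:10:01.0000 1001 ACPI - ok
09:10:01.0000 1001 atapi (00000000000000000000000000000000) C:\\WINDOWS\\system32\\DRIVERS\\atapi.sys
09:10:01.0000 1001 atapi - ok
09:10:02.0000 1001 MBR (0x1B8) (ffffffffffffffffffffffffffffffff) \\Device\\Harddisk0\\DR0
09:10:02.0000 1001 \\Device\\Harddisk0\\DR0 - detected Rootkit.Boot.Example ( 0 )
09:10:03.0000 1002 Detected object count: 1
"""
```

Entries such as "Abiosdsk - ok" that carry no hash are registry service entries whose file is not present on disk; they are expected on a stock XP install and are kept with `md5=None` rather than dropped. On the posted log, `flagged()` returns an empty list and both counts are 0, which is exactly what J. F. reported; the hash diff is for the case where you hold an earlier scan of the same machine and want to see which driver files changed between runs.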

#6 gringo_pr

  • Malware Response Team

Posted 19 January 2012 - 11:59 AM

Greetings

How is the computer doing now - still getting popups?

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo


#7 J. F.

  • Topic Starter


Posted 20 January 2012 - 09:40 AM

Hi,

1) I haven't gotten any popups since I uninstalled and reinstalled Java (I forgot to mention I did this, last week before I posted; sorry).

2) I ran Combofix again after clearing the cache and it still reports that Rootkit.ZeroAccess is present and that there is rootkit activity.

Log follows. Thanks!

ComboFix 12-01-19.02 - J 01/20/2012 8:28.6.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.721 [GMT -6:00]
Running from: c:\documents and settings\J\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\J\Desktop\cfscript.txt
AV: *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
.
.
((((((((((((((((((((((((( Files Created from 2011-12-20 to 2012-01-20 )))))))))))))))))))))))))))))))
.
.
2012-01-19 14:43 . 2012-01-19 14:43 -------- d-----w- c:\documents and settings\J\Application Data\Windows Search
2012-01-17 19:20 . 2010-10-20 20:40 128416 ----a-w- c:\windows\system32\TODDSrv.exe
2012-01-17 19:16 . 2012-01-17 19:16 -------- d-----w- c:\windows\system32\winrm
2012-01-17 19:16 . 2012-01-17 19:16 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$
2012-01-17 19:16 . 2012-01-17 19:20 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2012-01-17 19:15 . 2012-01-17 19:15 -------- d-----w- c:\program files\Synaptics
2012-01-17 19:15 . 2012-01-17 19:15 -------- d-----w- c:\documents and settings\J\Application Data\Windows Desktop Search
2012-01-17 19:15 . 2012-01-19 15:54 -------- d-----w- c:\program files\Windows Desktop Search
2012-01-17 19:15 . 2012-01-17 19:15 -------- d-----w- c:\windows\system32\GroupPolicy
2012-01-17 19:12 . 2008-03-07 17:02 98304 -c----w- c:\windows\system32\dllcache\nlhtml.dll
2012-01-17 19:12 . 2008-03-07 17:02 29696 -c----w- c:\windows\system32\dllcache\mimefilt.dll
2012-01-17 19:12 . 2008-03-07 17:02 192000 -c----w- c:\windows\system32\dllcache\offfilt.dll
2012-01-17 19:12 . 2011-08-16 10:45 6144 -c----w- c:\windows\system32\dllcache\iecompat.dll
2012-01-17 13:01 . 2012-01-17 13:01 -------- d-----w- c:\documents and settings\J\Application Data\WinBatch
2012-01-13 04:08 . 2012-01-13 04:08 -------- d-----w- c:\documents and settings\J\Application Data\Malwarebytes
2012-01-12 17:24 . 2012-01-12 17:24 -------- d-sh--w- c:\documents and settings\J\PrivacIE
2012-01-12 17:21 . 2012-01-12 17:30 23624 ----a-w- c:\windows\system32\drivers\hitmanpro36.sys
2012-01-12 17:21 . 2012-01-12 17:28 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro
2012-01-12 15:09 . 2012-01-12 15:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-01-12 15:09 . 2011-12-10 21:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-12 15:09 . 2012-01-12 15:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-12 00:56 . 2012-01-12 00:56 -------- d-----w- c:\program files\Wise Registry Cleaner
2012-01-11 20:54 . 2012-01-11 20:55 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2012-01-11 20:23 . 2012-01-11 20:23 -------- d-sh--w- c:\documents and settings\Janice\IECompatCache
2012-01-11 18:56 . 2012-01-12 01:12 -------- d-----w- c:\windows\system32\MpEngineStore
2012-01-11 18:51 . 2012-01-11 18:51 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\PCHealth
2012-01-11 17:11 . 2012-01-12 20:10 -------- d-----w- C:\49e20896d2841622df7c
2012-01-11 17:11 . 2012-01-12 16:33 -------- d-----w- c:\program files\Microsoft Security Client
2012-01-11 14:19 . 2012-01-11 14:19 -------- d-----w- c:\program files\Toolbar Cleaner
2012-01-03 14:22 . 2012-01-03 14:22 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2012-01-03 14:22 . 2012-01-03 14:22 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-25 21:57 . 2006-01-19 02:02 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25 . 2006-01-19 02:02 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35 . 2006-01-19 02:02 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-16 14:21 . 2006-01-19 02:02 354816 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 14:21 . 2006-01-19 02:02 152064 ----a-w- c:\windows\system32\schannel.dll
2011-11-04 19:20 . 2006-01-19 02:02 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2006-01-19 02:01 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2006-01-19 02:01 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2006-01-19 02:01 385024 ----a-w- c:\windows\system32\html.iec
2011-11-03 15:28 . 2006-01-19 02:02 386048 ----a-w- c:\windows\system32\qdvd.dll
2011-11-03 15:28 . 2006-01-19 02:02 1292288 ----a-w- c:\windows\system32\quartz.dll
2011-11-01 16:07 . 2006-01-19 02:02 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2006-01-19 02:01 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37 . 2006-01-19 02:02 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52 . 2004-08-03 22:59 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-12-21 07:24 . 2012-01-12 04:05 121816 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot_2012-01-16_19.23.03 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-05-27 04:18 . 2008-05-27 04:18 56320 c:\windows\system32\xmlfilter.dll
+ 2009-10-09 20:56 . 2009-10-09 20:56 14848 c:\windows\system32\wsmprovhost.exe
+ 2009-10-09 20:56 . 2009-10-09 20:56 12288 c:\windows\system32\wsmplpxy.dll
+ 2009-10-09 20:56 . 2009-10-09 20:56 12288 c:\windows\system32\winrssrv.dll
+ 2009-10-09 20:56 . 2009-10-09 20:56 22528 c:\windows\system32\winrshost.exe
+ 2009-10-09 22:22 . 2009-10-09 22:22 69632 c:\windows\system32\winrs.exe
+ 2009-10-09 20:56 . 2009-10-09 20:56 25088 c:\windows\system32\winrmprov.dll
+ 2009-10-09 20:56 . 2009-10-09 20:56 24064 c:\windows\system32\WindowsPowerShell\v1.0\pwrshsip.dll
+ 2008-05-27 04:19 . 2008-05-27 04:19 97792 c:\windows\system32\UncCplExt.dll
+ 2008-05-27 03:59 . 2008-05-27 03:59 18904 c:\windows\system32\structuredqueryschematrivial.bin
+ 2006-01-19 03:50 . 2009-05-12 21:12 26144 c:\windows\system32\spupdsvc.exe
- 2006-01-19 03:50 . 2009-01-07 23:21 26144 c:\windows\system32\spupdsvc.exe
- 2008-06-26 02:35 . 2009-01-07 23:20 16928 c:\windows\system32\spmsg.dll
+ 2008-06-26 02:35 . 2009-05-12 21:12 16928 c:\windows\system32\spmsg.dll
+ 2008-05-27 04:17 . 2008-05-27 04:17 87552 c:\windows\system32\searchfilterhost.exe
+ 2008-05-27 04:18 . 2008-05-27 04:18 38400 c:\windows\system32\rtffilt.dll
+ 2012-01-17 19:15 . 2008-04-13 19:39 23040 c:\windows\system32\ReinstallBackups\0011\DriverFiles\i386\mouclass.sys
- 2011-02-06 04:18 . 2008-04-13 18:39 23040 c:\windows\system32\ReinstallBackups\0011\DriverFiles\i386\mouclass.sys
+ 2012-01-17 19:15 . 2008-04-13 20:18 52480 c:\windows\system32\ReinstallBackups\0011\DriverFiles\i386\i8042prt.sys
- 2011-02-06 04:18 . 2008-04-13 19:18 52480 c:\windows\system32\ReinstallBackups\0011\DriverFiles\i386\i8042prt.sys
+ 2009-10-09 22:22 . 2009-10-09 22:22 42496 c:\windows\system32\pwrshplugin.dll
+ 2008-05-27 04:18 . 2008-05-27 04:18 71680 c:\windows\system32\propdefs.dll
+ 2005-10-29 05:49 . 2005-10-29 05:49 84480 c:\windows\system32\pintool.exe
+ 2006-01-19 02:02 . 2012-01-17 19:15 80764 c:\windows\system32\perfc009.dat
+ 2008-05-27 04:19 . 2008-05-27 04:19 11264 c:\windows\system32\oephRes.dll
+ 2006-01-19 02:02 . 2008-03-07 17:02 98304 c:\windows\system32\nlhtml.dll
- 2006-01-19 02:02 . 2008-04-14 00:12 98304 c:\windows\system32\nlhtml.dll
+ 2008-05-27 04:18 . 2008-05-27 04:18 44032 c:\windows\system32\msstrc.dll
+ 2008-05-27 04:17 . 2008-05-27 04:17 32768 c:\windows\system32\mssprxy.dll
+ 2008-05-27 04:17 . 2008-05-27 04:17 87552 c:\windows\system32\mssitlb.dll
+ 2008-05-27 04:17 . 2008-05-27 04:17 11776 c:\windows\system32\msshooks.dll
+ 2008-05-27 04:17 . 2008-05-27 04:17 60416 c:\windows\system32\msscntrs.dll
+ 2008-05-27 04:17 . 2008-05-27 04:17 34816 c:\windows\system32\msscb.dll
- 2006-01-19 02:01 . 2008-04-14 00:11 29696 c:\windows\system32\mimefilt.dll
+ 2006-01-19 02:01 . 2008-03-07 17:02 29696 c:\windows\system32\mimefilt.dll
+ 2007-02-22 21:10 . 2007-02-22 21:10 16128 c:\windows\system32\drivers\tdcmdpst.sys
+ 2005-10-29 05:49 . 2005-10-29 05:49 25600 c:\windows\system32\bcsprsrc.dll
+ 2005-10-28 22:40 . 2005-10-28 22:40 96792 c:\windows\system32\basecsp.dll
- 2006-10-25 17:17 . 2010-10-11 16:23 25214 c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Distiller.exe
+ 2006-10-25 17:17 . 2012-01-17 19:05 25214 c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Distiller.exe
- 2006-10-25 17:17 . 2010-10-11 16:23 25214 c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat_Standard.exe
+ 2006-10-25 17:17 . 2012-01-17 19:05 25214 c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat_Standard.exe
+ 2006-10-25 17:17 . 2012-01-17 19:05 25214 c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe
- 2006-10-25 17:17 . 2010-10-11 16:23 25214 c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe
- 2006-10-25 17:17 . 2010-10-11 16:23 65536 c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\PM_Designer.exe
+ 2006-10-25 17:17 . 2012-01-17 19:05 65536 c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\PM_Designer.exe
+ 2012-01-17 19:20 . 2012-01-17 19:20 45056 c:\windows\Installer\{5DA0E02F-970B-424B-BF41-513A5018E4C0}\NewShortcut14_5DA0E02F970B424BBF41513A5018E4C0.exe
+ 2012-01-17 19:20 . 2012-01-17 19:20 45056 c:\windows\Installer\{5DA0E02F-970B-424B-BF41-513A5018E4C0}\NewShortcut13_5DA0E02F970B424BBF41513A5018E4C0.exe
+ 2012-01-17 19:20 . 2012-01-17 19:20 45056 c:\windows\Installer\{5DA0E02F-970B-424B-BF41-513A5018E4C0}\NewShortcut12_5DA0E02F970B424BBF41513A5018E4C0.exe
+ 2012-01-17 19:20 . 2012-01-17 19:20 45056 c:\windows\Installer\{5DA0E02F-970B-424B-BF41-513A5018E4C0}\NewShortcut11_5DA0E02F970B424BBF41513A5018E4C0.exe
+ 2012-01-17 19:20 . 2012-01-17 19:20 14848 c:\windows\Installer\{5DA0E02F-970B-424B-BF41-513A5018E4C0}\NewShortcut1_5DA0E02F970B424BBF41513A5018E4C0.exe
+ 2012-01-17 19:18 . 2012-01-17 19:18 17920 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.WSMan.Run#\a615508098c5f4f5a34e89d22527c9de\Microsoft.WSMan.Runtime.ni.dll
+ 2012-01-17 19:18 . 2012-01-17 19:18 21504 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.WSMan.Man#\6fe0ec64be50db1d60d4b6f1ef914215\Microsoft.WSMan.Management.resources.ni.dll
+ 2012-01-17 19:17 . 2012-01-17 19:17 18432 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\f336ce6e2c551ae93c93f92cf60677bb\Microsoft.PowerShell.Commands.Diagnostics.resources.ni.dll
+ 2012-01-17 19:18 . 2012-01-17 19:18 36352 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\d66515e04af07be267ca1d1b2b9a1113\Microsoft.PowerShell.GPowerShell.resources.ni.dll
+ 2012-01-17 19:17 . 2012-01-17 19:17 45568 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\caec9a9b0ae96df2e324cde6ebcac3e7\Microsoft.PowerShell.Commands.Utility.resources.ni.dll
+ 2012-01-17 19:18 . 2012-01-17 19:18 67072 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\c44cda92e7a0bc4224cb54409aab05f1\Microsoft.PowerShell.Editor.resources.ni.dll
+ 2012-01-17 19:18 . 2012-01-17 19:18 16896 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\7891b4f8446137c93298b36129ee43b4\Microsoft.PowerShell.Security.resources.ni.dll
+ 2012-01-17 19:18 . 2012-01-17 19:18 38912 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\73e9eadf2fc234ff59c7297a4a96982b\Microsoft.PowerShell.ConsoleHost.resources.ni.dll
+ 2012-01-17 19:18 . 2012-01-17 19:18 24576 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\65632f4fe9504960d242e8a7e88be8f5\Microsoft.PowerShell.GraphicalHost.resources.ni.dll
+ 2012-01-17 19:17 . 2012-01-17 19:17 31744 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\384f30e8714277e4c61af987d2e2e017\Microsoft.PowerShell.Commands.Management.resources.ni.dll
+ 2012-01-17 19:17 . 2012-01-17 19:17 14848 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Backgroun#\f667da1d215cd7d804c2e57a16aeb5e1\Microsoft.BackgroundIntelligentTransfer.Management.resources.ni.dll
+ 2012-01-17 19:17 . 2012-01-17 19:17 91648 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Backgroun#\17fc30ccabf04ef1cf60a571067bc6dc\Microsoft.BackgroundIntelligentTransfer.Management.ni.dll
+ 2012-01-17 19:16 . 2012-01-17 19:16 13824 c:\windows\assembly\GAC_MSIL\Microsoft.WSMan.Management.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.WSMan.Management.resources.dll
+ 2012-01-17 19:16 . 2012-01-17 19:16 69632 c:\windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll
+ 2012-01-17 19:16 . 2012-01-17 19:16 16896 c:\windows\assembly\GAC_MSIL\Microsoft.PowerShell.GraphicalHost.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.GraphicalHost.resources.dll
+ 2012-01-17 19:16 . 2012-01-17 19:16 40960 c:\windows\assembly\GAC_MSIL\Microsoft.PowerShell.GPowerShell.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.GPowerShell.resources.dll
+ 2012-01-17 19:16 . 2012-01-17 19:16 69632 c:\windows\assembly\GAC_MSIL\Microsoft.PowerShell.Editor.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.Editor.resources.dll
+ 2012-01-17 19:16 . 2012-01-17 19:16 40960 c:\windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.resources.dll
+ 2012-01-17 19:16 . 2012-01-17 19:16 49152 c:\windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.resources.dll
+ 2012-01-17 19:16 . 2012-01-17 19:16 36864 c:\windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.resources.dll
+ 2012-01-17 19:16 . 2012-01-17 19:16 10752 c:\windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.Commands.Diagnostics.resources.dll
+ 2012-01-17 19:16 . 2012-01-17 19:16 57344 c:\windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll
+ 2009-10-09 20:57 . 2009-10-09 20:57 20480 c:\windows\$968930Uinstall_KB968930$\PSCustomSetupUtil.exe
+ 2009-10-09 20:56 . 2009-10-09 20:56 2048 c:\windows\system32\winrsmgr.dll
+ 2009-10-09 22:23 . 2009-10-09 22:23 4608 c:\windows\system32\WindowsPowerShell\v1.0\pwrshmsg.dll
+ 2009-10-09 22:23 . 2009-10-09 22:23 4096 c:\windows\system32\WindowsPowerShell\v1.0\powershell_ise.resources.dll
+ 2008-05-27 04:19 . 2008-05-27 04:19 2048 c:\windows\system32\UncRes.dll
+ 2006-10-25 17:17 . 2012-01-17 19:05 7278 c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_ELEMENTS_DT.exe
- 2006-10-25 17:17 . 2010-10-11 16:23 7278 c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_ELEMENTS_DT.exe
+ 2012-01-17 19:17 . 2009-03-08 09:35 2048 c:\windows\ie8updates\KB2598845-IE8\iecompat.dll
+ 2012-01-17 19:16 . 2012-01-17 19:16 7168 c:\windows\assembly\GAC_MSIL\Microsoft.WSMan.Runtime\1.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Runtime.dll
+ 2012-01-17 19:16 . 2012-01-17 19:16 9216 c:\windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.PowerShell.Security.resources.dll
+ 2012-01-17 19:16 . 2012-01-17 19:16 7168 c:\windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management.resources\1.0.0.0_en_31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.resources.dll
+ 2009-10-09 20:56 . 2009-10-09 20:56 9216 c:\windows\$968930Uinstall_KB968930$\PSSetupNativeUtils.exe
+ 2009-10-09 20:56 . 2009-10-09 20:56 209408 c:\windows\system32\WsmWmiPl.dll
+ 2009-10-09 22:22 . 2009-10-09 22:22 368640 c:\windows\system32\WsmRes.dll
+ 2009-10-09 20:56 . 2009-10-09 20:56 139776 c:\windows\system32\WsmAuto.dll
+ 2009-10-09 20:56 . 2009-10-09 20:56 225280 c:\windows\system32\wsmanhttpconfig.exe
+ 2009-10-09 20:56 . 2009-10-09 20:56 233984 c:\windows\system32\winrscmd.dll
+ 2009-08-01 05:27 . 2009-08-01 05:27 201184 c:\windows\system32\winrm.vbs
+ 2009-10-09 22:23 . 2009-10-09 22:23 148480 c:\windows\system32\WindowsPowerShell\v1.0\pspluginwkr.dll
+ 2009-10-09 20:57 . 2009-10-09 20:57 204800 c:\windows\system32\WindowsPowerShell\v1.0\powershell_ise.exe
+ 2009-10-09 20:56 . 2009-10-09 20:56 448000 c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe
+ 2009-10-09 20:57 . 2009-10-09 20:57 112640 c:\windows\system32\WindowsPowerShell\v1.0\Modules\BitsTransfer\microsoft.backgroundintelligenttransfer.management.interop.dll
+ 2009-07-16 16:22 . 2009-07-16 16:22 126976 c:\windows\system32\WindowsPowerShell\v1.0\CompiledComposition.Microsoft.PowerShell.GPowerShell.dll
+ 2009-10-09 22:23 . 2009-10-09 22:23 178176 c:\windows\system32\wevtfwd.dll
+ 2008-05-27 04:19 . 2008-05-27 04:19 131072 c:\windows\system32\UncPH.dll
+ 2008-05-27 04:19 . 2008-05-27 04:19 108032 c:\windows\system32\UncNE.dll
+ 2008-05-27 04:19 . 2008-05-27 04:19 143872 c:\windows\system32\UncDMS.dll
+ 2008-05-27 03:59 . 2008-05-27 03:59 106605 c:\windows\system32\structuredqueryschema.bin
+ 2008-05-27 04:17 . 2008-05-27 04:17 301568 c:\windows\system32\srchadmin.dll
+ 2008-05-27 04:18 . 2008-05-27 04:18 184832 c:\windows\system32\searchprotocolhost.exe
+ 2008-05-27 04:18 . 2008-05-27 04:18 439808 c:\windows\system32\searchindexer.exe
+ 2008-05-27 04:17 . 2008-05-27 04:17 754176 c:\windows\system32\propsys.dll
+ 2006-01-19 02:02 . 2012-01-17 19:15 467714 c:\windows\system32\perfh009.dat
+ 2006-01-19 02:02 . 2008-03-07 17:02 192000 c:\windows\system32\offfilt.dll
- 2006-01-19 02:02 . 2008-04-14 00:12 192000 c:\windows\system32\offfilt.dll
+ 2008-05-27 04:19 . 2008-05-27 04:19 273408 c:\windows\system32\oeph.dll
+ 2008-05-27 04:18 . 2008-05-27 04:18 203776 c:\windows\system32\mssphtb.dll
+ 2008-05-27 04:18 . 2009-05-25 06:24 350208 c:\windows\system32\mssph.dll
+ 2008-05-27 04:18 . 2008-05-27 04:18 231936 c:\windows\system32\msshsq.dll
- 2006-01-19 02:01 . 2011-03-04 06:37 726528 c:\windows\system32\jscript.dll
+ 2006-01-19 02:01 . 2011-10-28 16:07 726528 c:\windows\system32\jscript.dll
+ 2005-10-29 05:49 . 2005-10-29 05:49 151552 c:\windows\system32\ifxcardm.dll
- 2008-05-09 10:53 . 2011-03-04 06:37 726528 c:\windows\system32\dllcache\jscript.dll
+ 2008-05-09 10:53 . 2011-10-28 16:07 726528 c:\windows\system32\dllcache\jscript.dll
- 2010-01-13 01:42 . 2009-11-21 15:51 471552 c:\windows\system32\dllcache\aclayers.dll
+ 2010-01-13 01:42 . 2011-03-11 14:10 471552 c:\windows\system32\dllcache\aclayers.dll
+ 2005-10-29 05:49 . 2005-10-29 05:49 133120 c:\windows\system32\axaltocm.dll
+ 2012-01-17 19:20 . 2012-01-17 19:20 413696 c:\windows\Installer\{5DA0E02F-970B-424B-BF41-513A5018E4C0}\NewShortcut41_5DA0E02F970B424BBF41513A5018E4C0.exe
+ 2012-01-17 19:20 . 2012-01-17 19:20 413696 c:\windows\Installer\{5DA0E02F-970B-424B-BF41-513A5018E4C0}\NewShortcut4_5DA0E02F970B424BBF41513A5018E4C0.exe
+ 2012-01-17 19:20 . 2012-01-17 19:20 413696 c:\windows\Installer\{5DA0E02F-970B-424B-BF41-513A5018E4C0}\NewShortcut31_5DA0E02F970B424BBF41513A5018E4C0.exe
+ 2012-01-17 19:20 . 2012-01-17 19:20 413696 c:\windows\Installer\{5DA0E02F-970B-424B-BF41-513A5018E4C0}\NewShortcut3_5DA0E02F970B424BBF41513A5018E4C0.exe
+ 2012-01-17 19:20 . 2012-01-17 19:20 413696 c:\windows\Installer\{5DA0E02F-970B-424B-BF41-513A5018E4C0}\NewShortcut21_5DA0E02F970B424BBF41513A5018E4C0.exe
+ 2012-01-17 19:20 . 2012-01-17 19:20 413696 c:\windows\Installer\{5DA0E02F-970B-424B-BF41-513A5018E4C0}\NewShortcut2_5DA0E02F970B424BBF41513A5018E4C0.exe
+ 2012-01-17 19:20 . 2012-01-17 19:20 371894 c:\windows\Installer\{5DA0E02F-970B-424B-BF41-513A5018E4C0}\NewShortcut15_5DA0E02F970B424BBF41513A5018E4C0.exe
+ 2012-01-17 19:20 . 2012-01-17 19:20 371894 c:\windows\Installer\{5DA0E02F-970B-424B-BF41-513A5018E4C0}\ARPPRODUCTICON.exe
+ 2012-01-17 19:17 . 2010-07-05 13:16 382840 c:\windows\ie8updates\KB2632503-IE8\spuninst\updspapi.dll
+ 2012-01-17 19:17 . 2010-07-05 13:15 231288 c:\windows\ie8updates\KB2632503-IE8\spuninst\spuninst.exe
+ 2012-01-17 19:17 . 2011-03-04 06:37 726528 c:\windows\ie8updates\KB2632503-IE8\jscript.dll
+ 2012-01-17 19:17 . 2010-07-05 13:16 382840 c:\windows\ie8updates\KB2598845-IE8\spuninst\updspapi.dll
+ 2012-01-17 19:17 . 2010-07-05 13:15 231288 c:\windows\ie8updates\KB2598845-IE8\spuninst\spuninst.exe
+ 2012-01-17 19:19 . 2012-01-17 19:19 250368 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Management.A#\fff9ba9f177c193d8c5ac9bc74d1ff6e\System.Management.Automation.resources.ni.dll
+ 2012-01-17 19:18 . 2012-01-17 19:18 508928 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.WSMan.Man#\a976a4b51c81150402b0abee38f41ab1\Microsoft.WSMan.Management.ni.dll
+ 2012-01-17 19:18 . 2012-01-17 19:18 156160 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\df4a7b6bc850621fa2d38fb08f910ef7\Microsoft.PowerShell.Security.ni.dll
+ 2012-01-17 19:17 . 2012-01-17 19:17 515584 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\b3d3d76cfc8350587616860fb0f64ccc\Microsoft.PowerShell.ConsoleHost.ni.dll
+ 2012-01-17 19:18 . 2012-01-17 19:18 729600 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\6f6b54b6cebab6867dafeb6db1b98ab1\Microsoft.PowerShell.GraphicalHost.ni.dll
+ 2012-01-17 19:17 . 2012-01-17 19:17 737792 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\592e4b99037ec91cd4201d1ee28895b7\Microsoft.PowerShell.Commands.Management.ni.dll
+ 2012-01-17 19:17 . 2012-01-17 19:17 291328 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\3a03ec48148fa16aa65fd9ba5df49cb8\Microsoft.PowerShell.Commands.Diagnostics.ni.dll
+ 2012-01-17 19:16 . 2012-01-17 19:16 253952 c:\windows\assembly\GAC_MSIL\System.Management.Automation.resources\1.0.0.0_en_31bf3856ad364e35\System.Management.Automation.resources.dll
+ 2012-01-17 19:16 . 2012-01-17 19:16 274432 c:\windows\assembly\GAC_MSIL\Microsoft.WSMan.Management\1.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Management.dll
+ 2012-01-17 19:16 . 2012-01-17 19:16 278528 c:\windows\assembly\GAC_MSIL\Microsoft.PowerShell.GraphicalHost\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.GraphicalHost.dll
+ 2012-01-17 19:16 . 2012-01-17 19:16 651264 c:\windows\assembly\GAC_MSIL\Microsoft.PowerShell.GPowerShell\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.GPowerShell.dll
+ 2012-01-17 19:16 . 2012-01-17 19:16 991232 c:\windows\assembly\GAC_MSIL\Microsoft.PowerShell.Editor\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Editor.dll
+ 2012-01-17 19:16 . 2012-01-17 19:16 200704 c:\windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll
+ 2012-01-17 19:16 . 2012-01-17 19:16 618496 c:\windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll
+ 2012-01-17 19:16 . 2012-01-17 19:16 262144 c:\windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll
+ 2012-01-17 19:16 . 2012-01-17 19:16 102400 c:\windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Diagnostics.dll
- 2006-01-19 02:01 . 2009-11-21 15:51 471552 c:\windows\AppPatch\aclayers.dll
+ 2006-01-19 02:01 . 2011-03-11 14:10 471552 c:\windows\AppPatch\aclayers.dll
+ 2012-01-17 19:16 . 2009-06-18 00:59 379184 c:\windows\$968930Uinstall_KB968930$\spuninst\updspapi.dll
+ 2012-01-17 19:16 . 2009-06-18 00:59 221488 c:\windows\$968930Uinstall_KB968930$\spuninst\spuninst.exe
+ 2009-10-09 22:23 . 2009-10-09 22:23 1107456 c:\windows\system32\WsmSvc.dll
+ 2008-05-27 04:21 . 2008-05-27 04:21 1582592 c:\windows\system32\tquery.dll
+ 2008-05-27 04:21 . 2008-05-27 04:21 1418240 c:\windows\system32\mssrch.dll
+ 2012-01-17 19:20 . 2012-01-17 19:20 7387648 c:\windows\Installer\10bfab.msi
+ 2012-01-17 19:19 . 2012-01-17 19:19 8365056 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Management.A#\3959e9012ee532343861eb35c6c72b24\System.Management.Automation.ni.dll
+ 2012-01-17 19:18 . 2012-01-17 19:18 1704448 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\fba2661cffd923f17dbfa6662adf5ce3\Microsoft.PowerShell.GPowerShell.ni.dll
+ 2012-01-17 19:18 . 2012-01-17 19:18 3722752 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\eb5b6ad2dc6e2ecbdbb1ce1bf754b32e\Microsoft.PowerShell.Editor.ni.dll
+ 2012-01-17 19:17 . 2012-01-17 19:17 1609728 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\6c46eade19e6f222f8b233ab0065d84a\Microsoft.PowerShell.Commands.Utility.ni.dll
+ 2012-01-17 19:16 . 2012-01-17 19:16 2682880 c:\windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-01 7557120]
"nwiz"="nwiz.exe" [2006-05-01 1519616]
"NVRotateSysTray"="c:\windows\system32\nvsysrot.dll" [2006-05-01 49152]
"PSQLLauncher"="c:\program files\Protector Suite QL\launcher.exe" [2006-05-06 30208]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 88203]
"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2005-11-30 73728]
"TFncKy"="TFncKy.exe" [BU]
"TPSMain"="TPSMain.exe" [2005-06-01 282624]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-18 151552]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-10-06 122940]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 602182]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2005-03-23 217088]
"Motive SmartBridge"="c:\progra~1\SBCLIG~1\SMARTB~1\MotiveSB.exe" [2003-12-10 380928]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2006-01-05 352256]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-27 122880]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-04 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1343488]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"adaware"="reg.exe delete HKCU\Software\AppDataLow\Software\adaware" [X]
"adaware_XP"="reg.exe delete HKCU\Software\adaware" [X]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2006-10-25 25214]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-1-18 155648]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2006-05-06 00:48 40448 ----a-w- c:\windows\system32\psqlpwd.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk]
backup=c:\windows\pss\VPN Client.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"24726:TCP"= 24726:TCP:FlipShareServer
"24727:TCP"= 24727:TCP:FlipShareServer
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundMaskRequest"= 1 (0x1)
"AllowInboundRouterRequest"= 1 (0x1)
"AllowOutboundDestinationUnreachable"= 1 (0x1)
"AllowOutboundSourceQuench"= 1 (0x1)
"AllowOutboundParameterProblem"= 1 (0x1)
"AllowOutboundTimeExceeded"= 1 (0x1)
"AllowRedirect"= 1 (0x1)
"AllowOutboundPacketTooBig"= 1 (0x1)
.
R2 CFRDBService;Finnigan Database Service;c:\xcalibur\system\programs\CFRDBService.exe [12/9/2008 8:23 PM 335923]
R2 FdRedir;FdRedir;c:\program files\Common Files\Protector Suite QL\Drivers\FdRedir.sys [5/5/2006 7:00 PM 13568]
R2 FileDisk2;FileDisk Protector Kernel Driver;c:\program files\Common Files\Protector Suite QL\Drivers\filedisk.sys [5/5/2006 6:59 PM 33024]
R2 FinAutoLogOff;Finnigan Auto Logoff;c:\xcalibur\system\programs\FinAutoLogOff.exe [12/9/2008 8:23 PM 86068]
R2 Finnigan Security Server;Finnigan Security Server;c:\xcalibur\system\programs\finSS_Server.exe [12/9/2008 8:23 PM 65536]
R2 FlipShareServer;FlipShare Server;c:\program files\Flip Video\FlipShareServer\FlipShareServer.exe [5/6/2011 12:58 PM 1085440]
R2 smihlp;SMI helper driver;c:\program files\Protector Suite QL\smihlp.sys [5/5/2006 6:33 PM 3456]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 SequestDaemon;SequestDaemon;c:\xcalibur\system\programs\BioworksBrowser\SequestDaemon.exe --> c:\xcalibur\system\programs\BioworksBrowser\SequestDaemon.exe [?]
S3 IO_Memory;IO_Memory;\??\c:\sysprep\Drivers\ioport.sys --> c:\sysprep\Drivers\ioport.sys [?]
S3 SVRPEDRV;SVRPEDRV;\??\c:\sysprep\PEDrv.sys --> c:\sysprep\PEDrv.sys [?]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [1/18/2006 8:02 PM 14336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.toshibadirect.com/dpdstart
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
TCP: DhcpNameServer = 192.168.1.254
DPF: 55963676-2F5E-4BAF-AC28-CF26AA587566 - vpnweb.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\J\Application Data\Mozilla\Firefox\Profiles\imf0pcgy.default\
user_pref(security.warn_viewing_mixed,false);
user_pref(security.warn_viewing_mixed.show_once,false);
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
user_pref(security.warn_submit_insecure,false);
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-20 08:37
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(848)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\windows\system32\biologon.dll
c:\program files\Protector Suite QL\homepass.dll
c:\program files\Protector Suite QL\bio.dll
c:\program files\Protector Suite QL\remote.dll
c:\program files\Protector Suite QL\crypto.dll
.
- - - - - - - > 'lsass.exe'(908)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homefus2.dll
.
Completion time: 2012-01-20 08:38:50
ComboFix-quarantined-files.txt 2012-01-20 14:38
ComboFix2.txt 2012-01-16 19:42
ComboFix3.txt 2012-01-16 19:24
ComboFix4.txt 2012-01-12 20:09
ComboFix5.txt 2012-01-20 14:21
.
Pre-Run: 43,537,784,832 bytes free
Post-Run: 43,739,029,504 bytes free
.
- - End Of File - - 16CE43E087EBA77A505592135B584ACB

#8 gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 20 January 2012 - 01:57 PM

Hello

This is the tool I would like you to try and run next.

Please download aswMBR (511KB) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.



Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#9 J. F.

  • Topic Starter
  • Members
  • 8 posts

Posted 20 January 2012 - 04:16 PM

Hi,

On computer performance: I recently updated the touchpad driver (via Toshiba's website) and I keep having to reinstall it. I'm not sure if this is due to the virus.

I ran the tool and this is the output. Thanks again!

-J



aswMBR version 0.9.9.1297 Copyright© 2011 AVAST Software
Run date: 2012-01-20 14:33:56
-----------------------------
14:33:56.656 OS Version: Windows 5.1.2600 Service Pack 3
14:33:56.656 Number of processors: 2 586 0xE08
14:33:56.656 ComputerName: US UserName: J
14:33:57.484 Initialize success
14:41:57.593 AVAST engine defs: 12012001
14:46:24.781 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
14:46:24.781 Disk 0 Vendor: FUJITSU_MHV2080BH_PL 00000029 Size: 76319MB BusType: 3
14:46:24.812 Disk 0 MBR read successfully
14:46:24.812 Disk 0 MBR scan
14:46:24.843 Disk 0 Windows XP default MBR code
14:46:24.843 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 76065 MB offset 63
14:46:24.875 Disk 0 Partition 2 00 88 Linux plaintext A Kárò'ó 251 MB offset 155782305
14:46:24.906 Disk 0 scanning sectors +156296385
14:46:24.953 Disk 0 scanning C:\WINDOWS\system32\drivers
14:46:37.296 Service scanning
14:46:38.781 Modules scanning
14:46:45.781 Module: C:\WINDOWS\System32\DLA\DLADResN.SYS **SUSPICIOUS**
14:46:46.656 Disk 0 trace - called modules:
14:46:46.687 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
14:46:46.687 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86b611f0]
14:46:46.687 3 CLASSPNP.SYS[f7536fd7] -> nt!IofCallDriver -> \Device\00000085[0x86b819e8]
14:46:46.687 5 ACPI.sys[f748d620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x86b83940]
14:46:47.234 AVAST engine scan C:\WINDOWS
14:47:14.812 AVAST engine scan C:\WINDOWS\system32
14:49:12.343 AVAST engine scan C:\WINDOWS\system32\drivers
14:49:27.890 AVAST engine scan C:\Documents and Settings\J
14:50:02.343 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\J\Desktop\MBR.dat"
14:50:02.375 The log file has been saved successfully to "C:\Documents and Settings\J\Desktop\aswMBR1.txt"

#10 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 21 January 2012 - 05:18 AM

SystemLook:

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
:filefind
DLADResN.SYS
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

#11 J. F.

  • Topic Starter
  • Members
  • 8 posts

Posted 21 January 2012 - 07:20 PM

Here it is:

SystemLook 30.07.11 by jpshortstuff
Log created at 18:16 on 21/01/2012 by J
Administrator - Elevation successful

========== filefind ==========

Searching for "DLADResN.SYS "
C:\Program Files\Sonic\DLA\install\dladresn.sys --a---- 2496 bytes [12:20 06/10/2005] [12:20 06/10/2005] 1E6C6597833A04C2157BE7B39EA92CE1
C:\WINDOWS\system32\DLA\DLADResN.SYS --a---- 2496 bytes [20:07 18/10/2006] [12:20 06/10/2005] 1E6C6597833A04C2157BE7B39EA92CE1

-= EOF =-
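The filefind above located two copies of DLADResN.SYS with the same size and the same MD5. As an added example that is not part of this thread and not SystemLook's code, the script below performs the same case-insensitive search in Python and then compares the digests across every copy found, which is the check a helper makes by eye when reading that output. The directory tree, file contents and the root it searches are constructed inline so it runs offline; on the affected machine `roots` would be the system drive. Identical digests only show that the live copy is byte-for-byte the installer's copy, not that the file is clean; that still needs a known-good reference hash from the vendor.

```python
"""Reproduce the SystemLook ':filefind' step from the thread and add the
cross-copy hash comparison a helper does by eye.

Added example, not part of the original thread and not SystemLook's code.
The directory tree and file contents are constructed inline so it runs
offline; on a real machine `roots` would be ["C:\\"].
"""
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone


def md5_of(path, chunk=1 << 16):
    """MD5 of a file, read in chunks; SystemLook prints the same digest."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest().upper()


def filefind(name, roots):
    """Case-insensitive search for `name` under each root (Windows file names
    are case-insensitive, so 'dladresn.sys' and 'DLADResN.SYS' are one name).
    Returns one dict per hit: path, size, last-modified time (UTC) and MD5."""
    target = name.strip().lower()
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for fn in files:
                if fn.lower() != target:
                    continue
                p = os.path.join(dirpath, fn)
                st = os.stat(p)
                hits.append({
                    "path": p,
                    "size": st.st_size,
                    "mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(timespec="seconds"),
                    "md5": md5_of(p),
                })
    return hits


def triage(hits):
    """Compare the copies. Identical digests (as in the posted output) mean the
    live copy is byte-for-byte the installer's copy; they do NOT prove the file
    is clean, which needs a known-good hash from the vendor. A copy whose digest
    differs from the others is the one to look at first."""
    if not hits:
        return {"status": "not found", "outliers": []}
    digests = {h["md5"] for h in hits}
    if len(digests) == 1:
        return {"status": "all copies identical", "outliers": []}
    ref = max(digests, key=lambda d: sum(h["md5"] == d for h in hits))  # majority digest
    return {"status": "hash mismatch",
            "outliers": [h["path"] for h in hits if h["md5"] != ref]}


def build_sample_tree():
    """Constructed fixture: the two identical copies SystemLook found, plus a
    third copy in a Temp folder with one byte changed."""
    base = tempfile.mkdtemp(prefix="filefind_demo_")
    driver = b"MZ" + b"\x00" * 2494            # fake 2496-byte 'driver' body
    layout = {
        os.path.join("Program Files", "Sonic", "DLA", "install", "dladresn.sys"): driver,
        os.path.join("WINDOWS", "system32", "DLA", "DLADResN.SYS"): driver,
        os.path.join("Documents and Settings", "J", "Local Settings", "Temp", "DLADRESN.SYS"): driver[:-1] + b"\x01",
    }
    for rel, data in layout.items():
        full = os.path.join(base, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return base


def demo():
    base = build_sample_tree()
    try:
        hits = filefind("DLADResN.SYS ", [base])   # trailing space, as in the posted query
        for h in hits:
            print(f'{h["path"]}  {h["size"]} bytes  [{h["mtime"]}]  {h["md5"]}')
        result = triage(hits)
        print(result["status"], result["outliers"])
    finally:
        shutil.rmtree(base, ignore_errors=True)
    return hits, result


if __name__ == "__main__":
    demo()
```

Run it as-is to see the three hits and the mismatch verdict; pointing `filefind` at a real drive is the same call with a different root. The majority digest is only a tie-breaker for deciding which copy to examine first; the vendor's published hash is the actual reference.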

#12 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 21 January 2012 - 08:55 PM

These logs are looking a lot better, but we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

Uninstall some programs

NOTE** Because of the cleanup process, some of the programs I have listed may not be in Add/Remove Programs anymore. This is fine; just move to the next item on the list.

1. Click on Start
2. Then go to Settings
3. After that you need Control Panel
4. Look for the icon Add/Remove Programs
Click on the following programs:

Adobe Reader 9.4.7

and click on Remove.

Update Adobe Reader

Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader (7 MB) from here. It's a much smaller file to download and uses far fewer resources than Adobe Reader.

Note: When installing Foxit Reader, be careful not to install anything to do with AskBar.

Install Java:

Please go here to install Java

  • Click on the Free Java Download button
  • Click on Agree and Start Free Download
  • Click on Run
  • Click on Run again
  • Click on Install
  • When the install is complete, click on Close

TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM.
  • Double-click the MBAM icon.
  • Go to the Update tab at the top.
  • Click on Check for Updates.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running HijackThis, see NOTE** below (Hosts file not read, blank Notepad, ...)

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a log file button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the Analyze This button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe) <-- 32-bit
(located: C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe) <-- 64-bit
and select Run as administrator.

"Information and logs"

  • In your next post I need the following:

  • Log from MBAM
  • Report from HijackThis
  • Let me know of any problems you may have had
  • How is the computer doing now?

Gringo


#13 J. F.

  • Topic Starter
  • Members
  • 8 posts

Posted 22 January 2012 - 07:41 PM

Hi,

1) I uninstalled Acrobat Reader and installed the new version
2) I installed Java
3) I ran TFC
4) I ran MBAM and the log follows
5) The computer seems to be running well so far and I haven't had any more popups. It also hasn't uninstalled my touchpad driver again.

Thanks!!




MBAM log:

Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.22.04

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
J :: US [administrator]

1/22/2012 6:11:01 PM
mbam-log-2012-01-22 (18-11-01).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System

| Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 209691
Time elapsed: 5 minute(s), 41 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 6:34:20 PM, on 1/22/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\Xcalibur\system\programs\CFRDBService.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Xcalibur\system\programs\FinAutoLogOff.exe
C:\Xcalibur\system\programs\finSS_Server.exe
C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
C:\Program Files\Flip Video\FlipShareServer\FlipShareServer.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\TODDSrv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\notepad.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [NVRotateSysTray] rundll32.exe C:\WINDOWS\system32\nvsysrot.dll,Enable
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\Protector Suite QL\launcher.exe" /startup
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe" /hide
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [adaware_XP] reg.exe delete "HKCU\Software\adaware" /f (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: 55963676-2F5E-4BAF-AC28-CF26AA587566 - vpnweb.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Mahjong Escape - Ancient China\Images\stg_drm.ocx
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Mahjong Escape - Ancient China\Images\armhelper.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: Finnigan Database Service (CFRDBService) - Thermo Electron Corporation - C:\Xcalibur\system\programs\CFRDBService.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Finnigan Auto Logoff (FinAutoLogOff) - Thermo Electron Corporation - C:\Xcalibur\system\programs\FinAutoLogOff.exe
O23 - Service: Finnigan Security Server - Thermo Electron Corporation - C:\Xcalibur\system\programs\finSS_Server.exe
O23 - Service: FlipShare Service - Unknown owner - C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
O23 - Service: FlipShare Server (FlipShareServer) - Unknown owner - C:\Program Files\Flip Video\FlipShareServer\FlipShareServer.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SequestDaemon - Unknown owner - C:\Xcalibur\system\programs\BioworksBrowser\SequestDaemon.exe (file missing)
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\WINDOWS\system32\TODDSrv.exe

--
End of file - 13084 bytes

#14 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 22 January 2012 - 08:04 PM

Greetings

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded start-up entries:

This part of the fix is purely optional.
These are programs that start up when you turn on your computer but don't need to. You can start any of them when you need them by clicking on their icons (or from the Control Panel). By stopping these programs you will boot up faster and your computer will work faster.

If you have any problems running HijackThis, see NOTE** below (Hosts file not read, blank Notepad, ...)

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    • O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
      O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
      O4 - HKLM\..\Run: [NVRotateSysTray] rundll32.exe C:\WINDOWS\system32\nvsysrot.dll,Enable
      O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
      O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
      O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
      O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
      O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
      O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe
      O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
      O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe" /hide
      O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
      O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
      O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
      O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
      O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
      O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

    NOTE** You can research each of those lines >here< and see if you want to keep them or not.
    Just copy the name between the brackets and paste it into the search space, e.g.:
    O4 - HKLM\..\Run: [IntelliPoint]


NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe) <-- 32-bit
(located: C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe) <-- 64-bit
and select Run as administrator.

Eset Online Scanner

**Note** You will need to use Internet Explorer for this scan. Vista and Win 7: right-click on the IE shortcut and run as admin.

Go to the ESET web page to run an online scanner from ESET.

  • Turn off the real-time scanner of any existing antivirus program while performing the online scan
  • click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the ActiveX control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options
    Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Click on Copy to clipboard and paste the results here in this topic
  • You may also find the log here: C:\Program Files\Eset\Eset Online Scanner\log.txt
Copy and paste that log as a reply to this topic.

Gringo

#15 J. F.

  • Topic Starter
  • Members
  • 8 posts

Posted 25 January 2012 - 08:18 AM

Hi,

1) I ran HijackThis to remove the startup entries specified
2) I ran ESET and it did not report finding anything

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=89e20c54d4ab774aafb19a754e82c9f9
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-01-24 01:13:29
# local_time=2012-01-23 07:13:29 (-0600, Central Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 2818 2818 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=82075
# found=0
# cleaned=0
# scan_time=3163

Thanks!



