need help to remove trojan horse agent_r.asr


  • This topic is locked
24 replies to this topic

#1 mandala (Full Member, 15 posts)

Posted 05 February 2012 - 02:21 PM

All of a sudden, I got a fake security shield pop-up that kept coming back. I ran Malwarebytes and Spybot, and they picked up a few viruses and got rid of them. All was OK for a day, then I started getting redirected searches on Google and pop-up browser windows to Consumer Reports. I ran the above again and they did not find anything. I ran my AVG and it cleaned a few trojans, but left a Trojan horse agent_r.asr that it said it could not remove because the object is white-listed (critical system file that should not be removed). Now in safe mode, I reran all tools with no luck, and there are still redirects in web browsing. Please help me get rid of this or whatever else is causing the problem. Thank you.


Edit: Please read the Instructions and post the requested logs. We need the information in order to help you.

Here is the Malwarebytes log:
2/5/2012 12:19:26 AM
mbam-log-2012-02-05 (00-19-26).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 332959
Time elapsed: 1 hour(s), 10 minute(s), 22 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Edited by mandala, 05 February 2012 - 02:44 PM.


#3 mandala (Full Member, 15 posts)

Posted 05 February 2012 - 03:13 PM

Trying to post more logs, but it is not letting me...

#4 mandala (Full Member, 15 posts)

Posted 05 February 2012 - 03:14 PM

Here is the Security Check log:
Results of screen317's Security Check version 0.99.30
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Enabled!
AVG 2012
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

MVPS Hosts File
Spybot - Search & Destroy
Windows Defender
CCleaner (remove only)
Java™ SE Runtime Environment 6 Update 1
Java™ 6 Update 3
Java™ 6 Update 5
Java 2 Runtime Environment, SE v1.4.2_06
Java version out of date!
Adobe Reader 8 Adobe Reader out of date!
Mozilla Firefox (2.0.0 Firefox out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

``````````End of Log````````````


AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\AVG\AVG2012\avgui.exe
C:\Program Files\AVG\AVG2012\avgscanx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer =
uInternet Settings,ProxyOverride = ;*.local
uURLSearchHooks: UrlSearchHook Class: {3d31a26e-04d4-4b45-afd4-da4e1ae4af1b} - c:\program files\fuji medical system\synapse\workstation\FujiFld.dll
mURLSearchHooks: UrlSearchHook Class: {3d31a26e-04d4-4b45-afd4-da4e1ae4af1b} - c:\program files\fuji medical system\synapse\workstation\FujiFld.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Synapse BHO Class: {33414365-e6c7-460d-880a-a163bd69e84d} - c:\program files\fuji medical system\synapse\workstation\FujiFld.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll__BHODemonDisabled
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll__BHODemonDisabled
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll__BHODemonDisabled
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
uRun: [EasyLinkAdvisor] "c:\program files\linksys easylink advisor\LinksysAgent.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [InCD] c:\program files\ahead\incd\InCD.exe
mRun: [AdobeVersionCue] c:\program files\adobe\adobe version cue\controlpanel\VersionCueTray.exe
mRun: [EPSON Stylus Photo R200 Series] c:\windows\system32\spool\drivers\w32x86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [FujiSynapseBridge] "c:\program files\fuji medical system\synapse\workstation\FujiSynapseBridge.exe"
mRun: [Synapse URLSearchHook Configuration] RUNDLL32.EXE c:\progra~1\fujime~1\synapse\workst~1\FujiFld.dll,ConfigureSynapseUrlSearchHook
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\ajay\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\FINDFAST.EXE
StartupFolder: c:\docume~1\ajay\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~2.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ciscos~1.lnk - c:\program files\cisco systems\vpn client\vpngui.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\citrix~1.lnk - c:\program files\citrix\secure access client\nsload.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\cleana~1.lnk - c:\program files\cisco systems\clean access agent\CCAAgent.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nkbmon~1.lnk - c:\program files\nikon\pictureproject\NkbMonitor.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: mswsock.dll
DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} - hxxp://www.ipix.com/download/ipixx.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {1FBD11EF-1260-11D1-87A7-444553540001} - hxxp://immcsynapse.immc.advocatehealth.com/osd/SynapseWorkstationInf.cab
DPF: {225781F3-B27C-4182-83F1-CBF79247D36B} - hxxp://portal.partners.org/vpn/PHSVPNPortal.CAB
DPF: {2FAD241F-D04F-43A4-9356-BF78AEBEFAD2} - hxxp://lmrintra.partners.org/lmr/lmr.cab
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
DPF: {474F00F5-3853-492C-AC3A-476512BBC336} - hxxp://picasaweb.google.com/s/v/52.06/uploader2.cab
DPF: {541AEDD4-20E8-4E6F-B12B-0FDD38BB712F} - hxxp://pacsweb.mskcc.org/ami/install/amiviewer.cab
DPF: {5C885ED3-9E77-4140-B63E-134BF7B19DEC} - hxxp://pacsweb.mskcc.org/ami/install/amiviewer.cab
DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://cdn.smugmug.com/photos/activex/ImageUploader5-5.5.1.0-082608.cab
DPF: {61611A68-B68C-420E-8E4D-6C61E68C03C6} - hxxp://lmrintra.partners.org/lmr/cvt.cab
DPF: {6262D3A0-531B-11CF-91F6-C2863C385E30} - hxxp://ppd.partners.org/gme/MSflxGrd.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1180661164644
DPF: {66157B4F-9E4A-488C-92A4-4434A16FCBF2} - hxxp://lmrintra.partners.org/lmr/diagram.cab
DPF: {664A9390-02B0-4311-9C01-4C6D5CD48D27} - hxxp://centricity/ami/install/amiviewer.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {88D969C0-F192-11D4-A65F-0040963251E5} - hxxp://centricity/ami/install/msxml4.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {96C524F5-F7BE-42C8-B8C7-89E55CD1FEB1} - hxxp://lmrintra.partners.org/lmr/lmr2.cab
DPF: {988E583E-D78B-4BC5-8011-7F6674484D9C} - hxxp://pacsweb.mskcc.org/ami/install/amiviewer.cab
DPF: {A8B3A7FE-9C8D-4F15-9B01-8805BDF43B1B} - hxxp://centricity/ami/install/amiviewer.cab
DPF: {BCDD741A-3F0F-483F-AB50-345E464F3617} - hxxp://lmrintra.partners.org/lmr/lmr2a.cab
DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D40E7275-159D-419E-9AC1-46FD8884B464} - hxxp://lmrintra.partners.org/lmr/LMRWebPrint.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://mskvpn.mskcc.org/dana-cached/setup/JuniperSetupSP1.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://mskvpn.mskcc.org/dana-cached/sc/JuniperSetupClient.cab
DPF: {FDFB6B21-9F60-4C74-B540-32D83C4357D1} - hxxp://lmrintra.partners.org/lmr/LMRWebIESetting.cab
TCP: DhcpNameServer = 206.13.30.12 8.8.8.8
TCP: Interfaces\{9B5FB89F-1C09-4F9F-8651-A4648C5CD314} : DhcpNameServer = 206.13.30.12 8.8.8.8
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\ajay\application data\mozilla\firefox\profiles\4rte8p2n.default\
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 32592]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-9 295248]
R3 ctxva51;Citrix Virtual Adapter;c:\windows\system32\drivers\ctxva51.sys [2010-1-19 41624]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [2008-7-12 24521]
S1 AEC671X;AEC671X;c:\windows\system32\drivers\aec671x.sys [1998-5-5 12128]
S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 230608]
S1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 40016]
S1 DMX3191;DMX3191;c:\windows\system32\drivers\dmx3191.sys [1999-2-23 17700]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\AVGIDSAgent.exe [2011-10-12 4433248]
S2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]
S2 cag;Citrix cag plugin for Access Gateway;c:\program files\common files\deterministic networks\common files\cag.sys [2009-10-22 80920]
S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2011-7-6 374152]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2011-1-11 12856]
S2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2011-9-25 47640]
S2 nsverctl;Citrix Secure Access Client Service;c:\program files\citrix\secure access client\nsverctl.exe [2010-1-19 154264]
S2 SynapseUpdateSvc;Synapse Update Manager;c:\program files\fuji medical system\synapse\workstation\SynapseUpdateManager.exe [2011-6-15 200704]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 134608]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 24272]
S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 16720]
S3 ExtranetAccess;Contivity VPN Service;c:\program files\nortel networks\Extranet_serv.exe [2008-7-12 811008]
S3 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [2008-7-12 155184]
S3 Net6IM;Net6;c:\windows\system32\drivers\net6im51.sys --> c:\windows\system32\drivers\net6im51.sys [?]
S3 PDEXLOCK;Photodex Hardware Lock Driver;c:\windows\system32\drivers\PDEXLOCK.sys [2008-3-11 12288]
S3 Rsvdrspiaa;Rsvdrspiaa; [x]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-6-3 189792]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
S4 Wudmseacce;Wudmseacce; [x]
.
=============== Created Last 30 ================
.
2012-02-05 14:12:37 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-01-15 17:42:17 -------- d-----w- c:\documents and settings\ajay\application data\AVG2012
2012-01-15 17:41:08 -------- d-----w- c:\documents and settings\all users\application data\AVG2012
.
==================== Find3M ====================
.
2011-12-10 21:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-25 21:57:19 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35:08 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-16 14:21:44 354816 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 14:21:44 152064 ----a-w- c:\windows\system32\schannel.dll
.
============= FINISH: 13:46:44.03 ===============

Edited by mandala, 05 February 2012 - 03:24 PM.
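A small triage helper for the DDS "Pseudo HJT Report" format shown in the log above, added here as an example; it is not part of the thread and not code from the DDS tool. It parses the autostart (uRun/mRun/dRun), BHO, StartupFolder, DPF, DhcpNameServer and Hosts lines into records and then reports what a helper reads first: autorun count, active versus disabled BHOs, the DNS servers in use, any autorun whose executable is not given as a full path, and hosts-file entries. The sample input is a constructed, abridged subset in the same format; the mapping of the u/m/d prefixes to registry hives follows the usual DDS convention and is marked as an assumption in the code.

```python
"""Triage of a DDS 'Pseudo HJT Report' section (added example, not DDS code)."""
import re

# DDS prefixes autostart lines with u/m/d; mapping them to hives is an
# assumption based on the usual DDS convention (user / machine / default user).
SCOPE = {"u": "HKCU", "m": "HKLM", "d": "HKU\\.DEFAULT"}

RUN_RE = re.compile(r"^(?P<scope>[umd])Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.+?): (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
STARTUP_RE = re.compile(r"^StartupFolder: (?P<lnk>.+?) - (?P<target>.*)$")
DPF_RE = re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<url>\S+)$")
DNS_RE = re.compile(r"^TCP: (?:Interfaces\\\{[^}]+\} : )?DhcpNameServer = (?P<servers>.*)$")
HOSTS_RE = re.compile(r"^Hosts: (?P<ip>\S+)\s+(?P<host>\S+)$")
FULL_PATH_RE = re.compile(r"^[A-Za-z]:\\")
DISABLED_SUFFIX = "__BHODemonDisabled"

# Constructed sample in the same format as the DDS log posted above (abridged).
SAMPLE_DDS = r"""
uStart Page = hxxp://www.google.com/
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll__BHODemonDisabled
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ciscos~1.lnk - c:\program files\cisco systems\vpn client\vpngui.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab
TCP: DhcpNameServer = 206.13.30.12 8.8.8.8
TCP: Interfaces\{9B5FB89F-1C09-4F9F-8651-A4648C5CD314} : DhcpNameServer = 206.13.30.12 8.8.8.8
Hosts: 127.0.0.1 www.spywareinfo.com
"""


def exe_path(cmd: str) -> str:
    """Return the executable part of a Run-key command line (quoted or not)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def parse_pseudo_hjt(text: str) -> dict:
    """Split Pseudo-HJT lines into records keyed by entry kind."""
    out = {"run": [], "bho": [], "startup": [], "dpf": [], "dns": [], "hosts": []}
    for raw in text.splitlines():
        line = raw.strip()
        if (m := RUN_RE.match(line)):
            out["run"].append({"scope": SCOPE[m["scope"]], "name": m["name"],
                               "cmd": m["cmd"], "exe": exe_path(m["cmd"])})
        elif (m := BHO_RE.match(line)):
            path = m["path"]
            out["bho"].append({"name": m["name"], "clsid": m["clsid"].lower(),
                               "path": path.removesuffix(DISABLED_SUFFIX),
                               "disabled": path.endswith(DISABLED_SUFFIX)})
        elif (m := STARTUP_RE.match(line)):
            out["startup"].append({"lnk": m["lnk"], "target": m["target"]})
        elif (m := DPF_RE.match(line)):
            out["dpf"].append({"clsid": m["clsid"].lower(), "url": m["url"]})
        elif (m := DNS_RE.match(line)):
            out["dns"].append(m["servers"].split())
        elif (m := HOSTS_RE.match(line)):
            out["hosts"].append({"ip": m["ip"], "host": m["host"]})
    return out


def triage(parsed: dict) -> dict:
    """Summarise what a helper reads first: autoruns, BHOs, DNS, hosts entries."""
    findings = []
    for r in parsed["run"]:
        if not FULL_PATH_RE.match(r["exe"]):
            # Resolved through the search path at logon; check which file wins.
            findings.append(f"unqualified autorun path ({r['scope']} {r['name']}): {r['exe']}")
    for h in parsed["hosts"]:
        # Only a problem if it is not from an intended block list (this machine
        # runs the MVPS hosts file, so such entries are expected there).
        findings.append(f"hosts entry: {h['host']} -> {h['ip']}")
    return {
        "autoruns": len(parsed["run"]),
        "bhos_active": sum(not b["disabled"] for b in parsed["bho"]),
        "bhos_disabled": sum(b["disabled"] for b in parsed["bho"]),
        "dns_servers": sorted({s for servers in parsed["dns"] for s in servers}),
        "findings": findings,
    }


if __name__ == "__main__":
    for key, value in triage(parse_pseudo_hjt(SAMPLE_DDS)).items():
        print(f"{key}: {value}")
```

The URLs stay defanged (hxxp) exactly as DDS prints them; the script never resolves or fetches anything, it only structures the log so the entries can be compared against what is expected on the machine.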


#5 jedi (Administrator, 15,830 posts)

Posted 06 February 2012 - 09:24 AM

Hi,

I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with fixes. So please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
5) Restart your computer.
You can reenable TeaTimer once your system is clean.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.

jedi

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.

#7 mandala (Full Member, 15 posts)

Posted 06 February 2012 - 07:57 PM

Thank you. I will do these. I already have ComboFix and tried to run it a few days ago, but it says I have to remove AVG entirely to run it. Is this true? AVG has to be uninstalled?

#8 jedi (Administrator, 15,830 posts)

Posted 07 February 2012 - 02:39 AM

Hi again,

This used to be the case, but I understood it was not necessary any more. Delete the version of ComboFix you have and try with a new version and let me know what happens.

jedi

#9 mandala (Full Member, 15 posts)

Posted 07 February 2012 - 09:46 AM

While I was waiting for a reply, I removed AVG, downloaded a new ComboFix and ran it. It then said "ComboFix has detected the presence of rooting activity and needs to reboot the machine", which it did, and now there is a blue box that says "Rebooting Windows... pls wait. Pls allow ComboFix to reboot the machine. Warning!! Do not manually reboot the machine yourself", and it has been stuck like this for 8 hours. Help!

#10 jedi (Administrator, 15,830 posts)

Posted 07 February 2012 - 01:47 PM

Hi again,

OK, close the open ComboFix window manually. Check to see if it has produced a log at C:\Combofix.txt. If it has, please post that log here.

Next, boot into Safe Mode by restarting and tapping the F8 key after your PC beeps on startup. Use the arrow up/down keys to select Safe Mode.

Now run ComboFix again and see if it will complete. If it does, restart normally and post the new C:\Combofix.txt log.

jedi

#11 mandala (Full Member, 15 posts)

Posted 07 February 2012 - 09:57 PM

OK. So the blue window would not close, so I had to physically turn the computer off and on. I opened it straight into safe mode and ComboFix automatically started running, perhaps from where it left off, and finished, posting a log which I will attach below. I then tried to open the internet to send it to you, but IE would not engage or connect to anything. So I rebooted into normal mode, and same problem. Then I rebooted into safe mode with networking again, and still the internet would not connect. So then I tried to run ComboFix again as you mentioned. Again, it stopped and briefly popped a window saying I was infected with a rootkit virus that was very difficult to clear, that I may have trouble with the internet, and that if this happened, to rerun ComboFix again... then this window disappeared and I am now stuck with the same window as last night. The header of the window says Rootkit!! and then it says it wants to reboot the machine. Before running ComboFix, I never had any problem getting on the internet -- this seems to be getting worse. Here is the log. Your help is all I have to go on here. Thanks

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1622 [GMT -6:00]
Running from: c:\documents and settings\Ajay\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Ajay\Start Menu\Programs\HDD Rescue
c:\documents and settings\Ajay\Start Menu\Programs\HDD Rescue\Uninstall HDD Rescue.lnk
c:\documents and settings\Ajay\WINDOWS
c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
c:\documents and settings\All Users\Start Menu\Programs\Startup\NkbMonitor.exe.lnk
c:\windows\$NtUninstallKB3857$\2604569647\@
c:\windows\$NtUninstallKB3857$\2604569647\cfg.ini
c:\windows\$NtUninstallKB3857$\2604569647\Desktop.ini
c:\windows\$NtUninstallKB3857$\2604569647\L\sovhxxix
c:\windows\$NtUninstallKB3857$\2604569647\oemid
c:\windows\$NtUninstallKB3857$\2604569647\U\00000001.@
c:\windows\$NtUninstallKB3857$\2604569647\U\00000002.@
c:\windows\$NtUninstallKB3857$\2604569647\U\00000004.@
c:\windows\$NtUninstallKB3857$\2604569647\U\80000000.@
c:\windows\$NtUninstallKB3857$\2604569647\U\80000004.@
c:\windows\$NtUninstallKB3857$\2604569647\U\80000032.@
c:\windows\$NtUninstallKB3857$\2604569647\version
c:\windows\$NtUninstallKB3857$\3959817906
c:\windows\EventSystem.log
c:\windows\system32\allegro.dll
c:\windows\system32\AmdLLD.dll
c:\windows\system32\backupexecrpcservice.dll
c:\windows\system32\c-dillasrv.dll
c:\windows\system32\clientservice.dll
c:\windows\system32\CSDriver.dll
c:\windows\system32\dbmang.dll
c:\windows\system32\dlaopiom.dll
c:\windows\system32\dntus26.dll
c:\windows\system32\eelogsvc.dll
c:\windows\system32\ELmon.dll
c:\windows\system32\Epiusb.dll
c:\windows\system32\EpmPsd.dll
c:\windows\system32\hwpsgt.dll
c:\windows\system32\icm10blk.dll
c:\windows\system32\ifp800.dll
c:\windows\system32\ipssvc.dll
c:\windows\system32\jukebox3.dll
c:\windows\system32\klblmain.dll
c:\windows\system32\lxrsge10s.dll
c:\windows\system32\mmc_2K.dll
c:\windows\system32\MS1000.dll
c:\windows\system32\pcouffin.dll
c:\windows\system32\pdagent.dll
c:\windows\system32\prtg4service.dll
c:\windows\system32\rdbss.dll
c:\windows\system32\rdpnp.dll
c:\windows\system32\rtl8185.dll
c:\windows\system32\SABProcEnum.dll
c:\windows\system32\sbhooksvc.dll
c:\windows\system32\scanwscs.dll
c:\windows\system32\se45obex.dll
c:\windows\system32\SED133x.dll
c:\windows\system32\SET7530.tmp
c:\windows\system32\SET7534.tmp
c:\windows\system32\SET753C.tmp
c:\windows\system32\SNP2STD.dll
c:\windows\system32\sonytvc.dll
c:\windows\system32\tosrfhid.dll
c:\windows\system32\UNDPX2A.dll
c:\windows\system32\USB_NDIS_51.dll
c:\windows\system32\useraccess7.dll
c:\windows\system32\VC4CB104.dll
c:\windows\system32\VC6SecS.dll
c:\windows\system32\vcomm.dll
c:\windows\system32\vpcnets2.dll
c:\windows\system32\vxsvc.dll
c:\windows\system32\wap3gx.dll
c:\windows\system32\WaveFDE.dll
c:\windows\system32\webrootspysweeperservice.dll
c:\windows\system32\wintab32.dll
c:\windows\system32\wmconnectcds.dll
c:\windows\system32\ZSMC301b.dll
.
Infected copy of c:\windows\system32\drivers\afd.sys was found and disinfected
Restored copy from - The cat found it :)
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_Xyz777b
-------\Service_Xyz777b
.
.
((((((((((((((((((((((((( Files Created from 2012-01-08 to 2012-02-08 )))))))))))))))))))))))))))))))
.
.
2012-02-07 04:59 . 2011-02-16 13:22 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2012-02-07 04:55 . 2012-02-07 04:56 -------- d-----w- C:\Combo-Fix
2012-02-06 06:03 . 2011-08-17 13:49 138496 ----a-w- C:\afd.sys.org
2012-02-06 05:55 . 2011-02-16 13:22 138496 ----a-w- C:\afd.sys.bak
2012-02-05 14:12 . 2012-02-07 17:03 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-01-15 17:41 . 2012-02-07 02:45 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG2012
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-10 21:24 . 2010-08-14 19:07 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-25 21:57 . 2004-08-04 04:56 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25 . 2004-08-03 23:17 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35 . 2004-08-04 04:56 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-16 14:21 . 2004-08-04 04:56 354816 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 14:21 . 2004-08-04 04:56 152064 ----a-w- c:\windows\system32\schannel.dll
2009-08-14 17:33 . 2009-08-14 17:33 13136 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2009-08-14 17:33 . 2009-08-14 17:33 70488 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2009-08-14 17:33 . 2009-08-14 17:33 91480 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2009-08-14 17:33 . 2009-08-14 17:33 20824 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2009-08-14 17:34 . 2009-08-14 17:34 206160 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2009-08-14 17:33 . 2009-08-14 17:33 31064 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2009-08-14 17:33 . 2009-08-14 17:33 40280 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2008-05-21 13:41 . 2008-05-21 13:41 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll
2008-05-21 13:41 . 2008-05-21 13:41 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll
2008-05-21 13:41 . 2008-05-21 13:41 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll
2009-08-14 16:50 . 2009-08-14 16:50 652640 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2009-08-14 17:33 . 2009-08-14 17:33 23896 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
2010-10-10 00:05 . 2007-06-01 01:15 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2010-10-10 00:05 . 2007-06-01 01:15 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2010-10-10 00:05 . 2007-06-01 01:15 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2010-10-10 00:05 . 2007-06-01 01:15 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2010-10-10 00:05 . 2007-06-01 01:15 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2010-12-10_06.00.21 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-04-19 03:51 . 2011-04-19 03:51 51024 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_4ddc769f\vcomp90.dll
+ 2011-01-11 15:59 . 2011-01-11 15:59 51024 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.5570_x-ww_214ee422\vcomp90.dll
+ 2011-04-19 03:51 . 2011-04-19 03:51 59728 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_730c3508\mfc90rus.dll
+ 2011-04-19 03:51 . 2011-04-19 03:51 42832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_730c3508\mfc90kor.dll
+ 2011-04-19 03:51 . 2011-04-19 03:51 43344 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_730c3508\mfc90jpn.dll
+ 2011-04-19 03:51 . 2011-04-19 03:51 61264 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_730c3508\mfc90ita.dll
+ 2011-04-19 03:51 . 2011-04-19 03:51 62800 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_730c3508\mfc90fra.dll
+ 2011-04-19 03:51 . 2011-04-19 03:51 61776 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_730c3508\mfc90esp.dll
+ 2011-04-19 03:51 . 2011-04-19 03:51 61776 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_730c3508\mfc90esn.dll
+ 2011-04-19 03:51 . 2011-04-19 03:51 53584 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_730c3508\mfc90enu.dll
+ 2011-04-19 03:51 . 2011-04-19 03:51 63312 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_730c3508\mfc90deu.dll
+ 2011-04-19 03:51 . 2011-04-19 03:51 36688 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_730c3508\mfc90cht.dll
+ 2011-04-19 03:51 . 2011-04-19 03:51 35664 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_730c3508\mfc90chs.dll
+ 2011-01-11 15:59 . 2011-01-11 15:59 59728 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.5570_x-ww_467ea28b\mfc90rus.dll
+ 2011-01-11 15:59 . 2011-01-11 15:59 42832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.5570_x-ww_467ea28b\mfc90kor.dll
+ 2011-01-11 15:59 . 2011-01-11 15:59 43344 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.5570_x-ww_467ea28b\mfc90jpn.dll
+ 2011-01-11 15:59 . 2011-01-11 15:59 61264 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.5570_x-ww_467ea28b\mfc90ita.dll
+ 2011-01-11 15:59 . 2011-01-11 15:59 62800 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.5570_x-ww_467ea28b\mfc90fra.dll
+ 2011-01-11 15:59 . 2011-01-11 15:59 61776 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.5570_x-ww_467ea28b\mfc90esp.dll
+ 2011-01-11 15:59 . 2011-01-11 15:59 61776 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.5570_x-ww_467ea28b\mfc90esn.dll
+ 2011-01-11 15:59 . 2011-01-11 15:59 53584 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.5570_x-ww_467ea28b\mfc90enu.dll
+ 2011-01-11 15:59 . 2011-01-11 15:59 63312 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.5570_x-ww_467ea28b\mfc90deu.dll
+ 2011-01-11 15:59 . 2011-01-11 15:59 36688 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.5570_x-ww_467ea28b\mfc90cht.dll
+ 2011-01-11 15:59 . 2011-01-11 15:59 35664 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.5570_x-ww_467ea28b\mfc90chs.dll
+ 2007-11-07 07:19 . 2007-11-07 07:19 46592 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_11f3ea3a\mfc90kor.dll
+ 2007-11-07 07:19 . 2007-11-07 07:19 47104 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_11f3ea3a\mfc90jpn.dll
+ 2007-11-07 07:19 . 2007-11-07 07:19 59392 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_11f3ea3a\mfc90ita.dll
+ 2007-11-07 07:19 . 2007-11-07 07:19 60416 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_11f3ea3a\mfc90fra.dll
+ 2007-11-07 07:19 . 2007-11-07 07:19 59392 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_11f3ea3a\mfc90esp.dll
+ 2007-11-07 07:19 . 2007-11-07 07:19 59392 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_11f3ea3a\mfc90esn.dll
+ 2007-11-07 07:19 . 2007-11-07 07:19 54272 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_11f3ea3a\mfc90enu.dll
+ 2007-11-07 07:19 . 2007-11-07 07:19 60928 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_11f3ea3a\mfc90deu.dll
+ 2007-11-07 07:19 . 2007-11-07 07:19 41984 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_11f3ea3a\mfc90cht.dll
+ 2007-11-07 07:19 . 2007-11-07 07:19 41472 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_11f3ea3a\mfc90chs.dll
+ 2011-04-19 03:51 . 2011-04-19 03:51 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_028bc148\mfcm90u.dll
+ 2011-04-19 03:51 . 2011-04-19 03:51 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_028bc148\mfcm90.dll
+ 2011-01-11 15:59 . 2011-01-11 15:59 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.5570_x-ww_d5fe2ecb\mfcm90u.dll
+ 2011-01-11 15:59 . 2011-01-11 15:59 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.5570_x-ww_d5fe2ecb\mfcm90.dll
+ 2007-11-07 04:51 . 2007-11-07 04:51 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_a173767a\mfcm90u.dll
+ 2007-11-07 04:51 . 2007-11-07 04:51 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_a173767a\mfcm90.dll
+ 1998-09-29 15:20 . 2011-03-15 01:35 48128 c:\windows\ucmsp_32.dll
+ 1999-12-28 20:34 . 2011-03-15 01:35 49152 c:\windows\system32\umaxusdf.dll
+ 1998-07-04 10:16 . 2011-03-15 01:35 89356 c:\windows\system32\umaxusd.dll
+ 2007-01-29 08:58 . 2011-11-08 13:46 46080 c:\windows\system32\tzchange.exe
- 2007-01-29 08:58 . 2010-06-21 14:46 46080 c:\windows\system32\tzchange.exe
+ 2004-08-04 04:56 . 2010-08-27 05:57 99840 c:\windows\system32\srvsvc.dll
+ 2011-09-25 16:06 . 2011-07-06 21:32 53632 c:\windows\system32\spool\prtprocs\w32x86\LMIproc.dll
+ 2011-09-25 16:06 . 2011-07-06 21:32 54656 c:\windows\system32\spool\drivers\w32x86\LMIprinterui.dll
+ 2011-09-25 16:06 . 2011-07-06 21:32 54656 c:\windows\system32\spool\drivers\w32x86\LMIprinterdat.dll
+ 2011-09-25 16:06 . 2011-07-06 21:32 42880 c:\windows\system32\spool\drivers\w32x86\LMIprinter.dll
+ 2011-09-25 16:06 . 2011-07-06 21:32 54656 c:\windows\system32\spool\drivers\w32x86\3\LMIprinterui.dll
+ 2011-09-25 16:06 . 2011-07-06 21:32 54656 c:\windows\system32\spool\drivers\w32x86\3\LMIprinterdat.dll
+ 2011-09-25 16:06 . 2011-07-06 21:32 42880 c:\windows\system32\spool\drivers\w32x86\3\LMIprinter.dll
+ 2009-05-11 17:42 . 2009-05-11 17:42 59888 c:\windows\system32\pxwma.dll
+ 2009-04-17 18:28 . 2009-04-17 18:28 68080 c:\windows\system32\pxinsa64.exe
+ 2009-04-17 18:28 . 2009-04-17 18:28 68080 c:\windows\system32\pxcpya64.exe
+ 2003-12-23 20:10 . 2012-01-11 09:02 75850 c:\windows\system32\perfc009.dat
+ 2003-12-23 20:10 . 2011-09-26 16:41 20480 c:\windows\system32\oleaccrc.dll
+ 2004-08-04 04:56 . 2011-11-04 19:20 66560 c:\windows\system32\mshtmled.dll
- 2004-08-04 04:56 . 2009-03-08 08:31 66560 c:\windows\system32\mshtmled.dll
- 2009-03-08 08:31 . 2010-06-24 12:21 55296 c:\windows\system32\msfeedsbs.dll
+ 2009-03-08 08:31 . 2011-11-04 19:20 55296 c:\windows\system32\msfeedsbs.dll
+ 2010-03-18 15:15 . 2010-03-18 15:15 80720 c:\windows\system32\mfcm100u.dll
+ 2010-03-18 15:15 . 2010-03-18 15:15 80208 c:\windows\system32\mfcm100.dll
+ 2010-03-18 15:15 . 2010-03-18 15:15 60752 c:\windows\system32\mfc100rus.dll
+ 2010-03-18 15:15 . 2010-03-18 15:15 43344 c:\windows\system32\mfc100kor.dll
+ 2010-03-18 15:15 . 2010-03-18 15:15 43856 c:\windows\system32\mfc100jpn.dll
+ 2010-03-18 15:15 . 2010-03-18 15:15 62288 c:\windows\system32\mfc100ita.dll
+ 2010-03-18 15:15 . 2010-03-18 15:15 64336 c:\windows\system32\mfc100fra.dll
+ 2010-03-18 15:15 . 2010-03-18 15:15 63824 c:\windows\system32\mfc100esn.dll
+ 2010-03-18 15:15 . 2010-03-18 15:15 55120 c:\windows\system32\mfc100enu.dll
+ 2010-03-18 15:15 . 2010-03-18 15:15 64336 c:\windows\system32\mfc100deu.dll
+ 2010-03-18 15:15 . 2010-03-18 15:15 36176 c:\windows\system32\mfc100cht.dll
+ 2010-03-18 15:15 . 2010-03-18 15:15 36176 c:\windows\system32\mfc100chs.dll
+ 2004-08-04 04:56 . 2011-10-14 14:47 23040 c:\windows\system32\mciseq.dll
- 2004-08-04 04:56 . 2008-04-14 00:11 23040 c:\windows\system32\mciseq.dll
+ 2011-09-25 16:06 . 2011-07-06 21:32 83360 c:\windows\system32\LMIRfsClientNP.dll
+ 2011-09-25 16:06 . 2011-07-06 21:32 29568 c:\windows\system32\LMIport.dll
+ 2011-01-12 00:04 . 2011-01-12 00:04 11552 c:\windows\system32\lmimirr2.dll
+ 2011-01-12 00:04 . 2011-01-12 00:04 25248 c:\windows\system32\lmimirr.dll
+ 2011-09-25 16:05 . 2011-07-06 21:32 87424 c:\windows\system32\LMIinit.dll
+ 2004-08-04 04:56 . 2011-11-04 19:20 43520 c:\windows\system32\licmgr10.dll
+ 2004-08-04 04:56 . 2011-11-04 19:20 25600 c:\windows\system32\jsproxy.dll
- 2004-08-04 04:56 . 2010-06-24 12:21 25600 c:\windows\system32\jsproxy.dll
+ 2011-07-12 16:20 . 2011-07-12 16:20 50536 c:\windows\system32\jdns_sd.dll
+ 2007-06-01 00:51 . 2010-11-18 18:12 81920 c:\windows\system32\isign32.dll
- 2007-06-01 00:51 . 2008-04-14 00:11 81920 c:\windows\system32\isign32.dll
+ 2011-07-29 03:57 . 2011-05-10 13:06 42496 c:\windows\system32\DRVSTORE\usbaapl_5CBB3A09528F68FC4AD2F36E43C028E7E6F20400\usbaapl.sys
+ 2011-07-29 03:57 . 2011-05-10 13:06 18432 c:\windows\system32\DRVSTORE\netaapl_B71F8545DA20A81C41BFD744E8D7D9784787E916\netaapl.sys
+ 2011-07-29 04:02 . 2009-05-18 18:17 26600 c:\windows\system32\DRVSTORE\GEARAspiWD_3B7AACF0636A2C042EB7AD2AFF76D37B27BDD28C\x86\GEARAspiWDM.sys
+ 2009-04-17 18:28 . 2009-04-17 18:28 68080 c:\windows\system32\drvins64.exe
+ 2011-07-29 03:57 . 2011-05-10 13:06 42496 c:\windows\system32\drivers\usbaapl.sys
+ 2009-04-17 09:00 . 2009-04-17 09:00 44944 c:\windows\system32\drivers\pxhelp20.sys
+ 2003-12-23 20:10 . 2010-11-02 15:17 40960 c:\windows\system32\drivers\ndproxy.sys
+ 2003-12-23 20:10 . 2011-07-08 14:02 10496 c:\windows\system32\drivers\ndistapi.sys
+ 2011-09-25 16:06 . 2011-01-12 00:04 47640 c:\windows\system32\drivers\LMIRfsDriver.sys
+ 2011-09-25 16:06 . 2011-01-12 00:04 10144 c:\windows\system32\drivers\lmimirr.sys
+ 2006-09-19 18:44 . 2009-05-18 18:17 26600 c:\windows\system32\drivers\GEARAspiWDM.sys
+ 2011-07-12 16:20 . 2011-07-12 16:20 73064 c:\windows\system32\dnssd.dll
+ 2004-08-04 04:56 . 2009-04-20 17:17 45568 c:\windows\system32\dnsrslvr.dll
- 2004-08-04 04:56 . 2008-04-14 00:11 45568 c:\windows\system32\dnsrslvr.dll
+ 2011-07-12 16:20 . 2011-07-12 16:20 83816 c:\windows\system32\dns-sd.exe
+ 2009-06-15 23:38 . 2011-11-04 19:20 12800 c:\windows\system32\dllcache\xpshims.dll
- 2009-06-15 23:38 . 2010-06-24 12:22 12800 c:\windows\system32\dllcache\xpshims.dll
+ 2011-01-30 04:51 . 2010-10-11 14:59 45568 c:\windows\system32\dllcache\wab.exe
+ 2010-08-27 05:57 . 2010-08-27 05:57 99840 c:\windows\system32\dllcache\srvsvc.dll
+ 2011-11-18 12:35 . 2011-11-18 12:35 60416 c:\windows\system32\dllcache\packager.exe
+ 2003-12-23 20:10 . 2011-09-26 16:41 20480 c:\windows\system32\dllcache\oleaccrc.dll
+ 2011-01-30 04:53 . 2010-11-02 15:17 40960 c:\windows\system32\dllcache\ndproxy.sys
+ 2011-08-11 03:31 . 2011-07-08 14:02 10496 c:\windows\system32\dllcache\ndistapi.sys
- 2009-03-08 08:31 . 2009-03-08 08:31 66560 c:\windows\system32\dllcache\mshtmled.dll
+ 2009-03-08 08:31 . 2011-11-04 19:20 66560 c:\windows\system32\dllcache\mshtmled.dll
- 2009-07-28 18:52 . 2010-06-24 12:21 55296 c:\windows\system32\dllcache\msfeedsbs.dll
+ 2009-07-28 18:52 . 2011-11-04 19:20 55296 c:\windows\system32\dllcache\msfeedsbs.dll
+ 2011-10-14 14:47 . 2011-10-14 14:47 23040 c:\windows\system32\dllcache\mciseq.dll
+ 2009-03-08 08:34 . 2011-11-04 19:20 43520 c:\windows\system32\dllcache\licmgr10.dll
+ 2009-03-08 08:33 . 2011-11-04 19:20 25600 c:\windows\system32\dllcache\jsproxy.dll
- 2009-03-08 08:33 . 2010-06-24 12:21 25600 c:\windows\system32\dllcache\jsproxy.dll
+ 2010-11-18 18:12 . 2010-11-18 18:12 81920 c:\windows\system32\dllcache\isign32.dll
+ 2009-04-20 17:17 . 2009-04-20 17:17 45568 c:\windows\system32\dllcache\dnsrslvr.dll
+ 2009-12-14 07:08 . 2011-10-28 05:31 33280 c:\windows\system32\dllcache\csrsrv.dll
- 2009-12-14 07:08 . 2009-12-14 07:08 33280 c:\windows\system32\dllcache\csrsrv.dll
+ 2000-04-28 18:51 . 2011-03-15 01:35 25466 c:\windows\system32\disk3\asc.sys
+ 2004-08-04 04:56 . 2011-10-28 05:31 33280 c:\windows\system32\csrsrv.dll
- 2004-08-04 04:56 . 2009-12-14 07:08 33280 c:\windows\system32\csrsrv.dll
+ 2011-12-25 09:49 . 2011-12-25 09:49 31504 c:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.exe
+ 1999-06-01 21:29 . 2011-03-15 01:35 39680 c:\windows\is11_16.exe
+ 1999-08-17 15:52 . 2011-03-15 01:35 81920 c:\windows\ipmfile.dll
+ 2011-08-21 00:52 . 2011-08-21 00:52 19968 c:\windows\Installer\40467.msi
+ 2011-10-03 03:30 . 2011-10-03 03:30 73728 c:\windows\Installer\{C0B165DC-F037-483F-B1C9-D89D91529CEB}\liteico.exe.827545C6_7013_4DE1_8E6C_DAEE4C57F54A.exe
+ 2011-10-03 03:30 . 2011-10-03 03:30 73728 c:\windows\Installer\{C0B165DC-F037-483F-B1C9-D89D91529CEB}\ARPICON.exe
+ 2007-09-29 17:27 . 2012-01-12 09:01 35088 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
- 2007-09-29 17:27 . 2010-09-15 08:04 35088 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\oisicon.exe
+ 2007-09-29 17:27 . 2012-01-12 09:01 18704 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
- 2007-09-29 17:27 . 2010-09-15 08:04 18704 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\mspicons.exe
+ 2007-09-29 17:27 . 2012-01-12 09:01 20240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
- 2007-09-29 17:27 . 2010-09-15 08:04 20240 c:\windows\Installer\{90120000-0030-0000-0000-0000000FF1CE}\cagicon.exe
+ 2011-02-02 01:13 . 2011-02-02 01:13 37807 c:\windows\Installer\{8C1D4735-84E4-41E2-A1DB-70EADE27633C}\RunLightroom313212_C2C2101F05384548B5AF39E0D3B3CB50.exe
+ 2011-02-02 01:13 . 2011-02-02 01:13 37807 c:\windows\Installer\{8C1D4735-84E4-41E2-A1DB-70EADE27633C}\NewShortcut4_C2C2101F05384548B5AF39E0D3B3CB50.exe
+ 2011-02-02 01:13 . 2011-02-02 01:13 37807 c:\windows\Installer\{8C1D4735-84E4-41E2-A1DB-70EADE27633C}\ARPPRODUCTICON.exe
+ 2011-07-29 03:59 . 2011-07-29 03:59 27136 c:\windows\Installer\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}\AppleSoftwareUpdateIco.exe
+ 2011-12-15 09:08 . 2011-08-22 23:48 12800 c:\windows\ie8updates\KB2618444-IE8\xpshims.dll
+ 2011-12-15 09:08 . 2011-08-22 23:48 66560 c:\windows\ie8updates\KB2618444-IE8\mshtmled.dll
+ 2011-12-15 09:08 . 2011-08-22 23:48 55296 c:\windows\ie8updates\KB2618444-IE8\msfeedsbs.dll
+ 2011-12-15 09:08 . 2011-08-22 23:48 43520 c:\windows\ie8updates\KB2618444-IE8\licmgr10.dll
+ 2011-12-15 09:08 . 2011-08-22 23:48 25600 c:\windows\ie8updates\KB2618444-IE8\jsproxy.dll
+ 2011-10-13 08:01 . 2011-06-23 18:36 12800 c:\windows\ie8updates\KB2586448-IE8\xpshims.dll
+ 2011-10-13 08:01 . 2011-06-23 18:36 66560 c:\windows\ie8updates\KB2586448-IE8\mshtmled.dll
+ 2011-10-13 08:01 . 2011-06-23 18:36 55296 c:\windows\ie8updates\KB2586448-IE8\msfeedsbs.dll
+ 2011-10-13 08:01 . 2011-06-23 18:36 43520 c:\windows\ie8updates\KB2586448-IE8\licmgr10.dll
+ 2011-10-13 08:01 . 2011-06-23 18:36 25600 c:\windows\ie8updates\KB2586448-IE8\jsproxy.dll
+ 2011-08-11 08:01 . 2011-04-25 16:11 12800 c:\windows\ie8updates\KB2559049-IE8\xpshims.dll
+ 2011-08-11 08:01 . 2011-04-25 16:11 66560 c:\windows\ie8updates\KB2559049-IE8\mshtmled.dll
+ 2011-08-11 08:01 . 2011-04-25 16:11 55296 c:\windows\ie8updates\KB2559049-IE8\msfeedsbs.dll
+ 2011-08-11 08:01 . 2011-04-25 16:11 43520 c:\windows\ie8updates\KB2559049-IE8\licmgr10.dll
+ 2011-08-11 08:01 . 2011-04-25 16:11 25600 c:\windows\ie8updates\KB2559049-IE8\jsproxy.dll
+ 2011-06-17 08:01 . 2011-02-22 23:06 12800 c:\windows\ie8updates\KB2530548-IE8\xpshims.dll
+ 2011-06-17 08:01 . 2011-02-22 23:06 66560 c:\windows\ie8updates\KB2530548-IE8\mshtmled.dll
+ 2011-06-17 08:01 . 2011-02-22 23:06 55296 c:\windows\ie8updates\KB2530548-IE8\msfeedsbs.dll
+ 2011-06-17 08:01 . 2011-02-22 23:06 43520 c:\windows\ie8updates\KB2530548-IE8\licmgr10.dll
+ 2011-06-17 08:01 . 2011-02-22 23:06 25600 c:\windows\ie8updates\KB2530548-IE8\jsproxy.dll
+ 2011-04-15 08:08 . 2010-12-20 23:59 12800 c:\windows\ie8updates\KB2497640-IE8\xpshims.dll
+ 2011-04-15 08:08 . 2010-12-20 23:59 66560 c:\windows\ie8updates\KB2497640-IE8\mshtmled.dll
+ 2011-04-15 08:08 . 2010-12-20 23:59 55296 c:\windows\ie8updates\KB2497640-IE8\msfeedsbs.dll
+ 2011-04-15 08:08 . 2010-12-20 23:59 43520 c:\windows\ie8updates\KB2497640-IE8\licmgr10.dll
+ 2011-04-15 08:08 . 2010-12-20 23:59 25600 c:\windows\ie8updates\KB2497640-IE8\jsproxy.dll
+ 2011-02-10 09:01 . 2010-11-06 00:26 12800 c:\windows\ie8updates\KB2482017-IE8\xpshims.dll
+ 2011-02-10 09:01 . 2010-11-06 00:26 66560 c:\windows\ie8updates\KB2482017-IE8\mshtmled.dll
+ 2011-02-10 09:01 . 2010-11-06 00:26 55296 c:\windows\ie8updates\KB2482017-IE8\msfeedsbs.dll
+ 2011-02-10 09:01 . 2010-11-06 00:26 43520 c:\windows\ie8updates\KB2482017-IE8\licmgr10.dll
+ 2011-02-10 09:01 . 2010-11-06 00:26 25600 c:\windows\ie8updates\KB2482017-IE8\jsproxy.dll
+ 2011-01-30 09:05 . 2010-06-24 12:22 12800 c:\windows\ie8updates\KB2416400-IE8\xpshims.dll
+ 2011-01-30 09:05 . 2009-03-08 08:31 66560 c:\windows\ie8updates\KB2416400-IE8\mshtmled.dll
+ 2011-01-30 09:05 . 2010-06-24 12:21 55296 c:\windows\ie8updates\KB2416400-IE8\msfeedsbs.dll
+ 2011-01-30 09:05 . 2009-03-08 08:34 43008 c:\windows\ie8updates\KB2416400-IE8\licmgr10.dll
+ 2011-01-30 09:05 . 2010-06-24 12:21 25600 c:\windows\ie8updates\KB2416400-IE8\jsproxy.dll
+ 1997-12-03 14:21 . 2011-03-15 01:35 90112 c:\windows\binupref\zinc.dat
+ 1998-08-13 00:10 . 2011-03-15 01:35 54784 c:\windows\bdongle.dll
+ 2011-10-13 08:11 . 2011-10-13 08:11 60928 c:\windows\assembly\NativeImages_v2.0.50727_32\UIAutomationProvider\888b745ca99d39692c2e9af222e5eae8\UIAutomationProvider.ni.dll
+ 2011-10-13 08:15 . 2011-10-13 08:15 37888 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Pres#\6c334564da041df8fb75415f2d503224\System.Windows.Presentation.ni.dll
+ 2011-10-13 08:15 . 2011-10-13 08:15 36864 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.DynamicD#\a54a122f1070ab71931dd9679ddd8e90\System.Web.DynamicData.Design.ni.dll
+ 2012-01-11 09:06 . 2012-01-11 09:06 36864 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.DynamicD#\750de53f30e516eb2c62de9bab7954e9\System.Web.DynamicData.Design.ni.dll
+ 2011-10-13 08:13 . 2011-10-13 08:13 94208 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ComponentMod#\ac92806d5bd508eb25f1b4b73a36b101\System.ComponentModel.DataAnnotations.ni.dll
+ 2011-10-13 08:13 . 2011-10-13 08:13 82944 c:\windows\assembly\NativeImages_v2.0.50727_32\System.AddIn.Contra#\e6a9cd66d11a21776dbf425e8e28099c\System.AddIn.Contract.ni.dll
+ 2011-10-13 08:09 . 2011-10-13 08:09 47104 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFontCac#\66873b557d5c7013e4c630361473b0c2\PresentationFontCache.ni.exe
+ 2011-10-13 08:09 . 2011-10-13 08:09 39424 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationCFFRast#\5b30652a7b802199984f93b5e414260f\PresentationCFFRasterizer.ni.dll
+ 2011-10-13 08:14 . 2011-10-13 08:14 55296 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Vsa\eaa8d72317e5b8047e413939cc71ffba\Microsoft.Vsa.ni.dll
+ 2011-10-13 08:13 . 2011-10-13 08:13 74752 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Fra#\aefe683674c97a998f4e908c1a7ee7c6\Microsoft.Build.Framework.ni.dll
+ 2011-10-13 08:13 . 2011-10-13 08:13 65024 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Fra#\845eef4d09f28da6ee05d99f93c90f6e\Microsoft.Build.Framework.ni.dll
+ 2011-10-13 08:13 . 2011-10-13 08:13 14336 c:\windows\assembly\NativeImages_v2.0.50727_32\dfsvc\ab7ce2d94ca725c3889a4e3c1ee88ece\dfsvc.ni.exe
+ 2011-10-13 08:12 . 2011-10-13 08:12 25600 c:\windows\assembly\NativeImages_v2.0.50727_32\Accessibility\d86a3346c3d90ff12d0df9d7726f3ece\Accessibility.ni.dll
+ 2012-01-11 09:01 . 2012-01-11 09:01 77824 c:\windows\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
- 2010-10-03 08:01 . 2010-10-03 08:01 77824 c:\windows\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
- 2010-10-03 08:01 . 2010-10-03 08:01 81920 c:\windows\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
+ 2012-01-11 09:01 . 2012-01-11 09:01 81920 c:\windows\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
- 2010-10-03 08:02 . 2010-10-03 08:02 81920 c:\windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
+ 2012-01-11 09:02 . 2012-01-11 09:02 81920 c:\windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
+ 2012-01-11 09:02 . 2012-01-11 09:02 32768 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
- 2010-10-03 08:01 . 2010-10-03 08:01 32768 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
- 2010-10-03 08:02 . 2010-10-03 08:02 12800 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
+ 2012-01-11 09:02 . 2012-01-11 09:02 12800 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
- 2010-10-03 08:02 . 2010-10-03 08:02 28672 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
+ 2012-01-11 09:02 . 2012-01-11 09:02 28672 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
+ 2012-01-11 09:02 . 2012-01-11 09:02 77824 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
- 2010-10-03 08:02 . 2010-10-03 08:02 77824 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
+ 2012-01-11 09:02 . 2012-01-11 09:02 36864 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
- 2010-10-03 08:02 . 2010-10-03 08:02 36864 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
+ 2012-01-11 09:02 . 2012-01-11 09:02 77824 c:\windows\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
- 2010-10-03 08:01 . 2010-10-03 08:01 77824 c:\windows\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
- 2010-10-03 08:01 . 2010-10-03 08:01 13312 c:\windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
+ 2012-01-11 09:01 . 2012-01-11 09:01 13312 c:\windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
- 2010-10-03 08:02 . 2010-10-03 08:02 10752 c:\windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
+ 2012-01-11 09:02 . 2012-01-11 09:02 10752 c:\windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
+ 2012-01-11 09:02 . 2012-01-11 09:02 72192 c:\windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
- 2010-10-03 08:02 . 2010-10-03 08:02 72192 c:\windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
- 2010-10-03 08:01 . 2010-10-03 08:01 69120 c:\windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
+ 2012-01-11 09:01 . 2012-01-11 09:01 69120 c:\windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
+ 2011-12-15 09:03 . 2011-07-08 13:49 46080 c:\windows\$NtUninstallKB2633952$\tzchange.exe
+ 2011-12-15 09:03 . 2011-11-08 14:58 16896 c:\windows\$NtUninstallKB2633952$\spuninst\tzchange.dll
+ 2011-12-15 09:02 . 2011-04-26 11:07 33280 c:\windows\$NtUninstallKB2620712$\csrsrv.dll
+ 2011-08-24 08:00 . 2010-11-03 13:12 46080 c:\windows\$NtUninstallKB2570791$\tzchange.exe
+ 2011-08-24 08:00 . 2011-07-09 00:32 16896 c:\windows\$NtUninstallKB2570791$\spuninst\tzchange.dll
+ 2011-08-11 08:01 . 2008-04-13 18:57 10112 c:\windows\$NtUninstallKB2566454$\ndistapi.sys
+ 2011-10-13 08:09 . 2003-12-23 20:10 16896 c:\windows\$NtUninstallKB2564958$\oleaccrc.dll
+ 2011-04-15 08:01 . 2008-04-14 00:11 45568 c:\windows\$NtUninstallKB2509553$\dnsrslvr.dll
+ 2011-07-13 08:03 . 2010-12-09 14:30 33280 c:\windows\$NtUninstallKB2507938$\csrsrv.dll
+ 2011-02-10 09:01 . 2009-12-14 07:08 33280 c:\windows\$NtUninstallKB2476687$\csrsrv.dll
+ 2011-01-30 09:03 . 2010-06-21 14:46 46080 c:\windows\$NtUninstallKB2443685$\tzchange.exe
+ 2011-01-30 09:03 . 2010-11-05 05:57 16896 c:\windows\$NtUninstallKB2443685$\spuninst\tzchange.dll
+ 2011-01-30 09:05 . 2008-04-14 00:11 81920 c:\windows\$NtUninstallKB2443105$\isign32.dll
+ 2011-01-30 09:05 . 2008-04-13 18:57 40576 c:\windows\$NtUninstallKB2440591$\ndproxy.sys
+ 2011-01-30 09:01 . 2008-04-14 00:12 46080 c:\windows\$NtUninstallKB2423089$\wab.exe
+ 2011-01-30 09:06 . 2008-04-14 00:12 96768 c:\windows\$NtUninstallKB2345886$\srvsvc.dll
+ 2011-01-30 09:04 . 2009-05-26 11:40 26488 c:\windows\$hf_mig$\KB982132\update\spcustom.dll
+ 2011-01-30 09:04 . 2009-05-26 11:40 17272 c:\windows\$hf_mig$\KB982132\spmsg.dll
+ 2011-01-30 09:03 . 2009-05-26 09:01 26488 c:\windows\$hf_mig$\KB979687\update\spcustom.dll
+ 2011-01-30 09:03 . 2009-05-26 09:01 17272 c:\windows\$hf_mig$\KB979687\spmsg.dll
+ 2011-03-16 08:00 . 2008-07-08 13:02 26488 c:\windows\$hf_mig$\KB971029\update\spcustom.dll
+ 2011-03-16 08:00 . 2008-07-08 13:02 17272 c:\windows\$hf_mig$\KB971029\spmsg.dll
+ 2011-11-11 09:01 . 2010-07-05 13:15 26488 c:\windows\$hf_mig$\KB2641690\update\spcustom.dll
+ 2011-11-11 09:01 . 2010-07-05 13:15 17272 c:\windows\$hf_mig$\KB2641690\spmsg.dll
+ 2011-12-15 09:08 . 2010-07-05 13:15 26488 c:\windows\$hf_mig$\KB2639417\update\spcustom.dll
+ 2011-12-15 09:08 . 2010-07-05 13:15 17272 c:\windows\$hf_mig$\KB2639417\spmsg.dll
+ 2011-12-15 09:02 . 2010-07-05 13:15 26488 c:\windows\$hf_mig$\KB2633171\update\spcustom.dll
+ 2011-12-14 21:36 . 2011-10-26 10:50 16896 c:\windows\$hf_mig$\KB2633171\update\mpsyschk.dll
+ 2011-12-15 09:02 . 2010-07-05 13:15 17272 c:\windows\$hf_mig$\KB2633171\spmsg.dll
+ 2011-12-15 09:08 . 2010-07-05 13:15 26488 c:\windows\$hf_mig$\KB2624667\update\spcustom.dll
+ 2011-12-15 09:08 . 2010-07-05 13:15 17272 c:\windows\$hf_mig$\KB2624667\spmsg.dll
+ 2011-12-15 09:02 . 2010-07-05 13:15 26488 c:\windows\$hf_mig$\KB2620712\update\spcustom.dll
+ 2011-12-15 09:02 . 2010-07-05 13:15 17272 c:\windows\$hf_mig$\KB2620712\spmsg.dll
+ 2011-10-28 05:31 . 2011-10-28 05:31 33280 c:\windows\$hf_mig$\KB2620712\SP3QFE\csrsrv.dll
+ 2011-12-15 09:03 . 2010-07-05 13:15 26488 c:\windows\$hf_mig$\KB2619339\update\spcustom.dll
+ 2011-12-15 09:03 . 2010-07-05 13:15 17272 c:\windows\$hf_mig$\KB2619339\spmsg.dll
+ 2011-12-15 09:02 . 2010-07-05 13:15 26488 c:\windows\$hf_mig$\KB2618451\update\spcustom.dll
+ 2011-12-15 09:02 . 2010-07-05 13:15 17272 c:\windows\$hf_mig$\KB2618451\spmsg.dll
+ 2011-12-15 09:08 . 2010-07-05 13:15 26488 c:\windows\$hf_mig$\KB2618444-IE8\update\spcustom.dll
+ 2011-12-15 09:08 . 2010-07-05 13:15 17272 c:\windows\$hf_mig$\KB2618444-IE8\spmsg.dll
+ 2011-12-14 21:35 . 2011-11-04 19:19 12800 c:\windows\$hf_mig$\KB2618444-IE8\SP3QFE\xpshims.dll
+ 2011-12-14 21:35 . 2011-11-04 19:19 66560 c:\windows\$hf_mig$\KB2618444-IE8\SP3QFE\mshtmled.dll
+ 2011-12-14 21:35 . 2011-11-04 19:19 55296 c:\windows\$hf_mig$\KB2618444-IE8\SP3QFE\msfeedsbs.dll
+ 2011-12-14 21:35 . 2011-11-04 19:19 43520 c:\windows\$hf_mig$\KB2618444-IE8\SP3QFE\licmgr10.dll
+ 2011-12-14 21:35 . 2011-11-04 19:19 25600 c:\windows\$hf_mig$\KB2618444-IE8\SP3QFE\jsproxy.dll
+ 2011-09-16 08:07 . 2010-07-05 13:15 26488 c:\windows\$hf_mig$\KB2616676\update\spcustom.dll
+ 2011-09-16 08:07 . 2010-07-05 13:15 17272 c:\windows\$hf_mig$\KB2616676\spmsg.dll
+ 2011-09-07 08:01 . 2010-07-05 13:15 26488 c:\windows\$hf_mig$\KB2607712\update\spcustom.dll
+ 2011-09-07 08:01 . 2010-07-05 13:15 17272 c:\windows\$hf_mig$\KB2607712\spmsg.dll
+ 2011-10-13 08:02 . 2010-07-05 13:15 26488 c:\windows\$hf_mig$\KB2592799\update\spcustom.dll
+ 2011-10-13 08:02 . 2010-07-05 13:15 17272 c:\windows\$hf_mig$\KB2592799\spmsg.dll
+ 2011-10-13 08:01 . 2010-07-05 13:15 26488 c:\windows\$hf_mig$\KB2586448-IE8\update\spcustom.dll
+ 2011-10-13 08:01 . 2010-07-05 13:15 17272 c:\windows\$hf_mig$\KB2586448-IE8\spmsg.dll
+ 2011-10-12 11:15 . 2011-08-22 23:47 12800 c:\windows\$hf_mig$\KB2586448-IE8\SP3QFE\xpshims.dll
+ 2011-10-12 11:15 . 2011-08-22 23:47 66560 c:\windows\$hf_mig$\KB2586448-IE8\SP3QFE\mshtmled.dll
+ 2011-10-12 11:15 . 2011-08-22 23:47 55296 c:\windows\$hf_mig$\KB2586448-IE8\SP3QFE\msfeedsbs.dll
+ 2011-10-12 11:15 . 2011-08-22 23:47 43520 c:\windows\$hf_mig$\KB2586448-IE8\SP3QFE\licmgr10.dll
+ 2011-10-12 11:15 . 2011-08-22 23:47 25600 c:\windows\$hf_mig$\KB2586448-IE8\SP3QFE\jsproxy.dll
+ 2011-09-16 08:03 . 2010-07-05 13:15 26488 c:\windows\$hf_mig$\KB2570947\update\spcustom.dll
+ 2011-09-16 08:03 . 2010-07-05 13:15 17272 c:\windows\$hf_mig$\KB2570947\spmsg.dll
+ 2011-08-11 08:03 . 2010-07-05 13:15 26488 c:\windows\$hf_mig$\KB2570222\update\spcustom.dll
+ 2011-08-11 08:03 . 2010-07-05 13:15 17272 c:\windows\$hf_mig$\KB2570222\spmsg.dll
+ 2011-08-11 08:04 . 2010-07-05 13:15 26488 c:\windows\$hf_mig$\KB2567680\update\spcustom.dll
+ 2011-08-11 08:04 . 2010-07-05 13:15 17272 c:\windows\$hf_mig$\KB2567680\spmsg.dll
+ 2011-10-13 08:02 . 2010-07-05 13:15 26488 c:\windows\$hf_mig$\KB2567053\update\spcustom.dll
+ 2011-10-13 08:02 . 2010-07-05 13:15 17272 c:\windows\$hf_mig$\KB2567053\spmsg.dll
+ 2011-08-11 08:01 . 2010-07-05 13:15 26488 c:\windows\$hf_mig$\KB2566454\update\spcustom.dll
+ 2011-08-11 08:01 . 2010-07-05 13:15 17272 c:\windows\$hf_mig$\KB2566454\spmsg.dll
+ 2011-08-11 03:31 . 2011-07-08 13:51 10496 c:\windows\$hf_mig$\KB2566454\SP3QFE\ndistapi.sys
+ 2011-08-11 08:00 . 2010-07-05 13:15 26488 c:\windows\$hf_mig$\KB2562937\update\spcustom.dll
+ 2011-08-11 08:00 . 2010-07-05 13:15 17272 c:\windows\$hf_mig$\KB2562937\spmsg.dll
+ 2011-08-11 08:01 . 2010-07-05 13:15 26488 c:\windows\$hf_mig$\KB2559049-IE8\update\spcustom.dll
+ 2011-08-11 08:01 . 2010-07-05 13:15 17272 c:\windows\$hf_mig$\KB2559049-IE8\spmsg.dll
+ 2011-08-11 03:31 . 2011-06-23 18:33 12800 c:\windows\$hf_mig$\KB2559049-IE8\SP3QFE\xpshims.dll
+ 2011-08-11 03:31 . 2011-06-23 18:33 66560 c:\windows\$hf_mig$\KB2559049-IE8\SP3QFE\mshtmled.dll
+ 2011-08-11 03:31 . 2011-06-23 18:33 55296 c:\windows\$hf_mig$\KB2559049-IE8\SP3QFE\msfeedsbs.dll
+ 2011-08-11 03:31 . 2011-06-23 18:33 43520 c:\windows\$hf_mig$\KB2559049-IE8\SP3QFE\licmgr10.dll
+ 2011-08-11 03:31 . 2011-06-23 18:33 25600 c:\windows\$hf_mig$\KB2559049-IE8\SP3QFE\jsproxy.dll
+ 2011-07-13 08:01 . 2010-07-05 13:15 26488 c:\windows\$hf_mig$\KB2555917\update\spcustom.dll
+ 2011-07-13 08:01 . 2010-07-05 13:15 17272 c:\windows\$hf_mig$\KB2555917\spmsg.dll
+ 2011-06-17 08:01 . 2010-07-05 13:15 26488 c:\windows\$hf_mig$\KB2544893\update\spcustom.dll
+ 2011-06-17 08:01 . 2010-07-05 13:15 17272 c:\windows\$hf_mig$\KB2544893\spmsg.dll
+ 2011-11-09 09:02 . 2010-07-05 13:15 26488 c:\windows\$hf_mig$\KB2544893-v2\update\spcustom.dll
+ 2011-11-09 09:02 . 2010-07-05 13:15 17272 c:\windows\$hf_mig$\KB2544893-v2\spmsg.dll
+ 2011-06-17 08:01 . 2010-07-05 13:15 26488 c:\windows\$hf_mig$\KB2544521-IE8\update\spcustom.dll
+ 2011-06-17 08:01 . 2010-07-05 13:15 17272 c:\windows\$hf_mig$\KB2544521-IE8\spmsg.dll
+ 2011-06-30 08:01 . 2010-07-05 13:15 26488 c:\windows\$hf_mig$\KB2541763\update\spcustom.dll
+ 2011-06-30 08:01 . 2010-07-05 13:15 17272 c:\windows\$hf_mig$\KB2541763\spmsg.dll
+ 2011-06-17 08:01 . 2010-07-05 13:15 26488 c:\windows\$hf_mig$\KB2536276\update\spcustom.dll
+ 2011-06-17 08:01 . 2010-07-05 13:15 17272 c:\windows\$hf_mig$\KB2536276\spmsg.dll
+ 2011-08-11 08:03 . 2010-07-05 13:15 26488 c:\windows\$hf_mig$\KB2536276-v2\update\spcustom.dll
+ 2011-08-11 08:03 . 2010-07-05 13:15 17272 c:\windows\$hf_mig$\KB2536276-v2\spmsg.dll
+ 2011-06-17 08:02 . 2010-07-05 13:15 26488 c:\windows\$hf_mig$\KB2535512\update\spcustom.dll
+ 2011-06-17 08:02 . 2010-07-05 13:15 17272 c:\windows\$hf_mig$\KB2535512\spmsg.dll
+ 2011-06-17 08:01 . 2010-07-05 13:15 26488 c:\windows\$hf_mig$\KB2530548-IE8\update\spcustom.dll
+ 2011-06-17 08:01 . 2010-07-05 13:15 17272 c:\windows\$hf_mig$\KB2530548-IE8\spmsg.dll
+ 2011-06-16 21:28 . 2011-04-25 16:09 12800 c:\windows\$hf_mig$\KB2530548-IE8\SP3QFE\xpshims.dll
+ 2011-06-16 21:28 . 2011-04-25 16:09 66560 c:\windows\$hf_mig$\KB2530548-IE8\SP3QFE\mshtmled.dll
+ 2011-06-16 21:28 . 2011-04-25 16:09 55296 c:\windows\$hf_mig$\KB2530548-IE8\SP3QFE\msfeedsbs.dll
+ 2011-06-16 21:28 . 2011-04-25 16:09 43520 c:\windows\$hf_mig$\KB2530548-IE8\SP3QFE\licmgr10.dll
+ 2011-06-16 21:28 . 2011-04-25 16:09 25600 c:\windows\$hf_mig$\KB2530548-IE8\SP3QFE\jsproxy.dll
+ 2011-03-24 08:01 . 2010-07-05 13:15 26488 c:\windows\$hf_mig$\KB2524375\update\spcustom.dll
+ 2011-03-24 08:01 . 2010-07-05 13:15 17272 c:\windows\$hf_mig$\KB2524375\spmsg.dll
+ 2011-04-15 08:04 . 2010-07-05 13:15 26488 c:\windows\$hf_mig$\KB2511455\update\spcustom.dll
+ 2011-04-15 08:04 . 2010-07-05 13:15 17272 c:\windows\$hf_mig$\KB2511455\spmsg.dll
+ 2011-04-15 08:01 . 2010-07-05 13:15 26488 c:\windows\$hf_mig$\KB2510531-IE8\update\spcustom.dll
+ 2011-04-15 08:01 . 2010-07-05 13:15 17272 c:\windows\$hf_mig$\KB2510531-IE8\spmsg.dll
+ 2011-04-15 08:01 . 2010-07-05 13:15 26488 c:\windows\$hf_mig$\KB2509553\update\spcustom.dll
+ 2011-04-15 08:01 . 2010-07-05 13:15 17272 c:\windows\$hf_mig$\KB2509553\spmsg.dll
+ 2009-04-20 17:06 . 2009-04-20 17:06 45568 c:\windows\$hf_mig$\KB2509553\SP3QFE\dnsrslvr.dll
+ 2011-04-15 08:04 . 2010-07-05 13:15 26488 c:\windows\$hf_mig$\KB2508429\update\spcustom.dll
+ 2011-04-15 08:04 . 2010-07-05 13:15 17272 c:\windows\$hf_mig$\KB2508429\spmsg.dll
+ 2011-04-15 08:05 . 2010-07-05 13:15 26488 c:\windows\$hf_mig$\KB2508272\update\spcustom.dll
+ 2011-04-15 08:05 . 2010-07-05 13:15 17272 c:\windows\$hf_mig$\KB2508272\spmsg.dll
+ 2011-07-13 08:03 . 2010-07-05 13:15 26488 c:\windows\$hf_mig$\KB2507938\update\spcustom.dll
+ 2011-07-13 08:03 . 2010-07-05 13:15 17272 c:\windows\$hf_mig$\KB2507938\spmsg.dll
+ 2011-04-26 11:02 . 2011-04-26 11:02 33280 c:\windows\$hf_mig$\KB2507938\SP3QFE\csrsrv.dll
+ 2011-04-15 08:04 . 2010-07-05 13:15 26488 c:\windows\$hf_mig$\KB2507618\update\spcustom.dll
+ 2011-04-15 08:04 . 2010-07-05 13:15 17272 c:\windows\$hf_mig$\KB2507618\spmsg.dll
+ 2011-04-15 08:09 . 2010-07-05 13:15 26488 c:\windows\$hf_mig$\KB2506223\update\spcustom.dll
+ 2011-04-15 08:09 . 2010-07-05 13:15 17272 c:\windows\$hf_mig$\KB2506223\spmsg.dll
+ 2011-04-15 08:04 . 2010-07-05 13:15 26488 c:\windows\$hf_mig$\KB2506212\update\spcustom.dll
+ 2011-04-15 08:04 . 2010-07-05 13:15 17272 c:\windows\$hf_mig$\KB2506212\spmsg.dll
+ 2011-06-17 08:02 . 2010-07-05 13:15 26488 c:\windows\$hf_mig$\KB2503665\update\spcustom.dll
+ 2011-06-17 08:02 . 2010-07-05 13:15 17272 c:\windows\$hf_mig$\KB2503665\spmsg.dll
+ 2011-04-15 08:05 . 2010-07-05 13:15 26488 c:\windows\$hf_mig$\KB2503658\update\spcustom.dll
+ 2011-04-15 08:05 . 2010-07-05 13:15 17272 c:\windows\$hf_mig$\KB2503658\spmsg.dll
+ 2011-04-15 08:08 . 2010-07-05 13:15 26488 c:\windows\$hf_mig$\KB2497640-IE8\update\spcustom.dll
+ 2011-04-15 08:08 . 2010-07-05 13:15 17272 c:\windows\$hf_mig$\KB2497640-IE8\spmsg.dll
+ 2011-04-15 02:30 . 2011-02-22 23:27 12800 c:\windows\$hf_mig$\KB2497640-IE8\SP3QFE\xpshims.dll
+ 2011-04-15 02:30 . 2011-02-22 23:27 66560 c:\windows\$hf_mig$\KB2497640-IE8\SP3QFE\mshtmled.dll
+ 2011-04-15 02:30 . 2011-02-22 23:27 55296 c:\windows\$hf_mig$\KB2497640-IE8\SP3QFE\msfeedsbs.dll
+ 2011-04-15 02:30 . 2011-02-22 23:27 43520 c:\windows\$hf_mig$\KB2497640-IE8\SP3QFE\licmgr10.dll
+ 2011-04-15 02:30 . 2011-02-22 23:27 25600 c:\windows\$hf_mig$\KB2497640-IE8\SP3QFE\jsproxy.dll
+ 2011-04-15 08:09 . 2010-07-05 13:15 26488 c:\windows\$hf_mig$\KB2485663\update\spcustom.dll
+ 2011-04-15 08:09 . 2010-07-05 13:15 17272 c:\windows\$hf_mig$\KB2485663\spmsg.dll
+ 2011-02-10 09:04 . 2010-07-05 13:15 26488 c:\windows\$hf_mig$\KB2485376\update\spcustom.dll
+ 2011-02-10 09:04 . 2010-07-05 13:15 17272 c:\windows\$hf_mig$\KB2485376\spmsg.dll
+ 2011-02-10 09:04 . 2010-07-05 13:15 26488 c:\windows\$hf_mig$\KB2483185\update\spcustom.dll
+ 2011-02-10 09:04 . 2010-07-05 13:15 17272 c:\windows\$hf_mig$\KB2483185\spmsg.dll
+ 2011-02-10 09:02 . 2010-07-05 13:15 26488 c:\windows\$hf_mig$\KB2482017-IE8\update\spcustom.dll
+ 2011-02-10 09:02 . 2010-07-05 13:15 17272 c:\windows\$hf_mig$\KB2482017-IE8\spmsg.dll
+ 2011-02-09 19:41 . 2010-12-20 23:58 12800 c:\windows\$hf_mig$\KB2482017-IE8\SP3QFE\xpshims.dll
+ 2011-02-09 19:41 . 2010-12-20 23:58 66560 c:\windows\$hf_mig$\KB2482017-IE8\SP3QFE\mshtmled.dll
+ 2011-02-09 19:41 . 2010-12-20 23:58 55296 c:\windows\$hf_mig$\KB2482017-IE8\SP3QFE\msfeedsbs.dll
+ 2011-02-09 19:41 . 2010-12-20 23:58 43520 c:\windows\$hf_mig$\KB2482017-IE8\SP3QFE\licmgr10.dll
+ 2011-02-09 19:41 . 2010-12-20 23:58 25600 c:\windows\$hf_mig$\KB2482017-IE8\SP3QFE\jsproxy.dll
+ 2011-03-11 09:01 . 2010-07-05 13:15 26488 c:\windows\$hf_mig$\KB2481109\update\spcustom.dll
+ 2011-03-11 09:01 . 2010-07-05 13:15 17272 c:\windows\$hf_mig$\KB2481109\spmsg.dll
+ 2011-02-02 07:57 . 2011-02-02 07:57 53248 c:\windows\$hf_mig$\KB2481109\SP3QFE\tsgqec.dll
+ 2011-03-11 09:04 . 2010-07-05 13:15 26488 c:\windows\$hf_mig$\KB2479943\update\spcustom.dll

#12 jedi

jedi

    aequam memento rebus in arduis servare mentem

  • Administrators
  • 15,830 posts

Posted 08 February 2012 - 05:24 PM

Hi again,

OK, close out Combofix manually and reboot, then run it again. This rootkit hooks into your internet connection and is hard to remove, but there are various ways to restore your connection if Combofix won't. If Combofix runs to completion this time please post the log. If you still have no connection follow the instructions here:
http://www.bleepingc...ombofix#restore
OPTION 6 - Manually restoring the internet connection. Let me know what happens.
jedi

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.

#13 mandala

mandala

    Member

  • Full Member
  • 15 posts

Posted 08 February 2012 - 11:17 PM

Hi again,

OK, close out Combofix manually and reboot, then run it again. This rootkit hooks into your internet connection and is hard to remove, but there are various ways to restore your connection if Combofix won't. If Combofix runs to completion this time please post the log. If you still have no connection follow the instructions here:
http://www.bleepingc...ombofix#restore
OPTION 6 - Manually restoring the internet connection. Let me know what happens.
jedi

ok
OK. So I let it restart the system and it automatically ran once again. This time it made it through all 50 stages and created a log, which I will attach here. Tried to attach to the internet, which it could not. Rebooted and also no luck. Tried the "repair" per the instructions you sent me to, but it would not repair and bleeps up "TCP/IP is not enabled for the connection. Cannot proceed." I checked advanced settings and TCP/IP was checked as a protocol, and made sure automatic IP address was checked. Noticed no IP address was acquired. I tried to use a manual IP address, but that did not work either. Anyway, here is the link. Still need help getting internet set up and also to hear from you on next steps re: the virus. Thanks
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1644 [GMT -6:00]
Running from: c:\documents and settings\Ajay\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\$NtUninstallKB3857$
c:\windows\$NtUninstallKB3857$\2604569647\cfg.ini
c:\windows\$NtUninstallKB3857$\3130126610
.
Infected copy of c:\windows\system32\drivers\cdrom.sys was found and disinfected
Restored copy from - The cat found it :)
.
((((((((((((((((((((((((( Files Created from 2012-01-09 to 2012-02-09 )))))))))))))))))))))))))))))))
.
.
2012-02-08 02:30 . 2008-04-13 18:40 62976 -c--a-w- c:\windows\system32\dllcache\cdrom.sys
2012-02-08 02:30 . 2008-04-13 18:40 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2012-02-07 04:59 . 2011-02-16 13:22 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2012-02-07 04:55 . 2012-02-07 04:56 -------- d-----w- C:\Combo-Fix
2012-02-06 06:03 . 2011-08-17 13:49 138496 ----a-w- C:\afd.sys.org
2012-02-06 05:55 . 2011-02-16 13:22 138496 ----a-w- C:\afd.sys.bak
2012-02-05 14:12 . 2012-02-07 17:03 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-01-15 17:41 . 2012-02-07 02:45 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG2012
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-10 21:24 . 2010-08-14 19:07 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-25 21:57 . 2004-08-04 04:56 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25 . 2004-08-03 23:17 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35 . 2004-08-04 04:56 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-16 14:21 . 2004-08-04 04:56 354816 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 14:21 . 2004-08-04 04:56 152064 ----a-w- c:\windows\system32\schannel.dll
2009-08-14 17:33 . 2009-08-14 17:33 13136 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2009-08-14 17:33 . 2009-08-14 17:33 70488 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2009-08-14 17:33 . 2009-08-14 17:33 91480 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2009-08-14 17:33 . 2009-08-14 17:33 20824 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2009-08-14 17:34 . 2009-08-14 17:34 206160 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2009-08-14 17:33 . 2009-08-14 17:33 31064 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2009-08-14 17:33 . 2009-08-14 17:33 40280 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2008-05-21 13:41 . 2008-05-21 13:41 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll
2008-05-21 13:41 . 2008-05-21 13:41 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll
2008-05-21 13:41 . 2008-05-21 13:41 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll
2009-08-14 16:50 . 2009-08-14 16:50 652640 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2009-08-14 17:33 . 2009-08-14 17:33 23896 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
2010-10-10 00:05 . 2007-06-01 01:15 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2010-10-10 00:05 . 2007-06-01 01:15 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2010-10-10 00:05 . 2007-06-01 01:15 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2010-10-10 00:05 . 2007-06-01 01:15 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2010-10-10 00:05 . 2007-06-01 01:15 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-03-21 16126464]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-04-22 13684736]
"nwiz"="nwiz.exe" [2009-04-22 1657376]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2005-07-25 1397760]
"AdobeVersionCue"="c:\program files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe" [2003-10-13 1732608]
"EPSON Stylus Photo R200 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE" [2003-07-08 99840]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-04-22 86016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-01-22 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-07-19 421736]
"FujiSynapseBridge"="c:\program files\Fuji Medical System\Synapse\Workstation\FujiSynapseBridge.exe" [2011-02-01 243072]
"Synapse URLSearchHook Configuration"="c:\progra~1\FUJIME~1\Synapse\WORKST~1\FujiFld.dll" [2011-06-15 3949952]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2011-01-12 63048]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
.
c:\documents and settings\Ajay\Start Menu\Programs\Startup\
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1996-11-16 111376]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-6-3 110592]
Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2007-6-3 1466384]
Citrix Access Gateway.lnk - c:\program files\Citrix\Secure Access Client\nsload.exe [2010-1-19 1483928]
Clean Access Agent.lnk - c:\program files\Cisco Systems\Clean Access Agent\CCAAgent.exe [2007-4-26 2048074]
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2007-2-5 118784]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2011-07-06 21:32 87424 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NavLogon]
[BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Alcmtr"=ALCMTR.EXE
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Shareaza\\Shareaza.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Java\\j2re1.4.2_06\\bin\\javaw.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Pinnacle\\VideoSpin\\Programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\VideoSpin\\Programs\\umi.exe"=
"c:\\Program Files\\Pinnacle\\VideoSpin\\Programs\\VideoSpin.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Citrix\\Secure Access Client\\nsepa.exe"=
"c:\\Program Files\\Citrix\\Secure Access Client\\nsload.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R2 cag;Citrix cag plugin for Access Gateway;c:\program files\Common Files\Deterministic Networks\Common files\cag.sys [10/22/2009 2:34 PM 80920]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [7/6/2011 3:32 PM 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [1/11/2011 6:04 PM 12856]
R2 nsverctl;Citrix Secure Access Client Service;c:\program files\Citrix\Secure Access Client\nsverctl.exe [1/19/2010 4:56 AM 154264]
R2 SynapseUpdateSvc;Synapse Update Manager;c:\program files\Fuji Medical System\Synapse\Workstation\SynapseUpdateManager.exe [6/15/2011 2:13 PM 200704]
R3 ctxva51;Citrix Virtual Adapter;c:\windows\system32\drivers\ctxva51.sys [1/19/2010 4:58 AM 41624]
S1 AEC671X;AEC671X;c:\windows\system32\drivers\AEC671X.SYS --> c:\windows\system32\drivers\AEC671X.SYS [?]
S1 DMX3191;DMX3191;c:\windows\system32\drivers\DMX3191.SYS --> c:\windows\system32\drivers\DMX3191.SYS [?]
S3 Eacfilt;Eacfilt Miniport;c:\windows\system32\DRIVERS\eacfilt.sys --> c:\windows\system32\DRIVERS\eacfilt.sys [?]
S3 ExtranetAccess;Contivity VPN Service;c:\program files\Nortel Networks\Extranet_serv.exe [7/12/2008 12:36 PM 811008]
S3 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\DRIVERS\ipsecw2k.sys --> c:\windows\system32\DRIVERS\ipsecw2k.sys [?]
S3 Net6IM;Net6;c:\windows\system32\DRIVERS\net6im51.sys --> c:\windows\system32\DRIVERS\net6im51.sys [?]
S3 PDEXLOCK;Photodex Hardware Lock Driver;c:\windows\system32\drivers\PDEXLOCK.sys [3/11/2008 6:02 PM 12288]
S3 Rsvdrspiaa;Rsvdrspiaa; [x]
S4 Wudmseacce;Wudmseacce; [x]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Xyz777b
tmtdi
se59mdfl
SRTSPL
hpzius12
w300mdfl
StickyMesger
ISAMSvc
PSDFilter
portio
oracleorahome811cman
veteboot
es1371
uscbs108
atimpab
LEX_AS_NIC_SERVICE_YNOS
tvs
vc5secs
hsf_dp
cdvp
mediaviewer
amdppm
dlaopiom
SWUMX20
gs30s
s616mdfl
coste
spupdsvc
DCamUSBMke2
lvselsus
pxfhbus
VX1000
id2scaps
tfsndres
atchksrv
soma
cnmpar21
dot4ufd
pdlnemsg
KMW_USB
idebusdr
pctavsvc
osaio
PDExchange
i81x
x10nets
cmbatt
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-06 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer =
uInternet Settings,ProxyOverride = ;*.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 206.13.30.12 8.8.8.8
DPF: {1FBD11EF-1260-11D1-87A7-444553540001} - hxxp://immcsynapse.immc.advocatehealth.com/osd/SynapseWorkstationInf.cab
DPF: {225781F3-B27C-4182-83F1-CBF79247D36B} - hxxp://portal.partners.org/vpn/PHSVPNPortal.CAB
DPF: {2FAD241F-D04F-43A4-9356-BF78AEBEFAD2} - hxxp://lmrintra.partners.org/lmr/lmr.cab
DPF: {541AEDD4-20E8-4E6F-B12B-0FDD38BB712F} - hxxp://pacsweb.mskcc.org/ami/install/amiviewer.cab
DPF: {5C885ED3-9E77-4140-B63E-134BF7B19DEC} - hxxp://pacsweb.mskcc.org/ami/install/amiviewer.cab
DPF: {61611A68-B68C-420E-8E4D-6C61E68C03C6} - hxxp://lmrintra.partners.org/lmr/cvt.cab
DPF: {66157B4F-9E4A-488C-92A4-4434A16FCBF2} - hxxp://lmrintra.partners.org/lmr/diagram.cab
DPF: {664A9390-02B0-4311-9C01-4C6D5CD48D27} - hxxp://centricity/ami/install/amiviewer.cab
DPF: {96C524F5-F7BE-42C8-B8C7-89E55CD1FEB1} - hxxp://lmrintra.partners.org/lmr/lmr2.cab
DPF: {988E583E-D78B-4BC5-8011-7F6674484D9C} - hxxp://pacsweb.mskcc.org/ami/install/amiviewer.cab
DPF: {BCDD741A-3F0F-483F-AB50-345E464F3617} - hxxp://lmrintra.partners.org/lmr/lmr2a.cab
DPF: {D40E7275-159D-419E-9AC1-46FD8884B464} - hxxp://lmrintra.partners.org/lmr/LMRWebPrint.cab
DPF: {FDFB6B21-9F60-4C74-B540-32D83C4357D1} - hxxp://lmrintra.partners.org/lmr/LMRWebIESetting.cab
FF - ProfilePath - c:\documents and settings\Ajay\Application Data\Mozilla\Firefox\Profiles\4rte8p2n.default\
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-08 20:51
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(612)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
- - - - - - - > 'explorer.exe'(1352)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\program files\Fuji Medical System\Synapse\Workstation\FujiFld.dll
c:\progra~1\FUJIME~1\Synapse\WORKST~1\FujiFldR.dll
c:\program files\Fuji Medical System\Synapse\Workstation\DBCmds.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\hnetcfg.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Ahead\InCD\InCDsrv.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Juniper Networks\Common Files\dsNcService.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Photodex\ProShowProducer\ScsiAccess.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\SearchProtocolHost.exe
c:\windows\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2012-02-08 20:56:49 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-09 02:56
ComboFix2.txt 2010-12-12 16:03
ComboFix3.txt 2010-12-10 06:02
.
Pre-Run: 3,742,736,384 bytes free
Post-Run: 3,733,893,120 bytes free
.
- - End Of File - - E3AB3146002C2D8520A96FF6F70E0F4A

#14 jedi

jedi

    aequam memento rebus in arduis servare mentem

  • Administrators
  • 15,830 posts

Posted 10 February 2012 - 05:32 AM

Hi again,

Open notepad and copy/paste the text in the quotebox below into it (do not include the word ‘Quote’)

Driver::
Xyz777b
Rsvdrspiaa
Wudmseacce


Save this as CFScript

(image: CFScript being dragged onto ComboFix.exe)

Referring to the picture above, drag CFScript into ComboFix.exe

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Next:

Do Start > Run and type in cmd and press Enter.

In the command box type

netsh winsock reset catalog and press Enter.

Next:

In the command box type

netsh int ip reset reset.log and press Enter.

Note any error messages - if there are any.

Close out the command box and try your connection again.

If you have a connection do the following:

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan
    Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

If not, please note any error messages and post them here.

jedi

#15 mandala

mandala

    Member

  • Full Member
  • 15 posts

Posted 11 February 2012 - 08:50 PM

So dragged the CFScript file onto ComboFix and it said ComboFix was now going to run in a reduced functionality mode since it was old. I said OK, and it ran. Do I need to download a newer version and rerun this? Here is the log it generated:


Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1299 [GMT -6:00]
Running from: c:\documents and settings\Ajay\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ajay\Desktop\CFScript.txt
.
- REDUCED FUNCTIONALITY MODE -
.
.
((((((((((((((((((((((((( Files Created from 2012-01-11 to 2012-02-11 )))))))))))))))))))))))))))))))
.
.
2012-02-08 02:30 . 2008-04-13 18:40 62976 -c--a-w- c:\windows\system32\dllcache\cdrom.sys
2012-02-08 02:30 . 2008-04-13 18:40 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2012-02-07 04:59 . 2011-02-16 13:22 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2012-02-07 04:55 . 2012-02-07 04:56 -------- d-----w- C:\Combo-Fix
2012-02-06 06:03 . 2011-08-17 13:49 138496 ----a-w- C:\afd.sys.org
2012-02-06 05:55 . 2011-02-16 13:22 138496 ----a-w- C:\afd.sys.bak
2012-02-05 14:12 . 2012-02-07 17:03 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-01-15 17:41 . 2012-02-07 02:45 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG2012
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-10 21:24 . 2010-08-14 19:07 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-25 21:57 . 2004-08-04 04:56 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25 . 2004-08-03 23:17 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35 . 2004-08-04 04:56 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-16 14:21 . 2004-08-04 04:56 354816 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 14:21 . 2004-08-04 04:56 152064 ----a-w- c:\windows\system32\schannel.dll
2009-08-14 17:33 . 2009-08-14 17:33 13136 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2009-08-14 17:33 . 2009-08-14 17:33 70488 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2009-08-14 17:33 . 2009-08-14 17:33 91480 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2009-08-14 17:33 . 2009-08-14 17:33 20824 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2009-08-14 17:34 . 2009-08-14 17:34 206160 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2009-08-14 17:33 . 2009-08-14 17:33 31064 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2009-08-14 17:33 . 2009-08-14 17:33 40280 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2008-05-21 13:41 . 2008-05-21 13:41 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll
2008-05-21 13:41 . 2008-05-21 13:41 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll
2008-05-21 13:41 . 2008-05-21 13:41 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll
2009-08-14 16:50 . 2009-08-14 16:50 652640 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2009-08-14 17:33 . 2009-08-14 17:33 23896 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
2010-10-10 00:05 . 2007-06-01 01:15 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2010-10-10 00:05 . 2007-06-01 01:15 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2010-10-10 00:05 . 2007-06-01 01:15 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2010-10-10 00:05 . 2007-06-01 01:15 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2010-10-10 00:05 . 2007-06-01 01:15 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-03-21 16126464]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-04-22 13684736]
"nwiz"="nwiz.exe" [2009-04-22 1657376]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2005-07-25 1397760]
"AdobeVersionCue"="c:\program files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe" [2003-10-13 1732608]
"EPSON Stylus Photo R200 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE" [2003-07-08 99840]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-04-22 86016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-01-22 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-07-19 421736]
"FujiSynapseBridge"="c:\program files\Fuji Medical System\Synapse\Workstation\FujiSynapseBridge.exe" [2011-02-01 243072]
"Synapse URLSearchHook Configuration"="c:\progra~1\FUJIME~1\Synapse\WORKST~1\FujiFld.dll" [2011-06-15 3949952]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2011-01-12 63048]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
.
c:\documents and settings\Ajay\Start Menu\Programs\Startup\
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1996-11-16 111376]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-6-3 110592]
Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2007-6-3 1466384]
Citrix Access Gateway.lnk - c:\program files\Citrix\Secure Access Client\nsload.exe [2010-1-19 1483928]
Clean Access Agent.lnk - c:\program files\Cisco Systems\Clean Access Agent\CCAAgent.exe [2007-4-26 2048074]
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2007-2-5 118784]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2011-07-06 21:32 87424 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NavLogon]
[BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Alcmtr"=ALCMTR.EXE
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Shareaza\\Shareaza.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Java\\j2re1.4.2_06\\bin\\javaw.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Pinnacle\\VideoSpin\\Programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\VideoSpin\\Programs\\umi.exe"=
"c:\\Program Files\\Pinnacle\\VideoSpin\\Programs\\VideoSpin.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Citrix\\Secure Access Client\\nsepa.exe"=
"c:\\Program Files\\Citrix\\Secure Access Client\\nsload.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R2 cag;Citrix cag plugin for Access Gateway;c:\program files\Common Files\Deterministic Networks\Common files\cag.sys [10/22/2009 2:34 PM 80920]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [7/6/2011 3:32 PM 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [1/11/2011 6:04 PM 12856]
R2 nsverctl;Citrix Secure Access Client Service;c:\program files\Citrix\Secure Access Client\nsverctl.exe [1/19/2010 4:56 AM 154264]
R2 SynapseUpdateSvc;Synapse Update Manager;c:\program files\Fuji Medical System\Synapse\Workstation\SynapseUpdateManager.exe [6/15/2011 2:13 PM 200704]
R3 ctxva51;Citrix Virtual Adapter;c:\windows\system32\drivers\ctxva51.sys [1/19/2010 4:58 AM 41624]
S1 AEC671X;AEC671X;c:\windows\system32\drivers\AEC671X.SYS --> c:\windows\system32\drivers\AEC671X.SYS [?]
S1 DMX3191;DMX3191;c:\windows\system32\drivers\DMX3191.SYS --> c:\windows\system32\drivers\DMX3191.SYS [?]
S3 Eacfilt;Eacfilt Miniport;c:\windows\system32\DRIVERS\eacfilt.sys --> c:\windows\system32\DRIVERS\eacfilt.sys [?]
S3 ExtranetAccess;Contivity VPN Service;c:\program files\Nortel Networks\Extranet_serv.exe [7/12/2008 12:36 PM 811008]
S3 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\DRIVERS\ipsecw2k.sys --> c:\windows\system32\DRIVERS\ipsecw2k.sys [?]
S3 Net6IM;Net6;c:\windows\system32\DRIVERS\net6im51.sys --> c:\windows\system32\DRIVERS\net6im51.sys [?]
S3 PDEXLOCK;Photodex Hardware Lock Driver;c:\windows\system32\drivers\PDEXLOCK.sys [3/11/2008 6:02 PM 12288]
S3 Rsvdrspiaa;Rsvdrspiaa; [x]
S4 Wudmseacce;Wudmseacce; [x]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
tmtdi
se59mdfl
SRTSPL
hpzius12
w300mdfl
StickyMesger
ISAMSvc
PSDFilter
portio
oracleorahome811cman
veteboot
es1371
uscbs108
atimpab
LEX_AS_NIC_SERVICE_YNOS
tvs
vc5secs
hsf_dp
cdvp
mediaviewer
amdppm
dlaopiom
SWUMX20
gs30s
s616mdfl
coste
spupdsvc
DCamUSBMke2
lvselsus
pxfhbus
VX1000
id2scaps
tfsndres
atchksrv
soma
cnmpar21
dot4ufd
pdlnemsg
KMW_USB
idebusdr
pctavsvc
osaio
PDExchange
i81x
x10nets
cmbatt
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-11 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer =
uInternet Settings,ProxyOverride = ;*.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 206.13.30.12 8.8.8.8
DPF: {1FBD11EF-1260-11D1-87A7-444553540001} - hxxp://immcsynapse.immc.advocatehealth.com/osd/SynapseWorkstationInf.cab
DPF: {225781F3-B27C-4182-83F1-CBF79247D36B} - hxxp://portal.partners.org/vpn/PHSVPNPortal.CAB
DPF: {2FAD241F-D04F-43A4-9356-BF78AEBEFAD2} - hxxp://lmrintra.partners.org/lmr/lmr.cab
DPF: {541AEDD4-20E8-4E6F-B12B-0FDD38BB712F} - hxxp://pacsweb.mskcc.org/ami/install/amiviewer.cab
DPF: {5C885ED3-9E77-4140-B63E-134BF7B19DEC} - hxxp://pacsweb.mskcc.org/ami/install/amiviewer.cab
DPF: {61611A68-B68C-420E-8E4D-6C61E68C03C6} - hxxp://lmrintra.partners.org/lmr/cvt.cab
DPF: {66157B4F-9E4A-488C-92A4-4434A16FCBF2} - hxxp://lmrintra.partners.org/lmr/diagram.cab
DPF: {664A9390-02B0-4311-9C01-4C6D5CD48D27} - hxxp://centricity/ami/install/amiviewer.cab
DPF: {96C524F5-F7BE-42C8-B8C7-89E55CD1FEB1} - hxxp://lmrintra.partners.org/lmr/lmr2.cab
DPF: {988E583E-D78B-4BC5-8011-7F6674484D9C} - hxxp://pacsweb.mskcc.org/ami/install/amiviewer.cab
DPF: {BCDD741A-3F0F-483F-AB50-345E464F3617} - hxxp://lmrintra.partners.org/lmr/lmr2a.cab
DPF: {D40E7275-159D-419E-9AC1-46FD8884B464} - hxxp://lmrintra.partners.org/lmr/LMRWebPrint.cab
DPF: {FDFB6B21-9F60-4C74-B540-32D83C4357D1} - hxxp://lmrintra.partners.org/lmr/LMRWebIESetting.cab
FF - ProfilePath - c:\documents and settings\Ajay\Application Data\Mozilla\Firefox\Profiles\4rte8p2n.default\
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-11 17:25
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(608)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
- - - - - - - > 'explorer.exe'(3032)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\program files\Fuji Medical System\Synapse\Workstation\FujiFld.dll
c:\progra~1\FUJIME~1\Synapse\WORKST~1\FujiFldR.dll
c:\program files\Fuji Medical System\Synapse\Workstation\DBCmds.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\hnetcfg.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2012-02-11 17:26:57
ComboFix-quarantined-files.txt 2012-02-11 23:26
ComboFix2.txt 2010-12-12 16:03
ComboFix3.txt 2010-12-10 06:02
.
Pre-Run: 3,610,476,544 bytes free
Post-Run: 3,604,910,080 bytes free
.
- - End Of File - - 687835CB74A3D67FC7BF544409A72ADF

Then I did the command box stuff, and it ran through. Still no internet, so I restarted the computer, and now have internet. Then installed ESET and ran it. It found the following viruses:

C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\afd.sys.vir a variant of Win32/Rootkit.Kryptik.IM trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\cdrom.sys.vir a variant of Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{C4DA57EA-FE29-448D-BA5C-49D8D75585DD}\RP1\A0000059.sys a variant of Win32/Rootkit.Kryptik.IM trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{C4DA57EA-FE29-448D-BA5C-49D8D75585DD}\RP1\A0001183.sys a variant of Win32/Sirefef.DA trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\afd.sys.org a variant of Win32/Rootkit.Kryptik.IM trojan cleaned by deleting - quarantined


Here is the log.txt from ESET:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=2a3be4000c13034283793149e2239988
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2012-02-12 12:42:22
# local_time=2012-02-11 06:42:22 (-0600, Central Standard Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=5889 16768382 80 100 147417588 168829168 0 148352422
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=130734
# found=5
# cleaned=5
# scan_time=2520
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\afd.sys.vir a variant of Win32/Rootkit.Kryptik.IM trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\cdrom.sys.vir a variant of Win32/Sirefef.DA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{C4DA57EA-FE29-448D-BA5C-49D8D75585DD}\RP1\A0000059.sys a variant of Win32/Rootkit.Kryptik.IM trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{C4DA57EA-FE29-448D-BA5C-49D8D75585DD}\RP1\A0001183.sys a variant of Win32/Sirefef.DA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\afd.sys.org a variant of Win32/Rootkit.Kryptik.IM trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

Now what? Thanks!

#16 mandala

mandala

    Member

  • Full Member
  • 15 posts

Posted 13 February 2012 - 10:22 PM

Hello. I can't log onto the web again despite a functional Internet connection. Based on the last logs I sent you, is the computer clean? Please advise. I really am starting to lose functionality in my home office. Thanks.

#17 jedi

jedi

    aequam memento rebus in arduis servare mentem

  • Administrators
  • 15,830 posts

Posted 17 February 2012 - 04:47 AM

Hi again,

Sorry about the delay, I was down with 'flu.

Let's run some more checks to see if the rootkit is still present.

First, download and run a fresh copy of Combofix and post the log here.

Next:

Download MBRCheck to your desktop from Here
Run the tool.
Please follow any prompts the tool gives you. When it has run it will produce a log on your desktop. Please post that log here.

Next:

Download GMER from here:
http://www.majorgeek...GMER_d5198.html

Unzip it to desktop.

Open the program and click on the Rootkit tab.
Make sure all the boxes on the right of the screen are checked, apart from ‘Show All’.
Click on Scan.
When the scan has run, click Copy and paste the results (if any) into this thread.

jedi

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.

#18 mandala

mandala

    Member

  • Full Member
  • 15 posts

Posted 17 February 2012 - 04:02 PM

I don't have an internet connection, so how can I download the tools you recommend?

#19 jedi

jedi

    aequam memento rebus in arduis servare mentem

  • Administrators
  • 15,830 posts

Posted 19 February 2012 - 10:28 AM

Have you access to another PC and a flash drive? If so, download them to the flash drive and transfer them. If not, please rerun the commands in my 10th Feb post and see if that restores the connection.

jedi

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.

#20 mandala

mandala

    Member

  • Full Member
  • 15 posts

Posted 22 February 2012 - 08:11 PM

So let me start by telling you that after you first helped establish internet connectivity, I tried to log into my work computer via Citrix, but this failed. I then removed Citrix so it could be reloaded, but after restarting the computer after this, I lost all internet connectivity.

OK. So I reran the command prompts now from your 2/10/12 post and restarted the computer, and it re-established internet connectivity. Downloaded a new ComboFix. Here is the log below. I will run GMER next and post shortly.

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1318 [GMT -6:00]
Running from: c:\documents and settings\Ajay\Desktop\ComboFix2012.exe
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((( Files Created from 2012-01-23 to 2012-02-23 )))))))))))))))))))))))))))))))
.
.
2012-02-23 00:37 . 2012-02-23 00:37 -------- d-----w- c:\windows\LastGood
2012-02-13 01:54 . 2012-02-13 01:54 -------- d-----w- c:\documents and settings\Ajay\Application Data\AVG2012
2012-02-11 23:56 . 2012-02-11 23:56 -------- d-----w- c:\program files\ESET
2012-02-08 02:30 . 2008-04-13 18:40 62976 -c--a-w- c:\windows\system32\dllcache\cdrom.sys
2012-02-08 02:30 . 2008-04-13 18:40 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2012-02-07 04:59 . 2011-02-16 13:22 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2012-02-07 04:55 . 2012-02-07 04:56 -------- d-----w- C:\Combo-Fix
2012-02-06 06:03 . 2011-08-17 13:49 138496 ----a-w- C:\afd.sys.org
2012-02-06 05:55 . 2011-02-16 13:22 138496 ----a-w- C:\afd.sys.bak
2012-02-05 14:12 . 2012-02-07 17:03 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-10 21:24 . 2010-08-14 19:07 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-25 21:57 . 2004-08-04 04:56 293376 ----a-w- c:\windows\system32\winsrv.dll
2010-10-10 00:05 . 2007-06-01 01:15 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2010-10-10 00:05 . 2007-06-01 01:15 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2010-10-10 00:05 . 2007-06-01 01:15 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2010-10-10 00:05 . 2007-06-01 01:15 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2010-10-10 00:05 . 2007-06-01 01:15 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.
.
((((((((((((((((((((((((((((( SnapShot_2012-02-08_01.55.08 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-09-13 12:30 . 2011-09-13 12:30 32592 c:\windows\system32\drivers\avgrkx86.sys
+ 2011-08-08 12:08 . 2011-08-08 12:08 40016 c:\windows\system32\drivers\avgmfx86.sys
+ 2011-10-04 12:21 . 2011-10-04 12:21 16720 c:\windows\system32\drivers\AVGIDSShim.sys
+ 2011-07-11 07:14 . 2011-07-11 07:14 24272 c:\windows\system32\drivers\AVGIDSFilter.sys
+ 2011-07-11 07:14 . 2011-07-11 07:14 23120 c:\windows\system32\drivers\AVGIDSEH.sys
+ 2011-07-11 07:14 . 2011-07-11 07:14 295248 c:\windows\system32\drivers\avgtdix.sys
+ 2011-10-07 12:23 . 2011-10-07 12:23 230608 c:\windows\system32\drivers\avgldx86.sys
+ 2011-07-11 07:14 . 2011-07-11 07:14 134608 c:\windows\system32\drivers\AVGIDSDriver.sys
+ 2012-02-13 01:54 . 2012-02-13 01:54 4698112 c:\windows\Installer\59bb430.msi
+ 2012-02-13 01:52 . 2012-02-13 01:52 2186240 c:\windows\Installer\59bb42c.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-03-21 16126464]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-04-22 13684736]
"nwiz"="nwiz.exe" [2009-04-22 1657376]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2005-07-25 1397760]
"AdobeVersionCue"="c:\program files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe" [2003-10-13 1732608]
"EPSON Stylus Photo R200 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE" [2003-07-08 99840]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-04-22 86016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-01-22 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-07-19 421736]
"FujiSynapseBridge"="c:\program files\Fuji Medical System\Synapse\Workstation\FujiSynapseBridge.exe" [2011-02-01 243072]
"Synapse URLSearchHook Configuration"="c:\progra~1\FUJIME~1\Synapse\WORKST~1\FujiFld.dll" [2011-06-15 3949952]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2011-01-12 63048]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-01-24 2416480]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
.
c:\documents and settings\Ajay\Start Menu\Programs\Startup\
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1996-11-16 111376]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-6-3 110592]
Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2007-6-3 1466384]
Clean Access Agent.lnk - c:\program files\Cisco Systems\Clean Access Agent\CCAAgent.exe [2007-4-26 2048074]
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2007-2-5 118784]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2011-07-06 21:32 87424 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NavLogon]
[BU]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Alcmtr"=ALCMTR.EXE
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Shareaza\\Shareaza.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Java\\j2re1.4.2_06\\bin\\javaw.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Pinnacle\\VideoSpin\\Programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\VideoSpin\\Programs\\umi.exe"=
"c:\\Program Files\\Pinnacle\\VideoSpin\\Programs\\VideoSpin.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [7/11/2011 1:14 AM 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [9/13/2011 6:30 AM 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [10/7/2011 6:23 AM 230608]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [7/11/2011 1:14 AM 295248]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [8/2/2011 6:09 AM 192776]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [7/6/2011 3:32 PM 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [1/11/2011 6:04 PM 12856]
R2 SynapseUpdateSvc;Synapse Update Manager;c:\program files\Fuji Medical System\Synapse\Workstation\SynapseUpdateManager.exe [6/15/2011 2:13 PM 200704]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [7/11/2011 1:14 AM 134608]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [7/11/2011 1:14 AM 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [10/4/2011 6:21 AM 16720]
S1 AEC671X;AEC671X;c:\windows\system32\drivers\AEC671X.SYS --> c:\windows\system32\drivers\AEC671X.SYS [?]
S1 DMX3191;DMX3191;c:\windows\system32\drivers\DMX3191.SYS --> c:\windows\system32\drivers\DMX3191.SYS [?]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [10/12/2011 6:25 AM 4433248]
S3 ctxva51;Citrix Virtual Adapter;c:\windows\system32\drivers\ctxva51.sys [1/19/2010 4:58 AM 41624]
S3 Eacfilt;Eacfilt Miniport;c:\windows\system32\DRIVERS\eacfilt.sys --> c:\windows\system32\DRIVERS\eacfilt.sys [?]
S3 ExtranetAccess;Contivity VPN Service;c:\program files\Nortel Networks\Extranet_serv.exe [7/12/2008 12:36 PM 811008]
S3 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\DRIVERS\ipsecw2k.sys --> c:\windows\system32\DRIVERS\ipsecw2k.sys [?]
S3 Net6IM;Net6;c:\windows\system32\DRIVERS\net6im51.sys --> c:\windows\system32\DRIVERS\net6im51.sys [?]
S3 PDEXLOCK;Photodex Hardware Lock Driver;c:\windows\system32\drivers\PDEXLOCK.sys [3/11/2008 6:02 PM 12288]
S3 Rsvdrspiaa;Rsvdrspiaa; [x]
S4 Wudmseacce;Wudmseacce; [x]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
tmtdi
se59mdfl
SRTSPL
hpzius12
w300mdfl
StickyMesger
ISAMSvc
PSDFilter
portio
oracleorahome811cman
veteboot
es1371
uscbs108
atimpab
LEX_AS_NIC_SERVICE_YNOS
tvs
vc5secs
hsf_dp
cdvp
mediaviewer
amdppm
dlaopiom
SWUMX20
gs30s
s616mdfl
coste
spupdsvc
DCamUSBMke2
lvselsus
pxfhbus
VX1000
id2scaps
tfsndres
atchksrv
soma
cnmpar21
dot4ufd
pdlnemsg
KMW_USB
idebusdr
pctavsvc
osaio
PDExchange
i81x
x10nets
cmbatt
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-22 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: advocatehealth.com
TCP: DhcpNameServer = 206.13.30.12 8.8.8.8
DPF: {1FBD11EF-1260-11D1-87A7-444553540001} - hxxp://immcsynapse.immc.advocatehealth.com/osd/SynapseWorkstationInf.cab
DPF: {225781F3-B27C-4182-83F1-CBF79247D36B} - hxxp://portal.partners.org/vpn/PHSVPNPortal.CAB
DPF: {2FAD241F-D04F-43A4-9356-BF78AEBEFAD2} - hxxp://lmrintra.partners.org/lmr/lmr.cab
DPF: {541AEDD4-20E8-4E6F-B12B-0FDD38BB712F} - hxxp://pacsweb.mskcc.org/ami/install/amiviewer.cab
DPF: {5C885ED3-9E77-4140-B63E-134BF7B19DEC} - hxxp://pacsweb.mskcc.org/ami/install/amiviewer.cab
DPF: {61611A68-B68C-420E-8E4D-6C61E68C03C6} - hxxp://lmrintra.partners.org/lmr/cvt.cab
DPF: {66157B4F-9E4A-488C-92A4-4434A16FCBF2} - hxxp://lmrintra.partners.org/lmr/diagram.cab
DPF: {664A9390-02B0-4311-9C01-4C6D5CD48D27} - hxxp://centricity/ami/install/amiviewer.cab
DPF: {96C524F5-F7BE-42C8-B8C7-89E55CD1FEB1} - hxxp://lmrintra.partners.org/lmr/lmr2.cab
DPF: {988E583E-D78B-4BC5-8011-7F6674484D9C} - hxxp://pacsweb.mskcc.org/ami/install/amiviewer.cab
DPF: {BCDD741A-3F0F-483F-AB50-345E464F3617} - hxxp://lmrintra.partners.org/lmr/lmr2a.cab
DPF: {D40E7275-159D-419E-9AC1-46FD8884B464} - hxxp://lmrintra.partners.org/lmr/LMRWebPrint.cab
DPF: {FDFB6B21-9F60-4C74-B540-32D83C4357D1} - hxxp://lmrintra.partners.org/lmr/LMRWebIESetting.cab
FF - ProfilePath - c:\documents and settings\Ajay\Application Data\Mozilla\Firefox\Profiles\4rte8p2n.default\
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-22 18:51
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\documents and settings\Ajay\Application Data\GTek\GTUpdate\AUpdate\EasyLinkAdvisor\DB\{BCA3DAC9-7985-4979-8178-1B387933EA47}.xml
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(800)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
- - - - - - - > 'explorer.exe'(5460)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\program files\Fuji Medical System\Synapse\Workstation\FujiFld.dll
c:\progra~1\FUJIME~1\Synapse\WORKST~1\FujiFldR.dll
c:\program files\Fuji Medical System\Synapse\Workstation\DBCmds.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\hnetcfg.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\LMIRfsClientNP.dll
.
Completion time: 2012-02-22 18:53:49
ComboFix-quarantined-files.txt 2012-02-23 00:53
ComboFix2.txt 2012-02-11 23:26
ComboFix3.txt 2010-12-12 16:03
ComboFix4.txt 2010-12-10 06:02
.
Pre-Run: 2,409,562,112 bytes free
Post-Run: 2,417,393,664 bytes free
.
- - End Of File - - 8D03635FDB5BEA2411FAB57B3C1CAD94

#21 mandala

mandala

    Member

  • Full Member
  • 15 posts

Posted 22 February 2012 - 10:12 PM

Ran GMER. Here are the results below. Please give me an update and let me know what is going on, how bad the infection was/is, if there is anything left, and why I lost the internet connection.
Thanks. The previous post has the updated ComboFix log.


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-02-22 21:10:07
Windows 5.1.2600 Service Pack 3 Harddisk1\DR1 -> \Device\Ide\IdeDeviceP3T0L0-10 ST3320620AS rev.3.AAK
Running: gmer.exe; Driver: C:\DOCUME~1\Ajay\LOCALS~1\Temp\pxtdrpob.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xB2994F3C]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xB2994FE4]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xB2995080]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xB299511C]

Code \??\C:\DOCUME~1\Ajay\LOCALS~1\Temp\catchme.sys pIofCallDriver

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB641E380, 0x34D4BF, 0xE8000020]
? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !
? C:\DOCUME~1\Ajay\LOCALS~1\Temp\catchme.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[1556] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00F21B19 C:\WINDOWS\system32\mssrch.dll (mssrch.lib/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3168] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154D5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3168] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AE9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3168] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD125 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3168] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB5C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3168] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25467E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3168] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E53C7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3168] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E52F9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3168] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E5364 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3168] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E51CA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3168] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E522C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3168] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E542A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3168] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E528E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3168] ole32.dll!CoCreateInstance 774FF1BC 5 Bytes JMP 3E2EDBB8 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3168] ole32.dll!OleLoadFromStream 7752983B 5 Bytes JMP 3E3E572F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3532] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154D5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3532] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AE9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3532] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD125 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3532] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB5C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3532] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25467E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3532] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E53C7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3532] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E52F9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3532] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E5364 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3532] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E51CA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3532] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E522C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3532] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E542A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3532] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E528E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3532] ole32.dll!CoCreateInstance 774FF1BC 5 Bytes JMP 3E2EDBB8 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3532] ole32.dll!OleLoadFromStream 7752983B 5 Bytes JMP 3E3E572F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5844] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154D5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5844] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB5C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5844] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E53C7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5844] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E52F9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5844] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E5364 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5844] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E51CA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5844] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E522C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5844] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E542A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5844] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E528E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Internet Explorer\iexplore.exe[3168] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[3532] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs InCDrec.SYS (InCD File System Recognizer/Nero AG)
AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat InCDrec.SYS (InCD File System Recognizer/Nero AG)
AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0x2E 0xE8 0xE1 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x71 0x3B 0x04 0x66 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0xFF 0x7C 0x85 0xE0 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x3E 0x1E 0x9E 0xE0 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xF5 0x1D 0x4D 0x73 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0xB0 0x18 0xED 0xA7 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0x31 0x77 0xE1 0xBA ...
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0x83 0x6C 0x56 0x8B ...
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0x51 0xFA 0x6E 0x91 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0x3D 0xCE 0xEA 0x26 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0x2A 0xB7 0xCC 0xB5 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0x6C 0x43 0x2D 0x1E ...

---- EOF - GMER 1.0.15 ----

#22 jedi

jedi

    aequam memento rebus in arduis servare mentem

  • Administrators
  • 15,830 posts

Posted 23 February 2012 - 06:21 AM

Hi again,

The infection was a rootkit, which hides itself in your system and downloads more malware. The reason it disabled your connection was because it inserts itself into the connection, and removing it sometimes results in breaking the connection. I can't see any sign that it is still present.
How is your PC running now?

jedi
jedi

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.
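The GMER "User code sections" lines posted above are the data a helper reads when deciding whether a hidden rootkit is still hooking the browser. Here is an added Python example (written for this page, not code from the thread or from GMER) that parses those hook lines and flags any whose JMP target is not a Microsoft module under system32, which is the pattern a rootkit hook produces; the sample lines are constructed, with the unattributed `WS2_32.dll!send` hook made up for illustration.

```python
import re
from collections import Counter

# Regex for a GMER user-mode hook line (assumption: the format is
#   .text <process>[<pid>] <module>!<export> <addr> <n> Bytes JMP <target> [<path> (<desc>)]
# as in the log above; a line with no <path> means GMER could not attribute the jump target).
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+(?P<module>[^!\s]+)!(?P<func>\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<n>\d+)\s+Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]+)"
    r"(?:\s+(?P<path>.*?)(?:\s+\((?P<desc>[^)]*)\))?)?\s*$"
)

def parse_hook_line(line):
    """Return a dict for one hook line, or None if the line is not a hook entry."""
    m = HOOK_RE.match(line.strip())
    return m.groupdict() if m else None

def triage_hooks(log_text, trusted_dirs=("c:\\windows\\system32\\",),
                 trusted_publishers=("Microsoft Corporation",)):
    """Flag hooks whose JMP target is not a module in a trusted directory with a
    trusted publisher string. The publisher comes from the file's version info as
    GMER printed it, not from a signature check, so this is triage, not proof."""
    hooks = [h for h in map(parse_hook_line, log_text.splitlines()) if h]
    flagged = []
    for h in hooks:
        if not h["path"]:
            flagged.append((h, "jump into memory with no backing module"))
            continue
        publisher = (h["desc"] or "").rsplit("/", 1)[-1].strip()
        trusted = any(h["path"].lower().startswith(d) for d in trusted_dirs)
        if not trusted or publisher not in trusted_publishers:
            flagged.append((h, f"untrusted target {h['path']} ({publisher or '?'})"))
    per_process = Counter(f"{h['proc']}[{h['pid']}]" for h in hooks)
    return hooks, flagged, per_process

# Constructed sample: two IEFRAME.dll hooks in the format of the log above plus a
# made-up jump that GMER could not attribute to any module (the entry worth examining).
SAMPLE = """\
---- User code sections - GMER 1.0.15 ----
.text C:\\Program Files\\Internet Explorer\\iexplore.exe[3532] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB5C C:\\WINDOWS\\system32\\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\\Program Files\\Internet Explorer\\iexplore.exe[3532] ole32.dll!CoCreateInstance 774FF1BC 5 Bytes JMP 3E2EDBB8 C:\\WINDOWS\\system32\\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\\Program Files\\Internet Explorer\\iexplore.exe[5844] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00A1D3F0
"""

if __name__ == "__main__":
    hooks, flagged, per_process = triage_hooks(SAMPLE)
    print(f"{len(hooks)} hooks parsed across {len(per_process)} process(es)")
    for h, reason in flagged:
        print(f"FLAG {h['proc']}[{h['pid']}] {h['module']}!{h['func']}: {reason}")
```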

#23 mandala

mandala

    Member

  • Full Member
  • 15 posts

Posted 23 February 2012 - 11:05 PM

Hi again,

The infection was a rootkit, which hides itself in your system and downloads more malware. The reason it disabled your connection was because it inserts itself into the connection, and removing it sometimes results in breaking the connection. I can't see any sign that it is still present.
How is your PC running now?

jedi


I haven't really been using it for anything until you gave me the green light, so I will start again now.
In these logs, were there any problems? I just don't understand why I lost my internet connection again after cleaning everything, and I am worried it may happen again.

#24 jedi

jedi

    aequam memento rebus in arduis servare mentem

  • Administrators
  • 15,830 posts

Posted 24 February 2012 - 05:56 AM

Hi again,

I just don't understand why I lost my internet connection again after cleaning everything


That was slightly baffling, could be it was a result of uninstalling/reinstalling Citrix. Put the PC through its paces and see if it behaves normally now. There are no obvious signs of the infection still being active, but it was quite a severe one; the acid test of whether it is gone completely will be how the PC runs. Let me know, and describe anything unusual that occurs.

jedi
jedi

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.

#25 jedi

jedi

    aequam memento rebus in arduis servare mentem

  • Administrators
  • 15,830 posts

Posted 18 March 2012 - 07:55 AM

Since the issue appears to be resolved this Topic is closed.

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
jedi

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.
