Go Back   Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads

[SOLVED] Need help to remove ad/yieldmanager popus.

This is a discussion on [SOLVED] Need help to remove ad/yieldmanager popus. within the Resolved HJT Threads forums, part of the Tech Support Forum category. Hello, My PC seems to be infected with the ad/yieldmanager popups, since they keep popping up whenever I click on


 
 
Thread Tools Search this Thread
Old 05-02-2013, 08:25 AM   #1
Registered Member
 
Join Date: Apr 2013
Posts: 40
OS: Win XP



Hello,
My PC seems to be infected with the ad/yieldmanager popups, since they keep popping up whenever I click on any links. Note that this is happening only in Mozilla Firefox, and not in IE v8 and hence, I have promptly removed / uninstalled Firefox completely.

However, before i uninstalled firefox, I had already done following -

1) Found an older post
ad/yieldmanager.com - Tech Support Forum and downloaded Ad-Aware AV and Spybot S&D.
Ran Ad-aware in Full Scan mode and removed 40 cookies, and 2 virus files quarantined in my earlier AV (Quickheal) folder.

Ran Spybot S&D in following order -
> Ran updates first.
> Ran Immunize
> Ran System Repair.

Also remove / uninstalled unwanted softwares from the PC.

Next I found the First steps newer post and followed the instructions there.

Downloaded and ran dds.scr and gmer.exe as required and saved the logs.

Following is the output of the dds.txt as required.

Any help to remove the virus would be much appreciated.

Regards,
Parin

---------------

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.17.2
Run by Master User at 18:26:59 on 2013-05-01
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1196 [GMT 5.5:30]
.
AV: Lavasoft Ad-Aware *Disabled/Updated* {964FCE60-0B18-4D30-ADD6-EB178909041C}
FW: Lavasoft Ad-Aware *Disabled*
.
============== Running Processes ================
.
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Ad-Aware Antivirus\AdAwareService.exe
C:\WINDOWS\system32\clipsrv.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\Ad-Aware Antivirus\SBAMSvc.exe
C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\OEM02Mon.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\program files\real\realplayer\update\realsched.exe
C:\Program Files\Citrix\ICA Client\concentr.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Documents and Settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe
C:\Documents and Settings\All Users\Application Data\Search Protection\SearchProtection.exe
C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe
C:\Program Files\Citrix\ICA Client\wfcrun32.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AD-AWA~1\AdAware.exe
C:\Program Files\Samsung\Kies\KiesTrayAgent.exe
C:\Program Files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe
C:\Program Files\Samsung\Kies\Kies.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://websearch.greatresults.info/
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6080107
mStart Page = hxxp://websearch.greatresults.info/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*Yahoo! SearchBar Home Page
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6080107
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
uURLSearchHooks: Ad-Aware Security Add-on: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - c:\program files\adawaretb\adawareDx.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy 2\SDHelper.dll
BHO: Ad-Aware Security Add-on: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - c:\program files\adawaretb\adawareDx.dll
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: Ad-Aware Security Add-on: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - c:\program files\adawaretb\adawareDx.dll
uRun: [DellAutomatedPCTuneUp] "c:\program files\dellautomatedpctuneup\PTAgnt.exe" /startup
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [OM2_Monitor] "c:\program files\olympus\olympus master 2\MMonitor.exe" -NoStart
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\master user\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [KiesTrayAgent] c:\program files\samsung\kies\KiesTrayAgent.exe
uRun: [KiesPDLR] c:\program files\samsung\kies\external\firmwareupdate\KiesPDLR.exe
uRun: [KiesPreload] c:\program files\samsung\kies\Kies.exe /preload
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
mRun: [OEM02Mon.exe] c:\windows\OEM02Mon.exe
mRun: [DELL Webcam Manager] "c:\program files\dell\dell webcam manager\DellWMgr.exe" /s
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [KADxMain] c:\windows\system32\KADxMain.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [InCD] c:\program files\ahead\incd\InCD.exe
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [OM2_Monitor] "c:\program files\olympus\olympus master 2\FirstStart.exe" /OM
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Ad-Aware Browsing Protection] "c:\documents and settings\all users\application data\ad-aware browsing protection\adawarebp.exe"
mRun: [SearchProtection] c:\documents and settings\all users\application data\search protection\_run.bat
mRun: [Ad-Aware Antivirus] "c:\program files\ad-aware antivirus\AdAwareLauncher" --windows-run
mRun: [SDTray] "c:\program files\spybot - search & destroy 2\SDTray.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dellne~1.lnk - c:\windows\installer\{0240bdfb-2995-4a3f-8c96-18d41282b716}\Icon0240BDFB3.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-System: EnableLUA = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy 2\SDHelper.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: mswsock.dll
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0017-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_05-windows-i586.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
TCP: NameServer = 192.168.0.1
TCP: Interfaces\{AB02087C-4FE0-4820-AC40-413F58768C26} : DHCPNameServer = 192.168.0.1
Notify: SDWinLogon - SDWinLogon.dll
AppInit_DLLs= c:\progra~1\google\google~4\goec62~1.dll c:\progra~1\simple~1\sprote~1.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\master user\application data\mozilla\firefox\profiles\1gfhslal.default-1356232362265\
FF - prefs.js: browser.search.selectedEngine - SecureSearch
FF - prefs.js: keyword.URL - hxxp://lavasoft.blekko.com/ws/?source=f439e2c0&tbp=url&toolbarid=adawaretb&u=29AAA63654149AFF50FBB4517FE91DC4&q=
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\documents and settings\master user\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\master user\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\master user\application data\mozilla\plugins\npo1d.dll
FF - plugin: c:\documents and settings\master user\local settings\application data\google\update\1.3.21.135\npGoogleUpdate3.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google updater\2.4.2432.1652\npCIDetect14.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
FF - plugin: c:\program files\windows media player\npatgpc.dll
FF - plugin: c:\windows\system32\adobe\director\np32dsw_1200112.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_7_700_169.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
FF - ExtSQL: 2013-04-30 21:24; {87934c42-161d-45bc-8cef-ef18abe2a30c}; c:\documents and settings\master user\application data\mozilla\firefox\profiles\1gfhslal.default-1356232362265\extensions\{87934c42-161d-45bc-8cef-ef18abe2a30c}
FF - ExtSQL: 2013-04-30 21:24; jid1-yZwVFzbsyfMrqQ@jetpack; c:\documents and settings\master user\application data\mozilla\firefox\profiles\1gfhslal.default-1356232362265\extensions\jid1-yZwVFzbsyfMrqQ@jetpack
FF - ExtSQL: !HIDDEN! 2013-02-23 07:31; speedanalysis@SpeedAnalysis.com; c:\documents and settings\master user\application data\mozilla\extensions\speedanalysis@SpeedAnalysis.com
.
---- FIREFOX POLICIES ----
FF - user.js: extensions.BabylonToolbar.tlbrSrchUrl - hxxp://search.babylon.com/?babsrc=TB_def&mntrId=e4f6320d000000000000001dd97119d9&q=
FF - user.js: extensions.BabylonToolbar.id - e4f6320d000000000000001dd97119d9
FF - user.js: extensions.BabylonToolbar.appId - {BDB69379-802F-4eaf-B541-F8DE92DD98DB}
FF - user.js: extensions.BabylonToolbar.instlDay - 15759
FF - user.js: extensions.BabylonToolbar.vrsn - 1.8.11.10
FF - user.js: extensions.BabylonToolbar.vrsni - 1.8.11.10
FF - user.js: extensions.BabylonToolbar.vrsnTs - 1.8.11.107:33:21
FF - user.js: extensions.BabylonToolbar.prtnrId - babylon
FF - user.js: extensions.BabylonToolbar.prdct - BabylonToolbar
FF - user.js: extensions.BabylonToolbar.aflt - babsst
FF - user.js: extensions.BabylonToolbar.smplGrp - none
FF - user.js: extensions.BabylonToolbar.tlbrId - uninst
FF - user.js: extensions.BabylonToolbar.instlRef - sst
FF - user.js: extensions.BabylonToolbar.dfltLng - en
FF - user.js: extensions.BabylonToolbar.excTlbr - false
FF - user.js: extensions.BabylonToolbar.ffxUnstlRst - true
FF - user.js: extensions.BabylonToolbar.admin - false
FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=121183
FF - user.js: extensions.BabylonToolbar_i.babExt -
FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
FF - user.js: extensions.BabylonToolbar.autoRvrt - false
FF - user.js: extensions.BabylonToolbar.rvrt - false
FF - user.js: extensions.BabylonToolbar.newTab - false
.
============= SERVICES / DRIVERS ===============
.
R0 gfibto;gfibto;c:\windows\system32\drivers\gfibto.sys [2013-4-30 13560]
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2009-11-30 65584]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2013-4-30 22064]
R2 Ad-Aware Service;Ad-Aware Service;c:\program files\ad-aware antivirus\AdAwareService.exe [2013-3-18 1236336]
R2 SBAMSvc;Ad-Aware;c:\program files\ad-aware antivirus\SBAMSvc.exe [2012-9-20 3677000]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2013-4-30 66344]
R2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\spybot - search & destroy 2\SDFSSvc.exe [2013-5-1 1103392]
R2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\spybot - search & destroy 2\SDUpdSvc.exe [2013-5-1 1369624]
R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);c:\windows\system32\drivers\RMSPPPOE.SYS [2009-1-23 31232]
S1 SBRE;SBRE;c:\windows\system32\drivers\sbredrv.sys --> c:\windows\system32\drivers\SBREDrv.sys [?]
S2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files\spybot - search & destroy 2\SDWSCSvc.exe [2013-5-1 168384]
S3 androidusb;SAMSUNG Android Composite ADB Interface Driver;c:\windows\system32\drivers\ssadadb.sys [2011-11-14 30312]
S3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\drivers\ssudbus.sys [2012-9-23 83168]
S3 gfiark;gfiark;c:\windows\system32\drivers\gfiark.sys [2013-5-1 35896]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2010-2-21 30192]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys --> c:\windows\system32\drivers\nmwcdnsu.sys [?]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys --> c:\windows\system32\drivers\nmwcdnsuc.sys [?]
S3 NPF;Netgroup Packet Filter;c:\windows\system32\drivers\npf.sys [2004-12-10 30336]
S3 RTL8192su;%RTL8192su.DeviceDesc.DispName%;c:\windows\system32\drivers\RTL8192su.sys [2010-1-6 594048]
S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\drivers\ssadbus.sys [2011-11-14 121064]
S3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\drivers\ssadmdfl.sys [2011-11-14 12776]
S3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\drivers\ssadmdm.sys [2011-11-14 136808]
S3 ssadserd;SAMSUNG Android USB Diagnostic Serial Port (WDM);c:\windows\system32\drivers\ssadserd.sys [2011-11-14 114280]
S3 ssudmdm;SAMSUNG Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\drivers\ssudmdm.sys [2012-9-23 181344]
.
=============== Created Last 30 ================
.
2013-05-01 12:44:41 -------- d-----w- c:\documents and settings\all users\application data\SoftSafe
2013-05-01 12:44:40 -------- d-----w- c:\program files\SimpleSpeedy
2013-05-01 12:43:39 -------- d-----w- c:\documents and settings\all users\application data\InstallMate
2013-05-01 12:43:08 -------- d-----w- C:\HJT
2013-05-01 03:09:48 35896 ----a-w- c:\windows\system32\drivers\gfiark.sys
2013-05-01 03:05:27 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy
2013-05-01 03:05:11 15224 ----a-w- c:\windows\system32\sdnclean.exe
2013-05-01 03:05:02 -------- d-----w- c:\program files\Spybot - Search & Destroy 2
2013-04-30 16:15:28 -------- d-----w- c:\documents and settings\master user\application data\LavasoftStatistics
2013-04-30 16:15:27 -------- d-----w- c:\documents and settings\all users\application data\Ad-Aware Antivirus
2013-04-30 15:55:30 66344 ----a-w- c:\windows\system32\drivers\sbapifs.sys
2013-04-30 15:55:29 22064 ----a-w- c:\windows\system32\drivers\sbaphd.sys
2013-04-30 15:55:18 -------- d-----w- c:\windows\system32\drivers\VDD
2013-04-30 15:55:18 -------- d-----w- c:\program files\Ad-Aware Antivirus
2013-04-30 15:54:46 -------- d-----w- c:\documents and settings\all users\application data\Downloaded Installations
2013-04-30 15:54:42 -------- d-----w- c:\documents and settings\all users\application data\Search Protection
2013-04-30 15:54:40 -------- d-----w- c:\documents and settings\master user\local settings\application data\adawarebp
2013-04-30 15:54:40 -------- d-----w- c:\documents and settings\all users\application data\blekko toolbars
2013-04-30 15:54:37 -------- d-----w- c:\documents and settings\all users\application data\Ad-Aware Browsing Protection
2013-04-30 15:54:29 -------- d-----w- c:\program files\Toolbar Cleaner
2013-04-30 15:54:20 -------- d-----w- c:\documents and settings\master user\application data\SecureSearch
2013-04-30 15:54:06 -------- d-----w- c:\documents and settings\master user\application data\adawaretb
2013-04-30 15:54:03 -------- d-----w- c:\program files\adawaretb
2013-04-30 15:37:36 13560 ----a-w- c:\windows\system32\drivers\gfibto.sys
2013-04-30 15:37:34 -------- d-----w- c:\documents and settings\master user\application data\Ad-Aware Antivirus
2013-04-24 15:21:42 -------- d-----w- c:\documents and settings\all users\Uniblue
2013-04-24 15:02:40 178688 ----a-w- c:\windows\system32\unrar.dll
2013-04-24 15:02:21 -------- d-----w- c:\program files\K-Lite Codec Pack
2013-04-21 03:07:53 26520 ----a-w- c:\program files\mozilla firefox\plugin-hang-ui.exe
.
==================== Find3M ====================
.
2013-04-25 15:12:00 59 ----a-w- c:\windows\wpd99.drv
2013-04-21 03:17:06 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-04-21 03:17:06 691592 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-03-11 13:41:56 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-03-11 13:41:50 143872 ----a-w- c:\windows\system32\javacpl.cpl
2013-03-11 13:41:49 861088 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-03-11 13:41:49 782240 ----a-w- c:\windows\system32\deployJava1.dll
.
============= FINISH: 18:27:52.47 ===============

__________________
pgangar is offline  
Old 05-03-2013, 01:15 AM   #2
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
amateur's Avatar
 
Join Date: Jun 2006
Location: here & there and everywhere
Posts: 14,765
OS: XP Win7 Ubuntu 10.10



Hello and welcome to TSF.

Unfortunately the system has more than the adyieldmanager popups. It is infected with what's commonly known as ZeroAccess Rootkit, which can sometimes be very difficult to remove.

This type of infection allows hackers to remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Do not change passwords or do any transactions from the infected computer until it has been cleaned.

Please read this: How Do I Handle Possible Identity Theft, Internet Fraud, and CC Fraud?

Please have your important data backed up before proceeding.

Emergency Backup Procedure - Tech Support Forum

For this infection, formatting and reinstalling may be the only way to to ensure that the system is 100% clean.

If you would like to continue with the cleaning, please continue with the following instructions.

============================

Please note that more than one round may be needed to properly eradicate malware. In co-operation with the cleaning process, please:
  • do not uninstall/install any programs unless asked to do so, to make it easier on us as it is more difficult when files/programs are appearing in/disappearing from the logs;
  • do not run any tools or scans other than those requested;
  • follow all instructions in the order they are presented;
  • if you have problems with or do not understand the instructions, ask before continuing;
  • stay with this thread until given the All Clear, as absence of symptoms does not always mean the machine is clean;
  • do not attach any logs/reports, etc.. unless specifically requested to do so.
  • All logs/reports, etc.. must be posted in Notepad making sure the word wrap is unchecked. (In notepad click format, uncheck word wrap if it is checked.)
Also note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

================

Please download ComboFix from one of these locations:

Link 1
Link 2
* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you need further help, see How to disable your security applications
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.

# Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: Please make sure that your AntiVirus and AntiSpyware applications are re-enabled. A reboot should have done that

__________________

amateur is offline  
Old 05-03-2013, 06:40 AM   #3
Registered Member
 
Join Date: Apr 2013
Posts: 40
OS: Win XP



Thanks a lot for the detailed analysis and steps and note that I would like to proceed with further cleaning etc. and will be doing the steps mentioned above shortly after I get some DVDs to safely backup my stuff (in a day). Also note that I seem to have misplaced the original Windows Boot CD and the drivers CD that came with this laptop. This is just for your information, I am aware that should anything go wrong severely and I have to get a formal boot and clean wipe, I will have to take this to a technician and purchase new Windows software.

Will be back with the combofix log in a day.

Regards,
Parin
__________________
pgangar is offline  
Old 05-03-2013, 07:09 AM   #4
Registered Member
 
Join Date: Apr 2013
Posts: 40
OS: Win XP



Also, regarding the backup of data...I have two partitions on my HDD - C: and D:
All the programs, OS, etc. are stored in C:, however my personal data is stored on D:. Would you recommend backing up data in D: as well ?
__________________
pgangar is offline  
Old 05-03-2013, 09:10 PM   #5
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
amateur's Avatar
 
Join Date: Jun 2006
Location: here & there and everywhere
Posts: 14,765
OS: XP Win7 Ubuntu 10.10



Yes, please backup your data in D drive too.
__________________

amateur is offline  
Old 05-05-2013, 10:06 AM   #6
Registered Member
 
Join Date: Apr 2013
Posts: 40
OS: Win XP



Hi,
I have run the Combofix.exe and have pasted the log as directed below. Note that while the log was being prepared, I had to disable / close the AV program and other startup programs as the last message on the COmbofix console was to not start any apps.

Also note that I tried two to three times to paste the log contents here, but the forum would not take the post at all, and I would get directed to a blank screen. Hence I am attaching the log file here.

Regards,
Parin



ComboFix 13-05-04.01 - Master User 05/05/2013 18:49:27.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1554 [GMT 5.5:30]
Running from: c:\documents and settings\Master User\Desktop\ComboFix.exe
AV: Lavasoft Ad-Aware *Disabled/Updated* {964FCE60-0B18-4D30-ADD6-EB178909041C}
FW: Lavasoft Ad-Aware *Disabled* {FF1CD5B7-1553-4625-A258-1775385CED33}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\AMMYY
c:\documents and settings\All Users\Application Data\AMMYY\hr
c:\documents and settings\All Users\Application Data\AMMYY\hr3
c:\documents and settings\All Users\Application Data\AMMYY\settings3.bin
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Application Data\TEMP\DFC5A2B2.TMP
c:\documents and settings\Master User\Desktop\Internet Explorer.lnk
c:\documents and settings\Master User\GoToAssistDownloadHelper.exe
c:\documents and settings\Master User\Local Settings\Application Data\assembly\tmp
c:\documents and settings\Master User\Local Settings\Application Data\assembly\tmp\V6FOX6FO\__AssemblyInfo__.ini
c:\documents and settings\Master User\Local Settings\Application Data\assembly\tmp\V6FOX6FO\olk_2007_3_5.DLL
c:\documents and settings\Master User\WINDOWS
c:\windows\$NtUninstallKB45788$
c:\windows\$NtUninstallKB45788$\2644974038
c:\windows\$NtUninstallKB45788$\327590234\@
c:\windows\$NtUninstallKB45788$\327590234\Desktop.ini
c:\windows\$NtUninstallKB45788$\327590234\L\00000004.@
c:\windows\$NtUninstallKB45788$\327590234\L\201d3dde
c:\windows\$NtUninstallKB45788$\327590234\L\odetmngk
c:\windows\$NtUninstallKB45788$\327590234\U\00000004.@
c:\windows\$NtUninstallKB45788$\327590234\U\00000008.@
c:\windows\$NtUninstallKB45788$\327590234\U\000000cb.@
c:\windows\$NtUninstallKB45788$\327590234\U\80000000.@
c:\windows\$NtUninstallKB45788$\327590234\U\80000032.@
c:\windows\Installer\{0240BDFB-2995-4A3F-8C96-18D41282B716}\Icon0240BDFB3.exe
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\System32\MASetupCleaner.exe
c:\windows\system32\System32\muzapp.exe
c:\windows\system32\UNWISE.EXE
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\fusion.dll
c:\windows\system32\URTTemp\mscoree.dll
c:\windows\system32\URTTemp\mscoree.dll.local
c:\windows\system32\URTTemp\mscorsn.dll
c:\windows\system32\URTTemp\mscorwks.dll
c:\windows\system32\URTTemp\msvcr71.dll
c:\windows\system32\URTTemp\regtlib.exe
c:\windows\system32\wpcap.dll
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_NPF
-------\Service_NPF
.
.
((((((((((((((((((((((((( Files Created from 2013-04-05 to 2013-05-05 )))))))))))))))))))))))))))))))
.
.
2013-05-05 16:13 . 2013-05-05 16:13 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2013-05-01 12:44 . 2013-05-01 12:44 -------- d-----w- c:\documents and settings\All Users\Application Data\SoftSafe
2013-05-01 12:44 . 2013-05-01 12:47 -------- d-----w- c:\program files\SimpleSpeedy
2013-05-01 12:43 . 2013-05-01 12:47 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallMate
2013-05-01 03:09 . 2013-02-11 06:58 35896 ----a-w- c:\windows\system32\drivers\gfiark.sys
2013-05-01 03:05 . 2013-05-01 12:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2013-05-01 03:05 . 2009-01-25 06:44 15224 ----a-w- c:\windows\system32\sdnclean.exe
2013-05-01 03:05 . 2013-05-01 03:05 -------- d-----w- c:\program files\Spybot - Search & Destroy 2
2013-04-30 16:15 . 2013-04-30 16:15 -------- d-----w- c:\documents and settings\Master User\Application Data\LavasoftStatistics
2013-04-30 16:15 . 2013-05-01 02:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Ad-Aware Antivirus
2013-04-30 15:55 . 2012-09-12 14:49 66344 ----a-w- c:\windows\system32\drivers\sbapifs.sys
2013-04-30 15:55 . 2012-09-12 14:49 22064 ----a-w- c:\windows\system32\drivers\sbaphd.sys
2013-04-30 15:55 . 2013-04-30 15:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2013-04-30 15:55 . 2013-05-01 03:10 -------- d-----w- c:\program files\Ad-Aware Antivirus
2013-04-30 15:55 . 2013-04-30 15:55 -------- d-----w- c:\windows\system32\drivers\VDD
2013-04-30 15:54 . 2013-04-30 15:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Downloaded Installations
2013-04-30 15:54 . 2013-04-30 15:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Search Protection
2013-04-30 15:54 . 2013-04-30 15:54 -------- d-----w- c:\documents and settings\Master User\Local Settings\Application Data\adawarebp
2013-04-30 15:54 . 2013-04-30 15:54 -------- d-----w- c:\documents and settings\All Users\Application Data\blekko toolbars
2013-04-30 15:54 . 2013-05-04 02:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Ad-Aware Browsing Protection
2013-04-30 15:54 . 2013-04-30 15:54 -------- d-----w- c:\program files\Toolbar Cleaner
2013-04-30 15:54 . 2013-05-01 13:08 -------- d-----w- c:\documents and settings\Master User\Application Data\SecureSearch
2013-04-30 15:54 . 2013-05-01 14:48 -------- d-----w- c:\documents and settings\Master User\Application Data\adawaretb
2013-04-30 15:54 . 2013-04-30 15:54 -------- d-----w- c:\program files\adawaretb
2013-04-30 15:37 . 2013-04-30 15:37 13560 ----a-w- c:\windows\system32\drivers\gfibto.sys
2013-04-30 15:37 . 2013-05-05 12:47 -------- d-----w- c:\documents and settings\Master User\Application Data\Ad-Aware Antivirus
2013-04-24 15:21 . 2013-04-24 15:21 -------- d-----w- c:\documents and settings\All Users\Uniblue
2013-04-24 15:02 . 2012-06-09 17:21 178688 ----a-w- c:\windows\system32\unrar.dll
2013-04-24 15:02 . 2013-04-24 15:02 -------- d-----w- c:\program files\K-Lite Codec Pack
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-04-21 03:17 . 2012-08-15 14:44 691592 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-04-21 03:17 . 2011-06-26 12:41 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-03-11 13:41 . 2013-03-11 13:42 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-03-11 13:41 . 2013-03-11 13:42 143872 ----a-w- c:\windows\system32\javacpl.cpl
2013-03-11 13:41 . 2012-07-12 00:02 861088 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-03-11 13:41 . 2010-05-14 16:08 782240 ----a-w- c:\windows\system32\deployJava1.dll
2009-12-01 08:26 . 2009-12-01 08:26 124240 ----a-w- c:\program files\mozilla firefox\plugins\CCMSDK.dll
2009-12-01 08:31 . 2009-12-01 08:31 13136 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2009-12-01 08:29 . 2009-12-01 08:29 70488 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2009-12-01 08:30 . 2009-12-01 08:30 91480 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2009-12-01 08:30 . 2009-12-01 08:30 22360 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2009-12-01 08:27 . 2009-12-01 08:27 255312 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2009-12-01 08:30 . 2009-12-01 08:30 31064 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2009-12-01 08:31 . 2009-12-01 08:31 40280 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2009-11-30 10:00 . 2009-11-30 10:00 652640 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2009-12-01 08:29 . 2009-12-01 08:29 23896 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
2010-08-12 15:59 . 2012-10-28 11:33 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
.
.
.
[7] 2008-04-13 . 463C1EC80CD17420A542B7F36A36F128 . 24576 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\kbdclass.sys
[7] 2008-04-13 . 463C1EC80CD17420A542B7F36A36F128 . 24576 . . [5.1.2600.5512] . . c:\windows\system32\drivers\kbdclass.sys
.
[7] 2008-04-13 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ndis.sys
[7] 2008-04-13 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . c:\windows\system32\drivers\ndis.sys
.
[7] 2008-04-13 . 78A08DD6A8D65E697C18E1DB01C5CDCA . 574976 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ntfs.sys
[7] 2008-04-13 . 78A08DD6A8D65E697C18E1DB01C5CDCA . 574976 . . [5.1.2600.5512] . . c:\windows\system32\drivers\ntfs.sys
[-] 2007-02-09 . 05AB81909514BFD69CBB1F2C147CF6B9 . 574976 . . [5.1.2600.3081] . . c:\windows\$hf_mig$\KB930916\SP2QFE\ntfs.sys
.
[7] 2004-08-04 . 73C1E1F395918BC2C6DD67AF7591A3AD . 2944 . . [5.1.2600.0] . . c:\windows\system32\drivers\null.sys
.
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB2509553\SP3QFE\tcpip.sys
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tcpip.sys
[-] 2007-10-30 . 64798ECFA43D78C7178375FCDD16D8C8 . 360832 . . [5.1.2600.3244] . . c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
.
[7] 2012-07-06 . CFD4E51402DA9838B5A04AE680AF54A0 . 78336 . . [5.1.2600.6260] . . c:\windows\system32\browser.dll
[7] 2012-07-06 . CFD4E51402DA9838B5A04AE680AF54A0 . 78336 . . [5.1.2600.6260] . . c:\windows\system32\dllcache\browser.dll
[7] 2012-07-06 . FC6D1D80588D371F0321E15A75B2F8F2 . 78336 . . [5.1.2600.6260] . . c:\windows\$hf_mig$\KB2705219\SP3QFE\browser.dll
[7] 2008-04-14 . A06CE3399D16DB864F55FAEB1F1927A9 . 77824 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB2705219$\browser.dll
[7] 2008-04-14 . A06CE3399D16DB864F55FAEB1F1927A9 . 77824 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\browser.dll
.
[7] 2008-04-14 . BF2466B3E18E970D8A976FB95FC1CA85 . 13312 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\lsass.exe
[7] 2008-04-14 . BF2466B3E18E970D8A976FB95FC1CA85 . 13312 . . [5.1.2600.5512] . . c:\windows\system32\lsass.exe
.
[7] 2008-04-14 . 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE . 198144 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\netman.dll
[7] 2008-04-14 . 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE . 198144 . . [5.1.2600.5512] . . c:\windows\system32\netman.dll
[-] 2005-08-22 . 3516D8A18B36784B1005B950B84232E1 . 197632 . . [5.1.2600.2743] . . c:\windows\$hf_mig$\KB905414\SP2QFE\netman.dll
.
[7] 2008-04-14 00:11 . 1280A158C722FA95A80FB7AEBE78FA7D . 792064 . . [2001.12.4414.700] . . c:\windows\ServicePackFiles\i386\comres.dll
[7] 2008-04-14 00:11 . 1280A158C722FA95A80FB7AEBE78FA7D . 792064 . . [2001.12.4414.700] . . c:\windows\system32\comres.dll
.
[7] 2008-04-14 . 574738F61FCA2935F5265DC4E5691314 . 409088 . . [6.7.2600.5512] . . c:\windows\ServicePackFiles\i386\qmgr.dll
[7] 2008-04-14 . 574738F61FCA2935F5265DC4E5691314 . 409088 . . [6.7.2600.5512] . . c:\windows\system32\qmgr.dll
[7] 2008-04-14 . 574738F61FCA2935F5265DC4E5691314 . 409088 . . [6.7.2600.5512] . . c:\windows\system32\bits\qmgr.dll
.
[7] 2009-02-09 . 6B27A5C03DFB94B4245739065431322C . 401408 . . [5.1.2600.5755] . . c:\windows\system32\rpcss.dll
[7] 2009-02-09 . 6B27A5C03DFB94B4245739065431322C . 401408 . . [5.1.2600.5755] . . c:\windows\system32\dllcache\rpcss.dll
[7] 2009-02-09 . 9222562D44021B988B9F9F62207FB6F2 . 401408 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3QFE\rpcss.dll
[7] 2008-04-14 . 2589FE6015A316C0F5D5112B4DA7B509 . 399360 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\rpcss.dll
[-] 2005-07-26 . C369DF215D352B6F3A0B8C3469AA34F8 . 398336 . . [5.1.2600.2726] . . c:\windows\$hf_mig$\KB902400\SP2QFE\rpcss.dll
[-] 2005-04-28 . DA383FB39A6F1C445F3AFC94B3EB1248 . 396288 . . [5.1.2600.2665] . . c:\windows\$hf_mig$\KB894391\SP2QFE\rpcss.dll
.
[7] 2009-02-06 . 65DF52F5B8B6E9BBD183505225C37315 . 110592 . . [5.1.2600.5755] . . c:\windows\system32\services.exe
[7] 2009-02-06 . 65DF52F5B8B6E9BBD183505225C37315 . 110592 . . [5.1.2600.5755] . . c:\windows\system32\dllcache\services.exe
[7] 2009-02-06 . 020CEAAEDC8EB655B6506B8C70D53BB6 . 110592 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3QFE\services.exe
[7] 2008-04-14 . 0E776ED5F7CC9F94299E70461B7B8185 . 108544 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\services.exe
.
[7] 2010-08-17 . 258DD5D4283FD9F9A7166BE9AE45CE73 . 58880 . . [5.1.2600.6024] . . c:\windows\$hf_mig$\KB2347290\SP3QFE\spoolsv.exe
[7] 2010-08-17 . 60784F891563FB1B767F70117FC2428F . 58880 . . [5.1.2600.6024] . . c:\windows\system32\spoolsv.exe
[7] 2010-08-17 . 60784F891563FB1B767F70117FC2428F . 58880 . . [5.1.2600.6024] . . c:\windows\system32\dllcache\spoolsv.exe
[7] 2008-04-14 . D8E14A61ACC1D4A6CD0D38AEBAC7FA3B . 57856 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB2347290$\spoolsv.exe
[7] 2008-04-14 . D8E14A61ACC1D4A6CD0D38AEBAC7FA3B . 57856 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\spoolsv.exe
[-] 2005-06-11 . AD3D9D191AEA7B5445FE1D82FFBB4788 . 57856 . . [5.1.2600.2696] . . c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
.
[7] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\winlogon.exe
[7] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
.
[7] 2012-06-02 . 2E0B0A051FFAA86E358465BB0880D453 . 53784 . . [7.6.7600.256] . . c:\windows\system32\wuauclt.exe
[7] 2012-06-02 . 2E0B0A051FFAA86E358465BB0880D453 . 53784 . . [7.6.7600.256] . . c:\windows\system32\dllcache\wuauclt.exe
[7] 2008-04-14 . ED7262E52C31CF1625B65039102BC16C . 111104 . . [5.4.3790.5512] . . c:\windows\ServicePackFiles\i386\wuauclt.exe
.
[7] 2008-04-13 . 23C74D75E36E7158768DD63D92789A91 . 75264 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ipsec.sys
[7] 2008-04-13 . 23C74D75E36E7158768DD63D92789A91 . 75264 . . [5.1.2600.5512] . . c:\windows\system32\drivers\ipsec.sys
.
[7] 2010-08-23 . 93AFB83FBC1F9443CAC722FCA63D73BF . 617472 . . [5.82] . . c:\windows\system32\comctl32.dll
[7] 2010-08-23 . 93AFB83FBC1F9443CAC722FCA63D73BF . 617472 . . [5.82] . . c:\windows\system32\dllcache\comctl32.dll
[7] 2010-08-23 . 736B12B725AEB2B07F0241A9F680CB10 . 1054208 . . [6.0] . . c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
[7] 2008-04-14 . BD38D1EBE24A46BD3EDA059560AFBA12 . 1054208 . . [6.0] . . c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
[7] 2008-04-14 . 06F247492BC786CE5C24A23E178C711A . 617472 . . [5.82] . . c:\windows\$NtUninstallKB2296011$\comctl32.dll
[7] 2008-04-14 . 06F247492BC786CE5C24A23E178C711A . 617472 . . [5.82] . . c:\windows\ServicePackFiles\i386\comctl32.dll
[-] 2006-08-25 . C4E80875C1CF1222FC5EFD0314AE5C01 . 1054208 . . [6.0] . . c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll
[7] 2004-08-04 . AEF3D788DBF40C7C4D204EA45EB0C505 . 921088 . . [6.0] . . c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll
[7] 2004-08-04 . 5AF68A5E44734A082442668E9C787743 . 1050624 . . [6.0] . . c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
.
[7] 2008-04-14 . 3D4E199942E29207970E04315D02AD3B . 62464 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\cryptsvc.dll
[7] 2008-04-14 . 3D4E199942E29207970E04315D02AD3B . 62464 . . [5.1.2600.5512] . . c:\windows\system32\cryptsvc.dll
.
[7] 2008-07-07 20:26 . D4991D98F2DB73C60D042F1AEF79EFAE . 253952 . . [2001.12.4414.706] . . c:\windows\$hf_mig$\KB950974\SP3GDR\es.dll
[7] 2008-07-07 20:26 . D4991D98F2DB73C60D042F1AEF79EFAE . 253952 . . [2001.12.4414.706] . . c:\windows\system32\es.dll
[7] 2008-07-07 20:26 . D4991D98F2DB73C60D042F1AEF79EFAE . 253952 . . [2001.12.4414.706] . . c:\windows\system32\dllcache\es.dll
[7] 2008-07-07 20:23 . F17F6226BDC0CD5F0BEF0DAF84D29BEC . 253952 . . [2001.12.4414.706] . . c:\windows\$hf_mig$\KB950974\SP3QFE\es.dll
[7] 2008-07-07 20:06 . A4AB3DCA4A383F0DF4988ABDEB84F9A4 . 253952 . . [2001.12.4414.320] . . c:\windows\$hf_mig$\KB950974\SP2QFE\es.dll
[7] 2008-04-14 00:11 . 19A799805B24990867B00C120D300C3A . 246272 . . [2001.12.4414.701] . . c:\windows\ServicePackFiles\i386\es.dll
[-] 2005-07-26 04:20 . 95F5FEA4C6DE2C3F28784D0DCC8F0DD3 . 243200 . . [2001.12.4414.308] . . c:\windows\$hf_mig$\KB902400\SP2QFE\es.dll
.
[7] 2008-04-14 . 0DA85218E92526972A821587E6A8BF8F . 110080 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\imm32.dll
[7] 2008-04-14 . 0DA85218E92526972A821587E6A8BF8F . 110080 . . [5.1.2600.5512] . . c:\windows\system32\imm32.dll
.
[7] 2009-03-21 . B921FB870C9AC0D509B2CCABBBBE95F3 . 989696 . . [5.1.2600.5781] . . c:\windows\system32\kernel32.dll
[7] 2009-03-21 . B921FB870C9AC0D509B2CCABBBBE95F3 . 989696 . . [5.1.2600.5781] . . c:\windows\system32\dllcache\kernel32.dll
[7] 2009-03-21 . DA11D9D6ECBDF0F93436A4B7C13F7BEC . 991744 . . [5.1.2600.5781] . . c:\windows\$hf_mig$\KB959426\SP3QFE\kernel32.dll
[7] 2008-04-14 . C24B983D211C34DA8FCC1AC38477971D . 989696 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\kernel32.dll
[-] 2007-04-16 . 09F7CB3687F86EDAA4CA081F7AB66C03 . 986112 . . [5.1.2600.3119] . . c:\windows\$hf_mig$\KB935839\SP2QFE\kernel32.dll
[-] 2006-07-05 . 0FDD84928A5DDE2510761B7EC76CCEC9 . 985088 . . [5.1.2600.2945] . . c:\windows\$hf_mig$\KB917422\SP2QFE\kernel32.dll
.
[7] 2008-04-14 . 2DC5A8019E2387987905F77C664E4BE2 . 19968 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\linkinfo.dll
[7] 2008-04-14 . 2DC5A8019E2387987905F77C664E4BE2 . 19968 . . [5.1.2600.5512] . . c:\windows\system32\linkinfo.dll
[-] 2005-09-01 . 648BF0B4DDE4F7A1156DAE7174D36EFA . 19968 . . [5.1.2600.2751] . . c:\windows\$hf_mig$\KB900725\SP2QFE\linkinfo.dll
.
[7] 2008-04-14 . 012DF358CEBAA23ACB26D82077820817 . 22016 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\lpk.dll
[7] 2008-04-14 . 012DF358CEBAA23ACB26D82077820817 . 22016 . . [5.1.2600.5512] . . c:\windows\system32\lpk.dll
.
[7] 2012-07-02 . 13D2E016B784730A98F24D6E5BEED22F . 6008320 . . [8.00.6001.19298] . . c:\windows\system32\mshtml.dll
[7] 2012-07-02 . 13D2E016B784730A98F24D6E5BEED22F . 6008320 . . [8.00.6001.19298] . . c:\windows\system32\dllcache\mshtml.dll
[7] 2012-07-02 . DF599AC52B62DE001E42D36F92B45E68 . 6010368 . . [8.00.6001.23385] . . c:\windows\$hf_mig$\KB2722913-IE8\SP3QFE\mshtml.dll
.
[7] 2008-04-14 . D7075E95AA599EE77B7A89D39296BD3D . 343040 . . [7.0.2600.5512] . . c:\windows\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.5512_x-ww_3fd60d63\msvcrt.dll
[7] 2008-04-14 . 355EDBB4D412B01F1740C17E3F50FA00 . 343040 . . [7.0.2600.5512] . . c:\windows\ServicePackFiles\i386\msvcrt.dll
[7] 2008-04-14 . 355EDBB4D412B01F1740C17E3F50FA00 . 343040 . . [7.0.2600.5512] . . c:\windows\system32\msvcrt.dll
[7] 2004-08-04 . 4200BE3808F6406DBE45A7B88DAE5035 . 322560 . . [7.0.2600.0] . . c:\windows\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.0.0_x-ww_2726e76a\msvcrt.dll
[7] 2004-08-04 . 98EC447E00229AFD88D5161A25D065DA . 343040 . . [7.0.2600.2180] . . c:\windows\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.2600.2180_x-ww_b2505ed9\msvcrt.dll
.
[7] 2008-06-20 . 832E4DD8964AB7ACC880B2837CB1ED20 . 245248 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\mswsock.dll
[7] 2008-06-20 . 832E4DD8964AB7ACC880B2837CB1ED20 . 245248 . . [5.1.2600.5625] . . c:\windows\$NtUninstallKB2509553$\mswsock.dll
[7] 2008-06-20 . FCEE5FCB99F7C724593365C706D28388 . 245248 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB2509553\SP3QFE\mswsock.dll
[7] 2008-06-20 . FCEE5FCB99F7C724593365C706D28388 . 245248 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\mswsock.dll
[7] 2008-06-20 . 1DFCA7713EA5A70D5D93B436AEA0317A . 245248 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\mswsock.dll
[7] 2008-06-20 . 943337D786A56729263071623BBB9DE5 . 245248 . . [5.1.2600.5625] . . c:\windows\system32\mswsock.dll
[7] 2008-06-20 . 943337D786A56729263071623BBB9DE5 . 245248 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\mswsock.dll
[7] 2008-04-14 . B4138E99236F0F57D4CF49BAE98A0746 . 245248 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\mswsock.dll
.
[7] 2008-04-14 . 1B7F071C51B77C272875C3A23E1E4550 . 407040 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\netlogon.dll
[7] 2008-04-14 . 1B7F071C51B77C272875C3A23E1E4550 . 407040 . . [5.1.2600.5512] . . c:\windows\system32\netlogon.dll
.
[7] 2008-04-14 . 50A166237A0FA771261275A405646CC0 . 17408 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\powrprof.dll
[7] 2008-04-14 . 50A166237A0FA771261275A405646CC0 . 17408 . . [6.00.2900.5512] . . c:\windows\system32\powrprof.dll
.
[7] 2008-04-14 . A86BB5E61BF3E39B62AB4C7E7085A084 . 181248 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\scecli.dll
[7] 2008-04-14 . A86BB5E61BF3E39B62AB4C7E7085A084 . 181248 . . [5.1.2600.5512] . . c:\windows\system32\scecli.dll
.
[7] 2008-04-14 . 96E1C926F22EE1BFBAE82901A35F6BF3 . 5120 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\sfc.dll
[7] 2008-04-14 . 96E1C926F22EE1BFBAE82901A35F6BF3 . 5120 . . [5.1.2600.5512] . . c:\windows\system32\sfc.dll
.
[7] 2008-04-14 . 27C6D03BCDB8CFEB96B716F3D8BE3E18 . 14336 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\svchost.exe
[7] 2008-04-14 . 27C6D03BCDB8CFEB96B716F3D8BE3E18 . 14336 . . [5.1.2600.5512] . . c:\windows\system32\svchost.exe
.
[7] 2008-04-14 . 3CB78C17BB664637787C9A1C98F79C38 . 249856 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\tapisrv.dll
[7] 2008-04-14 . 3CB78C17BB664637787C9A1C98F79C38 . 249856 . . [5.1.2600.5512] . . c:\windows\system32\tapisrv.dll
[-] 2005-07-08 . 1418A3A6E76E5A2E3F5E43866E793A8B . 249344 . . [5.1.2600.2716] . . c:\windows\$hf_mig$\KB893756\SP2QFE\tapisrv.dll
.
[7] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\user32.dll
[7] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.5512] . . c:\windows\system32\user32.dll
[-] 2007-03-08 . 7AA4F6C00405DFC4B70ED4214E7D687B . 578048 . . [5.1.2600.3099] . . c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
[-] 2005-03-02 . 1800F293BCCC8EDE8A70E12B88D80036 . 577024 . . [5.1.2600.2622] . . c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
.
[7] 2008-04-14 . A93AEE1928A9D7CE3E16D24EC7380F89 . 26112 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\userinit.exe
[7] 2008-04-14 . A93AEE1928A9D7CE3E16D24EC7380F89 . 26112 . . [5.1.2600.5512] . . c:\windows\system32\userinit.exe
.
[7] 2012-07-02 . C4300CB4D20B1159DC77E01E8A2525EC . 916992 . . [8.00.6001.19298] . . c:\windows\system32\wininet.dll
[7] 2012-07-02 . C4300CB4D20B1159DC77E01E8A2525EC . 916992 . . [8.00.6001.19298] . . c:\windows\system32\dllcache\wininet.dll
[7] 2012-07-02 . EFB2241DE3AA6480521A16D0CB67B0EC . 920064 . . [8.00.6001.23385] . . c:\windows\$hf_mig$\KB2722913-IE8\SP3QFE\wininet.dll
[7] 2012-05-16 . 6B1774334E2975AA60596E54F5EA1430 . 916992 . . [8.00.6001.19272] . . c:\windows\ie8updates\KB2722913-IE8\wininet.dll
[7] 2012-05-16 . 553AD35768CD27959391DD5AA82CEF6F . 920064 . . [8.00.6001.23359] . . c:\windows\$hf_mig$\KB2699988-IE8\SP3QFE\wininet.dll
[7] 2012-05-16 . 48774253430B223842CBA385215192FD . 667136 . . [6.00.2900.6228] . . c:\windows\ie8\wininet.dll
[7] 2012-05-16 . E9D9945BDD183AF467A5220BE746EAEF . 668672 . . [6.00.2900.6228] . . c:\windows\$hf_mig$\KB2699988\SP3QFE\wininet.dll
[7] 2012-02-28 . 39140CE6E77DCA706A04D913058B5006 . 667136 . . [6.00.2900.6197] . . c:\windows\$NtUninstallKB2699988$\wininet.dll
[7] 2012-02-28 . AC3E276FF2D3C4A89B85D2A8587EF9FA . 668672 . . [6.00.2900.6197] . . c:\windows\$hf_mig$\KB2675157\SP3QFE\wininet.dll
[7] 2011-12-19 . B701B7DF6B9B243B155523B5F868A90A . 667136 . . [6.00.2900.6182] . . c:\windows\$NtUninstallKB2675157$\wininet.dll
[7] 2011-12-19 . 19404059BFBD2DDA979D5FD3D744DE8B . 668672 . . [6.00.2900.6182] . . c:\windows\$hf_mig$\KB2647516\SP3QFE\wininet.dll
[7] 2011-11-04 . 552263502EA8C24D301A0C43FF90B3ED . 916992 . . [8.00.6001.19165] . . c:\windows\ie8updates\KB2699988-IE8\wininet.dll
[7] 2011-11-04 . 4E4716CAF514717814D07113AD0425B6 . 919552 . . [8.00.6001.23261] . . c:\windows\$hf_mig$\KB2618444-IE8\SP3QFE\wininet.dll
[7] 2011-11-01 . 8C02B1933148BF7EA8993C44A38C24ED . 667136 . . [6.00.2900.6168] . . c:\windows\$NtUninstallKB2647516$\wininet.dll
[7] 2011-11-01 . 736FC4ADDCAB3055EB8641DD82668646 . 668672 . . [6.00.2900.6168] . . c:\windows\$hf_mig$\KB2618444\SP3QFE\wininet.dll
[7] 2011-09-05 . 24F757BD57B16E208BA0057FCD207AAA . 667136 . . [6.00.2900.6148] . . c:\windows\$NtUninstallKB2618444$\wininet.dll
[7] 2011-09-05 . 89AD0A701D80969C40F11205864F72CB . 668672 . . [6.00.2900.6148] . . c:\windows\$hf_mig$\KB2586448\SP3QFE\wininet.dll
[7] 2011-06-21 . 10D0068A5F17490B1DA6DFC6FB11EFF8 . 667136 . . [6.00.2900.6126] . . c:\windows\$NtUninstallKB2586448$\wininet.dll
[7] 2011-06-21 . CE82C101C2DA9ADD36E325CC9844C9BC . 668672 . . [6.00.2900.6126] . . c:\windows\$hf_mig$\KB2559049\SP3QFE\wininet.dll
[7] 2011-04-25 . 6878542C5A86875716B51EFF68D2AC00 . 667136 . . [6.00.2900.6104] . . c:\windows\$NtUninstallKB2559049$\wininet.dll
[7] 2011-04-25 . C09D9EF2B1A77DBCD30585F12FBC306E . 668672 . . [6.00.2900.6104] . . c:\windows\$hf_mig$\KB2530548\SP3QFE\wininet.dll
[7] 2011-02-17 . A9BF76039751D844CE807B9A98F0E955 . 667136 . . [6.00.2900.6082] . . c:\windows\$NtUninstallKB2530548$\wininet.dll
[7] 2011-02-17 . F0C8272270134ED382CC9F9CEBB74806 . 668672 . . [6.00.2900.6082] . . c:\windows\$hf_mig$\KB2497640\SP3QFE\wininet.dll
[7] 2010-12-20 . D2DEBA1AC8CFA19B3FC18CFBFFD978D7 . 667136 . . [6.00.2900.6058] . . c:\windows\$NtUninstallKB2497640$\wininet.dll
[7] 2010-12-20 . A58306FBF1D163B47244BD6C4A08B1A8 . 668672 . . [6.00.2900.6058] . . c:\windows\$hf_mig$\KB2482017\SP3QFE\wininet.dll
[7] 2010-11-05 . 4FE2F2C6A860BD9B22F7C0E49CA448AE . 667136 . . [6.00.2900.6049] . . c:\windows\$NtUninstallKB2482017$\wininet.dll
[7] 2010-11-05 . 67D8591A9FC9EDA74AF63FAC72A1D150 . 668672 . . [6.00.2900.6049] . . c:\windows\$hf_mig$\KB2416400\SP3QFE\wininet.dll
[7] 2010-09-09 . D7275E6DA8D1A8BEB36468548899522C . 668672 . . [6.00.2900.6036] . . c:\windows\$hf_mig$\KB2360131\SP3QFE\wininet.dll
[7] 2010-09-09 . 118767E386CBAE1AD67D934BC9402E08 . 667136 . . [6.00.2900.6036] . . c:\windows\$NtUninstallKB2416400$\wininet.dll
[7] 2010-06-24 . 7F489AED93B4AA2B170025DF0670E17F . 668672 . . [6.00.2900.6003] . . c:\windows\$hf_mig$\KB2183461\SP3QFE\wininet.dll
.
[7] 2008-04-14 . 2CCC474EB85CEAA3E1FA1726580A3E5A . 82432 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ws2_32.dll
[7] 2008-04-14 . 2CCC474EB85CEAA3E1FA1726580A3E5A . 82432 . . [5.1.2600.5512] . . c:\windows\system32\ws2_32.dll
.
[7] 2008-04-14 . 9789E95E1D88EEB4B922BF3EA7779C28 . 19968 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ws2help.dll
[7] 2008-04-14 . 9789E95E1D88EEB4B922BF3EA7779C28 . 19968 . . [5.1.2600.5512] . . c:\windows\system32\ws2help.dll
.
[7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe
[-] 2007-06-13 . 7712DF0CDDE3A5AC89843E61CD5B3658 . 1033216 . . [6.00.2900.3156] . . c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
.
[7] 2008-04-14 . 058710B720282CA82B909912D3EF28DB . 146432 . . [5.1.2600.5512] . . c:\windows\regedit.exe
[7] 2008-04-14 . 058710B720282CA82B909912D3EF28DB . 146432 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\regedit.exe
.
[7] 2011-11-01 . 6BAD1BED9872E62049E487FB91AE2F3A . 1288704 . . [5.1.2600.6168] . . c:\windows\system32\ole32.dll
[7] 2011-11-01 . 6BAD1BED9872E62049E487FB91AE2F3A . 1288704 . . [5.1.2600.6168] . . c:\windows\system32\dllcache\ole32.dll
[7] 2011-11-01 . 7D9DDE1AB4B00DDB173F5A16E9206517 . 1289216 . . [5.1.2600.6168] . . c:\windows\$hf_mig$\KB2624667\SP3QFE\ole32.dll
[7] 2010-07-16 . 7A6A7900B5E322763430BA6FD9A31224 . 1288192 . . [5.1.2600.6010] . . c:\windows\$NtUninstallKB2624667$\ole32.dll
[7] 2010-07-16 . 8D51FB47062F2A1A9EFECCEF338A4C46 . 1289216 . . [5.1.2600.6010] . . c:\windows\$hf_mig$\KB979687\SP3QFE\ole32.dll
[7] 2008-04-14 . ECCE74BC6168375016450A86A164D976 . 1287168 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB979687$\ole32.dll
.
[7] 2010-04-16 . 9E03DC5AB51CFD0190541CE2038D819D . 406016 . . [1.0420.2600.5969] . . c:\windows\system32\usp10.dll
[7] 2010-04-16 . 9E03DC5AB51CFD0190541CE2038D819D . 406016 . . [1.0420.2600.5969] . . c:\windows\system32\dllcache\usp10.dll
[7] 2010-04-16 . F8894BCC961D461674002B4BAE7AECC1 . 406016 . . [1.0420.2600.5969] . . c:\windows\$hf_mig$\KB981322\SP3QFE\usp10.dll
[7] 2008-04-14 . 7D7D8501F3CB45D0408CDEFA08CDAEFF . 406016 . . [1.0420.2600.5512] . . c:\windows\$NtUninstallKB981322$\usp10.dll
[7] 2008-04-14 . 7D7D8501F3CB45D0408CDEFA08CDAEFF . 406016 . . [1.0420.2600.5512] . . c:\windows\ServicePackFiles\i386\usp10.dll
.
[7] 2008-04-14 . 9B9F1C38D559047B8AC0DBA2D5FEBDE9 . 4096 . . [5.3.2600.5512] . . c:\windows\ServicePackFiles\i386\ksuser.dll
[7] 2008-04-14 . 9B9F1C38D559047B8AC0DBA2D5FEBDE9 . 4096 . . [5.3.2600.5512] . . c:\windows\system32\ksuser.dll
[7] 2004-08-04 . CBCD254547689BFF80C9F547B20911E9 . 4096 . . [5.3.2600.2180] . . c:\windows\system32\ReinstallBackups\0018\DriverFiles\i386\ksuser.dll
[7] 2002-12-11 18:44 . 15914E0BF4DDA56CF797993DCCB637D1 . 4096 . . [5.3.0000000.900 built by: DIRECTX] . . c:\windows\Driver Cache\i386\ksuser.dll
[7] 2002-12-11 18:44 . 15914E0BF4DDA56CF797993DCCB637D1 . 4096 . . [5.3.0000000.900 built by: DIRECTX] . . c:\windows\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\ksuser.dll
.
[7] 2008-04-14 . 5F1D5F88303D4A4DBC8E5F97BA967CC3 . 15360 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ctfmon.exe
[7] 2008-04-14 . 5F1D5F88303D4A4DBC8E5F97BA967CC3 . 15360 . . [5.1.2600.5512] . . c:\windows\system32\ctfmon.exe
.
[7] 2009-07-27 . 99BC0B50F511924348BE19C7C7313BBF . 135168 . . [6.00.2900.5853] . . c:\windows\system32\shsvcs.dll
[7] 2009-07-27 . 99BC0B50F511924348BE19C7C7313BBF . 135168 . . [6.00.2900.5853] . . c:\windows\system32\dllcache\shsvcs.dll
[7] 2009-07-27 . 888CD7B39C37E13A2419BECFAAF0A28C . 135168 . . [6.00.2900.5853] . . c:\windows\$hf_mig$\KB971029\SP3QFE\shsvcs.dll
[7] 2008-04-14 . 1926899BF9FFE2602B63074971700412 . 135168 . . [6.00.2900.5512] . . c:\windows\$NtUninstallKB971029$\shsvcs.dll
[7] 2008-04-14 . 1926899BF9FFE2602B63074971700412 . 135168 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\shsvcs.dll
[-] 2006-12-19 . 53D9184A21C5CBF600D918E51EF3A7E5 . 135168 . . [6.00.2900.3051] . . c:\windows\$hf_mig$\KB928255\SP2QFE\shsvcs.dll
.
[7] 2008-04-14 . AFFC87E2501FCE8F09D4C10BA6421CCF . 4608 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\msimg32.dll
[7] 2008-04-14 . AFFC87E2501FCE8F09D4C10BA6421CCF . 4608 . . [5.1.2600.5512] . . c:\windows\system32\msimg32.dll
.
[7] 2008-04-14 . 3805DF0AC4296A34BA4BF93B346CC378 . 171008 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\srsvc.dll
[7] 2008-04-14 . 3805DF0AC4296A34BA4BF93B346CC378 . 171008 . . [5.1.2600.5512] . . c:\windows\system32\srsvc.dll
.
[7] 2008-04-14 . F92E1076C42FCD6DB3D72D8CFE9816D5 . 13824 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\wscntfy.exe
[7] 2008-04-14 . F92E1076C42FCD6DB3D72D8CFE9816D5 . 13824 . . [5.1.2600.5512] . . c:\windows\system32\wscntfy.exe
.
[7] 2008-04-14 . 295D21F14C335B53CB8154E5B1F892B9 . 129024 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\xmlprov.dll
[7] 2008-04-14 . 295D21F14C335B53CB8154E5B1F892B9 . 129024 . . [5.1.2600.5512] . . c:\windows\system32\xmlprov.dll
.
[7] 2010-12-09 . 15CE4DBC22FAB90B3CA5352AF1FFF81C . 718336 . . [5.1.2600.6055] . . c:\windows\$hf_mig$\KB2393802\SP3QFE\ntdll.dll
[7] 2010-12-09 . F8F0D25CA553E39DDE485D8FC7FCCE89 . 718336 . . [5.1.2600.6055] . . c:\windows\system32\ntdll.dll
[7] 2010-12-09 . F8F0D25CA553E39DDE485D8FC7FCCE89 . 718336 . . [5.1.2600.6055] . . c:\windows\system32\dllcache\ntdll.dll
[7] 2009-02-09 . 911DDF2E16761643A47225F654D811E5 . 714752 . . [5.1.2600.5755] . . c:\windows\$NtUninstallKB2393802$\ntdll.dll
[7] 2009-02-09 . B0913005EE3FC15D7F72472D0B8A30EB . 715264 . . [5.1.2600.5755] . . c:\windows\$hf_mig$\KB956572\SP3QFE\ntdll.dll
[7] 2008-04-14 . 27D9ED8CB8B62D1E0A8E5ACE6CF52E2F . 706048 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ntdll.dll
.
[7] 2008-04-14 . 5733177BCF16EE78B99543C9B0AB81EA . 177152 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\msctfime.ime
[7] 2008-04-14 . 5733177BCF16EE78B99543C9B0AB81EA . 177152 . . [5.1.2600.5512] . . c:\windows\system32\msctfime.ime
.
[7] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\eventlog.dll
[7] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows\system32\eventlog.dll
.
[7] 2008-04-14 . 9DD07AF82244867CA36681EA2D29CE79 . 1614848 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\sfcfiles.dll
[7] 2008-04-14 . 9DD07AF82244867CA36681EA2D29CE79 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
[7] 2008-04-13 . 23C74D75E36E7158768DD63D92789A91 . 75264 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ipsec.sys
[7] 2008-04-13 . 23C74D75E36E7158768DD63D92789A91 . 75264 . . [5.1.2600.5512] . . c:\windows\system32\drivers\ipsec.sys
.
[7] 2008-04-14 . 5B19B557B0C188210A56A6B699D90B8F . 59904 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\regsvc.dll
[7] 2008-04-14 . 5B19B557B0C188210A56A6B699D90B8F . 59904 . . [5.1.2600.5512] . . c:\windows\system32\regsvc.dll
.
[7] 2008-04-14 . 0A9A7365A1CA4319AA7C1D6CD8E4EAFA . 192512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\schedsvc.dll
[7] 2008-04-14 . 0A9A7365A1CA4319AA7C1D6CD8E4EAFA . 192512 . . [5.1.2600.5512] . . c:\windows\system32\schedsvc.dll
.
[7] 2008-04-14 . 0A5679B3714EDAB99E357057EE88FCA6 . 71680 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ssdpsrv.dll
[7] 2008-04-14 . 0A5679B3714EDAB99E357057EE88FCA6 . 71680 . . [5.1.2600.5512] . . c:\windows\system32\ssdpsrv.dll
.
[7] 2008-04-14 . FF3477C03BE7201C294C35F684B3479F . 295424 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\termsrv.dll
[7] 2008-04-14 . FF3477C03BE7201C294C35F684B3479F . 295424 . . [5.1.2600.5512] . . c:\windows\system32\termsrv.dll
.
[7] 2008-04-14 . 3CB32D3B8CBE79899D63280BB7A83CD9 . 344064 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\hnetcfg.dll
[7] 2008-04-14 . 3CB32D3B8CBE79899D63280BB7A83CD9 . 344064 . . [5.1.2600.5512] . . c:\windows\system32\hnetcfg.dll
.
[7] 2004-08-04 . 9859C0F6936E723E4892D7141B1327D5 . 11648 . . [5.1.2600.0] . . c:\windows\system32\drivers\acpiec.sys
.
[7] 2008-04-13 16:39 . 8BED39E3C35D6A489438B8141717A557 . 142592 . . [5.1.2601.3142] . . c:\windows\ServicePackFiles\i386\aec.sys
[7] 2008-04-13 16:39 . 8BED39E3C35D6A489438B8141717A557 . 142592 . . [5.1.2601.3142] . . c:\windows\system32\drivers\aec.sys
[-] 2006-02-15 00:30 . 1EE7B434BA961EF845DE136224C30FEC . 142464 . . [5.1.2601.2180] . . c:\windows\$hf_mig$\KB900485\SP2QFE\aec.sys
.
[7] 2008-04-13 . 08FD04AA961BDC77FB983F328334E3D7 . 42368 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\agp440.sys
[7] 2008-04-13 . 08FD04AA961BDC77FB983F328334E3D7 . 42368 . . [5.1.2600.5512] . . c:\windows\system32\drivers\agp440.sys
.
[7] 2008-04-13 . 3BB22519A194418D5FEC05D800A19AD0 . 36608 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ip6fw.sys
[7] 2008-04-13 . 3BB22519A194418D5FEC05D800A19AD0 . 36608 . . [5.1.2600.5512] . . c:\windows\system32\drivers\ip6fw.sys
.
[7] 2010-09-18 07:18 . 842900DEDBC8E3E8DBCCCB298FD88F65 . 953856 . . [4.1.6151] . . c:\windows\$hf_mig$\KB2387149\SP3QFE\mfc40u.dll
[7] 2010-09-18 06:53 . E76A5C202E68AF5A322D16B5A78F48B9 . 953856 . . [4.1.6151] . . c:\windows\system32\mfc40u.dll
[7] 2010-09-18 06:53 . E76A5C202E68AF5A322D16B5A78F48B9 . 953856 . . [4.1.6151] . . c:\windows\system32\dllcache\mfc40u.dll
[7] 2008-04-14 00:11 . CDDD4416B2B4C7295FE3FDB6DDE57E4E . 927504 . . [4.1.0.61] . . c:\windows\$NtUninstallKB2387149$\mfc40u.dll
[7] 2008-04-14 00:11 . CDDD4416B2B4C7295FE3FDB6DDE57E4E . 927504 . . [4.1.0.61] . . c:\windows\ServicePackFiles\i386\mfc40u.dll
.
[7] 2008-04-14 . 986B1FF5814366D71E0AC5755C88F2D3 . 33792 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\msgsvc.dll
[7] 2008-04-14 . 986B1FF5814366D71E0AC5755C88F2D3 . 33792 . . [5.1.2600.5512] . . c:\windows\system32\msgsvc.dll
.
[7] 2006-10-18 16:17 . C51B4A5C05A5475708E3C81C7765B71D . 27136 . . [11.0.5721.5145] . . c:\windows\system32\mspmsnsv.dll
[7] 2006-10-18 16:17 . C51B4A5C05A5475708E3C81C7765B71D . 27136 . . [11.0.5721.5145] . . c:\windows\system32\dllcache\mspmsnsv.dll
[7] 2005-01-28 19:44 . 140EF97B64F560FD78643CAE2CDAD838 . 25088 . . [10.0.3790.3802] . . c:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}\MsPMSNSv.dll
[7] 2004-08-04 11:00 . C086483E3DBA8C1C0A687EC8D5B3D4C1 . 52224 . . [9.0.1.56] . . c:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}$BACKUP$\System\MsPMSNSv.dll
.
[7] 2012-05-04 . 8E99A0CE02C1BEDA6C0935A4DDE9CEAA . 2069120 . . [5.1.2600.6223] . . c:\windows\$hf_mig$\KB2707511\SP3QFE\ntkrnlpa.exe
[7] 2012-05-04 . 5DD80D56AF1CEFBFF4F25951069B55BB . 2069120 . . [5.1.2600.6223] . . c:\windows\Driver Cache\i386\ntkrnlpa.exe
[7] 2012-05-04 . 87763BB6C95901818050E52C378C9E15 . 2026496 . . [5.1.2600.6223] . . c:\windows\system32\ntkrnlpa.exe
[7] 2012-05-04 . 5DD80D56AF1CEFBFF4F25951069B55BB . 2069120 . . [5.1.2600.6223] . . c:\windows\system32\dllcache\ntkrnlpa.exe
.
[7] 2008-04-14 00:12 . 156F64A3345BD23C600655FB4D10BC08 . 435200 . . [5.1.2400.5512] . . c:\windows\ServicePackFiles\i386\ntmssvc.dll
[7] 2008-04-14 00:12 . 156F64A3345BD23C600655FB4D10BC08 . 435200 . . [5.1.2400.5512] . . c:\windows\system32\ntmssvc.dll
.
[7] 2008-04-14 . 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 . 185856 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\upnphost.dll
[7] 2008-04-14 . 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 . 185856 . . [5.1.2600.5512] . . c:\windows\system32\upnphost.dll
[-] 2007-02-05 . 36ACA6CDC19C95FF468A1426EB7F32F0 . 185344 . . [5.1.2600.3077] . . c:\windows\$hf_mig$\KB931261\SP2QFE\upnphost.dll
.
[7] 2008-04-14 . 4D83ED8BDDEC431FC8AD907B47CFB6E3 . 367616 . . [5.3.2600.5512] . . c:\windows\ServicePackFiles\i386\dsound.dll
[7] 2008-04-14 . 4D83ED8BDDEC431FC8AD907B47CFB6E3 . 367616 . . [5.3.2600.5512] . . c:\windows\system32\dsound.dll
[7] 2004-07-08 22:57 . 033A45AB696EEF481707C2808C806E1A . 381952 . . [5.3.0000001.0904 built by: private/Lab06_dev(DXBLD00)] . . c:\windows\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\dsound.dll
[7] 2004-07-08 22:57 . 033A45AB696EEF481707C2808C806E1A . 381952 . . [5.3.0000001.0904 built by: private/Lab06_dev(DXBLD00)] . . c:\windows\system32\dllcache\dsound.dll
.
[7] 2008-04-14 . 0607CBC6FA20114CB491EFE4B2F9EFAD . 1689088 . . [5.03.2600.5512] . . c:\windows\ServicePackFiles\i386\d3d9.dll
[7] 2008-04-14 . 0607CBC6FA20114CB491EFE4B2F9EFAD . 1689088 . . [5.03.2600.5512] . . c:\windows\system32\d3d9.dll
.
[7] 2008-04-14 . A340CD71EB535A3DD751B5F28723E50C . 279552 . . [5.03.2600.5512] . . c:\windows\ServicePackFiles\i386\ddraw.dll
[7] 2008-04-14 . A340CD71EB535A3DD751B5F28723E50C . 279552 . . [5.03.2600.5512] . . c:\windows\system32\ddraw.dll
[7] 2004-07-08 22:57 . 90114704C17A581DA1BAE029F20932BE . 292864 . . [5.3.0000001.0904 built by: private/Lab06_dev(DXBLD00)] . . c:\windows\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\ddraw.dll
[7] 2004-07-08 22:57 . 90114704C17A581DA1BAE029F20932BE . 292864 . . [5.3.0000001.0904 built by: private/Lab06_dev(DXBLD00)] . . c:\windows\system32\dllcache\ddraw.dll
.
[7] 2008-04-14 00:12 . 5652F6CE1D9E9D8068B9D29BC21B5409 . 84992 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\olepro32.dll
[7] 2008-04-14 00:12 . 5652F6CE1D9E9D8068B9D29BC21B5409 . 84992 . . [5.1.2600.5512] . . c:\windows\system32\olepro32.dll
.
[7] 2008-04-14 . DBE2B62353660ECCA0D75EA307A717E9 . 39936 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\perfctrs.dll
[7] 2008-04-14 . DBE2B62353660ECCA0D75EA307A717E9 . 39936 . . [5.1.2600.5512] . . c:\windows\system32\perfctrs.dll
.
[7] 2008-04-14 . C7CE131408739B0B3A318BE2D0032719 . 18944 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\version.dll
[7] 2008-04-14 . C7CE131408739B0B3A318BE2D0032719 . 18944 . . [5.1.2600.5512] . . c:\windows\system32\version.dll
.
[7] 2009-03-08 . B60DDDD2D63CE41CB8C487FCFBB6419E . 638816 . . [8.00.6001.18702] . . c:\windows\system32\dllcache\iexplore.exe
[7] 2008-04-14 . 55794B97A7FAABD2910873C85274F409 . 93184 . . [6.00.2900.5512] . . c:\windows\ie8\iexplore.exe
[7] 2008-04-14 . 55794B97A7FAABD2910873C85274F409 . 93184 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\iexplore.exe
.
[7] 2012-05-04 . 099A0F80A563EBE935F4A9750F96C219 . 2192640 . . [5.1.2600.6223] . . c:\windows\$hf_mig$\KB2707511\SP3QFE\ntoskrnl.exe
[7] 2012-05-04 . AC4B3C4A6DC31867034C66663B9B8A38 . 2148352 . . [5.1.2600.6223] . . c:\windows\system32\ntoskrnl.exe
[7] 2012-05-04 . DDF0CB8CD3C6007CDF4AD8F0409ED930 . 2192640 . . [5.1.2600.6223] . . c:\windows\Driver Cache\i386\ntoskrnl.exe
[7] 2012-05-04 . DDF0CB8CD3C6007CDF4AD8F0409ED930 . 2192640 . . [5.1.2600.6223] . . c:\windows\system32\dllcache\ntoskrnl.exe
[7] 2012-04-11 . 8D061BB825BC606C2B1C6F7452D1BAAA . 2192640 . . [5.1.2600.6206] . . c:\windows\$hf_mig$\KB2676562\SP3QFE\ntoskrnl.exe
[7] 2012-04-11 . A144D60B35E6DD14CCB9649B5E0D1092 . 2148352 . . [5.1.2600.6206] . . c:\windows\$NtUninstallKB2707511$\ntoskrnl.exe
[7] 2011-10-25 . 3B663B9B193D7E1DE39A466020F1FD91 . 2148864 . . [5.1.2600.6165] . . c:\windows\$NtUninstallKB2676562$\ntoskrnl.exe
[7] 2011-10-25 . F512C662874D7545E5BD8005E6800A44 . 2192768 . . [5.1.2600.6165] . . c:\windows\$hf_mig$\KB2633171\SP3QFE\ntoskrnl.exe
[7] 2010-12-09 . A531BBD3DE13121C1380ED7DC99082DB . 2192768 . . [5.1.2600.6055] . . c:\windows\$hf_mig$\KB2393802\SP3QFE\ntoskrnl.exe
[7] 2010-12-09 . 60E16152D847D7A7B7D3DA4C4B8E2120 . 2148864 . . [5.1.2600.6055] . . c:\windows\$NtUninstallKB2633171$\ntoskrnl.exe
[7] 2010-04-27 . 466A3E1239F4A9428797730E81A7A865 . 2146304 . . [5.1.2600.5973] . . c:\windows\$NtUninstallKB2393802$\ntoskrnl.exe
.
[7] 2008-04-14 . 3805DF0AC4296A34BA4BF93B346CC378 . 171008 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\srsvc.dll
[7] 2008-04-14 . 3805DF0AC4296A34BA4BF93B346CC378 . 171008 . . [5.1.2600.5512] . . c:\windows\system32\srsvc.dll
.
[7] 2008-04-14 . 54AF4B1D5459500EF0937F6D33B1914F . 175104 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\w32time.dll
[7] 2008-04-14 . 54AF4B1D5459500EF0937F6D33B1914F . 175104 . . [5.1.2600.5512] . . c:\windows\system32\w32time.dll
.
[7] 2008-04-14 . 8BAD69CBAC032D4BBACFCE0306174C30 . 333824 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\wiaservc.dll
[7] 2008-04-14 . 8BAD69CBAC032D4BBACFCE0306174C30 . 333824 . . [5.1.2600.5512] . . c:\windows\system32\wiaservc.dll
[-] 2006-12-19 . D9F097AA3B97034D3358A01B43E635B2 . 333824 . . [5.1.2600.3051] . . c:\windows\$hf_mig$\KB927802\SP2QFE\wiaservc.dll
.
[7] 2008-04-14 . 5C12660A97822F6E61576943B49AAAD6 . 18944 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\midimap.dll
[7] 2008-04-14 . 5C12660A97822F6E61576943B49AAAD6 . 18944 . . [5.1.2600.5512] . . c:\windows\system32\midimap.dll
.
[7] 2008-04-14 . 6F9BEF24C578D5D6740E080BEDD6A448 . 7680 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\rasadhlp.dll
[7] 2008-04-14 . 6F9BEF24C578D5D6740E080BEDD6A448 . 7680 . . [5.1.2600.5512] . . c:\windows\system32\rasadhlp.dll
[-] 2006-06-26 . B5D08C96B2DADAF5171FB69E341B272B . 7680 . . [5.1.2600.2938] . . c:\windows\$hf_mig$\KB920683\SP2QFE\rasadhlp.dll
.
[7] 2008-04-14 . 4E3D06D6E68EEDB52565080F55B460D3 . 19456 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\wshtcpip.dll
[7] 2008-04-14 . 4E3D06D6E68EEDB52565080F55B460D3 . 19456 . . [5.1.2600.5512] . . c:\windows\system32\wshtcpip.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{6c97a91e-4524-4019-86af-2aa2d567bf5c}"= "c:\program files\adawaretb\adawareDx.dll" [2013-02-11 87464]
.
[HKEY_CLASSES_ROOT\clsid\{6c97a91e-4524-4019-86af-2aa2d567bf5c}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\~\Browser Helper Objects\{6c97a91e-4524-4019-86af-2aa2d567bf5c}]
2013-02-11 10:47 87464 ----a-w- c:\program files\adawaretb\adawareDx.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{6c97a91e-4524-4019-86af-2aa2d567bf5c}"= "c:\program files\adawaretb\adawareDx.dll" [2013-02-11 87464]
.
[HKEY_CLASSES_ROOT\clsid\{6c97a91e-4524-4019-86af-2aa2d567bf5c}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellAutomatedPCTuneUp"="c:\program files\DellAutomatedPCTuneUp\PTAgnt.exe" [2007-10-11 465136]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2007-09-04 95536]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-02-21 39408]
"KiesTrayAgent"="c:\program files\Samsung\Kies\KiesTrayAgent.exe" [2012-08-31 3524536]
"KiesPDLR"="c:\program files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe" [2012-08-31 21432]
"KiesPreload"="c:\program files\Samsung\Kies\Kies.exe" [2012-08-31 964024]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ad-Aware Antivirus"="c:\program files\Ad-Aware Antivirus\AdAwareLauncher --windows-run" [X]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-03 851968]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-06 8429568]
"nwiz"="nwiz.exe" [2007-06-06 1626112]
"NVHotkey"="nvHotkey.dll" [2007-06-06 67584]
"NvMediaCenter"="NvMCTray.dll" [2007-06-06 81920]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-08-28 36864]
"DELL Webcam Manager"="c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-11-26 2289664]
"SigmatelSysTrayApp"="stsystra.exe" [2007-06-06 405504]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-04-16 184320]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-10-10 16384]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-12-08 32768]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2004-09-07 1400944]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" [2007-09-04 54576]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-08-12 30192]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2012-02-16 296056]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2009-12-01 103768]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
"Ad-Aware Browsing Protection"="c:\documents and settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe" [2013-01-31 542632]
"SearchProtection"="c:\documents and settings\All Users\Application Data\Search Protection\_run.bat" [2013-04-30 174]
"SDTray"="c:\program files\Spybot - Search & Destroy 2\SDTray.exe" [2012-11-13 3825176]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Dell Network Assistant.lnk - c:\windows\Installer\{0240BDFB-2995-4A3F-8C96-18D41282B716}\Icon0240BDFB3.exe [N/A]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-1-8 50688]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ sdnclean.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ad-Aware Service]
@="Ad-Aware Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaMServer]
c:\program files\Common Files\Nokia\MPlatform\NokiaMServer [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-01-01 21:22 3739648 ----a-w- c:\program files\Google\Google Talk\googletalk.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2006-08-17 15:00 1116920 ----a-w- c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2006-11-05 17:22 221184 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDTray.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDFSSvc.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdate.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdSvc.exe"=
"%windir%\\system32\\sessmgr.exe"=
.
R0 gfibto;gfibto;c:\windows\system32\drivers\gfibto.sys [4/30/2013 9:07 PM 13560]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [11/16/2008 7:25 PM 685816]
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [11/30/2009 3:29 PM 65584]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [4/30/2013 9:25 PM 22064]
R2 Ad-Aware Service;Ad-Aware Service;c:\program files\Ad-Aware Antivirus\AdAwareService.exe [3/18/2013 3:25 AM 1236336]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [4/30/2013 9:25 PM 66344]
R2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\Spybot - Search & Destroy 2\SDFSSvc.exe [5/1/2013 8:35 AM 1103392]
R2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\Spybot - Search & Destroy 2\SDUpdSvc.exe [5/1/2013 8:35 AM 1369624]
R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);c:\windows\system32\drivers\RMSPPPOE.SYS [1/23/2009 7:11 PM 31232]
S1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys --> c:\windows\system32\drivers\SBREDrv.sys [?]
S2 SBAMSvc;Ad-Aware;c:\program files\Ad-Aware Antivirus\SBAMSvc.exe [9/20/2012 5:39 AM 3677000]
S2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files\Spybot - Search & Destroy 2\SDWSCSvc.exe [5/1/2013 8:35 AM 168384]
S3 androidusb;SAMSUNG Android Composite ADB Interface Driver;c:\windows\system32\drivers\ssadadb.sys [11/14/2011 3:54 PM 30312]
S3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\drivers\ssudbus.sys [9/23/2012 9:39 AM 83168]
S3 gfiark;gfiark;c:\windows\system32\drivers\gfiark.sys [5/1/2013 8:39 AM 35896]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2/21/2010 4:58 PM 30192]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys --> c:\windows\system32\drivers\nmwcdnsu.sys [?]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys --> c:\windows\system32\drivers\nmwcdnsuc.sys [?]
S3 RTL8192su;%RTL8192su.DeviceDesc.DispName%;c:\windows\system32\drivers\RTL8192su.sys [1/6/2010 5:21 PM 594048]
S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\drivers\ssadbus.sys [11/14/2011 3:54 PM 121064]
S3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\drivers\ssadmdfl.sys [11/14/2011 3:54 PM 12776]
S3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\drivers\ssadmdm.sys [11/14/2011 3:54 PM 136808]
S3 ssadserd;SAMSUNG Android USB Diagnostic Serial Port (WDM);c:\windows\system32\drivers\ssadserd.sys [11/14/2011 3:54 PM 114280]
S3 ssudmdm;SAMSUNG Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\drivers\ssudmdm.sys [9/23/2012 9:39 AM 181344]
.
Contents of the 'Scheduled Tasks' folder
.
2013-05-05 c:\windows\Tasks\Ad-Aware Antivirus Scheduled Scan.job
- c:\progra~1\AD-AWA~1\AdAwareLauncher.exe [2013-03-17 21:55]
.
2013-05-05 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-15 03:17]
.
2013-05-01 c:\windows\Tasks\Check for updates (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDUpdate.exe [2013-05-01 08:38]
.
2013-05-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1176011502-1338575389-4188504004-1006Core.job
- c:\documents and settings\Master User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-11-07 05:34]
.
2013-05-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1176011502-1338575389-4188504004-1006UA.job
- c:\documents and settings\Master User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-11-07 05:34]
.
2012-02-23 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1176011502-1338575389-4188504004-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-11-29 10:32]
.
2013-05-02 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1176011502-1338575389-4188504004-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-11-29 10:32]
.
2013-05-05 c:\windows\Tasks\ReclaimerUpdateFiles_Master User.job
- c:\documents and settings\Master User\Application Data\Real\Update\UpgradeHelper\RealPlayer\10.40\agent\rnupgagent.exe [2013-03-29 02:06]
.
2013-05-03 c:\windows\Tasks\ReclaimerUpdateXML_Master User.job
- c:\documents and settings\Master User\Application Data\Real\Update\UpgradeHelper\RealPlayer\10.40\agent\rnupgagent.exe [2013-03-29 02:06]
.
2013-05-01 c:\windows\Tasks\Refresh immunization (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDImmunize.exe [2013-05-01 08:37]
.
2013-03-30 c:\windows\Tasks\RNUpgradeHelperLogonPrompt_Master User.job
- c:\documents and settings\Master User\Application Data\Real\Update\UpgradeHelper\RealPlayer\10.40\agent\rnupgagent.exe [2013-03-29 02:06]
.
2013-05-01 c:\windows\Tasks\Scan the system (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDScan.exe [2013-05-01 08:37]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = hxxp://websearch.greatresults.info/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*Yahoo! SearchBar Home Page
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6080107
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: e-mudhra.com\www
TCP: DhcpNameServer = 192.168.0.1
.
- - - - ORPHANS REMOVED - - - -
.
ShellIconOverlayIdentifiers-{1EC23CFF-4C58-458f-924C-8519AEF61B32} - (no file)
Notify-SDWinLogon - SDWinLogon.dll
MSConfigStartUp-DivXUpdate - c:\program files\DivX\DivX Update\DivXUpdate.exe
MSConfigStartUp-NokiaOviSuite2 - c:\program files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe
MSConfigStartUp-WordWeb - c:\program files\WordWeb\wweb32.exe
AddRemove-HASP Device Drivers - c:\windows\system32\UNWISE.EXE
AddRemove-01_Simmental - c:\program files\Samsung\USB Drivers\01_Simmental\Uninstall.exe
AddRemove-02_Siberian - c:\program files\Samsung\USB Drivers\02_Siberian\Uninstall.exe
AddRemove-03_Swallowtail - c:\program files\Samsung\USB Drivers\03_Swallowtail\Uninstall.exe
AddRemove-04_semseyite - c:\program files\Samsung\USB Drivers\04_semseyite\Uninstall.exe
AddRemove-05_Sloan - c:\program files\Samsung\USB Drivers\05_Sloan\Uninstall.exe
AddRemove-06_Spencer - c:\program files\Samsung\USB Drivers\06_Spencer\Uninstall.exe
AddRemove-07_Schorl - c:\program files\Samsung\USB Drivers\07_Schorl\Uninstall.exe
AddRemove-08_EMPChipset - c:\program files\Samsung\USB Drivers\08_EMPChipset\Uninstall.exe
AddRemove-09_Hsp - c:\program files\Samsung\USB Drivers\09_Hsp\Uninstall.exe
AddRemove-11_HSP_Plus_Default - c:\program files\Samsung\USB Drivers\11_HSP_Plus_Default\Uninstall.exe
AddRemove-16_Shrewsbury - c:\program files\Samsung\USB Drivers\16_Shrewsbury\Uninstall.exe
AddRemove-17_EMP_Chipset2 - c:\program files\Samsung\USB Drivers\17_EMP_Chipset2\Uninstall.exe
AddRemove-18_Zinia_Serial_Driver - c:\program files\Samsung\USB Drivers\18_Zinia_Serial_Driver\Uninstall.exe
AddRemove-19_VIA_driver - c:\program files\Samsung\USB Drivers\19_VIA_driver\Uninstall.exe
AddRemove-20_NXP_Driver - c:\program files\Samsung\USB Drivers\20_NXP_Driver\Uninstall.exe
AddRemove-21_Searsburg - c:\program files\Samsung\USB Drivers\21_Searsburg\Uninstall.exe
AddRemove-22_WiBro_WiMAX - c:\program files\Samsung\USB Drivers\22_WiBro_WiMAX\Uninstall.exe
AddRemove-24_flashusbdriver - c:\program files\Samsung\USB Drivers\24_flashusbdriver\Uninstall.exe
AddRemove-25_escape - c:\program files\Samsung\USB Drivers\25_escape\Uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2013-05-05 21:40
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2828)
c:\windows\system32\WININET.dll
c:\documents and settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\windows\system32\CDRTC.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Ahead\InCD\InCDsrv.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\windows\system32\netdde.exe
c:\windows\system32\crypserv.exe
c:\program files\Dell Network Assistant\hnm_svc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\RunDLL32.exe
c:\windows\stsystra.exe
c:\documents and settings\All Users\Application Data\Search Protection\SearchProtection.exe
c:\program files\Citrix\ICA Client\wfcrun32.exe
.
**************************************************************************
.
Completion time: 2013-05-05 22:12:13 - machine was rebooted
ComboFix-quarantined-files.txt 2013-05-05 16:42
.
Pre-Run: 10,064,490,496 bytes free
Post-Run: 10,885,738,496 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
[spybotsd]
timeout.old=30
.
- - End Of File - - 69D4E9563580A90059D412188E6D3C47
Attached Files
File Type: txt ComboFix.txt (61.5 KB, 10 views)
__________________
pgangar is offline  
Old 05-05-2013, 10:54 AM   #7
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
amateur's Avatar
 
Join Date: Jun 2006
Location: here & there and everywhere
Posts: 14,765
OS: XP Win7 Ubuntu 10.10



Well done. The infection appears to be neutralized. You should see some improvement in the system behavior. However, we have more work to do.

Please go to Start > Run and copy/paste the following single-line command into the Run box and click OK:

C:\Qoobox\Add-Remove Programs.txt

A text file should open. Please post the contents of that file in your next reply.

=================

Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Launch Malwarebyte's, and select Perform Quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Save it to your desktop.
Note:

**Malwarebytes' Anti-Malware may require a reboot to complete removals. After a reboot, if required, post that saved log in your next reply.

**If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
__________________

amateur is offline  
Old 05-05-2013, 06:27 PM   #8
Registered Member
 
Join Date: Apr 2013
Posts: 40
OS: Win XP



Hi,
Refer below the contents of the Add-remove files.txt. Note that after the scans, my PC has become mighty slow, and especially when I launch IE the screen freezes for several seconds before allowing me to do anything. Also, when I was downloading the MBAM software, the IE froze for some time. This may be because of my slow internet connection as well (512 KBPS) but nevertheless I thought of letting you know. I will post the MBAM log in my next reply -


µTorrent
AC3Filter 2.5b
Ad-Aware Antivirus
Ad-Aware Security Add-on
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader X (10.1.6)
Adobe Shockwave Player 12.0
Advanced Audio FX Engine
Advanced Video FX Engine
AT&T Connect Participant
Belkin F7D1101 Basic Wireless USB Adapter
Broadcom Management Programs
calibre
CCleaner
Cisco WebEx Meetings
Citrix online plug-in - web
Citrix online plug-in (DV)
Citrix online plug-in (HDX)
Citrix online plug-in (USB)
Citrix online plug-in (Web)
Compatibility Pack for the 2007 Office system
Conexant HDA D330 MDC V.92 Modem
Crossword Weaver 8.0
Data Access Objects (DAO) 3.5
Defraggler
Dell Automated PC TuneUp
Dell Driver Reset Tool
Dell Network Assistant
Dell Support Center (Support Software)
Dell Touchpad
Dell Webcam Center
Dell Webcam Manager
Dell Wireless WLAN Card Utility
Digital Line Detect
DivX Converter
DivX Plus DirectShow Filters
DivX Version Checker
EchoLink
eQSO by M0ZPD
Google Desktop
Google Talk (remove only)
Google Talk Plugin
Google Updater
HASP Device Drivers
Hompath Classic M.D.
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
IntelliSonic Speech Enhancement
Java 7 Update 17
Java Auto Updater
Juniper Citrix Services Client
Juniper Networks, Inc. Setup Client
Juniper Networks, Inc. Setup Client Activex Control
K-Lite Codec Pack 9.8.5 (Full)
Laptop Integrated Webcam Driver (1.03.02.0719)
Live! Cam Avatar v1.0
Magic ISO Maker v5.4 (build 0251)
MediaDirect
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2656353)
Microsoft .NET Framework 1.1 Security Update (KB2656370)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office Live Meeting 2007
Microsoft Office Professional Edition 2003
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
Microsoft Visual Studio 2010 Tools for Office Runtime (x86)
Microsoft Works
Modem Diagnostic Tool
MotionDV STUDIO 5.6E LE for DV
MSVC80_x86_v2
MSVC90_x86
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
MSXML 6.0 Parser
MyFreeCodec
Nero Suite
NetWaiting
NVIDIA Drivers
OLYMPUS Master 2
OutlookAddinSetup
Panasonic DVC USB Driver
PC Connectivity Solution
Pdf995
PowerDVD
PPP over Ethernet Protocol 0.98
QuickSet
RealNetworks - Microsoft Visual C++ 2008 Runtime
RealPlayer
RealUpgrade 1.1
Recuva
Roxio Creator Audio
Roxio Creator BDAV Plugin
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Drag-to-Disc
Roxio Express Labeler
Roxio MyDVD DE
Roxio Update Manager
Samsung Kies
SAMSUNG USB Driver for Mobile Phones
Search Assistant SimpleSpeedy 1.74
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB2699988)
Security Update for Windows Internet Explorer 8 (KB2722913)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2183461)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360131)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2416400)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2482017)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2491683)
Security Update for Windows XP (KB2497640)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2510581)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2530548)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544521)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2559049)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2586448)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618444)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2621440)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB2641653)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB2647516)
Security Update for Windows XP (KB2647518)
Security Update for Windows XP (KB2653956)
Security Update for Windows XP (KB2655992)
Security Update for Windows XP (KB2659262)
Security Update for Windows XP (KB2660465)
Security Update for Windows XP (KB2661637)
Security Update for Windows XP (KB2675157)
Security Update for Windows XP (KB2676562)
Security Update for Windows XP (KB2685939)
Security Update for Windows XP (KB2686509)
Security Update for Windows XP (KB2691442)
Security Update for Windows XP (KB2695962)
Security Update for Windows XP (KB2698365)
Security Update for Windows XP (KB2699988)
Security Update for Windows XP (KB2705219)
Security Update for Windows XP (KB2707511)
Security Update for Windows XP (KB2709162)
Security Update for Windows XP (KB2712808)
Security Update for Windows XP (KB2718523)
Security Update for Windows XP (KB2719985)
Security Update for Windows XP (KB2723135)
Security Update for Windows XP (KB2731847)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982802)
SigmaTel MSCN Audio Player
Sonic Activation Module
Spybot - Search & Destroy
StarToken
swMSM
TTSInstaller
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB2598845)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676)
Update for Windows XP (KB2641690)
Update for Windows XP (KB2718704)
Update for Windows XP (KB2736233)
Update for Windows XP (KB971029)
VC80CRTRedist - 8.0.50727.6195
VLC media player 2.0.1
WD Diagnostics
WebFldrs XP
Winamp
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows PowerShell(TM) 1.0
WinRAR archiver
__________________
pgangar is offline  
Old 05-05-2013, 11:28 PM   #9
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
amateur's Avatar
 
Join Date: Jun 2006
Location: here & there and everywhere
Posts: 14,765
OS: XP Win7 Ubuntu 10.10



OK, I'll wait for the Malwarebytes log.
__________________

amateur is offline  
Old 05-06-2013, 06:32 AM   #10
Registered Member
 
Join Date: Apr 2013
Posts: 40
OS: Win XP



Hello,
I ran the MBAM Quick Scan, but at the end of the scan, I did not get any option to click on 'Show Results' as you mentioned above. The log directly opened with a message that the scan didn't find anything. Refer below log contents -

Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org
Database version: v2013.05.06.01
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Master User :: PARIN [administrator]
Protection: Enabled
5/6/2013 6:30:35 PM
mbam-log-2013-05-06 (18-30-35).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 184452
Time elapsed: 26 minute(s), 15 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
__________________
pgangar is offline  
Old 05-06-2013, 06:42 AM   #11
Registered Member
 
Join Date: Apr 2013
Posts: 40
OS: Win XP



Note that while the MBAM scan was in progress, the AV software Adaware quarantined following files -

Applications:
C:\Documents and Settings\Master User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Quick Heal\Quick Heal AntiVirus Pro\SAPISSVC.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

Objects:
C:\Program Files\SimpleSpeedy\sprotector.dll
C:\Program Files\Quick Heal\Quick Heal AntiVirus Pro\pepoly.dll
C:\WINDOWS\system32\roboot.exe

Please advise.

Regards,
Parin
__________________
pgangar is offline  
Old 05-06-2013, 07:01 AM   #12
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
amateur's Avatar
 
Join Date: Jun 2006
Location: here & there and everywhere
Posts: 14,765
OS: XP Win7 Ubuntu 10.10



Malwarebytes is certainly a false positive. Adaware is known for its false positives. . Did you just install Quick Heal and SimpleSpeedy? They have never been shown in any of the logs before. Uninstall them via Add or Remove Programs in Control Panel, if present. Then, delete their folders:

C:\Program Files\SimpleSpeedy
C:\Program Files\Quick Heal

As for C:\WINDOWS\system32\roboot.exe, are you sure about the spelling? could it be reboot.exe?

===============

Let's see if an online scan will find any remnants.

But before we do that, I see that you have µTorrent installed, which is a p2p application. This practice can make you vulnerable to data and identity theft. Please read this sticky:

Perils of P2P File Sharing

I would strongly urge you to remove it via Add or Remove Programs in Control Panel as suggested in our
NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help page.

Quote:
  • p2p programs like uTorrent, Bittorrent, LimeWire, Morpheus, etc., as they are a major conduit for malware and a likely source of your current issues. See this link
=================

CCleaner is a good tool to clean the temp files, but care should be taken with the Registry setion of the tool. It's best not to use that. We do not recommend the use of registry cleaners/optimizers/tweakers. Our colleague miekiemoes has an excellent writeup here

Two other excellent articles: One by Bill Castner is located here and the other by Ed Bott is here

=================


Java 7 Update 17 is outdated. Please uninstall it via Programs and Features.
Next, download the latest Java, version 7 update 21 from the following link:

Download Free Java Software


=================

Please run this online scan to help look for remnants. Ensure your external and/or USB drives are inserted during the scan.

Go here and click 'ESET Online Scanner'.
  • If you are not using Internet Explorer, double-click esetsmartinstaller_enu.exe to install it, then click 'Run'.
  • Turn off the real-time scanner of any existing antivirus program while performing the online scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • If using Internet Explorer, allow the ActiveX control to install when asked.
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Next to 'Current scan targets: Operating memory, Local drives', click the Change.. button.
  • Tick all the boxes that correspond to your external/inserted drives.
  • Click Start
  • Wait for the scan to finish.
  • When the scan is done, if it shows a screen that says "Threats found!", click "List of found threats", and then click "Export to text file..."
  • Save that text file to your desktop, and then copy/paste the contents in your next reply.
__________________

amateur is offline  
Old 05-07-2013, 06:15 AM   #13
Registered Member
 
Join Date: Apr 2013
Posts: 40
OS: Win XP



Hi,
I had Quick Heal Antivirus Pro installed on this PC even before I downloaded Adaware (as a result of some other thread on Tech Support forum which claimed to be done first).
But then Adaware quarantined and deleted some file from Quick Heal and hence I had to uninstall the same permanently. I don't know why this folder never showed up in your scans but I have deleted this now.
Note that after this clean-up exercise is over, I would like to go back to uninstalling following -
1) Adaware since it's a trial version anyways.
2) Spybot S&D
And re-install, Quick Heal AV Pro since I have paid for this licensed version. Let me know if this would be a wise decision, or else please give your recommendations.

Regarding the SimpleSpeedy, I don't have this installed (can't find in Add / Remove Software / programs), but I have now deleted this folder.

I have also uninstalled uTorrent from this PC as well as from my smartphone. I never thought of the security angle when enjoying the bliss of P2P sharing.

I am attaching the screenshot from Adaware logs where it says ROBOOT.exe and not reboot.



I have also uninstalled Ccleaner since apparently I don't use it often at all, and I don't want to unsuspectingly delete anything from the Registry.

Uninstalled Java 7 Update 17 and installed Java 7 Update 21.

Note that I have two external drives but only one USB cable. Hence I have done the scan with only one drive attached.

Would you suggest running the online scan again with the second drive connected or is there a better way. Note that for this second drive, I have been getting messages to format the same, since I believe it's file system is damaged, and for that I ran chkdsk on the same, but there
was nothing to fix.

Refer below ESET scan log.

C:\Documents and Settings\Master User\Application Data\Real\Update\UpgradeHelper\RealPlayer\10.40\agent\stub_data\stubinst_pkg_en-ap.cab Win32/OpenCandy application
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP649\A0147073.exe Win32/InstalleRex.I application
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP649\A0147126.exe Win32/InstalleRex.I application
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP651\A0147563.dll a variant of Win32/SProtector.A application
D:\PARIN\Software\LIT Reader - SoftonicDownloader_for_calibre.exe Win32/SoftonicDownloader application
D:\PARIN\Software\winamp5622_full_bundle_emusic-7plus_all.exe Win32/OpenCandy application
F:\Bkup-Lappy\PARIN\Software\LIT Reader - SoftonicDownloader_for_calibre.exe Win32/SoftonicDownloader application
F:\Bkup-Lappy\PARIN\Software\winamp5622_full_bundle_emusic-7plus_all.exe Win32/OpenCandy application
F:\CVJECE\bacio.exe a variant of Win32/Kryptik.HSQ trojan

Thanks for your help.

Parin
Attached Thumbnails
Click image for larger version

Name:	roboot screenshot.JPG
Views:	765
Size:	107.5 KB
ID:	124900  
__________________
pgangar is offline  
Old 05-07-2013, 06:50 AM   #14
Registered Member
 
Join Date: Apr 2013
Posts: 40
OS: Win XP



Also, i have recently noticed a spike in activity by wuauclt.exe & svchost.exe. When I searched about these on this forum and elsewhere, they all mention it's the auto update function for Windows and / or Microsoft products, however there may be a virus / malware piggybacked on this and that folks like you would be able to correctly diagnose this and explain. Given that we have run the scans on my computer, can you point out anything amiss with these two files ??

Thanks,
Parin
__________________
pgangar is offline  
Old 05-07-2013, 08:17 AM   #15
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
amateur's Avatar
 
Join Date: Jun 2006
Location: here & there and everywhere
Posts: 14,765
OS: XP Win7 Ubuntu 10.10



Hi Parin,

I am not seeing anything out of the ordinary in the logs concerning the wuauclt.exe & svchost.exe The system may have simply been updating. Windows has extended its support for XP Home until August 2014.

Glad to hear that you uninstalled the p2p application. It's indeed a major conduit for infections.

I am not familiar with Quick Heal AV Pro, so I cannot help you with that. Have a look at this excellent article:

What is the best antivirus program?

Additional information in the sticky at the top of this forum
PC Safety and Security - What Do I Need?

=================

Thanks for the screen shots for roboot.exe. Roboot.exe has been known to be used by some registry optimizing software. So, it may be a false positive. You can have it scanned at VirusTotal to be sure.

=================

Quote:
Note that I have two external drives but only one USB cable. Hence I have done the scan with only one drive attached.

Would you suggest running the online scan again with the second drive connected or is there a better way.
You can set ESET to scan only the drive that was not scanned before.

==================

Now, for the ESET findings:

Quote:
C:\Documents and Settings\Master User\Application Data\Real\Update\UpgradeHelper\RealPlayer\10.40\agent\stub_data\stubinst_pkg_en-ap.cab Win32/OpenCandy application
D:\PARIN\Software\winamp5622_full_bundle_emusic-7plus_all.exe Win32/OpenCandy application
F:\Bkup-Lappy\PARIN\Software\winamp5622_full_bundle_emusic-7plus_all.exe Win32/OpenCandy application
Encyclopedia entry: Adware:Win32/OpenCandy - Learn more about malware - Microsoft Malware Protection Center

Quote:
Adware:Win32/OpenCandy is an adware program that may be bundled with certain third-party software installation programs. Some versions of this program may send user-specific information, including a unique machine code, operating system information, locale (country), and certain other information to a remote server without obtaining adequate user consent. These versions are detected by Microsoft's anti-malware products.
You can delete them if you don't need them any longer.

--------------

Quote:
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP649\A0147073.exe Win32/InstalleRex.I application
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP649\A0147126.exe Win32/InstalleRex.I application
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP651\A0147563.dll a variant of Win32/SProtector.A application
These are in the System Restore Cache and will be cleared as part of the final steps when we are done.

-----------------

We'll use Combofix for a last sweep and to remove the remaining items.
  • Open notepad (Start>All programs>accessories>notepad ) (It must be notepad, not wordpad, or it won’t work)
  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop
  • Click Format and ensure Wordwrap is unchecked.

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

How to Disable your Security Applications

Code:
File::
F:\CVJECE\bacio.exe 
D:\PARIN\Software\LIT Reader - SoftonicDownloader_for_calibre.exe
F:\Bkup-Lappy\PARIN\Software\LIT Reader - SoftonicDownloader_for_calibre.exe

ClearJavaCache::
Save this as CFScript.txt on your Desktop.



  • Referring to the picture above, drag CFScript into ComboFix.exe
  • ComboFix may request an update; please allow it.
  • When finished, please post the log it produced in your next reply, and let me know how the system is behaving now.
Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.
__________________

amateur is offline  
Old 05-07-2013, 08:51 AM   #16
Registered Member
 
Join Date: Apr 2013
Posts: 40
OS: Win XP



Hi,
I have run Combofix as directed above. Please let me know when can I run ESET for my other portable HDD. Here's the combofix log -

ComboFix 13-05-07.02 - Master User 05/07/2013 20:58:08.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1468 [GMT 5.5:30]
Running from: c:\documents and settings\Master User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Master User\Desktop\CFScript.txt
AV: Lavasoft Ad-Aware *Disabled/Outdated* {964FCE60-0B18-4D30-ADD6-EB178909041C}
FW: Lavasoft Ad-Aware *Disabled* {FF1CD5B7-1553-4625-A258-1775385CED33}
.
FILE ::
"d:\parin\Software\LIT Reader - SoftonicDownloader_for_calibre.exe"
"f:\bkup-lappy\PARIN\Software\LIT Reader - SoftonicDownloader_for_calibre.exe"
"f:\cvjece\bacio.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
F:\autorun.inf
.
.
((((((((((((((((((((((((( Files Created from 2013-04-07 to 2013-05-07 )))))))))))))))))))))))))))))))
.
.
2013-05-06 15:25 . 2013-05-06 15:25 -------- d-----w- c:\program files\ESET
2013-05-06 15:19 . 2013-05-06 15:19 -------- d-----w- c:\program files\Common Files\Java
2013-05-06 15:18 . 2013-05-06 15:16 144896 ----a-w- c:\windows\system32\javacpl.cpl
2013-05-06 15:17 . 2013-05-06 15:16 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-05-06 01:30 . 2013-05-06 01:30 -------- d-----w- c:\documents and settings\Master User\Application Data\Malwarebytes
2013-05-06 01:29 . 2013-05-06 01:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2013-05-06 01:28 . 2013-04-04 09:20 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-05-06 01:28 . 2013-05-06 01:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-05-01 12:44 . 2013-05-01 12:44 -------- d-----w- c:\documents and settings\All Users\Application Data\SoftSafe
2013-05-01 12:43 . 2013-05-01 12:47 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallMate
2013-05-01 03:09 . 2013-02-11 06:58 35896 ----a-w- c:\windows\system32\drivers\gfiark.sys
2013-05-01 03:05 . 2013-05-01 12:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2013-05-01 03:05 . 2009-01-25 06:44 15224 ----a-w- c:\windows\system32\sdnclean.exe
2013-05-01 03:05 . 2013-05-01 03:05 -------- d-----w- c:\program files\Spybot - Search & Destroy 2
2013-04-30 16:15 . 2013-04-30 16:15 -------- d-----w- c:\documents and settings\Master User\Application Data\LavasoftStatistics
2013-04-30 16:15 . 2013-05-01 02:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Ad-Aware Antivirus
2013-04-30 15:55 . 2012-09-12 14:49 66344 ----a-w- c:\windows\system32\drivers\sbapifs.sys
2013-04-30 15:55 . 2012-09-12 14:49 22064 ----a-w- c:\windows\system32\drivers\sbaphd.sys
2013-04-30 15:55 . 2013-04-30 15:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2013-04-30 15:55 . 2013-05-01 03:10 -------- d-----w- c:\program files\Ad-Aware Antivirus
2013-04-30 15:55 . 2013-04-30 15:55 -------- d-----w- c:\windows\system32\drivers\VDD
2013-04-30 15:54 . 2013-04-30 15:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Downloaded Installations
2013-04-30 15:54 . 2013-04-30 15:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Search Protection
2013-04-30 15:54 . 2013-04-30 15:54 -------- d-----w- c:\documents and settings\Master User\Local Settings\Application Data\adawarebp
2013-04-30 15:54 . 2013-04-30 15:54 -------- d-----w- c:\documents and settings\All Users\Application Data\blekko toolbars
2013-04-30 15:54 . 2013-05-06 12:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Ad-Aware Browsing Protection
2013-04-30 15:54 . 2013-04-30 15:54 -------- d-----w- c:\program files\Toolbar Cleaner
2013-04-30 15:54 . 2013-05-01 13:08 -------- d-----w- c:\documents and settings\Master User\Application Data\SecureSearch
2013-04-30 15:54 . 2013-05-01 14:48 -------- d-----w- c:\documents and settings\Master User\Application Data\adawaretb
2013-04-30 15:54 . 2013-04-30 15:54 -------- d-----w- c:\program files\adawaretb
2013-04-30 15:37 . 2013-04-30 15:37 13560 ----a-w- c:\windows\system32\drivers\gfibto.sys
2013-04-30 15:37 . 2013-05-05 12:47 -------- d-----w- c:\documents and settings\Master User\Application Data\Ad-Aware Antivirus
2013-04-24 15:21 . 2013-04-24 15:21 -------- d-----w- c:\documents and settings\All Users\Uniblue
2013-04-24 15:02 . 2012-06-09 17:21 178688 ----a-w- c:\windows\system32\unrar.dll
2013-04-24 15:02 . 2013-04-24 15:02 -------- d-----w- c:\program files\K-Lite Codec Pack
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-05-06 15:16 . 2012-07-12 00:02 866720 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-05-06 15:16 . 2010-05-14 16:08 788896 ----a-w- c:\windows\system32\deployJava1.dll
2013-04-21 03:17 . 2012-08-15 14:44 691592 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-04-21 03:17 . 2011-06-26 12:41 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2009-12-01 08:26 . 2009-12-01 08:26 124240 ----a-w- c:\program files\mozilla firefox\plugins\CCMSDK.dll
2009-12-01 08:31 . 2009-12-01 08:31 13136 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2009-12-01 08:29 . 2009-12-01 08:29 70488 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2009-12-01 08:30 . 2009-12-01 08:30 91480 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2009-12-01 08:30 . 2009-12-01 08:30 22360 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2009-12-01 08:27 . 2009-12-01 08:27 255312 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2009-12-01 08:30 . 2009-12-01 08:30 31064 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2009-12-01 08:31 . 2009-12-01 08:31 40280 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2009-11-30 10:00 . 2009-11-30 10:00 652640 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2009-12-01 08:29 . 2009-12-01 08:29 23896 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
2010-08-12 15:59 . 2012-10-28 11:33 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{6c97a91e-4524-4019-86af-2aa2d567bf5c}"= "c:\program files\adawaretb\adawareDx.dll" [2013-02-11 87464]
.
[HKEY_CLASSES_ROOT\clsid\{6c97a91e-4524-4019-86af-2aa2d567bf5c}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\~\Browser Helper Objects\{6c97a91e-4524-4019-86af-2aa2d567bf5c}]
2013-02-11 10:47 87464 ----a-w- c:\program files\adawaretb\adawareDx.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{6c97a91e-4524-4019-86af-2aa2d567bf5c}"= "c:\program files\adawaretb\adawareDx.dll" [2013-02-11 87464]
.
[HKEY_CLASSES_ROOT\clsid\{6c97a91e-4524-4019-86af-2aa2d567bf5c}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellAutomatedPCTuneUp"="c:\program files\DellAutomatedPCTuneUp\PTAgnt.exe" [2007-10-11 465136]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2007-09-04 95536]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-02-21 39408]
"KiesTrayAgent"="c:\program files\Samsung\Kies\KiesTrayAgent.exe" [2012-08-31 3524536]
"KiesPDLR"="c:\program files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe" [2012-08-31 21432]
"KiesPreload"="c:\program files\Samsung\Kies\Kies.exe" [2012-08-31 964024]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ad-Aware Antivirus"="c:\program files\Ad-Aware Antivirus\AdAwareLauncher --windows-run" [X]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-03 851968]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-06 8429568]
"nwiz"="nwiz.exe" [2007-06-06 1626112]
"NVHotkey"="nvHotkey.dll" [2007-06-06 67584]
"NvMediaCenter"="NvMCTray.dll" [2007-06-06 81920]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-08-28 36864]
"DELL Webcam Manager"="c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-11-26 2289664]
"SigmatelSysTrayApp"="stsystra.exe" [2007-06-06 405504]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-04-16 184320]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-10-10 16384]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-12-08 32768]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2004-09-07 1400944]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" [2007-09-04 54576]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-08-12 30192]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2012-02-16 296056]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2009-12-01 103768]
"Ad-Aware Browsing Protection"="c:\documents and settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe" [2013-01-31 542632]
"SearchProtection"="c:\documents and settings\All Users\Application Data\Search Protection\_run.bat" [2013-04-30 174]
"SDTray"="c:\program files\Spybot - Search & Destroy 2\SDTray.exe" [2012-11-13 3825176]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Dell Network Assistant.lnk - c:\windows\Installer\{0240BDFB-2995-4A3F-8C96-18D41282B716}\Icon0240BDFB3.exe [N/A]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-1-8 50688]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ sdnclean.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ad-Aware Service]
@="Ad-Aware Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaMServer]
c:\program files\Common Files\Nokia\MPlatform\NokiaMServer [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-01-01 21:22 3739648 ----a-w- c:\program files\Google\Google Talk\googletalk.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2006-08-17 15:00 1116920 ----a-w- c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2006-11-05 17:22 221184 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDTray.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDFSSvc.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdate.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdSvc.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
.
R0 gfibto;gfibto;c:\windows\system32\drivers\gfibto.sys [4/30/2013 9:07 PM 13560]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [11/16/2008 7:25 PM 685816]
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [11/30/2009 3:29 PM 65584]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [4/30/2013 9:25 PM 22064]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [4/30/2013 9:25 PM 66344]
R2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\Spybot - Search & Destroy 2\SDUpdSvc.exe [5/1/2013 8:35 AM 1369624]
R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);c:\windows\system32\drivers\RMSPPPOE.SYS [1/23/2009 7:11 PM 31232]
S1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys --> c:\windows\system32\drivers\SBREDrv.sys [?]
S2 Ad-Aware Service;Ad-Aware Service;c:\program files\Ad-Aware Antivirus\AdAwareService.exe [3/18/2013 3:25 AM 1236336]
S2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [5/6/2013 6:58 AM 418376]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [5/6/2013 6:58 AM 701512]
S2 SBAMSvc;Ad-Aware;c:\program files\Ad-Aware Antivirus\SBAMSvc.exe [9/20/2012 5:39 AM 3677000]
S2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\Spybot - Search & Destroy 2\SDFSSvc.exe [5/1/2013 8:35 AM 1103392]
S2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files\Spybot - Search & Destroy 2\SDWSCSvc.exe [5/1/2013 8:35 AM 168384]
S3 androidusb;SAMSUNG Android Composite ADB Interface Driver;c:\windows\system32\drivers\ssadadb.sys [11/14/2011 3:54 PM 30312]
S3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\drivers\ssudbus.sys [9/23/2012 9:39 AM 83168]
S3 gfiark;gfiark;c:\windows\system32\drivers\gfiark.sys [5/1/2013 8:39 AM 35896]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2/21/2010 4:58 PM 30192]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [5/6/2013 6:58 AM 22856]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys --> c:\windows\system32\drivers\nmwcdnsu.sys [?]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys --> c:\windows\system32\drivers\nmwcdnsuc.sys [?]
S3 RTL8192su;%RTL8192su.DeviceDesc.DispName%;c:\windows\system32\drivers\RTL8192su.sys [1/6/2010 5:21 PM 594048]
S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\drivers\ssadbus.sys [11/14/2011 3:54 PM 121064]
S3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\drivers\ssadmdfl.sys [11/14/2011 3:54 PM 12776]
S3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\drivers\ssadmdm.sys [11/14/2011 3:54 PM 136808]
S3 ssadserd;SAMSUNG Android USB Diagnostic Serial Port (WDM);c:\windows\system32\drivers\ssadserd.sys [11/14/2011 3:54 PM 114280]
S3 ssudmdm;SAMSUNG Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\drivers\ssudmdm.sys [9/23/2012 9:39 AM 181344]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - JAVAQUICKSTARTERSERVICE
.
Contents of the 'Scheduled Tasks' folder
.
2013-05-05 c:\windows\Tasks\Ad-Aware Antivirus Scheduled Scan.job
- c:\progra~1\AD-AWA~1\AdAwareLauncher.exe [2013-03-17 21:55]
.
2013-05-07 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-15 03:17]
.
2013-05-07 c:\windows\Tasks\Check for updates (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDUpdate.exe [2013-05-01 08:38]
.
2013-05-06 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-02-01 01:59]
.
2013-05-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1176011502-1338575389-4188504004-1006Core.job
- c:\documents and settings\Master User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-11-07 05:34]
.
2013-05-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1176011502-1338575389-4188504004-1006UA.job
- c:\documents and settings\Master User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-11-07 05:34]
.
2013-05-06 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1176011502-1338575389-4188504004-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-11-29 10:32]
.
2013-05-02 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1176011502-1338575389-4188504004-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-11-29 10:32]
.
2013-05-06 c:\windows\Tasks\ReclaimerUpdateFiles_Master User.job
- c:\documents and settings\Master User\Application Data\Real\Update\UpgradeHelper\RealPlayer\10.40\agent\rnupgagent.exe [2013-03-29 02:06]
.
2013-05-07 c:\windows\Tasks\ReclaimerUpdateXML_Master User.job
- c:\documents and settings\Master User\Application Data\Real\Update\UpgradeHelper\RealPlayer\10.40\agent\rnupgagent.exe [2013-03-29 02:06]
.
2013-05-01 c:\windows\Tasks\Refresh immunization (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDImmunize.exe [2013-05-01 08:37]
.
2013-05-06 c:\windows\Tasks\RNUpgradeHelperLogonPrompt_Master User.job
- c:\documents and settings\Master User\Application Data\Real\Update\UpgradeHelper\RealPlayer\10.40\agent\rnupgagent.exe [2013-03-29 02:06]
.
2013-05-01 c:\windows\Tasks\Scan the system (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDScan.exe [2013-05-01 08:37]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = hxxp://websearch.greatresults.info/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*Yahoo! SearchBar Home Page
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6080107
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: e-mudhra.com\www
TCP: DhcpNameServer = 192.168.0.1
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-SP_7699c875 - c:\program files\SimpleSpeedy\uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2013-05-07 21:13
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1132)
c:\windows\System32\BCMLogon.dll
.
Completion time: 2013-05-07 21:17:18
ComboFix-quarantined-files.txt 2013-05-07 15:47
ComboFix2.txt 2013-05-05 16:42
.
Pre-Run: 10,165,174,272 bytes free
Post-Run: 10,163,568,640 bytes free
.
- - End Of File - - 09870920A13BB5F473320A0745C3E8B5
__________________
pgangar is offline  
Old 05-07-2013, 09:22 AM   #17
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
amateur's Avatar
 
Join Date: Jun 2006
Location: here & there and everywhere
Posts: 14,765
OS: XP Win7 Ubuntu 10.10



Hi Parin,

Quote:
FILE ::
"d:\parin\Software\LIT Reader - SoftonicDownloader_for_calibre.exe"
"f:\bkup-lappy\PARIN\Software\LIT Reader - SoftonicDownloader_for_calibre.exe"
"f:\cvjece\bacio.exe"
You'll need to repeat the steps for Combofix. It appears that you did not copy the script inside the code box as requested. My instructions don't have the lines wrapped in quotation marks. Please copy/paste them exactly as they were in the instructions and make sure your present external drive is attached while running it.

Quote:
Please let me know when can I run ESET for my other portable HDD.
You can do it whenever you want after running Combofix. If you want me to take a look, please post the results of the ESET scan.
__________________

amateur is offline  
Old 05-07-2013, 07:15 PM   #18
Registered Member
 
Join Date: Apr 2013
Posts: 40
OS: Win XP



Hi,
I had followed your instructions to the letter. However I did the same again, and saved the script as required. Refer the snapshot below -

However, the log still shows the script enclosed in quotation marks. Also note that I will run ESET scan for the other drive today evening and post here for your advice.

ComboFix 13-05-07.02 - Master User 05/08/2013 7:21.3.2 - x86
Running from: c:\documents and settings\Master User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Master User\Desktop\CFScript.txt
AV: Lavasoft Ad-Aware *Disabled/Outdated* {964FCE60-0B18-4D30-ADD6-EB178909041C}
FW: Lavasoft Ad-Aware *Disabled* {FF1CD5B7-1553-4625-A258-1775385CED33}
.
FILE ::
"d:\parin\Software\LIT Reader - SoftonicDownloader_for_calibre.exe"
"f:\bkup-lappy\PARIN\Software\LIT Reader - SoftonicDownloader_for_calibre.exe"
"f:\cvjece\bacio.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
.
.
((((((((((((((((((((((((( Files Created from 2013-04-08 to 2013-05-08 )))))))))))))))))))))))))))))))
.
.
2013-05-08 01:39 . 2013-05-08 01:39 -------- d-----w- c:\windows\LastGood
2013-05-06 15:25 . 2013-05-06 15:25 -------- d-----w- c:\program files\ESET
2013-05-06 15:19 . 2013-05-06 15:19 -------- d-----w- c:\program files\Common Files\Java
2013-05-06 15:18 . 2013-05-06 15:16 144896 ----a-w- c:\windows\system32\javacpl.cpl
2013-05-06 15:17 . 2013-05-06 15:16 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-05-06 01:30 . 2013-05-06 01:30 -------- d-----w- c:\documents and settings\Master User\Application Data\Malwarebytes
2013-05-06 01:29 . 2013-05-06 01:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2013-05-06 01:28 . 2013-04-04 09:20 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-05-06 01:28 . 2013-05-06 01:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-05-01 12:44 . 2013-05-01 12:44 -------- d-----w- c:\documents and settings\All Users\Application Data\SoftSafe
2013-05-01 12:43 . 2013-05-01 12:47 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallMate
2013-05-01 03:09 . 2013-02-11 06:58 35896 ----a-w- c:\windows\system32\drivers\gfiark.sys
2013-05-01 03:05 . 2013-05-01 12:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2013-05-01 03:05 . 2009-01-25 06:44 15224 ----a-w- c:\windows\system32\sdnclean.exe
2013-05-01 03:05 . 2013-05-01 03:05 -------- d-----w- c:\program files\Spybot - Search & Destroy 2
2013-04-30 16:15 . 2013-04-30 16:15 -------- d-----w- c:\documents and settings\Master User\Application Data\LavasoftStatistics
2013-04-30 16:15 . 2013-05-01 02:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Ad-Aware Antivirus
2013-04-30 15:55 . 2012-09-12 14:49 66344 ----a-w- c:\windows\system32\drivers\sbapifs.sys
2013-04-30 15:55 . 2012-09-12 14:49 22064 ----a-w- c:\windows\system32\drivers\sbaphd.sys
2013-04-30 15:55 . 2013-04-30 15:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2013-04-30 15:55 . 2013-05-01 03:10 -------- d-----w- c:\program files\Ad-Aware Antivirus
2013-04-30 15:55 . 2013-04-30 15:55 -------- d-----w- c:\windows\system32\drivers\VDD
2013-04-30 15:54 . 2013-04-30 15:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Downloaded Installations
2013-04-30 15:54 . 2013-04-30 15:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Search Protection
2013-04-30 15:54 . 2013-04-30 15:54 -------- d-----w- c:\documents and settings\Master User\Local Settings\Application Data\adawarebp
2013-04-30 15:54 . 2013-04-30 15:54 -------- d-----w- c:\documents and settings\All Users\Application Data\blekko toolbars
2013-04-30 15:54 . 2013-05-08 01:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Ad-Aware Browsing Protection
2013-04-30 15:54 . 2013-04-30 15:54 -------- d-----w- c:\program files\Toolbar Cleaner
2013-04-30 15:54 . 2013-05-01 13:08 -------- d-----w- c:\documents and settings\Master User\Application Data\SecureSearch
2013-04-30 15:54 . 2013-05-01 14:48 -------- d-----w- c:\documents and settings\Master User\Application Data\adawaretb
2013-04-30 15:54 . 2013-04-30 15:54 -------- d-----w- c:\program files\adawaretb
2013-04-30 15:37 . 2013-04-30 15:37 13560 ----a-w- c:\windows\system32\drivers\gfibto.sys
2013-04-30 15:37 . 2013-05-05 12:47 -------- d-----w- c:\documents and settings\Master User\Application Data\Ad-Aware Antivirus
2013-04-24 15:21 . 2013-04-24 15:21 -------- d-----w- c:\documents and settings\All Users\Uniblue
2013-04-24 15:02 . 2012-06-09 17:21 178688 ----a-w- c:\windows\system32\unrar.dll
2013-04-24 15:02 . 2013-04-24 15:02 -------- d-----w- c:\program files\K-Lite Codec Pack
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-05-06 15:16 . 2012-07-12 00:02 866720 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-05-06 15:16 . 2010-05-14 16:08 788896 ----a-w- c:\windows\system32\deployJava1.dll
2013-04-21 03:17 . 2012-08-15 14:44 691592 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-04-21 03:17 . 2011-06-26 12:41 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2009-12-01 08:26 . 2009-12-01 08:26 124240 ----a-w- c:\program files\mozilla firefox\plugins\CCMSDK.dll
2009-12-01 08:31 . 2009-12-01 08:31 13136 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2009-12-01 08:29 . 2009-12-01 08:29 70488 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2009-12-01 08:30 . 2009-12-01 08:30 91480 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2009-12-01 08:30 . 2009-12-01 08:30 22360 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2009-12-01 08:27 . 2009-12-01 08:27 255312 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2009-12-01 08:30 . 2009-12-01 08:30 31064 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2009-12-01 08:31 . 2009-12-01 08:31 40280 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2009-11-30 10:00 . 2009-11-30 10:00 652640 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2009-12-01 08:29 . 2009-12-01 08:29 23896 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
2010-08-12 15:59 . 2012-10-28 11:33 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{6c97a91e-4524-4019-86af-2aa2d567bf5c}"= "c:\program files\adawaretb\adawareDx.dll" [2013-02-11 87464]
.
[HKEY_CLASSES_ROOT\clsid\{6c97a91e-4524-4019-86af-2aa2d567bf5c}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\~\Browser Helper Objects\{6c97a91e-4524-4019-86af-2aa2d567bf5c}]
2013-02-11 10:47 87464 ----a-w- c:\program files\adawaretb\adawareDx.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{6c97a91e-4524-4019-86af-2aa2d567bf5c}"= "c:\program files\adawaretb\adawareDx.dll" [2013-02-11 87464]
.
[HKEY_CLASSES_ROOT\clsid\{6c97a91e-4524-4019-86af-2aa2d567bf5c}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellAutomatedPCTuneUp"="c:\program files\DellAutomatedPCTuneUp\PTAgnt.exe" [2007-10-11 465136]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2007-09-04 95536]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-02-21 39408]
"KiesTrayAgent"="c:\program files\Samsung\Kies\KiesTrayAgent.exe" [2012-08-31 3524536]
"KiesPDLR"="c:\program files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe" [2012-08-31 21432]
"KiesPreload"="c:\program files\Samsung\Kies\Kies.exe" [2012-08-31 964024]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ad-Aware Antivirus"="c:\program files\Ad-Aware Antivirus\AdAwareLauncher --windows-run" [X]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-03 851968]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-06 8429568]
"nwiz"="nwiz.exe" [2007-06-06 1626112]
"NVHotkey"="nvHotkey.dll" [2007-06-06 67584]
"NvMediaCenter"="NvMCTray.dll" [2007-06-06 81920]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-08-28 36864]
"DELL Webcam Manager"="c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-11-26 2289664]
"SigmatelSysTrayApp"="stsystra.exe" [2007-06-06 405504]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-04-16 184320]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-10-10 16384]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-12-08 32768]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2004-09-07 1400944]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" [2007-09-04 54576]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-08-12 30192]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2012-02-16 296056]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2009-12-01 103768]
"Ad-Aware Browsing Protection"="c:\documents and settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe" [2013-01-31 542632]
"SearchProtection"="c:\documents and settings\All Users\Application Data\Search Protection\_run.bat" [2013-04-30 174]
"SDTray"="c:\program files\Spybot - Search & Destroy 2\SDTray.exe" [2012-11-13 3825176]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Dell Network Assistant.lnk - c:\windows\Installer\{0240BDFB-2995-4A3F-8C96-18D41282B716}\Icon0240BDFB3.exe [N/A]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-1-8 50688]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ sdnclean.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Ad-Aware Service]
@="Ad-Aware Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaMServer]
c:\program files\Common Files\Nokia\MPlatform\NokiaMServer [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-01-01 21:22 3739648 ----a-w- c:\program files\Google\Google Talk\googletalk.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2006-08-17 15:00 1116920 ----a-w- c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2006-11-05 17:22 221184 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDTray.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDFSSvc.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdate.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdSvc.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
.
R0 gfibto;gfibto;c:\windows\system32\drivers\gfibto.sys [4/30/2013 9:07 PM 13560]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [11/16/2008 7:25 PM 685816]
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [11/30/2009 3:29 PM 65584]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [4/30/2013 9:25 PM 22064]
R2 Ad-Aware Service;Ad-Aware Service;c:\program files\Ad-Aware Antivirus\AdAwareService.exe [3/18/2013 3:25 AM 1236336]
R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [5/6/2013 6:58 AM 418376]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [4/30/2013 9:25 PM 66344]
R2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\Spybot - Search & Destroy 2\SDFSSvc.exe [5/1/2013 8:35 AM 1103392]
R2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\Spybot - Search & Destroy 2\SDUpdSvc.exe [5/1/2013 8:35 AM 1369624]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [5/6/2013 6:58 AM 22856]
R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);c:\windows\system32\drivers\RMSPPPOE.SYS [1/23/2009 7:11 PM 31232]
S1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys --> c:\windows\system32\drivers\SBREDrv.sys [?]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [5/6/2013 6:58 AM 701512]
S2 SBAMSvc;Ad-Aware;c:\program files\Ad-Aware Antivirus\SBAMSvc.exe [9/20/2012 5:39 AM 3677000]
S2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files\Spybot - Search & Destroy 2\SDWSCSvc.exe [5/1/2013 8:35 AM 168384]
S3 androidusb;SAMSUNG Android Composite ADB Interface Driver;c:\windows\system32\drivers\ssadadb.sys [11/14/2011 3:54 PM 30312]
S3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\drivers\ssudbus.sys [9/23/2012 9:39 AM 83168]
S3 gfiark;gfiark;c:\windows\system32\drivers\gfiark.sys [5/1/2013 8:39 AM 35896]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2/21/2010 4:58 PM 30192]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys --> c:\windows\system32\drivers\nmwcdnsu.sys [?]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys --> c:\windows\system32\drivers\nmwcdnsuc.sys [?]
S3 RTL8192su;%RTL8192su.DeviceDesc.DispName%;c:\windows\system32\drivers\RTL8192su.sys [1/6/2010 5:21 PM 594048]
S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\drivers\ssadbus.sys [11/14/2011 3:54 PM 121064]
S3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\drivers\ssadmdfl.sys [11/14/2011 3:54 PM 12776]
S3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\drivers\ssadmdm.sys [11/14/2011 3:54 PM 136808]
S3 ssadserd;SAMSUNG Android USB Diagnostic Serial Port (WDM);c:\windows\system32\drivers\ssadserd.sys [11/14/2011 3:54 PM 114280]
S3 ssudmdm;SAMSUNG Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\drivers\ssudmdm.sys [9/23/2012 9:39 AM 181344]
.
Contents of the 'Scheduled Tasks' folder
.
2013-05-05 c:\windows\Tasks\Ad-Aware Antivirus Scheduled Scan.job
- c:\progra~1\AD-AWA~1\AdAwareLauncher.exe [2013-03-17 21:55]
.
2013-05-08 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-15 03:17]
.
2013-05-08 c:\windows\Tasks\Check for updates (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDUpdate.exe [2013-05-01 08:38]
.
2013-05-06 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-02-01 01:59]
.
2013-05-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1176011502-1338575389-4188504004-1006Core.job
- c:\documents and settings\Master User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-11-07 05:34]
.
2013-05-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1176011502-1338575389-4188504004-1006UA.job
- c:\documents and settings\Master User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-11-07 05:34]
.
2013-05-08 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1176011502-1338575389-4188504004-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-11-29 10:32]
.
2013-05-02 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1176011502-1338575389-4188504004-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-11-29 10:32]
.
2013-05-06 c:\windows\Tasks\ReclaimerUpdateFiles_Master User.job
- c:\documents and settings\Master User\Application Data\Real\Update\UpgradeHelper\RealPlayer\10.40\agent\rnupgagent.exe [2013-03-29 02:06]
.
2013-05-07 c:\windows\Tasks\ReclaimerUpdateXML_Master User.job
- c:\documents and settings\Master User\Application Data\Real\Update\UpgradeHelper\RealPlayer\10.40\agent\rnupgagent.exe [2013-03-29 02:06]
.
2013-05-01 c:\windows\Tasks\Refresh immunization (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDImmunize.exe [2013-05-01 08:37]
.
2013-05-08 c:\windows\Tasks\RNUpgradeHelperLogonPrompt_Master User.job
- c:\documents and settings\Master User\Application Data\Real\Update\UpgradeHelper\RealPlayer\10.40\agent\rnupgagent.exe [2013-03-29 02:06]
.
2013-05-01 c:\windows\Tasks\Scan the system (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDScan.exe [2013-05-01 08:37]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = hxxp://websearch.greatresults.info/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*Yahoo! SearchBar Home Page
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6080107
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: e-mudhra.com\www
TCP: DhcpNameServer = 192.168.0.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2013-05-08 07:36
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(824)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2013-05-08 07:40:29
ComboFix-quarantined-files.txt 2013-05-08 02:10
ComboFix2.txt 2013-05-07 15:47
ComboFix3.txt 2013-05-05 16:42
.
Pre-Run: 10,015,404,032 bytes free
Post-Run: 10,005,471,232 bytes free
.
- - End Of File - - 78B85FECE18CAE2B5F4FE3C7CE939B98
Attached Thumbnails
Click image for larger version

Name:	CFScript-snapshot.JPG
Views:	754
Size:	53.1 KB
ID:	124929  
__________________
pgangar is offline  
Old 05-07-2013, 10:57 PM   #19
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
amateur's Avatar
 
Join Date: Jun 2006
Location: here & there and everywhere
Posts: 14,765
OS: XP Win7 Ubuntu 10.10



That's fine, Parin. If you check manually, are those files still present? If so, please right-click on them and delete.

How is the machine behaving now?
__________________

amateur is offline  
Old 05-08-2013, 08:29 AM   #20
Registered Member
 
Join Date: Apr 2013
Posts: 40
OS: Win XP



Hi,
The files were still present and when I attempted to delete them manually by right-clicking and delete, it just froze my system. After several minutes, I could delete them. But then I attempted to empty my Recycle Bin as well, which froze my system again, closed IE and just hung up on me. After the recycle bin was clean, now the system is very slow and even a simple request to open IE hangs and even the Task Manager hangs.

Also, I have noticed following folders -

D:\RECYCLER
F:\$RECYCLE.BIN
F:\RECYCLER

Please advise if these can be deleted. Also, please advise how to get the system back to normal speeds. Note that I have posted this reply from another machine, since i have tried to restart my infect machine and it just hangs on the Login page after I enter my password. I have now attempted to open this machine in Safe Mode with Networking. Will check if this opens up and if I am able to connect to IE.

Parin

__________________
pgangar is offline  
 

Thread Tools Search this Thread
Search this Thread:

Advanced Search

Similar Threads
Thread Thread Starter Forum Replies Last Post
remove thermal pad from cpu fan
ASUS P5Q-E - LGA775 Socket Corsair XMS2 - 2x2GB Intel Core 2 Duo E8400 / 3 GHz eVGA GeForce GTX 260 corsair 650W win xp sp3 i want to replace a cpu fan from intel. it is attached with a thermal pad. -i have another intel fan that looks very similar to the intel fan currently...
okeee Motherboards, Bios & CPU 3 02-23-2013 04:35 AM
[SOLVED] How to remove Un-needed program?
Hi: I accidently downloaded and install 'unwanted program' and want to remove it. Whenever I attempted to remove, ... Control Panel> Add/Remove Program > clicked to remove the program, ... an error message popping up in the middle of the screen, ... not remove or something similar phrase,......
Snowflake10 Windows XP Support 2 12-20-2012 09:06 AM
[SOLVED] Cannot remove printer device
We have a printer showing up on our computer that we no longer have, and when I remove it, it comes right back. Well I found out this is because it has pending jobs from over a year ago. I tried canceling them and it says "error completing command". How can I remove these jobs so that I cannot...
ClemsonSCJ Windows 7 Support, Windows Vista Support 5 11-23-2012 02:26 AM

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is on
Smilies are on
[IMG] code is on
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off


Post a Question


» Site Navigation
 > FAQ
  > 10.0.0.2


All times are GMT -7. The time now is 10:53 AM.


Copyright 2001 - 2014, Tech Support Forum

Windows 7 - Windows XP - Windows Vista - Trojan Removal - Spyware Removal - Virus Removal - Networking - Security - Top Web Hosts