Banker Fox and Win32/Nuqel need help

Banker Fox and Win32/Nuqel need help

Post by guerro on Wed 18 Aug 2010, 1:02 pm

Hi, after helping my mom with her computer about 6 months ago, my brother now has similar problems. I need help removing these viruses.

Please advise.

guerro
Newbie Surfer
Posts : 32
Joined : 2010-01-17
Operating System : Win XP

Re: Banker Fox and Win32/Nuqel need help

Post by guerro on Wed 18 Aug 2010, 2:34 pm

OTL logfile created on: 8/17/2010 8:11:00 PM - Run 1
OTL by OldTimer - Version 3.2.10.0 Folder = C:\Documents and Settings\Media\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 89.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 98.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 698.63 Gb Total Space | 543.62 Gb Free Space | 77.81% Space Free | Partition Type: NTFS
Unable to calculate disk information.
Drive E: | 6.14 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive F: | 698.64 Gb Total Space | 323.19 Gb Free Space | 46.26% Space Free | Partition Type: NTFS
Drive G: | 698.64 Gb Total Space | 534.87 Gb Free Space | 76.56% Space Free | Partition Type: NTFS
Drive H: | 698.63 Gb Total Space | 21.61 Gb Free Space | 3.09% Space Free | Partition Type: NTFS
I: Drive not present or media not loaded
Drive J: | 931.51 Gb Total Space | 161.27 Gb Free Space | 17.31% Space Free | Partition Type: NTFS
Drive K: | 931.51 Gb Total Space | 53.89 Gb Free Space | 5.78% Space Free | Partition Type: NTFS

Computer Name: MEDIA
Current User Name: Media
Logged in as Administrator.

Current Boot Mode: SafeMode with Networking
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/08/17 19:44:13 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Media\Desktop\OTL.com
PRC - [2008/04/13 17:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2010/08/17 19:44:13 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Media\Desktop\OTL.com
MOD - [2008/04/13 17:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- C:\WINDOWS\System32\d193543c.exe -- (MSWA-d193543c)
SRV - [2010/06/10 21:03:08 | 000,144,176 | ---- | M] (Apple Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2008/05/02 02:42:06 | 000,121,360 | ---- | M] (Logitech, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe -- (LBTServ)
SRV - [2006/11/30 08:50:00 | 000,144,960 | ---- | M] (McAfee, Inc.) [Auto | Stopped] -- C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe -- (McShield)
SRV - [2006/11/30 08:50:00 | 000,054,872 | ---- | M] (McAfee, Inc.) [Auto | Stopped] -- C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe -- (McTaskManager)
SRV - [2006/11/17 13:37:44 | 000,104,000 | ---- | M] (McAfee, Inc.) [Auto | Stopped] -- C:\Program Files\Network Associates\Common Framework\FrameworkService.exe -- (McAfeeFramework)


========== Driver Services (SafeList) ==========

DRV - [2010/06/04 12:45:44 | 000,000,000 | ---- | M] () [Kernel | Boot | Stopped] -- C:\WINDOWS\System32\drivers\kiwyikh.sys -- (kiwyikh)
DRV - [2008/04/13 09:36:05 | 000,144,384 | ---- | M] (Windows (R) Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/02/29 03:13:24 | 000,036,880 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LMouFilt.Sys -- (LMouFilt)
DRV - [2008/02/29 03:13:16 | 000,035,344 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LHidFilt.Sys -- (LHidFilt)
DRV - [2008/02/29 03:12:48 | 000,020,240 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\L8042Kbd.sys -- (L8042Kbd)
DRV - [2007/05/08 18:58:20 | 002,164,736 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2007/03/23 20:20:24 | 000,046,208 | R--- | M] (JMicron Technology Corp.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\jraid.sys -- (JRAID)
DRV - [2007/01/15 18:09:06 | 000,293,888 | R--- | M] (Analog Devices, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ADIHdAud.sys -- (ADIHdAudAddService)
DRV - [2007/01/11 00:19:14 | 000,011,008 | R--- | M] (BUFFALO INC.) [Kernel | System | Stopped] -- C:\WINDOWS\system32\BUFADPT.SYS -- (BUFADPT)
DRV - [2006/12/28 09:44:44 | 000,084,992 | ---- | M] (ATI Research Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\AtiHdAud.sys -- (HdAudAddService)
DRV - [2006/11/30 08:50:00 | 000,168,776 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2006/11/30 08:50:00 | 000,072,264 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2006/11/30 08:50:00 | 000,064,360 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfeapfk.sys -- (mfeapfk)
DRV - [2006/11/30 08:50:00 | 000,052,136 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mfetdik.sys -- (mfetdik)
DRV - [2006/11/30 08:50:00 | 000,034,152 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2006/11/30 08:50:00 | 000,031,944 | ---- | M] (McAfee, Inc.) [Kernel | System | Stopped] -- C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys -- (mferkdk)
DRV - [2006/07/26 08:56:00 | 000,248,832 | ---- | M] (Marvell) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\yk51x86.sys -- (yukonwxp)
DRV - [2006/06/16 00:30:16 | 000,176,128 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RTL8187.sys -- (RTLWUSB)
DRV - [2006/06/01 14:15:20 | 000,509,440 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\xnacc.sys -- (xnacc)
DRV - [2006/03/31 04:39:54 | 000,013,532 | ---- | M] (Windows (R) 2000 DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SjyPkt.sys -- (SjyPkt)
DRV - [2006/03/17 02:18:58 | 000,392,960 | R--- | M] (Sensaura) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (SenFiltService)
DRV - [2006/02/07 04:52:58 | 000,006,912 | R--- | M] (JMicron ) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\JGOGO.sys -- (JGOGO)
DRV - [2004/08/13 03:56:20 | 000,005,810 | R--- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ASACPI.sys -- (MTsensor)
DRV - [2004/08/03 22:31:34 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" =
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6522

========== FireFox ==========

FF - prefs.js..browser.search.order.1: "Google"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..extensions.enabledItems: {C99F331F-501F-4CFA-ADC4-F5A38F8A0151}:1.9.1
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..keyword.URL: "http://search.search-go.net/?sid=10101053100&s="

FF - user.js..browser.search.selectedEngine: "Google"
FF - user.js..browser.search.order.1: "Google"
FF - user.js..keyword.URL: "http://search.search-go.net/?sid=10101053100&s="

FF - HKLM\software\mozilla\Firefox\extensions\\{C99F331F-501F-4CFA-ADC4-F5A38F8A0151}: C:\Documents and Settings\Media\Local Settings\Application Data\{C99F331F-501F-4CFA-ADC4-F5A38F8A0151} [2010/08/15 13:31:06 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/08/15 13:43:11 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/08/15 13:43:11 | 000,000,000 | ---D | M]

[2008/08/28 21:36:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Media\Application Data\Mozilla\Extensions
[2010/08/17 19:39:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Media\Application Data\Mozilla\Firefox\Profiles\1hx4ckko.default\extensions
[2010/05/03 19:45:14 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Media\Application Data\Mozilla\Firefox\Profiles\1hx4ckko.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/08/17 19:39:25 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/08/15 13:36:14 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2010/07/17 05:00:04 | 000,423,656 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2010/08/15 03:52:20 | 000,002,074 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\google_search.xml

O1 HOSTS File: ([2010/08/15 13:42:49 | 000,000,915 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 212.117.178.25 [You must be registered and logged in to see this link.]
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll (McAfee, Inc.)
O4 - HKLM..\Run: [36X Raid Configurer] C:\WINDOWS\System32\xRaidSetup.exe (JMicron Technology Corp.)
O4 - HKLM..\Run: [hfaeiaih] C:\Documents and Settings\NetworkService\Local Settings\Application Data\uuqspgfcg\nloqjershdw.exe ()
O4 - HKLM..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe ()
O4 - HKLM..\Run: [Kernel and Hardware Abstraction Layer] C:\WINDOWS\KHALMNPR.Exe (Logitech, Inc.)
O4 - HKLM..\Run: [McAfeeUpdaterUI] C:\Program Files\Network Associates\Common Framework\UdaterUI.exe (McAfee, Inc.)
O4 - HKLM..\Run: [Sgimokofatahi] C:\WINDOWS\obonerulatoqez.DLL (Sonic Solutions)
O4 - HKLM..\Run: [ShStatEXE] C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE (McAfee, Inc.)
O4 - HKLM..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe ()
O4 - HKCU..\Run: [hsfe8owijfisjhgs7ye39gjsoighsd7y3eu] C:\Documents and Settings\Media\Local Settings\Temp\fs00ucxf9.exe ()
O4 - HKCU..\Run: [M5T8QL3YW3] C:\DOCUME~1\Media\LOCALS~1\Temp\Jlr.exe File not found
O4 - HKCU..\Run: [Ukaluregadagaku] C:\WINDOWS\kbcong.DLL File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ASUS WiFi-AP Solo.lnk = C:\Program Files\ASUS WiFi-AP Solo\RtWLan.exe (ASUSTek Computer Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe (Logitech, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoControlPanel = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} [You must be registered and logged in to see this link.] (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_21)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\LBTWlgn: DllName - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll - c:\Program Files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll (Logitech, Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\Media\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Media\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/03/15 15:21:45 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2007/11/15 20:43:13 | 000,000,066 | RH-- | M] () - E:\AUTORUN.INF -- [ CDFS ]
O33 - MountPoints2\{1237f450-2378-11dd-8677-001e8c897997}\Shell\AutoRun\command - "" = G:\wd_windows_tools\setup.exe -- File not found
O33 - MountPoints2\E\Shell - "" = AutoRun
O33 - MountPoints2\E\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\E\Shell\AutoRun\command - "" = E:\SETUP.EXE -- [2007/11/15 20:44:32 | 000,062,976 | RH-- | M] (Aspyr Media, Inc.)
O33 - MountPoints2\I\Shell - "" = AutoRun
O33 - MountPoints2\I\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\I\Shell\AutoRun\command - "" = I:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/08/17 19:44:13 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Media\Desktop\OTL.com
[2010/08/15 13:44:40 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2010/08/15 13:44:35 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2010/08/15 13:44:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2010/08/15 13:43:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\ajyrpitea
[2010/08/15 13:42:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\uuqspgfcg
[2010/08/15 13:42:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Update
[2010/08/15 13:42:33 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2010/08/15 13:40:57 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2010/08/15 13:40:55 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2010/08/15 13:36:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/08/15 13:36:13 | 000,423,656 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010/08/15 13:36:13 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/08/15 13:36:13 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/08/15 13:36:13 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/08/15 13:31:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Media\Local Settings\Application Data\{C99F331F-501F-4CFA-ADC4-F5A38F8A0151}
[2010/08/15 13:29:52 | 000,020,992 | ---- | C] (Realtek Semiconductor Corporation) -- C:\WINDOWS\System32\drivers\RTL8139.sys
[2010/08/15 13:29:52 | 000,020,992 | ---- | C] (Realtek Semiconductor Corporation) -- C:\WINDOWS\System32\dllcache\rtl8139.sys
[2010/08/08 14:16:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Media\Application Data\Malwarebytes
[2010/08/08 14:16:21 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/08/08 14:16:20 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/08/08 14:16:20 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/08/08 14:16:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/08/08 14:15:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Media\Application Data\U3
[2010/08/08 14:07:07 | 000,000,000 | -HSD | C] -- C:\WINDOWS\CSC
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/08/17 20:12:08 | 000,781,824 | ---- | M] () -- C:\WINDOWS\System32\drivers\ufcafypt.sys
[2010/08/17 20:10:11 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/08/17 20:07:18 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/08/17 20:05:35 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/08/17 20:05:34 | 003,932,160 | -H-- | M] () -- C:\Documents and Settings\Media\NTUSER.DAT
[2010/08/17 20:05:34 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Media\ntuser.ini
[2010/08/17 20:03:25 | 000,000,282 | -H-- | M] () -- C:\WINDOWS\tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job
[2010/08/17 20:02:10 | 004,288,972 | -H-- | M] () -- C:\Documents and Settings\Media\Local Settings\Application Data\IconCache.db
[2010/08/17 19:44:13 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Media\Desktop\OTL.com
[2010/08/17 19:42:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\Updater.job
[2010/08/17 19:36:58 | 000,363,520 | ---- | M] () -- C:\Documents and Settings\Media\Desktop\rkill.com
[2010/08/17 18:52:11 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Lviqahemile.bin
[2010/08/15 13:45:04 | 000,001,804 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/08/15 13:42:53 | 000,000,005 | ---- | M] () -- C:\zrpt.xml
[2010/08/15 13:42:23 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/08/15 13:33:05 | 000,001,664 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Sonos Desktop Controller.lnk
[2010/08/15 13:31:08 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Pqaju.dat
[2010/08/14 18:05:00 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/08/08 14:16:24 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/08/17 19:36:58 | 000,363,520 | ---- | C] () -- C:\Documents and Settings\Media\Desktop\rkill.com
[2010/08/15 13:45:04 | 000,001,804 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/08/15 13:43:02 | 000,781,824 | ---- | C] () -- C:\WINDOWS\System32\drivers\ufcafypt.sys
[2010/08/15 13:42:52 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\Updater.job
[2010/08/15 13:42:51 | 000,000,005 | ---- | C] () -- C:\zrpt.xml
[2010/08/15 13:31:08 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Pqaju.dat
[2010/08/15 13:31:08 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Lviqahemile.bin
[2010/08/08 14:16:24 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/05/24 20:05:02 | 000,002,572 | ---- | C] () -- C:\WINDOWS\apohigafeku.dll
[2010/05/24 19:53:19 | 000,002,572 | ---- | C] () -- C:\WINDOWS\uzelahetilarej.dll
[2010/05/24 17:51:20 | 000,002,572 | ---- | C] () -- C:\WINDOWS\uvehunicapa.dll
[2010/05/24 15:49:34 | 000,002,572 | ---- | C] () -- C:\WINDOWS\ixonucij.dll
[2010/05/24 13:47:19 | 000,002,572 | ---- | C] () -- C:\WINDOWS\ujoqijoyiqo.dll
[2010/05/24 11:44:41 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\drivers\kiwyikh.sys
[2010/05/24 11:44:27 | 000,003,321 | -HS- | C] () -- C:\Documents and Settings\Media\Application Data\0200000005448916922P.manifest
[2010/05/24 11:44:27 | 000,000,013 | -HS- | C] () -- C:\Documents and Settings\Media\Application Data\0200000005448916922C.manifest
[2010/05/24 11:44:27 | 000,000,011 | -HS- | C] () -- C:\Documents and Settings\Media\Application Data\0200000005448916922S.manifest
[2010/05/24 11:44:27 | 000,000,011 | -HS- | C] () -- C:\Documents and Settings\Media\Application Data\0200000005448916922O.manifest
[2009/08/08 15:00:17 | 000,000,760 | ---- | C] () -- C:\Documents and Settings\Media\Application Data\setup_ldm.iss
[2008/07/04 08:16:15 | 000,006,144 | ---- | C] () -- C:\Documents and Settings\Media\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/03/15 17:11:44 | 000,000,280 | ---- | C] () -- C:\WINDOWS\System32\epoPGPsdk.dll.sig
[2008/03/15 15:29:19 | 000,019,725 | ---- | C] () -- C:\WINDOWS\Ascd_log.ini
[2008/03/15 15:29:07 | 000,019,344 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2008/03/15 15:29:06 | 000,005,810 | R--- | C] () -- C:\WINDOWS\System32\drivers\ASACPI.sys
[2008/03/15 15:28:57 | 000,010,288 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2008/01/15 01:33:02 | 000,012,520 | ---- | C] () -- C:\WINDOWS\UN900121.INI
< End of report >

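The log above is what a helper reads by hand for orphaned services, local proxies, HOSTS overrides, Run keys pointing into Temp, and autorun handlers. The script below is an added illustration of that triage, not OTL's code or anything from this thread: the sample lines are copied from the posted log, while the rule names, the user-writable path list and the loopback-proxy check are my assumptions, and every hit is a candidate for a human to review rather than a verdict.

```python
import re
from dataclasses import dataclass

# Sample input: entries copied from the OTL log posted in this thread (the forum
# replaced the hostname on the second Hosts line with its login notice).
# Constructed for offline use; a real run would read the OTL.txt file instead.
SAMPLE_LOG = r"""
SRV - File not found [Auto | Stopped] -- C:\WINDOWS\System32\d193543c.exe -- (MSWA-d193543c)
SRV - [2006/11/30 08:50:00 | 000,144,960 | ---- | M] (McAfee, Inc.) [Auto | Stopped] -- C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe -- (McShield)
DRV - [2010/06/04 12:45:44 | 000,000,000 | ---- | M] () [Kernel | Boot | Stopped] -- C:\WINDOWS\System32\drivers\kiwyikh.sys -- (kiwyikh)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6522
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 212.117.178.25 [You must be registered and logged in to see this link.]
O4 - HKLM..\Run: [hfaeiaih] C:\Documents and Settings\NetworkService\Local Settings\Application Data\uuqspgfcg\nloqjershdw.exe ()
O4 - HKLM..\Run: [McAfeeUpdaterUI] C:\Program Files\Network Associates\Common Framework\UdaterUI.exe (McAfee, Inc.)
O4 - HKCU..\Run: [hsfe8owijfisjhgs7ye39gjsoighsd7y3eu] C:\Documents and Settings\Media\Local Settings\Temp\fs00ucxf9.exe ()
O4 - HKCU..\Run: [M5T8QL3YW3] C:\DOCUME~1\Media\LOCALS~1\Temp\Jlr.exe File not found
O33 - MountPoints2\{1237f450-2378-11dd-8677-001e8c897997}\Shell\AutoRun\command - "" = G:\wd_windows_tools\setup.exe -- File not found
"""


@dataclass
class Finding:
    rule: str   # hypothetical rule name (my naming, not an OTL category)
    line: str   # the log line that triggered it


# OTL's file attribute block: [date time | size | flags | M/C] (company name)
_ATTR_RE = re.compile(
    r"\[\d{4}/\d{2}/\d{2} [\d:]+ \| ([\d,]+) \| [-A-Z]+ \| [MC]\] \(([^)]*)\)"
)

# Places a legitimate service or Run entry rarely lives but where user-level
# malware usually drops itself (list is my assumption, matched case-insensitively).
USER_WRITABLE = (
    "\\local settings\\temp",
    "\\locals~1\\temp",
    "\\local settings\\application data",
    "\\windows\\temp",
)

BENIGN_HOSTS = {"127.0.0.1 localhost", "::1 localhost"}


def triage(log_text: str) -> list[Finding]:
    """Apply simple, explainable heuristics to OTL log lines; hits are leads, not verdicts."""
    findings: list[Finding] = []
    proxy_enabled = False
    proxy_server = None

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        low = line.lower()
        kind = line.split(" - ", 1)[0]

        if kind in ("SRV", "DRV"):
            # An autostart whose binary is gone, or whose file has no company
            # name and zero size, is typical of a malware remnant.
            if "file not found" in low:
                findings.append(Finding("autostart_missing_binary", line))
            else:
                m = _ATTR_RE.search(line)
                if m and (m.group(2).strip() == "" or m.group(1) == "000,000,000"):
                    findings.append(Finding("autostart_unsigned_or_empty", line))

        elif kind == "IE":
            # Collect the proxy settings; they are judged together after the loop.
            if '"ProxyEnable" = 1' in line:
                proxy_enabled = True
            m = re.search(r'"ProxyServer" = (.+)$', line)
            if m:
                proxy_server = m.group(1).strip()

        elif kind == "O1" and "Hosts:" in line:
            # Anything beyond the loopback entries rewrites name resolution.
            entry = line.split("Hosts:", 1)[1].strip()
            if entry not in BENIGN_HOSTS:
                findings.append(Finding("hosts_override", line))

        elif kind == "O4" and "\\Run:" in line and "] " in line:
            body = line.split("] ", 1)[1]          # text after the [value name]
            missing = low.endswith("file not found")
            no_publisher = body.endswith(" ()")
            writable = any(p in low for p in USER_WRITABLE)
            if missing or no_publisher or writable:
                findings.append(Finding("run_key_suspicious", line))

        elif kind == "O33" and "\\autorun\\command" in low:
            # Shell\AutoRun\command under MountPoints2 runs on media insertion.
            findings.append(Finding("removable_media_autorun", line))

    # A browser proxy forced through a listener on the local machine is the
    # classic banker-trojan setup for intercepting web traffic.
    if proxy_enabled and proxy_server and re.search(r"127\.0\.0\.1|localhost", proxy_server):
        findings.append(Finding("local_proxy_interception", f"ProxyServer = {proxy_server}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:30} {f.line[:90]}")
```

On the sample above the McShield and McAfeeUpdaterUI lines pass while the other entries each raise one lead, with the proxy finding emitted last.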

Re: Banker Fox and Win32/Nuqel need help

Post by DragonMaster Jay on Wed 18 Aug 2010, 5:05 pm

Hello, and welcome to GeekPolice.

Please note the following information about the malware forum:
  • Only Tech Officers, Global Moderators, Administrators, and Malware Advisors are allowed to give advice on removing malware from your computer.
  • From this point on, please do not make any more changes to your computer, such as installing/uninstalling programs, using special fix tools, deleting files, editing the registry, etc., unless advised by the staff I noted above.
  • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
  • If you have already asked for help somewhere, please post the link to the topic where you were helped.
  • We try our best to reply quickly, but if for any reason we do not reply within two days, do one of two things:

    Reply to this topic with the word BUMP, or
    see [You must be registered and logged in to see this link.].

  • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.

Please download Malwarebytes Anti-Malware from Malwarebytes.org.
Alternate link: BleepingComputer.com.
(Note: if you already have the program installed, just follow the directions. No need to re-download or re-install!)

Double Click mbam-setup.exe to install the application.

(Note: if you already have the program installed, open Malwarebytes from the Start Menu or Desktop shortcut, click the Update tab, and click Check for Updates, before doing the scan as instructed below!)

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If you are prompted to restart, please allow it to restart your computer. Failure to do this will cause the infection to still be active on the computer.
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • The log can also be found at C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Copy and paste the entire report in your next reply.



~DMJ
GeekPolice Academy Manager


DragonMaster Jay
Manager | Tech Officer
Posts : 13451
Joined : 2009-09-07
Operating System : Windows 7 Ultimate

Re: Banker Fox and Win32/Nuqel need help

Post by guerro on Thu 19 Aug 2010, 10:25 am

Malwarebytes' Anti-Malware 1.46

Database version: 4052

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 7.0.5730.13

8/8/2010 2:21:32 PM
mbam-log-2010-08-08 (14-21-32).txt

Scan type: Quick scan
Objects scanned: 112247
Time elapsed: 3 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 6
Registry Data Items Infected: 8
Folders Infected: 1
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe (Trojan.Chifrax) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\net (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\QZAIB7KITK (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mcexecwin (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\juanioue (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hsfg9w8gujsokgahi8gysgnsdgefshyjy (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\winid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> Delete on reboot.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.164.134,93.188.166.180 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.164.134,93.188.166.180 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{be65aed8-8300-4de6-828d-e6663ac0eef8}\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.164.134,93.188.166.180 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{be65aed8-8300-4de6-828d-e6663ac0eef8}\NameServer (Trojan.DNSChanger) -> Data: 93.188.164.134,93.188.166.180 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{d89d509c-870d-404a-9a87-e8c6291f9b45}\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.164.134,93.188.166.180 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{d89d509c-870d-404a-9a87-e8c6291f9b45}\NameServer (Trojan.DNSChanger) -> Data: 93.188.164.134,93.188.166.180 -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\Media\Application Data\SystemProc (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Media\Local Settings\Temp\nsxoerawcm.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Media\Local Settings\Temporary Internet Files\Content.IE5\5VIHOGOF\rvqxfn[1].htm (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Media\Local Settings\Temp\setup.exe (Trojan.Chifrax) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\Alkc.exe (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\Media\Local Settings\Temp\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Media\Local Settings\Temp\win32.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Media\Local Settings\Temp\winlogon.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Media\Local Settings\Temp\jisfije9fjoiee.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.


Re: Banker Fox and Win32/Nuqel need help

Post by DragonMaster Jay on Fri 20 Aug 2010, 6:15 am

Scan with Malwarebytes' Anti-Malware

Please re-open Malwarebytes' Anti-Malware, click the Update tab, and click Check for Updates. Then, click the Scanner tab, select Perform Full Scan, and press Scan. Remove selected, and post the log in your next reply.



Re: Banker Fox and Win32/Nuqel need help

Post by guerro on Fri 20 Aug 2010, 12:56 pm

Malwarebytes' Anti-Malware 1.46

Database version: 4450

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

8/19/2010 6:55:57 PM
mbam-log-2010-08-19 (18-55-57).txt

Scan type: Quick scan
Objects scanned: 123888
Time elapsed: 4 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)


Re: Banker Fox and Win32/Nuqel need help

Post by DragonMaster Jay on Fri 20 Aug 2010, 7:49 pm

Note: the following tool is to only be used under the guidance of a malware helper. In the event you already have the tool, please delete the old copy and download a new copy.

Please download ComboFix from BleepingComputer.com

Alternate link: GeeksToGo.com

Alternate link: Forospyware.com (Click the green button on the page to download it).

Rename ComboFix.exe to combo-fix.exe before you save it to your Desktop.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here.
  • Click Start > Run, then copy and paste the following command into the Run box and click OK: "%userprofile%\desktop\combo-fix.exe" /killall
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

    *NOTE*: If you already have the Recovery Console installed, ComboFix will skip this part and will continue scanning for malware.

    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.



Re: Banker Fox and Win32/Nuqel need help

Post by guerro on Sun 22 Aug 2010, 2:59 am

ComboFix 10-08-20.01 - Media 08/21/2010 8:44.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1540 [GMT -7:00]
Running from: c:\documents and settings\Media\desktop\combo-fix.exe
Command switches used :: /killall
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\drivers\ohci1394.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-07-21 to 2010-08-21 )))))))))))))))))))))))))))))))
.

2010-08-18 02:20 . 2010-08-18 02:20 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\ATI
2010-08-15 20:44 . 2010-08-15 20:44 -------- d-----w- c:\program files\iPod
2010-08-15 20:44 . 2010-08-15 20:45 -------- d-----w- c:\program files\iTunes
2010-08-15 20:44 . 2010-08-15 20:45 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-08-15 20:43 . 2010-08-15 20:43 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\ajyrpitea
2010-08-15 20:43 . 2010-08-21 15:51 781824 ----a-w- c:\windows\system32\drivers\ufcafypt.sys
2010-08-15 20:42 . 2010-08-18 05:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Update
2010-08-15 20:42 . 2010-08-15 20:43 -------- d-----w- c:\program files\QuickTime
2010-08-15 20:40 . 2010-08-15 20:40 -------- d-----w- c:\program files\Bonjour
2010-08-15 20:36 . 2010-08-15 20:36 61440 ----a-w- c:\documents and settings\Media\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-7292907c-n\decora-sse.dll
2010-08-15 20:36 . 2010-08-15 20:36 12800 ----a-w- c:\documents and settings\Media\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-7292907c-n\decora-d3d.dll
2010-08-15 20:36 . 2010-08-15 20:36 503808 ----a-w- c:\documents and settings\Media\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-3566b2fb-n\msvcp71.dll
2010-08-15 20:36 . 2010-08-15 20:36 499712 ----a-w- c:\documents and settings\Media\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-3566b2fb-n\jmc.dll
2010-08-15 20:36 . 2010-08-15 20:36 348160 ----a-w- c:\documents and settings\Media\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-3566b2fb-n\msvcr71.dll
2010-08-15 20:36 . 2010-07-17 12:00 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-15 20:34 . 2010-08-15 20:34 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.1.5\SetupAdmin.exe
2010-08-15 20:31 . 2010-08-18 01:52 0 ----a-w- c:\windows\Lviqahemile.bin
2010-08-15 20:31 . 2010-08-15 20:31 120 ----a-w- c:\windows\Pqaju.dat
2010-08-15 20:29 . 2004-08-04 05:31 20992 -c--a-w- c:\windows\system32\dllcache\rtl8139.sys
2010-08-15 20:29 . 2004-08-04 05:31 20992 ----a-w- c:\windows\system32\drivers\RTL8139.sys
2010-08-08 21:21 . 2006-04-06 02:38 110592 ----a-w- c:\documents and settings\Media\Application Data\U3\temp\cleanup.exe
2010-08-08 21:16 . 2010-08-08 21:16 -------- d-----w- c:\documents and settings\Media\Application Data\Malwarebytes
2010-08-08 21:16 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-08 21:16 . 2010-08-18 01:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-08 21:16 . 2010-08-08 21:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-08 21:16 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-08 21:15 . 2010-08-08 21:21 -------- d-----w- c:\documents and settings\Media\Application Data\U3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-15 20:44 . 2008-03-16 00:25 -------- d-----w- c:\program files\Common Files\Apple
2010-08-15 20:42 . 2010-06-04 20:56 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-15 20:36 . 2008-05-12 23:55 -------- d-----w- c:\program files\Common Files\Java
2010-08-15 20:36 . 2008-05-12 23:56 -------- d-----w- c:\program files\Java
2010-08-15 20:33 . 2008-03-17 02:50 -------- d-----w- c:\program files\Sonos
2010-05-28 03:35 . 2010-05-28 03:35 503808 ----a-w- c:\documents and settings\Media\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-1ae14fc3-n\msvcp71.dll
2010-05-28 03:35 . 2010-05-28 03:35 499712 ----a-w- c:\documents and settings\Media\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-1ae14fc3-n\jmc.dll
2010-05-28 03:35 . 2010-05-28 03:35 348160 ----a-w- c:\documents and settings\Media\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-1ae14fc3-n\msvcr71.dll
2010-05-26 00:44 . 2010-05-26 00:44 666112 ----a-w- c:\documents and settings\Media\Application Data\Macromedia\Flash Player\[You must be registered and logged in to see this link.]
2010-05-26 00:44 . 2010-05-26 00:44 319488 ----a-w- c:\documents and settings\Media\Application Data\Macromedia\Flash Player\[You must be registered and logged in to see this link.]
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-08-21 15:50 . 2010-08-21 15:50 16384 c:\windows\Temp\Perflib_Perfdata_7b4.dat
+ 2004-08-04 12:00 . 2010-08-18 06:15 67516 c:\windows\system32\perfc009.dat
- 2004-08-04 12:00 . 2009-12-10 10:19 67516 c:\windows\system32\perfc009.dat
- 2004-08-04 12:00 . 2008-04-13 18:36 68224 c:\windows\system32\drivers\pci.sys
+ 2004-08-04 12:00 . 2004-08-04 12:00 68224 c:\windows\system32\drivers\pci.sys
+ 2004-08-04 12:00 . 2004-08-04 12:00 95360 c:\windows\system32\drivers\atapi.sys
- 2004-08-04 12:00 . 2001-08-17 20:51 3328 c:\windows\system32\drivers\pciide.sys
+ 2004-08-04 12:00 . 2004-08-04 12:00 3328 c:\windows\system32\drivers\pciide.sys
- 2004-08-04 12:00 . 2009-12-10 10:19 432686 c:\windows\system32\perfh009.dat
+ 2004-08-04 12:00 . 2010-08-18 06:15 432686 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 868352]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2007-03-21 1953792]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-19 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
ASUS WiFi-AP Solo.lnk - c:\program files\ASUS WiFi-AP Solo\RtWLan.exe [2008-3-15 987136]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-7-18 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 09:42 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

S2 MSWA-d193543c;MSWA-d193543c;c:\windows\system32\d193543c.exe --> c:\windows\system32\d193543c.exe [?]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [3/15/2008 3:43 PM 176128]
S3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [3/15/2008 3:43 PM 13532]

--- Other Services/Drivers In Memory ---

*Deregistered* - ufcafypt
.
Contents of the 'Scheduled Tasks' folder

2010-08-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:34]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride =
uInternet Settings,ProxyServer = http=127.0.0.1:6522
FF - ProfilePath - c:\documents and settings\Media\Application Data\Mozilla\Firefox\Profiles\1hx4ckko.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Google
FF - user.js: browser.search.order.1 - Google
FF - user.js: keyword.URL - [You must be registered and logged in to see this link.] files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-08-21 08:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ufcafypt]

.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(600)
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(3772)
c:\windows\system32\WININET.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Network Associates\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\vstskmgr.exe
c:\program files\Network Associates\Common Framework\naPrdMgr.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
c:\program files\Network Associates\Common Framework\McTray.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-08-21 08:55:06 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-21 15:55
ComboFix2.txt 2010-08-18 05:11

Pre-Run: 588,352,999,424 bytes free
Post-Run: 588,340,117,504 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 728D19CD733CC92AC1E6664FE04A3F5C


Re: Banker Fox and Win32/Nuqel need help

Post by DragonMaster Jay on Sun 22 Aug 2010, 7:51 am

Re-running ComboFix to remove infections:

  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the codebox below into it:
    Code:
    killall::

    DDS::
    uInternet Settings,ProxyOverride =
    uInternet Settings,ProxyServer = http=127.0.0.1:6522

    Registry::
    [-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ufcafypt]

    Driver::
    ufcafypt

    Reboot::
  • Save this as CFScript.txt, in the same location as ComboFix.exe



  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.



Re: Banker Fox and Win32/Nuqel need help

Post by guerro on Mon 23 Aug 2010, 8:52 am

ComboFix 10-08-22.01 - Media 08/22/2010 14:45:25.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1618 [GMT -7:00]
Running from: c:\documents and settings\Media\Desktop\combo-fix.exe
Command switches used :: c:\documents and settings\Media\Desktop\CFScript.txt
AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_UFCAFYPT
-------\Service_ufcafypt


((((((((((((((((((((((((( Files Created from 2010-07-22 to 2010-08-22 )))))))))))))))))))))))))))))))
.

2010-08-18 02:20 . 2010-08-18 02:20 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\ATI
2010-08-15 20:44 . 2010-08-15 20:44 -------- d-----w- c:\program files\iPod
2010-08-15 20:44 . 2010-08-15 20:45 -------- d-----w- c:\program files\iTunes
2010-08-15 20:44 . 2010-08-15 20:45 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-08-15 20:43 . 2010-08-15 20:43 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\ajyrpitea
2010-08-15 20:43 . 2010-08-22 21:48 781824 ----a-w- c:\windows\system32\drivers\ufcafypt.sys
2010-08-15 20:42 . 2010-08-18 05:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Update
2010-08-15 20:42 . 2010-08-15 20:43 -------- d-----w- c:\program files\QuickTime
2010-08-15 20:40 . 2010-08-15 20:40 -------- d-----w- c:\program files\Bonjour
2010-08-15 20:36 . 2010-08-15 20:36 61440 ----a-w- c:\documents and settings\Media\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-7292907c-n\decora-sse.dll
2010-08-15 20:36 . 2010-08-15 20:36 12800 ----a-w- c:\documents and settings\Media\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-7292907c-n\decora-d3d.dll
2010-08-15 20:36 . 2010-08-15 20:36 503808 ----a-w- c:\documents and settings\Media\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-3566b2fb-n\msvcp71.dll
2010-08-15 20:36 . 2010-08-15 20:36 499712 ----a-w- c:\documents and settings\Media\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-3566b2fb-n\jmc.dll
2010-08-15 20:36 . 2010-08-15 20:36 348160 ----a-w- c:\documents and settings\Media\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-3566b2fb-n\msvcr71.dll
2010-08-15 20:36 . 2010-07-17 12:00 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-15 20:34 . 2010-08-15 20:34 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.1.5\SetupAdmin.exe
2010-08-15 20:31 . 2010-08-18 01:52 0 ----a-w- c:\windows\Lviqahemile.bin
2010-08-15 20:31 . 2010-08-15 20:31 120 ----a-w- c:\windows\Pqaju.dat
2010-08-15 20:29 . 2004-08-04 05:31 20992 -c--a-w- c:\windows\system32\dllcache\rtl8139.sys
2010-08-15 20:29 . 2004-08-04 05:31 20992 ----a-w- c:\windows\system32\drivers\RTL8139.sys
2010-08-08 21:21 . 2006-04-06 02:38 110592 ----a-w- c:\documents and settings\Media\Application Data\U3\temp\cleanup.exe
2010-08-08 21:16 . 2010-08-08 21:16 -------- d-----w- c:\documents and settings\Media\Application Data\Malwarebytes
2010-08-08 21:16 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-08 21:16 . 2010-08-18 01:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-08 21:16 . 2010-08-08 21:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-08 21:16 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-08 21:15 . 2010-08-08 21:21 -------- d-----w- c:\documents and settings\Media\Application Data\U3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-15 20:44 . 2008-03-16 00:25 -------- d-----w- c:\program files\Common Files\Apple
2010-08-15 20:42 . 2010-06-04 20:56 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-15 20:36 . 2008-05-12 23:55 -------- d-----w- c:\program files\Common Files\Java
2010-08-15 20:36 . 2008-05-12 23:56 -------- d-----w- c:\program files\Java
2010-08-15 20:33 . 2008-03-17 02:50 -------- d-----w- c:\program files\Sonos
2010-05-28 03:35 . 2010-05-28 03:35 503808 ----a-w- c:\documents and settings\Media\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-1ae14fc3-n\msvcp71.dll
2010-05-28 03:35 . 2010-05-28 03:35 499712 ----a-w- c:\documents and settings\Media\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-1ae14fc3-n\jmc.dll
2010-05-28 03:35 . 2010-05-28 03:35 348160 ----a-w- c:\documents and settings\Media\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-1ae14fc3-n\msvcr71.dll
2010-05-26 00:44 . 2010-05-26 00:44 666112 ----a-w- c:\documents and settings\Media\Application Data\Macromedia\Flash Player\[You must be registered and logged in to see this link.]
2010-05-26 00:44 . 2010-05-26 00:44 319488 ----a-w- c:\documents and settings\Media\Application Data\Macromedia\Flash Player\[You must be registered and logged in to see this link.]
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-08-22 21:49 . 2010-08-22 21:49 16384 c:\windows\temp\Perflib_Perfdata_798.dat
+ 2004-08-04 12:00 . 2010-08-18 06:15 67516 c:\windows\system32\perfc009.dat
- 2004-08-04 12:00 . 2009-12-10 10:19 67516 c:\windows\system32\perfc009.dat
- 2004-08-04 12:00 . 2008-04-13 18:36 68224 c:\windows\system32\drivers\pci.sys
+ 2004-08-04 12:00 . 2004-08-04 12:00 68224 c:\windows\system32\drivers\pci.sys
+ 2004-08-04 12:00 . 2004-08-04 12:00 95360 c:\windows\system32\drivers\atapi.sys
- 2004-08-04 12:00 . 2001-08-17 20:51 3328 c:\windows\system32\drivers\pciide.sys
+ 2004-08-04 12:00 . 2004-08-04 12:00 3328 c:\windows\system32\drivers\pciide.sys
- 2004-08-04 12:00 . 2009-12-10 10:19 432686 c:\windows\system32\perfh009.dat
+ 2004-08-04 12:00 . 2010-08-18 06:15 432686 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 868352]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2007-03-21 1953792]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-19 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
ASUS WiFi-AP Solo.lnk - c:\program files\ASUS WiFi-AP Solo\RtWLan.exe [2008-3-15 987136]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-7-18 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 09:42 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

S2 MSWA-d193543c;MSWA-d193543c;c:\windows\system32\d193543c.exe --> c:\windows\system32\d193543c.exe [?]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [3/15/2008 3:43 PM 176128]
S3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [3/15/2008 3:43 PM 13532]
.
Contents of the 'Scheduled Tasks' folder

2010-08-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:34]
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\documents and settings\Media\Application Data\Mozilla\Firefox\Profiles\1hx4ckko.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Google
FF - user.js: browser.search.order.1 - Google
FF - user.js: keyword.URL - [You must be registered and logged in to see this link.] files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(592)
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(2964)
c:\windows\system32\WININET.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Network Associates\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\vstskmgr.exe
c:\program files\Network Associates\Common Framework\naPrdMgr.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
c:\program files\Network Associates\Common Framework\McTray.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
c:\program files\iPod\bin\iPodService.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
.
**************************************************************************
.
Completion time: 2010-08-22 14:51:45 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-22 21:51
ComboFix2.txt 2010-08-21 15:55
ComboFix3.txt 2010-08-18 05:11

Pre-Run: 588,177,084,416 bytes free
Post-Run: 588,091,723,776 bytes free

- - End Of File - - 1DEE3610BF54F59895DFCD0FC38681A9


Re: Banker Fox and Win32/Nuqel need help

Post by DragonMaster Jay on Mon 23 Aug 2010, 6:28 pm

Re-running ComboFix to remove infections:

  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the codebox below into it:
    Code:
    killall::
    File::
    c:\windows\system32\drivers\ufcafypt.sys
    c:\windows\Lviqahemile.bin
    c:\windows\Pqaju.dat
    c:\windows\system32\drivers\SjyPkt.sys

    Driver::
    ufcafypt
    MSWA-d193543c
    SjyPkt

    Firefox::
    FF - prefs.js: keyword.URL - hxxp://search.search-go.net/?sid=10101053100&s=
    FF - user.js: keyword.URL - hxxp://search.search-go.net/?sid=10101053100&s=c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

    reboot::
  • Save this as CFScript.txt, in the same location as ComboFix.exe



  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.


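The two CFScript posts above (22 Aug and 23 Aug) hand-pick entries out of the ComboFix log: the proxy pointing at the loopback address under Internet Settings, the S2 service whose binary ComboFix marks with [?] because it cannot find it, the driver listed as *Deregistered* yet still in memory, and the Firefox keyword.URL pointing at a search-redirect host. The script below is an added example, not code from this thread, from ComboFix or from its author. It runs that same triage over a few constructed log lines written in the formats the thread shows and assembles the matching CFScript sections (DDS::, Driver::, Firefox::) in the layout the helper used. The sample lines, the KNOWN_SEARCH_HOSTS allowlist and the function names are assumptions made for illustration.

```python
"""Triage helper for ComboFix-style log excerpts (added example, not ComboFix code).

It flags the four indicator classes the thread acted on and drafts the
CFScript sections that correspond to them.  All sample input is constructed.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample modelled on the log formats shown in the thread.
SAMPLE_LOG = """\
uInternet Settings,ProxyOverride =
uInternet Settings,ProxyServer = http=127.0.0.1:6522
S2 MSWA-d193543c;MSWA-d193543c;c:\\windows\\system32\\d193543c.exe --> c:\\windows\\system32\\d193543c.exe [?]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\\windows\\system32\\drivers\\RTL8187.sys [3/15/2008 3:43 PM 176128]
*Deregistered* - ufcafypt
FF - prefs.js: keyword.URL - hxxp://search.search-go.net/?sid=10101053100&s=
FF - user.js: keyword.URL - hxxp://www.google.com/search?q=
"""

# Hosts considered normal for a Firefox keyword.URL.  This allowlist is an
# assumption for the example, not a list maintained by ComboFix or the thread.
KNOWN_SEARCH_HOSTS = {"www.google.com", "google.com", "www.bing.com"}

PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(.+)$")
# "S2 name;description;path [info]" with an optional "--> path" redirect part.
SERVICE_RE = re.compile(r"^[RS]([0-4]) ([^;]+);([^;]*);(.+?)(?:\s+-->\s+.+?)?\s+\[(.*)\]$")
DEREG_RE = re.compile(r"^\*Deregistered\*\s*-\s*(\S+)$")
FF_RE = re.compile(r"^(FF - (?:prefs|user)\.js: keyword\.URL - (\S+))$")


@dataclass
class Finding:
    kind: str      # what was spotted
    detail: str    # the raw log line as evidence
    section: str   # CFScript section the helper would use for it
    line: str      # the item to place under that section


def _is_loopback(host: str) -> bool:
    return host == "localhost" or host.startswith("127.")


def triage(log_text: str) -> list:
    """Return Findings for the indicator classes the thread acted on."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := PROXY_RE.match(line):
            # Value looks like "http=127.0.0.1:6522"; several may be ';'-separated.
            for entry in m.group(1).split(";"):
                host = entry.split("=", 1)[-1].rsplit(":", 1)[0]
                if _is_loopback(host):
                    findings.append(Finding("loopback proxy", line, "DDS::", line))
        elif m := SERVICE_RE.match(line):
            _start, name, _desc, _path, info = m.groups()
            if info == "?":  # ComboFix prints [?] when it cannot stat the binary
                findings.append(Finding("service with unverifiable binary", line, "Driver::", name))
        elif m := DEREG_RE.match(line):
            findings.append(Finding("deregistered driver still in memory", line, "Driver::", m.group(1)))
        elif m := FF_RE.match(line):
            # ComboFix defangs URLs as hxxp; restore the scheme only to parse the host.
            host = urlparse(m.group(2).replace("hxxp", "http", 1)).hostname or ""
            if host not in KNOWN_SEARCH_HOSTS:
                findings.append(Finding("search keyword hijack", line, "Firefox::", line))
    return findings


SECTION_ORDER = ("DDS::", "Driver::", "Firefox::")


def build_cfscript(findings: list) -> str:
    """Draft a CFScript using the section names the thread shows, de-duplicated."""
    by_section = {}
    for f in findings:
        items = by_section.setdefault(f.section, [])
        if f.line not in items:
            items.append(f.line)
    parts = ["killall::"]
    for section in SECTION_ORDER:
        if section in by_section:
            parts += ["", section] + by_section[section]
    parts += ["", "Reboot::"]
    return "\n".join(parts) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.kind:40s} <- {f.detail}")
    print()
    print(build_cfscript(found))
```

The helper also put the ProxyOverride line under DDS:: and, in the second script, the on-disk paths under File::; the example stops at what the individual log lines justify on their own, so the draft it prints is the starting point a human reviews, which is what the "only under guidance" note at the top of the ComboFix post is about.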

Re: Banker Fox and Win32/Nuqel need help

Post by guerro on Tue 24 Aug 2010, 12:53 pm

ComboFix 10-08-23.02 - Media 08/23/2010 18:44:15.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1525 [GMT -7:00]
Running from: c:\documents and settings\Media\Desktop\combo-fix.exe
Command switches used :: c:\documents and settings\Media\Desktop\CFScript.txt
AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

FILE ::
"c:\windows\Lviqahemile.bin"
"c:\windows\Pqaju.dat"
"c:\windows\system32\drivers\SjyPkt.sys"
"c:\windows\system32\drivers\ufcafypt.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Media\My Documents\Internet Explorer.lnk
c:\windows\Lviqahemile.bin
c:\windows\Pqaju.dat
c:\windows\system32\drivers\SjyPkt.sys
c:\windows\system32\drivers\ufcafypt.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MSWA-D193543C
-------\Legacy_SJYPKT
-------\Service_MSWA-d193543c
-------\Service_SjyPkt


((((((((((((((((((((((((( Files Created from 2010-07-24 to 2010-08-24 )))))))))))))))))))))))))))))))
.

2010-08-22 21:43 . 2010-08-22 21:51 -------- d-----w- C:\combo-fix
2010-08-22 21:40 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-08-15 20:44 . 2010-08-15 20:44 -------- d-----w- c:\program files\iPod
2010-08-15 20:44 . 2010-08-15 20:45 -------- d-----w- c:\program files\iTunes
2010-08-15 20:44 . 2010-08-15 20:45 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-08-15 20:43 . 2010-08-15 20:43 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\ajyrpitea
2010-08-15 20:42 . 2010-08-18 05:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Update
2010-08-15 20:42 . 2010-08-15 20:43 -------- d-----w- c:\program files\QuickTime
2010-08-15 20:40 . 2010-08-15 20:40 -------- d-----w- c:\program files\Bonjour
2010-08-15 20:36 . 2010-08-15 20:36 61440 ----a-w- c:\documents and settings\Media\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-7292907c-n\decora-sse.dll
2010-08-15 20:36 . 2010-08-15 20:36 12800 ----a-w- c:\documents and settings\Media\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-7292907c-n\decora-d3d.dll
2010-08-15 20:36 . 2010-08-15 20:36 503808 ----a-w- c:\documents and settings\Media\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-3566b2fb-n\msvcp71.dll
2010-08-15 20:36 . 2010-08-15 20:36 499712 ----a-w- c:\documents and settings\Media\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-3566b2fb-n\jmc.dll
2010-08-15 20:36 . 2010-08-15 20:36 348160 ----a-w- c:\documents and settings\Media\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-3566b2fb-n\msvcr71.dll
2010-08-15 20:36 . 2010-07-17 12:00 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-15 20:34 . 2010-08-15 20:34 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.1.5\SetupAdmin.exe
2010-08-15 20:29 . 2004-08-04 05:31 20992 -c--a-w- c:\windows\system32\dllcache\rtl8139.sys
2010-08-15 20:29 . 2004-08-04 05:31 20992 ----a-w- c:\windows\system32\drivers\RTL8139.sys
2010-08-08 21:21 . 2006-04-06 02:38 110592 ----a-w- c:\documents and settings\Media\Application Data\U3\temp\cleanup.exe
2010-08-08 21:16 . 2010-08-08 21:16 -------- d-----w- c:\documents and settings\Media\Application Data\Malwarebytes
2010-08-08 21:16 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-08 21:16 . 2010-08-18 01:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-08 21:16 . 2010-08-08 21:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-08 21:16 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-08 21:15 . 2010-08-08 21:21 -------- d-----w- c:\documents and settings\Media\Application Data\U3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-15 20:44 . 2008-03-16 00:25 -------- d-----w- c:\program files\Common Files\Apple
2010-08-15 20:42 . 2010-06-04 20:56 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-15 20:36 . 2008-05-12 23:55 -------- d-----w- c:\program files\Common Files\Java
2010-08-15 20:36 . 2008-05-12 23:56 -------- d-----w- c:\program files\Java
2010-08-15 20:33 . 2008-03-17 02:50 -------- d-----w- c:\program files\Sonos
2010-06-30 12:31 . 2004-08-04 12:00 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:15 . 2004-08-04 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 12:15 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-06-24 12:15 . 2004-08-04 12:00 17408 ------w- c:\windows\system32\corpol.dll
2010-06-23 13:44 . 2004-08-04 12:00 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2004-08-04 12:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2004-08-04 12:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2008-03-15 22:19 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 07:41 . 2004-08-04 12:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-05-28 03:35 . 2010-05-28 03:35 503808 ----a-w- c:\documents and settings\Media\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-1ae14fc3-n\msvcp71.dll
2010-05-28 03:35 . 2010-05-28 03:35 499712 ----a-w- c:\documents and settings\Media\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-1ae14fc3-n\jmc.dll
2010-05-28 03:35 . 2010-05-28 03:35 348160 ----a-w- c:\documents and settings\Media\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-1ae14fc3-n\msvcr71.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 868352]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2007-03-21 1953792]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-19 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
ASUS WiFi-AP Solo.lnk - c:\program files\ASUS WiFi-AP Solo\RtWLan.exe [2008-3-15 987136]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-7-18 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 09:42 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

S3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [3/15/2008 3:43 PM 176128]
.
Contents of the 'Scheduled Tasks' folder

2010-08-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:34]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyServer = http=127.0.0.1:6522
uInternet Settings,ProxyOverride =
FF - ProfilePath - c:\documents and settings\Media\Application Data\Mozilla\Firefox\Profiles\1hx4ckko.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Google
FF - user.js: browser.search.order.1 - Google
FF - user.js: keyword.URL - [You must be registered and logged in to see this link.] files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-08-23 18:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(596)
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(2584)
c:\windows\system32\WININET.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Network Associates\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\vstskmgr.exe
c:\program files\Network Associates\Common Framework\naPrdMgr.exe
c:\windows\system32\wscntfy.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
c:\program files\Network Associates\Common Framework\McTray.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-08-23 18:51:39 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-24 01:51
ComboFix2.txt 2010-08-22 21:51
ComboFix3.txt 2010-08-21 15:55
ComboFix4.txt 2010-08-18 05:11

Pre-Run: 587,520,290,816 bytes free
Post-Run: 587,552,157,696 bytes free

- - End Of File - - 6465FA0AEC4A45CFE211D4A479F24590

guerro

Newbie Surfer

Posts : 32
Joined : 2010-01-17
Operating System : Win XP


Re: Banker Fox and Win32/Nuqel need help

Post by DragonMaster Jay on Wed 25 Aug 2010, 7:37 am

Re-running ComboFix to remove infections:

  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the codebox below into it:
    Code:
    SRPEEK::
    c:\windows\system32\dllcache\helpsvc.exe

    DDS::
    uInternet Settings,ProxyServer = http=127.0.0.1:6522
    uInternet Settings,ProxyOverride =
  • Save this as CFScript.txt, in the same location as ComboFix.exe



  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.



~DMJ
GeekPolice Academy Manager



DragonMaster Jay

Manager | Tech Officer

Posts : 13451
Joined : 2009-09-07
Operating System : Windows 7 Ultimate

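The two settings DragonMaster Jay's scripts target in this post and in the one of 23 Aug (the Firefox keyword.URL search hijack and the loopback ProxyServer entry under uInternet Settings) can be picked out of a ComboFix log automatically. The triage below is an added example, not ComboFix's code or anything from this thread; its sample log lines are constructed to mirror the log above, and the KNOWN_SEARCH_DOMAINS allowlist is an assumption to be replaced with the domains you actually expect.

```python
"""Triage a ComboFix log for the browser-hijack indicators seen in this thread.

Added example (not ComboFix's own code). It scans the 'Supplementary Scan'
style lines (uInternet Settings, FF - prefs.js / user.js) and flags the
settings that were cleaned with the DDS:: and Firefox:: directives.
"""
import re
from urllib.parse import urlparse

# WinINET proxy line as ComboFix prints it, e.g.
#   uInternet Settings,ProxyServer = http=127.0.0.1:6522
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(?P<value>.+?)\s*$")

# Firefox preference line as ComboFix prints it, e.g.
#   FF - prefs.js: keyword.URL - hxxp://...
FF_PREF_RE = re.compile(
    r"^FF - (?P<file>prefs\.js|user\.js): (?P<pref>[\w.]+) - (?P<value>.+?)\s*$")

# Search providers a keyword.URL may legitimately point at (assumption for
# this example; extend it with the domains your environment expects).
KNOWN_SEARCH_DOMAINS = {"www.google.com", "search.yahoo.com", "www.bing.com"}


def _proxy_targets(value):
    """Split 'http=host:port;https=host:port' or a bare 'host:port' into host:port strings."""
    targets = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        # protocol-prefixed form 'http=host:port' -> keep only host:port
        targets.append(part.split("=", 1)[1] if "=" in part else part)
    return targets


def _is_loopback(host_port):
    """True when the proxy host is the local machine: traffic is relayed through a local process."""
    host = host_port.rsplit(":", 1)[0].strip("[]")
    return host.startswith("127.") or host in ("localhost", "::1")


def _search_domain(value):
    """Hostname of a keyword.URL value; the forum quotes URLs defanged as hxxp."""
    return urlparse(value.replace("hxxp", "http", 1)).hostname or ""


def triage(log_text):
    """Return a list of (severity, reason, line) for each suspicious log line."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = PROXY_RE.match(line)
        if m:
            for target in _proxy_targets(m.group("value")):
                if _is_loopback(target):
                    # A proxy on the local host is the classic banker-trojan setup:
                    # every browser request passes through the malware before leaving.
                    findings.append(("high", f"loopback proxy {target}: browser traffic "
                                             "relayed through a local process", line))
                else:
                    findings.append(("medium", f"proxy {target} set in user WinINET settings", line))
            continue
        m = FF_PREF_RE.match(line)
        if m and m.group("pref") == "keyword.URL":
            domain = _search_domain(m.group("value"))
            if domain not in KNOWN_SEARCH_DOMAINS:
                # user.js is re-applied on every Firefox start, so a hijack placed
                # there survives a prefs.js cleanup; rate it higher.
                severity = "high" if m.group("file") == "user.js" else "medium"
                findings.append((severity, f"keyword.URL redirected to {domain} "
                                           f"via {m.group('file')}", line))
    return findings


# Constructed sample mirroring the Supplementary Scan lines in the log above.
SAMPLE_LOG = """\
uInternet Settings,ProxyServer = http=127.0.0.1:6522
uInternet Settings,ProxyOverride =
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://search.search-go.net/?sid=10101053100&s=
FF - user.js: keyword.URL - hxxp://search.search-go.net/?sid=10101053100&s=
FF - plugin: c:\\program files\\Java\\jre6\\bin\\new_plugin\\npdeployJava1.dll
"""

if __name__ == "__main__":
    for severity, reason, line in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {reason}\n         {line}")
```

Run it against a real ComboFix.txt by passing the file's contents to triage(); the DDS:: lines the helper wrote above are exactly the lines the loopback-proxy finding points at.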

Re: Banker Fox and Win32/Nuqel need help

Post by guerro on Fri 27 Aug 2010, 1:22 pm

ComboFix 10-08-26.02 - Media 08/26/2010 19:15:38.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1370 [GMT -7:00]
Running from: c:\documents and settings\Media\Desktop\combo-fix.exe
Command switches used :: c:\documents and settings\Media\Desktop\CFScript.txt
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.

((((((((((((((((((((((((( Files Created from 2010-07-27 to 2010-08-27 )))))))))))))))))))))))))))))))
.

2010-08-22 21:43 . 2010-08-22 21:51 -------- d-----w- C:\combo-fix
2010-08-22 21:40 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-08-15 20:44 . 2010-08-15 20:44 -------- d-----w- c:\program files\iPod
2010-08-15 20:44 . 2010-08-15 20:45 -------- d-----w- c:\program files\iTunes
2010-08-15 20:44 . 2010-08-15 20:45 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-08-15 20:43 . 2010-08-15 20:43 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\ajyrpitea
2010-08-15 20:42 . 2010-08-18 05:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Update
2010-08-15 20:42 . 2010-08-15 20:43 -------- d-----w- c:\program files\QuickTime
2010-08-15 20:40 . 2010-08-15 20:40 -------- d-----w- c:\program files\Bonjour
2010-08-15 20:36 . 2010-08-15 20:36 61440 ----a-w- c:\documents and settings\Media\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-7292907c-n\decora-sse.dll
2010-08-15 20:36 . 2010-08-15 20:36 12800 ----a-w- c:\documents and settings\Media\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-7292907c-n\decora-d3d.dll
2010-08-15 20:36 . 2010-08-15 20:36 503808 ----a-w- c:\documents and settings\Media\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-3566b2fb-n\msvcp71.dll
2010-08-15 20:36 . 2010-08-15 20:36 499712 ----a-w- c:\documents and settings\Media\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-3566b2fb-n\jmc.dll
2010-08-15 20:36 . 2010-08-15 20:36 348160 ----a-w- c:\documents and settings\Media\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-3566b2fb-n\msvcr71.dll
2010-08-15 20:36 . 2010-07-17 12:00 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-15 20:34 . 2010-08-15 20:34 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.1.5\SetupAdmin.exe
2010-08-15 20:29 . 2004-08-04 05:31 20992 -c--a-w- c:\windows\system32\dllcache\rtl8139.sys
2010-08-15 20:29 . 2004-08-04 05:31 20992 ----a-w- c:\windows\system32\drivers\RTL8139.sys
2010-08-08 21:21 . 2006-04-06 02:38 110592 ----a-w- c:\documents and settings\Media\Application Data\U3\temp\cleanup.exe
2010-08-08 21:16 . 2010-08-08 21:16 -------- d-----w- c:\documents and settings\Media\Application Data\Malwarebytes
2010-08-08 21:16 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-08 21:16 . 2010-08-18 01:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-08 21:16 . 2010-08-08 21:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-08 21:16 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-08 21:15 . 2010-08-08 21:21 -------- d-----w- c:\documents and settings\Media\Application Data\U3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-15 20:44 . 2008-03-16 00:25 -------- d-----w- c:\program files\Common Files\Apple
2010-08-15 20:42 . 2010-06-04 20:56 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-15 20:36 . 2008-05-12 23:55 -------- d-----w- c:\program files\Common Files\Java
2010-08-15 20:36 . 2008-05-12 23:56 -------- d-----w- c:\program files\Java
2010-08-15 20:33 . 2008-03-17 02:50 -------- d-----w- c:\program files\Sonos
2010-06-30 12:31 . 2004-08-04 12:00 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:15 . 2004-08-04 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 12:15 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-06-24 12:15 . 2004-08-04 12:00 17408 ------w- c:\windows\system32\corpol.dll
2010-06-23 13:44 . 2004-08-04 12:00 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2004-08-04 12:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2004-08-04 12:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2008-03-15 22:19 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 07:41 . 2004-08-04 12:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
.

(((((((((((((((((((((((((((((((((((((((((( SR_Search ))))))))))))))))))))))))))))))))))))))))))))))))))))))))

[7] E5517D0908CA75EEF9633A93FF3F0408 744448 c:\windows\pchealth\helpctr\binaries\helpsvc.exe
[7] B9CBAEA39CEA686827D152C650247EED 744448 \RP4\A0001257.exe
.
((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-08-24 01:47 . 2010-08-24 01:47 16384 c:\windows\temp\Perflib_Perfdata_760.dat
+ 2007-11-13 11:31 . 2010-04-21 13:28 46080 c:\windows\system32\tzchange.exe
- 2007-11-13 11:31 . 2010-01-23 08:11 46080 c:\windows\system32\tzchange.exe
+ 2010-03-31 07:16 . 2010-03-31 07:16 99176 c:\windows\system32\PresentationHostProxy.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 44544 c:\windows\system32\pngfilt.dll
- 2004-08-04 12:00 . 2010-03-11 12:38 44544 c:\windows\system32\pngfilt.dll
- 2004-08-04 12:00 . 2009-12-10 10:19 67516 c:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2010-08-22 22:04 67516 c:\windows\system32\perfc009.dat
+ 2009-11-07 08:07 . 2009-11-07 08:07 49488 c:\windows\system32\netfxperf.dll
+ 2009-11-07 08:07 . 2009-11-07 08:07 11600 c:\windows\system32\mui\0409\mscorees.dll
+ 2007-08-14 01:54 . 2010-06-24 12:15 52224 c:\windows\system32\msfeedsbs.dll
- 2007-08-14 01:54 . 2010-03-11 12:38 52224 c:\windows\system32\msfeedsbs.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 27648 c:\windows\system32\jsproxy.dll
- 2004-08-04 12:00 . 2010-03-11 12:38 27648 c:\windows\system32\jsproxy.dll
+ 2007-08-14 01:39 . 2010-06-23 12:06 13824 c:\windows\system32\ieudinit.exe
- 2007-08-14 01:39 . 2010-03-10 13:18 13824 c:\windows\system32\ieudinit.exe
+ 2004-08-04 12:00 . 2010-06-24 12:15 44544 c:\windows\system32\iernonce.dll
- 2004-08-04 12:00 . 2010-03-11 12:38 44544 c:\windows\system32\iernonce.dll
- 2004-08-04 12:00 . 2010-03-10 13:18 70656 c:\windows\system32\ie4uinit.exe
+ 2004-08-04 12:00 . 2010-06-23 12:06 70656 c:\windows\system32\ie4uinit.exe
+ 2007-08-14 01:36 . 2010-06-24 12:15 63488 c:\windows\system32\icardie.dll
- 2007-08-14 01:36 . 2010-03-11 12:38 63488 c:\windows\system32\icardie.dll
+ 2008-03-16 06:09 . 2010-08-22 23:07 95072 c:\windows\system32\FNTCACHE.DAT
- 2008-03-16 06:09 . 2009-11-12 02:34 95072 c:\windows\system32\FNTCACHE.DAT
+ 2004-08-04 12:00 . 2004-08-04 12:00 68224 c:\windows\system32\drivers\pci.sys
- 2004-08-04 12:00 . 2008-04-13 18:36 68224 c:\windows\system32\drivers\pci.sys
+ 2004-08-04 12:00 . 2004-08-04 12:00 95360 c:\windows\system32\drivers\atapi.sys
- 2004-08-04 12:00 . 2010-03-11 12:38 44544 c:\windows\system32\dllcache\pngfilt.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 44544 c:\windows\system32\dllcache\pngfilt.dll
- 2008-03-15 23:30 . 2010-03-11 12:38 52224 c:\windows\system32\dllcache\msfeedsbs.dll
+ 2008-03-15 23:30 . 2010-06-24 12:15 52224 c:\windows\system32\dllcache\msfeedsbs.dll
- 2004-08-04 12:00 . 2010-03-11 12:38 27648 c:\windows\system32\dllcache\jsproxy.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 27648 c:\windows\system32\dllcache\jsproxy.dll
+ 2008-03-15 23:30 . 2010-06-23 12:06 13824 c:\windows\system32\dllcache\ieudinit.exe
- 2008-03-15 23:30 . 2010-03-10 13:18 13824 c:\windows\system32\dllcache\ieudinit.exe
- 2004-08-04 12:00 . 2010-03-11 12:38 44544 c:\windows\system32\dllcache\iernonce.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 44544 c:\windows\system32\dllcache\iernonce.dll
- 2009-02-20 18:09 . 2010-03-11 12:38 78336 c:\windows\system32\dllcache\ieencode.dll
+ 2009-02-20 18:09 . 2010-06-24 12:15 78336 c:\windows\system32\dllcache\ieencode.dll
- 2004-08-04 12:00 . 2010-03-10 13:18 70656 c:\windows\system32\dllcache\ie4uinit.exe
+ 2004-08-04 12:00 . 2010-06-23 12:06 70656 c:\windows\system32\dllcache\ie4uinit.exe
- 2008-03-15 23:30 . 2010-03-11 12:38 63488 c:\windows\system32\dllcache\icardie.dll
+ 2008-03-15 23:30 . 2010-06-24 12:15 63488 c:\windows\system32\dllcache\icardie.dll
+ 2009-06-29 16:12 . 2010-06-24 12:15 17408 c:\windows\system32\dllcache\corpol.dll
- 2009-06-29 16:12 . 2010-03-11 12:38 17408 c:\windows\system32\dllcache\corpol.dll
+ 2010-03-05 14:37 . 2010-03-05 14:37 65536 c:\windows\system32\dllcache\asycfilt.dll
+ 2004-08-04 12:00 . 2010-03-05 14:37 65536 c:\windows\system32\asycfilt.dll
- 2008-07-30 02:16 . 2008-07-30 02:16 32768 c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\System.ServiceModel.WasHosting.dll
+ 2010-04-08 06:48 . 2010-04-08 06:48 32768 c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\System.ServiceModel.WasHosting.dll
+ 2009-11-07 08:07 . 2009-11-07 08:07 13648 c:\windows\Microsoft.NET\Framework\v2.0.50727\sbscmp20_mscorlib.dll
+ 2010-03-23 12:31 . 2010-03-23 12:31 30544 c:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.exe
+ 2009-11-07 08:07 . 2009-11-07 08:07 13648 c:\windows\Microsoft.NET\Framework\SharedReg12.dll
+ 2009-11-07 08:07 . 2009-11-07 08:07 13648 c:\windows\Microsoft.NET\Framework\sbscmp20_perfcounter.dll
+ 2009-11-07 08:07 . 2009-11-07 08:07 13648 c:\windows\Microsoft.NET\Framework\sbscmp20_mscorwks.dll
+ 2009-11-07 08:07 . 2009-11-07 08:07 13648 c:\windows\Microsoft.NET\Framework\sbscmp10.dll
+ 2009-11-07 08:07 . 2009-11-07 08:07 13664 c:\windows\Microsoft.NET\Framework\sbs_wminet_utils.dll
+ 2009-11-07 08:07 . 2009-11-07 08:07 13688 c:\windows\Microsoft.NET\Framework\sbs_system.enterpriseservices.dll
+ 2009-11-07 08:07 . 2009-11-07 08:07 13664 c:\windows\Microsoft.NET\Framework\sbs_system.data.dll
+ 2009-11-07 08:07 . 2009-11-07 08:07 13696 c:\windows\Microsoft.NET\Framework\sbs_system.configuration.install.dll
+ 2009-11-07 08:07 . 2009-11-07 08:07 13656 c:\windows\Microsoft.NET\Framework\sbs_mscorsec.dll
+ 2009-11-07 08:07 . 2009-11-07 08:07 13656 c:\windows\Microsoft.NET\Framework\sbs_mscorrc.dll
+ 2009-11-07 08:07 . 2009-11-07 08:07 13656 c:\windows\Microsoft.NET\Framework\sbs_mscordbi.dll
+ 2009-11-07 08:07 . 2009-11-07 08:07 13672 c:\windows\Microsoft.NET\Framework\sbs_microsoft.jscript.dll
+ 2009-11-07 08:07 . 2009-11-07 08:07 13664 c:\windows\Microsoft.NET\Framework\sbs_diasymreader.dll
+ 2009-11-07 08:07 . 2009-11-07 08:07 86864 c:\windows\Microsoft.NET\Framework\NETFXSBS10.exe
+ 2010-08-22 22:05 . 2010-03-11 12:38 44544 c:\windows\ie7updates\KB2183461-IE7\pngfilt.dll
+ 2010-08-22 22:05 . 2010-03-11 12:38 52224 c:\windows\ie7updates\KB2183461-IE7\msfeedsbs.dll
+ 2010-08-22 22:05 . 2010-03-11 12:38 27648 c:\windows\ie7updates\KB2183461-IE7\jsproxy.dll
+ 2010-08-22 22:05 . 2010-03-10 13:18 13824 c:\windows\ie7updates\KB2183461-IE7\ieudinit.exe
+ 2010-08-22 22:05 . 2010-03-11 12:38 44544 c:\windows\ie7updates\KB2183461-IE7\iernonce.dll
+ 2010-08-22 22:05 . 2010-03-11 12:38 78336 c:\windows\ie7updates\KB2183461-IE7\ieencode.dll
+ 2010-08-22 22:05 . 2010-03-10 13:18 70656 c:\windows\ie7updates\KB2183461-IE7\ie4uinit.exe
+ 2010-08-22 22:05 . 2010-03-11 12:38 63488 c:\windows\ie7updates\KB2183461-IE7\icardie.dll
+ 2010-08-22 22:05 . 2010-03-11 12:38 17408 c:\windows\ie7updates\KB2183461-IE7\corpol.dll
+ 2010-08-22 23:08 . 2010-08-22 23:08 60928 c:\windows\assembly\NativeImages_v2.0.50727_32\UIAutomationProvider\5ec9dec678303ebff0ef018edb5ec595\UIAutomationProvider.ni.dll
+ 2010-08-22 23:20 . 2010-08-22 23:20 37888 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Pres#\46ef15b88ef577de4882c519329fc5d2\System.Windows.Presentation.ni.dll
+ 2010-08-22 23:20 . 2010-08-22 23:20 36864 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.DynamicD#\aada360296a42e0413579a19c771ec2d\System.Web.DynamicData.Design.ni.dll
+ 2010-08-22 23:19 . 2010-08-22 23:19 94208 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ComponentMod#\2b5ff2c6358c483eb1439b99badb54fd\System.ComponentModel.DataAnnotations.ni.dll
+ 2010-08-22 23:19 . 2010-08-22 23:19 82944 c:\windows\assembly\NativeImages_v2.0.50727_32\System.AddIn.Contra#\6125ff5a4fcd93d70a246cbff3005d42\System.AddIn.Contract.ni.dll
+ 2010-08-22 22:03 . 2010-08-22 22:03 47104 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFontCac#\f857fa084a139cc3d510e72ca1218a5f\PresentationFontCache.ni.exe
+ 2010-08-22 22:05 . 2010-08-22 22:05 47104 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFontCac#\de26af01222270c121788161496fcfe7\PresentationFontCache.ni.exe
+ 2010-08-22 22:03 . 2010-08-22 22:03 39424 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationCFFRast#\bfb89ce9799bcfb90bde99702d542e3f\PresentationCFFRasterizer.ni.dll
+ 2010-08-22 22:05 . 2010-08-22 22:05 39424 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationCFFRast#\3c5adeedb70e6e052a6556c6ab9b6918\PresentationCFFRasterizer.ni.dll
+ 2010-08-22 23:20 . 2010-08-22 23:20 55296 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Vsa\5e5176efbfeb803b7f217525beec6844\Microsoft.Vsa.ni.dll
+ 2010-08-22 23:19 . 2010-08-22 23:19 74752 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Fra#\e1d4e0b1f112000ab33bbaf88bd9ed99\Microsoft.Build.Framework.ni.dll
+ 2010-08-22 23:19 . 2010-08-22 23:19 65024 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Fra#\4200cf5b7f247ec1b997808c6d1ba7d1\Microsoft.Build.Framework.ni.dll
+ 2010-08-22 23:19 . 2010-08-22 23:19 14336 c:\windows\assembly\NativeImages_v2.0.50727_32\dfsvc\50b7fc7f36c76313cbb434b10923e4e9\dfsvc.ni.exe
+ 2010-08-22 23:19 . 2010-08-22 23:19 25600 c:\windows\assembly\NativeImages_v2.0.50727_32\Accessibility\5ffa548547613dbc5a92f2c5b7cad196\Accessibility.ni.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 77824 c:\windows\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 77824 c:\windows\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
- 2009-08-08 22:37 . 2009-08-08 22:37 32768 c:\windows\assembly\GAC_MSIL\System.ServiceModel.WasHosting\3.0.0.0__b77a5c561934e089\System.ServiceModel.WasHosting.dll
+ 2010-08-22 21:59 . 2010-08-22 21:59 32768 c:\windows\assembly\GAC_MSIL\System.ServiceModel.WasHosting\3.0.0.0__b77a5c561934e089\System.ServiceModel.WasHosting.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 81920 c:\windows\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 81920 c:\windows\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 81920 c:\windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 81920 c:\windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 32768 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 32768 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 12800 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 12800 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 28672 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 28672 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 77824 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 77824 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 36864 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 36864 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 77824 c:\windows\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 77824 c:\windows\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 13312 c:\windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 13312 c:\windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 10752 c:\windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 10752 c:\windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 72192 c:\windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 72192 c:\windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 69120 c:\windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 69120 c:\windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 8192 c:\windows\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e\IEExecRemote.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 8192 c:\windows\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e\IEExecRemote.dll
+ 2004-08-04 12:00 . 2004-08-04 12:00 3328 c:\windows\system32\drivers\pciide.sys
- 2004-08-04 12:00 . 2001-08-17 20:51 3328 c:\windows\system32\drivers\pciide.sys
+ 2010-08-22 22:04 . 2010-08-22 22:04 7168 c:\windows\assembly\GAC_MSIL\Microsoft_VsaVb\8.0.0.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 7168 c:\windows\assembly\GAC_MSIL\Microsoft_VsaVb\8.0.0.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 5632 c:\windows\assembly\GAC_MSIL\Microsoft.VisualC\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 5632 c:\windows\assembly\GAC_MSIL\Microsoft.VisualC\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 6656 c:\windows\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 6656 c:\windows\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 8192 c:\windows\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\IEExecRemote.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 8192 c:\windows\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\IEExecRemote.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 113664 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.Wrapper.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 113664 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.Wrapper.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 258048 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 258048 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll

guerro

Newbie Surfer

Posts : 32
Joined : 2010-01-17
Operating System : Win XP


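The snapshot comparison in the log above is a list of `-`/`+` lines: `-` is the file as recorded in the earlier ComboFix snapshot, `+` is the file as it exists now, each with created time, modified time, size and path. A `-`/`+` pair for one path is a replaced file, a lone `+` is a file that did not exist before. Reading hundreds of these by hand is error-prone, so here is an added example (my own code, not part of guerro's post and not ComboFix's) that pairs the lines per path, separates replaced files from newly appeared ones, checks that each `dllcache` protected copy carries the same modified time as its live `system32` counterpart, and ties a replaced file to the hotfix uninstall folder holding its previous version (the `ie7updates\KB...` folders seen in the log; the `$NtUninstallKB...$` pattern is the general XP hotfix convention and is an assumption, not something shown in this log). The sample lines are a constructed subset copied from the log above.

```python
"""Triage for ComboFix snapshot-comparison lines (added example, not ComboFix code).

Line shape:  <sign> <created> . <modified> <size> <path>
  '-'  file as recorded in the earlier snapshot
  '+'  file as it exists now
A '-'/'+' pair for one path is a replaced file; a lone '+' is a file that did
not exist before; a lone '-' is a file that disappeared.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: a subset of lines copied from the log above.
SAMPLE_LOG = r"""
- 2004-08-04 12:00 . 2010-03-11 12:38 233472 c:\windows\system32\webcheck.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 233472 c:\windows\system32\webcheck.dll
+ 2010-03-31 07:10 . 2010-03-31 07:10 295264 c:\windows\system32\PresentationHost.exe
- 2004-08-04 12:00 . 2010-03-11 12:38 233472 c:\windows\system32\dllcache\webcheck.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 233472 c:\windows\system32\dllcache\webcheck.dll
+ 2008-10-14 17:03 . 2010-06-21 15:27 354304 c:\windows\system32\dllcache\srv.sys
+ 2010-08-22 22:05 . 2010-03-11 12:38 233472 c:\windows\ie7updates\KB2183461-IE7\webcheck.dll
- 2004-08-04 12:00 . 2008-04-14 00:09 285696 c:\windows\system32\atmfd.dll
+ 2004-08-04 12:00 . 2010-04-20 05:30 285696 c:\windows\system32\atmfd.dll
+ 2010-04-20 05:30 . 2010-04-20 05:30 285696 c:\windows\system32\dllcache\atmfd.dll
"""

LINE_RE = re.compile(
    r"^([+-])\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+\.\s+"
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(\d+)\s+(.+?)\s*$"
)
SYSTEM32 = "c:\\windows\\system32\\"
DLLCACHE = SYSTEM32 + "dllcache\\"


@dataclass(frozen=True)
class Entry:
    sign: str
    created: str
    modified: str
    size: int
    path: str  # lower-cased so system32/dllcache/backup copies compare cleanly


def parse(lines):
    """Turn raw snapshot lines into Entry objects; lines that do not match are skipped."""
    entries = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if m:
            sign, created, modified, size, path = m.groups()
            entries.append(Entry(sign, created, modified, int(size), path.lower()))
    return entries


def _by_path(entries):
    grouped = defaultdict(dict)
    for e in entries:
        grouped[e.path][e.sign] = e
    return grouped


def triage(lines):
    """Split the comparison into replaced, newly appeared and vanished files."""
    replaced, new_files, removed = [], [], []
    for path, d in sorted(_by_path(parse(lines)).items()):
        if "+" in d and "-" in d:
            replaced.append((path, d["-"].modified, d["+"].modified, d["-"].size, d["+"].size))
        elif "+" in d:
            new_files.append(d["+"])
        else:
            removed.append(d["-"])
    return {"replaced": replaced, "new": new_files, "removed": removed}


def dllcache_mismatches(lines):
    """After a legitimate update the live system32 binary and its dllcache copy
    carry the same modified time; a live file that differs from its protected
    copy deserves a second look. Returns (live_path, live_modified, cache_modified)."""
    current = {e.path: e for e in parse(lines) if e.sign == "+"}
    out = []
    for path, cached in current.items():
        if not path.startswith(DLLCACHE):
            continue
        live = current.get(SYSTEM32 + path[len(DLLCACHE):])
        if live is not None and live.modified != cached.modified:
            out.append((live.path, live.modified, cached.modified))
    return sorted(out)


def update_backups(lines):
    """For each replaced file, list hotfix uninstall copies of its previous version:
    same file name, same size and the same modified time as the '-' entry. Folder
    patterns: ie7updates\\KB... (seen in the log) and $NtUninstallKB...$ (assumed XP convention)."""
    entries = parse(lines)
    backups = [e for e in entries
               if e.sign == "+" and ("updates\\kb" in e.path or "$ntuninstallkb" in e.path)]
    result = {}
    for path, d in _by_path(entries).items():
        if "+" in d and "-" in d:
            old, name = d["-"], path.rsplit("\\", 1)[-1]
            result[path] = sorted(b.path for b in backups
                                  if b.path.endswith("\\" + name)
                                  and b.modified == old.modified and b.size == old.size)
    return result


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    t = triage(lines)
    for path, old_mod, new_mod, old_size, new_size in t["replaced"]:
        print(f"replaced  {path}  {old_mod} -> {new_mod}  {old_size} -> {new_size} bytes")
    for e in t["new"]:
        print(f"new       {e.path}  modified {e.modified}  {e.size} bytes")
    for e in t["removed"]:
        print(f"removed   {e.path}")
    for path, live_mod, cache_mod in dllcache_mismatches(lines):
        print(f"MISMATCH  {path}: live {live_mod} vs dllcache {cache_mod}")
    for path, found in update_backups(lines).items():
        print(f"backup    {path}: {found or 'no hotfix copy of the old version found'}")
```

On the sample, the two webcheck.dll replacements are traced to the KB2183461-IE7 folder whose copy carries the old 2010-03-11 12:38 timestamp, which is what a Windows Update install looks like in this kind of log; atmfd.dll is replaced with no backup in the sample, and no live/dllcache mismatch is reported. Run it over the whole pasted comparison rather than the subset to get the real picture, and treat a lone `+` in system32 with no dllcache or hotfix counterpart as the thing to look up first.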

Re: Banker Fox and Win32/Nuqel need help

Post by guerro on Fri 27 Aug 2010, 1:23 pm

- 2004-08-04 12:00 . 2010-03-11 12:38 233472 c:\windows\system32\webcheck.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 233472 c:\windows\system32\webcheck.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 105984 c:\windows\system32\url.dll
- 2004-08-04 12:00 . 2010-03-11 12:38 105984 c:\windows\system32\url.dll
+ 2010-03-31 07:10 . 2010-03-31 07:10 295264 c:\windows\system32\PresentationHost.exe
+ 2004-08-04 12:00 . 2010-08-22 22:04 432686 c:\windows\system32\perfh009.dat
- 2004-08-04 12:00 . 2009-12-10 10:19 432686 c:\windows\system32\perfh009.dat
+ 2004-08-04 12:00 . 2010-06-24 12:15 102912 c:\windows\system32\occache.dll
- 2004-08-04 12:00 . 2010-03-11 12:38 102912 c:\windows\system32\occache.dll
- 2004-08-04 12:00 . 2010-03-11 12:38 671232 c:\windows\system32\mstime.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 671232 c:\windows\system32\mstime.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 193024 c:\windows\system32\msrating.dll
- 2004-08-04 12:00 . 2010-03-11 12:38 193024 c:\windows\system32\msrating.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 477696 c:\windows\system32\mshtmled.dll
- 2004-08-04 12:00 . 2010-03-11 12:38 477696 c:\windows\system32\mshtmled.dll
+ 2007-08-14 01:54 . 2010-06-24 12:15 459264 c:\windows\system32\msfeeds.dll
- 2007-08-14 01:54 . 2010-03-11 12:38 459264 c:\windows\system32\msfeeds.dll
+ 2009-11-07 08:07 . 2009-11-07 08:07 297808 c:\windows\system32\mscoree.dll
- 2007-08-14 01:34 . 2010-03-11 12:38 268288 c:\windows\system32\iertutil.dll
+ 2007-08-14 01:34 . 2010-06-24 12:15 268288 c:\windows\system32\iertutil.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 192512 c:\windows\system32\iepeers.dll
- 2004-08-04 12:00 . 2010-03-11 12:38 192512 c:\windows\system32\iepeers.dll
- 2004-08-04 12:00 . 2010-03-11 12:38 385024 c:\windows\system32\iedkcs32.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 385024 c:\windows\system32\iedkcs32.dll
- 2007-07-11 19:27 . 2010-03-11 12:38 380928 c:\windows\system32\ieapfltr.dll
+ 2007-07-11 19:27 . 2010-06-24 12:15 380928 c:\windows\system32\ieapfltr.dll
- 2004-08-04 12:00 . 2010-02-23 05:18 161792 c:\windows\system32\ieakui.dll
+ 2004-08-04 12:00 . 2010-06-17 15:11 161792 c:\windows\system32\ieakui.dll
- 2004-08-04 12:00 . 2010-03-11 12:38 230400 c:\windows\system32\ieaksie.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 230400 c:\windows\system32\ieaksie.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 153088 c:\windows\system32\ieakeng.dll
- 2004-08-04 12:00 . 2010-03-11 12:38 153088 c:\windows\system32\ieakeng.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 133120 c:\windows\system32\extmgr.dll
- 2004-08-04 12:00 . 2010-03-11 12:38 133120 c:\windows\system32\extmgr.dll
- 2004-08-04 12:00 . 2010-03-11 12:38 214528 c:\windows\system32\dxtrans.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 214528 c:\windows\system32\dxtrans.dll
- 2004-08-04 12:00 . 2010-03-11 12:38 347136 c:\windows\system32\dxtmsft.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 347136 c:\windows\system32\dxtmsft.dll
- 2004-08-04 12:00 . 2010-03-11 12:38 832512 c:\windows\system32\dllcache\wininet.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 832512 c:\windows\system32\dllcache\wininet.dll
- 2004-08-04 12:00 . 2010-03-11 12:38 233472 c:\windows\system32\dllcache\webcheck.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 233472 c:\windows\system32\dllcache\webcheck.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 105984 c:\windows\system32\dllcache\url.dll
- 2004-08-04 12:00 . 2010-03-11 12:38 105984 c:\windows\system32\dllcache\url.dll
+ 2008-10-14 17:03 . 2010-06-21 15:27 354304 c:\windows\system32\dllcache\srv.sys
+ 2008-12-05 06:54 . 2010-06-30 12:31 149504 c:\windows\system32\dllcache\schannel.dll
- 2004-08-04 12:00 . 2010-03-11 12:38 102912 c:\windows\system32\dllcache\occache.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 102912 c:\windows\system32\dllcache\occache.dll
- 2004-08-04 12:00 . 2010-03-11 12:38 671232 c:\windows\system32\dllcache\mstime.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 671232 c:\windows\system32\dllcache\mstime.dll
- 2004-08-04 12:00 . 2010-03-11 12:38 193024 c:\windows\system32\dllcache\msrating.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 193024 c:\windows\system32\dllcache\msrating.dll
- 2004-08-04 12:00 . 2010-03-11 12:38 477696 c:\windows\system32\dllcache\mshtmled.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 477696 c:\windows\system32\dllcache\mshtmled.dll
- 2008-03-15 23:30 . 2010-03-11 12:38 459264 c:\windows\system32\dllcache\msfeeds.dll
+ 2008-03-15 23:30 . 2010-06-24 12:15 459264 c:\windows\system32\dllcache\msfeeds.dll
+ 2008-03-15 22:18 . 2010-06-17 15:12 634656 c:\windows\system32\dllcache\iexplore.exe
+ 2008-03-15 23:30 . 2010-06-24 12:15 268288 c:\windows\system32\dllcache\iertutil.dll
- 2008-03-15 23:30 . 2010-03-11 12:38 268288 c:\windows\system32\dllcache\iertutil.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 192512 c:\windows\system32\dllcache\iepeers.dll
- 2004-08-04 12:00 . 2010-03-11 12:38 192512 c:\windows\system32\dllcache\iepeers.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 385024 c:\windows\system32\dllcache\iedkcs32.dll
- 2004-08-04 12:00 . 2010-03-11 12:38 385024 c:\windows\system32\dllcache\iedkcs32.dll
+ 2008-03-15 23:30 . 2010-06-24 12:15 380928 c:\windows\system32\dllcache\ieapfltr.dll
- 2008-03-15 23:30 . 2010-03-11 12:38 380928 c:\windows\system32\dllcache\ieapfltr.dll
+ 2004-08-04 12:00 . 2010-06-17 15:11 161792 c:\windows\system32\dllcache\ieakui.dll
- 2004-08-04 12:00 . 2010-02-23 05:18 161792 c:\windows\system32\dllcache\ieakui.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 230400 c:\windows\system32\dllcache\ieaksie.dll
- 2004-08-04 12:00 . 2010-03-11 12:38 230400 c:\windows\system32\dllcache\ieaksie.dll
- 2004-08-04 12:00 . 2010-03-11 12:38 153088 c:\windows\system32\dllcache\ieakeng.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 153088 c:\windows\system32\dllcache\ieakeng.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 133120 c:\windows\system32\dllcache\extmgr.dll
- 2004-08-04 12:00 . 2010-03-11 12:38 133120 c:\windows\system32\dllcache\extmgr.dll
- 2004-08-04 12:00 . 2010-03-11 12:38 214528 c:\windows\system32\dllcache\dxtrans.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 214528 c:\windows\system32\dllcache\dxtrans.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 347136 c:\windows\system32\dllcache\dxtmsft.dll
- 2004-08-04 12:00 . 2010-03-11 12:38 347136 c:\windows\system32\dllcache\dxtmsft.dll
+ 2010-04-20 05:30 . 2010-04-20 05:30 285696 c:\windows\system32\dllcache\atmfd.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 124928 c:\windows\system32\dllcache\advpack.dll
- 2004-08-04 12:00 . 2010-03-11 12:38 124928 c:\windows\system32\dllcache\advpack.dll
- 2004-08-04 12:00 . 2008-04-14 00:09 285696 c:\windows\system32\atmfd.dll
+ 2004-08-04 12:00 . 2010-04-20 05:30 285696 c:\windows\system32\atmfd.dll
- 2004-08-04 12:00 . 2010-03-11 12:38 124928 c:\windows\system32\advpack.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 124928 c:\windows\system32\advpack.dll
+ 2010-03-31 07:16 . 2010-03-31 07:16 130408 c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationHostDLL.dll
+ 2010-04-08 06:48 . 2010-04-08 06:48 970752 c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\System.Runtime.Serialization.dll
+ 2010-04-08 06:48 . 2010-04-08 06:48 110592 c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMdiagnostics.dll
- 2008-07-30 02:16 . 2008-07-30 02:16 110592 c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMdiagnostics.dll
+ 2010-03-23 12:31 . 2010-03-23 12:31 435024 c:\windows\Microsoft.NET\Framework\v2.0.50727\webengine.dll
- 2008-07-25 18:17 . 2008-07-25 18:17 258048 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Security.dll
+ 2010-02-09 19:22 . 2010-02-09 19:22 258048 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Security.dll
+ 2010-05-11 13:40 . 2010-05-11 13:40 388936 c:\windows\Microsoft.NET\Framework\v2.0.50727\SOS.dll
- 2009-08-08 06:51 . 2009-08-08 06:51 989016 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscordacwks.dll
+ 2010-05-11 13:40 . 2010-05-11 13:40 989016 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscordacwks.dll
+ 2010-02-25 07:14 . 2010-02-25 07:14 543232 c:\windows\Installer\6fb35.msp
+ 2010-08-22 22:05 . 2010-03-11 12:38 832512 c:\windows\ie7updates\KB2183461-IE7\wininet.dll
+ 2010-08-22 22:05 . 2010-03-11 12:38 233472 c:\windows\ie7updates\KB2183461-IE7\webcheck.dll
+ 2010-08-22 22:05 . 2010-03-11 12:38 105984 c:\windows\ie7updates\KB2183461-IE7\url.dll
+ 2010-08-22 22:05 . 2010-02-22 14:23 382840 c:\windows\ie7updates\KB2183461-IE7\spuninst\updspapi.dll
+ 2010-08-22 22:05 . 2010-02-22 14:23 231288 c:\windows\ie7updates\KB2183461-IE7\spuninst\spuninst.exe
+ 2010-08-22 22:05 . 2010-03-11 12:38 102912 c:\windows\ie7updates\KB2183461-IE7\occache.dll
+ 2010-08-22 22:05 . 2010-03-11 12:38 671232 c:\windows\ie7updates\KB2183461-IE7\mstime.dll
+ 2010-08-22 22:05 . 2010-03-11 12:38 193024 c:\windows\ie7updates\KB2183461-IE7\msrating.dll
+ 2010-08-22 22:05 . 2010-03-11 12:38 477696 c:\windows\ie7updates\KB2183461-IE7\mshtmled.dll
+ 2010-08-22 22:05 . 2010-03-11 12:38 459264 c:\windows\ie7updates\KB2183461-IE7\msfeeds.dll
+ 2010-08-22 22:05 . 2010-02-23 05:20 634648 c:\windows\ie7updates\KB2183461-IE7\iexplore.exe
+ 2010-08-22 22:05 . 2010-03-11 12:38 268288 c:\windows\ie7updates\KB2183461-IE7\iertutil.dll
+ 2010-08-22 22:05 . 2010-03-11 12:38 192512 c:\windows\ie7updates\KB2183461-IE7\iepeers.dll
+ 2010-08-22 22:05 . 2010-03-11 12:38 385024 c:\windows\ie7updates\KB2183461-IE7\iedkcs32.dll
+ 2010-08-22 22:05 . 2010-03-11 12:38 380928 c:\windows\ie7updates\KB2183461-IE7\ieapfltr.dll
+ 2010-08-22 22:05 . 2010-02-23 05:18 161792 c:\windows\ie7updates\KB2183461-IE7\ieakui.dll
+ 2010-08-22 22:05 . 2010-03-11 12:38 230400 c:\windows\ie7updates\KB2183461-IE7\ieaksie.dll
+ 2010-08-22 22:05 . 2010-03-11 12:38 153088 c:\windows\ie7updates\KB2183461-IE7\ieakeng.dll
+ 2010-08-22 22:05 . 2010-03-11 12:38 133120 c:\windows\ie7updates\KB2183461-IE7\extmgr.dll
+ 2010-08-22 22:05 . 2010-03-11 12:38 214528 c:\windows\ie7updates\KB2183461-IE7\dxtrans.dll
+ 2010-08-22 22:05 . 2010-03-11 12:38 347136 c:\windows\ie7updates\KB2183461-IE7\dxtmsft.dll
+ 2010-08-22 22:05 . 2010-03-11 12:38 124928 c:\windows\ie7updates\KB2183461-IE7\advpack.dll
+ 2010-08-22 23:19 . 2010-08-22 23:19 321536 c:\windows\assembly\NativeImages_v2.0.50727_32\WsatConfig\a16b8bcca59515281688ec856c034698\WsatConfig.ni.exe
+ 2010-08-22 23:08 . 2010-08-22 23:08 240128 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsFormsIntegra#\672c4d8e3c33e309c1ed90fa4cb85aba\WindowsFormsIntegration.ni.dll
+ 2010-08-22 23:08 . 2010-08-22 23:08 187904 c:\windows\assembly\NativeImages_v2.0.50727_32\UIAutomationTypes\cd91a32f4e36ccb2981c72c0d333e928\UIAutomationTypes.ni.dll
+ 2010-08-22 23:08 . 2010-08-22 23:08 447488 c:\windows\assembly\NativeImages_v2.0.50727_32\UIAutomationClient\9df760fdf8071c7b0de78f39de365e6a\UIAutomationClient.ni.dll
+ 2010-08-22 23:20 . 2010-08-22 23:20 400896 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Xml.Linq\ff53d5b5249a2841ee196294429f51cf\System.Xml.Linq.ni.dll
+ 2010-08-22 23:20 . 2010-08-22 23:20 129536 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Routing\5e16c279496a553c988c6199f0cee8aa\System.Web.Routing.ni.dll
+ 2010-08-22 23:20 . 2010-08-22 23:20 202240 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.RegularE#\d0ae809162b55e2fa958739177476af8\System.Web.RegularExpressions.ni.dll
+ 2010-08-22 23:20 . 2010-08-22 23:20 859648 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Extensio#\720b28d81e987b889180b291ea19b821\System.Web.Extensions.Design.ni.dll
+ 2010-08-22 23:20 . 2010-08-22 23:20 328704 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Entity\da36fd678161cd3444ef547c894e3f35\System.Web.Entity.ni.dll
+ 2010-08-22 23:20 . 2010-08-22 23:20 301056 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Entity.D#\49ae7c73fac8827123d5db1714c22599\System.Web.Entity.Design.ni.dll
+ 2010-08-22 23:20 . 2010-08-22 23:20 547328 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.DynamicD#\ce3aa27d3c4c052845ac5abb1374defa\System.Web.DynamicData.ni.dll
+ 2010-08-22 23:20 . 2010-08-22 23:20 141312 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Abstract#\95fab896ef2af14876e3e1524379773b\System.Web.Abstractions.ni.dll
+ 2010-08-22 23:20 . 2010-08-22 23:20 627200 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Transactions\26d5bf1f7e700c2c19aa9b1da5519b24\System.Transactions.ni.dll
+ 2010-08-22 23:20 . 2010-08-22 23:20 212992 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\8b000cc703c9d95593b516bf2c2ec316\System.ServiceProcess.ni.dll
+ 2010-08-22 23:19 . 2010-08-22 23:19 679936 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Security\75e331a5d731d8e207be07adc06dec23\System.Security.ni.dll
+ 2010-08-22 23:20 . 2010-08-22 23:20 311296 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Seri#\dd7497aa089340600c8c5af8ab421ff7\System.Runtime.Serialization.Formatters.Soap.ni.dll
+ 2010-08-22 23:20 . 2010-08-22 23:20 621056 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Net\2a080994f308f347b0497bb8804861cf\System.Net.ni.dll
+ 2010-08-22 23:20 . 2010-08-22 23:20 998400 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Management\bc1cf48ba7dc00f45d0e949c49ab677a\System.Management.ni.dll
+ 2010-08-22 23:20 . 2010-08-22 23:20 330752 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Management.I#\904fda53006680a67f917ab638be0305\System.Management.Instrumentation.ni.dll
+ 2010-08-22 23:18 . 2010-08-22 23:18 381440 c:\windows\assembly\NativeImages_v2.0.50727_32\System.IO.Log\4490976887e2e5a3b594041edbdf5064\System.IO.Log.ni.dll
+ 2010-08-22 23:19 . 2010-08-22 23:19 212992 c:\windows\assembly\NativeImages_v2.0.50727_32\System.IdentityMode#\77b9f6f6671aaaeb84c6907d467e792c\System.IdentityModel.Selectors.ni.dll
+ 2010-08-22 23:20 . 2010-08-22 23:20 280064 c:\windows\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\15724a7517f939c9b300f341fb5620b8\System.EnterpriseServices.Wrapper.dll
+ 2010-08-22 23:20 . 2010-08-22 23:20 627712 c:\windows\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\15724a7517f939c9b300f341fb5620b8\System.EnterpriseServices.ni.dll
+ 2010-08-22 22:06 . 2010-08-22 22:06 208384 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Drawing.Desi#\90199b4aa63b1b9c8ed0c3de16eec824\System.Drawing.Design.ni.dll
+ 2010-08-22 23:20 . 2010-08-22 23:20 881152 c:\windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\849e98c9f428a12cb581320a23f69dbd\System.DirectoryServices.AccountManagement.ni.dll
+ 2010-08-22 23:20 . 2010-08-22 23:20 455680 c:\windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\7a823a4f61cf8c86aad02559f8fed07b\System.DirectoryServices.Protocols.ni.dll
+ 2010-08-22 23:20 . 2010-08-22 23:20 354816 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Service#\ad95820d2e29e8d55c0d8a838214c6e5\System.Data.Services.Design.ni.dll
+ 2010-08-22 23:20 . 2010-08-22 23:20 939008 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Service#\617acb0d900bdde947ec79f7b5ccc183\System.Data.Services.Client.ni.dll
+ 2010-08-22 23:20 . 2010-08-22 23:20 756736 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Entity.#\488c4017d45e861644a34fae557aa80f\System.Data.Entity.Design.ni.dll
+ 2010-08-22 23:19 . 2010-08-22 23:19 135680 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.DataSet#\41345e34f26854fc1878eae3e4d5d4a5\System.Data.DataSetExtensions.ni.dll
+ 2010-08-22 23:19 . 2010-08-22 23:19 971264 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\ab688d0f9f333ba117832726bfb589c1\System.Configuration.ni.dll
+ 2010-08-22 23:20 . 2010-08-22 23:20 141312 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Configuratio#\b48677ab9aa7a6830785f67b8478b4da\System.Configuration.Install.ni.dll
+ 2010-08-22 23:19 . 2010-08-22 23:19 633856 c:\windows\assembly\NativeImages_v2.0.50727_32\System.AddIn\93a0958d5557e2b380647af0171ad354\System.AddIn.ni.dll
+ 2010-08-22 23:19 . 2010-08-22 23:19 366080 c:\windows\assembly\NativeImages_v2.0.50727_32\SMSvcHost\d0758f84e927e3f0a15a6cde1b96d835\SMSvcHost.ni.exe
+ 2010-08-22 23:19 . 2010-08-22 23:19 256000 c:\windows\assembly\NativeImages_v2.0.50727_32\SMDiagnostics\8043a108e3bb2d3dcc84b547b8085e99\SMDiagnostics.ni.dll
+ 2010-08-22 23:19 . 2010-08-22 23:19 320512 c:\windows\assembly\NativeImages_v2.0.50727_32\ServiceModelReg\5aeb40ff7128df2881fb03c01d070b20\ServiceModelReg.ni.exe
+ 2010-08-22 22:05 . 2010-08-22 22:05 368128 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\e7e7321956e6822b1bf3691c35c842f6\PresentationFramework.Aero.ni.dll
+ 2010-08-22 22:05 . 2010-08-22 22:05 258048 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\a14488afff027f0f2985e659449097f5\PresentationFramework.Royale.ni.dll
+ 2010-08-22 22:05 . 2010-08-22 22:05 224768 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\787e60c5dd562cb45887080095d2a3b7\PresentationFramework.Classic.ni.dll
+ 2010-08-22 22:05 . 2010-08-22 22:05 539648 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\2313ccc125dcb6a9800048ec1c51ec12\PresentationFramework.Luna.ni.dll
+ 2010-08-22 23:19 . 2010-08-22 23:19 133632 c:\windows\assembly\NativeImages_v2.0.50727_32\MSBuild\5db9c32d9f352162e6da220ca463db0d\MSBuild.ni.exe
+ 2010-08-22 23:19 . 2010-08-22 23:19 386560 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Transacti#\fcf975f74bd134d8e0fa8f37c5bc6a8c\Microsoft.Transactions.Bridge.Dtc.ni.dll
+ 2010-08-22 23:19 . 2010-08-22 23:19 144384 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Uti#\d6b9038136600fbfbbbd7460dc19da19\Microsoft.Build.Utilities.ni.dll
+ 2010-08-22 23:19 . 2010-08-22 23:19 175104 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Uti#\585cc7218599e7806521d0e737ba5ffb\Microsoft.Build.Utilities.v3.5.ni.dll
+ 2010-08-22 23:19 . 2010-08-22 23:19 839680 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Eng#\3057ec53731286e69e389d103c32fa41\Microsoft.Build.Engine.ni.dll
+ 2010-08-22 23:19 . 2010-08-22 23:19 222720 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Con#\914e338ac6e92714f3e32ae5d89bf03b\Microsoft.Build.Conversion.v3.5.ni.dll
+ 2010-08-22 23:19 . 2010-08-22 23:19 220672 c:\windows\assembly\NativeImages_v2.0.50727_32\CustomMarshalers\12ae6f3635448471fc9f7d8bfe39c67d\CustomMarshalers.ni.dll
+ 2010-08-22 23:19 . 2010-08-22 23:19 410112 c:\windows\assembly\NativeImages_v2.0.50727_32\ComSvcConfig\daca3c9ad6d867d3fec70d14b4f20cf3\ComSvcConfig.ni.exe
+ 2010-08-22 23:19 . 2010-08-22 23:19 842240 c:\windows\assembly\NativeImages_v2.0.50727_32\AspNetMMCExt\56aec0938ef1bbdeca65b07a5fe8cd39\AspNetMMCExt.ni.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 839680 c:\windows\assembly\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\System.Web.Services.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 839680 c:\windows\assembly\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\System.Web.Services.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 835584 c:\windows\assembly\GAC_MSIL\System.Web.Mobile\2.0.0.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 835584 c:\windows\assembly\GAC_MSIL\System.Web.Mobile\2.0.0.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 114688 c:\windows\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 114688 c:\windows\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 258048 c:\windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 258048 c:\windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll
+ 2010-08-22 21:59 . 2010-08-22 21:59 970752 c:\windows\assembly\GAC_MSIL\System.Runtime.Serialization\3.0.0.0__b77a5c561934e089\System.Runtime.Serialization.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 131072 c:\windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 131072 c:\windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 303104 c:\windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 303104 c:\windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 258048 c:\windows\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 258048 c:\windows\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 372736 c:\windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 372736 c:\windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
+ 2010-08-22 21:59 . 2010-08-22 21:59 438272 c:\windows\assembly\GAC_MSIL\System.IdentityModel\3.0.0.0__b77a5c561934e089\System.IdentityModel.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 626688 c:\windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 626688 c:\windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 401408 c:\windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 401408 c:\windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 188416 c:\windows\assembly\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 188416 c:\windows\assembly\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 970752 c:\windows\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 970752 c:\windows\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 745472 c:\windows\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 745472 c:\windows\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 425984 c:\windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 425984 c:\windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 110592 c:\windows\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 110592 c:\windows\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll
- 2009-08-08 22:37 . 2009-08-08 22:37 110592 c:\windows\assembly\GAC_MSIL\SMDiagnostics\3.0.0.0__b77a5c561934e089\SMdiagnostics.dll
+ 2010-08-22 21:59 . 2010-08-22 21:59 110592 c:\windows\assembly\GAC_MSIL\SMDiagnostics\3.0.0.0__b77a5c561934e089\SMdiagnostics.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 659456 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 659456 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 372736 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 372736 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 110592 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 110592 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 749568 c:\windows\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 749568 c:\windows\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 655360 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 655360 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 348160 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 348160 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 507904 c:\windows\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 507904 c:\windows\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 261632 c:\windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 261632 c:\windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 113664 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 113664 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 258048 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 258048 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 486400 c:\windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 486400 c:\windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll
+ 2004-08-04 12:00 . 2010-04-06 11:52 2462720 c:\windows\system32\WMVCore.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 1168384 c:\windows\system32\urlmon.dll
- 2004-08-04 12:00 . 2010-03-11 12:38 1168384 c:\windows\system32\urlmon.dll
+ 2004-08-04 12:00 . 2010-07-27 06:30 8462336 c:\windows\system32\shell32.dll
+ 2004-08-04 12:00 . 2010-02-05 18:27 1291776 c:\windows\system32\quartz.dll
- 2004-08-04 12:00 . 2009-11-27 17:11 1291776 c:\windows\system32\quartz.dll
+ 2004-08-04 12:00 . 2010-04-27 13:59 2146304 c:\windows\system32\ntoskrnl.exe
- 2004-08-04 12:00 . 2010-02-16 14:08 2146304 c:\windows\system32\ntoskrnl.exe
- 2004-08-03 22:59 . 2010-02-16 13:25 2024448 c:\windows\system32\ntkrnlpa.exe
+ 2004-08-03 22:59 . 2010-04-27 13:05 2024448 c:\windows\system32\ntkrnlpa.exe
+ 2004-08-04 12:00 . 2010-06-24 12:15 3600896 c:\windows\system32\mshtml.dll
- 2007-08-14 01:54 . 2010-03-11 12:38 6067200 c:\windows\system32\ieframe.dll
+ 2007-08-14 01:54 . 2010-06-24 12:15 6067200 c:\windows\system32\ieframe.dll
+ 2004-08-04 12:00 . 2010-04-06 11:52 2462720 c:\windows\system32\dllcache\WMVCore.dll
+ 2008-10-14 17:03 . 2010-06-23 13:44 1851904 c:\windows\system32\dllcache\win32k.sys
+ 2004-08-04 12:00 . 2010-06-24 12:15 1168384 c:\windows\system32\dllcache\urlmon.dll
- 2004-08-04 12:00 . 2010-03-11 12:38 1168384 c:\windows\system32\dllcache\urlmon.dll
+ 2008-06-17 19:02 . 2010-07-27 06:30 8462336 c:\windows\system32\dllcache\shell32.dll
- 2008-05-07 05:12 . 2009-11-27 17:11 1291776 c:\windows\system32\dllcache\quartz.dll
+ 2008-05-07 05:12 . 2010-02-05 18:27 1291776 c:\windows\system32\dllcache\quartz.dll
+ 2008-10-14 17:03 . 2010-04-28 02:25 2189952 c:\windows\system32\dllcache\ntoskrnl.exe
- 2008-10-14 17:03 . 2010-02-17 16:10 2189952 c:\windows\system32\dllcache\ntoskrnl.exe
- 2008-10-14 17:03 . 2010-02-16 13:25 2024448 c:\windows\system32\dllcache\ntkrpamp.exe
+ 2008-10-14 17:03 . 2010-04-27 13:05 2024448 c:\windows\system32\dllcache\ntkrpamp.exe
- 2008-10-14 17:03 . 2010-02-16 13:25 2066816 c:\windows\system32\dllcache\ntkrnlpa.exe
+ 2008-10-14 17:03 . 2010-04-27 13:05 2066816 c:\windows\system32\dllcache\ntkrnlpa.exe
+ 2008-10-14 17:03 . 2010-04-27 13:59 2146304 c:\windows\system32\dllcache\ntkrnlmp.exe
- 2008-10-14 17:03 . 2010-02-16 14:08 2146304 c:\windows\system32\dllcache\ntkrnlmp.exe
- 2008-11-12 05:19 . 2009-07-31 04:35 1172480 c:\windows\system32\dllcache\msxml3.dll
+ 2008-11-12 05:19 . 2010-06-14 07:41 1172480 c:\windows\system32\dllcache\msxml3.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 3600896 c:\windows\system32\dllcache\mshtml.dll
+ 2010-03-11 00:13 . 2010-06-18 13:36 3558912 c:\windows\system32\dllcache\moviemk.exe
- 2010-03-11 00:13 . 2009-10-23 15:28 3558912 c:\windows\system32\dllcache\moviemk.exe
- 2008-03-15 23:30 . 2010-03-11 12:38 6067200 c:\windows\system32\dllcache\ieframe.dll
+ 2008-03-15 23:30 . 2010-06-24 12:15 6067200 c:\windows\system32\dllcache\ieframe.dll
+ 2009-11-07 08:06 . 2009-11-07 08:06 1130824 c:\windows\system32\dfshim.dll
+ 2010-04-08 06:48 . 2010-04-08 06:48 5967872 c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\System.ServiceModel.dll
- 2008-11-25 11:59 . 2008-11-25 11:59 5242880 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Web.dll
+ 2010-03-23 12:32 . 2010-03-23 12:32 5242880 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Web.dll
+ 2010-03-23 12:32 . 2010-03-23 12:32 3182592 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.dll
+ 2010-05-11 13:40 . 2010-05-11 13:40 5812560 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
- 2009-08-08 06:51 . 2009-08-08 06:51 5812560 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
+ 2010-05-11 13:40 . 2010-05-11 13:40 4550656 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorlib.dll
+ 2009-11-09 07:25 . 2009-11-09 07:25 1935360 c:\windows\Installer\6fb87.msp
+ 2010-04-12 05:17 . 2010-04-12 05:17 2607104 c:\windows\Installer\6fb46.msp
+ 2010-04-12 05:17 . 2010-04-12 05:17 4210688 c:\windows\Installer\6fb45.msp
+ 2010-08-22 22:05 . 2010-03-11 12:38 1168384 c:\windows\ie7updates\KB2183461-IE7\urlmon.dll
+ 2010-08-22 22:05 . 2010-03-11 12:38 3599872 c:\windows\ie7updates\KB2183461-IE7\mshtml.dll
+ 2010-08-22 22:05 . 2010-03-11 12:38 6067200 c:\windows\ie7updates\KB2183461-IE7\ieframe.dll
+ 2008-10-14 17:03 . 2010-04-28 02:25 2189952 c:\windows\Driver Cache\i386\ntoskrnl.exe
- 2008-10-14 17:03 . 2010-02-17 16:10 2189952 c:\windows\Driver Cache\i386\ntoskrnl.exe
- 2008-10-14 17:03 . 2010-02-16 13:25 2024448 c:\windows\Driver Cache\i386\ntkrpamp.exe
+ 2008-10-14 17:03 . 2010-04-27 13:05 2024448 c:\windows\Driver Cache\i386\ntkrpamp.exe
+ 2008-10-14 17:03 . 2010-04-27 13:05 2066816 c:\windows\Driver Cache\i386\ntkrnlpa.exe
- 2008-10-14 17:03 . 2010-02-16 13:25 2066816 c:\windows\Driver Cache\i386\ntkrnlpa.exe
- 2008-10-14 17:03 . 2010-02-16 14:08 2146304 c:\windows\Driver Cache\i386\ntkrnlmp.exe
+ 2008-10-14 17:03 . 2010-04-27 13:59 2146304 c:\windows\Driver Cache\i386\ntkrnlmp.exe
+ 2009-08-08 22:37 . 2009-08-08 22:37 1245184 c:\windows\assembly\temp\KBAZYNMR6F\WindowsBase.dll
+ 2009-08-08 22:40 . 2009-08-08 22:40 5283840 c:\windows\assembly\temp\ITSHG5IB0T\PresentationFramework.dll
+ 2009-08-08 22:37 . 2009-08-08 22:37 4210688 c:\windows\assembly\temp\GJ6ZSHG5YN\PresentationCore.dll
+ 2010-08-22 22:05 . 2010-08-22 22:05 3325440 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsBase\cec7ecb8eac09dd630d180ce87d23b80\WindowsBase.ni.dll
+ 2010-08-22 22:03 . 2010-08-22 22:03 3313664 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsBase\3b743d968b43ce8025fccd58c251e4c4\WindowsBase.ni.dll
+ 2010-08-22 23:08 . 2010-08-22 23:08 1049600 c:\windows\assembly\NativeImages_v2.0.50727_32\UIAutomationClients#\b7f6e7b265f9aae807ddc4284563e550\UIAutomationClientsideProviders.ni.dll
+ 2010-08-22 21:58 . 2010-08-22 21:58 1595392 c:\windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP103.tmp\PresentationUI.dll
+ 2010-08-22 22:03 . 2010-08-22 22:03 7949824 c:\windows\assembly\NativeImages_v2.0.50727_32\System\08ffa4d388d5f007869aa7651c458e7c\System.ni.dll
+ 2010-08-22 23:08 . 2010-08-22 23:08 5450752 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Xml\a6dbe24cbfe3ab6b318ed3095cc572d8\System.Xml.ni.dll
+ 2010-08-22 23:20 . 2010-08-22 23:20 1356288 c:\windows\assembly\NativeImages_v2.0.50727_32\System.WorkflowServ#\60b3c9a63b2065a6952d16256545c25d\System.WorkflowServices.ni.dll
+ 2010-08-22 23:20 . 2010-08-22 23:20 1908224 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Run#\5cc2a23ce8ac371c7a97b5e542ee27ed\System.Workflow.Runtime.ni.dll
+ 2010-08-22 23:20 . 2010-08-22 23:20 4514304 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Com#\c0aabf67e7ef98dc10c3e174c136731b\System.Workflow.ComponentModel.ni.dll
+ 2010-08-22 23:20 . 2010-08-22 23:20 2992640 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Act#\66682c8a064608ba4ffd0463cf09aef9\System.Workflow.Activities.ni.dll
+ 2010-08-22 23:20 . 2010-08-22 23:20 1840640 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Services\2d662564b8d9c57a34c588cc2970902b\System.Web.Services.ni.dll
+ 2010-08-22 23:20 . 2010-08-22 23:20 2209280 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Mobile\9b455702c9b7b02c5708406f87986751\System.Web.Mobile.ni.dll
+ 2010-08-22 23:20 . 2010-08-22 23:20 2403328 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Extensio#\49c7a1c78ed9502ba97c11e6bd993f63\System.Web.Extensions.ni.dll
+ 2010-08-22 23:08 . 2010-08-22 23:08 1917952 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Speech\5eb08849d17b272ed2a393420cb0305b\System.Speech.ni.dll
+ 2010-08-22 23:20 . 2010-08-22 23:20 1706496 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceModel#\f5790a1b7b41e7b8d05f01b549c80f39\System.ServiceModel.Web.ni.dll
+ 2010-08-22 23:18 . 2010-08-22 23:18 2345472 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Seri#\8061a0f5c1c2ee0549e19224352f67fa\System.Runtime.Serialization.ni.dll
+ 2010-08-22 23:08 . 2010-08-22 23:08 1035776 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Printing\99767d4df92b83fdfb06012512722ec1\System.Printing.ni.dll
+ 2010-08-22 23:18 . 2010-08-22 23:18 1070080 c:\windows\assembly\NativeImages_v2.0.50727_32\System.IdentityModel\0885f31c21b796465fde6297dba20981\System.IdentityModel.ni.dll
+ 2010-08-22 22:06 . 2010-08-22 22:06 1587200 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\dcc0244092fe52e6885b50be25ef3b31\System.Drawing.ni.dll
+ 2010-08-22 23:20 . 2010-08-22 23:20 1116672 c:\windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\d20b7e58607ddb1ded9b687627ae8c21\System.DirectoryServices.ni.dll
+ 2010-08-22 23:20 . 2010-08-22 23:20 1801216 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Deployment\daa33674d4250e38a24b70180d209ac8\System.Deployment.ni.dll
+ 2010-08-22 22:05 . 2010-08-22 22:05 6616576 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data\f04ef00e652a8655a717639e8aeb7b63\System.Data.ni.dll
+ 2010-08-22 23:19 . 2010-08-22 23:19 2510336 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.SqlXml\f0470c2be4e6bb1dadbeed43e4e8af5c\System.Data.SqlXml.ni.dll
+ 2010-08-22 23:20 . 2010-08-22 23:20 1328128 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Services\23cf0498f2ebe4c8ffa5cc79efca2dc5\System.Data.Services.ni.dll
+ 2010-08-22 22:05 . 2010-08-22 22:05 2516480 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Linq\c18c236a09e715138daec2e25be205bb\System.Data.Linq.ni.dll
+ 2010-08-22 23:20 . 2010-08-22 23:20 9924096 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Entity\6ce886492d9b6a34555be3f328682ec2\System.Data.Entity.ni.dll
+ 2010-08-22 22:05 . 2010-08-22 22:05 2295296 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Core\faeda674832135a080bc73eda51813ff\System.Core.ni.dll
+ 2010-08-22 22:05 . 2010-08-22 22:05 2128896 c:\windows\assembly\NativeImages_v2.0.50727_32\ReachFramework\3e85c3d63ce3c3f37061aa626feb2a52\ReachFramework.ni.dll
+ 2010-08-22 22:05 . 2010-08-22 22:05 1657856 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationUI\bf67db30179ff6e8cb1bdbaa290d122e\PresentationUI.ni.dll
+ 2010-08-22 22:03 . 2010-08-22 22:03 1451008 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationBuildTa#\835786d8a0caabae09ad440f6e3abfc6\PresentationBuildTasks.ni.dll
+ 2010-08-22 23:19 . 2010-08-22 23:19 1712128 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\9732a7c993055f82040642966db07ccf\Microsoft.VisualBasic.ni.dll
+ 2010-08-22 23:19 . 2010-08-22 23:19 1093120 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Transacti#\773d7bf69a9a0c0556aa41f53e75ab05\Microsoft.Transactions.Bridge.ni.dll
+ 2010-08-22 23:20 . 2010-08-22 23:20 2332160 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.JScript\16ff33f07efdb9da2a18e27585c604be\Microsoft.JScript.ni.dll
+ 2010-08-22 23:19 . 2010-08-22 23:19 1620992 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Tas#\d0fb91b296616a1a844bf265947018ee\Microsoft.Build.Tasks.ni.dll
+ 2010-08-22 23:19 . 2010-08-22 23:19 1966080 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Tas#\892e993c8df1c75081113131dc429c15\Microsoft.Build.Tasks.v3.5.ni.dll
+ 2010-08-22 23:19 . 2010-08-22 23:19 1888768 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Eng#\d0beebd2c9045158cdcd4bd5987b717b\Microsoft.Build.Engine.ni.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 1249280 c:\windows\assembly\GAC_MSIL\WindowsBase\3.0.0.0__31bf3856ad364e35\WindowsBase.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 3182592 c:\windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 2048000 c:\windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 2048000 c:\windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 5025792 c:\windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 5025792 c:\windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
+ 2010-08-22 21:59 . 2010-08-22 21:59 5967872 c:\windows\assembly\GAC_MSIL\System.ServiceModel\3.0.0.0__b77a5c561934e089\System.ServiceModel.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 5062656 c:\windows\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 5062656 c:\windows\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 5279744 c:\windows\assembly\GAC_MSIL\PresentationFramework\3.0.0.0__31bf3856ad364e35\PresentationFramework.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 5242880 c:\windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 5242880 c:\windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 2933248 c:\windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 2933248 c:\windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
- 2009-08-08 22:37 . 2009-08-08 22:37 4210688 c:\windows\assembly\GAC_32\PresentationCore\3.0.0.0__31bf3856ad364e35\PresentationCore.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 4210688 c:\windows\assembly\GAC_32\PresentationCore\3.0.0.0__31bf3856ad364e35\PresentationCore.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 4550656 c:\windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
+ 2008-03-15 23:29 . 2010-08-03 18:09 35962312 c:\windows\system32\MRT.exe
+ 2010-03-31 08:23 . 2010-03-31 08:23 15638528 c:\windows\Installer\6fb98.msp
+ 2010-05-19 20:08 . 2010-05-19 20:08 11408896 c:\windows\Installer\6fb68.msp
+ 2010-04-12 05:17 . 2010-04-12 05:17 14599680 c:\windows\Installer\6fb59.msp
+ 2010-08-22 23:08 . 2010-08-22 23:08 12430848 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\439c466b60614915587c5273eaf0ca7f\System.Windows.Forms.ni.dll
+ 2010-08-22 23:20 . 2010-08-22 23:20 11798016 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web\411a627d6f5cb83509332253406988e5\System.Web.ni.dll
+ 2010-08-22 23:19 . 2010-08-22 23:19 17403904 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceModel\f523a69e7c93ee4f245c996eac4b3a57\System.ServiceModel.ni.dll
+ 2010-08-22 22:06 . 2010-08-22 22:06 10683392 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Design\b307acf63075b997d02a97a7492d0d9c\System.Design.ni.dll
+ 2010-08-22 22:05 . 2010-08-22 22:05 14328320 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\a632f3ef85ffd35341b383eed577cb93\PresentationFramework.ni.dll
+ 2010-08-22 22:05 . 2010-08-22 22:05 12215808 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationCore\f00db8db51f5707c7fe52c0683dc6136\PresentationCore.ni.dll
+ 2010-08-22 22:03 . 2010-08-22 22:03 12216320 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationCore\a6d35f1f179b6bc42bf2b3c4506fbb03\PresentationCore.ni.dll
+ 2010-08-22 22:03 . 2010-08-22 22:03 11490816 c:\windows\assembly\NativeImages_v2.0.50727_32\mscorlib\7bffd7ff2009f421fe5d229927588496\mscorlib.ni.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 868352]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2007-03-21 1953792]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-19 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
ASUS WiFi-AP Solo.lnk - c:\program files\ASUS WiFi-AP Solo\RtWLan.exe [2008-3-15 987136]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-7-18 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 09:42 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

S3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [3/15/2008 3:43 PM 176128]
.
Contents of the 'Scheduled Tasks' folder

2010-08-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:34]
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\documents and settings\Media\Application Data\Mozilla\Firefox\Profiles\1hx4ckko.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Google
FF - user.js: browser.search.order.1 - Google
FF - user.js: keyword.URL - [You must be registered and logged in to see this link.]
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-08-26 19:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(596)
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(4052)
c:\windows\system32\WININET.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-08-26 19:18:21
ComboFix-quarantined-files.txt 2010-08-27 02:18
ComboFix2.txt 2010-08-24 01:51
ComboFix3.txt 2010-08-22 21:51
ComboFix4.txt 2010-08-21 15:55
ComboFix5.txt 2010-08-27 02:13

Pre-Run: 587,481,444,352 bytes free
Post-Run: 587,463,733,248 bytes free

- - End Of File - - EC076E5351E0D29E5A288A38955F07FE

guerro

Newbie Surfer

Posts : 32
Joined : 2010-01-17
Operating System : Win XP

Re: Banker Fox and Win32/Nuqel need help

Post by DragonMaster Jay on Sat 28 Aug 2010, 7:05 am

Please download MBRCheck.exe by a_d_13 from one of the links provided below and save it to your desktop.
    Link 1
    Link 2
    Link 3

  • Double-click on MBRCheck.exe to run it.
  • It will open a black window...please do not fix anything (if it gives you an option).
  • When complete, you should see Done! Press ENTER to exit.... Press Enter on the keyboard.
  • A log named MBRCheck_date_time.txt (i.e. MBRCheck_07.21.10_10.22.51.txt) will appear on the desktop.
  • Please copy and paste the contents of that log in your next reply.


==================================

ESET Online Scan

Please run a free online scan with the ESET Online Scanner
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

~DMJ
GeekPolice Academy Manager

DragonMaster Jay

Manager | Tech Officer

Posts : 13451
Joined : 2009-09-07
Operating System : Windows 7 Ultimate

http://www.twitter.com/jaypfoutz

Re: Banker Fox and Win32/Nuqel need help

Post by guerro on Sat 28 Aug 2010, 10:04 am

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x000006fd

Kernel Drivers (total 137):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E4000 \WINDOWS\system32\hal.dll
0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
0xB9F79000 ACPI.sys
0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xB9F68000 pci.sys
0xBA0A8000 isapnp.sys
0xBA0B8000 ohci1394.sys
0xBA0C8000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xBA670000 pciide.sys
0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xBA0D8000 MountMgr.sys
0xB9F49000 ftdisk.sys
0xBA5AC000 dmload.sys
0xB9F23000 dmio.sys
0xBA330000 PartMgr.sys
0xBA0E8000 VolSnap.sys
0xB9F0B000 atapi.sys
0xBA0F8000 jraid.sys
0xB9EF3000 \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
0xBA108000 disk.sys
0xBA118000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB9ED3000 fltmgr.sys
0xB9EC1000 sr.sys
0xB9EAA000 KSecDD.sys
0xB9E1D000 Ntfs.sys
0xB9DF0000 NDIS.sys
0xBA128000 Combo-Fix.sys
0xB9DD6000 Mup.sys
0xBA5AE000 JGOGO.sys
0xBA288000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xB96B9000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
0xB96A5000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xB967D000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xBA3E0000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB9659000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xBA3E8000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xBA298000 \SystemRoot\system32\DRIVERS\imapi.sys
0xBA2A8000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xBA2B8000 \SystemRoot\system32\DRIVERS\redbook.sys
0xB9636000 \SystemRoot\system32\DRIVERS\ks.sys
0xBA3F0000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
0xB95F9000 \SystemRoot\system32\DRIVERS\yk51x86.sys
0xBA2C8000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xBA3F8000 \SystemRoot\system32\DRIVERS\fdc.sys
0xBA5BC000 \SystemRoot\system32\DRIVERS\ASACPI.sys
0xBA2D8000 \SystemRoot\system32\DRIVERS\serial.sys
0xBA570000 \SystemRoot\system32\DRIVERS\serenum.sys
0xBA574000 \SystemRoot\system32\DRIVERS\L8042Kbd.sys
0xBA400000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xBA7E4000 \SystemRoot\system32\DRIVERS\audstub.sys
0xBA2F8000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xBA578000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB95E2000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xBA308000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xBA318000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xBA408000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB95D1000 \SystemRoot\system32\DRIVERS\psched.sys
0xBA198000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xB950D000 \SystemRoot\System32\drivers\dmboot.sys
0xBA410000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xBA418000 \SystemRoot\system32\DRIVERS\raspti.sys
0xB94B5000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xBA1A8000 \SystemRoot\system32\DRIVERS\termdd.sys
0xBA420000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xBA5BE000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB9457000 \SystemRoot\system32\DRIVERS\update.sys
0xBA594000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xBA1B8000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xAD3F3000 \SystemRoot\system32\drivers\AtiHdAud.sys
0xAD3CF000 \SystemRoot\system32\drivers\portcls.sys
0xBA1E8000 \SystemRoot\system32\drivers\drmk.sys
0xBA1F8000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xBA5C2000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xAD2E3000 \SystemRoot\system32\drivers\ADIHdAud.sys
0xAD2CC000 \SystemRoot\system32\drivers\AEAudio.sys
0xAD26C000 \SystemRoot\system32\drivers\Senfilt.sys
0xBA450000 \SystemRoot\system32\DRIVERS\flpydisk.sys
0xBA5D4000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xBA6E4000 \SystemRoot\System32\Drivers\Null.SYS
0xBA5D6000 \SystemRoot\System32\Drivers\Beep.SYS
0xB995B000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xBA468000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xBA470000 \SystemRoot\System32\drivers\vga.sys
0xBA5D8000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xBA5DA000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xBA478000 \SystemRoot\System32\Drivers\Msfs.SYS
0xBA480000 \SystemRoot\System32\Drivers\Npfs.SYS
0xB9505000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xAD211000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xAD1B8000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xB994B000 \SystemRoot\system32\drivers\mfetdik.sys
0xAD192000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xAD16A000 \SystemRoot\system32\DRIVERS\netbt.sys
0xAD148000 \SystemRoot\System32\drivers\afd.sys
0xBA488000 \??\C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys
0xB993B000 \SystemRoot\System32\Drivers\Fips.SYS
0xB94E9000 \??\C:\WINDOWS\system32\BUFADPT.SYS
0xBA490000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xB944F000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xB991B000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xBA498000 \SystemRoot\system32\DRIVERS\LHidFilt.Sys
0xB990B000 \SystemRoot\system32\DRIVERS\WDFLDR.SYS
0xAD0CD000 \SystemRoot\system32\DRIVERS\Wdf01000.sys
0xB944B000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xBA4A8000 \SystemRoot\system32\DRIVERS\LMouFilt.Sys
0xB943B000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xB98FB000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xAD08D000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xBA5F0000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xB9D8E000 \SystemRoot\System32\drivers\Dxapi.sys
0xBA340000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xBA75C000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\ati2dvag.dll
0xBF057000 \SystemRoot\System32\ati2cqag.dll
0xBF0B1000 \SystemRoot\System32\atikvmag.dll
0xBF101000 \SystemRoot\System32\atiok3x2.dll
0xBF112000 \SystemRoot\System32\ati3duag.dll
0xBF3DC000 \SystemRoot\System32\ativvaxx.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xBA3C0000 \SystemRoot\system32\DRIVERS\AegisP.sys
0xAAD6C000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xAAA17000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xAA6CF000 \SystemRoot\system32\drivers\mfehidk.sys
0xBA438000 \SystemRoot\system32\drivers\mfebopk.sys
0xAA8B7000 \SystemRoot\system32\drivers\mfeapfk.sys
0xAA692000 \SystemRoot\system32\drivers\wdmaud.sys
0xAA837000 \SystemRoot\system32\drivers\sysaudio.sys
0xAA95F000 \SystemRoot\system32\drivers\mfeavfk.sys
0xBA460000 \??\C:\DOCUME~1\Media\LOCALS~1\Temp\mbr.sys
0xA9EF3000 \SystemRoot\System32\Drivers\HTTP.sys
0xAA2C4000 \??\C:\combo-fix25909c\catchme.sys
0xBA5FE000 \??\C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 42):
0 System Idle Process
4 System
508 C:\WINDOWS\system32\smss.exe
568 csrss.exe
596 C:\WINDOWS\system32\winlogon.exe
640 C:\WINDOWS\system32\services.exe
652 C:\WINDOWS\system32\lsass.exe
824 C:\WINDOWS\system32\ati2evxx.exe
840 C:\WINDOWS\system32\svchost.exe
912 svchost.exe
1024 C:\WINDOWS\system32\svchost.exe
1156 svchost.exe
1232 svchost.exe
1356 C:\WINDOWS\system32\ati2evxx.exe
1380 C:\WINDOWS\system32\spoolsv.exe
1576 svchost.exe
1680 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
1804 C:\Program Files\Bonjour\mDNSResponder.exe
1888 C:\Program Files\Java\jre6\bin\jqs.exe
1900 C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
1968 C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
2028 C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
460 naPrdMgr.exe
488 C:\WINDOWS\system32\svchost.exe
2108 alg.exe
2476 C:\WINDOWS\system32\wscntfy.exe
2664 C:\Program Files\Analog Devices\Core\smax4pnp.exe
2764 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
2804 C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
2824 C:\Program Files\Network Associates\Common Framework\Mctray.exe
2864 C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe
2932 C:\Program Files\Common Files\Java\Java Update\jusched.exe
2984 C:\Program Files\iTunes\iTunesHelper.exe
2996 C:\Program Files\ASUS WiFi-AP Solo\RtWLan.exe
3004 C:\Program Files\Logitech\SetPoint\SetPoint.exe
3156 C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
3464 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
3720 C:\Program Files\iPod\bin\iPodService.exe
4052 C:\WINDOWS\explorer.exe
3604 C:\WINDOWS\system32\notepad.exe
2172 C:\Program Files\Mozilla Firefox\firefox.exe
1852 C:\Documents and Settings\Media\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\F: --> \\.\PhysicalDrive2 at offset 0x00000000`00007e00 (NTFS)
\\.\G: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)
\\.\H: --> \\.\PhysicalDrive3 at offset 0x00000000`00007e00 (NTFS)
\\.\J: --> \\.\PhysicalDrive4 at offset 0x00000000`00007e00 (NTFS)
\\.\K: --> \\.\PhysicalDrive5 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: SAMSUNGHD753LJ, Rev: 1AA01107
PhysicalDrive2 Model Number: SAMSUNGHD753LJ, Rev: 1AA01107
PhysicalDrive1 Model Number: SAMSUNGHD753LJ, Rev: 1AA01107
PhysicalDrive3 Model Number: SAMSUNGHD753LJ, Rev: 1AA01107
PhysicalDrive4 Model Number: SAMSUNGHD103UJ, Rev: 1AA01113
PhysicalDrive5 Model Number: SAMSUNGHD103UJ, Rev: 1AA01113

Size Device Name MBR Status
--------------------------------------------
698 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
698 GB \\.\PhysicalDrive2 Unknown MBR code
SHA1: 639AC5CDF8A5CF3245975932C6A4215450A7B98F
698 GB \\.\PhysicalDrive1 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
698 GB \\.\PhysicalDrive3 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
931 GB \\.\PhysicalDrive4 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
931 GB \\.\PhysicalDrive5 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!

guerro

Newbie Surfer

Posts : 32
Joined : 2010-01-17
Operating System : Win XP
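The MBRCheck log above reports PhysicalDrive2 as "Unknown MBR code" while the other five drives all carry the same SHA1, even though their partition tables differ: the tool is hashing the bootstrap code of the first sector and comparing it with an allowlist of known Windows loaders. The following is an added example, not MBRCheck's code and not anything posted in this thread, showing how such an allowlist check works on constructed 512-byte sectors. Everything in it is an assumption or constructed: that only the first 440 bootstrap bytes are hashed (so the disk signature and partition table do not influence the verdict), the byte patterns standing in for boot code, and the allowlist hash derived from them, which is not the real hash in the log. The single-partition sample starts at sector 63, which is the 0x7E00 byte offset shown for every volume in the log.

```python
"""Hash-based MBR boot-code check (added example; not MBRCheck's own code).

Assumptions (not stated on the page): only the first 440 bytes of the sector,
the bootstrap code, are hashed, so the disk signature (440..445) and the
partition table (446..509) do not change the result. The allowlist below is
built from a constructed reference sector, not from real Windows hashes.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440            # assumption: region hashed for the allowlist
PARTITION_TABLE_OFFSET = 446   # four 16-byte entries
SIGNATURE_OFFSET = 510         # 0x55AA marks a valid boot sector
SECTOR_BYTES = 512
PART_ENTRY = '<B3sB3sII'       # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(code_pattern: bytes, partitions) -> bytes:
    """Construct a 512-byte MBR: bootstrap code made by repeating code_pattern,
    a fixed (constructed) disk signature, up to four partition entries, 0x55AA."""
    reps = BOOT_CODE_LEN // len(code_pattern) + 1
    boot_code = (code_pattern * reps)[:BOOT_CODE_LEN]
    disk_signature = b'\x12\x34\x56\x78\x00\x00'      # 4-byte signature + 2 reserved
    table = b''.join(
        struct.pack(PART_ENTRY, status, b'\xfe\xff\xff', ptype, b'\xfe\xff\xff', lba, count)
        for status, ptype, lba, count in partitions
    ).ljust(64, b'\x00')
    return boot_code + disk_signature + table + b'\x55\xaa'


def parse_mbr(sector: bytes) -> dict:
    """Validate the sector, hash the bootstrap code and decode the partition table."""
    if len(sector) != MBR_SIZE:
        raise ValueError('MBR must be exactly 512 bytes')
    if sector[SIGNATURE_OFFSET:] != b'\x55\xaa':
        raise ValueError('missing 0x55AA boot signature')
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(PART_ENTRY, sector[off:off + 16])
        if ptype == 0:
            continue                                   # empty slot
        partitions.append({'index': i, 'bootable': status == 0x80, 'type': ptype,
                           'lba_start': lba, 'sectors': count,
                           'byte_offset': lba * SECTOR_BYTES})
    code_hash = hashlib.sha1(sector[:BOOT_CODE_LEN]).hexdigest().upper()
    return {'boot_code_sha1': code_hash, 'partitions': partitions}


def classify_mbr(sector: bytes, known_good: dict) -> str:
    """Return the allowlist label for the boot code, or flag it as unknown."""
    return known_good.get(parse_mbr(sector)['boot_code_sha1'], 'Unknown MBR code')


def check_drives(drives, known_good):
    """Classify each (name, sector) pair. An unknown hash is a cue to inspect
    the drive (third-party boot managers also produce one), not proof of infection."""
    return [(name, classify_mbr(sector, known_good)) for name, sector in drives]


# --- constructed samples: byte patterns stand in for real boot code ---
GOOD_CODE = b'\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c'       # placeholder "known" loader
ODD_CODE = b'\xeb\x1e\x90\x90\x90\x90\x90\x90'         # placeholder different loader
# one partition starting at sector 63: 63 * 512 = 0x7E00, the offset in the log
XP_LAYOUT = [(0x80, 0x07, 63, 1465144002)]
OTHER_LAYOUT = [(0x80, 0x07, 2048, 1000000), (0x00, 0x07, 1002048, 500000)]

DRIVE0 = build_sample_mbr(GOOD_CODE, XP_LAYOUT)
DRIVE1 = build_sample_mbr(GOOD_CODE, OTHER_LAYOUT)   # same code, different table
DRIVE2 = build_sample_mbr(ODD_CODE, XP_LAYOUT)       # different code, same table

# Allowlist built once from a trusted reference sector (here the constructed one)
KNOWN_GOOD = {parse_mbr(DRIVE0)['boot_code_sha1']: 'Windows XP MBR code detected'}

if __name__ == '__main__':
    drives = [('PhysicalDrive0', DRIVE0), ('PhysicalDrive1', DRIVE1), ('PhysicalDrive2', DRIVE2)]
    for name, verdict in check_drives(drives, KNOWN_GOOD):
        print(f'{name}: {verdict}')
```

DRIVE0 and DRIVE1 hash identically because only the bootstrap region is covered, which is why one SHA1 repeats across drives of different sizes in the log; DRIVE2 is reported as unknown. On a real machine the sector would be read from the raw device with administrative rights, and a mismatch should be compared against a trusted copy of the MBR before anything is rewritten.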

Re: Banker Fox and Win32/Nuqel need help

Post by guerro on Sat 28 Aug 2010, 10:05 am

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=1b8e3774b4fafd4d9c191f256cf01529
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=false
# utc_time=2010-08-27 10:54:05
# local_time=2010-08-27 03:54:05 (-0700, US Mountain Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=55523
# found=2
# cleaned=2
# scan_time=1065
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\ufcafypt.sys.vir a variant of Win32/Bubnix.AW trojan (cleaned by deleting - quarantined) 3D0CF9B608DB46F0F1957ACFC0FF929A C
C:\System Volume Information\_restore{A0378095-F669-4875-9041-96FAA45CBCF1}\RP5\A0001476.sys a variant of Win32/Bubnix.AW trojan (cleaned by deleting - quarantined) 3D0CF9B608DB46F0F1957ACFC0FF929A C


Re: Banker Fox and Win32/Nuqel need help

Post by DragonMaster Jay on Sun 29 Aug 2010, 12:24 pm

Fix using MBRCheck.exe

Run MBRCheck.exe again by double-clicking on it.
  • Wait until you see the following line: Enter 'Y' and hit ENTER for more options, or 'N' to exit:
  • Enter 'Y' and then press Enter.
  • When asked: 'Enter your choice:', select option 2 (Restore the MBR of a physical disk with a standard boot code) and press the Enter key.
  • Now the program will ask: 'Enter the physical disk number to fix (0-99, -1 to cancel)'
  • Enter 2 and press the Enter key.
  • The program will show Available MBR codes followed by a list of operating systems as shown below:
    Available MBR codes:
    [ 0] Default (Windows XP)
    [ 1] Windows XP
    [ 2] Windows Server 2003
    [ 3] Windows Vista
    [ 4] Windows 2008
    [ 5] Windows 7
    [-1] Cancel
    Please select the MBR code to write to this drive:
  • Please select your version of Windows from the list and enter the corresponding number and then press Enter.
  • When prompted for confirmation: "Do you want to fix the MBR code?". Type the full word Yes (not Y or the fix will not work) and press Enter.
  • Left-click on the title bar (where program name and path is written).
  • From the menu choose Edit -> Select All.
  • Press the Enter key to copy selected text.
  • Open Notepad, paste that text into it and save to your desktop as MBRCheck.txt.
  • When complete, you should see Done! Press ENTER to exit.... Press Enter on the keyboard.
  • Reboot your computer to complete the fix and copy/paste MBRCheck.txt in your next reply.
  • If your computer does not restart on its own, please restart it manually.

Important Note: The Master Boot Record contains the Partition Table for the hard disk and a little executable code for the boot start. While fixing the Master Boot Record (MBR) is generally safe, there is a small risk of damaging the MBR, which may cause the computer to not boot up or it may corrupt a partition.

The following are signs of a damaged MBR:
  • Invalid Partition Table
  • Missing Operating System
  • Error loading operating system


If it is the worst-case scenario, and your computer cannot boot, please take note of the following:

Please have your Windows CD available, which will allow recovering the boot code via the Windows Recovery Console in case of any problems or install the XP Recovery Console before proceeding with the above fix. Then, if any problems occur, the links below explain how to use and repair the MBR:
  • How to use the Recovery Console
  • How to fix MBR in Windows XP and Vista


If you do not have a Windows CD available, please let me know. You will need access to a computer that can burn CDs.



~DMJ
GeekPolice Academy Manager


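The note above describes the MBR as a partition table plus a small piece of boot code, and MBRCheck's verdicts above are keyed by a SHA1 of that boot code. As an added example (not from the thread, and not MBRCheck's own code), this Python parses a raw 512-byte MBR, hashes the boot code against a baseline table and derives the partition byte offset that the logs print as 0x00000000`00007e00 (LBA 63 x 512 bytes). The boot-code bytes, disk signature and baseline hash are constructed, and hashing exactly the first 440 bytes is an assumption of this example.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440          # bytes 0..439 hold the executable boot code (assumed boundary)
DISK_SIG_OFF = 440           # 4-byte NT disk signature, then 2 reserved bytes
PART_TABLE_OFF = 446         # four 16-byte partition entries start here
MBR_SIGNATURE = b"\x55\xaa"  # bytes 510..511 of every valid MBR

def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte partition entry; the legacy CHS fields are skipped."""
    status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
    return {
        "bootable": status == 0x80,
        "type": ptype,                           # 0x07 = NTFS, 0x00 = unused slot
        "lba_start": lba_start,
        "sectors": sectors,
        "byte_offset": lba_start * SECTOR_SIZE,  # MBRCheck's "at offset" value
    }

def parse_mbr(sector: bytes) -> dict:
    """Split a raw 512-byte MBR into boot-code hash, disk signature and partitions."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if sector[510:512] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    (disk_sig,) = struct.unpack_from("<I", sector, DISK_SIG_OFF)
    entries = [sector[PART_TABLE_OFF + 16 * i:PART_TABLE_OFF + 16 * (i + 1)]
               for i in range(4)]
    return {
        "boot_code_sha1": hashlib.sha1(sector[:BOOT_CODE_LEN]).hexdigest().upper(),
        "disk_signature": disk_sig,
        "partitions": [parse_partition_entry(e) for e in entries],
    }

def classify_mbr(sector: bytes, known_good: dict) -> str:
    """MBRCheck-style verdict: label of a known boot-code hash, else 'Unknown MBR code'."""
    return known_good.get(parse_mbr(sector)["boot_code_sha1"], "Unknown MBR code")

def build_sample_mbr(boot_code: bytes, lba_start: int = 63, sectors: int = 1000) -> bytes:
    """Constructed MBR: the given boot code plus one bootable NTFS partition at lba_start."""
    sector = bytearray(SECTOR_SIZE)
    code = boot_code[:BOOT_CODE_LEN]
    sector[:len(code)] = code                # shorter code is zero-padded to 440 bytes
    struct.pack_into("<I", sector, DISK_SIG_OFF, 0xDEADBEEF)  # constructed disk signature
    struct.pack_into("<B3xB3xII", sector, PART_TABLE_OFF, 0x80, 0x07, lba_start, sectors)
    sector[510:512] = MBR_SIGNATURE
    return bytes(sector)

# Constructed boot-code stand-ins (not real Windows boot code): a clean baseline and a
# copy whose first instruction was overwritten, which is what an infected MBR looks like.
CLEAN_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 24
PATCHED_BOOT_CODE = b"\xeb\x3e" + CLEAN_BOOT_CODE[2:]

CLEAN_MBR = build_sample_mbr(CLEAN_BOOT_CODE)
PATCHED_MBR = build_sample_mbr(PATCHED_BOOT_CODE)

# Baseline keyed by SHA1 of the boot code, the way MBRCheck keys its verdicts; the real
# tool ships hashes such as the DA38B874... value seen in the thread's logs.
KNOWN_GOOD = {parse_mbr(CLEAN_MBR)["boot_code_sha1"]: "Windows XP MBR code detected"}
```

Note that the patched sector keeps an identical partition table: an MBR infection lives in the boot code, which is why rewriting only that code (option 2 above) leaves the partitions untouched.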

Re: Banker Fox and Win32/Nuqel need help

Post by guerro on Mon 30 Aug 2010, 11:56 pm

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x000006fd

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\F: --> \\.\PhysicalDrive2 at offset 0x00000000`00007e00 (NTFS)
\\.\G: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)
\\.\H: --> \\.\PhysicalDrive3 at offset 0x00000000`00007e00 (NTFS)
\\.\J: --> \\.\PhysicalDrive4 at offset 0x00000000`00007e00 (NTFS)
\\.\K: --> \\.\PhysicalDrive5 at offset 0x00000000`00007e00 (NTFS)

Size Device Name MBR Status
--------------------------------------------
698 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
698 GB \\.\PhysicalDrive2 Unknown MBR code
SHA1: 639AC5CDF8A5CF3245975932C6A4215450A7B98F
698 GB \\.\PhysicalDrive1 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
698 GB \\.\PhysicalDrive3 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
931 GB \\.\PhysicalDrive4 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
931 GB \\.\PhysicalDrive5 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit: y

Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.

Enter your choice: 2

Enter the physical disk number to fix (0-99, -1 to cancel): 2
Available MBR codes:
[ 0] Default (Windows XP)
[ 1] Windows XP
[ 2] Windows Server 2003
[ 3] Windows Vista
[ 4] Windows 2008
[ 5] Windows 7
[-1] Cancel

Please select the MBR code to write to this drive: 1
Do you want to fix the MBR code? Type 'YES' and hit ENTER to continue: yes
Successfully wrote new MBR code!
Please reboot your computer to complete the fix.


Done!
Press ENTER to exit...


Re: Banker Fox and Win32/Nuqel need help

Post by DragonMaster Jay on Tue 31 Aug 2010, 3:59 pm

Reboot your computer, and post a new MBRCheck log.



~DMJ
GeekPolice Academy Manager



Re: Banker Fox and Win32/Nuqel need help

Post by guerro on Wed 01 Sep 2010, 12:17 am

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x000006fd

Kernel Drivers (total 133):

Processes (total 42):

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\F: --> \\.\PhysicalDrive2 at offset 0x00000000`00007e00 (NTFS)
\\.\G: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)
\\.\H: --> \\.\PhysicalDrive3 at offset 0x00000000`00007e00 (NTFS)
\\.\J: --> \\.\PhysicalDrive4 at offset 0x00000000`00007e00 (NTFS)
\\.\K: --> \\.\PhysicalDrive5 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: SAMSUNGHD753LJ, Rev: 1AA01107
PhysicalDrive2 Model Number: SAMSUNGHD753LJ, Rev: 1AA01107
PhysicalDrive1 Model Number: SAMSUNGHD753LJ, Rev: 1AA01107
PhysicalDrive3 Model Number: SAMSUNGHD753LJ, Rev: 1AA01107
PhysicalDrive4 Model Number: SAMSUNGHD103UJ, Rev: 1AA01113
PhysicalDrive5 Model Number: SAMSUNGHD103UJ, Rev: 1AA01113

Size Device Name MBR Status
--------------------------------------------
698 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
698 GB \\.\PhysicalDrive2 Unknown MBR code
SHA1: 639AC5CDF8A5CF3245975932C6A4215450A7B98F
698 GB \\.\PhysicalDrive1 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
698 GB \\.\PhysicalDrive3 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
931 GB \\.\PhysicalDrive4 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
931 GB \\.\PhysicalDrive5 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.

Enter your choice:
Enter the physical disk number to fix (0-99, -1 to cancel): 2
Available MBR codes:
[ 0] Default (Windows XP)
[ 1] Windows XP
[ 2] Windows Server 2003
[ 3] Windows Vista
[ 4] Windows 2008
[ 5] Windows 7
[-1] Cancel

Please select the MBR code to write to this drive: 1
Do you want to fix the MBR code? Type 'YES' and hit ENTER to continue: yes
Successfully wrote new MBR code!
Please reboot your computer to complete the fix.


Done!


Re: Banker Fox and Win32/Nuqel need help

Post by DragonMaster Jay on Wed 01 Sep 2010, 6:14 am

Download Bootkit Remover to your Desktop.

  • You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip: [You must be registered and logged in to see this link.]
  • After extracting remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users, right-click on remover.exe and click Run As Administrator).
  • It will show a Black screen with some data on it.
  • Right click on the screen and click Select All.
  • Press Enter
  • Open a Notepad and press CTRL V
  • Post the output back here.



~DMJ
GeekPolice Academy Manager



Re: Banker Fox and Win32/Nuqel need help

Post by guerro on Wed 01 Sep 2010, 2:17 pm

Bootkit Remover
(c) 2009 eSage Lab
[You must be registered and logged in to see this link.]

Program version: 1.1.0.0
OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd

Size Device Name MBR Status
--------------------------------------------
698 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


Done;
Press any key to quit...


Re: Banker Fox and Win32/Nuqel need help

Post by DragonMaster Jay on Thu 02 Sep 2010, 9:08 am

Please download Stealth MBR Rootkit Detector by GMER from GMER.net, and save to your Desktop.
  • Double-click mbr.exe to start the program.
  • When done scanning, it will save a log on the Desktop called mbr.log.
  • Please post the contents of that log in your next reply.



~DMJ
GeekPolice Academy Manager


