Banker Fox and Win32/Nuqel need help

Post by guerro on 18th August 2010, 2:02 am

Hi, after helping my mom with her computer about 6 months ago, my brother now has similar problems. I need help removing these virii.

Please advise.

Re: Banker Fox and Win32/Nuqel need help

Post by guerro on 18th August 2010, 3:34 am

OTL logfile created on: 8/17/2010 8:11:00 PM - Run 1
OTL by OldTimer - Version 3.2.10.0 Folder = C:\Documents and Settings\Media\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 89.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 98.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 698.63 Gb Total Space | 543.62 Gb Free Space | 77.81% Space Free | Partition Type: NTFS
Unable to calculate disk information.
Drive E: | 6.14 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive F: | 698.64 Gb Total Space | 323.19 Gb Free Space | 46.26% Space Free | Partition Type: NTFS
Drive G: | 698.64 Gb Total Space | 534.87 Gb Free Space | 76.56% Space Free | Partition Type: NTFS
Drive H: | 698.63 Gb Total Space | 21.61 Gb Free Space | 3.09% Space Free | Partition Type: NTFS
I: Drive not present or media not loaded
Drive J: | 931.51 Gb Total Space | 161.27 Gb Free Space | 17.31% Space Free | Partition Type: NTFS
Drive K: | 931.51 Gb Total Space | 53.89 Gb Free Space | 5.78% Space Free | Partition Type: NTFS

Computer Name: MEDIA
Current User Name: Media
Logged in as Administrator.

Current Boot Mode: SafeMode with Networking
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/08/17 19:44:13 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Media\Desktop\OTL.com
PRC - [2008/04/13 17:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2010/08/17 19:44:13 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Media\Desktop\OTL.com
MOD - [2008/04/13 17:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- C:\WINDOWS\System32\d193543c.exe -- (MSWA-d193543c)
SRV - [2010/06/10 21:03:08 | 000,144,176 | ---- | M] (Apple Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2008/05/02 02:42:06 | 000,121,360 | ---- | M] (Logitech, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe -- (LBTServ)
SRV - [2006/11/30 08:50:00 | 000,144,960 | ---- | M] (McAfee, Inc.) [Auto | Stopped] -- C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe -- (McShield)
SRV - [2006/11/30 08:50:00 | 000,054,872 | ---- | M] (McAfee, Inc.) [Auto | Stopped] -- C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe -- (McTaskManager)
SRV - [2006/11/17 13:37:44 | 000,104,000 | ---- | M] (McAfee, Inc.) [Auto | Stopped] -- C:\Program Files\Network Associates\Common Framework\FrameworkService.exe -- (McAfeeFramework)


========== Driver Services (SafeList) ==========

DRV - [2010/06/04 12:45:44 | 000,000,000 | ---- | M] () [Kernel | Boot | Stopped] -- C:\WINDOWS\System32\drivers\kiwyikh.sys -- (kiwyikh)
DRV - [2008/04/13 09:36:05 | 000,144,384 | ---- | M] (Windows (R) Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/02/29 03:13:24 | 000,036,880 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LMouFilt.Sys -- (LMouFilt)
DRV - [2008/02/29 03:13:16 | 000,035,344 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LHidFilt.Sys -- (LHidFilt)
DRV - [2008/02/29 03:12:48 | 000,020,240 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\L8042Kbd.sys -- (L8042Kbd)
DRV - [2007/05/08 18:58:20 | 002,164,736 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2007/03/23 20:20:24 | 000,046,208 | R--- | M] (JMicron Technology Corp.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\jraid.sys -- (JRAID)
DRV - [2007/01/15 18:09:06 | 000,293,888 | R--- | M] (Analog Devices, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ADIHdAud.sys -- (ADIHdAudAddService)
DRV - [2007/01/11 00:19:14 | 000,011,008 | R--- | M] (BUFFALO INC.) [Kernel | System | Stopped] -- C:\WINDOWS\system32\BUFADPT.SYS -- (BUFADPT)
DRV - [2006/12/28 09:44:44 | 000,084,992 | ---- | M] (ATI Research Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\AtiHdAud.sys -- (HdAudAddService)
DRV - [2006/11/30 08:50:00 | 000,168,776 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2006/11/30 08:50:00 | 000,072,264 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2006/11/30 08:50:00 | 000,064,360 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfeapfk.sys -- (mfeapfk)
DRV - [2006/11/30 08:50:00 | 000,052,136 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mfetdik.sys -- (mfetdik)
DRV - [2006/11/30 08:50:00 | 000,034,152 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2006/11/30 08:50:00 | 000,031,944 | ---- | M] (McAfee, Inc.) [Kernel | System | Stopped] -- C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys -- (mferkdk)
DRV - [2006/07/26 08:56:00 | 000,248,832 | ---- | M] (Marvell) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\yk51x86.sys -- (yukonwxp)
DRV - [2006/06/16 00:30:16 | 000,176,128 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RTL8187.sys -- (RTLWUSB)
DRV - [2006/06/01 14:15:20 | 000,509,440 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\xnacc.sys -- (xnacc)
DRV - [2006/03/31 04:39:54 | 000,013,532 | ---- | M] (Windows (R) 2000 DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\SjyPkt.sys -- (SjyPkt)
DRV - [2006/03/17 02:18:58 | 000,392,960 | R--- | M] (Sensaura) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (SenFiltService)
DRV - [2006/02/07 04:52:58 | 000,006,912 | R--- | M] (JMicron ) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\JGOGO.sys -- (JGOGO)
DRV - [2004/08/13 03:56:20 | 000,005,810 | R--- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ASACPI.sys -- (MTsensor)
DRV - [2004/08/03 22:31:34 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RTL8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" =
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6522

========== FireFox ==========

FF - prefs.js..browser.search.order.1: "Google"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..extensions.enabledItems: {C99F331F-501F-4CFA-ADC4-F5A38F8A0151}:1.9.1
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..keyword.URL: "http://search.search-go.net/?sid=10101053100&s="

FF - user.js..browser.search.selectedEngine: "Google"
FF - user.js..browser.search.order.1: "Google"
FF - user.js..keyword.URL: "http://search.search-go.net/?sid=10101053100&s="

FF - HKLM\software\mozilla\Firefox\extensions\\{C99F331F-501F-4CFA-ADC4-F5A38F8A0151}: C:\Documents and Settings\Media\Local Settings\Application Data\{C99F331F-501F-4CFA-ADC4-F5A38F8A0151} [2010/08/15 13:31:06 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/08/15 13:43:11 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/08/15 13:43:11 | 000,000,000 | ---D | M]

[2008/08/28 21:36:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Media\Application Data\Mozilla\Extensions
[2010/08/17 19:39:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Media\Application Data\Mozilla\Firefox\Profiles\1hx4ckko.default\extensions
[2010/05/03 19:45:14 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Media\Application Data\Mozilla\Firefox\Profiles\1hx4ckko.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/08/17 19:39:25 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/08/15 13:36:14 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2010/07/17 05:00:04 | 000,423,656 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2010/08/15 03:52:20 | 000,002,074 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\google_search.xml

O1 HOSTS File: ([2010/08/15 13:42:49 | 000,000,915 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 212.117.178.25 [You must be registered and logged in to see this link.]
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll (McAfee, Inc.)
O4 - HKLM..\Run: [36X Raid Configurer] C:\WINDOWS\System32\xRaidSetup.exe (JMicron Technology Corp.)
O4 - HKLM..\Run: [hfaeiaih] C:\Documents and Settings\NetworkService\Local Settings\Application Data\uuqspgfcg\nloqjershdw.exe ()
O4 - HKLM..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe ()
O4 - HKLM..\Run: [Kernel and Hardware Abstraction Layer] C:\WINDOWS\KHALMNPR.Exe (Logitech, Inc.)
O4 - HKLM..\Run: [McAfeeUpdaterUI] C:\Program Files\Network Associates\Common Framework\UdaterUI.exe (McAfee, Inc.)
O4 - HKLM..\Run: [Sgimokofatahi] C:\WINDOWS\obonerulatoqez.DLL (Sonic Solutions)
O4 - HKLM..\Run: [ShStatEXE] C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE (McAfee, Inc.)
O4 - HKLM..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe ()
O4 - HKCU..\Run: [hsfe8owijfisjhgs7ye39gjsoighsd7y3eu] C:\Documents and Settings\Media\Local Settings\Temp\fs00ucxf9.exe ()
O4 - HKCU..\Run: [M5T8QL3YW3] C:\DOCUME~1\Media\LOCALS~1\Temp\Jlr.exe File not found
O4 - HKCU..\Run: [Ukaluregadagaku] C:\WINDOWS\kbcong.DLL File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ASUS WiFi-AP Solo.lnk = C:\Program Files\ASUS WiFi-AP Solo\RtWLan.exe (ASUSTek Computer Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe (Logitech, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoControlPanel = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} [You must be registered and logged in to see this link.] (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_21)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\LBTWlgn: DllName - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll - c:\Program Files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll (Logitech, Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\Media\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Media\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/03/15 15:21:45 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2007/11/15 20:43:13 | 000,000,066 | RH-- | M] () - E:\AUTORUN.INF -- [ CDFS ]
O33 - MountPoints2\{1237f450-2378-11dd-8677-001e8c897997}\Shell\AutoRun\command - "" = G:\wd_windows_tools\setup.exe -- File not found
O33 - MountPoints2\E\Shell - "" = AutoRun
O33 - MountPoints2\E\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\E\Shell\AutoRun\command - "" = E:\SETUP.EXE -- [2007/11/15 20:44:32 | 000,062,976 | RH-- | M] (Aspyr Media, Inc.)
O33 - MountPoints2\I\Shell - "" = AutoRun
O33 - MountPoints2\I\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\I\Shell\AutoRun\command - "" = I:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/08/17 19:44:13 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Media\Desktop\OTL.com
[2010/08/15 13:44:40 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2010/08/15 13:44:35 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2010/08/15 13:44:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2010/08/15 13:43:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\ajyrpitea
[2010/08/15 13:42:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\uuqspgfcg
[2010/08/15 13:42:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Update
[2010/08/15 13:42:33 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2010/08/15 13:40:57 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2010/08/15 13:40:55 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2010/08/15 13:36:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/08/15 13:36:13 | 000,423,656 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010/08/15 13:36:13 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/08/15 13:36:13 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/08/15 13:36:13 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/08/15 13:31:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Media\Local Settings\Application Data\{C99F331F-501F-4CFA-ADC4-F5A38F8A0151}
[2010/08/15 13:29:52 | 000,020,992 | ---- | C] (Realtek Semiconductor Corporation) -- C:\WINDOWS\System32\drivers\RTL8139.sys
[2010/08/15 13:29:52 | 000,020,992 | ---- | C] (Realtek Semiconductor Corporation) -- C:\WINDOWS\System32\dllcache\rtl8139.sys
[2010/08/08 14:16:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Media\Application Data\Malwarebytes
[2010/08/08 14:16:21 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/08/08 14:16:20 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/08/08 14:16:20 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/08/08 14:16:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/08/08 14:15:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Media\Application Data\U3
[2010/08/08 14:07:07 | 000,000,000 | -HSD | C] -- C:\WINDOWS\CSC
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/08/17 20:12:08 | 000,781,824 | ---- | M] () -- C:\WINDOWS\System32\drivers\ufcafypt.sys
[2010/08/17 20:10:11 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/08/17 20:07:18 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/08/17 20:05:35 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/08/17 20:05:34 | 003,932,160 | -H-- | M] () -- C:\Documents and Settings\Media\NTUSER.DAT
[2010/08/17 20:05:34 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Media\ntuser.ini
[2010/08/17 20:03:25 | 000,000,282 | -H-- | M] () -- C:\WINDOWS\tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job
[2010/08/17 20:02:10 | 004,288,972 | -H-- | M] () -- C:\Documents and Settings\Media\Local Settings\Application Data\IconCache.db
[2010/08/17 19:44:13 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Media\Desktop\OTL.com
[2010/08/17 19:42:00 | 000,000,416 | ---- | M] () -- C:\WINDOWS\tasks\Updater.job
[2010/08/17 19:36:58 | 000,363,520 | ---- | M] () -- C:\Documents and Settings\Media\Desktop\rkill.com
[2010/08/17 18:52:11 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Lviqahemile.bin
[2010/08/15 13:45:04 | 000,001,804 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/08/15 13:42:53 | 000,000,005 | ---- | M] () -- C:\zrpt.xml
[2010/08/15 13:42:23 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/08/15 13:33:05 | 000,001,664 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Sonos Desktop Controller.lnk
[2010/08/15 13:31:08 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Pqaju.dat
[2010/08/14 18:05:00 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/08/08 14:16:24 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/08/17 19:36:58 | 000,363,520 | ---- | C] () -- C:\Documents and Settings\Media\Desktop\rkill.com
[2010/08/15 13:45:04 | 000,001,804 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/08/15 13:43:02 | 000,781,824 | ---- | C] () -- C:\WINDOWS\System32\drivers\ufcafypt.sys
[2010/08/15 13:42:52 | 000,000,416 | ---- | C] () -- C:\WINDOWS\tasks\Updater.job
[2010/08/15 13:42:51 | 000,000,005 | ---- | C] () -- C:\zrpt.xml
[2010/08/15 13:31:08 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Pqaju.dat
[2010/08/15 13:31:08 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Lviqahemile.bin
[2010/08/08 14:16:24 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/05/24 20:05:02 | 000,002,572 | ---- | C] () -- C:\WINDOWS\apohigafeku.dll
[2010/05/24 19:53:19 | 000,002,572 | ---- | C] () -- C:\WINDOWS\uzelahetilarej.dll
[2010/05/24 17:51:20 | 000,002,572 | ---- | C] () -- C:\WINDOWS\uvehunicapa.dll
[2010/05/24 15:49:34 | 000,002,572 | ---- | C] () -- C:\WINDOWS\ixonucij.dll
[2010/05/24 13:47:19 | 000,002,572 | ---- | C] () -- C:\WINDOWS\ujoqijoyiqo.dll
[2010/05/24 11:44:41 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\drivers\kiwyikh.sys
[2010/05/24 11:44:27 | 000,003,321 | -HS- | C] () -- C:\Documents and Settings\Media\Application Data\0200000005448916922P.manifest
[2010/05/24 11:44:27 | 000,000,013 | -HS- | C] () -- C:\Documents and Settings\Media\Application Data\0200000005448916922C.manifest
[2010/05/24 11:44:27 | 000,000,011 | -HS- | C] () -- C:\Documents and Settings\Media\Application Data\0200000005448916922S.manifest
[2010/05/24 11:44:27 | 000,000,011 | -HS- | C] () -- C:\Documents and Settings\Media\Application Data\0200000005448916922O.manifest
[2009/08/08 15:00:17 | 000,000,760 | ---- | C] () -- C:\Documents and Settings\Media\Application Data\setup_ldm.iss
[2008/07/04 08:16:15 | 000,006,144 | ---- | C] () -- C:\Documents and Settings\Media\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/03/15 17:11:44 | 000,000,280 | ---- | C] () -- C:\WINDOWS\System32\epoPGPsdk.dll.sig
[2008/03/15 15:29:19 | 000,019,725 | ---- | C] () -- C:\WINDOWS\Ascd_log.ini
[2008/03/15 15:29:07 | 000,019,344 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2008/03/15 15:29:06 | 000,005,810 | R--- | C] () -- C:\WINDOWS\System32\drivers\ASACPI.sys
[2008/03/15 15:28:57 | 000,010,288 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2008/01/15 01:33:02 | 000,012,520 | ---- | C] () -- C:\WINDOWS\UN900121.INI
< End of report >

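Triage rules over the OTL line formats posted above, as an added example that is not part of the thread and not OTL's own code: it parses the O4 Run, O1 Hosts, IE proxy, FF keyword.URL and SRV lines and reports the entries a malware helper checks first. The rule names, the search-engine allowlist and the sample lines (copied from the log except for a placeholder hostname where the forum redacted it) are this example's own assumptions.

```python
"""Triage OTL report lines for the hijack indicators a malware helper
checks first: autoruns launched from user-writable directories with no
publisher, orphaned Run and service entries, an IE proxy that loops back
to localhost, hosts-file redirects and a replaced Firefox keyword.URL.
Added example, not code from OTL or from the thread.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample in OTL's line shape. Most lines are copied from the
# posted log; the hosts-file target is a placeholder because the forum
# software redacted the real hostname.
SAMPLE_LOG = r"""
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6522
FF - prefs.js..keyword.URL: "http://search.search-go.net/?sid=10101053100&s="
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 212.117.178.25 redacted-host.example
O4 - HKLM..\Run: [hfaeiaih] C:\Documents and Settings\NetworkService\Local Settings\Application Data\uuqspgfcg\nloqjershdw.exe ()
O4 - HKLM..\Run: [McAfeeUpdaterUI] C:\Program Files\Network Associates\Common Framework\UdaterUI.exe (McAfee, Inc.)
O4 - HKCU..\Run: [hsfe8owijfisjhgs7ye39gjsoighsd7y3eu] C:\Documents and Settings\Media\Local Settings\Temp\fs00ucxf9.exe ()
O4 - HKCU..\Run: [M5T8QL3YW3] C:\DOCUME~1\Media\LOCALS~1\Temp\Jlr.exe File not found
SRV - File not found [Auto | Stopped] -- C:\WINDOWS\System32\d193543c.exe -- (MSWA-d193543c)
""".strip()


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    detail: str


# Locations a user or service account can write to; an autorun launched
# from here with an empty publisher string deserves a second look.
USER_WRITABLE = ("\\local settings\\temp\\", "\\locals~1\\temp\\",
                 "\\local settings\\application data\\", "\\windows\\temp\\")

# Assumed allowlist for Firefox's keyword.URL; anything else is reported.
KNOWN_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "search.yahoo.com"}

RUN_RE = re.compile(r"^O4 - HK\w+\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<rest>.*)$")
IE_RE = re.compile(r'^IE - .*Internet Settings: "(?P<key>\w+)" =\s*(?P<val>.*)$')
HOSTS_RE = re.compile(r"^O1 - Hosts: (?P<ip>\S+)\s+(?P<host>\S+)")
FF_KW_RE = re.compile(r'^FF - (?:prefs|user)\.js\.\.keyword\.URL: "(?P<url>[^"]*)"')
SRV_RE = re.compile(r"^SRV - File not found \[[^\]]*\] -- (?P<path>.*) -- \((?P<svc>[^)]*)\)$")
TARGET_RE = re.compile(r"^(?P<path>.*?) \((?P<company>[^)]*)\)$")


def split_run_target(rest: str) -> tuple[str, str, bool]:
    """Split the tail of an O4 line into (path, publisher, file_present)."""
    if rest.endswith("File not found"):
        return rest[: -len("File not found")].rstrip(), "", False
    m = TARGET_RE.match(rest)
    if m:
        return m.group("path"), m.group("company").strip(), True
    return rest, "", True


def triage(report: str) -> list[Finding]:
    """Walk an OTL report and return the entries worth a helper's attention."""
    findings: list[Finding] = []
    proxy_enabled, proxy_server, proxy_line = False, "", 0
    for n, line in enumerate(report.splitlines(), 1):
        if m := RUN_RE.match(line):
            path, company, present = split_run_target(m.group("rest"))
            if not present:
                findings.append(Finding(n, "orphaned-autorun", f"{m.group('name')} -> {path}"))
            elif not company and any(d in path.lower() for d in USER_WRITABLE):
                findings.append(Finding(n, "unsigned-autorun-in-user-dir", f"{m.group('name')} -> {path}"))
        elif m := IE_RE.match(line):
            if m.group("key") == "ProxyEnable":
                proxy_enabled = m.group("val").strip() == "1"
            elif m.group("key") == "ProxyServer":
                proxy_server, proxy_line = m.group("val").strip(), n
        elif m := HOSTS_RE.match(line):
            if m.group("ip") not in ("127.0.0.1", "::1"):
                findings.append(Finding(n, "hosts-redirect", f"{m.group('host')} -> {m.group('ip')}"))
        elif m := FF_KW_RE.match(line):
            host = urlparse(m.group("url")).hostname or ""
            if host not in KNOWN_SEARCH_HOSTS:
                findings.append(Finding(n, "search-hijack", host))
        elif m := SRV_RE.match(line):
            findings.append(Finding(n, "orphaned-service", f"{m.group('svc')} -> {m.group('path')}"))
    # Only an enabled proxy that loops back to this machine is reported: that
    # is how a banking trojan interposes itself on the browser's traffic.
    if proxy_enabled and proxy_server.startswith(("http=127.0.0.1", "127.0.0.1")):
        findings.append(Finding(proxy_line, "local-proxy", proxy_server))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no:>3}  {f.rule:<30} {f.detail}")
```

The rules deliberately stay narrow (publisher string, directory, file presence) so that a vendor-signed entry such as the McAfee updater in the sample is not reported.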

Re: Banker Fox and Win32/Nuqel need help

Post by Dr Jay on 18th August 2010, 6:05 am

Hello, and welcome to GeekPolice.

Please note the following information about the malware forum:
  • Only Tech Officers, Global Moderators, Administrators, and Malware Advisors are allowed to give advice on removing malware from your computer.
  • From this point on, please do not make any more changes to your computer, such as installing/uninstalling programs, using special fix tools, deleting files, editing the registry, etc., unless advised by the staff I noted above.
  • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
  • If you have already asked for help somewhere, please post the link to the topic where you were helped.
  • We try our best to reply quickly, but if for any reason we do not reply in two days, do one of two things:

    Reply to this topic with the word BUMP, or
    see [You must be registered and logged in to see this link.].

  • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.

Please download Malwarebytes Anti-Malware from [You must be registered and logged in to see this link.].
Alternate link: [You must be registered and logged in to see this link.].
(Note: if you already have the program installed, just follow the directions. No need to re-download or re-install!)

Double Click mbam-setup.exe to install the application.

(Note: if you already have the program installed, open Malwarebytes from the Start Menu or Desktop shortcut, click the Update tab, and click Check for Updates, before doing the scan as instructed below!)

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If you are prompted to restart, please allow it to restart your computer. Failure to do this will cause the infection to still be active on the computer.
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • The log can also be found at C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Copy and paste the entire report in your next reply.

Dr. Jay (DJ)

Re: Banker Fox and Win32/Nuqel need help

Post by guerro on 18th August 2010, 11:25 pm

Malwarebytes' Anti-Malware 1.46
[You must be registered and logged in to see this link.]

Database version: 4052

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 7.0.5730.13

8/8/2010 2:21:32 PM
mbam-log-2010-08-08 (14-21-32).txt

Scan type: Quick scan
Objects scanned: 112247
Time elapsed: 3 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 6
Registry Data Items Infected: 8
Folders Infected: 1
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe (Trojan.Chifrax) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\net (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\QZAIB7KITK (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mcexecwin (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\juanioue (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hsfg9w8gujsokgahi8gysgnsdgefshyjy (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\winid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> Delete on reboot.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.164.134,93.188.166.180 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.164.134,93.188.166.180 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{be65aed8-8300-4de6-828d-e6663ac0eef8}\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.164.134,93.188.166.180 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{be65aed8-8300-4de6-828d-e6663ac0eef8}\NameServer (Trojan.DNSChanger) -> Data: 93.188.164.134,93.188.166.180 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{d89d509c-870d-404a-9a87-e8c6291f9b45}\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.164.134,93.188.166.180 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{d89d509c-870d-404a-9a87-e8c6291f9b45}\NameServer (Trojan.DNSChanger) -> Data: 93.188.164.134,93.188.166.180 -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\Media\Application Data\SystemProc (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Media\Local Settings\Temp\nsxoerawcm.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Media\Local Settings\Temporary Internet Files\Content.IE5\5VIHOGOF\rvqxfn[1].htm (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Media\Local Settings\Temp\setup.exe (Trojan.Chifrax) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\Alkc.exe (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\Media\Local Settings\Temp\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Media\Local Settings\Temp\win32.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Media\Local Settings\Temp\winlogon.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Media\Local Settings\Temp\jisfije9fjoiee.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.

Re: Banker Fox and Win32/Nuqel need help

Post by Dr Jay on 19th August 2010, 7:15 pm

Scan with Malwarebytes' Anti-Malware

Please re-open Malwarebytes' Anti-Malware, click the Update tab, and click Check for Updates. Then, click the Scanner tab, select Perform Full Scan, and press Scan. Remove selected, and post the log in your next reply.

Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator

Posts : 14309
Joined : 2009-09-06
Gender : Male
OS : Windows 10 Home & Pro
Arch. : x64 (64-bit)
Protection : Bitdefender Total Security
Points : 302960
# Likes : 10

Re: Banker Fox and Win32/Nuqel need help

Post by guerro on 20th August 2010, 1:56 am

Malwarebytes' Anti-Malware 1.46
[You must be registered and logged in to see this link.]

Database version: 4450

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

8/19/2010 6:55:57 PM
mbam-log-2010-08-19 (18-55-57).txt

Scan type: Quick scan
Objects scanned: 123888
Time elapsed: 4 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)


Re: Banker Fox and Win32/Nuqel need help

Post by Dr Jay on 20th August 2010, 8:49 am

Note: the following tool is to only be used under the guidance of a malware helper. In the event you already have the tool, please delete the old copy and download a new copy.

Please download ComboFix from [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.] (Click the green button on the page to download it).

Rename ComboFix.exe to combo-fix.exe before you save it to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found [You must be registered and logged in to see this link.]
  • Click Start>Run, then copy/paste the following command into the Run box and click OK: "%userprofile%\desktop\combo-fix.exe" /killall
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

    *NOTE*: If you already have the Recovery Console installed, ComboFix will skip this part and will continue scanning for malware.

    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.


Dr. Jay (DJ)



Re: Banker Fox and Win32/Nuqel need help

Post by guerro on 21st August 2010, 3:59 pm

ComboFix 10-08-20.01 - Media 08/21/2010 8:44.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1540 [GMT -7:00]
Running from: c:\documents and settings\Media\desktop\combo-fix.exe
Command switches used :: /killall
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\drivers\ohci1394.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-07-21 to 2010-08-21 )))))))))))))))))))))))))))))))
.

2010-08-18 02:20 . 2010-08-18 02:20 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\ATI
2010-08-15 20:44 . 2010-08-15 20:44 -------- d-----w- c:\program files\iPod
2010-08-15 20:44 . 2010-08-15 20:45 -------- d-----w- c:\program files\iTunes
2010-08-15 20:44 . 2010-08-15 20:45 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-08-15 20:43 . 2010-08-15 20:43 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\ajyrpitea
2010-08-15 20:43 . 2010-08-21 15:51 781824 ----a-w- c:\windows\system32\drivers\ufcafypt.sys
2010-08-15 20:42 . 2010-08-18 05:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Update
2010-08-15 20:42 . 2010-08-15 20:43 -------- d-----w- c:\program files\QuickTime
2010-08-15 20:40 . 2010-08-15 20:40 -------- d-----w- c:\program files\Bonjour
2010-08-15 20:36 . 2010-08-15 20:36 61440 ----a-w- c:\documents and settings\Media\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-7292907c-n\decora-sse.dll
2010-08-15 20:36 . 2010-08-15 20:36 12800 ----a-w- c:\documents and settings\Media\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-7292907c-n\decora-d3d.dll
2010-08-15 20:36 . 2010-08-15 20:36 503808 ----a-w- c:\documents and settings\Media\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-3566b2fb-n\msvcp71.dll
2010-08-15 20:36 . 2010-08-15 20:36 499712 ----a-w- c:\documents and settings\Media\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-3566b2fb-n\jmc.dll
2010-08-15 20:36 . 2010-08-15 20:36 348160 ----a-w- c:\documents and settings\Media\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-3566b2fb-n\msvcr71.dll
2010-08-15 20:36 . 2010-07-17 12:00 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-15 20:34 . 2010-08-15 20:34 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.1.5\SetupAdmin.exe
2010-08-15 20:31 . 2010-08-18 01:52 0 ----a-w- c:\windows\Lviqahemile.bin
2010-08-15 20:31 . 2010-08-15 20:31 120 ----a-w- c:\windows\Pqaju.dat
2010-08-15 20:29 . 2004-08-04 05:31 20992 -c--a-w- c:\windows\system32\dllcache\rtl8139.sys
2010-08-15 20:29 . 2004-08-04 05:31 20992 ----a-w- c:\windows\system32\drivers\RTL8139.sys
2010-08-08 21:21 . 2006-04-06 02:38 110592 ----a-w- c:\documents and settings\Media\Application Data\U3\temp\cleanup.exe
2010-08-08 21:16 . 2010-08-08 21:16 -------- d-----w- c:\documents and settings\Media\Application Data\Malwarebytes
2010-08-08 21:16 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-08 21:16 . 2010-08-18 01:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-08 21:16 . 2010-08-08 21:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-08 21:16 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-08 21:15 . 2010-08-08 21:21 -------- d-----w- c:\documents and settings\Media\Application Data\U3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-15 20:44 . 2008-03-16 00:25 -------- d-----w- c:\program files\Common Files\Apple
2010-08-15 20:42 . 2010-06-04 20:56 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-15 20:36 . 2008-05-12 23:55 -------- d-----w- c:\program files\Common Files\Java
2010-08-15 20:36 . 2008-05-12 23:56 -------- d-----w- c:\program files\Java
2010-08-15 20:33 . 2008-03-17 02:50 -------- d-----w- c:\program files\Sonos
2010-05-28 03:35 . 2010-05-28 03:35 503808 ----a-w- c:\documents and settings\Media\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-1ae14fc3-n\msvcp71.dll
2010-05-28 03:35 . 2010-05-28 03:35 499712 ----a-w- c:\documents and settings\Media\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-1ae14fc3-n\jmc.dll
2010-05-28 03:35 . 2010-05-28 03:35 348160 ----a-w- c:\documents and settings\Media\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-1ae14fc3-n\msvcr71.dll
2010-05-26 00:44 . 2010-05-26 00:44 666112 ----a-w- c:\documents and settings\Media\Application Data\Macromedia\Flash Player\[You must be registered and logged in to see this link.]
2010-05-26 00:44 . 2010-05-26 00:44 319488 ----a-w- c:\documents and settings\Media\Application Data\Macromedia\Flash Player\[You must be registered and logged in to see this link.]
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-08-21 15:50 . 2010-08-21 15:50 16384 c:\windows\Temp\Perflib_Perfdata_7b4.dat
+ 2004-08-04 12:00 . 2010-08-18 06:15 67516 c:\windows\system32\perfc009.dat
- 2004-08-04 12:00 . 2009-12-10 10:19 67516 c:\windows\system32\perfc009.dat
- 2004-08-04 12:00 . 2008-04-13 18:36 68224 c:\windows\system32\drivers\pci.sys
+ 2004-08-04 12:00 . 2004-08-04 12:00 68224 c:\windows\system32\drivers\pci.sys
+ 2004-08-04 12:00 . 2004-08-04 12:00 95360 c:\windows\system32\drivers\atapi.sys
- 2004-08-04 12:00 . 2001-08-17 20:51 3328 c:\windows\system32\drivers\pciide.sys
+ 2004-08-04 12:00 . 2004-08-04 12:00 3328 c:\windows\system32\drivers\pciide.sys
- 2004-08-04 12:00 . 2009-12-10 10:19 432686 c:\windows\system32\perfh009.dat
+ 2004-08-04 12:00 . 2010-08-18 06:15 432686 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 868352]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2007-03-21 1953792]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-19 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
ASUS WiFi-AP Solo.lnk - c:\program files\ASUS WiFi-AP Solo\RtWLan.exe [2008-3-15 987136]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-7-18 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 09:42 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

S2 MSWA-d193543c;MSWA-d193543c;c:\windows\system32\d193543c.exe --> c:\windows\system32\d193543c.exe [?]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [3/15/2008 3:43 PM 176128]
S3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [3/15/2008 3:43 PM 13532]

--- Other Services/Drivers In Memory ---

*Deregistered* - ufcafypt
.
Contents of the 'Scheduled Tasks' folder

2010-08-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:34]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride =
uInternet Settings,ProxyServer = http=127.0.0.1:6522
FF - ProfilePath - c:\documents and settings\Media\Application Data\Mozilla\Firefox\Profiles\1hx4ckko.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Google
FF - user.js: browser.search.order.1 - Google
FF - user.js: keyword.URL - [You must be registered and logged in to see this link.] files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-08-21 08:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ufcafypt]

.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(600)
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(3772)
c:\windows\system32\WININET.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Network Associates\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\vstskmgr.exe
c:\program files\Network Associates\Common Framework\naPrdMgr.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
c:\program files\Network Associates\Common Framework\McTray.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-08-21 08:55:06 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-21 15:55
ComboFix2.txt 2010-08-18 05:11

Pre-Run: 588,352,999,424 bytes free
Post-Run: 588,340,117,504 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 728D19CD733CC92AC1E6664FE04A3F5C


Re: Banker Fox and Win32/Nuqel need help

Post by Dr Jay on 21st August 2010, 8:51 pm

Re-running ComboFix to remove infections:

  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the codebox below into it:
    Code:
    killall::

    DDS::
    uInternet Settings,ProxyOverride =
    uInternet Settings,ProxyServer = http=127.0.0.1:6522

    Registry::
    [-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ufcafypt]

    Driver::
    ufcafypt

    Reboot::
  • Save this as CFScript.txt, in the same location as ComboFix.exe



  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.


Dr. Jay (DJ)



Re: Banker Fox and Win32/Nuqel need help

Post by guerro on 22nd August 2010, 9:52 pm

ComboFix 10-08-22.01 - Media 08/22/2010 14:45:25.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1618 [GMT -7:00]
Running from: c:\documents and settings\Media\Desktop\combo-fix.exe
Command switches used :: c:\documents and settings\Media\Desktop\CFScript.txt
AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_UFCAFYPT
-------\Service_ufcafypt


((((((((((((((((((((((((( Files Created from 2010-07-22 to 2010-08-22 )))))))))))))))))))))))))))))))
.

2010-08-18 02:20 . 2010-08-18 02:20 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\ATI
2010-08-15 20:44 . 2010-08-15 20:44 -------- d-----w- c:\program files\iPod
2010-08-15 20:44 . 2010-08-15 20:45 -------- d-----w- c:\program files\iTunes
2010-08-15 20:44 . 2010-08-15 20:45 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-08-15 20:43 . 2010-08-15 20:43 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\ajyrpitea
2010-08-15 20:43 . 2010-08-22 21:48 781824 ----a-w- c:\windows\system32\drivers\ufcafypt.sys
2010-08-15 20:42 . 2010-08-18 05:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Update
2010-08-15 20:42 . 2010-08-15 20:43 -------- d-----w- c:\program files\QuickTime
2010-08-15 20:40 . 2010-08-15 20:40 -------- d-----w- c:\program files\Bonjour
2010-08-15 20:36 . 2010-08-15 20:36 61440 ----a-w- c:\documents and settings\Media\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-7292907c-n\decora-sse.dll
2010-08-15 20:36 . 2010-08-15 20:36 12800 ----a-w- c:\documents and settings\Media\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-7292907c-n\decora-d3d.dll
2010-08-15 20:36 . 2010-08-15 20:36 503808 ----a-w- c:\documents and settings\Media\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-3566b2fb-n\msvcp71.dll
2010-08-15 20:36 . 2010-08-15 20:36 499712 ----a-w- c:\documents and settings\Media\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-3566b2fb-n\jmc.dll
2010-08-15 20:36 . 2010-08-15 20:36 348160 ----a-w- c:\documents and settings\Media\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-3566b2fb-n\msvcr71.dll
2010-08-15 20:36 . 2010-07-17 12:00 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-15 20:34 . 2010-08-15 20:34 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.1.5\SetupAdmin.exe
2010-08-15 20:31 . 2010-08-18 01:52 0 ----a-w- c:\windows\Lviqahemile.bin
2010-08-15 20:31 . 2010-08-15 20:31 120 ----a-w- c:\windows\Pqaju.dat
2010-08-15 20:29 . 2004-08-04 05:31 20992 -c--a-w- c:\windows\system32\dllcache\rtl8139.sys
2010-08-15 20:29 . 2004-08-04 05:31 20992 ----a-w- c:\windows\system32\drivers\RTL8139.sys
2010-08-08 21:21 . 2006-04-06 02:38 110592 ----a-w- c:\documents and settings\Media\Application Data\U3\temp\cleanup.exe
2010-08-08 21:16 . 2010-08-08 21:16 -------- d-----w- c:\documents and settings\Media\Application Data\Malwarebytes
2010-08-08 21:16 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-08 21:16 . 2010-08-18 01:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-08 21:16 . 2010-08-08 21:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-08 21:16 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-08 21:15 . 2010-08-08 21:21 -------- d-----w- c:\documents and settings\Media\Application Data\U3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-15 20:44 . 2008-03-16 00:25 -------- d-----w- c:\program files\Common Files\Apple
2010-08-15 20:42 . 2010-06-04 20:56 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-15 20:36 . 2008-05-12 23:55 -------- d-----w- c:\program files\Common Files\Java
2010-08-15 20:36 . 2008-05-12 23:56 -------- d-----w- c:\program files\Java
2010-08-15 20:33 . 2008-03-17 02:50 -------- d-----w- c:\program files\Sonos
2010-05-28 03:35 . 2010-05-28 03:35 503808 ----a-w- c:\documents and settings\Media\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-1ae14fc3-n\msvcp71.dll
2010-05-28 03:35 . 2010-05-28 03:35 499712 ----a-w- c:\documents and settings\Media\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-1ae14fc3-n\jmc.dll
2010-05-28 03:35 . 2010-05-28 03:35 348160 ----a-w- c:\documents and settings\Media\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-1ae14fc3-n\msvcr71.dll
2010-05-26 00:44 . 2010-05-26 00:44 666112 ----a-w- c:\documents and settings\Media\Application Data\Macromedia\Flash Player\[You must be registered and logged in to see this link.]
2010-05-26 00:44 . 2010-05-26 00:44 319488 ----a-w- c:\documents and settings\Media\Application Data\Macromedia\Flash Player\[You must be registered and logged in to see this link.]
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-08-22 21:49 . 2010-08-22 21:49 16384 c:\windows\temp\Perflib_Perfdata_798.dat
+ 2004-08-04 12:00 . 2010-08-18 06:15 67516 c:\windows\system32\perfc009.dat
- 2004-08-04 12:00 . 2009-12-10 10:19 67516 c:\windows\system32\perfc009.dat
- 2004-08-04 12:00 . 2008-04-13 18:36 68224 c:\windows\system32\drivers\pci.sys
+ 2004-08-04 12:00 . 2004-08-04 12:00 68224 c:\windows\system32\drivers\pci.sys
+ 2004-08-04 12:00 . 2004-08-04 12:00 95360 c:\windows\system32\drivers\atapi.sys
- 2004-08-04 12:00 . 2001-08-17 20:51 3328 c:\windows\system32\drivers\pciide.sys
+ 2004-08-04 12:00 . 2004-08-04 12:00 3328 c:\windows\system32\drivers\pciide.sys
- 2004-08-04 12:00 . 2009-12-10 10:19 432686 c:\windows\system32\perfh009.dat
+ 2004-08-04 12:00 . 2010-08-18 06:15 432686 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 868352]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2007-03-21 1953792]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-19 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
ASUS WiFi-AP Solo.lnk - c:\program files\ASUS WiFi-AP Solo\RtWLan.exe [2008-3-15 987136]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-7-18 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 09:42 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

S2 MSWA-d193543c;MSWA-d193543c;c:\windows\system32\d193543c.exe --> c:\windows\system32\d193543c.exe [?]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [3/15/2008 3:43 PM 176128]
S3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [3/15/2008 3:43 PM 13532]
.
Contents of the 'Scheduled Tasks' folder

2010-08-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:34]
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\documents and settings\Media\Application Data\Mozilla\Firefox\Profiles\1hx4ckko.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Google
FF - user.js: browser.search.order.1 - Google
FF - user.js: keyword.URL - [You must be registered and logged in to see this link.] files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(592)
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(2964)
c:\windows\system32\WININET.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Network Associates\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\vstskmgr.exe
c:\program files\Network Associates\Common Framework\naPrdMgr.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
c:\program files\Network Associates\Common Framework\McTray.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
c:\program files\iPod\bin\iPodService.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
.
**************************************************************************
.
Completion time: 2010-08-22 14:51:45 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-22 21:51
ComboFix2.txt 2010-08-21 15:55
ComboFix3.txt 2010-08-18 05:11

Pre-Run: 588,177,084,416 bytes free
Post-Run: 588,091,723,776 bytes free

- - End Of File - - 1DEE3610BF54F59895DFCD0FC38681A9


Re: Banker Fox and Win32/Nuqel need help

Post by Dr Jay on 23rd August 2010, 7:28 am

Re-running ComboFix to remove infections:

  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the codebox below into it:
    Code:
    killall::
    File::
    c:\windows\system32\drivers\ufcafypt.sys
    c:\windows\Lviqahemile.bin
    c:\windows\Pqaju.dat
    c:\windows\system32\drivers\SjyPkt.sys

    Driver::
    ufcafypt
    MSWA-d193543c
    SjyPkt

    Firefox::
    FF - prefs.js: keyword.URL - hxxp://search.search-go.net/?sid=10101053100&s=
    FF - user.js: keyword.URL - hxxp://search.search-go.net/?sid=10101053100&s=c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

    reboot::
  • Save this as CFScript.txt, in the same location as ComboFix.exe

  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.


Dr. Jay (DJ)


Dr Jay
Head Administrator

Posts Posts : 14309
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Arch. Arch. : x64 (64-bit)
Protection Protection : Bitdefender Total Security
Points Points : 302960
# Likes # Likes : 10

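The Firefox:: block in the script above targets the keyword.URL entry in both prefs.js and user.js. To verify that such a fix actually held, and to see why both files have to be cleaned, here is an added example for this thread (not code from the original posts or from ComboFix): it parses a profile's prefs.js and user.js and flags search prefs whose URL host is outside an allow-list. The allow-list is an assumption, and the two sample files are constructed from the keyword.URL value quoted in the script (written with http:// where the thread defangs it as hxxp://).

```python
"""Check a Firefox profile's prefs.js and user.js for a search hijack.

Added example for this thread, not part of the original posts and not
ComboFix's code. The two sample files are constructed from the keyword.URL
value quoted in the thread; the allow-list of search hosts is an assumption
to adjust for the profile being examined.
"""
import re
from urllib.parse import urlparse

# Prefs that address-bar and search hijackers rewrite.
SEARCH_PREFS = ("keyword.URL", "browser.search.defaulturl", "browser.startup.homepage")

# Search hosts treated as legitimate (assumption; extend per environment).
ALLOWED_HOSTS = {"www.google.com", "www.bing.com", "search.yahoo.com"}

PREF_RE = re.compile(r'^\s*(?:user_)?pref\("([^"]+)",\s*(.*?)\);\s*$')

# Constructed sample files, modeled on the lines quoted in the thread.
SAMPLE_PREFS_JS = """\
// Mozilla User Preferences
user_pref("browser.search.selectedEngine", "Google");
user_pref("keyword.URL", "http://search.search-go.net/?sid=10101053100&s=");
user_pref("network.cookie.prefsMigrated", true);
"""

SAMPLE_USER_JS = """\
user_pref("browser.search.selectedEngine", "Google");
user_pref("browser.search.order.1", "Google");
user_pref("keyword.URL", "http://search.search-go.net/?sid=10101053100&s=");
"""


def parse_prefs(text):
    """Return {name: value} for every pref()/user_pref() line; string values are unquoted."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            raw = raw[1:-1].replace('\\"', '"')
        prefs[name] = raw
    return prefs


def find_hijacks(prefs, source):
    """Flag SEARCH_PREFS whose URL host is outside ALLOWED_HOSTS.

    A hit in user.js is marked persistent: Firefox re-applies user.js to
    prefs.js at every start, so cleaning prefs.js alone does not stick.
    """
    findings = []
    for name in SEARCH_PREFS:
        value = prefs.get(name)
        if not value or not value.lower().startswith(("http://", "https://")):
            continue
        host = (urlparse(value).hostname or "").lower()
        if host not in ALLOWED_HOSTS:
            findings.append({"source": source, "pref": name, "host": host,
                             "value": value, "persistent": source == "user.js"})
    return findings


def audit_profile(prefs_js, user_js=""):
    """Audit both files of a profile; user.js may be absent (empty string)."""
    return (find_hijacks(parse_prefs(prefs_js), "prefs.js")
            + find_hijacks(parse_prefs(user_js), "user.js"))


if __name__ == "__main__":
    for f in audit_profile(SAMPLE_PREFS_JS, SAMPLE_USER_JS):
        flag = " (re-applied from user.js at every start)" if f["persistent"] else ""
        print(f'{f["source"]}: {f["pref"]} -> {f["host"]}{flag}')
```

Run it against the real files under the profile directory shown in the log (FF - ProfilePath) after the fix: if the user.js hit is still there, the hijack will be back in prefs.js the next time Firefox starts, whatever the prefs.js cleanup did.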

Re: Banker Fox and Win32/Nuqel need help

Post by guerro on 24th August 2010, 1:53 am

ComboFix 10-08-23.02 - Media 08/23/2010 18:44:15.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1525 [GMT -7:00]
Running from: c:\documents and settings\Media\Desktop\combo-fix.exe
Command switches used :: c:\documents and settings\Media\Desktop\CFScript.txt
AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

FILE ::
"c:\windows\Lviqahemile.bin"
"c:\windows\Pqaju.dat"
"c:\windows\system32\drivers\SjyPkt.sys"
"c:\windows\system32\drivers\ufcafypt.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Media\My Documents\Internet Explorer.lnk
c:\windows\Lviqahemile.bin
c:\windows\Pqaju.dat
c:\windows\system32\drivers\SjyPkt.sys
c:\windows\system32\drivers\ufcafypt.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MSWA-D193543C
-------\Legacy_SJYPKT
-------\Service_MSWA-d193543c
-------\Service_SjyPkt


((((((((((((((((((((((((( Files Created from 2010-07-24 to 2010-08-24 )))))))))))))))))))))))))))))))
.

2010-08-22 21:43 . 2010-08-22 21:51 -------- d-----w- C:\combo-fix
2010-08-22 21:40 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-08-15 20:44 . 2010-08-15 20:44 -------- d-----w- c:\program files\iPod
2010-08-15 20:44 . 2010-08-15 20:45 -------- d-----w- c:\program files\iTunes
2010-08-15 20:44 . 2010-08-15 20:45 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-08-15 20:43 . 2010-08-15 20:43 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\ajyrpitea
2010-08-15 20:42 . 2010-08-18 05:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Update
2010-08-15 20:42 . 2010-08-15 20:43 -------- d-----w- c:\program files\QuickTime
2010-08-15 20:40 . 2010-08-15 20:40 -------- d-----w- c:\program files\Bonjour
2010-08-15 20:36 . 2010-08-15 20:36 61440 ----a-w- c:\documents and settings\Media\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-7292907c-n\decora-sse.dll
2010-08-15 20:36 . 2010-08-15 20:36 12800 ----a-w- c:\documents and settings\Media\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-7292907c-n\decora-d3d.dll
2010-08-15 20:36 . 2010-08-15 20:36 503808 ----a-w- c:\documents and settings\Media\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-3566b2fb-n\msvcp71.dll
2010-08-15 20:36 . 2010-08-15 20:36 499712 ----a-w- c:\documents and settings\Media\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-3566b2fb-n\jmc.dll
2010-08-15 20:36 . 2010-08-15 20:36 348160 ----a-w- c:\documents and settings\Media\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-3566b2fb-n\msvcr71.dll
2010-08-15 20:36 . 2010-07-17 12:00 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-15 20:34 . 2010-08-15 20:34 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.1.5\SetupAdmin.exe
2010-08-15 20:29 . 2004-08-04 05:31 20992 -c--a-w- c:\windows\system32\dllcache\rtl8139.sys
2010-08-15 20:29 . 2004-08-04 05:31 20992 ----a-w- c:\windows\system32\drivers\RTL8139.sys
2010-08-08 21:21 . 2006-04-06 02:38 110592 ----a-w- c:\documents and settings\Media\Application Data\U3\temp\cleanup.exe
2010-08-08 21:16 . 2010-08-08 21:16 -------- d-----w- c:\documents and settings\Media\Application Data\Malwarebytes
2010-08-08 21:16 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-08 21:16 . 2010-08-18 01:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-08 21:16 . 2010-08-08 21:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-08 21:16 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-08 21:15 . 2010-08-08 21:21 -------- d-----w- c:\documents and settings\Media\Application Data\U3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-15 20:44 . 2008-03-16 00:25 -------- d-----w- c:\program files\Common Files\Apple
2010-08-15 20:42 . 2010-06-04 20:56 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-15 20:36 . 2008-05-12 23:55 -------- d-----w- c:\program files\Common Files\Java
2010-08-15 20:36 . 2008-05-12 23:56 -------- d-----w- c:\program files\Java
2010-08-15 20:33 . 2008-03-17 02:50 -------- d-----w- c:\program files\Sonos
2010-06-30 12:31 . 2004-08-04 12:00 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:15 . 2004-08-04 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 12:15 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-06-24 12:15 . 2004-08-04 12:00 17408 ------w- c:\windows\system32\corpol.dll
2010-06-23 13:44 . 2004-08-04 12:00 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2004-08-04 12:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2004-08-04 12:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2008-03-15 22:19 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 07:41 . 2004-08-04 12:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-05-28 03:35 . 2010-05-28 03:35 503808 ----a-w- c:\documents and settings\Media\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-1ae14fc3-n\msvcp71.dll
2010-05-28 03:35 . 2010-05-28 03:35 499712 ----a-w- c:\documents and settings\Media\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-1ae14fc3-n\jmc.dll
2010-05-28 03:35 . 2010-05-28 03:35 348160 ----a-w- c:\documents and settings\Media\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-1ae14fc3-n\msvcr71.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 868352]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2007-03-21 1953792]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-19 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
ASUS WiFi-AP Solo.lnk - c:\program files\ASUS WiFi-AP Solo\RtWLan.exe [2008-3-15 987136]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-7-18 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 09:42 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

S3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [3/15/2008 3:43 PM 176128]
.
Contents of the 'Scheduled Tasks' folder

2010-08-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:34]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyServer = http=127.0.0.1:6522
uInternet Settings,ProxyOverride =
FF - ProfilePath - c:\documents and settings\Media\Application Data\Mozilla\Firefox\Profiles\1hx4ckko.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Google
FF - user.js: browser.search.order.1 - Google
FF - user.js: keyword.URL - [You must be registered and logged in to see this link.] files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-08-23 18:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(596)
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(2584)
c:\windows\system32\WININET.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Network Associates\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\vstskmgr.exe
c:\program files\Network Associates\Common Framework\naPrdMgr.exe
c:\windows\system32\wscntfy.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
c:\program files\Network Associates\Common Framework\McTray.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-08-23 18:51:39 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-24 01:51
ComboFix2.txt 2010-08-22 21:51
ComboFix3.txt 2010-08-21 15:55
ComboFix4.txt 2010-08-18 05:11

Pre-Run: 587,520,290,816 bytes free
Post-Run: 587,552,157,696 bytes free

- - End Of File - - 6465FA0AEC4A45CFE211D4A479F24590


Re: Banker Fox and Win32/Nuqel need help

Post by Dr Jay on 24th August 2010, 8:37 pm

Re-running ComboFix to remove infections:

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the codebox below into it:
    Code:
    SRPEEK::
    c:\windows\system32\dllcache\helpsvc.exe

    DDS::
    uInternet Settings,ProxyServer = http=127.0.0.1:6522
    uInternet Settings,ProxyOverride =
  • Save this as CFScript.txt, in the same location as ComboFix.exe

  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.


Dr. Jay (DJ)


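The proxy line the DDS:: block above clears, http=127.0.0.1:6522, points Internet Explorer's WinINet proxy setting at the machine itself: some local process on this box was relaying, and could read or rewrite, the browser's traffic, which is the usual arrangement for a banking trojan. The SRPEEK:: line asks ComboFix to report MD5s for the live helpsvc.exe and any System Restore copies of it so they can be compared. As an added example for this thread (not the original posts' code and not ComboFix's), the following Python parses those two kinds of line from a ComboFix log, flags proxies on loopback addresses, and summarizes whether the reported copies share a size but differ in hash. The sample lines are constructed from the log quoted in this thread; the leading bracketed field of SR_Search rows is left uninterpreted.

```python
"""Triage two indicators from a ComboFix log: a proxy on the local host and
SRPEEK (SR_Search) copies of a file whose MD5 hashes disagree.

Added example for this thread, not part of the original posts and not
ComboFix's own code. SAMPLE_LOG is constructed from lines quoted in the
thread; the regexes assume the line shapes seen there.
"""
import ipaddress
import re

PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(.*)$")
SR_ROW_RE = re.compile(r"^\[(\d+)\]\s+([0-9A-Fa-f]{32})\s+(\d+)\s+(\S.*)$")

# Constructed sample: the ProxyServer line and the two SR_Search rows from the thread.
SAMPLE_LOG = [
    "uInternet Settings,ProxyServer = http=127.0.0.1:6522",
    "uInternet Settings,ProxyOverride = ",
    r"[7] E5517D0908CA75EEF9633A93FF3F0408 744448 c:\windows\pchealth\helpctr\binaries\helpsvc.exe",
    r"[7] B9CBAEA39CEA686827D152C650247EED 744448 \RP4\A0001257.exe",
]


def split_proxy_setting(value):
    """Split a WinINet ProxyServer value into (scheme, host, port) tuples.

    The value is either 'host:port' (one proxy for every protocol) or a
    ';'-separated list of 'scheme=host:port' entries.
    """
    entries = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, sep, hostport = part.partition("=")
        if not sep:
            scheme, hostport = "all", part
        host, sep, port = hostport.rpartition(":")
        if not sep:
            host, port = hostport, None
        entries.append((scheme.lower(), host.strip("[]"), port))
    return entries


def is_loopback(host):
    """True when the proxy is the machine itself, i.e. a local process sits
    between the browser and the network."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # a host name: not flagged here


def find_loopback_proxies(log_lines):
    """Return (scheme, host, port) for every ProxyServer entry on a loopback address."""
    hits = []
    for line in log_lines:
        m = PROXY_RE.match(line.strip())
        if not m:
            continue
        hits.extend(e for e in split_proxy_setting(m.group(1)) if is_loopback(e[1]))
    return hits


def sr_search_copies(log_lines):
    """Parse SR_Search rows into dicts. The restore-point copy carries a
    renamed path (\\RPn\\A000xxxx.exe), so copies cannot be matched by name;
    all rows of the block are taken to answer the one SRPEEK:: query."""
    copies = []
    for line in log_lines:
        m = SR_ROW_RE.match(line.strip())
        if m:
            _, md5, size, path = m.groups()
            copies.append({"md5": md5.upper(), "size": int(size), "path": path})
    return copies


def summarize_copies(copies):
    """Same size with more than one MD5 is the pattern of an in-place
    modification, whether by malware or by an update."""
    return {"copies": len(copies),
            "distinct_md5": len({c["md5"] for c in copies}),
            "same_size": len({c["size"] for c in copies}) == 1}


if __name__ == "__main__":
    for scheme, host, port in find_loopback_proxies(SAMPLE_LOG):
        print(f"loopback proxy: {scheme} -> {host}:{port}")
    print(summarize_copies(sr_search_copies(SAMPLE_LOG)))
```

Both results are leads to confirm, not verdicts: a loopback proxy is also what a deliberately installed local filter or debugging proxy looks like, and a live file whose MD5 differs from a restore-point copy of the same size may simply be the post-update version, so the next step is to check the live binary's version, signature and date against the update history before treating it as patched.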

Re: Banker Fox and Win32/Nuqel need help

Post by guerro on 27th August 2010, 2:22 am

ComboFix 10-08-26.02 - Media 08/26/2010 19:15:38.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1370 [GMT -7:00]
Running from: c:\documents and settings\Media\Desktop\combo-fix.exe
Command switches used :: c:\documents and settings\Media\Desktop\CFScript.txt
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.

((((((((((((((((((((((((( Files Created from 2010-07-27 to 2010-08-27 )))))))))))))))))))))))))))))))
.

2010-08-22 21:43 . 2010-08-22 21:51 -------- d-----w- C:\combo-fix
2010-08-22 21:40 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-08-15 20:44 . 2010-08-15 20:44 -------- d-----w- c:\program files\iPod
2010-08-15 20:44 . 2010-08-15 20:45 -------- d-----w- c:\program files\iTunes
2010-08-15 20:44 . 2010-08-15 20:45 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-08-15 20:43 . 2010-08-15 20:43 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\ajyrpitea
2010-08-15 20:42 . 2010-08-18 05:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Update
2010-08-15 20:42 . 2010-08-15 20:43 -------- d-----w- c:\program files\QuickTime
2010-08-15 20:40 . 2010-08-15 20:40 -------- d-----w- c:\program files\Bonjour
2010-08-15 20:36 . 2010-08-15 20:36 61440 ----a-w- c:\documents and settings\Media\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-7292907c-n\decora-sse.dll
2010-08-15 20:36 . 2010-08-15 20:36 12800 ----a-w- c:\documents and settings\Media\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-7292907c-n\decora-d3d.dll
2010-08-15 20:36 . 2010-08-15 20:36 503808 ----a-w- c:\documents and settings\Media\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-3566b2fb-n\msvcp71.dll
2010-08-15 20:36 . 2010-08-15 20:36 499712 ----a-w- c:\documents and settings\Media\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-3566b2fb-n\jmc.dll
2010-08-15 20:36 . 2010-08-15 20:36 348160 ----a-w- c:\documents and settings\Media\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-3566b2fb-n\msvcr71.dll
2010-08-15 20:36 . 2010-07-17 12:00 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-15 20:34 . 2010-08-15 20:34 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.1.5\SetupAdmin.exe
2010-08-15 20:29 . 2004-08-04 05:31 20992 -c--a-w- c:\windows\system32\dllcache\rtl8139.sys
2010-08-15 20:29 . 2004-08-04 05:31 20992 ----a-w- c:\windows\system32\drivers\RTL8139.sys
2010-08-08 21:21 . 2006-04-06 02:38 110592 ----a-w- c:\documents and settings\Media\Application Data\U3\temp\cleanup.exe
2010-08-08 21:16 . 2010-08-08 21:16 -------- d-----w- c:\documents and settings\Media\Application Data\Malwarebytes
2010-08-08 21:16 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-08 21:16 . 2010-08-18 01:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-08 21:16 . 2010-08-08 21:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-08 21:16 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-08 21:15 . 2010-08-08 21:21 -------- d-----w- c:\documents and settings\Media\Application Data\U3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-15 20:44 . 2008-03-16 00:25 -------- d-----w- c:\program files\Common Files\Apple
2010-08-15 20:42 . 2010-06-04 20:56 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-15 20:36 . 2008-05-12 23:55 -------- d-----w- c:\program files\Common Files\Java
2010-08-15 20:36 . 2008-05-12 23:56 -------- d-----w- c:\program files\Java
2010-08-15 20:33 . 2008-03-17 02:50 -------- d-----w- c:\program files\Sonos
2010-06-30 12:31 . 2004-08-04 12:00 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:15 . 2004-08-04 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 12:15 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-06-24 12:15 . 2004-08-04 12:00 17408 ------w- c:\windows\system32\corpol.dll
2010-06-23 13:44 . 2004-08-04 12:00 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2004-08-04 12:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2004-08-04 12:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2008-03-15 22:19 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 07:41 . 2004-08-04 12:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
.

(((((((((((((((((((((((((((((((((((((((((( SR_Search ))))))))))))))))))))))))))))))))))))))))))))))))))))))))

[7] E5517D0908CA75EEF9633A93FF3F0408 744448 c:\windows\pchealth\helpctr\binaries\helpsvc.exe
[7] B9CBAEA39CEA686827D152C650247EED 744448 \RP4\A0001257.exe
.
((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-08-24 01:47 . 2010-08-24 01:47 16384 c:\windows\temp\Perflib_Perfdata_760.dat
+ 2007-11-13 11:31 . 2010-04-21 13:28 46080 c:\windows\system32\tzchange.exe
- 2007-11-13 11:31 . 2010-01-23 08:11 46080 c:\windows\system32\tzchange.exe
+ 2010-03-31 07:16 . 2010-03-31 07:16 99176 c:\windows\system32\PresentationHostProxy.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 44544 c:\windows\system32\pngfilt.dll
- 2004-08-04 12:00 . 2010-03-11 12:38 44544 c:\windows\system32\pngfilt.dll
- 2004-08-04 12:00 . 2009-12-10 10:19 67516 c:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2010-08-22 22:04 67516 c:\windows\system32\perfc009.dat
+ 2009-11-07 08:07 . 2009-11-07 08:07 49488 c:\windows\system32\netfxperf.dll
+ 2009-11-07 08:07 . 2009-11-07 08:07 11600 c:\windows\system32\mui\0409\mscorees.dll
+ 2007-08-14 01:54 . 2010-06-24 12:15 52224 c:\windows\system32\msfeedsbs.dll
- 2007-08-14 01:54 . 2010-03-11 12:38 52224 c:\windows\system32\msfeedsbs.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 27648 c:\windows\system32\jsproxy.dll
- 2004-08-04 12:00 . 2010-03-11 12:38 27648 c:\windows\system32\jsproxy.dll
+ 2007-08-14 01:39 . 2010-06-23 12:06 13824 c:\windows\system32\ieudinit.exe
- 2007-08-14 01:39 . 2010-03-10 13:18 13824 c:\windows\system32\ieudinit.exe
+ 2004-08-04 12:00 . 2010-06-24 12:15 44544 c:\windows\system32\iernonce.dll
- 2004-08-04 12:00 . 2010-03-11 12:38 44544 c:\windows\system32\iernonce.dll
- 2004-08-04 12:00 . 2010-03-10 13:18 70656 c:\windows\system32\ie4uinit.exe
+ 2004-08-04 12:00 . 2010-06-23 12:06 70656 c:\windows\system32\ie4uinit.exe
+ 2007-08-14 01:36 . 2010-06-24 12:15 63488 c:\windows\system32\icardie.dll
- 2007-08-14 01:36 . 2010-03-11 12:38 63488 c:\windows\system32\icardie.dll
+ 2008-03-16 06:09 . 2010-08-22 23:07 95072 c:\windows\system32\FNTCACHE.DAT
- 2008-03-16 06:09 . 2009-11-12 02:34 95072 c:\windows\system32\FNTCACHE.DAT
+ 2004-08-04 12:00 . 2004-08-04 12:00 68224 c:\windows\system32\drivers\pci.sys
- 2004-08-04 12:00 . 2008-04-13 18:36 68224 c:\windows\system32\drivers\pci.sys
+ 2004-08-04 12:00 . 2004-08-04 12:00 95360 c:\windows\system32\drivers\atapi.sys
- 2004-08-04 12:00 . 2010-03-11 12:38 44544 c:\windows\system32\dllcache\pngfilt.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 44544 c:\windows\system32\dllcache\pngfilt.dll
- 2008-03-15 23:30 . 2010-03-11 12:38 52224 c:\windows\system32\dllcache\msfeedsbs.dll
+ 2008-03-15 23:30 . 2010-06-24 12:15 52224 c:\windows\system32\dllcache\msfeedsbs.dll
- 2004-08-04 12:00 . 2010-03-11 12:38 27648 c:\windows\system32\dllcache\jsproxy.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 27648 c:\windows\system32\dllcache\jsproxy.dll
+ 2008-03-15 23:30 . 2010-06-23 12:06 13824 c:\windows\system32\dllcache\ieudinit.exe
- 2008-03-15 23:30 . 2010-03-10 13:18 13824 c:\windows\system32\dllcache\ieudinit.exe
- 2004-08-04 12:00 . 2010-03-11 12:38 44544 c:\windows\system32\dllcache\iernonce.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 44544 c:\windows\system32\dllcache\iernonce.dll
- 2009-02-20 18:09 . 2010-03-11 12:38 78336 c:\windows\system32\dllcache\ieencode.dll
+ 2009-02-20 18:09 . 2010-06-24 12:15 78336 c:\windows\system32\dllcache\ieencode.dll
- 2004-08-04 12:00 . 2010-03-10 13:18 70656 c:\windows\system32\dllcache\ie4uinit.exe
+ 2004-08-04 12:00 . 2010-06-23 12:06 70656 c:\windows\system32\dllcache\ie4uinit.exe
- 2008-03-15 23:30 . 2010-03-11 12:38 63488 c:\windows\system32\dllcache\icardie.dll
+ 2008-03-15 23:30 . 2010-06-24 12:15 63488 c:\windows\system32\dllcache\icardie.dll
+ 2009-06-29 16:12 . 2010-06-24 12:15 17408 c:\windows\system32\dllcache\corpol.dll
- 2009-06-29 16:12 . 2010-03-11 12:38 17408 c:\windows\system32\dllcache\corpol.dll
+ 2010-03-05 14:37 . 2010-03-05 14:37 65536 c:\windows\system32\dllcache\asycfilt.dll
+ 2004-08-04 12:00 . 2010-03-05 14:37 65536 c:\windows\system32\asycfilt.dll
- 2008-07-30 02:16 . 2008-07-30 02:16 32768 c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\System.ServiceModel.WasHosting.dll
+ 2010-04-08 06:48 . 2010-04-08 06:48 32768 c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\System.ServiceModel.WasHosting.dll
+ 2009-11-07 08:07 . 2009-11-07 08:07 13648 c:\windows\Microsoft.NET\Framework\v2.0.50727\sbscmp20_mscorlib.dll
+ 2010-03-23 12:31 . 2010-03-23 12:31 30544 c:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.exe
+ 2009-11-07 08:07 . 2009-11-07 08:07 13648 c:\windows\Microsoft.NET\Framework\SharedReg12.dll
+ 2009-11-07 08:07 . 2009-11-07 08:07 13648 c:\windows\Microsoft.NET\Framework\sbscmp20_perfcounter.dll
+ 2009-11-07 08:07 . 2009-11-07 08:07 13648 c:\windows\Microsoft.NET\Framework\sbscmp20_mscorwks.dll
+ 2009-11-07 08:07 . 2009-11-07 08:07 13648 c:\windows\Microsoft.NET\Framework\sbscmp10.dll
+ 2009-11-07 08:07 . 2009-11-07 08:07 13664 c:\windows\Microsoft.NET\Framework\sbs_wminet_utils.dll
+ 2009-11-07 08:07 . 2009-11-07 08:07 13688 c:\windows\Microsoft.NET\Framework\sbs_system.enterpriseservices.dll
+ 2009-11-07 08:07 . 2009-11-07 08:07 13664 c:\windows\Microsoft.NET\Framework\sbs_system.data.dll
+ 2009-11-07 08:07 . 2009-11-07 08:07 13696 c:\windows\Microsoft.NET\Framework\sbs_system.configuration.install.dll
+ 2009-11-07 08:07 . 2009-11-07 08:07 13656 c:\windows\Microsoft.NET\Framework\sbs_mscorsec.dll
+ 2009-11-07 08:07 . 2009-11-07 08:07 13656 c:\windows\Microsoft.NET\Framework\sbs_mscorrc.dll
+ 2009-11-07 08:07 . 2009-11-07 08:07 13656 c:\windows\Microsoft.NET\Framework\sbs_mscordbi.dll
+ 2009-11-07 08:07 . 2009-11-07 08:07 13672 c:\windows\Microsoft.NET\Framework\sbs_microsoft.jscript.dll
+ 2009-11-07 08:07 . 2009-11-07 08:07 13664 c:\windows\Microsoft.NET\Framework\sbs_diasymreader.dll
+ 2009-11-07 08:07 . 2009-11-07 08:07 86864 c:\windows\Microsoft.NET\Framework\NETFXSBS10.exe
+ 2010-08-22 22:05 . 2010-03-11 12:38 44544 c:\windows\ie7updates\KB2183461-IE7\pngfilt.dll
+ 2010-08-22 22:05 . 2010-03-11 12:38 52224 c:\windows\ie7updates\KB2183461-IE7\msfeedsbs.dll
+ 2010-08-22 22:05 . 2010-03-11 12:38 27648 c:\windows\ie7updates\KB2183461-IE7\jsproxy.dll
+ 2010-08-22 22:05 . 2010-03-10 13:18 13824 c:\windows\ie7updates\KB2183461-IE7\ieudinit.exe
+ 2010-08-22 22:05 . 2010-03-11 12:38 44544 c:\windows\ie7updates\KB2183461-IE7\iernonce.dll
+ 2010-08-22 22:05 . 2010-03-11 12:38 78336 c:\windows\ie7updates\KB2183461-IE7\ieencode.dll
+ 2010-08-22 22:05 . 2010-03-10 13:18 70656 c:\windows\ie7updates\KB2183461-IE7\ie4uinit.exe
+ 2010-08-22 22:05 . 2010-03-11 12:38 63488 c:\windows\ie7updates\KB2183461-IE7\icardie.dll
+ 2010-08-22 22:05 . 2010-03-11 12:38 17408 c:\windows\ie7updates\KB2183461-IE7\corpol.dll
+ 2010-08-22 23:08 . 2010-08-22 23:08 60928 c:\windows\assembly\NativeImages_v2.0.50727_32\UIAutomationProvider\5ec9dec678303ebff0ef018edb5ec595\UIAutomationProvider.ni.dll
+ 2010-08-22 23:20 . 2010-08-22 23:20 37888 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Pres#\46ef15b88ef577de4882c519329fc5d2\System.Windows.Presentation.ni.dll
+ 2010-08-22 23:20 . 2010-08-22 23:20 36864 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.DynamicD#\aada360296a42e0413579a19c771ec2d\System.Web.DynamicData.Design.ni.dll
+ 2010-08-22 23:19 . 2010-08-22 23:19 94208 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ComponentMod#\2b5ff2c6358c483eb1439b99badb54fd\System.ComponentModel.DataAnnotations.ni.dll
+ 2010-08-22 23:19 . 2010-08-22 23:19 82944 c:\windows\assembly\NativeImages_v2.0.50727_32\System.AddIn.Contra#\6125ff5a4fcd93d70a246cbff3005d42\System.AddIn.Contract.ni.dll
+ 2010-08-22 22:03 . 2010-08-22 22:03 47104 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFontCac#\f857fa084a139cc3d510e72ca1218a5f\PresentationFontCache.ni.exe
+ 2010-08-22 22:05 . 2010-08-22 22:05 47104 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFontCac#\de26af01222270c121788161496fcfe7\PresentationFontCache.ni.exe
+ 2010-08-22 22:03 . 2010-08-22 22:03 39424 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationCFFRast#\bfb89ce9799bcfb90bde99702d542e3f\PresentationCFFRasterizer.ni.dll
+ 2010-08-22 22:05 . 2010-08-22 22:05 39424 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationCFFRast#\3c5adeedb70e6e052a6556c6ab9b6918\PresentationCFFRasterizer.ni.dll
+ 2010-08-22 23:20 . 2010-08-22 23:20 55296 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Vsa\5e5176efbfeb803b7f217525beec6844\Microsoft.Vsa.ni.dll
+ 2010-08-22 23:19 . 2010-08-22 23:19 74752 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Fra#\e1d4e0b1f112000ab33bbaf88bd9ed99\Microsoft.Build.Framework.ni.dll
+ 2010-08-22 23:19 . 2010-08-22 23:19 65024 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Fra#\4200cf5b7f247ec1b997808c6d1ba7d1\Microsoft.Build.Framework.ni.dll
+ 2010-08-22 23:19 . 2010-08-22 23:19 14336 c:\windows\assembly\NativeImages_v2.0.50727_32\dfsvc\50b7fc7f36c76313cbb434b10923e4e9\dfsvc.ni.exe
+ 2010-08-22 23:19 . 2010-08-22 23:19 25600 c:\windows\assembly\NativeImages_v2.0.50727_32\Accessibility\5ffa548547613dbc5a92f2c5b7cad196\Accessibility.ni.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 77824 c:\windows\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 77824 c:\windows\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
- 2009-08-08 22:37 . 2009-08-08 22:37 32768 c:\windows\assembly\GAC_MSIL\System.ServiceModel.WasHosting\3.0.0.0__b77a5c561934e089\System.ServiceModel.WasHosting.dll
+ 2010-08-22 21:59 . 2010-08-22 21:59 32768 c:\windows\assembly\GAC_MSIL\System.ServiceModel.WasHosting\3.0.0.0__b77a5c561934e089\System.ServiceModel.WasHosting.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 81920 c:\windows\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 81920 c:\windows\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 81920 c:\windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 81920 c:\windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 32768 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 32768 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 12800 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 12800 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 28672 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 28672 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 77824 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 77824 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 36864 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 36864 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 77824 c:\windows\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 77824 c:\windows\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 13312 c:\windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 13312 c:\windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 10752 c:\windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 10752 c:\windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 72192 c:\windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 72192 c:\windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 69120 c:\windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 69120 c:\windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 8192 c:\windows\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e\IEExecRemote.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 8192 c:\windows\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e\IEExecRemote.dll
+ 2004-08-04 12:00 . 2004-08-04 12:00 3328 c:\windows\system32\drivers\pciide.sys
- 2004-08-04 12:00 . 2001-08-17 20:51 3328 c:\windows\system32\drivers\pciide.sys
+ 2010-08-22 22:04 . 2010-08-22 22:04 7168 c:\windows\assembly\GAC_MSIL\Microsoft_VsaVb\8.0.0.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 7168 c:\windows\assembly\GAC_MSIL\Microsoft_VsaVb\8.0.0.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 5632 c:\windows\assembly\GAC_MSIL\Microsoft.VisualC\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 5632 c:\windows\assembly\GAC_MSIL\Microsoft.VisualC\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 6656 c:\windows\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 6656 c:\windows\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 8192 c:\windows\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\IEExecRemote.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 8192 c:\windows\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\IEExecRemote.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 113664 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.Wrapper.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 113664 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.Wrapper.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 258048 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 258048 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll

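The snapshot comparison above pairs an old (`-`) and a new (`+`) version of each changed file. Reading several hundred of these by eye is error-prone, so here is a small triage parser, added as an example and not part of the thread or of ComboFix itself. It assumes the line layout visible in the log (sign, creation time, `.`, last-write time, size in bytes, path); the sample lines are copied from the log above so it runs offline. It groups entries by path, tells replaced files from new-only and old-only ones, lists new files that sit outside caller-supplied "expected" folders, and separately lists files whose last-write time is older than their creation time, which is a normal artifact of the update backing up old binaries (the `ie7updates\KB2183461-IE7` entries) rather than evidence of tampering.

```python
"""Triage helper for a ComboFix-style snapshot comparison ("+ new / - old" lines)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: nine lines copied from the snapshot comparison posted above.
SAMPLE = r"""
- 2004-08-04 12:00 . 2010-03-11 12:38 233472 c:\windows\system32\webcheck.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 233472 c:\windows\system32\webcheck.dll
+ 2010-03-31 07:10 . 2010-03-31 07:10 295264 c:\windows\system32\PresentationHost.exe
+ 2008-10-14 17:03 . 2010-06-21 15:27 354304 c:\windows\system32\dllcache\srv.sys
+ 2010-08-22 22:05 . 2010-03-11 12:38 832512 c:\windows\ie7updates\KB2183461-IE7\wininet.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 81920 c:\windows\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 81920 c:\windows\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
- 2004-08-04 12:00 . 2008-04-14 00:09 285696 c:\windows\system32\atmfd.dll
+ 2004-08-04 12:00 . 2010-04-20 05:30 285696 c:\windows\system32\atmfd.dll
"""

# Assumed layout (read off the log above): sign, creation time, ".", last-write
# time, size in bytes, full path. This is our reading of the format, not a spec.
LINE_RE = re.compile(
    r"^(?P<sign>[+-]) (?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (?P<size>\d+) (?P<path>\S.*)$"
)


@dataclass(frozen=True)
class Entry:
    sign: str       # "+" = present in the new snapshot, "-" = present in the old one
    created: str    # ISO-like text, so plain string comparison orders it correctly
    modified: str
    size: int
    path: str


def parse(text):
    """Return one Entry per well-formed line; anything else is ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m["sign"], m["created"], m["modified"],
                                 int(m["size"]), m["path"]))
    return entries


def classify(entries):
    """Map each path (case-folded: NTFS paths are case-insensitive) to 'replaced'
    (old and new version both listed), 'added' (new only) or 'removed' (old only)."""
    signs = defaultdict(set)
    for e in entries:
        signs[e.path.lower()].add(e.sign)
    return {p: ("replaced" if s == {"+", "-"} else "added" if s == {"+"} else "removed")
            for p, s in signs.items()}


def summarize(entries):
    """Count paths per status."""
    counts = {"replaced": 0, "added": 0, "removed": 0}
    for status in classify(entries).values():
        counts[status] += 1
    return counts


def added_outside(entries, expected_prefixes):
    """New-only files whose path is not under any caller-supplied prefix (for instance
    update staging folders). This is a list to look at by hand, not a verdict."""
    status = classify(entries)
    prefixes = tuple(p.lower() for p in expected_prefixes)
    return sorted(e.path for e in entries
                  if e.sign == "+" and status[e.path.lower()] == "added"
                  and not e.path.lower().startswith(prefixes))


def modified_before_created(entries):
    """New-snapshot files whose last-write time precedes their creation time. On its
    own this is not evidence of timestomping: copying a file to a new location (as the
    IE update does when it backs up the old binaries) keeps the old last-write time and
    assigns a fresh creation time, which is exactly the ie7updates pattern above."""
    return sorted(e.path for e in entries if e.sign == "+" and e.modified < e.created)


if __name__ == "__main__":
    parsed = parse(SAMPLE)
    print(summarize(parsed))
    print(added_outside(parsed, ["c:\\windows\\ie7updates\\",
                                 "c:\\windows\\system32\\dllcache\\"]))
    print(modified_before_created(parsed))
```

Run against the full log, the `replaced` pairs with identical sizes and a last-write time that moved forward (the system32 IE libraries going from 2010-03-11 to 2010-06-24) line up with a cumulative update, while anything `added_outside` returns is what the helper should be asked about.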

Re: Banker Fox and Win32/Nuqel need help

Post by guerro on 27th August 2010, 2:23 am

- 2004-08-04 12:00 . 2010-03-11 12:38 233472 c:\windows\system32\webcheck.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 233472 c:\windows\system32\webcheck.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 105984 c:\windows\system32\url.dll
- 2004-08-04 12:00 . 2010-03-11 12:38 105984 c:\windows\system32\url.dll
+ 2010-03-31 07:10 . 2010-03-31 07:10 295264 c:\windows\system32\PresentationHost.exe
+ 2004-08-04 12:00 . 2010-08-22 22:04 432686 c:\windows\system32\perfh009.dat
- 2004-08-04 12:00 . 2009-12-10 10:19 432686 c:\windows\system32\perfh009.dat
+ 2004-08-04 12:00 . 2010-06-24 12:15 102912 c:\windows\system32\occache.dll
- 2004-08-04 12:00 . 2010-03-11 12:38 102912 c:\windows\system32\occache.dll
- 2004-08-04 12:00 . 2010-03-11 12:38 671232 c:\windows\system32\mstime.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 671232 c:\windows\system32\mstime.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 193024 c:\windows\system32\msrating.dll
- 2004-08-04 12:00 . 2010-03-11 12:38 193024 c:\windows\system32\msrating.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 477696 c:\windows\system32\mshtmled.dll
- 2004-08-04 12:00 . 2010-03-11 12:38 477696 c:\windows\system32\mshtmled.dll
+ 2007-08-14 01:54 . 2010-06-24 12:15 459264 c:\windows\system32\msfeeds.dll
- 2007-08-14 01:54 . 2010-03-11 12:38 459264 c:\windows\system32\msfeeds.dll
+ 2009-11-07 08:07 . 2009-11-07 08:07 297808 c:\windows\system32\mscoree.dll
- 2007-08-14 01:34 . 2010-03-11 12:38 268288 c:\windows\system32\iertutil.dll
+ 2007-08-14 01:34 . 2010-06-24 12:15 268288 c:\windows\system32\iertutil.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 192512 c:\windows\system32\iepeers.dll
- 2004-08-04 12:00 . 2010-03-11 12:38 192512 c:\windows\system32\iepeers.dll
- 2004-08-04 12:00 . 2010-03-11 12:38 385024 c:\windows\system32\iedkcs32.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 385024 c:\windows\system32\iedkcs32.dll
- 2007-07-11 19:27 . 2010-03-11 12:38 380928 c:\windows\system32\ieapfltr.dll
+ 2007-07-11 19:27 . 2010-06-24 12:15 380928 c:\windows\system32\ieapfltr.dll
- 2004-08-04 12:00 . 2010-02-23 05:18 161792 c:\windows\system32\ieakui.dll
+ 2004-08-04 12:00 . 2010-06-17 15:11 161792 c:\windows\system32\ieakui.dll
- 2004-08-04 12:00 . 2010-03-11 12:38 230400 c:\windows\system32\ieaksie.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 230400 c:\windows\system32\ieaksie.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 153088 c:\windows\system32\ieakeng.dll
- 2004-08-04 12:00 . 2010-03-11 12:38 153088 c:\windows\system32\ieakeng.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 133120 c:\windows\system32\extmgr.dll
- 2004-08-04 12:00 . 2010-03-11 12:38 133120 c:\windows\system32\extmgr.dll
- 2004-08-04 12:00 . 2010-03-11 12:38 214528 c:\windows\system32\dxtrans.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 214528 c:\windows\system32\dxtrans.dll
- 2004-08-04 12:00 . 2010-03-11 12:38 347136 c:\windows\system32\dxtmsft.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 347136 c:\windows\system32\dxtmsft.dll
- 2004-08-04 12:00 . 2010-03-11 12:38 832512 c:\windows\system32\dllcache\wininet.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 832512 c:\windows\system32\dllcache\wininet.dll
- 2004-08-04 12:00 . 2010-03-11 12:38 233472 c:\windows\system32\dllcache\webcheck.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 233472 c:\windows\system32\dllcache\webcheck.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 105984 c:\windows\system32\dllcache\url.dll
- 2004-08-04 12:00 . 2010-03-11 12:38 105984 c:\windows\system32\dllcache\url.dll
+ 2008-10-14 17:03 . 2010-06-21 15:27 354304 c:\windows\system32\dllcache\srv.sys
+ 2008-12-05 06:54 . 2010-06-30 12:31 149504 c:\windows\system32\dllcache\schannel.dll
- 2004-08-04 12:00 . 2010-03-11 12:38 102912 c:\windows\system32\dllcache\occache.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 102912 c:\windows\system32\dllcache\occache.dll
- 2004-08-04 12:00 . 2010-03-11 12:38 671232 c:\windows\system32\dllcache\mstime.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 671232 c:\windows\system32\dllcache\mstime.dll
- 2004-08-04 12:00 . 2010-03-11 12:38 193024 c:\windows\system32\dllcache\msrating.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 193024 c:\windows\system32\dllcache\msrating.dll
- 2004-08-04 12:00 . 2010-03-11 12:38 477696 c:\windows\system32\dllcache\mshtmled.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 477696 c:\windows\system32\dllcache\mshtmled.dll
- 2008-03-15 23:30 . 2010-03-11 12:38 459264 c:\windows\system32\dllcache\msfeeds.dll
+ 2008-03-15 23:30 . 2010-06-24 12:15 459264 c:\windows\system32\dllcache\msfeeds.dll
+ 2008-03-15 22:18 . 2010-06-17 15:12 634656 c:\windows\system32\dllcache\iexplore.exe
+ 2008-03-15 23:30 . 2010-06-24 12:15 268288 c:\windows\system32\dllcache\iertutil.dll
- 2008-03-15 23:30 . 2010-03-11 12:38 268288 c:\windows\system32\dllcache\iertutil.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 192512 c:\windows\system32\dllcache\iepeers.dll
- 2004-08-04 12:00 . 2010-03-11 12:38 192512 c:\windows\system32\dllcache\iepeers.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 385024 c:\windows\system32\dllcache\iedkcs32.dll
- 2004-08-04 12:00 . 2010-03-11 12:38 385024 c:\windows\system32\dllcache\iedkcs32.dll
+ 2008-03-15 23:30 . 2010-06-24 12:15 380928 c:\windows\system32\dllcache\ieapfltr.dll
- 2008-03-15 23:30 . 2010-03-11 12:38 380928 c:\windows\system32\dllcache\ieapfltr.dll
+ 2004-08-04 12:00 . 2010-06-17 15:11 161792 c:\windows\system32\dllcache\ieakui.dll
- 2004-08-04 12:00 . 2010-02-23 05:18 161792 c:\windows\system32\dllcache\ieakui.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 230400 c:\windows\system32\dllcache\ieaksie.dll
- 2004-08-04 12:00 . 2010-03-11 12:38 230400 c:\windows\system32\dllcache\ieaksie.dll
- 2004-08-04 12:00 . 2010-03-11 12:38 153088 c:\windows\system32\dllcache\ieakeng.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 153088 c:\windows\system32\dllcache\ieakeng.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 133120 c:\windows\system32\dllcache\extmgr.dll
- 2004-08-04 12:00 . 2010-03-11 12:38 133120 c:\windows\system32\dllcache\extmgr.dll
- 2004-08-04 12:00 . 2010-03-11 12:38 214528 c:\windows\system32\dllcache\dxtrans.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 214528 c:\windows\system32\dllcache\dxtrans.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 347136 c:\windows\system32\dllcache\dxtmsft.dll
- 2004-08-04 12:00 . 2010-03-11 12:38 347136 c:\windows\system32\dllcache\dxtmsft.dll
+ 2010-04-20 05:30 . 2010-04-20 05:30 285696 c:\windows\system32\dllcache\atmfd.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 124928 c:\windows\system32\dllcache\advpack.dll
- 2004-08-04 12:00 . 2010-03-11 12:38 124928 c:\windows\system32\dllcache\advpack.dll
- 2004-08-04 12:00 . 2008-04-14 00:09 285696 c:\windows\system32\atmfd.dll
+ 2004-08-04 12:00 . 2010-04-20 05:30 285696 c:\windows\system32\atmfd.dll
- 2004-08-04 12:00 . 2010-03-11 12:38 124928 c:\windows\system32\advpack.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 124928 c:\windows\system32\advpack.dll
+ 2010-03-31 07:16 . 2010-03-31 07:16 130408 c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationHostDLL.dll
+ 2010-04-08 06:48 . 2010-04-08 06:48 970752 c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\System.Runtime.Serialization.dll
+ 2010-04-08 06:48 . 2010-04-08 06:48 110592 c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMdiagnostics.dll
- 2008-07-30 02:16 . 2008-07-30 02:16 110592 c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMdiagnostics.dll
+ 2010-03-23 12:31 . 2010-03-23 12:31 435024 c:\windows\Microsoft.NET\Framework\v2.0.50727\webengine.dll
- 2008-07-25 18:17 . 2008-07-25 18:17 258048 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Security.dll
+ 2010-02-09 19:22 . 2010-02-09 19:22 258048 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Security.dll
+ 2010-05-11 13:40 . 2010-05-11 13:40 388936 c:\windows\Microsoft.NET\Framework\v2.0.50727\SOS.dll
- 2009-08-08 06:51 . 2009-08-08 06:51 989016 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscordacwks.dll
+ 2010-05-11 13:40 . 2010-05-11 13:40 989016 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscordacwks.dll
+ 2010-02-25 07:14 . 2010-02-25 07:14 543232 c:\windows\Installer\6fb35.msp
+ 2010-08-22 22:05 . 2010-03-11 12:38 832512 c:\windows\ie7updates\KB2183461-IE7\wininet.dll
+ 2010-08-22 22:05 . 2010-03-11 12:38 233472 c:\windows\ie7updates\KB2183461-IE7\webcheck.dll
+ 2010-08-22 22:05 . 2010-03-11 12:38 105984 c:\windows\ie7updates\KB2183461-IE7\url.dll
+ 2010-08-22 22:05 . 2010-02-22 14:23 382840 c:\windows\ie7updates\KB2183461-IE7\spuninst\updspapi.dll
+ 2010-08-22 22:05 . 2010-02-22 14:23 231288 c:\windows\ie7updates\KB2183461-IE7\spuninst\spuninst.exe
+ 2010-08-22 22:05 . 2010-03-11 12:38 102912 c:\windows\ie7updates\KB2183461-IE7\occache.dll
+ 2010-08-22 22:05 . 2010-03-11 12:38 671232 c:\windows\ie7updates\KB2183461-IE7\mstime.dll
+ 2010-08-22 22:05 . 2010-03-11 12:38 193024 c:\windows\ie7updates\KB2183461-IE7\msrating.dll
+ 2010-08-22 22:05 . 2010-03-11 12:38 477696 c:\windows\ie7updates\KB2183461-IE7\mshtmled.dll
+ 2010-08-22 22:05 . 2010-03-11 12:38 459264 c:\windows\ie7updates\KB2183461-IE7\msfeeds.dll
+ 2010-08-22 22:05 . 2010-02-23 05:20 634648 c:\windows\ie7updates\KB2183461-IE7\iexplore.exe
+ 2010-08-22 22:05 . 2010-03-11 12:38 268288 c:\windows\ie7updates\KB2183461-IE7\iertutil.dll
+ 2010-08-22 22:05 . 2010-03-11 12:38 192512 c:\windows\ie7updates\KB2183461-IE7\iepeers.dll
+ 2010-08-22 22:05 . 2010-03-11 12:38 385024 c:\windows\ie7updates\KB2183461-IE7\iedkcs32.dll
+ 2010-08-22 22:05 . 2010-03-11 12:38 380928 c:\windows\ie7updates\KB2183461-IE7\ieapfltr.dll
+ 2010-08-22 22:05 . 2010-02-23 05:18 161792 c:\windows\ie7updates\KB2183461-IE7\ieakui.dll
+ 2010-08-22 22:05 . 2010-03-11 12:38 230400 c:\windows\ie7updates\KB2183461-IE7\ieaksie.dll
+ 2010-08-22 22:05 . 2010-03-11 12:38 153088 c:\windows\ie7updates\KB2183461-IE7\ieakeng.dll
+ 2010-08-22 22:05 . 2010-03-11 12:38 133120 c:\windows\ie7updates\KB2183461-IE7\extmgr.dll
+ 2010-08-22 22:05 . 2010-03-11 12:38 214528 c:\windows\ie7updates\KB2183461-IE7\dxtrans.dll
+ 2010-08-22 22:05 . 2010-03-11 12:38 347136 c:\windows\ie7updates\KB2183461-IE7\dxtmsft.dll
+ 2010-08-22 22:05 . 2010-03-11 12:38 124928 c:\windows\ie7updates\KB2183461-IE7\advpack.dll
+ 2010-08-22 23:19 . 2010-08-22 23:19 321536 c:\windows\assembly\NativeImages_v2.0.50727_32\WsatConfig\a16b8bcca59515281688ec856c034698\WsatConfig.ni.exe
+ 2010-08-22 23:08 . 2010-08-22 23:08 240128 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsFormsIntegra#\672c4d8e3c33e309c1ed90fa4cb85aba\WindowsFormsIntegration.ni.dll
+ 2010-08-22 23:08 . 2010-08-22 23:08 187904 c:\windows\assembly\NativeImages_v2.0.50727_32\UIAutomationTypes\cd91a32f4e36ccb2981c72c0d333e928\UIAutomationTypes.ni.dll
+ 2010-08-22 23:08 . 2010-08-22 23:08 447488 c:\windows\assembly\NativeImages_v2.0.50727_32\UIAutomationClient\9df760fdf8071c7b0de78f39de365e6a\UIAutomationClient.ni.dll
+ 2010-08-22 23:20 . 2010-08-22 23:20 400896 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Xml.Linq\ff53d5b5249a2841ee196294429f51cf\System.Xml.Linq.ni.dll
+ 2010-08-22 23:20 . 2010-08-22 23:20 129536 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Routing\5e16c279496a553c988c6199f0cee8aa\System.Web.Routing.ni.dll
+ 2010-08-22 23:20 . 2010-08-22 23:20 202240 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.RegularE#\d0ae809162b55e2fa958739177476af8\System.Web.RegularExpressions.ni.dll
+ 2010-08-22 23:20 . 2010-08-22 23:20 859648 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Extensio#\720b28d81e987b889180b291ea19b821\System.Web.Extensions.Design.ni.dll
+ 2010-08-22 23:20 . 2010-08-22 23:20 328704 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Entity\da36fd678161cd3444ef547c894e3f35\System.Web.Entity.ni.dll
+ 2010-08-22 23:20 . 2010-08-22 23:20 301056 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Entity.D#\49ae7c73fac8827123d5db1714c22599\System.Web.Entity.Design.ni.dll
+ 2010-08-22 23:20 . 2010-08-22 23:20 547328 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.DynamicD#\ce3aa27d3c4c052845ac5abb1374defa\System.Web.DynamicData.ni.dll
+ 2010-08-22 23:20 . 2010-08-22 23:20 141312 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Abstract#\95fab896ef2af14876e3e1524379773b\System.Web.Abstractions.ni.dll
+ 2010-08-22 23:20 . 2010-08-22 23:20 627200 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Transactions\26d5bf1f7e700c2c19aa9b1da5519b24\System.Transactions.ni.dll
+ 2010-08-22 23:20 . 2010-08-22 23:20 212992 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\8b000cc703c9d95593b516bf2c2ec316\System.ServiceProcess.ni.dll
+ 2010-08-22 23:19 . 2010-08-22 23:19 679936 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Security\75e331a5d731d8e207be07adc06dec23\System.Security.ni.dll
+ 2010-08-22 23:20 . 2010-08-22 23:20 311296 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Seri#\dd7497aa089340600c8c5af8ab421ff7\System.Runtime.Serialization.Formatters.Soap.ni.dll
+ 2010-08-22 23:20 . 2010-08-22 23:20 621056 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Net\2a080994f308f347b0497bb8804861cf\System.Net.ni.dll
+ 2010-08-22 23:20 . 2010-08-22 23:20 998400 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Management\bc1cf48ba7dc00f45d0e949c49ab677a\System.Management.ni.dll
+ 2010-08-22 23:20 . 2010-08-22 23:20 330752 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Management.I#\904fda53006680a67f917ab638be0305\System.Management.Instrumentation.ni.dll
+ 2010-08-22 23:18 . 2010-08-22 23:18 381440 c:\windows\assembly\NativeImages_v2.0.50727_32\System.IO.Log\4490976887e2e5a3b594041edbdf5064\System.IO.Log.ni.dll
+ 2010-08-22 23:19 . 2010-08-22 23:19 212992 c:\windows\assembly\NativeImages_v2.0.50727_32\System.IdentityMode#\77b9f6f6671aaaeb84c6907d467e792c\System.IdentityModel.Selectors.ni.dll
+ 2010-08-22 23:20 . 2010-08-22 23:20 280064 c:\windows\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\15724a7517f939c9b300f341fb5620b8\System.EnterpriseServices.Wrapper.dll
+ 2010-08-22 23:20 . 2010-08-22 23:20 627712 c:\windows\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\15724a7517f939c9b300f341fb5620b8\System.EnterpriseServices.ni.dll
+ 2010-08-22 22:06 . 2010-08-22 22:06 208384 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Drawing.Desi#\90199b4aa63b1b9c8ed0c3de16eec824\System.Drawing.Design.ni.dll
+ 2010-08-22 23:20 . 2010-08-22 23:20 881152 c:\windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\849e98c9f428a12cb581320a23f69dbd\System.DirectoryServices.AccountManagement.ni.dll
+ 2010-08-22 23:20 . 2010-08-22 23:20 455680 c:\windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\7a823a4f61cf8c86aad02559f8fed07b\System.DirectoryServices.Protocols.ni.dll
+ 2010-08-22 23:20 . 2010-08-22 23:20 354816 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Service#\ad95820d2e29e8d55c0d8a838214c6e5\System.Data.Services.Design.ni.dll
+ 2010-08-22 23:20 . 2010-08-22 23:20 939008 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Service#\617acb0d900bdde947ec79f7b5ccc183\System.Data.Services.Client.ni.dll
+ 2010-08-22 23:20 . 2010-08-22 23:20 756736 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Entity.#\488c4017d45e861644a34fae557aa80f\System.Data.Entity.Design.ni.dll
+ 2010-08-22 23:19 . 2010-08-22 23:19 135680 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.DataSet#\41345e34f26854fc1878eae3e4d5d4a5\System.Data.DataSetExtensions.ni.dll
+ 2010-08-22 23:19 . 2010-08-22 23:19 971264 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\ab688d0f9f333ba117832726bfb589c1\System.Configuration.ni.dll
+ 2010-08-22 23:20 . 2010-08-22 23:20 141312 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Configuratio#\b48677ab9aa7a6830785f67b8478b4da\System.Configuration.Install.ni.dll
+ 2010-08-22 23:19 . 2010-08-22 23:19 633856 c:\windows\assembly\NativeImages_v2.0.50727_32\System.AddIn\93a0958d5557e2b380647af0171ad354\System.AddIn.ni.dll
+ 2010-08-22 23:19 . 2010-08-22 23:19 366080 c:\windows\assembly\NativeImages_v2.0.50727_32\SMSvcHost\d0758f84e927e3f0a15a6cde1b96d835\SMSvcHost.ni.exe
+ 2010-08-22 23:19 . 2010-08-22 23:19 256000 c:\windows\assembly\NativeImages_v2.0.50727_32\SMDiagnostics\8043a108e3bb2d3dcc84b547b8085e99\SMDiagnostics.ni.dll
+ 2010-08-22 23:19 . 2010-08-22 23:19 320512 c:\windows\assembly\NativeImages_v2.0.50727_32\ServiceModelReg\5aeb40ff7128df2881fb03c01d070b20\ServiceModelReg.ni.exe
+ 2010-08-22 22:05 . 2010-08-22 22:05 368128 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\e7e7321956e6822b1bf3691c35c842f6\PresentationFramework.Aero.ni.dll
+ 2010-08-22 22:05 . 2010-08-22 22:05 258048 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\a14488afff027f0f2985e659449097f5\PresentationFramework.Royale.ni.dll
+ 2010-08-22 22:05 . 2010-08-22 22:05 224768 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\787e60c5dd562cb45887080095d2a3b7\PresentationFramework.Classic.ni.dll
+ 2010-08-22 22:05 . 2010-08-22 22:05 539648 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\2313ccc125dcb6a9800048ec1c51ec12\PresentationFramework.Luna.ni.dll
+ 2010-08-22 23:19 . 2010-08-22 23:19 133632 c:\windows\assembly\NativeImages_v2.0.50727_32\MSBuild\5db9c32d9f352162e6da220ca463db0d\MSBuild.ni.exe
+ 2010-08-22 23:19 . 2010-08-22 23:19 386560 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Transacti#\fcf975f74bd134d8e0fa8f37c5bc6a8c\Microsoft.Transactions.Bridge.Dtc.ni.dll
+ 2010-08-22 23:19 . 2010-08-22 23:19 144384 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Uti#\d6b9038136600fbfbbbd7460dc19da19\Microsoft.Build.Utilities.ni.dll
+ 2010-08-22 23:19 . 2010-08-22 23:19 175104 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Uti#\585cc7218599e7806521d0e737ba5ffb\Microsoft.Build.Utilities.v3.5.ni.dll
+ 2010-08-22 23:19 . 2010-08-22 23:19 839680 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Eng#\3057ec53731286e69e389d103c32fa41\Microsoft.Build.Engine.ni.dll
+ 2010-08-22 23:19 . 2010-08-22 23:19 222720 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Con#\914e338ac6e92714f3e32ae5d89bf03b\Microsoft.Build.Conversion.v3.5.ni.dll
+ 2010-08-22 23:19 . 2010-08-22 23:19 220672 c:\windows\assembly\NativeImages_v2.0.50727_32\CustomMarshalers\12ae6f3635448471fc9f7d8bfe39c67d\CustomMarshalers.ni.dll
+ 2010-08-22 23:19 . 2010-08-22 23:19 410112 c:\windows\assembly\NativeImages_v2.0.50727_32\ComSvcConfig\daca3c9ad6d867d3fec70d14b4f20cf3\ComSvcConfig.ni.exe
+ 2010-08-22 23:19 . 2010-08-22 23:19 842240 c:\windows\assembly\NativeImages_v2.0.50727_32\AspNetMMCExt\56aec0938ef1bbdeca65b07a5fe8cd39\AspNetMMCExt.ni.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 839680 c:\windows\assembly\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\System.Web.Services.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 839680 c:\windows\assembly\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\System.Web.Services.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 835584 c:\windows\assembly\GAC_MSIL\System.Web.Mobile\2.0.0.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 835584 c:\windows\assembly\GAC_MSIL\System.Web.Mobile\2.0.0.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 114688 c:\windows\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 114688 c:\windows\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 258048 c:\windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 258048 c:\windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll
+ 2010-08-22 21:59 . 2010-08-22 21:59 970752 c:\windows\assembly\GAC_MSIL\System.Runtime.Serialization\3.0.0.0__b77a5c561934e089\System.Runtime.Serialization.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 131072 c:\windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 131072 c:\windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 303104 c:\windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 303104 c:\windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 258048 c:\windows\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 258048 c:\windows\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 372736 c:\windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 372736 c:\windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
+ 2010-08-22 21:59 . 2010-08-22 21:59 438272 c:\windows\assembly\GAC_MSIL\System.IdentityModel\3.0.0.0__b77a5c561934e089\System.IdentityModel.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 626688 c:\windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 626688 c:\windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 401408 c:\windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 401408 c:\windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 188416 c:\windows\assembly\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 188416 c:\windows\assembly\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 970752 c:\windows\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 970752 c:\windows\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 745472 c:\windows\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 745472 c:\windows\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 425984 c:\windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 425984 c:\windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 110592 c:\windows\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 110592 c:\windows\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll
- 2009-08-08 22:37 . 2009-08-08 22:37 110592 c:\windows\assembly\GAC_MSIL\SMDiagnostics\3.0.0.0__b77a5c561934e089\SMdiagnostics.dll
+ 2010-08-22 21:59 . 2010-08-22 21:59 110592 c:\windows\assembly\GAC_MSIL\SMDiagnostics\3.0.0.0__b77a5c561934e089\SMdiagnostics.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 659456 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 659456 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 372736 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 372736 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 110592 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 110592 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 749568 c:\windows\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 749568 c:\windows\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 655360 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 655360 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 348160 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 348160 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 507904 c:\windows\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 507904 c:\windows\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 261632 c:\windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 261632 c:\windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 113664 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 113664 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 258048 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 258048 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 486400 c:\windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 486400 c:\windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll
+ 2004-08-04 12:00 . 2010-04-06 11:52 2462720 c:\windows\system32\WMVCore.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 1168384 c:\windows\system32\urlmon.dll
- 2004-08-04 12:00 . 2010-03-11 12:38 1168384 c:\windows\system32\urlmon.dll
+ 2004-08-04 12:00 . 2010-07-27 06:30 8462336 c:\windows\system32\shell32.dll
+ 2004-08-04 12:00 . 2010-02-05 18:27 1291776 c:\windows\system32\quartz.dll
- 2004-08-04 12:00 . 2009-11-27 17:11 1291776 c:\windows\system32\quartz.dll
+ 2004-08-04 12:00 . 2010-04-27 13:59 2146304 c:\windows\system32\ntoskrnl.exe
- 2004-08-04 12:00 . 2010-02-16 14:08 2146304 c:\windows\system32\ntoskrnl.exe
- 2004-08-03 22:59 . 2010-02-16 13:25 2024448 c:\windows\system32\ntkrnlpa.exe
+ 2004-08-03 22:59 . 2010-04-27 13:05 2024448 c:\windows\system32\ntkrnlpa.exe
+ 2004-08-04 12:00 . 2010-06-24 12:15 3600896 c:\windows\system32\mshtml.dll
- 2007-08-14 01:54 . 2010-03-11 12:38 6067200 c:\windows\system32\ieframe.dll
+ 2007-08-14 01:54 . 2010-06-24 12:15 6067200 c:\windows\system32\ieframe.dll
+ 2004-08-04 12:00 . 2010-04-06 11:52 2462720 c:\windows\system32\dllcache\WMVCore.dll
+ 2008-10-14 17:03 . 2010-06-23 13:44 1851904 c:\windows\system32\dllcache\win32k.sys
+ 2004-08-04 12:00 . 2010-06-24 12:15 1168384 c:\windows\system32\dllcache\urlmon.dll
- 2004-08-04 12:00 . 2010-03-11 12:38 1168384 c:\windows\system32\dllcache\urlmon.dll
+ 2008-06-17 19:02 . 2010-07-27 06:30 8462336 c:\windows\system32\dllcache\shell32.dll
- 2008-05-07 05:12 . 2009-11-27 17:11 1291776 c:\windows\system32\dllcache\quartz.dll
+ 2008-05-07 05:12 . 2010-02-05 18:27 1291776 c:\windows\system32\dllcache\quartz.dll
+ 2008-10-14 17:03 . 2010-04-28 02:25 2189952 c:\windows\system32\dllcache\ntoskrnl.exe
- 2008-10-14 17:03 . 2010-02-17 16:10 2189952 c:\windows\system32\dllcache\ntoskrnl.exe
- 2008-10-14 17:03 . 2010-02-16 13:25 2024448 c:\windows\system32\dllcache\ntkrpamp.exe
+ 2008-10-14 17:03 . 2010-04-27 13:05 2024448 c:\windows\system32\dllcache\ntkrpamp.exe
- 2008-10-14 17:03 . 2010-02-16 13:25 2066816 c:\windows\system32\dllcache\ntkrnlpa.exe
+ 2008-10-14 17:03 . 2010-04-27 13:05 2066816 c:\windows\system32\dllcache\ntkrnlpa.exe
+ 2008-10-14 17:03 . 2010-04-27 13:59 2146304 c:\windows\system32\dllcache\ntkrnlmp.exe
- 2008-10-14 17:03 . 2010-02-16 14:08 2146304 c:\windows\system32\dllcache\ntkrnlmp.exe
- 2008-11-12 05:19 . 2009-07-31 04:35 1172480 c:\windows\system32\dllcache\msxml3.dll
+ 2008-11-12 05:19 . 2010-06-14 07:41 1172480 c:\windows\system32\dllcache\msxml3.dll
+ 2004-08-04 12:00 . 2010-06-24 12:15 3600896 c:\windows\system32\dllcache\mshtml.dll
+ 2010-03-11 00:13 . 2010-06-18 13:36 3558912 c:\windows\system32\dllcache\moviemk.exe
- 2010-03-11 00:13 . 2009-10-23 15:28 3558912 c:\windows\system32\dllcache\moviemk.exe
- 2008-03-15 23:30 . 2010-03-11 12:38 6067200 c:\windows\system32\dllcache\ieframe.dll
+ 2008-03-15 23:30 . 2010-06-24 12:15 6067200 c:\windows\system32\dllcache\ieframe.dll
+ 2009-11-07 08:06 . 2009-11-07 08:06 1130824 c:\windows\system32\dfshim.dll
+ 2010-04-08 06:48 . 2010-04-08 06:48 5967872 c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\System.ServiceModel.dll
- 2008-11-25 11:59 . 2008-11-25 11:59 5242880 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Web.dll
+ 2010-03-23 12:32 . 2010-03-23 12:32 5242880 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Web.dll
+ 2010-03-23 12:32 . 2010-03-23 12:32 3182592 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.dll
+ 2010-05-11 13:40 . 2010-05-11 13:40 5812560 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
- 2009-08-08 06:51 . 2009-08-08 06:51 5812560 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
+ 2010-05-11 13:40 . 2010-05-11 13:40 4550656 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorlib.dll
+ 2009-11-09 07:25 . 2009-11-09 07:25 1935360 c:\windows\Installer\6fb87.msp
+ 2010-04-12 05:17 . 2010-04-12 05:17 2607104 c:\windows\Installer\6fb46.msp
+ 2010-04-12 05:17 . 2010-04-12 05:17 4210688 c:\windows\Installer\6fb45.msp
+ 2010-08-22 22:05 . 2010-03-11 12:38 1168384 c:\windows\ie7updates\KB2183461-IE7\urlmon.dll
+ 2010-08-22 22:05 . 2010-03-11 12:38 3599872 c:\windows\ie7updates\KB2183461-IE7\mshtml.dll
+ 2010-08-22 22:05 . 2010-03-11 12:38 6067200 c:\windows\ie7updates\KB2183461-IE7\ieframe.dll
+ 2008-10-14 17:03 . 2010-04-28 02:25 2189952 c:\windows\Driver Cache\i386\ntoskrnl.exe
- 2008-10-14 17:03 . 2010-02-17 16:10 2189952 c:\windows\Driver Cache\i386\ntoskrnl.exe
- 2008-10-14 17:03 . 2010-02-16 13:25 2024448 c:\windows\Driver Cache\i386\ntkrpamp.exe
+ 2008-10-14 17:03 . 2010-04-27 13:05 2024448 c:\windows\Driver Cache\i386\ntkrpamp.exe
+ 2008-10-14 17:03 . 2010-04-27 13:05 2066816 c:\windows\Driver Cache\i386\ntkrnlpa.exe
- 2008-10-14 17:03 . 2010-02-16 13:25 2066816 c:\windows\Driver Cache\i386\ntkrnlpa.exe
- 2008-10-14 17:03 . 2010-02-16 14:08 2146304 c:\windows\Driver Cache\i386\ntkrnlmp.exe
+ 2008-10-14 17:03 . 2010-04-27 13:59 2146304 c:\windows\Driver Cache\i386\ntkrnlmp.exe
+ 2009-08-08 22:37 . 2009-08-08 22:37 1245184 c:\windows\assembly\temp\KBAZYNMR6F\WindowsBase.dll
+ 2009-08-08 22:40 . 2009-08-08 22:40 5283840 c:\windows\assembly\temp\ITSHG5IB0T\PresentationFramework.dll
+ 2009-08-08 22:37 . 2009-08-08 22:37 4210688 c:\windows\assembly\temp\GJ6ZSHG5YN\PresentationCore.dll
+ 2010-08-22 22:05 . 2010-08-22 22:05 3325440 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsBase\cec7ecb8eac09dd630d180ce87d23b80\WindowsBase.ni.dll
+ 2010-08-22 22:03 . 2010-08-22 22:03 3313664 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsBase\3b743d968b43ce8025fccd58c251e4c4\WindowsBase.ni.dll
+ 2010-08-22 23:08 . 2010-08-22 23:08 1049600 c:\windows\assembly\NativeImages_v2.0.50727_32\UIAutomationClients#\b7f6e7b265f9aae807ddc4284563e550\UIAutomationClientsideProviders.ni.dll
+ 2010-08-22 21:58 . 2010-08-22 21:58 1595392 c:\windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP103.tmp\PresentationUI.dll
+ 2010-08-22 22:03 . 2010-08-22 22:03 7949824 c:\windows\assembly\NativeImages_v2.0.50727_32\System\08ffa4d388d5f007869aa7651c458e7c\System.ni.dll
+ 2010-08-22 23:08 . 2010-08-22 23:08 5450752 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Xml\a6dbe24cbfe3ab6b318ed3095cc572d8\System.Xml.ni.dll
+ 2010-08-22 23:20 . 2010-08-22 23:20 1356288 c:\windows\assembly\NativeImages_v2.0.50727_32\System.WorkflowServ#\60b3c9a63b2065a6952d16256545c25d\System.WorkflowServices.ni.dll
+ 2010-08-22 23:20 . 2010-08-22 23:20 1908224 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Run#\5cc2a23ce8ac371c7a97b5e542ee27ed\System.Workflow.Runtime.ni.dll
+ 2010-08-22 23:20 . 2010-08-22 23:20 4514304 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Com#\c0aabf67e7ef98dc10c3e174c136731b\System.Workflow.ComponentModel.ni.dll
+ 2010-08-22 23:20 . 2010-08-22 23:20 2992640 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Act#\66682c8a064608ba4ffd0463cf09aef9\System.Workflow.Activities.ni.dll
+ 2010-08-22 23:20 . 2010-08-22 23:20 1840640 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Services\2d662564b8d9c57a34c588cc2970902b\System.Web.Services.ni.dll
+ 2010-08-22 23:20 . 2010-08-22 23:20 2209280 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Mobile\9b455702c9b7b02c5708406f87986751\System.Web.Mobile.ni.dll
+ 2010-08-22 23:20 . 2010-08-22 23:20 2403328 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Extensio#\49c7a1c78ed9502ba97c11e6bd993f63\System.Web.Extensions.ni.dll
+ 2010-08-22 23:08 . 2010-08-22 23:08 1917952 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Speech\5eb08849d17b272ed2a393420cb0305b\System.Speech.ni.dll
+ 2010-08-22 23:20 . 2010-08-22 23:20 1706496 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceModel#\f5790a1b7b41e7b8d05f01b549c80f39\System.ServiceModel.Web.ni.dll
+ 2010-08-22 23:18 . 2010-08-22 23:18 2345472 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Seri#\8061a0f5c1c2ee0549e19224352f67fa\System.Runtime.Serialization.ni.dll
+ 2010-08-22 23:08 . 2010-08-22 23:08 1035776 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Printing\99767d4df92b83fdfb06012512722ec1\System.Printing.ni.dll
+ 2010-08-22 23:18 . 2010-08-22 23:18 1070080 c:\windows\assembly\NativeImages_v2.0.50727_32\System.IdentityModel\0885f31c21b796465fde6297dba20981\System.IdentityModel.ni.dll
+ 2010-08-22 22:06 . 2010-08-22 22:06 1587200 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\dcc0244092fe52e6885b50be25ef3b31\System.Drawing.ni.dll
+ 2010-08-22 23:20 . 2010-08-22 23:20 1116672 c:\windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\d20b7e58607ddb1ded9b687627ae8c21\System.DirectoryServices.ni.dll
+ 2010-08-22 23:20 . 2010-08-22 23:20 1801216 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Deployment\daa33674d4250e38a24b70180d209ac8\System.Deployment.ni.dll
+ 2010-08-22 22:05 . 2010-08-22 22:05 6616576 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data\f04ef00e652a8655a717639e8aeb7b63\System.Data.ni.dll
+ 2010-08-22 23:19 . 2010-08-22 23:19 2510336 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.SqlXml\f0470c2be4e6bb1dadbeed43e4e8af5c\System.Data.SqlXml.ni.dll
+ 2010-08-22 23:20 . 2010-08-22 23:20 1328128 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Services\23cf0498f2ebe4c8ffa5cc79efca2dc5\System.Data.Services.ni.dll
+ 2010-08-22 22:05 . 2010-08-22 22:05 2516480 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Linq\c18c236a09e715138daec2e25be205bb\System.Data.Linq.ni.dll
+ 2010-08-22 23:20 . 2010-08-22 23:20 9924096 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Entity\6ce886492d9b6a34555be3f328682ec2\System.Data.Entity.ni.dll
+ 2010-08-22 22:05 . 2010-08-22 22:05 2295296 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Core\faeda674832135a080bc73eda51813ff\System.Core.ni.dll
+ 2010-08-22 22:05 . 2010-08-22 22:05 2128896 c:\windows\assembly\NativeImages_v2.0.50727_32\ReachFramework\3e85c3d63ce3c3f37061aa626feb2a52\ReachFramework.ni.dll
+ 2010-08-22 22:05 . 2010-08-22 22:05 1657856 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationUI\bf67db30179ff6e8cb1bdbaa290d122e\PresentationUI.ni.dll
+ 2010-08-22 22:03 . 2010-08-22 22:03 1451008 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationBuildTa#\835786d8a0caabae09ad440f6e3abfc6\PresentationBuildTasks.ni.dll
+ 2010-08-22 23:19 . 2010-08-22 23:19 1712128 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\9732a7c993055f82040642966db07ccf\Microsoft.VisualBasic.ni.dll
+ 2010-08-22 23:19 . 2010-08-22 23:19 1093120 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Transacti#\773d7bf69a9a0c0556aa41f53e75ab05\Microsoft.Transactions.Bridge.ni.dll
+ 2010-08-22 23:20 . 2010-08-22 23:20 2332160 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.JScript\16ff33f07efdb9da2a18e27585c604be\Microsoft.JScript.ni.dll
+ 2010-08-22 23:19 . 2010-08-22 23:19 1620992 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Tas#\d0fb91b296616a1a844bf265947018ee\Microsoft.Build.Tasks.ni.dll
+ 2010-08-22 23:19 . 2010-08-22 23:19 1966080 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Tas#\892e993c8df1c75081113131dc429c15\Microsoft.Build.Tasks.v3.5.ni.dll
+ 2010-08-22 23:19 . 2010-08-22 23:19 1888768 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Eng#\d0beebd2c9045158cdcd4bd5987b717b\Microsoft.Build.Engine.ni.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 1249280 c:\windows\assembly\GAC_MSIL\WindowsBase\3.0.0.0__31bf3856ad364e35\WindowsBase.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 3182592 c:\windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 2048000 c:\windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 2048000 c:\windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 5025792 c:\windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 5025792 c:\windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
+ 2010-08-22 21:59 . 2010-08-22 21:59 5967872 c:\windows\assembly\GAC_MSIL\System.ServiceModel\3.0.0.0__b77a5c561934e089\System.ServiceModel.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 5062656 c:\windows\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 5062656 c:\windows\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 5279744 c:\windows\assembly\GAC_MSIL\PresentationFramework\3.0.0.0__31bf3856ad364e35\PresentationFramework.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 5242880 c:\windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 5242880 c:\windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
- 2009-10-16 10:03 . 2009-10-16 10:03 2933248 c:\windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 2933248 c:\windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
- 2009-08-08 22:37 . 2009-08-08 22:37 4210688 c:\windows\assembly\GAC_32\PresentationCore\3.0.0.0__31bf3856ad364e35\PresentationCore.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 4210688 c:\windows\assembly\GAC_32\PresentationCore\3.0.0.0__31bf3856ad364e35\PresentationCore.dll
+ 2010-08-22 22:04 . 2010-08-22 22:04 4550656 c:\windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
+ 2008-03-15 23:29 . 2010-08-03 18:09 35962312 c:\windows\system32\MRT.exe
+ 2010-03-31 08:23 . 2010-03-31 08:23 15638528 c:\windows\Installer\6fb98.msp
+ 2010-05-19 20:08 . 2010-05-19 20:08 11408896 c:\windows\Installer\6fb68.msp
+ 2010-04-12 05:17 . 2010-04-12 05:17 14599680 c:\windows\Installer\6fb59.msp
+ 2010-08-22 23:08 . 2010-08-22 23:08 12430848 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\439c466b60614915587c5273eaf0ca7f\System.Windows.Forms.ni.dll
+ 2010-08-22 23:20 . 2010-08-22 23:20 11798016 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web\411a627d6f5cb83509332253406988e5\System.Web.ni.dll
+ 2010-08-22 23:19 . 2010-08-22 23:19 17403904 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceModel\f523a69e7c93ee4f245c996eac4b3a57\System.ServiceModel.ni.dll
+ 2010-08-22 22:06 . 2010-08-22 22:06 10683392 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Design\b307acf63075b997d02a97a7492d0d9c\System.Design.ni.dll
+ 2010-08-22 22:05 . 2010-08-22 22:05 14328320 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\a632f3ef85ffd35341b383eed577cb93\PresentationFramework.ni.dll
+ 2010-08-22 22:05 . 2010-08-22 22:05 12215808 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationCore\f00db8db51f5707c7fe52c0683dc6136\PresentationCore.ni.dll
+ 2010-08-22 22:03 . 2010-08-22 22:03 12216320 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationCore\a6d35f1f179b6bc42bf2b3c4506fbb03\PresentationCore.ni.dll
+ 2010-08-22 22:03 . 2010-08-22 22:03 11490816 c:\windows\assembly\NativeImages_v2.0.50727_32\mscorlib\7bffd7ff2009f421fe5d229927588496\mscorlib.ni.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 868352]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2007-03-21 1953792]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UdaterUI.exe" [2006-11-17 136768]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2006-11-30 112216]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-19 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
ASUS WiFi-AP Solo.lnk - c:\program files\ASUS WiFi-AP Solo\RtWLan.exe [2008-3-15 987136]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-7-18 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 09:42 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

S3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [3/15/2008 3:43 PM 176128]
.
Contents of the 'Scheduled Tasks' folder

2010-08-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:34]
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\documents and settings\Media\Application Data\Mozilla\Firefox\Profiles\1hx4ckko.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Google
FF - user.js: browser.search.order.1 - Google
FF - user.js: keyword.URL - [You must be registered and logged in to see this link.]
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-08-26 19:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(596)
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(4052)
c:\windows\system32\WININET.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-08-26 19:18:21
ComboFix-quarantined-files.txt 2010-08-27 02:18
ComboFix2.txt 2010-08-24 01:51
ComboFix3.txt 2010-08-22 21:51
ComboFix4.txt 2010-08-21 15:55
ComboFix5.txt 2010-08-27 02:13

Pre-Run: 587,481,444,352 bytes free
Post-Run: 587,463,733,248 bytes free

- - End Of File - - EC076E5351E0D29E5A288A38955F07FE


Re: Banker Fox and Win32/Nuqel need help

Post by Dr Jay on 27th August 2010, 8:05 pm

Please download MBRCheck.exe by a_d_13 from one of the links provided below and save it to your desktop.

  • Double-click on MBRCheck.exe to run it.
  • It will open a black window...please do not fix anything (if it gives you an option).
  • When complete, you should see Done! Press ENTER to exit.... Press Enter on the keyboard.
  • A log named MBRCheck_date_time.txt (i.e. MBRCheck_07.21.10_10.22.51.txt) will appear on the desktop.
  • Please copy and paste the contents of that log in your next reply.


==================================

ESET Online Scan

Please run a free online scan with the [You must be registered and logged in to see this link.]
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic


Dr. Jay (DJ)


Dr Jay
Head Administrator

Posts : 14309
Joined : 2009-09-06
Gender : Male
OS : Windows 10 Home & Pro
Arch. : x64 (64-bit)
Protection : Bitdefender Total Security
Points : 302960
# Likes : 10

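What the MBRCheck step above actually does, as an added example that is not part of Dr Jay's instructions or of MBRCheck's own code: read a 512-byte master boot record, verify the 0x55AA signature, parse the four partition entries, hash the boot-code area and look the hash up in an allow-list of known loaders. Assumptions made here: the hash covers the first 440 bytes of the sector (MBRCheck's exact hashed range is not stated on this page), the two sample sectors are constructed in the script rather than read from a disk, and the allow-list hash is computed from the constructed stock loader, not taken from the SHA1 values in the log. The constructed partition starts at LBA 63, which is the 0x7E00 byte offset MBRCheck reports for every volume on this machine.

```python
"""MBR parse / boot-code hash check in the style of MBRCheck (added example)."""
import hashlib
import struct
from dataclasses import dataclass
from typing import Dict, List

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440      # assumption: hash bytes 0..439 (boot code, before disk signature)
PART_TABLE_OFF = 446     # four 16-byte partition entries follow the boot code
BOOT_SIGNATURE = b"\x55\xaa"


@dataclass
class Partition:
    index: int
    bootable: bool
    ptype: int
    lba_start: int
    sector_count: int

    @property
    def byte_offset(self) -> int:
        # Byte offset of the volume on the physical disk; MBRCheck prints this
        # as "\\.\C: --> \\.\PhysicalDrive0 at offset 0x...".
        return self.lba_start * SECTOR_SIZE


def parse_partitions(sector: bytes) -> List[Partition]:
    """Return the non-empty entries of the MBR partition table."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"MBR must be {SECTOR_SIZE} bytes, got {len(sector)}")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4), little-endian
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0 and count == 0:
            continue
        parts.append(Partition(i, status == 0x80, ptype, lba_start, count))
    return parts


def boot_code_sha1(sector: bytes) -> str:
    """SHA-1 of the boot-code region, upper-case hex like MBRCheck's output."""
    return hashlib.sha1(sector[:BOOT_CODE_LEN]).hexdigest().upper()


def classify_mbr(sector: bytes, known: Dict[str, str]) -> str:
    """Look the boot-code hash up in an allow-list of known loaders.

    Anything not listed is only "unknown": a clean but unusual loader (OEM,
    GRUB, another Windows release) and a bootkit both land here, so an unknown
    hash is a prompt to dump and inspect the sector, not proof of infection.
    """
    return known.get(boot_code_sha1(sector), "Unknown MBR code")


def build_sector(boot_code: bytes, parts: List[Partition]) -> bytes:
    """Assemble a 512-byte MBR from boot code plus partition entries (test data only)."""
    buf = bytearray(SECTOR_SIZE)
    buf[:len(boot_code)] = boot_code
    for p in parts:
        struct.pack_into("<B3xB3xII", buf, PART_TABLE_OFF + 16 * p.index,
                         0x80 if p.bootable else 0, p.ptype, p.lba_start, p.sector_count)
    buf[510:512] = BOOT_SIGNATURE
    return bytes(buf)


# --- constructed sample data (not real MBR images) ---
# Stand-in for a stock loader: a few plausible-looking opcodes, zero-padded to 440 bytes.
STOCK_BOOT_CODE = (b"\x33\xc0\x8e\xd0\xbc\x00\x7c\x8e\xc0\x8e\xd8\xbe\x00\x7c\xbf\x00\x06"
                   b"\xb9\x00\x02\xfc\xf3\xa4\x50\x68\x1c\x06\xcb").ljust(BOOT_CODE_LEN, b"\x00")
# Bootkit-style patch: first instruction replaced by a short jump; partition table untouched.
PATCHED_BOOT_CODE = b"\xeb\x3e" + STOCK_BOOT_CODE[2:]

# One bootable NTFS partition at LBA 63: 63 * 512 = 0x7E00, the offset in the log above.
NTFS_AT_63 = [Partition(0, True, 0x07, 63, 1_465_147_000)]

GOOD_SECTOR = build_sector(STOCK_BOOT_CODE, NTFS_AT_63)
PATCHED_SECTOR = build_sector(PATCHED_BOOT_CODE, NTFS_AT_63)

# Allow-list keyed by boot-code hash, built from the constructed stock loader; a real
# list would hold hashes of known-good loaders collected from clean systems.
KNOWN_LOADERS = {boot_code_sha1(GOOD_SECTOR): "Windows XP MBR code detected"}


if __name__ == "__main__":
    for name, sec in (("PhysicalDrive0", GOOD_SECTOR), ("PhysicalDrive2", PATCHED_SECTOR)):
        print(name, classify_mbr(sec, KNOWN_LOADERS), "SHA1:", boot_code_sha1(sec))
        for p in parse_partitions(sec):
            print(f"  part{p.index} type=0x{p.ptype:02x} bootable={p.bootable} "
                  f"offset=0x{p.byte_offset:x}")
```

The patched sector keeps an identical partition table, so a tool that only diffed partition entries would miss it; hashing the boot code is what separates the two. Conversely, the one drive in the log that reports "Unknown MBR code" is a data disk (F:), and an unknown hash there says nothing yet about which loader it carries until the sector is dumped and read.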

Re: Banker Fox and Win32/Nuqel need help

Post by guerro on 27th August 2010, 11:04 pm

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x000006fd

Kernel Drivers (total 137):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E4000 \WINDOWS\system32\hal.dll
0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
0xB9F79000 ACPI.sys
0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xB9F68000 pci.sys
0xBA0A8000 isapnp.sys
0xBA0B8000 ohci1394.sys
0xBA0C8000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xBA670000 pciide.sys
0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xBA0D8000 MountMgr.sys
0xB9F49000 ftdisk.sys
0xBA5AC000 dmload.sys
0xB9F23000 dmio.sys
0xBA330000 PartMgr.sys
0xBA0E8000 VolSnap.sys
0xB9F0B000 atapi.sys
0xBA0F8000 jraid.sys
0xB9EF3000 \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
0xBA108000 disk.sys
0xBA118000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB9ED3000 fltmgr.sys
0xB9EC1000 sr.sys
0xB9EAA000 KSecDD.sys
0xB9E1D000 Ntfs.sys
0xB9DF0000 NDIS.sys
0xBA128000 Combo-Fix.sys
0xB9DD6000 Mup.sys
0xBA5AE000 JGOGO.sys
0xBA288000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xB96B9000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
0xB96A5000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xB967D000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xBA3E0000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB9659000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xBA3E8000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xBA298000 \SystemRoot\system32\DRIVERS\imapi.sys
0xBA2A8000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xBA2B8000 \SystemRoot\system32\DRIVERS\redbook.sys
0xB9636000 \SystemRoot\system32\DRIVERS\ks.sys
0xBA3F0000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
0xB95F9000 \SystemRoot\system32\DRIVERS\yk51x86.sys
0xBA2C8000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xBA3F8000 \SystemRoot\system32\DRIVERS\fdc.sys
0xBA5BC000 \SystemRoot\system32\DRIVERS\ASACPI.sys
0xBA2D8000 \SystemRoot\system32\DRIVERS\serial.sys
0xBA570000 \SystemRoot\system32\DRIVERS\serenum.sys
0xBA574000 \SystemRoot\system32\DRIVERS\L8042Kbd.sys
0xBA400000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xBA7E4000 \SystemRoot\system32\DRIVERS\audstub.sys
0xBA2F8000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xBA578000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB95E2000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xBA308000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xBA318000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xBA408000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB95D1000 \SystemRoot\system32\DRIVERS\psched.sys
0xBA198000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xB950D000 \SystemRoot\System32\drivers\dmboot.sys
0xBA410000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xBA418000 \SystemRoot\system32\DRIVERS\raspti.sys
0xB94B5000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xBA1A8000 \SystemRoot\system32\DRIVERS\termdd.sys
0xBA420000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xBA5BE000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB9457000 \SystemRoot\system32\DRIVERS\update.sys
0xBA594000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xBA1B8000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xAD3F3000 \SystemRoot\system32\drivers\AtiHdAud.sys
0xAD3CF000 \SystemRoot\system32\drivers\portcls.sys
0xBA1E8000 \SystemRoot\system32\drivers\drmk.sys
0xBA1F8000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xBA5C2000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xAD2E3000 \SystemRoot\system32\drivers\ADIHdAud.sys
0xAD2CC000 \SystemRoot\system32\drivers\AEAudio.sys
0xAD26C000 \SystemRoot\system32\drivers\Senfilt.sys
0xBA450000 \SystemRoot\system32\DRIVERS\flpydisk.sys
0xBA5D4000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xBA6E4000 \SystemRoot\System32\Drivers\Null.SYS
0xBA5D6000 \SystemRoot\System32\Drivers\Beep.SYS
0xB995B000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xBA468000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xBA470000 \SystemRoot\System32\drivers\vga.sys
0xBA5D8000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xBA5DA000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xBA478000 \SystemRoot\System32\Drivers\Msfs.SYS
0xBA480000 \SystemRoot\System32\Drivers\Npfs.SYS
0xB9505000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xAD211000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xAD1B8000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xB994B000 \SystemRoot\system32\drivers\mfetdik.sys
0xAD192000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xAD16A000 \SystemRoot\system32\DRIVERS\netbt.sys
0xAD148000 \SystemRoot\System32\drivers\afd.sys
0xBA488000 \??\C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys
0xB993B000 \SystemRoot\System32\Drivers\Fips.SYS
0xB94E9000 \??\C:\WINDOWS\system32\BUFADPT.SYS
0xBA490000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xB944F000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xB991B000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xBA498000 \SystemRoot\system32\DRIVERS\LHidFilt.Sys
0xB990B000 \SystemRoot\system32\DRIVERS\WDFLDR.SYS
0xAD0CD000 \SystemRoot\system32\DRIVERS\Wdf01000.sys
0xB944B000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xBA4A8000 \SystemRoot\system32\DRIVERS\LMouFilt.Sys
0xB943B000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xB98FB000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xAD08D000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xBA5F0000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xB9D8E000 \SystemRoot\System32\drivers\Dxapi.sys
0xBA340000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xBA75C000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\ati2dvag.dll
0xBF057000 \SystemRoot\System32\ati2cqag.dll
0xBF0B1000 \SystemRoot\System32\atikvmag.dll
0xBF101000 \SystemRoot\System32\atiok3x2.dll
0xBF112000 \SystemRoot\System32\ati3duag.dll
0xBF3DC000 \SystemRoot\System32\ativvaxx.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xBA3C0000 \SystemRoot\system32\DRIVERS\AegisP.sys
0xAAD6C000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xAAA17000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xAA6CF000 \SystemRoot\system32\drivers\mfehidk.sys
0xBA438000 \SystemRoot\system32\drivers\mfebopk.sys
0xAA8B7000 \SystemRoot\system32\drivers\mfeapfk.sys
0xAA692000 \SystemRoot\system32\drivers\wdmaud.sys
0xAA837000 \SystemRoot\system32\drivers\sysaudio.sys
0xAA95F000 \SystemRoot\system32\drivers\mfeavfk.sys
0xBA460000 \??\C:\DOCUME~1\Media\LOCALS~1\Temp\mbr.sys
0xA9EF3000 \SystemRoot\System32\Drivers\HTTP.sys
0xAA2C4000 \??\C:\combo-fix25909c\catchme.sys
0xBA5FE000 \??\C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 42):
0 System Idle Process
4 System
508 C:\WINDOWS\system32\smss.exe
568 csrss.exe
596 C:\WINDOWS\system32\winlogon.exe
640 C:\WINDOWS\system32\services.exe
652 C:\WINDOWS\system32\lsass.exe
824 C:\WINDOWS\system32\ati2evxx.exe
840 C:\WINDOWS\system32\svchost.exe
912 svchost.exe
1024 C:\WINDOWS\system32\svchost.exe
1156 svchost.exe
1232 svchost.exe
1356 C:\WINDOWS\system32\ati2evxx.exe
1380 C:\WINDOWS\system32\spoolsv.exe
1576 svchost.exe
1680 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
1804 C:\Program Files\Bonjour\mDNSResponder.exe
1888 C:\Program Files\Java\jre6\bin\jqs.exe
1900 C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
1968 C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
2028 C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
460 naPrdMgr.exe
488 C:\WINDOWS\system32\svchost.exe
2108 alg.exe
2476 C:\WINDOWS\system32\wscntfy.exe
2664 C:\Program Files\Analog Devices\Core\smax4pnp.exe
2764 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
2804 C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
2824 C:\Program Files\Network Associates\Common Framework\Mctray.exe
2864 C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe
2932 C:\Program Files\Common Files\Java\Java Update\jusched.exe
2984 C:\Program Files\iTunes\iTunesHelper.exe
2996 C:\Program Files\ASUS WiFi-AP Solo\RtWLan.exe
3004 C:\Program Files\Logitech\SetPoint\SetPoint.exe
3156 C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
3464 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
3720 C:\Program Files\iPod\bin\iPodService.exe
4052 C:\WINDOWS\explorer.exe
3604 C:\WINDOWS\system32\notepad.exe
2172 C:\Program Files\Mozilla Firefox\firefox.exe
1852 C:\Documents and Settings\Media\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\F: --> \\.\PhysicalDrive2 at offset 0x00000000`00007e00 (NTFS)
\\.\G: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)
\\.\H: --> \\.\PhysicalDrive3 at offset 0x00000000`00007e00 (NTFS)
\\.\J: --> \\.\PhysicalDrive4 at offset 0x00000000`00007e00 (NTFS)
\\.\K: --> \\.\PhysicalDrive5 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: SAMSUNGHD753LJ, Rev: 1AA01107
PhysicalDrive2 Model Number: SAMSUNGHD753LJ, Rev: 1AA01107
PhysicalDrive1 Model Number: SAMSUNGHD753LJ, Rev: 1AA01107
PhysicalDrive3 Model Number: SAMSUNGHD753LJ, Rev: 1AA01107
PhysicalDrive4 Model Number: SAMSUNGHD103UJ, Rev: 1AA01113
PhysicalDrive5 Model Number: SAMSUNGHD103UJ, Rev: 1AA01113

Size Device Name MBR Status
--------------------------------------------
698 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
698 GB \\.\PhysicalDrive2 Unknown MBR code
SHA1: 639AC5CDF8A5CF3245975932C6A4215450A7B98F
698 GB \\.\PhysicalDrive1 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
698 GB \\.\PhysicalDrive3 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
931 GB \\.\PhysicalDrive4 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
931 GB \\.\PhysicalDrive5 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!


Re: Banker Fox and Win32/Nuqel need help

Post by guerro on 27th August 2010, 11:05 pm

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=1b8e3774b4fafd4d9c191f256cf01529
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=false
# utc_time=2010-08-27 10:54:05
# local_time=2010-08-27 03:54:05 (-0700, US Mountain Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=55523
# found=2
# cleaned=2
# scan_time=1065
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\ufcafypt.sys.vir a variant of Win32/Bubnix.AW trojan (cleaned by deleting - quarantined) 3D0CF9B608DB46F0F1957ACFC0FF929A C
C:\System Volume Information\_restore{A0378095-F669-4875-9041-96FAA45CBCF1}\RP5\A0001476.sys a variant of Win32/Bubnix.AW trojan (cleaned by deleting - quarantined) 3D0CF9B608DB46F0F1957ACFC0FF929A C


Re: Banker Fox and Win32/Nuqel need help

Post by Dr Jay on 29th August 2010, 1:24 am

Fix using MBRCheck.exe

Run MBRCheck.exe again by double-clicking on it.
  • Wait until you see the following line: Enter 'Y' and hit ENTER for more options, or 'N' to exit:
  • Enter 'Y' and then press Enter.
  • When asked: 'Enter your choice:', select option 2 (Restore the MBR of a physical disk with a standard boot code) and press the Enter key.
  • Now the program will ask: 'Enter the physical disk number to fix (0-99, -1 to cancel)'
  • Enter 2 and press the Enter key.
  • The program will show Available MBR codes followed by a list of operating systems as shown below:
    Available MBR codes:
    [ 0] Default (Windows XP)
    [ 1] Windows XP
    [ 2] Windows Server 2003
    [ 3] Windows Vista
    [ 4] Windows 2008
    [ 5] Windows 7
    [-1] Cancel
    Please select the MBR code to write to this drive:
  • Please select your version of Windows from the list and enter the corresponding number and then press Enter.
  • When prompted for confirmation: "Do you want to fix the MBR code?", type the full word Yes (not Y, or the fix will not work) and press Enter.
  • Left-click on the title bar (where the program name and path is written).
  • From the menu choose Edit -> Select All.
  • Press the Enter key to copy selected text.
  • Open Notepad, paste that text into it and save to your desktop as MBRCheck.txt.
  • When complete, you should see Done! Press ENTER to exit.... Press Enter on the keyboard.
  • Reboot your computer to complete the fix and copy/paste MBRCheck.txt in your next reply.
  • If your computer does not restart on its own, please restart it manually.

Important Note: The Master Boot Record contains the Partition Table for the hard disk and a little executable code for the boot start. While fixing the [You must be registered and logged in to see this link.] is generally safe, there is a small risk of damaging the MBR, which may cause the computer to not boot up or it may corrupt a partition.

The following are signs of a damaged MBR:
  • Invalid Partition Table
  • Missing Operating System
  • Error loading operating system


If it is the worst case scenario, and your computer cannot boot, please take note of the following:

Please have your Windows CD available, which will allow recovering the boot code via the Windows Recovery Console in case of any problems or install the [You must be registered and logged in to see this link.] before proceeding with the above fix. Then, if any problems occur, the links below explain how to use and repair the MBR:

If you do not have a Windows CD available, please let me know. You will need access to a computer that can burn CDs.


Dr. Jay (DJ)
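The MBR layout described in the note above (a partition table plus a small piece of boot code, which MBRCheck fingerprints by SHA1 and reports as "Unknown MBR code" when the hash is not one it recognises), as an added Python example. This is not code from the thread, from MBRCheck, from Bootkit Remover or from GMER's mbr.exe. It constructs a 512-byte sample MBR, validates the 0x55AA signature, decodes the partition entries (the first starting at LBA 63, which is the 0x7E00 byte offset shown in the logs), hashes the boot-code region and looks the hash up in an allow-list. The sample boot code, the allow-list entry, the sector count, and the choice to hash the first 440 bytes are all constructed assumptions; the SHA1 values in the logs are MBRCheck's own and are not reproduced here.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440       # assumption: hash the code area before the 4-byte disk signature
PART_TABLE_OFF = 446      # four 16-byte partition entries live at 446..509
ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count
SIGNATURE = b"\x55\xaa"   # the boot signature at bytes 510..511

PARTITION_TYPES = {0x07: "NTFS/HPFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
                   0x05: "Extended", 0x0F: "Extended (LBA)", 0x83: "Linux"}


def build_mbr(boot_code, partitions, disk_sig=0x12345678):
    """Construct a 512-byte MBR image (constructed test data, not read from a disk)."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code too long")
    img = bytearray(SECTOR)
    img[:len(boot_code)] = boot_code
    struct.pack_into("<I", img, BOOT_CODE_LEN, disk_sig)
    for i, (status, ptype, lba_start, sectors) in enumerate(partitions[:4]):
        # CHS fields are left zero; modern tooling relies on the LBA fields
        struct.pack_into(ENTRY_FMT, img, PART_TABLE_OFF + 16 * i,
                         status, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)
    img[510:512] = SIGNATURE
    return bytes(img)


def boot_code_sha1(img):
    """Fingerprint of the boot-code region only; partition table changes do not affect it."""
    return hashlib.sha1(img[:BOOT_CODE_LEN]).hexdigest().upper()


def parse_mbr(img):
    """Decode signature, disk signature and the non-empty partition entries."""
    if len(img) != SECTOR:
        raise ValueError("an MBR is exactly one 512-byte sector")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(
            ENTRY_FMT, img, PART_TABLE_OFF + 16 * i)
        if ptype == 0:
            continue  # empty slot
        parts.append({
            "index": i,
            "bootable": status == 0x80,
            "type": PARTITION_TYPES.get(ptype, "0x%02X" % ptype),
            "lba_start": lba,
            "byte_offset": lba * SECTOR,   # LBA 63 -> 0x7E00, as in the logs
            "sectors": count,
        })
    return {"signature_ok": img[510:512] == SIGNATURE,
            "disk_signature": struct.unpack_from("<I", img, BOOT_CODE_LEN)[0],
            "sha1": boot_code_sha1(img),
            "partitions": parts}


# Constructed stand-in for a known-good boot sector: NOT real Windows code or hashes.
SAMPLE_GOOD_CODE = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]) + b"CONSTRUCTED SAMPLE BOOT CODE"
SAMPLE_PARTITIONS = [(0x80, 0x07, 63, 1465144000)]   # constructed: bootable NTFS at LBA 63
KNOWN_GOOD = {boot_code_sha1(build_mbr(SAMPLE_GOOD_CODE, [])): "Sample (stands in for Windows XP)"}


def classify(img, known_good=KNOWN_GOOD):
    """MBRCheck-style verdict: a label for a recognised hash, otherwise 'Unknown MBR code'."""
    info = parse_mbr(img)
    if not info["signature_ok"]:
        return "Invalid MBR (missing 55AA signature)"
    return known_good.get(info["sha1"], "Unknown MBR code")


def views_agree(user_view, kernel_view):
    """mbr.exe-style check: the sector seen through the normal (user-mode) read path must
    match the one read from kernel mode; a mismatch means something is filtering reads."""
    return user_view == kernel_view


if __name__ == "__main__":
    sample = build_mbr(SAMPLE_GOOD_CODE, SAMPLE_PARTITIONS)
    info = parse_mbr(sample)
    for p in info["partitions"]:
        print("partition %d: %s at offset 0x%08X" % (p["index"], p["type"], p["byte_offset"]))
    print("SHA1:", info["sha1"], "->", classify(sample))
```

Run on a real disk image, only the first 512 bytes are needed; the allow-list would hold the hashes of boot code you trust (taken from a known-clean machine of the same Windows version), and any other hash is a reason to look closer rather than proof of infection, since OEM and third-party boot managers also produce "unknown" code.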

Re: Banker Fox and Win32/Nuqel need help

Post by guerro on 30th August 2010, 12:56 pm

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x000006fd

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\F: --> \\.\PhysicalDrive2 at offset 0x00000000`00007e00 (NTFS)
\\.\G: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)
\\.\H: --> \\.\PhysicalDrive3 at offset 0x00000000`00007e00 (NTFS)
\\.\J: --> \\.\PhysicalDrive4 at offset 0x00000000`00007e00 (NTFS)
\\.\K: --> \\.\PhysicalDrive5 at offset 0x00000000`00007e00 (NTFS)

Size Device Name MBR Status
--------------------------------------------
698 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
698 GB \\.\PhysicalDrive2 Unknown MBR code
SHA1: 639AC5CDF8A5CF3245975932C6A4215450A7B98F
698 GB \\.\PhysicalDrive1 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
698 GB \\.\PhysicalDrive3 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
931 GB \\.\PhysicalDrive4 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
931 GB \\.\PhysicalDrive5 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit: y

Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.

Enter your choice: 2

Enter the physical disk number to fix (0-99, -1 to cancel): 2
Available MBR codes:
[ 0] Default (Windows XP)
[ 1] Windows XP
[ 2] Windows Server 2003
[ 3] Windows Vista
[ 4] Windows 2008
[ 5] Windows 7
[-1] Cancel

Please select the MBR code to write to this drive: 1
Do you want to fix the MBR code? Type 'YES' and hit ENTER to continue: yes
Successfully wrote new MBR code!
Please reboot your computer to complete the fix.


Done!
Press ENTER to exit...


Re: Banker Fox and Win32/Nuqel need help

Post by Dr Jay on 31st August 2010, 4:59 am

Reboot your computer, and post a new MBRCheck log.


Dr. Jay (DJ)

Re: Banker Fox and Win32/Nuqel need help

Post by guerro on 31st August 2010, 1:17 pm

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x000006fd

Kernel Drivers (total 133):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E4000 \WINDOWS\system32\hal.dll
0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
0xB9F79000 ACPI.sys
0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xB9F68000 pci.sys
0xBA0A8000 isapnp.sys
0xBA0B8000 ohci1394.sys
0xBA0C8000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xBA670000 pciide.sys
0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xBA0D8000 MountMgr.sys
0xB9F49000 ftdisk.sys
0xBA5AC000 dmload.sys
0xB9F23000 dmio.sys
0xBA330000 PartMgr.sys
0xBA0E8000 VolSnap.sys
0xB9F0B000 atapi.sys
0xBA0F8000 jraid.sys
0xB9EF3000 \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
0xBA108000 disk.sys
0xBA118000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB9ED3000 fltmgr.sys
0xB9EC1000 sr.sys
0xB9EAA000 KSecDD.sys
0xB9E1D000 Ntfs.sys
0xB9DF0000 NDIS.sys
0xB9DD6000 Mup.sys
0xBA5AE000 JGOGO.sys
0xBA278000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xB96B9000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
0xB96A5000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xB967D000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xBA3D8000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB9659000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xBA3E0000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xBA288000 \SystemRoot\system32\DRIVERS\imapi.sys
0xBA298000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xBA2A8000 \SystemRoot\system32\DRIVERS\redbook.sys
0xB9636000 \SystemRoot\system32\DRIVERS\ks.sys
0xBA3E8000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
0xB95F9000 \SystemRoot\system32\DRIVERS\yk51x86.sys
0xBA2B8000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xBA3F0000 \SystemRoot\system32\DRIVERS\fdc.sys
0xBA5BC000 \SystemRoot\system32\DRIVERS\ASACPI.sys
0xBA2C8000 \SystemRoot\system32\DRIVERS\serial.sys
0xBA570000 \SystemRoot\system32\DRIVERS\serenum.sys
0xBA574000 \SystemRoot\system32\DRIVERS\L8042Kbd.sys
0xBA3F8000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xBA7DE000 \SystemRoot\system32\DRIVERS\audstub.sys
0xBA2E8000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xBA578000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB95E2000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xBA2F8000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xBA308000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xBA400000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB95D1000 \SystemRoot\system32\DRIVERS\psched.sys
0xBA318000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xB950D000 \SystemRoot\System32\drivers\dmboot.sys
0xBA408000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xBA410000 \SystemRoot\system32\DRIVERS\raspti.sys
0xB94B5000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xBA188000 \SystemRoot\system32\DRIVERS\termdd.sys
0xBA418000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xBA5BE000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB9457000 \SystemRoot\system32\DRIVERS\update.sys
0xBA594000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xBA198000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xAD3F3000 \SystemRoot\system32\drivers\AtiHdAud.sys
0xAD3CF000 \SystemRoot\system32\drivers\portcls.sys
0xBA1C8000 \SystemRoot\system32\drivers\drmk.sys
0xBA1D8000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xBA5C2000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xAD383000 \SystemRoot\system32\drivers\ADIHdAud.sys
0xAD36C000 \SystemRoot\system32\drivers\AEAudio.sys
0xAD30C000 \SystemRoot\system32\drivers\Senfilt.sys
0xBA460000 \SystemRoot\system32\DRIVERS\flpydisk.sys
0xBA5F6000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xBA6FC000 \SystemRoot\System32\Drivers\Null.SYS
0xBA5F8000 \SystemRoot\System32\Drivers\Beep.SYS
0xBA1F8000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xBA478000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xBA480000 \SystemRoot\System32\drivers\vga.sys
0xBA5FA000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xBA5FC000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xBA488000 \SystemRoot\System32\Drivers\Msfs.SYS
0xBA490000 \SystemRoot\System32\Drivers\Npfs.SYS
0xB944B000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xAD211000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xAD1B8000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xBA208000 \SystemRoot\system32\drivers\mfetdik.sys
0xAD192000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xAD16A000 \SystemRoot\system32\DRIVERS\netbt.sys
0xAD148000 \SystemRoot\System32\drivers\afd.sys
0xBA498000 \??\C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys
0xBA218000 \SystemRoot\System32\Drivers\Fips.SYS
0xB9433000 \??\C:\WINDOWS\system32\BUFADPT.SYS
0xBA4A0000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xB9D92000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xBA238000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xBA4A8000 \SystemRoot\system32\DRIVERS\LHidFilt.Sys
0xBA248000 \SystemRoot\system32\DRIVERS\WDFLDR.SYS
0xAD0A5000 \SystemRoot\system32\DRIVERS\Wdf01000.sys
0xB9D8E000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xBA340000 \SystemRoot\system32\DRIVERS\LMouFilt.Sys
0xBA548000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xBA258000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xAD08D000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xBA62A000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xAD258000 \SystemRoot\System32\drivers\Dxapi.sys
0xBA3A0000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xBA6B7000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\ati2dvag.dll
0xBF057000 \SystemRoot\System32\ati2cqag.dll
0xBF0B1000 \SystemRoot\System32\atikvmag.dll
0xBF101000 \SystemRoot\System32\atiok3x2.dll
0xBF112000 \SystemRoot\System32\ati3duag.dll
0xBF3DC000 \SystemRoot\System32\ativvaxx.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xBA4B0000 \SystemRoot\system32\DRIVERS\AegisP.sys
0xAAD7C000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xAAA3F000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xAA797000 \SystemRoot\system32\drivers\mfehidk.sys
0xBA3B8000 \SystemRoot\system32\drivers\mfebopk.sys
0xAAB04000 \SystemRoot\system32\drivers\mfeapfk.sys
0xAA96F000 \SystemRoot\system32\drivers\mfeavfk.sys
0xAA5A2000 \SystemRoot\system32\drivers\wdmaud.sys
0xAA6A7000 \SystemRoot\system32\drivers\sysaudio.sys
0xA9EF3000 \SystemRoot\System32\Drivers\HTTP.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 42):
0 System Idle Process
4 System
504 C:\WINDOWS\system32\smss.exe
564 csrss.exe
592 C:\WINDOWS\system32\winlogon.exe
636 C:\WINDOWS\system32\services.exe
648 C:\WINDOWS\system32\lsass.exe
820 C:\WINDOWS\system32\ati2evxx.exe
840 C:\WINDOWS\system32\svchost.exe
908 svchost.exe
1020 C:\WINDOWS\system32\svchost.exe
1124 svchost.exe
1228 svchost.exe
1324 C:\WINDOWS\system32\ati2evxx.exe
1476 C:\WINDOWS\system32\spoolsv.exe
1552 svchost.exe
1636 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
1708 C:\Program Files\Bonjour\mDNSResponder.exe
1780 C:\Program Files\Java\jre6\bin\jqs.exe
1800 C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
1880 C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
1980 C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
304 naPrdMgr.exe
428 C:\WINDOWS\system32\svchost.exe
1156 C:\WINDOWS\system32\wuauclt.exe
1288 C:\WINDOWS\explorer.exe
968 wmiprvse.exe
1840 C:\WINDOWS\system32\wscntfy.exe
1928 alg.exe
2056 C:\Program Files\Analog Devices\Core\smax4pnp.exe
2160 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
2168 C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
2176 C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe
2224 C:\Program Files\Network Associates\Common Framework\Mctray.exe
2252 C:\Program Files\Common Files\Java\Java Update\jusched.exe
2284 C:\Program Files\iTunes\iTunesHelper.exe
2296 C:\Program Files\ASUS WiFi-AP Solo\RtWLan.exe
2304 C:\Program Files\Logitech\SetPoint\SetPoint.exe
2348 C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
3708 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
3740 C:\Program Files\iPod\bin\iPodService.exe
1936 C:\Documents and Settings\Media\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\F: --> \\.\PhysicalDrive2 at offset 0x00000000`00007e00 (NTFS)
\\.\G: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)
\\.\H: --> \\.\PhysicalDrive3 at offset 0x00000000`00007e00 (NTFS)
\\.\J: --> \\.\PhysicalDrive4 at offset 0x00000000`00007e00 (NTFS)
\\.\K: --> \\.\PhysicalDrive5 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: SAMSUNGHD753LJ, Rev: 1AA01107
PhysicalDrive2 Model Number: SAMSUNGHD753LJ, Rev: 1AA01107
PhysicalDrive1 Model Number: SAMSUNGHD753LJ, Rev: 1AA01107
PhysicalDrive3 Model Number: SAMSUNGHD753LJ, Rev: 1AA01107
PhysicalDrive4 Model Number: SAMSUNGHD103UJ, Rev: 1AA01113
PhysicalDrive5 Model Number: SAMSUNGHD103UJ, Rev: 1AA01113

Size Device Name MBR Status
--------------------------------------------
698 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
698 GB \\.\PhysicalDrive2 Unknown MBR code
SHA1: 639AC5CDF8A5CF3245975932C6A4215450A7B98F
698 GB \\.\PhysicalDrive1 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
698 GB \\.\PhysicalDrive3 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
931 GB \\.\PhysicalDrive4 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
931 GB \\.\PhysicalDrive5 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.

Enter your choice: Enter the physical disk number to fix (0-99, -1 to cancel): 2Available MBR codes:
[ 0] Default (Windows XP)
[ 1] Windows XP
[ 2] Windows Server 2003
[ 3] Windows Vista
[ 4] Windows 2008
[ 5] Windows 7
[-1] Cancel

Please select the MBR code to write to this drive: 1
Do you want to fix the MBR code? Type 'YES' and hit ENTER to continue: yes
Successfully wrote new MBR code!
Please reboot your computer to complete the fix.


Done!


Re: Banker Fox and Win32/Nuqel need help

Post by Dr Jay on 31st August 2010, 7:14 pm

Download [You must be registered and logged in to see this link.] to your Desktop.

  • You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip: [You must be registered and logged in to see this link.]
  • After extracting remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users, right-click on remover.exe and click Run As Administrator).
  • It will show a Black screen with some data on it.
  • Right click on the screen and click Select All.
  • Press Enter
  • Open Notepad and press CTRL+V
  • Post the output back here.


Dr. Jay (DJ)

Re: Banker Fox and Win32/Nuqel need help

Post by guerro on 1st September 2010, 3:17 am

Bootkit Remover
(c) 2009 eSage Lab
[You must be registered and logged in to see this link.]

Program version: 1.1.0.0
OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd

Size Device Name MBR Status
--------------------------------------------
698 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


Done;
Press any key to quit...


Re: Banker Fox and Win32/Nuqel need help

Post by Dr Jay on 1st September 2010, 10:08 pm

Please download Stealth MBR Rootkit Detector by GMER from [You must be registered and logged in to see this link.], and save to your Desktop.
  • Double-click mbr.exe to start the program.
  • When done scanning, it will save a log on the Desktop called mbr.log.
  • Please post the contents of that log in your next reply.


Dr. Jay (DJ)

Re: Banker Fox and Win32/Nuqel need help

Post by guerro on 2nd September 2010, 3:10 am

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK


Re: Banker Fox and Win32/Nuqel need help

Post by Dr Jay on 4th September 2010, 4:24 am

How is the computer running?


Dr. Jay (DJ)

Re: Banker Fox and Win32/Nuqel need help

Post by guerro on 4th September 2010, 5:03 am

It seems to be running fine. Would you say that everything has been remedied?


Re: Banker Fox and Win32/Nuqel need help

Post by Dr Jay on 4th September 2010, 5:16 am

Sure. If there are no more issues, then we shall clean up!

Clean up System Restore

Now, to get you off to a clean start, we will be creating a new Restore Point, then clearing the old ones to make sure you do not get reinfected, in case you need to "restore back."
  • Select Start > All Programs > Accessories > System tools > System Restore.
  • On the dialogue box that appears select Create a Restore Point
  • Click NEXT
  • Enter a name e.g. Clean
  • Click CREATE

You now have a clean restore point, to get rid of the bad ones:
  • Select Start > All Programs > Accessories > System tools > Disk Cleanup.
  • In the Drop down box that appears select your main drive e.g. C
  • Click OK
  • The System will do some calculation and then display a dialogue box with TABS
  • Select the More Options Tab.
  • At the bottom will be a system restore box with a CLEANUP button; click this
  • Accept the Warning and select OK again, the program will close and you are done


Run OTC to remove our tools

To remove all of the tools we used and the files and folders they created, please do the following:
Please download [You must be registered and logged in to see this link.] by OldTimer:
  • Save it to your Desktop.
  • Double click OTC.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

Purge old temporary files

Please download [You must be registered and logged in to see this link.] to your desktop
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.


Security Check

Please download Security Check by screen317 from [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.].
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


Tell me in your next reply, if you have completed these tasks:
  • Cleaned System Restore
  • Ran OTC
  • Ran TFC
  • Ran Security Check

Also, let me know how your computer is running, and don't forget to post the contents of the Security Check log.


Dr. Jay (DJ)

Re: Banker Fox and Win32/Nuqel need help

Post by guerro on 6th September 2010, 6:22 pm

DragonMaster Jay wrote:Sure. If there are no more issues, then we shall clean up!

Results of screen317's Security Check version 0.99.5
Windows XP Service Pack 3
Internet Explorer 7 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
ESET Online Scanner v3
McAfee VirusScan Enterprise
Antivirus out of date!
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Java(TM) 6 Update 21
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Out of date Java installed!
Adobe Flash Player 10.0.22.87
Mozilla Firefox (3.6.8)
````````````````````````````````
Process Check:
objlist.exe by Laurent

McAfee VirusScan Enterprise mcshield.exe
McAfee VirusScan Enterprise vstskmgr.exe
McAfee VirusScan Enterprise SHSTAT.EXE
````````````````````````````````
DNS Vulnerability Check:

Request Timed Out (Wireless Internet connection/Disconnected Internet/Proxy?)

``````````End of Log````````````


I ran all the programs you listed, complete with no errors. Everything seems to be working fine.


Re: Banker Fox and Win32/Nuqel need help

Post by Dr Jay on 7th September 2010, 3:24 am

Java Update!

Please download the newest version of Java from [You must be registered and logged in to see this link.].

Before installing: it is important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
Search the list for all previously installed versions of Java (J2SE Runtime Environment). Please uninstall/remove each of them.

Once old versions are gone, please install the newest version.

===================================================

Please read the following information that I have provided, which will help you prevent malicious software in the future. Please keep in mind, malware is a continuous danger on the Internet. It is highly important to stay safe while browsing, to prevent re-infection.

Software recommendations

AntiSpyware

  • [You must be registered and logged in to see this link.]
    SpywareBlaster is a program that prevents spyware from installing on your computer. A tutorial on using SpywareBlaster may be found [You must be registered and logged in to see this link.].
  • [You must be registered and logged in to see this link.].
    Spybot - Search & Destroy is a spyware and adware removal program. It also has realtime protection, TeaTimer, to help safeguard your computer against spyware. (The link for Spybot - Search & Destroy contains a tutorial that will help you download, install, and begin using Spybot.)


NOTE: Please keep ALL of these programs up-to-date and run them whenever you suspect a problem to prevent malware problems.

Resident Protection help
A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall, and scanning anti-spyware program at a time. Passive protectors such as SpywareBlaster can be run with any of them.

Securing your computer

  • [You must be registered and logged in to see this link.] - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • [You must be registered and logged in to see this link.] replaces your current HOSTS file with one containing well known ad sites and other bad sites. This prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer's loopback address, meaning it will be difficult to infect your computer in the future.


Please consider using an alternate browser
Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScript, can make it even more secure. Opera is another good option.

If you are interested:


Thank you for choosing GeekPolice. Please see [You must be registered and logged in to see this link.] if you would like to leave feedback or contribute to our site. Do you have any more questions?


Dr. Jay (DJ)



Dr Jay
Head Administrator

Posts : 14309
Joined : 2009-09-06
Gender : Male
OS : Windows 10 Home & Pro
Arch. : x64 (64-bit)
Protection : Bitdefender Total Security
Points : 302960
# Likes : 10

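The HOSTS-file mechanism described in the post above (bad sites mapped to the loopback address 127.0.0.1 so the PC never reaches them), shown as an added example that is not part of the original post or of any product it names. The Python below parses a HOSTS file in the layout Windows uses and reports which names are sinkholed; all entries and domains in the sample are constructed and hypothetical, and 0.0.0.0 is treated as a sinkhole too, since blocklists commonly use it alongside 127.0.0.1.

```python
"""Added example (not from the thread): which hostnames does a HOSTS file block?"""
import ipaddress

# Constructed sample in the layout of a blocking HOSTS file (hypothetical names).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# Start of blocklist (constructed entries)
127.0.0.1  ads.example-ad-network.invalid
127.0.0.1  tracker.example.invalid   # comment after the entry
0.0.0.0    malware-dropper.example.invalid
10.0.0.5   intranet.example.invalid  # a real mapping, not a sinkhole
this is not a valid line
"""

# Addresses that make a name unreachable: loopback (the post's 127.0.0.1) and 0.0.0.0.
SINKHOLES = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Return (ip, hostname) pairs for every valid entry; comments and junk are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # strip trailing and full-line comments
        if not line:
            continue
        parts = line.split()                    # IP, then one or more hostnames
        if len(parts) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue                            # malformed line: not an IP address
        for name in parts[1:]:
            entries.append((ip, name.lower()))
    return entries


def blocked_hosts(text):
    """Hostnames the file redirects to a sinkhole address (localhost itself excluded)."""
    return sorted({name for ip, name in parse_hosts(text)
                   if ip in SINKHOLES and name != "localhost"})


def is_blocked(text, hostname):
    """True if connecting to hostname would be redirected to a sinkhole address."""
    return hostname.lower() in blocked_hosts(text)
```

Pointed at C:\WINDOWS\system32\drivers\etc\hosts instead of the constructed sample, `blocked_hosts` lists exactly which sites the replacement file prevents the machine from reaching.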

Re: Banker Fox and Win32/Nuqel need help

Post by guerro on 7th September 2010, 4:13 am

The only thing I cannot get to update is the McAfee antivirus. It keeps barfing when downloading the new DAT file. Not sure what to do about that.


Re: Banker Fox and Win32/Nuqel need help

Post by Dr Jay on 8th September 2010, 9:22 pm

Seems like an internal software issue with McAfee.

What version of McAfee Antivirus are you running?


Dr. Jay (DJ)




Re: Banker Fox and Win32/Nuqel need help

Post by guerro on 8th September 2010, 9:23 pm

8.5i


Re: Banker Fox and Win32/Nuqel need help

Post by Dr Jay on 9th September 2010, 7:54 pm

My bad, I wanted to ask this earlier. Do you have the install media for the McAfee product?


Dr. Jay (DJ)




Re: Banker Fox and Win32/Nuqel need help

Post by guerro on 9th September 2010, 9:46 pm

Yes, and I reinstalled, but either it is not connecting to the McAfee FTP for download or the files it pulls down are corrupt/have a problem. I get the same error as I got before reinstalling. I will post a log of the error later tonight when I get home from work.


Re: Banker Fox and Win32/Nuqel need help

Post by guerro on 10th September 2010, 1:36 am

Well, I ran the update on McAfee so I could post the log, but it looks like the update worked this time. I think everything is fixed and updated. Thanks again for all your help. I will be sure my brother makes a donation.


Results of screen317's Security Check version 0.99.5
Windows XP Service Pack 3
Internet Explorer 7 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
ESET Online Scanner v3
McAfee VirusScan Enterprise
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Java(TM) 6 Update 21
Adobe Flash Player 10.0.22.87
Adobe Reader 9.3.4
Mozilla Firefox (3.6.8)
````````````````````````````````
Process Check:
objlist.exe by Laurent

McAfee VirusScan Enterprise vstskmgr.exe
McAfee VirusScan Enterprise mcshield.exe
````````````````````````````````
DNS Vulnerability Check:

Request Timed Out (Wireless Internet connection/Disconnected Internet/Proxy?)

``````````End of Log````````````


Re: Banker Fox and Win32/Nuqel need help

Post by Dr Jay on 11th September 2010, 4:31 am

Let me know of any more issues.


Dr. Jay (DJ)



