MS Removal Tool infection


MS Removal Tool infection

Post by Rivers on Fri 13 May 2011, 4:55 am

Yesterday my desktop became infected with the MS Removal Tool virus. I downloaded (with my laptop) a virus removal tool from Norton and one from Microsoft, but neither would run from my desktop. I wasn't able to boot Windows in safe mode. However, after several hours with the computer turned off, I was finally able to boot in safe mode. I then downloaded (with the laptop) and ran Malwarebytes. It detected 13 infected files and I deleted them. But now I cannot boot to Windows and cannot boot to safe mode. When I try to boot to Windows, I get a fake screen that says "We are sorry for the inconvenience..." and has safe mode booting options. Any choice from the fake screen just loops back to the same fake screen. When I try to boot pressing F8, I get the Windows screen that lets me choose safe mode with networking, but from there it seems to load drivers, then seems to try to load Windows regular mode, but ends up at the fake boot options screen.

So, I am unable to run the diagnosis programs I have seen recommended in other posts on this forum. However, I have one shred of hope.

I was able to go to BIOS and change the boot disk order to boot from a CD Rom. I have an Acronis True Image Home recovery disk that I am able to load. I've just started tinkering with it (cautiously) and I don't know what I'll be able to do, but may be able to retrieve the Malwarebytes logs. I will post here if I can.

Are you familiar with Acronis? It will allow me to create a "secure zone" on my disk. From there I have an option to run Acronis Startup Recovery Manager, which lets me run Acronis without loading Windows. Then, according to the instructions, I should be able to "restore damaged partitions." This may assume that I am able to access my external hard drive which has a full system backup. The existing backup is a couple of months old, so I want to save more recent documents on my computer. I want to avoid a wipe and restore of the hard drive if possible, but that is an option if I can still save recent documents without also saving the virus.

So, if I can pick and choose which files/folders to restore from the backup, which should I choose? In other words, I should be able to replace infected files/folders with clean ones from the backup. Does this sound like a reasonable approach? I am open for any suggestions, if you have something better please let me know. I will gladly give any suggestion a try.

I think I can safely create the secure zone and try to retrieve the Malwarebytes logs. I will post my results.

Rivers

Newbie Surfer

Posts : 32
Joined : 2011-05-13
Operating System : Windows XP


Re: MS Removal Tool infection

Post by Rivers on Fri 13 May 2011, 5:09 am

Ok, that was easy. Didn't have to create the secure zone, just backed up the log files then restored to laptop. Here is the log.

Malwarebytes' Anti-Malware 1.50.1.1100

Database version: 6559

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 7.0.5730.13

5/11/2011 10:51:25 PM
mbam-log-2011-05-11 (22-51-19).txt

Scan type: Quick scan
Objects scanned: 191671
Time elapsed: 6 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 11
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 20

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\5GUTNY6MFK (Trojan.FakeAlert.SA) -> No action taken.
HKEY_CURRENT_USER\Software\R8388QA8U8 (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ (Hijack.Zones) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\INPUT MANAGER (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\MOUSEDRIVER (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\PLUG MANAGER (Trojan.Agent) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vrikuhi (IPH.Trojan.Hiloti.B) -> Value: Vrikuhi -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tukdtjsrx (Malware.Packer.Gen) -> Value: tukdtjsrx -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Flika (Trojan.Hiloti) -> Value: Flika -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5GUTNY6MFK (Trojan.FraudPack.Gen) -> Value: 5GUTNY6MFK -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\R8388QA8U8 (Trojan.FraudPack.Gen) -> Value: R8388QA8U8 -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tukdtjsr (Trojan.Downloader) -> Value: tukdtjsr -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Manager (Trojan.Agent) -> Value: Manager -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Input Manager (Trojan.Downloader) -> Value: Input Manager -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Input Manager\ImagePath (Trojan.Agent) -> Value: ImagePath -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MouseDriver\ImagePath (Trojan.Agent) -> Value: ImagePath -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Plug Manager\ImagePath (Trojan.Agent) -> Value: ImagePath -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\atolizodowurafox.dll (IPH.Trojan.Hiloti.B) -> No action taken.
c:\WINDOWS\system32\tukdtjsrx.exe (Malware.Packer.Gen) -> No action taken.
c:\WINDOWS\rdntmt.dll (Trojan.Hiloti) -> No action taken.
c:\WINDOWS\Agusia.exe (Trojan.FraudPack.Gen) -> No action taken.
c:\documents and settings\mmartin\local settings\Temp\Afr.exe (Trojan.FraudPack.Gen) -> No action taken.
c:\WINDOWS\system32\dgjasr46w.exe (Trojan.Clicker) -> No action taken.
c:\documents and settings\mmartin\local settings\Temp\Afs.exe (Trojan.FraudPack.Gen) -> No action taken.
c:\documents and settings\mmartin\local settings\Temp\Aft.exe (Trojan.FraudPack.Gen) -> No action taken.
c:\documents and settings\mmartin\local settings\Temp\rwsmenoacx.tmp (Trojan.Hiloti) -> No action taken.
c:\documents and settings\mmartin\local settings\Temp\yrto5pa9.exe (Malware.Packer.Gen) -> No action taken.
c:\WINDOWS\Temp\conima.exe (Spyware.Passwords) -> No action taken.
c:\WINDOWS\Temp\f3qx2w9.exe (Backdoor.Bot) -> No action taken.
c:\WINDOWS\Temp\Managee.exe (Trojan.Agent) -> No action taken.
c:\WINDOWS\system32\comsats.sys (Trojan.Agent) -> No action taken.
c:\WINDOWS\Tasks\{22116563-108c-42c0-a7ce-60161b75e508}.job (Trojan.Downloader) -> No action taken.
c:\WINDOWS\system32\tukdtjsr.exe (Trojan.Downloader) -> No action taken.
c:\WINDOWS\Tasks\{810401e2-dde0-454e-b0e2-aa89c9e5967c}.job (Trojan.FraudPack) -> No action taken.
c:\WINDOWS\Temp\input manager.bat (Trojan.Agent) -> No action taken.
c:\WINDOWS\Temp\mousedriver.bat (Trojan.Agent) -> No action taken.
c:\WINDOWS\Temp\Plug.bat (Trojan.Agent) -> No action taken.

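A small triage script for a log in this format, added here as an example (it is not Malwarebytes' code and not from this thread): it parses detection lines like the ones above into records and groups them by the persistence or tampering mechanism they represent (Run-key autostarts, service and driver registrations, scheduled-task jobs, Security Center notification settings), which is the first thing a responder wants to know from a scan log. The log embedded in the script is a constructed subset of the lines posted above; the alternative action string "Quarantined and deleted successfully" mentioned in a comment is assumed from Malwarebytes removal logs and does not appear on this page.

```python
"""Triage helper for a Malwarebytes' Anti-Malware 1.x log (added example,
not a Malwarebytes tool): parse each detection line and group the findings
by the persistence mechanism they represent, so a responder can see at a
glance what the infection used to survive a reboot."""
import re
from collections import defaultdict

# Constructed sample: a subset of the detection lines from the log posted
# above, in the same "item (family) -> detail -> action." format.
SAMPLE_LOG = r"""Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\5GUTNY6MFK (Trojan.FakeAlert.SA) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\INPUT MANAGER (Trojan.Agent) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vrikuhi (IPH.Trojan.Hiloti.B) -> Value: Vrikuhi -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Manager (Trojan.Agent) -> Value: Manager -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MouseDriver\ImagePath (Trojan.Agent) -> Value: ImagePath -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\tukdtjsrx.exe (Malware.Packer.Gen) -> No action taken.
c:\WINDOWS\Tasks\{22116563-108c-42c0-a7ce-60161b75e508}.job (Trojan.Downloader) -> No action taken.
c:\WINDOWS\Temp\mousedriver.bat (Trojan.Agent) -> No action taken.
c:\WINDOWS\system32\comsats.sys (Trojan.Agent) -> No action taken.
"""

# item, then the detection family in parentheses, then " -> " separated
# detail fields and the action, ending with a period. The item match is
# non-greedy so the "(1)"/"(0)" in a detail field is not taken as the family.
DETECTION_RE = re.compile(r'^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<tail>.+)\.$')


def parse_detections(text):
    """Return one dict per detection line, tagged with the
    'X Infected:' section it appeared under."""
    section = None
    found = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(' Infected:'):      # section header, e.g. "Files Infected:"
            section = line[:-len(' Infected:')]
            continue
        m = DETECTION_RE.match(line)
        if m is None or section is None:    # summary counts, "(No malicious items detected)", etc.
            continue
        parts = m.group('tail').split(' -> ')
        found.append({
            'section': section,
            'item': m.group('item'),
            'family': m.group('family'),
            'detail': ' -> '.join(parts[:-1]),  # e.g. "Value: Vrikuhi" or "Bad: (1) Good: (0)"
            # "No action taken" in a scan log; removal logs use a string such as
            # "Quarantined and deleted successfully" (assumed, not shown on this page)
            'action': parts[-1],
        })
    return found


def classify(det):
    """Map a detection to the persistence or tampering mechanism it represents."""
    item = det['item'].lower()
    if '\\currentversion\\run\\' in item or '\\policies\\explorer\\run\\' in item:
        return 'run-key autostart'
    if '\\services\\' in item:
        return 'service or driver registration'
    if '\\security center\\' in item:
        return 'security center notification disabled'
    if item.endswith('.job'):
        return 'scheduled task'
    if item.endswith('.sys'):
        return 'kernel driver file'
    if item.endswith(('.exe', '.dll', '.bat', '.tmp')):
        return 'executable or script file'
    return 'other'


def summarize(text):
    """Group detected items by mechanism: {mechanism: [item, ...]}."""
    groups = defaultdict(list)
    for det in parse_detections(text):
        groups[classify(det)].append(det['item'])
    return dict(groups)


def pending(text):
    """Items the log shows as still present ('No action taken'): the log
    records a scan, not a removal, so a removal log should follow it."""
    return [d['item'] for d in parse_detections(text) if d['action'] == 'No action taken']


if __name__ == '__main__':
    for mechanism, items in summarize(SAMPLE_LOG).items():
        print(f'{mechanism}: {len(items)}')
        for it in items:
            print(f'    {it}')
    print(f'{len(pending(SAMPLE_LOG))} item(s) still awaiting removal')
```

On the log above every entry reads "No action taken", so pending() returns the whole list: that log is the scan taken before the files were deleted. The three Security Center items are grouped separately because they are not persistence entries but disabled Windows warnings about antivirus, firewall and update status, which a cleanup should restore to their "Good: (0)" values.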

Re: MS Removal Tool infection

Post by DragonMaster Jay on Fri 13 May 2011, 5:13 am

Please visit this webpage for a tutorial on downloading and running ComboFix:

[You must be registered and logged in to see this link.]

See the area: Using ComboFix, and when done, post the log back here.



~DMJ
GeekPolice Academy Manager



DragonMaster Jay

Manager | Tech Officer

Posts : 13451
Joined : 2009-09-07
Operating System : Windows 7 Ultimate


Re: MS Removal Tool infection

Post by Rivers on Fri 13 May 2011, 6:37 am

Sorry for the delay. I was able to go into safe mode. Tried to download Combofix, but downloaded ARO2011 instead. Installed and ran it, but realized my mistake before accepting changes. So went back and downloaded Combofix and installed it. But it gives me an error message that it cannot run when AVG is installed. Tried to remove AVG but it will not uninstall. Went to Control Panel/Add or Remove Programs, but get error code. Says "installation failed." Cannot open AVG either, the virus seems to have targeted it. Can't launch it from icon in explorer or program files.


Re: MS Removal Tool infection

Post by Rivers on Fri 13 May 2011, 8:24 am

Downloaded and ran AVG Remover. When it rebooted, Windows came up in normal mode. Ran Malwarebytes again and it found no infections.
Running ComboFix now. Got error message that AVG real time scanner is still active but ComboFix will continue to run. "Please note that this is at your own risk." I let it continue to run.


Re: MS Removal Tool infection

Post by Rivers on Fri 13 May 2011, 8:53 am

ComboFix 11-05-11.04 - mmartin 05/12/2011 16:28:47.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1478 [GMT -5:00]
Running from: c:\documents and settings\mmartin\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\iM28601JgCdN28601
c:\documents and settings\All Users\Application Data\iM28601JgCdN28601\iM28601JgCdN28601
c:\documents and settings\All Users\Application Data\iM28601JgCdN28601\iM28601JgCdN28601.exe
c:\documents and settings\mmartin\Local Settings\Application Data\{965D8DA0-38B9-4456-B9D5-FB0C9EF3FD36}
c:\documents and settings\mmartin\Local Settings\Application Data\{965D8DA0-38B9-4456-B9D5-FB0C9EF3FD36}\chrome.manifest
c:\documents and settings\mmartin\Local Settings\Application Data\{965D8DA0-38B9-4456-B9D5-FB0C9EF3FD36}\chrome\content\_cfg.js
c:\documents and settings\mmartin\Local Settings\Application Data\{965D8DA0-38B9-4456-B9D5-FB0C9EF3FD36}\chrome\content\overlay.xul
c:\documents and settings\mmartin\Local Settings\Application Data\{965D8DA0-38B9-4456-B9D5-FB0C9EF3FD36}\install.rdf
c:\windows\system32\bszip.dll
c:\windows\system32\ReadMe.txt
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_INPUT_MANAGER
-------\Legacy_MOUSEDRIVER
-------\Legacy_PLUG_MANAGER
.
.
((((((((((((((((((((((((( Files Created from 2011-04-12 to 2011-05-12 )))))))))))))))))))))))))))))))
.
.
2011-05-12 19:00 . 2011-05-12 19:00 -------- d-----w- c:\documents and settings\mmartin\Application Data\Sammsoft
2011-05-12 18:59 . 2011-05-12 18:59 -------- d-----w- c:\program files\ARO 2011
2011-05-12 03:43 . 2011-05-12 03:43 -------- d-----w- c:\documents and settings\mmartin\Application Data\Malwarebytes
2011-05-12 03:35 . 2011-05-12 03:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-05-12 03:35 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-12 03:35 . 2011-05-12 03:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-12 03:35 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-11 20:02 . 2011-05-11 20:02 0 ----a-w- c:\windows\Pcinidedu.bin
2011-05-11 20:00 . 2011-05-11 20:00 131072 --sha-r- c:\windows\system32\tapiz.dll
2011-04-27 03:49 . 2011-04-27 03:49 -------- d-----w- c:\documents and settings\mmartin\Application Data\SmartFTP
2011-04-27 03:49 . 2011-04-27 03:49 -------- d-----w- c:\program files\SmartFTP Client
2011-04-27 03:47 . 2011-04-27 03:47 -------- d-----w- c:\program files\SmartFTP Client 4.0 Setup Files
2011-04-27 02:12 . 2011-04-27 02:12 -------- d-----w- c:\program files\HashTab Shell Extension
2011-04-22 19:04 . 2011-04-23 03:24 -------- d-----w- c:\documents and settings\mmartin\Application Data\Download Manager
2011-04-21 14:41 . 2011-04-21 14:41 -------- d-----w- c:\documents and settings\All Users\Application Data\ATI
2011-04-15 16:30 . 2011-04-20 15:48 -------- d-----w- c:\program files\ATI
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-20 05:03 . 2011-02-20 05:03 4422992 ----a-w- c:\windows\mfc100u.dll
2011-02-20 04:03 . 2011-02-20 04:03 64336 ----a-w- c:\windows\system32\mfc100fra.dll
2011-02-20 04:03 . 2011-02-20 04:03 64336 ----a-w- c:\windows\system32\mfc100deu.dll
2011-02-20 04:03 . 2011-02-20 04:03 63824 ----a-w- c:\windows\system32\mfc100esn.dll
2011-02-20 04:03 . 2011-02-20 04:03 62288 ----a-w- c:\windows\system32\mfc100ita.dll
2011-02-20 04:03 . 2011-02-20 04:03 60752 ----a-w- c:\windows\system32\mfc100rus.dll
2011-02-20 04:03 . 2011-02-20 04:03 55120 ----a-w- c:\windows\system32\mfc100enu.dll
2011-02-20 04:03 . 2011-02-20 04:03 43856 ----a-w- c:\windows\system32\mfc100jpn.dll
2011-02-20 04:03 . 2011-02-20 04:03 43344 ----a-w- c:\windows\system32\mfc100kor.dll
2011-02-20 04:03 . 2011-02-20 04:03 421200 ----a-w- c:\windows\system32\msvcp100.dll
2011-02-20 04:03 . 2011-02-20 04:03 36176 ----a-w- c:\windows\system32\mfc100cht.dll
2011-02-20 04:03 . 2011-02-20 04:03 36176 ----a-w- c:\windows\system32\mfc100chs.dll
2011-02-19 05:40 . 2011-02-19 05:40 773968 ----a-w- c:\windows\system32\msvcr100.dll
2011-02-18 21:36 . 2009-08-04 17:06 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-02-18 21:36 . 2009-08-04 17:06 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-05-01 16:47 . 2011-03-24 16:37 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2007-10-26 15:00 . 2009-01-12 18:19 16896 ----a-w- c:\program files\mozilla firefox\components\tmfftb.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AROReminder"="c:\program files\ARO 2011\aro.exe" [2011-01-25 2312048]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-08-03 577536]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"StatusClient 2.6"="c:\program files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" [2003-10-03 61440]
"TomcatStartup 2.5"="c:\program files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-04-09 184320]
"OrderReminder"="c:\program files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe" [2009-01-12 98304]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2003-12-05 49152]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-10-31 2595616]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-10-31 909208]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-10-31 140568]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-12 640376]
"Share-to-Web Namespace Daemon"="c:\program files\hp\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-02-04 198160]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2002-09-11 368706]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 813912]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 1406024]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-04-28 61440]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
palmOne Registration.lnk - c:\program files\palmOne\register.exe [2005-6-9 2355200]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
CardMinder Viewer.lnk - c:\program files\PFU\ScanSnap\CardMinder\CardLauncher.exe [2009-6-10 77824]
Conversion to PDF with ScanSnap Organizer.lnk - c:\program files\PFU\ScanSnap\Organizer\PfuSsOrgOcrChk.exe [2009-6-10 15360]
HotSync Manager.lnk - c:\program files\palmOne\Hotsync.exe [2008-1-3 1392640]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-11-6 815104]
SATARaid.lnk - c:\program files\Silicon Image\SiISATARaid\SATARaid.exe [2009-1-8 1019961]
ScanSnap Manager.lnk - c:\program files\PFU\ScanSnap\Driver\PfuSsMon.exe [2009-6-10 1048576]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Hewlett-Packard\\Toolbox\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\Program Files\\FileZilla FTP Client\\filezilla.exe"=
"c:\\Program Files\\Laplink\\PCsync\\SFTHost.exe"=
"c:\\Program Files\\Sling Media\\SlingPlayer\\SlingPlayer.exe"=
"c:\\Documents and Settings\\mmartin\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Documents and Settings\\mmartin\\Application Data\\Macromedia\\Flash Player\\[You must be registered and logged in to see this link.]
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
.
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [1/9/2009 3:16 PM 38144]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/18/2009 11:33 PM 135664]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [12/18/2009 11:33 PM 135664]
S3 gwiopm;gwiopm;\??\c:\program files\Unknown Device Identifier\gwiopm.sys --> c:\program files\Unknown Device Identifier\gwiopm.sys [?]
S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [8/4/2009 12:06 PM 17408]
S3 RTL8187B;Realtek RTL8187B Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187B.sys --> c:\windows\system32\DRIVERS\RTL8187B.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-19 04:33]
.
2011-05-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-19 04:33]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
IE: Add to Evernote - c:\program files\Evernote\Evernote3\enbar.dll/2000
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: intuit.com\ttlc
FF - ProfilePath - c:\documents and settings\mmartin\Application Data\Mozilla\Firefox\Profiles\p5a9s7yp.default\
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-HotSync - c:\program files\PalmSource\Desktop\HotSync.exe
Notify-avgrsstarter - avgrsstx.dll
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2011-05-12 16:36
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(836)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(3396)
c:\windows\system32\MSVCP100.dll
c:\program files\SmartFTP Client\en-US\sfShellTools.dll.mui
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\SOUNDMAN.EXE
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\hp\HP Share-to-Web\hpgs2wnf.exe
c:\program files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-05-12 16:42:17 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-12 21:42
.
Pre-Run: 213,967,106,048 bytes free
Post-Run: 215,889,342,464 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
.
- - End Of File - - DAD9AE568BA6E1609A04ED14AE2BA707


Re: MS Removal Tool infection

Post by DragonMaster Jay on Fri 13 May 2011, 12:08 pm

Re-running ComboFix to remove infections:

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the codebox below into it:
    killall::
    Folder::
    c:\documents and settings\mmartin\Application Data\Sammsoft
    c:\program files\ARO 2011
    c:\program files\Unknown Device Identifier

    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AROReminder"=-

    Driver::
    gwiopm

    Reboot::
  • Save this as CFScript.txt, in the same location as ComboFix.exe
  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.


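A companion review script for the ComboFix log posted above and the CFScript built from it, added here as an example (it is not ComboFix's own tooling and not from this thread): it pulls out of the "Files Created" section any file created inside a suspected infection window that carries hidden+system attributes or has zero size, and out of the service and driver lines any entry whose image file ComboFix could not find (the trailing "[?]"). On the first log this flags tapiz.dll and Pcinidedu.bin, both created on 2011-05-11, and the gwiopm driver that the CFScript above removes; it also flags RTL8187B, a wireless adapter driver, which shows that a missing image is a prompt for review rather than a verdict. The embedded log is a constructed subset of the posted lines, and the meaning of the attribute letters ('d' directory, 's' system, 'h' hidden) is an assumption read off the log's layout, not something the page documents.

```python
"""Review helper for a ComboFix log (added example, not ComboFix's own code):
flag newly created files with hidden+system attributes or zero size inside a
suspected infection window, and services/drivers whose binary ComboFix could
not locate. The output is a list for a human to review, not a removal script."""
import re

# "Files Created" line: created . modified size attrs path
# size is "--------" for directories; attrs is an 8-character flag string of
# which only 'd' (directory), 's' (system) and 'h' (hidden) are relied on --
# an assumption drawn from the log's layout, not documented on the page.
FILE_RE = re.compile(
    r'^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. '
    r'(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) '
    r'(?P<size>\S+) (?P<attrs>\S{8}) (?P<path>.+)$')

# Service/driver line: state name;display;path [info], where info is the
# file's timestamp and size, or "?" when ComboFix could not find the file.
SERVICE_RE = re.compile(
    r'^(?P<state>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+) \[(?P<info>[^\]]*)\]$')

# Constructed sample: a subset of lines from the ComboFix log posted above.
SAMPLE_LOG = r"""2011-05-12 18:59 . 2011-05-12 18:59 -------- d-----w- c:\program files\ARO 2011
2011-05-12 03:35 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-11 20:02 . 2011-05-11 20:02 0 ----a-w- c:\windows\Pcinidedu.bin
2011-05-11 20:00 . 2011-05-11 20:00 131072 --sha-r- c:\windows\system32\tapiz.dll
2011-04-27 03:49 . 2011-04-27 03:49 -------- d-----w- c:\program files\SmartFTP Client
.
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [1/9/2009 3:16 PM 38144]
S3 gwiopm;gwiopm;\??\c:\program files\Unknown Device Identifier\gwiopm.sys --> c:\program files\Unknown Device Identifier\gwiopm.sys [?]
S3 RTL8187B;Realtek RTL8187B Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187B.sys --> c:\windows\system32\DRIVERS\RTL8187B.sys [?]
"""


def parse_files(text):
    """Parse 'Files Created' lines into dicts; size is None for directories."""
    entries = []
    for line in text.splitlines():
        m = FILE_RE.match(line.strip())
        if m is None:
            continue
        e = m.groupdict()
        e['is_dir'] = e['attrs'].startswith('d')
        e['size'] = None if e['size'] == '--------' else int(e['size'])
        entries.append(e)
    return entries


def parse_services(text):
    """Parse the R*/S* service and driver lines."""
    entries = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m is not None:
            entries.append(m.groupdict())
    return entries


def suspicious_files(text, since):
    """Files created on or after `since` (YYYY-MM-DD) that are hidden+system
    or zero bytes. Returns [(path, [reason, ...]), ...] in log order."""
    flagged = []
    for f in parse_files(text):
        if f['is_dir'] or f['created'][:10] < since:
            continue
        reasons = []
        if 's' in f['attrs'] and 'h' in f['attrs']:
            reasons.append('hidden+system attributes')
        if f['size'] == 0:
            reasons.append('zero-byte file')
        if reasons:
            flagged.append((f['path'], reasons))
    return flagged


def unresolved_services(text):
    """Names of services/drivers whose image ComboFix could not find ('[?]')."""
    return [s['name'] for s in parse_services(text) if s['info'] == '?']


if __name__ == '__main__':
    for path, reasons in suspicious_files(SAMPLE_LOG, '2011-05-11'):
        print(f'{path}: {", ".join(reasons)}')
    for name in unresolved_services(SAMPLE_LOG):
        print(f'service {name}: image file not found')
```

The window start is a parameter because it has to come from the timeline in the thread (the infection appeared the day before the first post), not from the log itself; with a later start such as 2011-05-12 nothing is flagged, since the only entries created that day are the Malwarebytes driver files and the ARO 2011 directory.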

Re: MS Removal Tool infection

Post by Rivers on Sat 14 May 2011, 2:42 am

ComboFix 11-05-12.04 - mmartin 05/13/2011 10:06:11.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1408 [GMT -5:00]
Running from: c:\documents and settings\mmartin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\mmartin\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\mmartin\Application Data\Sammsoft
c:\documents and settings\mmartin\Application Data\Sammsoft\ARO\Version 2011\ExcludeList.aro
c:\documents and settings\mmartin\Application Data\Sammsoft\ARO\Version 2011\results.aro
c:\documents and settings\mmartin\Application Data\Sammsoft\ARO\Version 2011\TempHLList.aro
c:\program files\ARO 2011
c:\program files\ARO 2011\ARO.exe
c:\program files\ARO 2011\AroLangFile.Ini
c:\program files\ARO 2011\AROSS.dll
c:\program files\ARO 2011\CheckForV4.dll
c:\program files\ARO 2011\CleanSchedule.exe
c:\program files\ARO 2011\install_left_image.bmp
c:\program files\ARO 2011\soref.dll
c:\program files\ARO 2011\unins000.dat
c:\program files\ARO 2011\unins000.exe
c:\program files\ARO 2011\uninstall.hta
c:\program files\ARO 2011\update.dll
c:\program files\ARO 2011\xmllite.dll
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_GWIOPM
-------\Service_gwiopm
.
.
((((((((((((((((((((((((( Files Created from 2011-04-13 to 2011-05-13 )))))))))))))))))))))))))))))))
.
.
2011-05-12 03:43 . 2011-05-12 03:43 -------- d-----w- c:\documents and settings\mmartin\Application Data\Malwarebytes
2011-05-12 03:35 . 2011-05-12 03:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-05-12 03:35 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-12 03:35 . 2011-05-12 03:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-12 03:35 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-11 20:02 . 2011-05-11 20:02 0 ----a-w- c:\windows\Pcinidedu.bin
2011-05-11 20:00 . 2011-05-11 20:00 131072 --sha-r- c:\windows\system32\tapiz.dll
2011-04-27 03:49 . 2011-04-27 03:49 -------- d-----w- c:\documents and settings\mmartin\Application Data\SmartFTP
2011-04-27 03:49 . 2011-04-27 03:49 -------- d-----w- c:\program files\SmartFTP Client
2011-04-27 03:47 . 2011-04-27 03:47 -------- d-----w- c:\program files\SmartFTP Client 4.0 Setup Files
2011-04-27 02:12 . 2011-04-27 02:12 -------- d-----w- c:\program files\HashTab Shell Extension
2011-04-22 19:04 . 2011-04-23 03:24 -------- d-----w- c:\documents and settings\mmartin\Application Data\Download Manager
2011-04-21 14:41 . 2011-04-21 14:41 -------- d-----w- c:\documents and settings\All Users\Application Data\ATI
2011-04-15 16:30 . 2011-04-20 15:48 -------- d-----w- c:\program files\ATI
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-20 05:03 . 2011-02-20 05:03 4422992 ----a-w- c:\windows\mfc100u.dll
2011-02-20 04:03 . 2011-02-20 04:03 64336 ----a-w- c:\windows\system32\mfc100fra.dll
2011-02-20 04:03 . 2011-02-20 04:03 64336 ----a-w- c:\windows\system32\mfc100deu.dll
2011-02-20 04:03 . 2011-02-20 04:03 63824 ----a-w- c:\windows\system32\mfc100esn.dll
2011-02-20 04:03 . 2011-02-20 04:03 62288 ----a-w- c:\windows\system32\mfc100ita.dll
2011-02-20 04:03 . 2011-02-20 04:03 60752 ----a-w- c:\windows\system32\mfc100rus.dll
2011-02-20 04:03 . 2011-02-20 04:03 55120 ----a-w- c:\windows\system32\mfc100enu.dll
2011-02-20 04:03 . 2011-02-20 04:03 43856 ----a-w- c:\windows\system32\mfc100jpn.dll
2011-02-20 04:03 . 2011-02-20 04:03 43344 ----a-w- c:\windows\system32\mfc100kor.dll
2011-02-20 04:03 . 2011-02-20 04:03 421200 ----a-w- c:\windows\system32\msvcp100.dll
2011-02-20 04:03 . 2011-02-20 04:03 36176 ----a-w- c:\windows\system32\mfc100cht.dll
2011-02-20 04:03 . 2011-02-20 04:03 36176 ----a-w- c:\windows\system32\mfc100chs.dll
2011-02-19 05:40 . 2011-02-19 05:40 773968 ----a-w- c:\windows\system32\msvcr100.dll
2011-02-18 21:36 . 2009-08-04 17:06 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-02-18 21:36 . 2009-08-04 17:06 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-05-01 16:47 . 2011-03-24 16:37 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2007-10-26 15:00 . 2009-01-12 18:19 16896 ----a-w- c:\program files\mozilla firefox\components\tmfftb.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-08-03 577536]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"StatusClient 2.6"="c:\program files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" [2003-10-03 61440]
"TomcatStartup 2.5"="c:\program files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-04-09 184320]
"OrderReminder"="c:\program files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe" [2009-01-12 98304]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2003-12-05 49152]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-10-31 2595616]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-10-31 909208]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-10-31 140568]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-12 640376]
"Share-to-Web Namespace Daemon"="c:\program files\hp\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-02-04 198160]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2002-09-11 368706]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 813912]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 1406024]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-04-28 61440]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
palmOne Registration.lnk - c:\program files\palmOne\register.exe [2005-6-9 2355200]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
CardMinder Viewer.lnk - c:\program files\PFU\ScanSnap\CardMinder\CardLauncher.exe [2009-6-10 77824]
Conversion to PDF with ScanSnap Organizer.lnk - c:\program files\PFU\ScanSnap\Organizer\PfuSsOrgOcrChk.exe [2009-6-10 15360]
HotSync Manager.lnk - c:\program files\palmOne\Hotsync.exe [2008-1-3 1392640]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-11-6 815104]
SATARaid.lnk - c:\program files\Silicon Image\SiISATARaid\SATARaid.exe [2009-1-8 1019961]
ScanSnap Manager.lnk - c:\program files\PFU\ScanSnap\Driver\PfuSsMon.exe [2009-6-10 1048576]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Hewlett-Packard\\Toolbox\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\Program Files\\FileZilla FTP Client\\filezilla.exe"=
"c:\\Program Files\\Laplink\\PCsync\\SFTHost.exe"=
"c:\\Program Files\\Sling Media\\SlingPlayer\\SlingPlayer.exe"=
"c:\\Documents and Settings\\mmartin\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Documents and Settings\\mmartin\\Application Data\\Macromedia\\Flash Player\\[You must be registered and logged in to see this link.]
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
.
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [1/9/2009 3:16 PM 38144]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/18/2009 11:33 PM 135664]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [12/18/2009 11:33 PM 135664]
S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [8/4/2009 12:06 PM 17408]
S3 RTL8187B;Realtek RTL8187B Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187B.sys --> c:\windows\system32\DRIVERS\RTL8187B.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-19 04:33]
.
2011-05-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-19 04:33]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
IE: Add to Evernote - c:\program files\Evernote\Evernote3\enbar.dll/2000
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: intuit.com\ttlc
FF - ProfilePath - c:\documents and settings\mmartin\Application Data\Mozilla\Firefox\Profiles\p5a9s7yp.default\
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-ARO 2011_is1 - c:\program files\ARO 2011\unins000.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2011-05-13 10:16
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(824)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(2368)
c:\windows\system32\MSVCP100.dll
c:\program files\SmartFTP Client\en-US\sfShellTools.dll.mui
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\SOUNDMAN.EXE
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\hp\HP Share-to-Web\hpgs2wnf.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\program files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-05-13 10:22:01 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-13 15:21
ComboFix2.txt 2011-05-12 21:42
.
Pre-Run: 215,769,325,568 bytes free
Post-Run: 215,751,090,176 bytes free
.
- - End Of File - - 67D158B41567BA069B3190D0F1465172

Rivers

Newbie Surfer

Posts : 32
Joined : 2011-05-13
Operating System : Windows XP

Re: MS Removal Tool infection

Post by DragonMaster Jay on Sat 14 May 2011, 3:50 pm

Please run the BitDefender QuickScan Beta, and once done, press the View Report link. Post that log in your next reply.



~DMJ
GeekPolice Academy Manager



DragonMaster Jay

Manager | Tech Officer

Posts : 13451
Joined : 2009-09-07
Operating System : Windows 7 Ultimate

Re: MS Removal Tool infection

Post by Rivers on Sun 15 May 2011, 3:35 am

QuickScan Beta 32-bit v0.9.9.91
-------------------------------
Scan date: Sat May 14 11:31:34 2011
Machine ID: DCA334B6

C:\WINDOWS\system32\tapiz.dll - could not be scanned


No infection found.
-------------------



Processes
---------
(unsigned) CardMinder Viewer 3564 C:\Program Files\PFU\ScanSnap\CardMinder\CardLauncher.exe
(unsigned) Catalyst Control Centre 2112 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(unsigned) Catalyst Control Centre 3420 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(unsigned) Hewlett-Packard hpgs2wnd 3184 C:\Program Files\hp\HP Share-to-Web\hpgs2wnd.exe
(unsigned) Hewlett-Packard hpwuSchd 3120 C:\Program Files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe
(unsigned) Hewlett-Packard T-TR Status Client 3084 C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
(unsigned) HotSync® Manager 3692 C:\Program Files\palmOne\Hotsync.exe
(unsigned) HP Cartridge Order Reminder 3104 C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe
(unsigned) hpgs2wnf Module 3440 C:\Program Files\hp\HP Share-to-Web\hpgs2wnf.exe
(unsigned) javaw.exe 3820 C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
(unsigned) SATARaid 3792 C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe
(unsigned) ScanSnap Manager 3816 C:\Program Files\PFU\ScanSnap\Driver\PfuSsMon.exe

(verified) Acronis Scheduler 2 1736 C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
(verified) Acronis Scheduler Helper 3148 C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
(verified) Acronis True Image 3136 C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
(verified) Acronis True Image 3128 C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
(verified) AcroTray - Adobe Acrobat Distiller help 3172 C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
(verified) ATI External Event Utility for Windows 560 C:\WINDOWS\system32\ati2evxx.exe
(verified) ATI External Event Utility for Windows 1036 C:\WINDOWS\system32\ati2evxx.exe
(verified) Bonjour 1800 C:\Program Files\Bonjour\mDNSResponder.exe
(verified) Firefox 2076 C:\Program Files\Mozilla Firefox\firefox.exe
(verified) Firefox 1000 C:\Program Files\Mozilla Firefox\plugin-container.exe
(verified) Intuit Update Service 1916 C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
(verified) iTunes 2248 C:\Program Files\iPod\bin\iPodService.exe
(verified) iTunes 3352 C:\Program Files\iTunes\iTunesHelper.exe
(verified) Java(TM) Platform SE 6 U18 308 C:\Program Files\Java\jre6\bin\jqs.exe
(verified) Java(TM) Platform SE Auto Updater 2 0 3284 C:\Program Files\Common Files\Java\Java Update\jusched.exe
(verified) Microsoft IntelliPoint 3276 C:\Program Files\Microsoft IntelliPoint\ipoint.exe
(verified) Microsoft IntelliType Pro 3216 C:\Program Files\Microsoft IntelliType Pro\itype.exe
(verified) Microsoft® Windows® Operating System 3848 C:\Program Files\Windows Desktop Search\WindowsSearch.exe
(verified) Microsoft® Windows® Operating System 2616 C:\WINDOWS\explorer.exe
(verified) Microsoft® Windows® Operating System 2164 C:\WINDOWS\system32\alg.exe
(verified) Microsoft® Windows® Operating System 756 C:\WINDOWS\system32\csrss.exe
(verified) Microsoft® Windows® Operating System 2928 C:\WINDOWS\system32\ctfmon.exe
(verified) Microsoft® Windows® Operating System 844 C:\WINDOWS\system32\lsass.exe
(verified) Microsoft® Windows® Operating System 1192 C:\WINDOWS\system32\searchindexer.exe
(verified) Microsoft® Windows® Operating System 832 C:\WINDOWS\system32\services.exe
(verified) Microsoft® Windows® Operating System 704 C:\WINDOWS\system32\smss.exe
(verified) Microsoft® Windows® Operating System 1560 C:\WINDOWS\system32\spoolsv.exe
(verified) Microsoft® Windows® Operating System 1464 C:\WINDOWS\system32\svchost.exe
(verified) Microsoft® Windows® Operating System 1360 C:\WINDOWS\system32\svchost.exe
(verified) Microsoft® Windows® Operating System 1228 C:\WINDOWS\system32\svchost.exe
(verified) Microsoft® Windows® Operating System 1132 C:\WINDOWS\system32\svchost.exe
(verified) Microsoft® Windows® Operating System 1056 C:\WINDOWS\system32\svchost.exe
(verified) Microsoft® Windows® Operating System 740 C:\WINDOWS\system32\svchost.exe
(verified) Microsoft® Windows® Operating System 788 C:\WINDOWS\system32\winlogon.exe
(verified) MobileDeviceService 1748 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(verified) RealPlayer (32-bit) 3192 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
(verified) Realtek Sound Manager 3064 C:\WINDOWS\soundman.exe
(verified) TrueImageTryStartService.exe 912 C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe


Network activity
----------------
Process plugin-container.exe (1000) connected on port 80 (HTTP) --> 97.67.101.72
Process plugin-container.exe (1000) connected on port 80 (HTTP) --> 199.7.48.190
Process firefox.exe (2076) connected on port 443 (HTTP over SSL) --> 69.171.224.11
Process firefox.exe (2076) connected on port 80 (HTTP) --> 74.125.91.101
Process firefox.exe (2076) connected on port 80 (HTTP) --> 74.125.91.101

Process svchost.exe (1132) listens on ports: 135 (RPC)
Process javaw.exe (3820) listens on ports: 5225, 5226, 8008


Autoruns and critical files
---------------------------
(unsigned) Catalyst® Control Center C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
(unsigned) CFD.exe C:\Program Files\BroadJump\Client Foundation\CFD.exe
(unsigned) Hewlett-Packard hpgs2wnd C:\Program Files\hp\HP Share-to-Web\hpgs2wnd.exe
(unsigned) Hewlett-Packard hpwuSchd C:\Program Files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe
(unsigned) Hewlett-Packard ProxyStop3 C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
(unsigned) Hewlett-Packard T-TR Status Client C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
(unsigned) HotSync® Manager C:\Program Files\palmOne\Hotsync.exe
(unsigned) HP Cartridge Order Reminder C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe
(unsigned) QuickBooks Automatic Update C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
(unsigned) QuickTime C:\Program Files\QuickTime\QTTask.exe

(verified) Acronis Scheduler Helper C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
(verified) Acronis True Image C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
(verified) Acronis True Image C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
(verified) AcroTray - Adobe Acrobat Distiller help C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
(verified) Adobe Acrobat C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe
(verified) Adobe Acrobat C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
(verified) ATI External Event Utility for Windows C:\WINDOWS\system32\ati2evxx.dll
(verified) Google Update C:\Program Files\Google\Update\GoogleUpdate.exe
(verified) iTunes C:\Program Files\iTunes\iTunesHelper.exe
(verified) Java(TM) Platform SE Auto Updater 2 0 C:\Program Files\Common Files\Java\Java Update\jusched.exe
(verified) Microsoft Genuine Advantage C:\WINDOWS\system32\WgaLogon.dll
(verified) Microsoft IntelliPoint C:\Program Files\Microsoft IntelliPoint\ipoint.exe
(verified) Microsoft IntelliType Pro C:\Program Files\Microsoft IntelliType Pro\itype.exe
(verified) Microsoft® Windows® Operating System c:\program files\windows desktop search\msnlnamespacemgr.dll
(verified) Microsoft® Windows® Operating System C:\Program Files\Windows Desktop Search\WindowsSearch.exe
(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\browseui.dll
(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\crypt32.dll
(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\cryptnet.dll
(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\cscdll.dll
(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\ctfmon.exe
(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\dimsntfy.dll
(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\logonui.exe
(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\sclgntfy.dll
(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\shell32.dll
(verified) Microsoft® Windows® Operating System C:\WINDOWS\System32\ssmypics.scr
(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\stobject.dll
(verified) Microsoft® Windows® Operating System c:\windows\system32\userinit.exe
(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\wlnotify.dll
(verified) RealPlayer (32-bit) C:\Program Files\Common Files\Real\Update_OB\realsched.exe
(verified) Realtek Sound Manager C:\WINDOWS\soundman.exe
(verified) Windows® Internet Explorer C:\WINDOWS\system32\webcheck.dll


Browser plugins
---------------
(unsigned) FireShot C:\Documents and Settings\mmartin\Application Data\Mozilla\Firefox\Profiles\p5a9s7yp.default\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\library\sss.dll
(unsigned) FireShot for Internet Explorer C:\Documents and Settings\mmartin\Application Data\Mozilla\Firefox\Profiles\p5a9s7yp.default\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\library\FSAddin.dll
(unsigned) fireshot-install.exe C:\Documents and Settings\mmartin\Application Data\Mozilla\Firefox\Profiles\p5a9s7yp.default\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\library\fireshot-install.exe
(unsigned) Google Earth Plugin C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll
(unsigned) InstallShield Update Service C:\WINDOWS\Downloaded Program Files\isusweb.dll
(unsigned) NPInstal.dll C:\Program Files\palmOne\PackageInstaller\NPInstal.dll
(unsigned) nppdf32.DEU C:\Program Files\Mozilla Firefox\plugins\nppdf32.DEU
(unsigned) nppdf32.FRA C:\Program Files\Mozilla Firefox\plugins\nppdf32.FRA
(unsigned) NPSWF32.dll C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
(unsigned) QuickTime Plug-in 7.6.9 C:\Program Files\Internet Explorer\plugins\npqtplugin.dll
(unsigned) QuickTime Plug-in 7.6.9 C:\Program Files\Internet Explorer\plugins\npqtplugin2.dll
(unsigned) QuickTime Plug-in 7.6.9 C:\Program Files\Internet Explorer\plugins\npqtplugin3.dll
(unsigned) QuickTime Plug-in 7.6.9 C:\Program Files\Internet Explorer\plugins\npqtplugin4.dll
(unsigned) QuickTime Plug-in 7.6.9 C:\Program Files\Internet Explorer\plugins\npqtplugin5.dll
(unsigned) QuickTime Plug-in 7.6.9 C:\Program Files\Internet Explorer\plugins\npqtplugin6.dll
(unsigned) QuickTime Plug-in 7.6.9 C:\Program Files\Internet Explorer\plugins\npqtplugin7.dll
(unsigned) QuickTime Plug-in 7.6.9 C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll
(unsigned) QuickTime Plug-in 7.6.9 C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll
(unsigned) QuickTime Plug-in 7.6.9 C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll
(unsigned) QuickTime Plug-in 7.6.9 C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll
(unsigned) QuickTime Plug-in 7.6.9 C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll
(unsigned) QuickTime Plug-in 7.6.9 C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll
(unsigned) QuickTime Plug-in 7.6.9 C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll

(verified) 2007 Microsoft Office system C:\Program Files\Mozilla Firefox\plugins\NPOFF12.DLL
(verified) AcroIEHelperShim Library c:\program files\common files\adobe\acrobat\activex\acroiehelpershim.dll
(verified) Adobe Acrobat C:\Program Files\Internet Explorer\plugins\nppdf32.dll
(verified) Adobe Acrobat C:\Program Files\Mozilla Firefox\plugins\nppdf32.dll
(verified) Adobe PDF Toolbar for IE c:\program files\common files\adobe\acrobat\activex\acroiefavclient.dll
(verified) Adobe® Flash® Player ActiveX C:\WINDOWS\Downloaded Program Files\FP_AX_CAB_INSTALLER.exe
(verified) BitDefender QuickScan C:\Documents and Settings\mmartin\Application Data\Mozilla\Firefox\Profiles\p5a9s7yp.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
(verified) Bonjour C:\Program Files\Bonjour\mdnsNSP.dll
(verified) Google Talk Plugin C:\Documents and Settings\mmartin\Application Data\Mozilla\plugins\npgoogletalk.dll
(verified) Google Talk Plugin Video Accelerator C:\Documents and Settings\mmartin\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll
(verified) Google Update C:\Program Files\Google\Update\1.3.21.53\npGoogleUpdate3.dll
(verified) InstallShield Update Service C:\WINDOWS\Downloaded Program Files\dwusplay.dll
(verified) InstallShield Update Service C:\WINDOWS\Downloaded Program Files\dwusplay.exe
(verified) Java Deployment Toolkit 6.0.180.7 C:\Program Files\Mozilla Firefox\plugins\npdeploytk.dll
(verified) Java(TM) Platform SE 6 U18 c:\program files\java\jre6\bin\jp2ssv.dll
(verified) Java(TM) Platform SE 6 U18 c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
(verified) Messenger C:\Program Files\Messenger\msmsgs.exe
(verified) Microsoft® Windows® Operating System C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\mswsock.dll
(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\rsvpsp.dll
(verified) Microsoft® Windows® Operating System C:\WINDOWS\system32\winrnr.dll
(verified) Microsoft® Windows® Small Business Serv C:\WINDOWS\Downloaded Program Files\nshelp.dll
(verified) npitunes.dll C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
(verified) RealJukebox NS Plugin C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll
(verified) RealPlayer Download and Record Plugin f c:\program files\real\realplayer\rpbrowserrecordplugin.dll
(verified) RealPlayer Version Plugin C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll
(verified) RealPlayer(tm) G2 LiveConnect-Enabled P C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll
(verified) Silverlight Plug-In c:\Program Files\Microsoft Silverlight\4.0.51204.0\npctrl.dll
(verified) Time Matters 9.0 c:\tmw9\tmietb.dll
(verified) Windows Presentation Foundation C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
(verified) Windows® Internet Explorer C:\WINDOWS\system32\ieframe.dll


Scan
----
(unsigned) MD5: c95d6248f8ca15ccf04447eea77913b5 C:\Program Files\PFU\ScanSnap\Driver\SSsltsa.dll
(unsigned) MD5: afdae59fe562a7cdb44f9d4abedac316 C:\Program Files\QuickTime\QTSystem\QTCF.dll
(unsigned) MD5: 1d856e6e7490447fcfaa46e09a2bf9c9 C:\Program Files\QuickTime\QTSystem\QuickTime.qts
(unsigned) MD5: dddbd3d825e9846b6adb78578aa7a699 C:\Program Files\QuickTime\QTSystem\QuickTime.Resources\en.lproj\QuickTimeLocalized.dll
(unsigned) MD5: 103976a97e25724e0a3ed50e48921cd2 C:\Program Files\QuickTime\QTSystem\QuickTime.Resources\QuickTime.dll
(unsigned) MD5: 0aee5668eb59912f32ff245bfa72465f C:\Program Files\QuickTime\QTTask.exe
(unsigned) MD5: 68594bc00941143d6bd5514d67501773 C:\Program Files\Real\RealPlayer\rpchromebrowserrecordhelper.dll
(unsigned) MD5: f353ca555252332f9f9094aaaf67e3c5 C:\Program Files\Silicon Image\SiISATARaid\Res409.dll
(unsigned) MD5: 2f999b116092128ca03b31f68e343a37 C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe
(unsigned) MD5: d5ef655cc397b5eb58a77482fa63d669 C:\Program Files\SmartFTP Client\en-US\sfShellTools.dll.mui
(unsigned) MD5: 78828daa6e0b54c07a9a979faa22e930 C:\Program Files\SmartFTP Client\sfShellTools.dll
(unsigned) MD5: 0be92b27dc8c7b6035a5ec373fc2b619 C:\PROGRA~1\ATITEC~1\ATI.ACE\CORE-I~1\32\wbocx.ocx
(unsigned) MD5: 1bf1820b86f4921d42d74c922044ac18 C:\WINDOWS\assembly\GAC\Interop.WBOCXLib\1.0.0.0__90ba9c70f846762e\Interop.WBOCXLib.DLL
(unsigned) MD5: bd1e2bb8c96105353078ad23ff5489d0 C:\WINDOWS\assembly\GAC_32\System.Data.SQLite\1.0.56.0__28c9bcd4dddc48a1\System.Data.SQLite.DLL
(unsigned) MD5: 937fbd23997a91af923d5e89286126bd C:\WINDOWS\assembly\GAC_32\System.Data.SQLite\1.0.61.0__db937bc2d44ff139\System.Data.SQLite.DLL
(unsigned) MD5: 16f96c1496cbd0965285ab19a9271d02 C:\WINDOWS\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
(unsigned) MD5: f054572a92573ca32d5f3aa8c15d2bac C:\WINDOWS\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
(unsigned) MD5: 93d5b9634c4744fb115785081ecf9738 C:\WINDOWS\assembly\GAC_MSIL\ACE.Graphics.DisplaysManager.Shared\2.0.2573.17685__90ba9c70f846762e\ACE.Graphics.DisplaysManager.Shared.DLL
(unsigned) MD5: 05e8a9b52ec52dd611b748d80f3b212b C:\WINDOWS\assembly\GAC_MSIL\AEM.Actions.CCAA.Shared\2.0.3309.28608__90ba9c70f846762e\AEM.Actions.CCAA.Shared.DLL
(unsigned) MD5: b8d8fb4d41fb3df6f3a24495f6b5e0e9 C:\WINDOWS\assembly\GAC_MSIL\AEM.Plugin.DPPE.Shared\2.0.3309.28647__90ba9c70f846762e\AEM.Plugin.DPPE.Shared.DLL
(unsigned) MD5: 34138ac5853df0e420904c4b0eb58898 C:\WINDOWS\assembly\GAC_MSIL\AEM.Plugin.EEU.Shared\2.0.3309.28627__90ba9c70f846762e\AEM.Plugin.EEU.Shared.DLL
(unsigned) MD5: ceaa5823bd0eccb77675de53cfc59f23 C:\WINDOWS\assembly\GAC_MSIL\AEM.Plugin.GD.Shared\2.0.3309.28647__90ba9c70f846762e\AEM.Plugin.GD.Shared.DLL
(unsigned) MD5: dac86f8aa223fa55adbc94bd2033df7f C:\WINDOWS\assembly\GAC_MSIL\AEM.Plugin.Hotkeys.Shared\2.0.3309.28617__90ba9c70f846762e\AEM.Plugin.Hotkeys.Shared.DLL
(unsigned) MD5: a2c0e7f8793569c4cc8ca0d5301f283e C:\WINDOWS\assembly\GAC_MSIL\AEM.Plugin.REG.Shared\2.0.3309.28645__90ba9c70f846762e\AEM.Plugin.REG.Shared.DLL
(unsigned) MD5: c63f1bac30c08ad8616cd0fcd038a4a0 C:\WINDOWS\assembly\GAC_MSIL\AEM.Plugin.Source.Kit.Server\2.0.3404.40490__90ba9c70f846762e\AEM.Plugin.Source.Kit.Server.DLL
(unsigned) MD5: 1eb5c58c9b446a13a8319ef513e8b5e8 C:\WINDOWS\assembly\GAC_MSIL\AEM.Plugin.WinMessages.Shared\2.0.3309.28629__90ba9c70f846762e\AEM.Plugin.WinMessages.Shared.DLL
(unsigned) MD5: 8eb085b26e602cb4a1203f4f1f8ac6f4 C:\WINDOWS\assembly\GAC_MSIL\AEM.Server.Shared\2.0.3309.28617__90ba9c70f846762e\AEM.Server.Shared.DLL
(unsigned) MD5: 017e6faf9a90d496bd6be86a78f44c24 C:\WINDOWS\assembly\GAC_MSIL\AEM.Server\2.0.3404.40393__90ba9c70f846762e\AEM.Server.DLL
(unsigned) MD5: 0eb0ff2b6755532976080cab065f202c C:\WINDOWS\assembly\GAC_MSIL\APM.Foundation\2.0.3309.28626__90ba9c70f846762e\APM.Foundation.DLL
(unsigned) MD5: 0a9c2412c9247845ede5d62a970961b0 C:\WINDOWS\assembly\GAC_MSIL\APM.Server\2.0.3404.40394__90ba9c70f846762e\APM.Server.DLL
(unsigned) MD5: 7012a995c98958d957dcd8d8e9508f55 C:\WINDOWS\assembly\GAC_MSIL\ATICCCom\2.0.0.0__90ba9c70f846762e\ATICCCom.DLL
(unsigned) MD5: 70e631d32baeaf86fe99e3187ec31823 C:\WINDOWS\assembly\GAC_MSIL\ATIDEMOS\2.0.3404.40395__90ba9c70f846762e\ATIDEMOS.DLL
(unsigned) MD5: ee850c95ed088e8835f2425ee551296f C:\WINDOWS\assembly\GAC_MSIL\atixclib\1.0.0.0__90ba9c70f846762e\atixclib.DLL
(unsigned) MD5: cd632a9274e7e85b9f37f84c91595c27 C:\WINDOWS\assembly\GAC_MSIL\AxInterop.WBOCXLib\1.0.0.0__90ba9c70f846762e\AxInterop.WBOCXLib.DLL
(unsigned) MD5: db328a03325b4242d04be481a4687dc9 C:\WINDOWS\assembly\GAC_MSIL\CCC.Implementation\2.0.3404.40477__90ba9c70f846762e\CCC.Implementation.DLL
(unsigned) MD5: 3f96dea77d74a25d49b3572cf8e4af08 C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.CustomFormats.Graphics.Shared\2.0.3309.28627__90ba9c70f846762e\CLI.Aspect.CustomFormats.Graphics.Shared.DLL
(unsigned) MD5: 1bae5a48a02b8fe67107fef0994b25a6 C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.DeviceCRT.Graphics.Dashboard\2.0.3404.40437__90ba9c70f846762e\CLI.Aspect.DeviceCRT.Graphics.Dashboard.DLL
(unsigned) MD5: 5fa73429dec92fdcc4e5af526446c084 C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.DeviceCRT.Graphics.Runtime\2.0.3404.40437__90ba9c70f846762e\CLI.Aspect.DeviceCRT.Graphics.Runtime.DLL
(unsigned) MD5: 4ee13d5ea60a071e0e17e9a9483d8ce9 C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.DeviceCRT.Graphics.Shared\2.0.3309.28634__90ba9c70f846762e\CLI.Aspect.DeviceCRT.Graphics.Shared.DLL
(unsigned) MD5: 31ac37dec372f7485d7d2291dd4b97ed C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.DeviceCV.Graphics.Dashboard\2.0.3404.40448__90ba9c70f846762e\CLI.Aspect.DeviceCV.Graphics.Dashboard.DLL
(unsigned) MD5: b292b518a945054269cc107d1c7b53a7 C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.DeviceCV.Graphics.Runtime\2.0.3404.40448__90ba9c70f846762e\CLI.Aspect.DeviceCV.Graphics.Runtime.DLL
(unsigned) MD5: 84c2bdb0072817c2a44d80a69f9327bb C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.DeviceCV.Graphics.Shared\2.0.3309.28636__90ba9c70f846762e\CLI.Aspect.DeviceCV.Graphics.Shared.DLL
(unsigned) MD5: 62b918081a7edcf4d095f19018b2b68c C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.DeviceCV.Graphics.Wizard\2.0.3404.40456__90ba9c70f846762e\CLI.Aspect.DeviceCV.Graphics.Wizard.DLL
(unsigned) MD5: 18432edfdcd03966dcc7cae8f98e7e2c C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.DeviceDFP.Graphics.Runtime\2.0.3404.40436__90ba9c70f846762e\CLI.Aspect.DeviceDFP.Graphics.Runtime.DLL
(unsigned) MD5: 87e6cca5694e6855ad34e7e7b968931b C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.DeviceDFP.Graphics.Shared\2.0.3309.28634__90ba9c70f846762e\CLI.Aspect.DeviceDFP.Graphics.Shared.DLL
(unsigned) MD5: 058c4f78621d77df682ed6f9110c095c C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.DeviceLCD.Graphics.Runtime\2.0.3404.40447__90ba9c70f846762e\CLI.Aspect.DeviceLCD.Graphics.Runtime.DLL
(unsigned) MD5: 3b5211f0135bedc6463cb2722d367a51 C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.DeviceLCD.Graphics.Shared\2.0.3309.28630__90ba9c70f846762e\CLI.Aspect.DeviceLCD.Graphics.Shared.DLL
(unsigned) MD5: 1678fd03385b2d1b2c7017335f398f7e C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.DeviceProperty.Graphics.Runtime\2.0.3404.40436__90ba9c70f846762e\CLI.Aspect.DeviceProperty.Graphics.Runtime.DLL
(unsigned) MD5: 1ff7f1098dac0da6280d6fc9b8d89e6f C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.DeviceProperty.Graphics.Shared\2.0.3309.28624__90ba9c70f846762e\CLI.Aspect.DeviceProperty.Graphics.Shared.DLL
(unsigned) MD5: 63331afee505560ce7efd78257752218 C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.DeviceTV.Graphics.Dashboard\2.0.3404.40465__90ba9c70f846762e\CLI.Aspect.DeviceTV.Graphics.Dashboard.DLL
(unsigned) MD5: b117f9800deaabaf975cf94cdc639525 C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.DeviceTV.Graphics.Runtime\2.0.3404.40464__90ba9c70f846762e\CLI.Aspect.DeviceTV.Graphics.Runtime.DLL
(unsigned) MD5: 31c2a9e6d8fefa62759318a7f85ea646 C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.DeviceTV.Graphics.Shared\2.0.3309.28636__90ba9c70f846762e\CLI.Aspect.DeviceTV.Graphics.Shared.DLL
(unsigned) MD5: 3b61c7256506094f29387df0575abb74 C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.DeviceTV.Graphics.Wizard\2.0.3404.40469__90ba9c70f846762e\CLI.Aspect.DeviceTV.Graphics.Wizard.DLL
(unsigned) MD5: 5533fe8ed9e62d5d065893712317abe7 C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.DisplaysColour2.Graphics.Dashboard\2.0.3404.40415__90ba9c70f846762e\CLI.Aspect.DisplaysColour2.Graphics.Dashboard.DLL
(unsigned) MD5: 47875bbc65957f5879e6c82ea63d9af0 C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.DisplaysColour2.Graphics.Runtime\2.0.3404.40418__90ba9c70f846762e\CLI.Aspect.DisplaysColour2.Graphics.Runtime.DLL
(unsigned) MD5: b962a41eecf27644d7b6159060a5db9c C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.DisplaysColour2.Graphics.Shared\2.0.3309.28632__90ba9c70f846762e\CLI.Aspect.DisplaysColour2.Graphics.Shared.DLL
(unsigned) MD5: ddfec3ad2c6992914895fa1e14b8a58e C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.DisplaysManager.Graphics.Dashboard\2.0.3404.40405__90ba9c70f846762e\CLI.Aspect.DisplaysManager.Graphics.Dashboard.DLL
(unsigned) MD5: 1b43486f7100681f75768f423c981422 C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.DisplaysManager.Graphics.Wizard\2.0.3404.40413__90ba9c70f846762e\CLI.Aspect.DisplaysManager.Graphics.Wizard.DLL
(unsigned) MD5: c22038661d5c738472d0ffc7c6fe8837 C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.DisplaysOptions.Graphics.Dashboard\2.0.3404.40446__90ba9c70f846762e\CLI.Aspect.DisplaysOptions.Graphics.Dashboard.DLL
(unsigned) MD5: 76f882db196f778b78f6a70f4e300948 C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.DisplaysOptions.Graphics.Runtime\2.0.3404.40445__90ba9c70f846762e\CLI.Aspect.DisplaysOptions.Graphics.Runtime.DLL
(unsigned) MD5: 14018abdb92b40a145e24c441f5c4361 C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.DisplaysOptions.Graphics.Shared\2.0.3309.28635__90ba9c70f846762e\CLI.Aspect.DisplaysOptions.Graphics.Shared.DLL
(unsigned) MD5: ddc6583ee086fc9eba1c1e7badfb781d C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.HotkeysHandling.Graphics.Runtime\2.0.3404.40404__90ba9c70f846762e\CLI.Aspect.HotkeysHandling.Graphics.Runtime.DLL
(unsigned) MD5: c60e27cdfe13e60ca4104fd64c6bf489 C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.HotkeysHandling.Graphics.Shared\2.0.3309.28630__90ba9c70f846762e\CLI.Aspect.HotkeysHandling.Graphics.Shared.DLL
(unsigned) MD5: b303c4650b06badae865f11f98225908 C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.InfoCentre.Graphics.Dashboard\2.0.3404.40414__90ba9c70f846762e\CLI.Aspect.InfoCentre.Graphics.Dashboard.DLL
(unsigned) MD5: 25ed1587cf3ff0199e93692f254d1b6e C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.InfoCentre.Graphics.Wizard\2.0.3404.40414__90ba9c70f846762e\CLI.Aspect.InfoCentre.Graphics.Wizard.DLL
(unsigned) MD5: 24eff93b5aa9b8b61744360fa8c9f594 C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.MMVideo.Graphics.Dashboard\2.0.3404.40438__90ba9c70f846762e\CLI.Aspect.MMVideo.Graphics.Dashboard.DLL
(unsigned) MD5: 20d0c76795bef21d31bf2d28873adaa5 C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.MMVideo.Graphics.Runtime\2.0.3404.40437__90ba9c70f846762e\CLI.Aspect.MMVideo.Graphics.Runtime.DLL
(unsigned) MD5: 4d2d6c3b8280d48c33745acc44894702 C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.MMVideo.Graphics.Shared\2.0.3309.28634__90ba9c70f846762e\CLI.Aspect.MMVideo.Graphics.Shared.DLL
(unsigned) MD5: d25e713285970aa034f560c2108c1291 C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.MMVideo.Graphics.Wizard\2.0.3404.40460__90ba9c70f846762e\CLI.Aspect.MMVideo.Graphics.Wizard.DLL
(unsigned) MD5: cbb79db0b562172f41990691c6210cd2 C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.Radeon3D.Graphics.Dashboard\2.0.3404.40452__90ba9c70f846762e\CLI.Aspect.Radeon3D.Graphics.Dashboard.DLL
(unsigned) MD5: a895fd260109911308d2a3a269b4fdcd C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.Radeon3D.Graphics.Runtime\2.0.3404.40452__90ba9c70f846762e\CLI.Aspect.Radeon3D.Graphics.Runtime.DLL
(unsigned) MD5: 4936982f43a4f23856b398b3d9dd1589 C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.Radeon3D.Graphics.Shared\2.0.3309.28636__90ba9c70f846762e\CLI.Aspect.Radeon3D.Graphics.Shared.DLL
(unsigned) MD5: f6d8003b46e2d9f6e03eb346ac5df7c8 C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.Radeon3D.Graphics.Wizard\2.0.3404.40453__90ba9c70f846762e\CLI.Aspect.Radeon3D.Graphics.Wizard.DLL
(unsigned) MD5: e7618d942dd51f8c20c80717260c8db8 C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.SmartGart.Graphics.Dashboard\2.0.3404.40422__90ba9c70f846762e\CLI.Aspect.SmartGart.Graphics.Dashboard.DLL
(unsigned) MD5: ae44272815be50b2d6c184481c09d225 C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.SmartGart.Graphics.Runtime\2.0.3404.40422__90ba9c70f846762e\CLI.Aspect.SmartGart.Graphics.Runtime.DLL
(unsigned) MD5: beef83ff416d5744e946a1554ee7118a C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.SmartGart.Graphics.Shared\2.0.3309.28632__90ba9c70f846762e\CLI.Aspect.SmartGart.Graphics.Shared.DLL
(unsigned) MD5: ba8e4def946325d96ef2da87ecffc594 C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.TransCode.Graphics.Shared\2.0.3309.28644__90ba9c70f846762e\CLI.Aspect.TransCode.Graphics.Shared.DLL
(unsigned) MD5: 34caa6b4d1be75e10f699ff46edee776 C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.TransCode.Graphics.Wizard\2.0.3404.40482__90ba9c70f846762e\CLI.Aspect.TransCode.Graphics.Wizard.DLL
(unsigned) MD5: f2df5e921c5f356c940ed271dad10914 C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.VPURecover.Graphics.Dashboard\2.0.3404.40414__90ba9c70f846762e\CLI.Aspect.VPURecover.Graphics.Dashboard.DLL
(unsigned) MD5: 710c53c480d1ac5acb14667d21b02a85 C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.VPURecover.Graphics.Runtime\2.0.3404.40413__90ba9c70f846762e\CLI.Aspect.VPURecover.Graphics.Runtime.DLL
(unsigned) MD5: 0d80843568d285390d7b53aa2b64284c C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.VPURecover.Graphics.Shared\2.0.3309.28631__90ba9c70f846762e\CLI.Aspect.VPURecover.Graphics.Shared.DLL
(unsigned) MD5: 6b2bd112de22bb10ac6fdc3bcb79095a C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.Welcome.Graphics.Dashboard\2.0.3404.40483__90ba9c70f846762e\CLI.Aspect.Welcome.Graphics.Dashboard.DLL
(unsigned) MD5: 26beb141ba70fd1427c69a3d8ec27a79 C:\WINDOWS\assembly\GAC_MSIL\CLI.Caste.Graphics.Dashboard.Shared\2.0.3309.28630__90ba9c70f846762e\CLI.Caste.Graphics.Dashboard.Shared.DLL
(unsigned) MD5: 58fa666691c7e8b0cd213e3fb6004aa7 C:\WINDOWS\assembly\GAC_MSIL\CLI.Caste.Graphics.Dashboard\2.0.3404.40404__90ba9c70f846762e\CLI.Caste.Graphics.Dashboard.DLL
(unsigned) MD5: 54387b3763ba5c91a4c6fa8e5916b2df C:\WINDOWS\assembly\GAC_MSIL\CLI.Caste.Graphics.Runtime.Shared.Private\2.0.3309.28637__90ba9c70f846762e\CLI.Caste.Graphics.Runtime.Shared.Private.DLL
(unsigned) MD5: 416ade74cdfb9f4cf75ad646b3fe65e5 C:\WINDOWS\assembly\GAC_MSIL\CLI.Caste.Graphics.Runtime\2.0.3404.40397__90ba9c70f846762e\CLI.Caste.Graphics.Runtime.DLL
(unsigned) MD5: 62b845865fd089cee940e682a7793253 C:\WINDOWS\assembly\GAC_MSIL\CLI.Caste.Graphics.Shared\2.0.3309.28618__90ba9c70f846762e\CLI.Caste.Graphics.Shared.DLL
(unsigned) MD5: d38601320578fb9235e6a3634ae5fe20 C:\WINDOWS\assembly\GAC_MSIL\CLI.Caste.Graphics.Wizard.Shared\2.0.3309.28631__90ba9c70f846762e\CLI.Caste.Graphics.Wizard.Shared.DLL
(unsigned) MD5: 0c0418b4373df6df0b4c7f18a536cbff C:\WINDOWS\assembly\GAC_MSIL\CLI.Caste.Graphics.Wizard\2.0.3404.40409__90ba9c70f846762e\CLI.Caste.Graphics.Wizard.DLL
(unsigned) MD5: ea6f9f3bcfec54a172ca2bb878e4c761 C:\WINDOWS\assembly\GAC_MSIL\CLI.Caste.HydraVision.Dashboard\2.0.3404.40496__90ba9c70f846762e\CLI.Caste.HydraVision.Dashboard.DLL
(unsigned) MD5: 8f801821586e489b5f3758282004d340 C:\WINDOWS\assembly\GAC_MSIL\CLI.Caste.HydraVision.Runtime\2.0.3404.40497__90ba9c70f846762e\CLI.Caste.HydraVision.Runtime.DLL
(unsigned) MD5: 1042374b82d886a19b1edf5797455b04 C:\WINDOWS\assembly\GAC_MSIL\CLI.Caste.HydraVision.Shared\2.0.3404.40496__90ba9c70f846762e\CLI.Caste.HydraVision.Shared.DLL
(unsigned) MD5: 814213b212405ac09e45bd5e63694ea5 C:\WINDOWS\assembly\GAC_MSIL\CLI.Caste.HydraVision.Wizard\2.0.3404.40500__90ba9c70f846762e\CLI.Caste.HydraVision.Wizard.DLL
(unsigned) MD5: 1f3d9b7cf4749de1bbca442142976a15 C:\WINDOWS\assembly\GAC_MSIL\CLI.Component.Client.Shared.Private\2.0.3309.28621__90ba9c70f846762e\CLI.Component.Client.Shared.Private.DLL
(unsigned) MD5: 3eb71bb5571db026448fb00c80961d5a C:\WINDOWS\assembly\GAC_MSIL\CLI.Component.Client.Shared\2.0.3309.28611__90ba9c70f846762e\CLI.Component.Client.Shared.DLL
(unsigned) MD5: 31f3a43ddf0fe42f88de86004003e01f C:\WINDOWS\assembly\GAC_MSIL\CLI.Component.Dashboard.Shared.Private\2.0.3309.28624__90ba9c70f846762e\CLI.Component.Dashboard.Shared.Private.DLL
(unsigned) MD5: 2f0a0d437666efecef0fcecb44700ca3 C:\WINDOWS\assembly\GAC_MSIL\CLI.Component.Dashboard.Shared\2.0.3309.28617__90ba9c70f846762e\CLI.Component.Dashboard.Shared.DLL
(unsigned) MD5: adfc9964cc30456b996593be2194d438 C:\WINDOWS\assembly\GAC_MSIL\CLI.Component.Dashboard\2.0.3404.40401__90ba9c70f846762e\CLI.Component.Dashboard.DLL
(unsigned) MD5: ef10dfb6a7306b0d61ccb272246f0181 C:\WINDOWS\assembly\GAC_MSIL\CLI.Component.Runtime.Extension.EEU\2.0.3404.40393__90ba9c70f846762e\CLI.Component.Runtime.Extension.EEU.DLL
(unsigned) MD5: 805a0d817c61a2778e5859689fc7cbb8 C:\WINDOWS\assembly\GAC_MSIL\CLI.Component.Runtime.Shared.Private\2.0.3309.28628__90ba9c70f846762e\CLI.Component.Runtime.Shared.Private.DLL
(unsigned) MD5: e46c94064b485bb0adfb8ed53ccfd598 C:\WINDOWS\assembly\GAC_MSIL\CLI.Component.Runtime.Shared\2.0.3309.28617__90ba9c70f846762e\CLI.Component.Runtime.Shared.DLL
(unsigned) MD5: cc56ce389825333eb29822341696ebac C:\WINDOWS\assembly\GAC_MSIL\CLI.Component.Runtime\2.0.3404.40395__90ba9c70f846762e\CLI.Component.Runtime.DLL
(unsigned) MD5: e4fbd695c26d0a2543d0b54721695fbb C:\WINDOWS\assembly\GAC_MSIL\CLI.Component.SkinFactory\2.0.3404.40396__90ba9c70f846762e\CLI.Component.SkinFactory.DLL
(unsigned) MD5: 8d0859bfcc1a22575cdc740ccae3235b C:\WINDOWS\assembly\GAC_MSIL\CLI.Component.Systemtray\2.0.3404.40472__90ba9c70f846762e\CLI.Component.Systemtray.DLL
(unsigned) MD5: e40bc3251f860437c4d9068cc9284f80 C:\WINDOWS\assembly\GAC_MSIL\CLI.Component.Wizard.Shared.Private\2.0.3309.28627__90ba9c70f846762e\CLI.Component.Wizard.Shared.Private.DLL
(unsigned) MD5: f26996e9c8d91f5825a692df8e169506 C:\WINDOWS\assembly\GAC_MSIL\CLI.Component.Wizard.Shared\2.0.3309.28620__90ba9c70f846762e\CLI.Component.Wizard.Shared.DLL
(unsigned) MD5: e2984812f8f940cdf6ef87aaff2062bb C:\WINDOWS\assembly\GAC_MSIL\CLI.Component.Wizard\2.0.3404.40409__90ba9c70f846762e\CLI.Component.Wizard.DLL
(unsigned) MD5: f6f72c70c12aac66c5b9efcbef484188 C:\WINDOWS\assembly\GAC_MSIL\CLI.Foundation.Private\2.0.3309.28608__90ba9c70f846762e\CLI.Foundation.Private.DLL
(unsigned) MD5: a4ec9e917285a39f6fe7fa40669aaa03 C:\WINDOWS\assembly\GAC_MSIL\CLI.Foundation.XManifest\2.0.3309.28669__90ba9c70f846762e\CLI.Foundation.XManifest.DLL
(unsigned) MD5: f73739ba177c749156f4ba29b314fc6a C:\WINDOWS\assembly\GAC_MSIL\CLI.Foundation\2.0.3309.28604__90ba9c70f846762e\CLI.Foundation.DLL
(unsigned) MD5: 2e7fab502a8615b1aab0eab35afbca3b C:\WINDOWS\assembly\GAC_MSIL\DEM.Graphics.I0706\2.0.2743.23304__90ba9c70f846762e\DEM.Graphics.I0706.DLL
(unsigned) MD5: 814b9d77b93f0f10d1619483e39a6141 C:\WINDOWS\assembly\GAC_MSIL\DEM.Graphics\2.0.3309.28630__90ba9c70f846762e\DEM.Graphics.DLL
(unsigned) MD5: 03571509ec8c5cda4c347e5398ae0e29 C:\WINDOWS\assembly\GAC_MSIL\DEM.OS.I0602\2.0.3309.28630__90ba9c70f846762e\DEM.OS.I0602.DLL
(unsigned) MD5: dc3ca97fe07a5e4387d53e3d77b4a7a7 C:\WINDOWS\assembly\GAC_MSIL\DEM.OS\2.0.3309.28645__90ba9c70f846762e\DEM.OS.DLL
(unsigned) MD5: 34dcf0e4754f8fa599e33aa444742481 C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Foundations.Portability\3.1.2.2__540d4816ead86321\Intuit.Spc.Foundations.Portability.dll
(unsigned) MD5: 58ed45bfb06ec7c6b7d151b77247e4b3 C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Foundations.Primary.Config\3.1.2.2__540d4816ead86321\Intuit.Spc.Foundations.Primary.Config.dll
(unsigned) MD5: 8da93d9a662e4ba18802bc6c2ccacd66 C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Foundations.Primary.ExceptionHandling\3.1.2.2__540d4816ead86321\Intuit.Spc.Foundations.Primary.ExceptionHandling.dll
(unsigned) MD5: 5ac46a3a31bc58e512c4cafd87327922 C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Foundations.Primary.Logging\3.1.2.2__540d4816ead86321\Intuit.Spc.Foundations.Primary.Logging.dll
(unsigned) MD5: 04de2774c2a6602da45e9e76d46bc071 C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Map.Reporter\4.0.114.0__7ce6deabcb36a8ea\Intuit.Spc.Map.Reporter.dll
(unsigned) MD5: 333244713f41c02de8502061c0a11622 C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Map.Reporter\5.0.104.0__7ce6deabcb36a8ea\Intuit.Spc.Map.Reporter.dll
(unsigned) MD5: 7e1174e9a3d17855680e144aa5d130a1 C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Map.WindowsFirewallUtilities\4.0.114.0__7ce6deabcb36a8ea\Intuit.Spc.Map.WindowsFirewallUtilities.dll
(unsigned) MD5: b334fca2f0878c2af77826211dbe55bb C:\WINDOWS\assembly\GAC_MSIL\Intuit.Spc.Map.WindowsFirewallUtilities\5.0.104.0__7ce6deabcb36a8ea\Intuit.Spc.Map.WindowsFirewallUtilities.dll
(unsigned) MD5: 80afa16c347a60ba6ecabcfb7351585d C:\WINDOWS\assembly\GAC_MSIL\LOG.Foundation.Implementation.Private\2.0.3309.28626__90ba9c70f846762e\LOG.Foundation.Implementation.Private.DLL
(unsigned) MD5: a8bdc7720f0309c33974442581aa0b68 C:\WINDOWS\assembly\GAC_MSIL\LOG.Foundation.Implementation\2.0.3404.40476__90ba9c70f846762e\LOG.Foundation.Implementation.DLL
(unsigned) MD5: df8ea7c61bad44d22867a1b9aee4e3d8 C:\WINDOWS\assembly\GAC_MSIL\LOG.Foundation.Private\2.0.3309.28614__90ba9c70f846762e\LOG.Foundation.Private.DLL
(unsigned) MD5: 14d1332bd5dedabd1c85a5d74eb4bada C:\WINDOWS\assembly\GAC_MSIL\LOG.Foundation\2.0.3309.28601__90ba9c70f846762e\LOG.Foundation.DLL
(unsigned) MD5: b89cb7f3f1a1e2807e708f5435deb13d C:\WINDOWS\assembly\GAC_MSIL\log4net\1.2.10.0__1b44e1d426115821\log4net.dll
(unsigned) MD5: 2995d06505645fe3e58cf270a6653dc8 C:\WINDOWS\assembly\GAC_MSIL\MOM.Foundation\2.0.3309.28626__90ba9c70f846762e\MOM.Foundation.DLL
(unsigned) MD5: 6940c864dcb2b37d76ff73a31b0c4c64 C:\WINDOWS\assembly\GAC_MSIL\MOM.Implementation\2.0.3404.40477__90ba9c70f846762e\MOM.Implementation.DLL
(unsigned) MD5: 9d5f0100cef5ab1db7111e0004e61003 C:\WINDOWS\assembly\GAC_MSIL\NEWAEM.Foundation\2.0.3309.28603__90ba9c70f846762e\NEWAEM.Foundation.DLL
(unsigned) MD5: 675e48e1e3141108cbccdb26b84cbcfa C:\WINDOWS\assembly\GAC_MSIL\ResourceManagement.Foundation.Implementation\2.0.3404.40507__90ba9c70f846762e\ResourceManagement.Foundation.Implementation.DLL
(unsigned) MD5: 986f472cdcd90453bbb0643a235ace09 C:\WINDOWS\assembly\GAC_MSIL\ResourceManagement.Foundation.Private\2.0.3309.28612__90ba9c70f846762e\ResourceManagement.Foundation.Private.DLL
(unsigned) MD5: c1c4025b5f5311ac8bcc318b0c244d58 C:\WINDOWS\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll
(unsigned) MD5: 179cc375c81b39902825abfe3a7cd49d C:\WINDOWS\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
(unsigned) MD5: 2849f13593d2712ccb97ffbdd3c1232e C:\WINDOWS\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
(unsigned) MD5: 50d2943d426ba91771ad87fdec802ac3 C:\WINDOWS\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
(unsigned) MD5: 4bbb50ee0660ad59380e27ea00f318c9 C:\WINDOWS\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
(unsigned) MD5: eb97291e3c9e0035b47b45dbb1af710d C:\WINDOWS\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
(unsigned) MD5: 86601f6a08c75a16d4d0509cb31ee318 C:\WINDOWS\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
(unsigned) MD5: 182b565c7d3fe6d3e30f091bbf9748fa C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Accessibility\11eb4f6606ba01e5128805759121ea6c\Accessibility.ni.dll
(unsigned) MD5: 3ffd4d117cdd21c3c039fdb9649bc07b C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\6d667f19d687361886990f3ca0f49816\mscorlib.ni.dll
(unsigned) MD5: 283c0214276244e69cccce3154b53662 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing\3da96ee075bab9202626ae44c18d226c\System.Drawing.ni.dll
(unsigned) MD5: fa47a3e4955f12c55096d2302899a2c6 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\2abd876a3c8a6b088fa6d8d39d901e3c\System.Runtime.Remoting.ni.dll
(unsigned) MD5: e7cd2c99846448922d45d31e9de9a4b6 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\ea3366939280c1715f1c620e33ee3c8a\System.ServiceProcess.ni.dll
(unsigned) MD5: 2bc8c429e7835e8cfe66a45249e45d38 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web\3963ce03d445a8619abbf388d590134b\System.Web.ni.dll
(unsigned) MD5: 0c32bc7b1d60f3a4dfc1bb818bde35c7 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\63406259e94d5c0ff5b79401dfe113ce\System.Windows.Forms.ni.dll
(unsigned) MD5: e201f488c4993c46dbfc46e86558295c C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Xml\773a9786013451d3baaeff003dc4230f\System.Xml.ni.dll
(unsigned) MD5: 65cc0de3db7c6ae92bb96e0a06459b10 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\80978a322d7dd39f0a71be1251ae395a\System.ni.dll
(unsigned) MD5: 7bba5b65f6645d9fd314ddb8d3953a95 C:\WINDOWS\Downloaded Program Files\isusweb.dll
(unsigned) MD5: c0b71d285df2952347c93265326a5d75 C:\WINDOWS\system32\acrotls.dll
(unsigned) MD5: 5d6b9c31593281647905f49e2f0bf7cf C:\WINDOWS\system32\ati2sgag.exe
(unsigned) MD5: 2405b08383a2b41beae9a2c5bd90d0a2 C:\WINDOWS\system32\d4channel.dll
(unsigned) MD5: 30bb1bde595ca65fd5549462080d94e5 C:\WINDOWS\system32\drivers\AEGISP.sys
(unsigned) MD5: b34b1ab0a7690a0e2301fec6d17b2fc1 C:\WINDOWS\system32\drivers\AFS2K.sys
(unsigned) MD5: d82414ec520453efe2eba936f6a9115a C:\WINDOWS\system32\drivers\EAPPKT.sys
(unsigned) MD5: 29c45722e20572b6440b57e3359e73ee C:\WINDOWS\system32\DRIVERS\netaapl.sys
(unsigned) MD5: e266683fc95abdec17cd378564e1b54b C:\WINDOWS\system32\drivers\TVICHW32.sys
(unsigned) MD5: 0eccfd4c8f90d1542c9f72784ad8b2e4 C:\WINDOWS\system32\hpbmmjno.dll
(unsigned) MD5: 5d7d04f503b0252cebd718b8032fdd1a C:\WINDOWS\system32\hppadt40.dll
(unsigned) MD5: af399b7c219571955c868775dcd0e4a4 C:\WINDOWS\system32\hppcappm.dll
(unsigned) MD5: d4b955d7aec636322e04f1c73735a0e0 C:\WINDOWS\system32\jst.dll
(unsigned) MD5: 68fe12c5785b30b360bace26a867fbaa C:\WINDOWS\system32\ltfil11n.DLL
(unsigned) MD5: 0268e31ea510a41900b2a3cdc25e6520 C:\WINDOWS\system32\ltkrn11n.dll
(unsigned) MD5: 5006b5dba7979cdc3481e24dd0c03802 C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
(unsigned) MD5: 779b6f868721c10e94631316a2aa9867 C:\WINDOWS\system32\mfc42loc.dll
(unsigned) MD5: 44e45bd9327abc0540593e809b32f3ca C:\WINDOWS\system32\msxml4.dll
(unsigned) MD5: 073bf349c16ab332d1d5a6f59d276ea2 C:\WINDOWS\system32\USBPort.dll
(unsigned) MD5: ccc2e312486ae6b80970211da472268b C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80u.dll
(unsigned) MD5: 9631b15db7c43c267636ff43c3075e07 C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll

The following file(s) must be uploaded for server-side scanning:
C:\Program Files\SmartFTP Client\sfShellTools.dll

Upload started - 1 file(s)
sfShellTools.dll (419200)
Upload speed - 22 KB/s
Upload finished - 1 uploaded, 0 failed

The uploaded file(s) were found clean.

Scan finished - communication took 22 sec
Total traffic - 0.48 MB sent, 2.24 KB recvd
Scanned 1637 files and modules - 70 seconds

==============================================================================


Rivers (Newbie Surfer, Posts: 32, Joined: 2011-05-13, Operating System: Windows XP)
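The listing above is long because the scanner reports every file without an embedded Authenticode signature, and most of those are ordinary vendor bundles (palmOne, the PFU ScanSnap driver, the ATI .NET assemblies in the GAC). What a helper actually reads first is the handful of loose, unsigned files sitting directly in system32 or in Downloaded Program Files, because that is where rogue-AV droppers usually land (c:\windows\system32\tapiz.dll, deleted later in this thread, is one such case). The following is an added example, not QuickScan code and not part of Rivers' post: it parses the "(unsigned) MD5: <hash> <path>" format and sorts the entries into location tiers. The tiering is an editorial heuristic, not a verdict on any file; the sample lines are a constructed excerpt copied from the listing above, and the one file the scanner did upload, sfShellTools.dll, came back clean.

```python
"""Location-based triage of a QuickScan-style "(unsigned) MD5: <hash> <path>" listing.

Added example for this thread: not QuickScan code, not part of the original post.
The tiers are an editorial heuristic; where a file lives proves nothing by itself.
"""
import re
from collections import Counter, defaultdict

# Constructed excerpt: a handful of the real lines from the listing above, in
# the same format, so the example runs offline.
SAMPLE_LISTING = r"""
(unsigned) MD5: 2868921374756917dd5534690b1fd50c C:\Program Files\palmOne\sync20.dll
(unsigned) MD5: 2f999b116092128ca03b31f68e343a37 C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe
(unsigned) MD5: 78828daa6e0b54c07a9a979faa22e930 C:\Program Files\SmartFTP Client\sfShellTools.dll
(unsigned) MD5: 86601f6a08c75a16d4d0509cb31ee318 C:\WINDOWS\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
(unsigned) MD5: 7bba5b65f6645d9fd314ddb8d3953a95 C:\WINDOWS\Downloaded Program Files\isusweb.dll
(unsigned) MD5: c0b71d285df2952347c93265326a5d75 C:\WINDOWS\system32\acrotls.dll
(unsigned) MD5: 2405b08383a2b41beae9a2c5bd90d0a2 C:\WINDOWS\system32\d4channel.dll
(unsigned) MD5: 30bb1bde595ca65fd5549462080d94e5 C:\WINDOWS\system32\drivers\AEGISP.sys
(unsigned) MD5: d4b955d7aec636322e04f1c73735a0e0 C:\WINDOWS\system32\jst.dll
(unsigned) MD5: 44e45bd9327abc0540593e809b32f3ca C:\WINDOWS\system32\msxml4.dll
"""

LINE_RE = re.compile(r"^\(unsigned\) MD5: ([0-9a-fA-F]{32}) (.+?)\s*$")

# Tier 1: loose files directly in the Windows root, in system32 itself, or in
#         Downloaded Program Files (ActiveX drop location). Read these first.
# Tier 2: unsigned kernel drivers; confirm each against its service entry.
# Tier 3: everything else (vendor bundles under Program Files, GAC assemblies).
TIER1_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\downloaded program files"}
TIER2_DIRS = {r"c:\windows\system32\drivers"}


def parse_listing(text):
    """Return [(md5, path), ...] for every well-formed listing line; hashes lower-cased."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append((m.group(1).lower(), m.group(2)))
    return entries


def directory_of(path):
    """Parent directory of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[0].lower()


def tier_of(path):
    d = directory_of(path)
    if d in TIER1_DIRS:
        return 1
    if d in TIER2_DIRS:
        return 2
    return 3


def triage(entries):
    """Group (md5, path) entries by tier: {1: [...], 2: [...], 3: [...]}."""
    tiers = defaultdict(list)
    for md5, path in entries:
        tiers[tier_of(path)].append((md5, path))
    return dict(tiers)


def bulk_by_vendor(entries):
    """Count entries by their first two path components (e.g. 'Program Files\\palmOne'),
    which makes it visible that vendor bundles are the bulk of such a listing."""
    counts = Counter()
    for _, path in entries:
        parts = path.split("\\")
        counts["\\".join(parts[1:3])] += 1
    return counts


if __name__ == "__main__":
    entries = parse_listing(SAMPLE_LISTING)
    for tier, items in sorted(triage(entries).items()):
        print(f"tier {tier}: {len(items)} file(s)")
        for md5, path in items:
            print(f"  {md5}  {path}")
    print(bulk_by_vendor(entries).most_common(3))
```

Tier 1 is the set whose hashes you would look up or upload first; tier 3 entries only become interesting if their vendor directory does not match software the user knows they installed.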

Re: MS Removal Tool infection

Post by DragonMaster Jay on Sun 15 May 2011, 9:55 pm

1. ComboFix re-run
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the box below into it:
    Code:
    killall::

    File::
    C:\WINDOWS\system32\tapiz.dll

    Reboot::
  • Save this as CFScript.txt, in the same location as ComboFix.exe

  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.

2. Online Scan

Please run a free online scan with the ESET Online Scanner
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

3. Post logs

Make sure to post these logs for my review:
  • ComboFix log
  • ESET Scan log

Also, let me know how your computer is running.

Thanks!



~DMJ
GeekPolice Academy Manager



DragonMaster Jay (Manager | Tech Officer, Posts: 13451, Joined: 2009-09-07, Operating System: Windows 7 Ultimate) http://www.twitter.com/jaypfoutz
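Step 1 above feeds ComboFix a CFScript with three directives (killall:: to stop running processes, File:: naming the path to delete, Reboot::) and asks for the resulting C:\ComboFix.txt. The check a helper does on that log is mechanical: confirm ComboFix acknowledged the script ("Command switches used ::"), echoed the File:: target, and then listed the same path under "Other Deletions". The following is an added example, not ComboFix code (ComboFix ships no such checker) and not part of DragonMaster Jay's post: it parses the CFScript directives and the log sections and reports which File:: targets were actually removed. It assumes the log layout of the ComboFix logs posted in this thread (a "(((( Other Deletions ))))" banner followed by the deleted paths); the script and log excerpt embedded in it are constructed copies of what appears in the thread.

```python
"""Cross-check a ComboFix CFScript against the ComboFix log it produced.

Added example for this thread, not ComboFix code. Assumed log layout: a
"Command switches used ::" line naming the script, a "FILE ::" echo of the
File:: targets, then banner lines such as "(((( Other Deletions ))))" that
open sections, each followed by the affected paths.
"""
import re

# Constructed copy of the CFScript given in the post above.
CFSCRIPT = r"""
killall::

File::
C:\WINDOWS\system32\tapiz.dll

Reboot::
"""

# Constructed log excerpt modelled on the ComboFix log posted in this thread.
COMBOFIX_LOG = r"""
ComboFix 11-05-16.02 - mmartin 05/16/2011 18:22:45.3.2 - x86
Command switches used :: c:\documents and settings\mmartin\Desktop\CFScript2.txt
.
FILE ::
"c:\windows\system32\tapiz.dll"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\tapiz.dll
.
((((((((((((((((((((((((( Files Created from 2011-04-16 to 2011-05-16 )))))))))))))))))))))))))))))))
.
2011-05-12 03:35 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
"""

DIRECTIVE_RE = re.compile(r"^([A-Za-z]+)::\s*$")      # e.g. "File::", "Reboot::"
BANNER_RE = re.compile(r"^\(+\s*(.*?)\s*\)+$")         # "((( Section title )))"


def parse_cfscript(text):
    """Return {directive: [argument lines]} in script order, names lower-cased.
    Directives without arguments (killall::, Reboot::) map to an empty list."""
    script, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = DIRECTIVE_RE.match(line)
        if m:
            current = m.group(1).lower()
            script.setdefault(current, [])
        elif line and current is not None:
            script[current].append(line)
    return script


def parse_combofix_sections(text):
    """Split a ComboFix log into {section title: [content lines]}; everything
    before the first banner is filed under 'header'. Blank and '.' lines are dropped."""
    sections = {"header": []}
    current = "header"
    for raw in text.splitlines():
        line = raw.strip()
        m = BANNER_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if line and line != ".":
            sections[current].append(line)
    return sections


def norm(path):
    """Normalise a path for comparison: strip quotes and case (NTFS is case-insensitive)."""
    return path.strip().strip('"').lower()


def script_acknowledged(sections):
    """True if ComboFix recorded that it was run with a CFScript."""
    return any(l.startswith("Command switches used ::") for l in sections["header"])


def verify_deletions(script, sections):
    """Return (deleted, missing): File:: targets that do / do not appear under
    'Other Deletions'. A target in 'missing' was not removed and needs a new approach."""
    deleted_paths = {norm(p) for p in sections.get("Other Deletions", [])}
    targets = [norm(p) for p in script.get("file", [])]
    deleted = [t for t in targets if t in deleted_paths]
    missing = [t for t in targets if t not in deleted_paths]
    return deleted, missing


if __name__ == "__main__":
    script = parse_cfscript(CFSCRIPT)
    sections = parse_combofix_sections(COMBOFIX_LOG)
    print("script acknowledged:", script_acknowledged(sections))
    deleted, missing = verify_deletions(script, sections)
    print("deleted:", deleted)
    print("missing:", missing)
```

If a target ends up in `missing`, the file survived the run (still locked, re-dropped by another component, or the path was mistyped in the script), and the next step is to find what is protecting it rather than re-running the same script.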

Re: MS Removal Tool infection

Post by Rivers on Tue 17 May 2011, 10:50 am

ComboFix 11-05-16.02 - mmartin 05/16/2011 18:22:45.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1424 [GMT -5:00]
Running from: c:\documents and settings\mmartin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\mmartin\Desktop\CFScript2.txt
AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
FILE ::
"c:\windows\system32\tapiz.dll"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\tapiz.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-04-16 to 2011-05-16 )))))))))))))))))))))))))))))))
.
.
2011-05-14 16:31 . 2011-05-14 16:31 -------- d-----w- c:\documents and settings\mmartin\Application Data\QuickScan
2011-05-12 03:43 . 2011-05-12 03:43 -------- d-----w- c:\documents and settings\mmartin\Application Data\Malwarebytes
2011-05-12 03:35 . 2011-05-12 03:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-05-12 03:35 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-12 03:35 . 2011-05-12 03:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-12 03:35 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-11 20:02 . 2011-05-11 20:02 0 ----a-w- c:\windows\Pcinidedu.bin
2011-04-27 03:49 . 2011-04-27 03:49 -------- d-----w- c:\documents and settings\mmartin\Application Data\SmartFTP
2011-04-27 03:49 . 2011-04-27 03:49 -------- d-----w- c:\program files\SmartFTP Client
2011-04-27 03:47 . 2011-04-27 03:47 -------- d-----w- c:\program files\SmartFTP Client 4.0 Setup Files
2011-04-27 02:12 . 2011-04-27 02:12 -------- d-----w- c:\program files\HashTab Shell Extension
2011-04-22 19:04 . 2011-04-23 03:24 -------- d-----w- c:\documents and settings\mmartin\Application Data\Download Manager
2011-04-21 14:41 . 2011-04-21 14:41 -------- d-----w- c:\documents and settings\All Users\Application Data\ATI
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-20 05:03 . 2011-02-20 05:03 4422992 ----a-w- c:\windows\mfc100u.dll
2011-02-20 04:03 . 2011-02-20 04:03 64336 ----a-w- c:\windows\system32\mfc100fra.dll
2011-02-20 04:03 . 2011-02-20 04:03 64336 ----a-w- c:\windows\system32\mfc100deu.dll
2011-02-20 04:03 . 2011-02-20 04:03 63824 ----a-w- c:\windows\system32\mfc100esn.dll
2011-02-20 04:03 . 2011-02-20 04:03 62288 ----a-w- c:\windows\system32\mfc100ita.dll
2011-02-20 04:03 . 2011-02-20 04:03 60752 ----a-w- c:\windows\system32\mfc100rus.dll
2011-02-20 04:03 . 2011-02-20 04:03 55120 ----a-w- c:\windows\system32\mfc100enu.dll
2011-02-20 04:03 . 2011-02-20 04:03 43856 ----a-w- c:\windows\system32\mfc100jpn.dll
2011-02-20 04:03 . 2011-02-20 04:03 43344 ----a-w- c:\windows\system32\mfc100kor.dll
2011-02-20 04:03 . 2011-02-20 04:03 421200 ----a-w- c:\windows\system32\msvcp100.dll
2011-02-20 04:03 . 2011-02-20 04:03 36176 ----a-w- c:\windows\system32\mfc100cht.dll
2011-02-20 04:03 . 2011-02-20 04:03 36176 ----a-w- c:\windows\system32\mfc100chs.dll
2011-02-19 05:40 . 2011-02-19 05:40 773968 ----a-w- c:\windows\system32\msvcr100.dll
2011-02-18 21:36 . 2009-08-04 17:06 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-02-18 21:36 . 2009-08-04 17:06 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-05-01 16:47 . 2011-03-24 16:37 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2007-10-26 15:00 . 2009-01-12 18:19 16896 ----a-w- c:\program files\mozilla firefox\components\tmfftb.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-08-03 577536]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"StatusClient 2.6"="c:\program files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" [2003-10-03 61440]
"TomcatStartup 2.5"="c:\program files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-04-09 184320]
"OrderReminder"="c:\program files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe" [2009-01-12 98304]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2003-12-05 49152]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-10-31 2595616]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-10-31 909208]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-10-31 140568]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-12 640376]
"Share-to-Web Namespace Daemon"="c:\program files\hp\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-02-04 198160]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2002-09-11 368706]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 813912]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 1406024]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-04-28 61440]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
palmOne Registration.lnk - c:\program files\palmOne\register.exe [2005-6-9 2355200]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
CardMinder Viewer.lnk - c:\program files\PFU\ScanSnap\CardMinder\CardLauncher.exe [2009-6-10 77824]
Conversion to PDF with ScanSnap Organizer.lnk - c:\program files\PFU\ScanSnap\Organizer\PfuSsOrgOcrChk.exe [2009-6-10 15360]
HotSync Manager.lnk - c:\program files\palmOne\Hotsync.exe [2008-1-3 1392640]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2007-11-6 815104]
SATARaid.lnk - c:\program files\Silicon Image\SiISATARaid\SATARaid.exe [2009-1-8 1019961]
ScanSnap Manager.lnk - c:\program files\PFU\ScanSnap\Driver\PfuSsMon.exe [2009-6-10 1048576]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Hewlett-Packard\\Toolbox\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\Program Files\\FileZilla FTP Client\\filezilla.exe"=
"c:\\Program Files\\Laplink\\PCsync\\SFTHost.exe"=
"c:\\Program Files\\Sling Media\\SlingPlayer\\SlingPlayer.exe"=
"c:\\Documents and Settings\\mmartin\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Documents and Settings\\mmartin\\Application Data\\Macromedia\\Flash Player\\[You must be registered and logged in to see this link.]
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
.
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [1/9/2009 3:16 PM 38144]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/18/2009 11:33 PM 135664]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [12/18/2009 11:33 PM 135664]
S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [8/4/2009 12:06 PM 17408]
S3 RTL8187B;Realtek RTL8187B Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187B.sys --> c:\windows\system32\DRIVERS\RTL8187B.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-19 04:33]
.
2011-05-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-19 04:33]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
IE: Add to Evernote - c:\program files\Evernote\Evernote3\enbar.dll/2000
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: intuit.com\ttlc
FF - ProfilePath - c:\documents and settings\mmartin\Application Data\Mozilla\Firefox\Profiles\p5a9s7yp.default\
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - prefs.js: network.proxy.type - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2011-05-16 18:32
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(824)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(3376)
c:\windows\system32\MSVCP100.dll
c:\program files\SmartFTP Client\en-US\sfShellTools.dll.mui
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\SOUNDMAN.EXE
c:\program files\hp\HP Share-to-Web\hpgs2wnf.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-05-16 18:38:51 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-16 23:38
ComboFix2.txt 2011-05-13 15:22
ComboFix3.txt 2011-05-12 21:42
.
Pre-Run: 215,399,432,192 bytes free
Post-Run: 215,402,733,568 bytes free
.
- - End Of File - - 79E53DF2DB86899EA6E9EA992952A630


Re: MS Removal Tool infection

Post by Rivers on Tue 17 May 2011, 1:28 pm

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6427
# api_version=3.0.2
# EOSSerial=de94924f6ef1a0448501326252ff69fc
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-05-17 01:35:58
# local_time=2011-05-16 08:35:58 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1032 16777174 0 30 272427 47933678 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=132874
# found=13
# cleaned=13
# scan_time=6072
C:\ACTIVE\OFFICE ADMIN\HARDWARE & SOFTWARE\Palm Treo\downloads\RomInstaller.zip probably a variant of Win32/Agent.ZPSXCA trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\ACTIVE\OFFICE ADMIN\HARDWARE & SOFTWARE\Palm Treo\Extract to\rominstaller\Installer.exe probably a variant of Win32/Agent.ZPSXCA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\iM28601JgCdN28601\iM28601JgCdN28601.exe.vir a variant of Win32/Kryptik.NQY trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\tapiz.dll.vir a variant of Win32/Kryptik.LLT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{83D3F6F2-E755-49FA-8ADC-3B3A2CE385C6}\RP1\A0004018.dll a variant of Win32/Kryptik.NOS trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{83D3F6F2-E755-49FA-8ADC-3B3A2CE385C6}\RP1\A0004019.exe a variant of Win32/TrojanDropper.VB.NPV trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{83D3F6F2-E755-49FA-8ADC-3B3A2CE385C6}\RP1\A0004020.dll a variant of Win32/Kryptik.NQE trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{83D3F6F2-E755-49FA-8ADC-3B3A2CE385C6}\RP1\A0004021.exe Win32/TrojanDownloader.FakeAlert.BGV trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{83D3F6F2-E755-49FA-8ADC-3B3A2CE385C6}\RP1\A0004022.exe a variant of Win32/TrojanClicker.VB.NFM trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{83D3F6F2-E755-49FA-8ADC-3B3A2CE385C6}\RP1\A0004024.exe probably a variant of Win32/Refpron.G trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{83D3F6F2-E755-49FA-8ADC-3B3A2CE385C6}\RP1\A0004190.exe a variant of Win32/Kryptik.NQY trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{83D3F6F2-E755-49FA-8ADC-3B3A2CE385C6}\RP4\A0006777.dll a variant of Win32/Kryptik.LLT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{83D3F6F2-E755-49FA-8ADC-3B3A2CE385C6}\RP4\A0006867.exe probably a variant of Win32/Agent.ZPSXCA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C


Re: MS Removal Tool infection

Post by Rivers on Tue 17 May 2011, 1:31 pm

Everything seems to be working fine.

Thanks for all the help.


Re: MS Removal Tool infection

Post by DragonMaster Jay on Tue 17 May 2011, 4:01 pm

If there are no more issues, then we shall clean up!

Clean up System Restore

Now, to get you off to a clean start, we will be creating a new Restore Point, then clearing the old ones to make sure you do not get reinfected, in case you need to "restore back."
  • Select Start > All Programs > Accessories > System tools > System Restore.
  • On the dialogue box that appears select Create a Restore Point
  • Click NEXT
  • Enter a name e.g. Clean
  • Click CREATE

You now have a clean restore point, to get rid of the bad ones:
  • Select Start > All Programs > Accessories > System tools > Disk Cleanup.
  • In the Drop down box that appears select your main drive e.g. C
  • Click OK
  • The system will do some calculation and then display a dialogue box with tabs
  • Select the More Options Tab.
  • At the bottom will be a System Restore box with a CLEANUP button; click this
  • Accept the Warning and select OK again, the program will close and you are done


Run OTC to remove our tools

To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTC.exe by OldTimer:
  • Save it to your Desktop.
  • Double click OTC.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

Purge old temporary files

Please download TFC by OldTimer to your desktop
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.


Security Check

Please download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.



Re: MS Removal Tool infection

Post by Rivers on Wed 18 May 2011, 3:43 am

Results of screen317's Security Check version 0.99.11
Windows XP Service Pack 3
Internet Explorer 7 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Java(TM) 6 Update 18
Out of date Java installed!
Adobe Flash Player 10.2.159.1
Adobe Reader 9
Out of date Adobe Reader installed!
Mozilla Firefox (x86 en-US..)
````````````````````````````````
Process Check:
objlist.exe by Laurent

``````````End of Log````````````


Re: MS Removal Tool infection

Post by DragonMaster Jay on Wed 18 May 2011, 2:29 pm

Adobe Reader Update!

Please download the newest version of Adobe Acrobat Reader from Adobe.com

Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
Search in the list for all previous installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.

Once old versions are gone, please install the newest version.

Java Update!

Please download the newest version of Java from Java.com.

Before installing: it is important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
Search in the list for all previous installed versions of Java. (J2SE Runtime Environment). Please uninstall/remove each of them.

Once old versions are gone, please install the newest version.


Please read the following information that I have provided, which will help you prevent malicious software in the future. Please keep in mind, malware is a continuous danger on the Internet. It is highly important to stay safe while browsing, to prevent re-infection.

Software recommendations

Antivirus/Antispyware

  • Microsoft Security Essentials: this is Microsoft's free antivirus/antispyware program. It equips you with protection against viruses, spyware, trojans, rootkits, and worms. It is also light on the computer's performance. Note: when installing this, you have both an antivirus and antispyware. Make sure you also get a firewall.
  • Avira Free: this is one of the most powerful, and easiest to use security software. The free version equips you with protection against viruses, spyware, trojans, rootkits, worms, and rogue software.


Firewall

  • Tallemu Online Armor: the free version is just as good as the premium. I have linked you to the free version.
  • Comodo Firewall: the free version is just as good as the premium. I have linked you to the free version. The optional security suite enhances the firewall by 40%. If you would like to install the suite that includes antivirus, then remove your old antivirus first.
  • PC Tools Firewall Plus: free and excellent firewall.


Note: Please keep ALL of these programs up-to-date and run them whenever you suspect a problem to prevent malware problems.

Resident Protection help
A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall, and scanning anti-spyware program at a time. Passive protectors such as SpywareBlaster can be run with any of them.

Securing your computer

  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • hpHosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. This prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer's loopback address, meaning it will be difficult to infect your computer in the future.


Please consider using an alternate browser
Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScript, can make it even more secure. Opera is another good option.

If you are interested:


See [You must be registered and logged in to see this link.] for more info about malware and prevention.

Thank you for choosing GeekPolice. Please see [You must be registered and logged in to see this link.] if you would like to leave feedback or contribute to our site. Do you have any more questions?
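The hpHosts recommendation above works by mapping known bad hostnames to the loopback address. As an added example (not part of this thread, hpHosts, or any tool named here), the script below parses a Windows HOSTS file and separates genuine blocking entries (loopback or 0.0.0.0) from entries that point a hostname at some other address, which is the kind of tampering worth checking for after a cleanup. The sample HOSTS text and all hostnames in it are constructed; only the usual Windows path is real.

```python
"""Classify HOSTS file entries: blocking (loopback) versus redirection.

Added example, not the original thread's or hpHosts' own code. A blocking
entry sends a hostname to 127.0.0.1, ::1 or 0.0.0.0, i.e. nowhere. An entry
that points a hostname at any other address redirects traffic for that name
to a machine the user did not choose, so it is the one to look at.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Real location of the file on Windows; everything else below is constructed.
WINDOWS_HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"

# Addresses that make an entry a harmless blackhole.
BLOCKING_TARGETS = {"127.0.0.1", "0.0.0.0", "::1"}

# Loose hostname syntax: dot-separated labels of letters, digits and hyphens,
# no label starting or ending with a hyphen, at most 63 characters per label.
HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)

Entry = Tuple[int, str, str]  # (line number, address, hostname)

# Constructed sample in the style of a Windows HOSTS file with hpHosts entries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.   (typical header, constructed)
127.0.0.1       localhost
# constructed blocklist entries in hpHosts style
127.0.0.1  ads.example.invalid  tracker.example.invalid
0.0.0.0    malware-host.example.invalid
# constructed tampered entry: a hostname pointed at a non-loopback address
203.0.113.5  update.example.invalid
not-an-ip  broken.example.invalid
"""


def parse_hosts(text: str) -> List[Entry]:
    """Return one (line_no, address, hostname) tuple per mapping.

    Comments after '#' and blank lines are skipped. A single address line may
    list several hostnames; each becomes its own tuple.
    """
    entries: List[Entry] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line: an address with nothing mapped to it
        address, hostnames = fields[0], fields[1:]
        for name in hostnames:
            entries.append((line_no, address, name))
    return entries


def classify(entries: List[Entry]) -> Dict[str, List[Entry]]:
    """Sort entries into 'blocking', 'redirect' and 'invalid' buckets."""
    report: Dict[str, List[Entry]] = {"blocking": [], "redirect": [], "invalid": []}
    for entry in entries:
        _, address, name = entry
        try:
            ipaddress.ip_address(address)
        except ValueError:
            report["invalid"].append(entry)  # not an IP address at all
            continue
        if not HOSTNAME_RE.match(name):
            report["invalid"].append(entry)  # not a plausible hostname
            continue
        bucket = "blocking" if address in BLOCKING_TARGETS else "redirect"
        report[bucket].append(entry)
    return report


def check_hosts_text(text: str) -> Dict[str, List[Entry]]:
    """Convenience wrapper: parse and classify in one call."""
    return classify(parse_hosts(text))


if __name__ == "__main__":
    result = check_hosts_text(SAMPLE_HOSTS)
    print(f"{len(result['blocking'])} blocking entries (loopback / 0.0.0.0)")
    for line_no, address, name in result["redirect"]:
        print(f"REDIRECT line {line_no}: {name} -> {address}")
    for line_no, address, name in result["invalid"]:
        print(f"INVALID  line {line_no}: {address} {name}")
```

To check a live machine, read `WINDOWS_HOSTS_PATH` instead of `SAMPLE_HOSTS`; the `redirect` bucket should be empty on a system that only carries an hpHosts blocklist.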


