Defender.exe
scotsking
2011-07-31, 13:01
Anti-virus has been compromised. Spybot is no longer working, and 100ksearches.com comes up when trying to access a web site from Google search results.
Tried to remove Defender manually and this did appear to work, and the Virgin scan started but stopped part way through and is no longer working now.
Have run ERUNT, and a copy of DDS is shown below.
.
DDS (Ver_2011-06-23.01) - NTFSx86 NETWORK
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Run by Shirley King at 10:57:36 on 2011-07-31
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.506 [GMT 1:00]
.
AV: Virgin Media Security Anti-Virus *Enabled/Updated* {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}
FW: Virgin Media Security Firewall *Enabled*
.
============== Running Processes ===============
.
"\\.\globalroot\Device\svchost.exe\svchost.exe"
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Virgin Media\Security\RPS.exe
C:\Program Files\Virgin Media\Service Manager\ServiceManagerComHandler.exe
C:\Program Files\Mozilla Firefox\firefox.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = www.ntlworld.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = about:blank
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: RepliGoIEHelperCtl Class: {91de4477-9cdc-4806-9bcb-28a963988e94} - c:\program files\cerience\repligo\RepliGoIEHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: &RepliGo: {81f4066b-f330-4872-8094-3e9fbccec8c1} - c:\program files\cerience\repligo\RepliGoIEBar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {A386D4B0-FDDB-4E1C-AE61-4F014013CD9B} - No File
uRun: [Creative Detector] "c:\program files\creative\mediasource\detector\CTDetect.exe" /R
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [V Stuff Backup] "c:\program files\virginmedia\v stuff backup\v_stuff_backup.exe" /delayed
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Backup & Storage] "c:\program files\virginmedia\v stuff backup\Backup & Storage.exe" /delayed
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [CTSysVol] c:\program files\creative\sbaudigy\surround mixer\CTSysVol.exe /r
mRun: [MBMon] Rundll32 CTMBHA.DLL,MBMon
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [VoiceCenter] "c:\program files\creative\voicecenter\AndreaVC.exe" /tray
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [AOLDialer] c:\program files\common files\aol\acs\AOLDial.exe
mRun: [Corel Photo Downloader] c:\program files\corel\corel photo album 6\MediaDetect.exe
mRun: [EPSON Stylus Photo R220 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIAIE.EXE /P30 "EPSON Stylus Photo R220 Series" /O6 "USB001" /M "Stylus Photo R220"
mRun: [RepliGo Assistant] "c:\program files\cerience\repligo\RepliGoMon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [B2C_AGENT] c:\documents and settings\all users\application data\lgmobileax\b2c_client\B2CNotiAgent.exe"
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [DivX Download Manager] "c:\program files\divx\divx plus web player\DDmService.exe" start
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [ServiceManager.exe] "c:\program files\virgin media\service manager\ServiceManager.exe" /AUTORUN
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [PCTools FGuard] c:\program files\spyware doctor\bdt\FGuard.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\shirle~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\aol90t~1.lnk - c:\program files\aol 9.0\aoltray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\exifla~1.lnk - c:\program files\finepixviewers\QuickDCF2.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\extend~1.lnk - c:\windows\ehome\RMSysTry.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palm\Hotsync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pictur~2.lnk - c:\program files\sony corporation\picture package\picture package menu\SonyTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pictur~1.lnk - c:\program files\sony corporation\picture package\picture package applications\Residence.exe
IE: &Google Search
IE: &Translate English Word
IE: Backward Links
IE: Cached Snapshot of Page
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.html
IE: Similar Pages
IE: Translate Page into English
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
LSP: mswsock.dll
DPF: {00000075-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/voxacm.CAB
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5036.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1259092611031
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {A3256902-51FA-45A0-8A97-FC1143C169D9} - hxxp://support.microsoft.com/mats/DiagWebControl.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {BF6BBE9A-0656-4598-A0CD-32DAC03959B5} - hxxp://www.bootsdigitalphotocentre.com/wpp/boots/app/opcuploader.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {DBDC1CDA-B64B-49F7-9535-6317AA416E51} - hxxps://vdiweb.intraining.co.uk/downloads/VMware-viewclient.cab
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{0327911A-0E8C-4A3B-B811-30F2DFBB88A6} : DhcpNameServer = 192.168.2.1
Filter: application/x-internet-signup - {A173B69A-1F9B-4823-9FDA-412F641E65D6} - c:\program files\tiscali\tiscali internet\dlls\tiscalifilter.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\shirley king\application data\mozilla\firefox\profiles\8rr57ers.default\
FF - prefs.js: keyword.URL - hxxp://www.ask.com/web?&o=13048&l=dis&q=
FF - component: c:\program files\spyware doctor\bdt\firefox\platform\winnt_x86-msvc\components\libheuristic.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrl.1.0.20926.0.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\program files\virgin media\service manager\nprpspa.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: DivX Plus Web Player HTML5 <video>: {23fcfd51-4958-4f00-80a3-ae97e717ed8b} - c:\program files\divx\divx plus web player\firefox\html5video
FF - Ext: DivX HiQ: {6904342A-8307-11DF-A508-4AE2DFD72085} - c:\program files\divx\divx plus web player\firefox\wpa
FF - Ext: Browser Defender Toolbar: {cb84136f-9c44-433a-9048-c5cd9df1dc16} - c:\program files\spyware doctor\bdt\Firefox
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
.
============= SERVICES / DRIVERS ===============
.
R0 RadialpointIDSEH;RadialpointIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-6-20 25608]
R3 vmwvusb;VMware View Generic USB Driver;c:\windows\system32\drivers\vmwvusb.sys [2011-7-20 39984]
S2 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;c:\program files\adobe\elements organizer 8.0\photoshopelementsfileagent.exe --> c:\program files\adobe\elements organizer 8.0\PhotoshopElementsFileAgent.exe [?]
S2 Browser Defender Update Service;Browser Defender Update Service;"c:\program files\spyware doctor\bdt\bdtupdateservice.exe" --> c:\program files\spyware doctor\bdt\BDTUpdateService.exe [?]
S2 DolphinInterceptorStartup;Dolphin Utility Service;c:\windows\system32\dolserve.exe --> c:\windows\system32\dolserve.exe [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-13 135664]
S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\McrdSvc.exe [2005-10-20 96256]
S2 Radialpoint Security Services;Virgin Media Security;c:\program files\virgin media\security\RpsSecurityAwareR.exe [2010-1-4 165408]
S2 RadialpointIDSAgent;RadialpointIDSAgent;c:\program files\virgin media\security\avg\identity protection\agent\bin\AVGIDSAgent.exe [2011-7-28 5832712]
S2 ServicepointService;ServicepointService;"c:\program files\virgin media\service manager\servicepointservice.exe" --> c:\program files\virgin media\service manager\ServicepointService.exe [?]
S2 wsnm;VMware View Client;"c:\program files\vmware\vmware view\client\bin\wsnm.exe" -scmstartup --> c:\program files\vmware\vmware view\client\bin\wsnm.exe [?]
S2 wsnm_usbctrl;VMware View USB Control;"c:\program files\vmware\vmware view\client\bin\wsnm_usbctrl.exe" -scmstartup --> c:\program files\vmware\vmware view\client\bin\wsnm_usbctrl.exe [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-13 135664]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 RadialpointIDSDriver;RadialpointIDSDriver;c:\program files\virgin media\security\avg\identity protection\agent\drivers\AVGIDSDriver.sys [2010-6-20 122376]
S3 RadialpointIDSFilter;RadialpointIDSFilter;c:\program files\virgin media\security\avg\identity protection\agent\drivers\AVGIDSfilter.sys [2010-6-20 30216]
S3 RadialpointIDSShim;RadialpointIDSShim;c:\program files\virgin media\security\avg\identity protection\agent\drivers\AVGIDSShim.sys [2010-6-20 25736]
.
=============== Created Last 30 ================
.
2011-07-28 20:17:37 -------- d-----w- c:\documents and settings\shirley king\local settings\application data\Threat Expert
2011-07-28 19:55:35 -------- d-----w- c:\documents and settings\all users\application data\IObit
2011-07-28 19:55:30 -------- d-----w- c:\program files\IObit
2011-07-28 19:29:43 767952 ----a-w- c:\windows\BDTSupport.dll0701.old
2011-07-28 19:29:43 767952 ----a-w- c:\windows\BDTSupport.dll
2011-07-28 19:29:43 149456 ----a-w- c:\windows\SGDetectionTool.dll0701.old
2011-07-28 19:29:43 149456 ----a-w- c:\windows\SGDetectionTool.dll
2011-07-28 19:29:42 2074576 ----a-w- c:\windows\PCTBDCore.dll
2011-07-28 19:29:42 1652688 ----a-w- c:\windows\PCTBDCore.dll0701.old
2011-07-28 19:29:42 1533904 ----a-w- c:\windows\PCTBDRes.dll
2011-07-28 19:27:02 -------- d-----w- c:\program files\Spyware Doctor
2011-07-28 19:27:02 -------- d-----w- c:\program files\common files\PC Tools
2011-07-20 08:56:10 16928 ------w- c:\windows\system32\spmsgXP_2k3.dll
2011-07-20 08:56:03 39984 ----a-r- c:\windows\system32\drivers\vmwvusb.sys
2011-07-20 08:55:28 -------- d-----w- c:\program files\common files\VMware
.
==================== Find3M ====================
.
2011-07-28 19:04:01 53192 ----a-w- c:\windows\system32\drivers\rp_skt32.sys
2011-07-28 19:03:57 48384 ----a-w- c:\windows\system32\drivers\rp_pkt32.sys
2011-07-06 18:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 18:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-05 19:21:56 4184 --sha-w- c:\windows\system32\KGyGaAvL.sys
2011-07-05 19:21:54 56 --sh--r- c:\windows\system32\8731209D39.sys
2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-02 15:31:52 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-05-02 10:39:47 0 ----a-w- c:\windows\system32\ConduitEngine.tmp
2009-11-22 15:34:57 85504 ----a-w- c:\program files\Inherit.exe
.
============= FINISH: 10:58:15.39 ===============
Please help
Thanks
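As an added example that is not part of this thread (not the posters' code and not DDS's own), here is a small Python triage script for the kind of DDS log posted above. It splits the log into its sections and flags what a helper would look at first in that log: the process image served from `\\.\globalroot\Device\...`, the process entries with no resolvable on-disk path, the Hosts line that sinkholes a real hostname, and hidden+system files in system32. The embedded sample is excerpted from the posted log, with one constructed `defender.exe` line (under All Users\Application Data, where shelf life suggests looking) added so the "outside trusted roots" rule has a hit.

```python
import re
from collections import namedtuple
# Sample: lines excerpted from the DDS log posted above, plus ONE constructed entry
# (defender.exe under All Users\Application Data) so every rule below has a hit.
SAMPLE_DDS = r"""
============== Running Processes ===============
"\\.\globalroot\Device\svchost.exe\svchost.exe"
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Documents and Settings\All Users\Application Data\defender.exe"
.
============== Pseudo HJT Report ===============
Hosts: 127.0.0.1 www.spywareinfo.com
.
==================== Find3M ====================
2011-07-05 19:21:56 4184 --sha-w- c:\windows\system32\KGyGaAvL.sys
2011-07-05 19:21:54 56 --sh--r- c:\windows\system32\8731209D39.sys
2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys
============= FINISH: 10:58:15.39 ===============
"""
Finding = namedtuple("Finding", "section entry reason")
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
FIND3M_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\s+(\d+)\s+(\S{8})\s+(.+)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)$")
# Where a process image is expected to live on this XP box (compared lower-case).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")

def parse_sections(text):
    """Split a DDS log into {section name: [entry lines]}; drops the '.' spacer lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections

def image_path(cmdline):
    """Recover the executable path from a Running Processes entry."""
    if cmdline.startswith('"'):                       # quoted path, args after the quote
        return cmdline[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)(?:\s|$)", cmdline, re.IGNORECASE)
    if m:
        return m.group(1)
    return cmdline.split(" -", 1)[0]                   # e.g. 'svchost -k DcomLaunch'

def triage_processes(entries):
    findings = []
    for entry in entries:
        image = image_path(entry)
        low = image.lower()
        if low.startswith("\\\\.\\") or "\\globalroot\\" in low:
            reason = "image served from the device namespace (rootkit-style path)"
        elif "\\" not in image:
            reason = "no on-disk path could be resolved for this process"
        elif not low.startswith(TRUSTED_ROOTS):
            reason = "runs from outside Windows and Program Files"
        else:
            continue
        findings.append(Finding("Running Processes", entry, reason))
    return findings

def triage_hosts(entries):
    # A real hostname pointed at loopback blocks updates or security sites.
    findings = []
    for entry in entries:
        m = HOSTS_RE.match(entry)
        if not m or m.group(2).lower() == "localhost":
            continue
        if m.group(1) in ("127.0.0.1", "0.0.0.0", "::1"):
            findings.append(Finding("Pseudo HJT Report", entry, f"hosts file sinkholes {m.group(2)}"))
    return findings

def triage_find3m(entries):
    # Hidden+system files in system32 deserve a look (licensing files use these bits too).
    findings = []
    for entry in entries:
        m = FIND3M_RE.match(entry)
        if m and "sh" in m.group(2) and "\\system32\\" in m.group(3).lower():
            findings.append(Finding("Find3M", entry, "hidden+system file in system32; verify"))
    return findings

def triage(text):
    s = parse_sections(text)
    return (triage_processes(s.get("Running Processes", []))
            + triage_hosts(s.get("Pseudo HJT Report", []))
            + triage_find3m(s.get("Find3M", [])))

if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f.section}] {f.reason}\n    {f.entry}")
```

The flags are leads for a human to check, not verdicts; the 4 KB hidden+system `.sys` file in particular is the kind of entry a helper would look up before touching it.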
shelf life
2011-08-08, 19:20
hi scotsking,
Your post is a few days old. If you still need help simply reply back.
scotsking
2011-08-13, 22:29
Hi Shelf Life
Yes I still need help please
Thanks
shelf life
2011-08-14, 04:00
Let's try booting into safe mode and running Malwarebytes. To reach safe mode you would tap the F8 key during a computer restart. Choose the first option from the list: safe mode. Once at the safe mode desktop, run Malwarebytes.
If it doesn't start, try this while still in safe mode: using Explorer, navigate to:
C:\Program Files\Malwarebytes
Right-click on the mbam.exe icon and select Rename.
Rename it to mbam.com, then double-click it and see if it starts up.
Also in safe mode, navigate to C:\Documents and Settings\All Users and you may find the defender.exe you could delete; also look in C:\Documents and Settings\All Users\Application Data for the .exe.
To show all files in Explorer:
For XP: on the desktop double-click My Computer, at the top click on Tools > Folder Options > View, then select "show hidden files and folders", then UNcheck "hide protected operating system files", also UNcheck "hide extensions for known file types", click Apply to All Folders, Apply, then OK.
scotsking
2011-08-14, 16:16
Hi, thanks for getting back to me.
I have re-booted in safe mode and am unable to run Malwarebytes; message: "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."
Also I am unable to rename the mbam.exe; message: "Cannot rename mbam: Access is denied. Make sure the disk is not full or write-protected and that the file is not currently in use."
I cannot find any sign of defender.exe in the users folder or application data.
Hope you can help.
Thanks
shelf life
2011-08-14, 20:54
OK, try this instead. Download each of these to your desktop:
link (http://download.bleepingcomputer.com/grinler/rkill.scr)
link (http://download.bleepingcomputer.com/grinler/rkill.pif)
link (http://download.bleepingcomputer.com/grinler/iExplore.exe)
link (http://download.bleepingcomputer.com/grinler/uSeRiNiT.exe)
Double-click one and allow it to run. It will produce a console window that will open and close by itself. Once it's done, try running Malwarebytes.
If Malwarebytes won't start, then try the next download and allow it to run, then try Malwarebytes again. Continue with the next two. Hopefully Malwarebytes will run.
You can also repeat the process back in safe mode. Note that these do not delete malware; they only attempt to stop certain processes from running.
scotsking
2011-08-14, 22:04
Hi
Ran the 1st, 3rd and 4th links (the 2nd would not work) in normal mode and am still not able to run Malwarebytes.
Ran the same 3 in safe mode and am still not able to run Malwarebytes.
What's next?
Shirl.
shelf life
2011-08-14, 23:59
Read through this guide first, then apply the directions on your machine.
Guide to using Combofix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)
scotsking
2011-08-15, 21:46
Hi
Loaded ComboFix and set it to run. It came up with a message about Virgin Media Security running, which I checked, and there was no sign of it running, so I continued with the process. A message box said "ComboFix Zero Access"; I missed the rest, but another message came up that ComboFix would reboot the machine.
It has been an hour since this message and the PC has not shut down. Just the desktop screen, no icons, just the mouse pointer.
What should I do?
Shirl.
shelf life
2011-08-16, 00:02
Go ahead and reboot the machine (if you haven't already) and restart it in safe mode, try running combofix again while in safe mode.
scotsking
2011-08-16, 00:45
Hi
Rebooted in safe mode with networking and ComboFix started. Text file below:
ComboFix 11-08-15.07 - Shirley King 15/08/2011 22:21:23.6.2 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.791 [GMT 1:00]
Running from: c:\documents and settings\Shirley King\Desktop\ComboFix.exe
AV: Virgin Media Security Anti-Virus *Enabled/Updated* {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}
FW: Virgin Media Security Firewall *Enabled* {80593BF4-D969-4EC5-ADAE-A22F2DFC7A22}
.
ADS - WINDOWS: deleted 0 bytes in 1 streams.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Shirley King\Application Data\Adobe\plugs
c:\documents and settings\Shirley King\Application Data\Adobe\shed
c:\documents and settings\Shirley King\Application Data\Adobe\shed\thr1.chm
c:\documents and settings\Shirley King\Application Data\PriceGong
c:\documents and settings\Shirley King\Application Data\PriceGong\Data\1.xml
c:\documents and settings\Shirley King\Application Data\PriceGong\Data\a.xml
c:\documents and settings\Shirley King\Application Data\PriceGong\Data\b.xml
c:\documents and settings\Shirley King\Application Data\PriceGong\Data\c.xml
c:\documents and settings\Shirley King\Application Data\PriceGong\Data\d.xml
c:\documents and settings\Shirley King\Application Data\PriceGong\Data\e.xml
c:\documents and settings\Shirley King\Application Data\PriceGong\Data\f.xml
c:\documents and settings\Shirley King\Application Data\PriceGong\Data\g.xml
c:\documents and settings\Shirley King\Application Data\PriceGong\Data\h.xml
c:\documents and settings\Shirley King\Application Data\PriceGong\Data\i.xml
c:\documents and settings\Shirley King\Application Data\PriceGong\Data\J.xml
c:\documents and settings\Shirley King\Application Data\PriceGong\Data\k.xml
c:\documents and settings\Shirley King\Application Data\PriceGong\Data\l.xml
c:\documents and settings\Shirley King\Application Data\PriceGong\Data\m.xml
c:\documents and settings\Shirley King\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\Shirley King\Application Data\PriceGong\Data\n.xml
c:\documents and settings\Shirley King\Application Data\PriceGong\Data\o.xml
c:\documents and settings\Shirley King\Application Data\PriceGong\Data\p.xml
c:\documents and settings\Shirley King\Application Data\PriceGong\Data\q.xml
c:\documents and settings\Shirley King\Application Data\PriceGong\Data\r.xml
c:\documents and settings\Shirley King\Application Data\PriceGong\Data\s.xml
c:\documents and settings\Shirley King\Application Data\PriceGong\Data\t.xml
c:\documents and settings\Shirley King\Application Data\PriceGong\Data\u.xml
c:\documents and settings\Shirley King\Application Data\PriceGong\Data\v.xml
c:\documents and settings\Shirley King\Application Data\PriceGong\Data\w.xml
c:\documents and settings\Shirley King\Application Data\PriceGong\Data\x.xml
c:\documents and settings\Shirley King\Application Data\PriceGong\Data\y.xml
c:\documents and settings\Shirley King\Application Data\PriceGong\Data\z.xml
c:\documents and settings\Shirley King\WINDOWS
c:\windows\$NtUninstallKB1802$
c:\windows\$NtUninstallKB1802$\1603512166\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}
c:\windows\$NtUninstallKB1802$\1603512166\click.tlb
c:\windows\$NtUninstallKB1802$\1603512166\L\pdmzmplg
c:\windows\$NtUninstallKB1802$\1603512166\loader.tlb
c:\windows\$NtUninstallKB1802$\1603512166\U\@00000001
c:\windows\$NtUninstallKB1802$\1603512166\U\@000000c0
c:\windows\$NtUninstallKB1802$\1603512166\U\@000000cb
c:\windows\$NtUninstallKB1802$\1603512166\U\@000000cf
c:\windows\$NtUninstallKB1802$\1603512166\U\@80000000
c:\windows\$NtUninstallKB1802$\1603512166\U\@800000c0
c:\windows\$NtUninstallKB1802$\1603512166\U\@800000cb
c:\windows\$NtUninstallKB1802$\1603512166\U\@800000cf
c:\windows\$NtUninstallKB1802$\1896645999
c:\windows\system32\c_16845.nls
c:\windows\system32\regobj.dll
c:\windows\system32\rnaph.dll
c:\windows\system32\system
c:\windows\system32\Thumbs.db
.
Infected copy of c:\windows\system32\drivers\netbt.sys was found and disinfected
Restored copy from - The cat found it :)
Infected copy of c:\windows\system32\wuauclt.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\wuauclt.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-07-15 to 2011-08-15 )))))))))))))))))))))))))))))))
.
.
2011-08-15 17:30 . 2008-04-13 19:21 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2011-08-14 18:40 . 2011-06-24 14:10 139656 ------w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-14 18:40 . 2011-07-08 14:02 10496 ------w- c:\windows\system32\dllcache\ndistapi.sys
2011-08-02 20:14 . 2011-08-02 20:14 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-08-02 19:55 . 2011-08-02 20:18 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-07-31 09:51 . 2011-07-31 09:51 -------- d-----w- c:\program files\ERUNT
2011-07-28 20:27 . 2011-07-28 20:27 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2011-07-28 20:17 . 2011-07-28 20:17 -------- d-----w- c:\documents and settings\Shirley King\Local Settings\Application Data\Threat Expert
2011-07-28 19:55 . 2011-07-28 19:55 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2011-07-28 19:55 . 2011-07-28 19:55 -------- d-----w- c:\program files\IObit
2011-07-28 19:29 . 2011-04-27 14:37 149456 ----a-w- c:\windows\SGDetectionTool.dll
2011-07-28 19:29 . 2011-04-27 14:36 767952 ----a-w- c:\windows\BDTSupport.dll
2011-07-28 19:29 . 2011-04-27 14:37 2074576 ----a-w- c:\windows\PCTBDCore.dll
2011-07-28 19:29 . 2011-04-27 14:37 1533904 ----a-w- c:\windows\PCTBDRes.dll
2011-07-28 19:27 . 2011-07-28 20:41 -------- d-----w- c:\program files\Spyware Doctor
2011-07-28 19:27 . 2011-07-28 20:41 -------- d-----w- c:\program files\Common Files\PC Tools
2011-07-20 08:56 . 2008-11-07 17:55 16928 ------w- c:\windows\system32\spmsgXP_2k3.dll
2011-07-20 08:56 . 2011-02-18 17:38 39984 ----a-r- c:\windows\system32\drivers\vmwvusb.sys
2011-07-20 08:55 . 2011-07-20 08:55 -------- d-----w- c:\program files\Common Files\VMware
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-28 19:04 . 2009-11-05 23:15 53192 ----a-w- c:\windows\system32\drivers\rp_skt32.sys
2011-07-28 19:03 . 2009-11-05 23:15 48384 ----a-w- c:\windows\system32\drivers\rp_pkt32.sys
2011-07-15 13:29 . 2006-02-20 23:01 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2005-08-16 04:18 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-06 18:52 . 2008-08-03 09:18 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-06 18:52 . 2008-08-03 09:18 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-24 14:10 . 2005-08-16 04:37 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36 . 2005-08-16 04:18 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36 . 2005-08-16 04:18 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36 . 2005-08-16 04:18 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05 . 2005-08-16 04:18 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44 . 2005-08-16 04:18 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-06-02 14:02 . 2005-08-16 04:18 1858944 ----a-w- c:\windows\system32\win32k.sys
2009-11-22 15:34 . 2009-11-22 15:37 85504 ----a-w- c:\program files\Inherit.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2011-01-17 14:54 175912 ----a-w- c:\program files\ConduitEngine\prxConduitEngine.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\prxConduitEngine.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\prxConduitEngine.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SKIcoBackuped]
@="{7E5951A0-8683-432A-9483-5F43168D6A8C}"
[HKEY_CLASSES_ROOT\CLSID\{7E5951A0-8683-432A-9483-5F43168D6A8C}]
2011-04-04 09:35 3047088 ----a-w- c:\program files\VirginMedia\V Stuff Backup\AGSIconOverlay.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SKIcoSelected]
@="{15054241-49B4-4FA6-B4C7-A0071F118110}"
[HKEY_CLASSES_ROOT\CLSID\{15054241-49B4-4FA6-B4C7-A0071F118110}]
2011-04-04 09:35 3047088 ----a-w- c:\program files\VirginMedia\V Stuff Backup\AGSIconOverlay.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2004-07-19 306688]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-15 68856]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Backup & Storage"="c:\program files\VirginMedia\V Stuff Backup\Backup & Storage.exe" [2011-04-04 12273328]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 339968]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-09-15 57344]
"MBMon"="CTMBHA.DLL" [2005-05-19 1345520]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"VoiceCenter"="c:\program files\Creative\VoiceCenter\AndreaVC.exe" [2005-09-19 1159168]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2007-01-10 71216]
"EPSON Stylus Photo R220 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAIE.EXE" [2005-03-09 98304]
"RepliGo Assistant"="c:\program files\Cerience\RepliGo\RepliGoMon.exe" [2005-11-07 172032]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 1121280]
"B2C_AGENT"="c:\documents and settings\All Users\Application Data\LGMOBILEAX\B2C_Client\B2CNotiAgent.exe" [2010-03-16 300992]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-12-09 1226608]
"DivX Download Manager"="c:\program files\DivX\DivX Plus Web Player\DDmService.exe" [2010-12-08 63360]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"ServiceManager.exe"="c:\program files\Virgin Media\Service Manager\ServiceManager.exe" [2011-03-25 4371768]
"PCTools FGuard"="c:\program files\Spyware Doctor\BDT\FGuard.exe" [2011-04-27 247760]
"Corel Photo Downloader"="c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe" [2005-11-17 106496]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\Shirley King\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
AOL 9.0 Tray Icon.lnk - c:\program files\AOL 9.0\aoltray.exe [2006-2-21 156784]
Exif Launcher S.lnk - c:\program files\FinePixViewerS\QuickDCF2.exe [2007-10-20 303104]
Extender Resource Monitor.lnk - c:\windows\ehome\RMSysTry.exe [2005-10-20 18432]
HOTSYNCSHORTCUTNAME.lnk - c:\program files\Palm\Hotsync.exe [2004-6-9 471040]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
Picture Package Menu.lnk - c:\program files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe [2006-3-2 151552]
Picture Package VCD Maker.lnk - c:\program files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe [2006-3-2 106496]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest wsauth
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Radialpoint Security Services]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ServicepointService]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Palm\\HOTSYNC.EXE"=
"c:\\Documents and Settings\\Shirley King\\Application Data\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\AOL 9.0\\waol.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Adobe\\Elements Organizer 8.0\\AdobePhotoshopElementsMediaServer.exe"=
"c:\\Program Files\\VMware\\VMware View\\Client\\bin\\vmware-remotemks.exe"=
"c:\\Program Files\\VMware\\VMware View\\Client\\bin\\wswc.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3776:UDP"= 3776:UDP:Media Center Extender Service
"3390:TCP"= 3390:TCP:Remote Media Center Experience
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
.
R0 RadialpointIDSEH;RadialpointIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [20/06/2010 11:10 25608]
R2 RadialpointIDSAgent;RadialpointIDSAgent;c:\program files\Virgin Media\Security\AVG\Identity Protection\agent\bin\AVGIDSAgent.exe [28/07/2011 20:03 5832712]
R3 RadialpointIDSDriver;RadialpointIDSDriver;c:\program files\Virgin Media\Security\AVG\Identity Protection\agent\drivers\AVGIDSDriver.sys [20/06/2010 11:10 122376]
R3 RadialpointIDSFilter;RadialpointIDSFilter;c:\program files\Virgin Media\Security\AVG\Identity Protection\agent\drivers\AVGIDSfilter.sys [20/06/2010 11:10 30216]
R3 RadialpointIDSShim;RadialpointIDSShim;c:\program files\Virgin Media\Security\AVG\Identity Protection\agent\drivers\AVGIDSShim.sys [20/06/2010 11:10 25736]
R3 vmwvusb;VMware View Generic USB Driver;c:\windows\system32\drivers\vmwvusb.sys [20/07/2011 09:56 39984]
S2 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;c:\program files\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe --> c:\program files\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe [?]
S2 Browser Defender Update Service;Browser Defender Update Service;"c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe" --> c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [?]
S2 DolphinInterceptorStartup;Dolphin Utility Service;c:\windows\system32\dolserve.exe --> c:\windows\system32\dolserve.exe [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [13/02/2010 18:10 135664]
S2 Radialpoint Security Services;Virgin Media Security;c:\program files\Virgin Media\Security\RpsSecurityAwareR.exe [04/01/2010 12:17 165408]
S2 ServicepointService;ServicepointService;"c:\program files\Virgin Media\Service Manager\ServicepointService.exe" --> c:\program files\Virgin Media\Service Manager\ServicepointService.exe [?]
S2 wsnm;VMware View Client;"c:\program files\VMware\VMware View\Client\bin\wsnm.exe" -SCMStartup --> c:\program files\VMware\VMware View\Client\bin\wsnm.exe [?]
S2 wsnm_usbctrl;VMware View USB Control;"c:\program files\VMware\VMware View\Client\bin\wsnm_usbctrl.exe" -SCMStartup --> c:\program files\VMware\VMware View\Client\bin\wsnm_usbctrl.exe [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [13/02/2010 18:10 135664]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [15/01/2010 13:49 227232]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE
bdx REG_MULTI_SZ scan sysagent
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-13 17:10]
.
2011-08-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-13 17:10]
.
.
------- Supplementary Scan -------
.
uStart Page = www.ntlworld.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = about:blank
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Google Search
IE: &Translate English Word
IE: Backward Links
IE: Cached Snapshot of Page
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_70C5B381380DB17F.dll/cmsidewiki.html
IE: Similar Pages
IE: Translate Page into English
TCP: DhcpNameServer = 192.168.2.1
FF - ProfilePath - c:\documents and settings\Shirley King\Application Data\Mozilla\Firefox\Profiles\8rr57ers.default\
FF - prefs.js: keyword.URL - hxxp://www.ask.com/web?&o=13048&l=dis&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: DivX Plus Web Player HTML5 <video>: {23fcfd51-4958-4f00-80a3-ae97e717ed8b} - c:\program files\DivX\DivX Plus Web Player\firefox\html5video
FF - Ext: DivX HiQ: {6904342A-8307-11DF-A508-4AE2DFD72085} - c:\program files\DivX\DivX Plus Web Player\firefox\wpa
FF - Ext: Browser Defender Toolbar: {cb84136f-9c44-433a-9048-c5cd9df1dc16} - c:\program files\Spyware Doctor\BDT\Firefox
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
WebBrowser-{A386D4B0-FDDB-4E1C-AE61-4F014013CD9B} - (no file)
HKCU-Run-V Stuff Backup - c:\program files\VirginMedia\V Stuff Backup\v_stuff_backup.exe
AddRemove-AVS4YOU Video Converter 6_is1 - c:\my downloads\AVSVideoConverter6\unins000.exe
AddRemove-MovieJoiner - c:\documents and settings\Nick Parker\My Documents\Palm T3\Power One\Movie Joiner\uninst.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-15 22:34
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(952)
c:\windows\system32\wsauth.dll
.
- - - - - - - > 'lsass.exe'(1008)
c:\windows\system32\wsauth.dll
.
- - - - - - - > 'explorer.exe'(3384)
c:\windows\system32\WININET.dll
c:\program files\VirginMedia\V Stuff Backup\AGSIconOverlay.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\program files\Creative\Creative Zen Micro\Zen Micro Media Explorer\CTJBNS2.dll
c:\program files\Creative\Creative Zen Micro\Zen Micro Media Explorer\CTIntrfc.dll
c:\program files\Creative\Creative Zen Micro\Zen Micro Media Explorer\CTConfig.DLL
c:\program files\Creative\Creative Zen Micro\Zen Micro Media Explorer\JBNSRES.DLL
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\AOL\ACS\AOLAcsd.exe
c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\windows\ehome\RMSvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\stsystra.exe
c:\windows\system32\Rundll32.exe
c:\windows\eHome\ehmsas.exe
c:\docume~1\SHIRLE~1\LOCALS~1\Temp\clclean.0001
c:\program files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
.
**************************************************************************
.
Completion time: 2011-08-15 22:41:14 - machine was rebooted
ComboFix-quarantined-files.txt 2011-08-15 21:41
.
Pre-Run: 108,939,718,656 bytes free
Post-Run: 108,104,904,704 bytes free
.
- - End Of File - - 1F021F99CCA1828263A40DA708D6BC99
Still not able to run Malwarebytes, Spybot or Virgin Media Security.
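Editor's note on the log above (added here; not part of the thread or of any tool's output). Two details in that ComboFix run deserve a second look before the machine is declared clean: the LSA value `Security Packages` reads `kerberos msv1_0 schannel wdigest wsauth`, and `wsauth.dll` is listed as loaded inside both `winlogon.exe` and `lsass.exe`. An LSA Security Support Provider is loaded by lsass at boot, so a rogue entry there is a classic persistence and credential-capture location. Legitimate products register SSPs too, so a hit is a prompt to verify the DLL's publisher signature and install date, not a verdict. The script below is an added triage helper, not code from the page: it parses the two ComboFix sections, compares the package list against an assumed Windows XP SP3 baseline (`kerberos msv1_0 schannel wdigest`, which should be checked against a known-clean machine of the same build), and reports which processes have loaded a DLL named after any non-baseline package. The sample input is constructed from the lines of the log above.

```python
from __future__ import annotations
import re

# Assumed baseline for the LSA "Security Packages" value on Windows XP SP3.
# Confirm against a known-clean host of the same build before relying on it.
XP_DEFAULT_SECURITY_PACKAGES = {"kerberos", "msv1_0", "schannel", "wdigest"}

# Constructed sample: the relevant lines copied from the ComboFix log above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest wsauth
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(952)
c:\windows\system32\wsauth.dll
.
- - - - - - - > 'lsass.exe'(1008)
c:\windows\system32\wsauth.dll
.
- - - - - - - > 'explorer.exe'(3384)
c:\windows\system32\WININET.dll
c:\program files\VirginMedia\V Stuff Backup\AGSIconOverlay.dll
.
------------------------ Other Running Processes ------------------------
"""

_PKG_RE = re.compile(r"^Security Packages\s+REG_MULTI_SZ\s+(.*)$", re.M | re.I)
_PROC_RE = re.compile(r"^(?:- )+> '([^']+)'\((\d+)\)\s*$")
_DLL_SECTION = "DLLs Loaded Under Running Processes"


def parse_security_packages(log: str) -> list[str]:
    """Return the LSA Security Packages list in registry order, lower-cased."""
    m = _PKG_RE.search(log)
    return [p.lower() for p in m.group(1).split()] if m else []


def extra_security_packages(log: str, baseline=XP_DEFAULT_SECURITY_PACKAGES) -> list[str]:
    """Packages registered on the host that are not in the baseline, in registry order."""
    return [p for p in parse_security_packages(log) if p not in baseline]


def parse_loaded_dlls(log: str) -> dict[str, list[str]]:
    """Map 'process.exe' -> [dll paths] from the 'DLLs Loaded Under Running Processes' section."""
    loaded: dict[str, list[str]] = {}
    current = None
    in_section = False
    for line in log.splitlines():
        line = line.strip()
        if _DLL_SECTION in line:
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith("------"):  # the next section header ends the DLL listing
            break
        m = _PROC_RE.match(line)
        if m:
            current = m.group(1).lower()
            loaded.setdefault(current, [])
        elif current and line.lower().startswith("c:\\"):
            loaded[current].append(line)
    return loaded


def ssp_report(log: str) -> dict[str, list[str]]:
    """For each non-baseline security package, the processes that loaded a DLL of that name."""
    loaded = parse_loaded_dlls(log)
    report: dict[str, list[str]] = {}
    for pkg in extra_security_packages(log):
        hosts = sorted(
            proc for proc, dlls in loaded.items()
            if any(d.lower().rsplit("\\", 1)[-1] == f"{pkg}.dll" for d in dlls)
        )
        report[pkg] = hosts
    return report


if __name__ == "__main__":
    for pkg, hosts in ssp_report(SAMPLE_LOG).items():
        print(f"non-baseline SSP {pkg!r} loaded in: {', '.join(hosts) or 'no listed process'}")
```

Run against the sample it reports `wsauth` as the only non-baseline package, loaded in `lsass.exe` and `winlogon.exe`. The next step on the real machine is to check `c:\windows\system32\wsauth.dll` for a valid publisher signature and an install date that matches known software, and only then decide whether the entry is benign.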
shelf life
2011-08-16, 01:30
OK, good. Progress. So what happens now when you try to run Malwarebytes or your AV?
Try running ComboFix now after a normal boot-up.
scotsking
2011-08-16, 20:54
Hi, ComboFix run in normal.
ComboFix 11-08-16.02 - Shirley King 16/08/2011 18:29:46.7.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.577 [GMT 1:00]
Running from: c:\documents and settings\Shirley King\Desktop\ComboFix.exe
AV: Virgin Media Security Anti-Virus *Enabled/Updated* {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}
FW: Virgin Media Security Firewall *Enabled* {80593BF4-D969-4EC5-ADAE-A22F2DFC7A22}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\docume~1\SHIRLE~1\LOCALS~1\Temp\clclean.0001.dir.0001\~df394b.tmp
.
.
((((((((((((((((((((((((( Files Created from 2011-07-16 to 2011-08-16 )))))))))))))))))))))))))))))))
.
.
2011-08-15 22:05 . 2011-08-15 22:05 -------- d-----w- c:\program files\Raxco
2011-08-15 22:05 . 2011-08-15 22:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Raxco
2011-08-15 17:30 . 2008-04-13 19:21 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2011-08-14 18:40 . 2011-06-24 14:10 139656 ------w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-14 18:40 . 2011-07-08 14:02 10496 ------w- c:\windows\system32\dllcache\ndistapi.sys
2011-08-02 20:14 . 2011-08-02 20:14 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-08-02 19:55 . 2011-08-02 20:18 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-07-31 09:51 . 2011-07-31 09:51 -------- d-----w- c:\program files\ERUNT
2011-07-28 20:27 . 2011-07-28 20:27 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2011-07-28 20:17 . 2011-07-28 20:17 -------- d-----w- c:\documents and settings\Shirley King\Local Settings\Application Data\Threat Expert
2011-07-28 19:55 . 2011-07-28 19:55 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2011-07-28 19:55 . 2011-07-28 19:55 -------- d-----w- c:\program files\IObit
2011-07-28 19:29 . 2011-04-27 14:37 149456 ----a-w- c:\windows\SGDetectionTool.dll
2011-07-28 19:29 . 2011-04-27 14:36 767952 ----a-w- c:\windows\BDTSupport.dll
2011-07-28 19:29 . 2011-04-27 14:37 2074576 ----a-w- c:\windows\PCTBDCore.dll
2011-07-28 19:29 . 2011-04-27 14:37 1533904 ----a-w- c:\windows\PCTBDRes.dll
2011-07-28 19:27 . 2011-07-28 20:41 -------- d-----w- c:\program files\Spyware Doctor
2011-07-28 19:27 . 2011-07-28 20:41 -------- d-----w- c:\program files\Common Files\PC Tools
2011-07-20 08:56 . 2008-11-07 17:55 16928 ------w- c:\windows\system32\spmsgXP_2k3.dll
2011-07-20 08:56 . 2011-02-18 17:38 39984 ----a-r- c:\windows\system32\drivers\vmwvusb.sys
2011-07-20 08:55 . 2011-07-20 08:55 -------- d-----w- c:\program files\Common Files\VMware
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-28 19:04 . 2009-11-05 23:15 53192 ----a-w- c:\windows\system32\drivers\rp_skt32.sys
2011-07-28 19:03 . 2009-11-05 23:15 48384 ----a-w- c:\windows\system32\drivers\rp_pkt32.sys
2011-07-15 13:29 . 2006-02-20 23:01 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2005-08-16 04:18 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-06 18:52 . 2008-08-03 09:18 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-06 18:52 . 2008-08-03 09:18 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-24 14:10 . 2005-08-16 04:37 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36 . 2005-08-16 04:18 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36 . 2005-08-16 04:18 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36 . 2005-08-16 04:18 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05 . 2005-08-16 04:18 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44 . 2005-08-16 04:18 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-06-02 14:02 . 2005-08-16 04:18 1858944 ----a-w- c:\windows\system32\win32k.sys
2009-11-22 15:34 . 2009-11-22 15:37 85504 ----a-w- c:\program files\Inherit.exe
.
.
((((((((((((((((((((((((((((( SnapShot@2011-08-15_21.34.32 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-08-16 17:15 . 2011-08-16 17:15 16384 c:\windows\temp\Perflib_Perfdata_79c.dat
+ 2009-06-08 09:00 . 2009-06-08 09:00 71696 c:\windows\system32\drivers\DefragFs.sys
+ 2011-08-15 22:06 . 2011-08-15 22:06 53248 c:\windows\Installer\{7673108D-9DED-4454-9712-FB2771D94446}\ARPPRODUCTICON.exe
+ 2011-08-16 17:40 . 2011-08-16 17:40 37888 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Pres#\343c52b741531ce9ae874ea7508831a7\System.Windows.Presentation.ni.dll
- 2011-08-15 17:40 . 2011-08-15 17:40 37888 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Pres#\343c52b741531ce9ae874ea7508831a7\System.Windows.Presentation.ni.dll
- 2011-08-15 17:40 . 2011-08-15 17:40 36864 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.DynamicD#\246110974e3c48733458819b07464b23\System.Web.DynamicData.Design.ni.dll
+ 2011-08-16 17:39 . 2011-08-16 17:39 36864 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.DynamicD#\246110974e3c48733458819b07464b23\System.Web.DynamicData.Design.ni.dll
- 2011-08-15 17:38 . 2011-08-15 17:38 94208 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ComponentMod#\ace861fe8dbf146c3e449abaa7691e9f\System.ComponentModel.DataAnnotations.ni.dll
+ 2011-08-15 22:02 . 2011-08-15 22:02 94208 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ComponentMod#\ace861fe8dbf146c3e449abaa7691e9f\System.ComponentModel.DataAnnotations.ni.dll
- 2011-08-15 17:39 . 2011-08-15 17:39 55296 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Vsa\f9c514544c8e23220493cd42a0e20678\Microsoft.Vsa.ni.dll
+ 2011-08-16 17:38 . 2011-08-16 17:38 55296 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Vsa\f9c514544c8e23220493cd42a0e20678\Microsoft.Vsa.ni.dll
+ 2009-06-08 11:07 . 2009-06-08 11:07 232200 c:\windows\system32\PDBoot.exe
+ 2011-08-15 22:06 . 2011-08-15 22:06 335360 c:\windows\Installer\1de3e4.msi
+ 2011-08-15 22:05 . 2011-08-15 22:05 371894 c:\windows\Installer\{7B738CD9-D107-48C7-8E65-2E6639A39C8D}\ARPPRODUCTICON.exe
+ 2011-08-16 07:11 . 2011-08-16 07:11 192512 c:\windows\erdnt\AutoBackup\16-08-2011\Users\00000002\UsrClass.dat
+ 2011-08-16 07:11 . 2005-10-20 11:02 163328 c:\windows\erdnt\AutoBackup\16-08-2011\ERDNT.EXE
+ 2011-08-15 21:56 . 2011-08-15 21:56 321536 c:\windows\assembly\NativeImages_v2.0.50727_32\WsatConfig\cc14c69205b984edba1db26fd5e421ac\WsatConfig.ni.exe
- 2011-08-15 17:37 . 2011-08-15 17:37 321536 c:\windows\assembly\NativeImages_v2.0.50727_32\WsatConfig\cc14c69205b984edba1db26fd5e421ac\WsatConfig.ni.exe
- 2011-08-15 17:40 . 2011-08-15 17:40 400896 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Xml.Linq\946eefb99bc116ee68e0e7c69a5a8a5c\System.Xml.Linq.ni.dll
+ 2011-08-16 17:40 . 2011-08-16 17:40 400896 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Xml.Linq\946eefb99bc116ee68e0e7c69a5a8a5c\System.Xml.Linq.ni.dll
+ 2011-08-16 17:39 . 2011-08-16 17:39 129536 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Routing\a82eef3128b9527dc05b3c8667e713bc\System.Web.Routing.ni.dll
- 2011-08-15 17:39 . 2011-08-15 17:39 129536 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Routing\a82eef3128b9527dc05b3c8667e713bc\System.Web.Routing.ni.dll
+ 2011-08-16 17:40 . 2011-08-16 17:40 202240 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.RegularE#\203c148c913357bfc2ae9d209101f2b3\System.Web.RegularExpressions.ni.dll
- 2011-08-15 17:40 . 2011-08-15 17:40 202240 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.RegularE#\203c148c913357bfc2ae9d209101f2b3\System.Web.RegularExpressions.ni.dll
+ 2011-08-16 17:39 . 2011-08-16 17:39 859648 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Extensio#\f89fe39468ea6faf71c4257c89cf3c54\System.Web.Extensions.Design.ni.dll
- 2011-08-15 17:40 . 2011-08-15 17:40 859648 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Extensio#\f89fe39468ea6faf71c4257c89cf3c54\System.Web.Extensions.Design.ni.dll
+ 2011-08-16 17:39 . 2011-08-16 17:39 328704 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Entity\2314ff800782dc85224e69e802a073f7\System.Web.Entity.ni.dll
- 2011-08-15 17:40 . 2011-08-15 17:40 328704 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Entity\2314ff800782dc85224e69e802a073f7\System.Web.Entity.ni.dll
+ 2011-08-16 17:39 . 2011-08-16 17:39 301056 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Entity.D#\f690a8f5d784a5bb20f2cbaa7277eb6c\System.Web.Entity.Design.ni.dll
- 2011-08-15 17:40 . 2011-08-15 17:40 301056 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Entity.D#\f690a8f5d784a5bb20f2cbaa7277eb6c\System.Web.Entity.Design.ni.dll
+ 2011-08-16 17:39 . 2011-08-16 17:39 547328 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.DynamicD#\c5c96400424b85536443623f96f64581\System.Web.DynamicData.ni.dll
- 2011-08-15 17:40 . 2011-08-15 17:40 547328 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.DynamicD#\c5c96400424b85536443623f96f64581\System.Web.DynamicData.ni.dll
+ 2011-08-16 17:39 . 2011-08-16 17:39 141312 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Abstract#\5f8e87b47465a038403e73012c6d102a\System.Web.Abstractions.ni.dll
- 2011-08-15 17:39 . 2011-08-15 17:39 141312 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Abstract#\5f8e87b47465a038403e73012c6d102a\System.Web.Abstractions.ni.dll
+ 2011-08-16 17:38 . 2011-08-16 17:38 627200 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Transactions\846dd505f97805f00999ee26aec9bf75\System.Transactions.ni.dll
- 2011-08-15 17:39 . 2011-08-15 17:39 627200 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Transactions\846dd505f97805f00999ee26aec9bf75\System.Transactions.ni.dll
+ 2011-08-16 17:38 . 2011-08-16 17:38 212992 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\70a1400affdc775d7c7398e036359286\System.ServiceProcess.ni.dll
- 2011-08-15 17:39 . 2011-08-15 17:39 212992 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\70a1400affdc775d7c7398e036359286\System.ServiceProcess.ni.dll
- 2011-08-15 17:37 . 2011-08-15 17:37 679936 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Security\de9cd25ccb24bcf8a0316756e766721f\System.Security.ni.dll
+ 2011-08-15 21:56 . 2011-08-15 21:56 679936 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Security\de9cd25ccb24bcf8a0316756e766721f\System.Security.ni.dll
+ 2011-08-16 17:38 . 2011-08-16 17:38 311296 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Seri#\21248037960cf6dfa2ce401d355bd6c9\System.Runtime.Serialization.Formatters.Soap.ni.dll
- 2011-08-15 17:39 . 2011-08-15 17:39 311296 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Seri#\21248037960cf6dfa2ce401d355bd6c9\System.Runtime.Serialization.Formatters.Soap.ni.dll
- 2011-08-15 17:39 . 2011-08-15 17:39 621056 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Net\480ea914e13fe41cdd8fb542bb1f7e81\System.Net.ni.dll
+ 2011-08-16 17:38 . 2011-08-16 17:38 621056 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Net\480ea914e13fe41cdd8fb542bb1f7e81\System.Net.ni.dll
+ 2011-08-16 17:38 . 2011-08-16 17:38 998400 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Management\6e563a58e6fc0117070d5b8fd59e4e1b\System.Management.ni.dll
- 2011-08-15 17:39 . 2011-08-15 17:39 998400 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Management\6e563a58e6fc0117070d5b8fd59e4e1b\System.Management.ni.dll
- 2011-08-15 17:39 . 2011-08-15 17:39 330752 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Management.I#\dc72c7581f1b3794c0ea595ba02ff7ad\System.Management.Instrumentation.ni.dll
+ 2011-08-16 17:38 . 2011-08-16 17:38 330752 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Management.I#\dc72c7581f1b3794c0ea595ba02ff7ad\System.Management.Instrumentation.ni.dll
+ 2011-08-15 21:55 . 2011-08-15 21:55 381440 c:\windows\assembly\NativeImages_v2.0.50727_32\System.IO.Log\fcf8612a210d1f76e0b37dc8467b4696\System.IO.Log.ni.dll
- 2011-08-15 17:36 . 2011-08-15 17:36 381440 c:\windows\assembly\NativeImages_v2.0.50727_32\System.IO.Log\fcf8612a210d1f76e0b37dc8467b4696\System.IO.Log.ni.dll
+ 2011-08-15 21:55 . 2011-08-15 21:55 212992 c:\windows\assembly\NativeImages_v2.0.50727_32\System.IdentityMode#\ec017b5a95d02fccaefd835490ef1e14\System.IdentityModel.Selectors.ni.dll
- 2011-08-15 17:36 . 2011-08-15 17:36 212992 c:\windows\assembly\NativeImages_v2.0.50727_32\System.IdentityMode#\ec017b5a95d02fccaefd835490ef1e14\System.IdentityModel.Selectors.ni.dll
+ 2011-08-16 17:37 . 2011-08-16 17:37 280064 c:\windows\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\75f452279422a7898e840ee5768c9d2e\System.EnterpriseServices.Wrapper.dll
- 2011-08-15 17:39 . 2011-08-15 17:39 280064 c:\windows\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\75f452279422a7898e840ee5768c9d2e\System.EnterpriseServices.Wrapper.dll
- 2011-08-15 17:39 . 2011-08-15 17:39 627712 c:\windows\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\75f452279422a7898e840ee5768c9d2e\System.EnterpriseServices.ni.dll
+ 2011-08-16 17:37 . 2011-08-16 17:37 627712 c:\windows\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\75f452279422a7898e840ee5768c9d2e\System.EnterpriseServices.ni.dll
- 2011-08-15 17:39 . 2011-08-15 17:39 881152 c:\windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\822c996e6ad4901219b7de399a6f78bf\System.DirectoryServices.AccountManagement.ni.dll
+ 2011-08-16 17:37 . 2011-08-16 17:37 881152 c:\windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\822c996e6ad4901219b7de399a6f78bf\System.DirectoryServices.AccountManagement.ni.dll
+ 2011-08-16 17:37 . 2011-08-16 17:37 455680 c:\windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\1ffe911e62f482e42be2c4428bd08c10\System.DirectoryServices.Protocols.ni.dll
- 2011-08-15 17:39 . 2011-08-15 17:39 455680 c:\windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\1ffe911e62f482e42be2c4428bd08c10\System.DirectoryServices.Protocols.ni.dll
- 2011-08-15 17:39 . 2011-08-15 17:39 354816 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Service#\e1c009b2c9becdb732a2ea45f32a46b8\System.Data.Services.Design.ni.dll
+ 2011-08-16 17:37 . 2011-08-16 17:37 354816 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Service#\e1c009b2c9becdb732a2ea45f32a46b8\System.Data.Services.Design.ni.dll
+ 2011-08-16 17:37 . 2011-08-16 17:37 939008 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Service#\1defd94e1662a4478ccf2cd0b1b4e6a6\System.Data.Services.Client.ni.dll
- 2011-08-15 17:39 . 2011-08-15 17:39 939008 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Service#\1defd94e1662a4478ccf2cd0b1b4e6a6\System.Data.Services.Client.ni.dll
+ 2011-08-16 17:37 . 2011-08-16 17:37 756736 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Entity.#\04267c1dbdcdd8ec37e1518126767ead\System.Data.Entity.Design.ni.dll
- 2011-08-15 17:39 . 2011-08-15 17:39 756736 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Entity.#\04267c1dbdcdd8ec37e1518126767ead\System.Data.Entity.Design.ni.dll
- 2011-08-15 17:38 . 2011-08-15 17:38 135680 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.DataSet#\f2a6d41b3f6e26eea6dcac9298aa637b\System.Data.DataSetExtensions.ni.dll
+ 2011-08-15 22:02 . 2011-08-15 22:02 135680 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.DataSet#\f2a6d41b3f6e26eea6dcac9298aa637b\System.Data.DataSetExtensions.ni.dll
- 2011-08-15 17:37 . 2011-08-15 17:37 971264 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\77df2cd21a5b85a1605b335aa9ad9d44\System.Configuration.ni.dll
+ 2011-08-15 21:56 . 2011-08-15 21:56 971264 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\77df2cd21a5b85a1605b335aa9ad9d44\System.Configuration.ni.dll
- 2011-08-15 17:39 . 2011-08-15 17:39 141312 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Configuratio#\585e68739b2a8aff61ee6b2786513245\System.Configuration.Install.ni.dll
+ 2011-08-16 17:38 . 2011-08-16 17:38 141312 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Configuratio#\585e68739b2a8aff61ee6b2786513245\System.Configuration.Install.ni.dll
- 2011-08-15 17:38 . 2011-08-15 17:38 633856 c:\windows\assembly\NativeImages_v2.0.50727_32\System.AddIn\fbf6ef12d1456058acde29f2640092fb\System.AddIn.ni.dll
+ 2011-08-15 22:02 . 2011-08-15 22:02 633856 c:\windows\assembly\NativeImages_v2.0.50727_32\System.AddIn\fbf6ef12d1456058acde29f2640092fb\System.AddIn.ni.dll
+ 2011-08-15 21:56 . 2011-08-15 21:56 366080 c:\windows\assembly\NativeImages_v2.0.50727_32\SMSvcHost\896e42071939e038008b0bbbfed1213c\SMSvcHost.ni.exe
- 2011-08-15 17:37 . 2011-08-15 17:37 366080 c:\windows\assembly\NativeImages_v2.0.50727_32\SMSvcHost\896e42071939e038008b0bbbfed1213c\SMSvcHost.ni.exe
- 2011-08-15 17:37 . 2011-08-15 17:37 256000 c:\windows\assembly\NativeImages_v2.0.50727_32\SMDiagnostics\ca07e9cf488af1290d2340d682574a24\SMDiagnostics.ni.dll
+ 2011-08-15 21:56 . 2011-08-15 21:56 256000 c:\windows\assembly\NativeImages_v2.0.50727_32\SMDiagnostics\ca07e9cf488af1290d2340d682574a24\SMDiagnostics.ni.dll
- 2011-08-15 17:37 . 2011-08-15 17:37 320512 c:\windows\assembly\NativeImages_v2.0.50727_32\ServiceModelReg\a5aa977dd575a6beb3a416bd480b98a7\ServiceModelReg.ni.exe
+ 2011-08-15 21:56 . 2011-08-15 21:56 320512 c:\windows\assembly\NativeImages_v2.0.50727_32\ServiceModelReg\a5aa977dd575a6beb3a416bd480b98a7\ServiceModelReg.ni.exe
- 2011-08-15 17:37 . 2011-08-15 17:37 133632 c:\windows\assembly\NativeImages_v2.0.50727_32\MSBuild\2d89c7b72bc8e527b26d5b6f3b931012\MSBuild.ni.exe
+ 2011-08-15 21:56 . 2011-08-15 21:56 133632 c:\windows\assembly\NativeImages_v2.0.50727_32\MSBuild\2d89c7b72bc8e527b26d5b6f3b931012\MSBuild.ni.exe
- 2011-08-15 17:37 . 2011-08-15 17:37 386560 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Transacti#\39e9d172f0cf5eec30b1b67212cc032b\Microsoft.Transactions.Bridge.Dtc.ni.dll
+ 2011-08-15 21:56 . 2011-08-15 21:56 386560 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Transacti#\39e9d172f0cf5eec30b1b67212cc032b\Microsoft.Transactions.Bridge.Dtc.ni.dll
+ 2011-08-15 22:02 . 2011-08-15 22:02 968192 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\eae2ab662e4b44aacd4cebd3f9b6c34f\Microsoft.PowerShell.Commands.Utility.ni.dll
- 2011-08-15 17:38 . 2011-08-15 17:38 968192 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\eae2ab662e4b44aacd4cebd3f9b6c34f\Microsoft.PowerShell.Commands.Utility.ni.dll
+ 2011-08-15 22:02 . 2011-08-15 22:02 433664 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\9bcb002ea577b825f7c7872ec21b78a3\Microsoft.PowerShell.Commands.Management.ni.dll
- 2011-08-15 17:37 . 2011-08-15 17:37 433664 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\9bcb002ea577b825f7c7872ec21b78a3\Microsoft.PowerShell.Commands.Management.ni.dll
+ 2011-08-15 22:02 . 2011-08-15 22:02 492032 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\97869a9a27244319a1bcb5c2d446a1cc\Microsoft.PowerShell.ConsoleHost.ni.dll
- 2011-08-15 17:38 . 2011-08-15 17:38 492032 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\97869a9a27244319a1bcb5c2d446a1cc\Microsoft.PowerShell.ConsoleHost.ni.dll
- 2011-08-15 17:38 . 2011-08-15 17:38 148480 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\4d166154a2d5a4497acccfcd08355267\Microsoft.PowerShell.Security.ni.dll
+ 2011-08-15 22:02 . 2011-08-15 22:02 148480 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\4d166154a2d5a4497acccfcd08355267\Microsoft.PowerShell.Security.ni.dll
- 2011-08-15 17:37 . 2011-08-15 17:37 144384 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Uti#\f1b0ec3ccde9142e67ac681fb521ac66\Microsoft.Build.Utilities.ni.dll
+ 2011-08-15 22:02 . 2011-08-15 22:02 144384 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Uti#\f1b0ec3ccde9142e67ac681fb521ac66\Microsoft.Build.Utilities.ni.dll
+ 2011-08-15 22:02 . 2011-08-15 22:02 175104 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Uti#\9250f038410f0d6432e3ccb0b046862b\Microsoft.Build.Utilities.v3.5.ni.dll
- 2011-08-15 17:37 . 2011-08-15 17:37 175104 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Uti#\9250f038410f0d6432e3ccb0b046862b\Microsoft.Build.Utilities.v3.5.ni.dll
- 2011-08-15 17:37 . 2011-08-15 17:37 839680 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Eng#\a4672179aba638cd78bdfe268391b47b\Microsoft.Build.Engine.ni.dll
+ 2011-08-15 21:57 . 2011-08-15 21:57 839680 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Eng#\a4672179aba638cd78bdfe268391b47b\Microsoft.Build.Engine.ni.dll
+ 2011-08-15 21:57 . 2011-08-15 21:57 222720 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Con#\37db660a84ee52b61a7ca55812581bbd\Microsoft.Build.Conversion.v3.5.ni.dll
- 2011-08-15 17:37 . 2011-08-15 17:37 222720 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Con#\37db660a84ee52b61a7ca55812581bbd\Microsoft.Build.Conversion.v3.5.ni.dll
+ 2011-08-15 21:56 . 2011-08-15 21:56 410112 c:\windows\assembly\NativeImages_v2.0.50727_32\ComSvcConfig\fe9a21b94803f74697bb42b9d1fdea5b\ComSvcConfig.ni.exe
- 2011-08-15 17:37 . 2011-08-15 17:37 410112 c:\windows\assembly\NativeImages_v2.0.50727_32\ComSvcConfig\fe9a21b94803f74697bb42b9d1fdea5b\ComSvcConfig.ni.exe
+ 2011-08-15 21:55 . 2011-08-15 21:55 842240 c:\windows\assembly\NativeImages_v2.0.50727_32\AspNetMMCExt\f160c8e40b60edd47ae74b0b911fece1\AspNetMMCExt.ni.dll
- 2011-08-15 17:36 . 2011-08-15 17:36 842240 c:\windows\assembly\NativeImages_v2.0.50727_32\AspNetMMCExt\f160c8e40b60edd47ae74b0b911fece1\AspNetMMCExt.ni.dll
+ 2011-08-15 22:05 . 2011-08-15 22:05 1159680 c:\windows\Installer\1de3df.msi
+ 2011-08-16 07:11 . 2011-08-16 07:11 9453568 c:\windows\erdnt\AutoBackup\16-08-2011\Users\00000001\NTUSER.DAT
- 2011-08-15 17:40 . 2011-08-15 17:40 1356288 c:\windows\assembly\NativeImages_v2.0.50727_32\System.WorkflowServ#\22229a30650a9afbac984e1093898b13\System.WorkflowServices.ni.dll
+ 2011-08-16 17:40 . 2011-08-16 17:40 1356288 c:\windows\assembly\NativeImages_v2.0.50727_32\System.WorkflowServ#\22229a30650a9afbac984e1093898b13\System.WorkflowServices.ni.dll
- 2011-08-15 17:40 . 2011-08-15 17:40 1908224 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Run#\4d6b3cc1fc7a4788612241af7966715a\System.Workflow.Runtime.ni.dll
+ 2011-08-16 17:40 . 2011-08-16 17:40 1908224 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Run#\4d6b3cc1fc7a4788612241af7966715a\System.Workflow.Runtime.ni.dll
- 2011-08-15 17:40 . 2011-08-15 17:40 4514304 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Com#\e4c9853af945c9cfede19f3faf18af6e\System.Workflow.ComponentModel.ni.dll
+ 2011-08-16 17:40 . 2011-08-16 17:40 4514304 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Com#\e4c9853af945c9cfede19f3faf18af6e\System.Workflow.ComponentModel.ni.dll
- 2011-08-15 17:40 . 2011-08-15 17:40 2992640 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Act#\ab4b50c7c789e46a485903365765fde8\System.Workflow.Activities.ni.dll
+ 2011-08-16 17:40 . 2011-08-16 17:40 2992640 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Act#\ab4b50c7c789e46a485903365765fde8\System.Workflow.Activities.ni.dll
+ 2011-08-16 17:40 . 2011-08-16 17:40 1840640 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Services\a2392c995b1bb6b63079091259222357\System.Web.Services.ni.dll
- 2011-08-15 17:40 . 2011-08-15 17:40 1840640 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Services\a2392c995b1bb6b63079091259222357\System.Web.Services.ni.dll
+ 2011-08-16 17:39 . 2011-08-16 17:39 2209280 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Mobile\3da92a0b9b8ac97e11ca8bf4df671a78\System.Web.Mobile.ni.dll
- 2011-08-15 17:40 . 2011-08-15 17:40 2209280 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Mobile\3da92a0b9b8ac97e11ca8bf4df671a78\System.Web.Mobile.ni.dll
- 2011-08-15 17:39 . 2011-08-15 17:39 2405376 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Extensio#\01f4d6aa3299a41b8578b7e96afdcfb1\System.Web.Extensions.ni.dll
+ 2011-08-16 17:39 . 2011-08-16 17:39 2405376 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Extensio#\01f4d6aa3299a41b8578b7e96afdcfb1\System.Web.Extensions.ni.dll
+ 2011-08-16 17:38 . 2011-08-16 17:38 1706496 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceModel#\27e1b8dfd5e1ccf2c5b9efc51f674c69\System.ServiceModel.Web.ni.dll
- 2011-08-15 17:39 . 2011-08-15 17:39 1706496 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceModel#\27e1b8dfd5e1ccf2c5b9efc51f674c69\System.ServiceModel.Web.ni.dll
+ 2011-08-15 21:56 . 2011-08-15 21:56 2345472 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Seri#\dece01bd9e9c32e47630fdfc78d3bd32\System.Runtime.Serialization.ni.dll
- 2011-08-15 17:36 . 2011-08-15 17:36 2345472 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Seri#\dece01bd9e9c32e47630fdfc78d3bd32\System.Runtime.Serialization.ni.dll
- 2011-08-15 17:39 . 2011-08-15 17:39 4949504 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Management.A#\8a9589fd87302a1333af22962bb5f1f1\System.Management.Automation.ni.dll
+ 2011-08-16 17:38 . 2011-08-16 17:38 4949504 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Management.A#\8a9589fd87302a1333af22962bb5f1f1\System.Management.Automation.ni.dll
+ 2011-08-15 21:55 . 2011-08-15 21:55 1070080 c:\windows\assembly\NativeImages_v2.0.50727_32\System.IdentityModel\a50e2fc92db32751857fb8d297f9d7bc\System.IdentityModel.ni.dll
- 2011-08-15 17:36 . 2011-08-15 17:36 1070080 c:\windows\assembly\NativeImages_v2.0.50727_32\System.IdentityModel\a50e2fc92db32751857fb8d297f9d7bc\System.IdentityModel.ni.dll
- 2011-08-15 17:39 . 2011-08-15 17:39 1116672 c:\windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\259ecf480769f4e60514b7ae2abaa6f1\System.DirectoryServices.ni.dll
+ 2011-08-16 17:37 . 2011-08-16 17:37 1116672 c:\windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\259ecf480769f4e60514b7ae2abaa6f1\System.DirectoryServices.ni.dll
+ 2011-08-16 17:37 . 2011-08-16 17:37 1801216 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Deployment\71cf3eb40fc38e6ac8fba09e872d2878\System.Deployment.ni.dll
- 2011-08-15 17:39 . 2011-08-15 17:39 1801216 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Deployment\71cf3eb40fc38e6ac8fba09e872d2878\System.Deployment.ni.dll
+ 2011-08-15 21:56 . 2011-08-15 21:56 2510336 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.SqlXml\0b16305773369cf740c6a2b1f1d785b2\System.Data.SqlXml.ni.dll
- 2011-08-15 17:37 . 2011-08-15 17:37 2510336 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.SqlXml\0b16305773369cf740c6a2b1f1d785b2\System.Data.SqlXml.ni.dll
+ 2011-08-16 17:37 . 2011-08-16 17:37 1328128 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Services\c1b9b8ce390548dcca661a5e6a908408\System.Data.Services.ni.dll
- 2011-08-15 17:39 . 2011-08-15 17:39 1328128 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Services\c1b9b8ce390548dcca661a5e6a908408\System.Data.Services.ni.dll
+ 2011-08-16 17:36 . 2011-08-16 17:36 9924096 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Entity\2b58cc071d6bf0c741e91f86c09de5d7\System.Data.Entity.ni.dll
- 2011-08-15 17:38 . 2011-08-15 17:38 9924096 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Entity\2b58cc071d6bf0c741e91f86c09de5d7\System.Data.Entity.ni.dll
- 2011-08-15 17:38 . 2011-08-15 17:38 1712128 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\c6b19db2534042d435ede580f92bc75c\Microsoft.VisualBasic.ni.dll
+ 2011-08-15 22:02 . 2011-08-15 22:02 1712128 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\c6b19db2534042d435ede580f92bc75c\Microsoft.VisualBasic.ni.dll
- 2011-08-15 17:37 . 2011-08-15 17:37 1093120 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Transacti#\08594c4ba9ea0253a836fe1d8d341984\Microsoft.Transactions.Bridge.ni.dll
+ 2011-08-15 21:56 . 2011-08-15 21:56 1093120 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Transacti#\08594c4ba9ea0253a836fe1d8d341984\Microsoft.Transactions.Bridge.ni.dll
+ 2011-08-16 17:38 . 2011-08-16 17:38 2332160 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.JScript\345abd035c9378667b1cac54c1f21c97\Microsoft.JScript.ni.dll
- 2011-08-15 17:39 . 2011-08-15 17:39 2332160 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.JScript\345abd035c9378667b1cac54c1f21c97\Microsoft.JScript.ni.dll
- 2011-08-15 17:37 . 2011-08-15 17:37 1966080 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Tas#\906cd5555b79e4e0486dc8ef2a748b13\Microsoft.Build.Tasks.v3.5.ni.dll
+ 2011-08-15 22:02 . 2011-08-15 22:02 1966080 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Tas#\906cd5555b79e4e0486dc8ef2a748b13\Microsoft.Build.Tasks.v3.5.ni.dll
+ 2011-08-15 21:57 . 2011-08-15 21:57 1620992 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Tas#\7baff7d694394aaba490082c88d48fd2\Microsoft.Build.Tasks.ni.dll
- 2011-08-15 17:37 . 2011-08-15 17:37 1620992 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Tas#\7baff7d694394aaba490082c88d48fd2\Microsoft.Build.Tasks.ni.dll
+ 2011-08-15 21:56 . 2011-08-15 21:56 1888768 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Eng#\235a22e1ae9742bb724d411629dd99d5\Microsoft.Build.Engine.ni.dll
- 2011-08-15 17:37 . 2011-08-15 17:37 1888768 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Eng#\235a22e1ae9742bb724d411629dd99d5\Microsoft.Build.Engine.ni.dll
+ 2011-08-16 17:39 . 2011-08-16 17:39 11800576 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web\40893760431f8f0dcce3e18630e45b23\System.Web.ni.dll
- 2011-08-15 17:39 . 2011-08-15 17:39 11800576 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web\40893760431f8f0dcce3e18630e45b23\System.Web.ni.dll
+ 2011-08-15 21:56 . 2011-08-15 21:56 17403904 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceModel\e3a0205acab2215fbad7927d9d483aeb\System.ServiceModel.ni.dll
- 2011-08-15 17:37 . 2011-08-15 17:37 17403904 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceModel\e3a0205acab2215fbad7927d9d483aeb\System.ServiceModel.ni.dll
- 2011-06-15 19:22 . 2011-06-15 19:23 11490816 c:\windows\assembly\NativeImages_v2.0.50727_32\mscorlib\0309936a8e1672d39b9cf14463ce69f9\mscorlib.ni.dll
+ 2011-08-15 21:55 . 2011-08-15 21:55 11490816 c:\windows\assembly\NativeImages_v2.0.50727_32\mscorlib\0309936a8e1672d39b9cf14463ce69f9\mscorlib.ni.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2011-01-17 14:54 175912 ----a-w- c:\program files\ConduitEngine\prxConduitEngine.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\prxConduitEngine.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\prxConduitEngine.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SKIcoBackuped]
@="{7E5951A0-8683-432A-9483-5F43168D6A8C}"
[HKEY_CLASSES_ROOT\CLSID\{7E5951A0-8683-432A-9483-5F43168D6A8C}]
2011-04-04 09:35 3047088 ----a-w- c:\program files\VirginMedia\V Stuff Backup\AGSIconOverlay.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SKIcoSelected]
@="{15054241-49B4-4FA6-B4C7-A0071F118110}"
[HKEY_CLASSES_ROOT\CLSID\{15054241-49B4-4FA6-B4C7-A0071F118110}]
2011-04-04 09:35 3047088 ----a-w- c:\program files\VirginMedia\V Stuff Backup\AGSIconOverlay.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2004-07-19 306688]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-15 68856]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Backup & Storage"="c:\program files\VirginMedia\V Stuff Backup\Backup & Storage.exe" [2011-04-04 12273328]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 339968]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-09-15 57344]
"MBMon"="CTMBHA.DLL" [2005-05-19 1345520]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"VoiceCenter"="c:\program files\Creative\VoiceCenter\AndreaVC.exe" [2005-09-19 1159168]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2007-01-10 71216]
"EPSON Stylus Photo R220 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAIE.EXE" [2005-03-09 98304]
"RepliGo Assistant"="c:\program files\Cerience\RepliGo\RepliGoMon.exe" [2005-11-07 172032]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 1121280]
"B2C_AGENT"="c:\documents and settings\All Users\Application Data\LGMOBILEAX\B2C_Client\B2CNotiAgent.exe" [2010-03-16 300992]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-12-09 1226608]
"DivX Download Manager"="c:\program files\DivX\DivX Plus Web Player\DDmService.exe" [2010-12-08 63360]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"ServiceManager.exe"="c:\program files\Virgin Media\Service Manager\ServiceManager.exe" [2011-03-25 4371768]
"PCTools FGuard"="c:\program files\Spyware Doctor\BDT\FGuard.exe" [2011-04-27 247760]
"Corel Photo Downloader"="c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe" [2005-11-17 106496]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\Shirley King\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
AOL 9.0 Tray Icon.lnk - c:\program files\AOL 9.0\aoltray.exe [2006-2-21 156784]
Exif Launcher S.lnk - c:\program files\FinePixViewerS\QuickDCF2.exe [2007-10-20 303104]
Extender Resource Monitor.lnk - c:\windows\ehome\RMSysTry.exe [2005-10-20 18432]
HOTSYNCSHORTCUTNAME.lnk - c:\program files\Palm\Hotsync.exe [2004-6-9 471040]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
Picture Package Menu.lnk - c:\program files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe [2006-3-2 151552]
Picture Package VCD Maker.lnk - c:\program files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe [2006-3-2 106496]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest wsauth
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Radialpoint Security Services]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ServicepointService]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Palm\\HOTSYNC.EXE"=
"c:\\Documents and Settings\\Shirley King\\Application Data\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\AOL 9.0\\waol.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Adobe\\Elements Organizer 8.0\\AdobePhotoshopElementsMediaServer.exe"=
"c:\\Program Files\\VMware\\VMware View\\Client\\bin\\vmware-remotemks.exe"=
"c:\\Program Files\\VMware\\VMware View\\Client\\bin\\wswc.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3776:UDP"= 3776:UDP:Media Center Extender Service
"3390:TCP"= 3390:TCP:Remote Media Center Experience
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
.
R0 RadialpointIDSEH;RadialpointIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [20/06/2010 11:10 25608]
R2 RadialpointIDSAgent;RadialpointIDSAgent;c:\program files\Virgin Media\Security\AVG\Identity Protection\agent\bin\AVGIDSAgent.exe [28/07/2011 20:03 5832712]
R3 RadialpointIDSDriver;RadialpointIDSDriver;c:\program files\Virgin Media\Security\AVG\Identity Protection\agent\drivers\AVGIDSDriver.sys [20/06/2010 11:10 122376]
R3 RadialpointIDSFilter;RadialpointIDSFilter;c:\program files\Virgin Media\Security\AVG\Identity Protection\agent\drivers\AVGIDSfilter.sys [20/06/2010 11:10 30216]
R3 RadialpointIDSShim;RadialpointIDSShim;c:\program files\Virgin Media\Security\AVG\Identity Protection\agent\drivers\AVGIDSShim.sys [20/06/2010 11:10 25736]
R3 vmwvusb;VMware View Generic USB Driver;c:\windows\system32\drivers\vmwvusb.sys [20/07/2011 09:56 39984]
S2 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;c:\program files\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe --> c:\program files\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe [?]
S2 Browser Defender Update Service;Browser Defender Update Service;"c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe" --> c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [?]
S2 DolphinInterceptorStartup;Dolphin Utility Service;c:\windows\system32\dolserve.exe --> c:\windows\system32\dolserve.exe [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [13/02/2010 18:10 135664]
S2 Radialpoint Security Services;Virgin Media Security;c:\program files\Virgin Media\Security\RpsSecurityAwareR.exe [04/01/2010 12:17 165408]
S2 ServicepointService;ServicepointService;"c:\program files\Virgin Media\Service Manager\ServicepointService.exe" --> c:\program files\Virgin Media\Service Manager\ServicepointService.exe [?]
S2 wsnm;VMware View Client;"c:\program files\VMware\VMware View\Client\bin\wsnm.exe" -SCMStartup --> c:\program files\VMware\VMware View\Client\bin\wsnm.exe [?]
S2 wsnm_usbctrl;VMware View USB Control;"c:\program files\VMware\VMware View\Client\bin\wsnm_usbctrl.exe" -SCMStartup --> c:\program files\VMware\VMware View\Client\bin\wsnm_usbctrl.exe [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [13/02/2010 18:10 135664]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [15/01/2010 13:49 227232]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE
bdx REG_MULTI_SZ scan sysagent
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-13 17:10]
.
2011-08-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-13 17:10]
.
.
------- Supplementary Scan -------
.
uStart Page = www.ntlworld.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = about:blank
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Google Search
IE: &Translate English Word
IE: Backward Links
IE: Cached Snapshot of Page
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_70C5B381380DB17F.dll/cmsidewiki.html
IE: Similar Pages
IE: Translate Page into English
TCP: DhcpNameServer = 192.168.2.1
FF - ProfilePath - c:\documents and settings\Shirley King\Application Data\Mozilla\Firefox\Profiles\8rr57ers.default\
FF - prefs.js: keyword.URL - hxxp://www.ask.com/web?&o=13048&l=dis&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: DivX Plus Web Player HTML5 <video>: {23fcfd51-4958-4f00-80a3-ae97e717ed8b} - c:\program files\DivX\DivX Plus Web Player\firefox\html5video
FF - Ext: DivX HiQ: {6904342A-8307-11DF-A508-4AE2DFD72085} - c:\program files\DivX\DivX Plus Web Player\firefox\wpa
FF - Ext: Browser Defender Toolbar: {cb84136f-9c44-433a-9048-c5cd9df1dc16} - c:\program files\Spyware Doctor\BDT\Firefox
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-16 18:42
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(956)
c:\windows\system32\wsauth.dll
.
- - - - - - - > 'lsass.exe'(1012)
c:\windows\system32\wsauth.dll
.
Completion time: 2011-08-16 18:46:28
ComboFix-quarantined-files.txt 2011-08-16 17:46
ComboFix2.txt 2011-08-15 21:41
.
Pre-Run: 107,963,523,072 bytes free
Post-Run: 107,884,527,616 bytes free
.
- - End Of File - - 6CB973757096A25B86ADE65036C0406F
Still not able to run Malwarebytes, Spybot or AV
shelf life
2011-08-16, 23:47
Still not able to run Malwarebytes, Spybot or AV
So what happens when you click on them? Can you run PCtools Spyware Doctor?
scotsking
2011-08-17, 00:16
Tried to run the Spyware Doctor setup and got "Runtime error at 503:633 could not call proc".
Malwarebytes errors with "Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item".
Same message with Spybot.
Tried to re-download Spybot but it would not install (exe read-only file).
Virgin Media Security only showing the firewall, ad blocker, Identity Theft Protection & Privacy Manager; no AV showing.
Used Inherit on the Malwarebytes folder and am now running a full scan. Did not take the option to update.
This will probably take a while; will post results when finished.
scotsking
2011-08-17, 01:38
Malwarebytes found 2 infections:
Spyware.Passwords.XGen & Heuristics.Resevered.Word.Exploit.
Deleted both & rebooted. Have now updated Malwarebytes.
Also used Inherit on Spybot and this is also now working.
Still no joy with Virgin AV. Running diagnostics to see if it can find the problem.
Loath to uninstall and reinstall as the program is licensed to 3 PCs only and I have it running on 3 PCs. Forums for Virgin mention problems when re-installing with licence issues. But may have to resort to trying if all else fails.
Malware scan took over 1 hour so will run again tomorrow when back from work.
Will let you know the results.
Thanks
Shirl
PS: should I be worried about either of the 2 items found?
shelf life
2011-08-17, 04:06
Thanks for the info. Is Virgin AV a package from your ISP? There are several free AV solutions if you can't get it resolved. I assume it's free but you mention a license, so maybe it's not?
I wouldn't worry too much about what Malwarebytes found; ComboFix removed most of the malware.
Looks like it is from your ISP:
Radialpoint Security Services is provided exclusively through Internet or Broadband Service Providers. Contact your service provider to find out if they offer Radialpoint Security Services. Looks like your ISP purchases it from Radialpoint Security, who in turn leases the technology from AVG, who happen to have a free AV version:
RadialpointIDSAgent;RadialpointIDSAgent;c:\program files\Virgin Media\Security\AVG\Identity Protection\agent\bin\AVGIDSAgent.exe