Welcome to MalwareRemoval.com,

Trojan Horse Back Door Generic

Re: Trojan Horse Back Door Generic

Post by jja1313 » January 1st, 2012, 8:19 pm

Programs have been deleted.

All processes killed
========== FILES ==========
C:\Documents and Settings\HP_Owner\Local Settings\Application Data\n2ee12q3co7aih moved successfully.
C:\Documents and Settings\All Users\Application Data\n2ee12q3co7aih moved successfully.
C:\WINDOWS\Pyozoyusiku.bin moved successfully.
C:\WINDOWS\Qbeyu.dat moved successfully.
C:\WINDOWS\System32\hohumaho moved successfully.
< ipconfig /flushdns /c >

Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\HP_Owner\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\HP_Owner\Desktop\cmd.txt deleted successfully.
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\2869:TCP deleted successfully.
========== OTL ==========
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\chrome\locale\zh-TW\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\chrome\locale\zh-TW folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\chrome\locale\zh-CN\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\chrome\locale\zh-CN folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\chrome\locale\sv-SE\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\chrome\locale\sv-SE folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\chrome\locale\ko-KR\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\chrome\locale\ko-KR folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\chrome\locale\ja-JP\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\chrome\locale\ja-JP folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\chrome\locale\it-IT\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\chrome\locale\it-IT folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\chrome\locale\fr-FR\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\chrome\locale\fr-FR folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\chrome\locale\es-ES\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\chrome\locale\es-ES folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\chrome\locale\en-US\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\chrome\locale\en-US folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\chrome\locale\de-DE\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\chrome\locale\de-DE folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\chrome\locale folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\chrome\content\ffjcext folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\chrome\content folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\chrome folder moved successfully.
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} folder moved successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4EFB-9B51-7695ECA05670}\ deleted successfully.
C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll moved successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6EBF7485-159F-4bff-A14F-B9E3AAC4465B}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6EBF7485-159F-4bff-A14F-B9E3AAC4465B}\ deleted successfully.
C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll moved successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\ not found.
File C:\Program Files\Zynga\prxtbZyn0.dll not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}\ deleted successfully.
C:\Program Files\Yahoo!\Companion\Installs\cpn4\YTSingleInstance.dll moved successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{7b13ec3e-999a-4b70-b9cb-2617b8323822} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\ not found.
File C:\Program Files\Zynga\prxtbZyn0.dll not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ deleted successfully.
File C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{7B13EC3E-999A-4B70-B9CB-2617B8323822} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7B13EC3E-999A-4B70-B9CB-2617B8323822}\ not found.
File C:\Program Files\Zynga\prxtbZyn0.dll not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ not found.
File C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll not found.
Starting removal of ActiveX control {8AD9C840-044E-11D1-B3E9-00805F499D93}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
========== COMMANDS ==========
Restore point Set: OTL Restore Point (0)

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 11724 bytes
->Temporary Internet Files folder emptied: 32969 bytes

User: Guest
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 294871 bytes
->Java cache emptied: 73163 bytes
->FireFox cache emptied: 25629623 bytes
->Flash cache emptied: 1217 bytes

User: HP_Owner
->Temp folder emptied: 4590158 bytes
->Temporary Internet Files folder emptied: 832323 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 248401719 bytes
->Apple Safari cache emptied: 16384 bytes
->Flash cache emptied: 6926 bytes

User: Jeff(2)

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 65670 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 42543 bytes
->Flash cache emptied: 29952 bytes

User: Owner

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 19569 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 114688 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 162041 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 67 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 267.00 mb


[EMPTYJAVA]

User: Administrator

User: All Users

User: Default User

User: Guest
->Java cache emptied: 0 bytes

User: HP_Owner
->Java cache emptied: 0 bytes

User: Jeff(2)

User: LocalService

User: NetworkService
->Java cache emptied: 0 bytes

User: Owner

Total Java Files Cleaned = 0.00 mb


[EMPTYFLASH]

User: Administrator

User: All Users

User: Default User

User: Guest
->Flash cache emptied: 0 bytes

User: HP_Owner
->Flash cache emptied: 0 bytes

User: Jeff(2)

User: LocalService

User: NetworkService
->Flash cache emptied: 0 bytes

User: Owner

Total Flash Files Cleaned = 0.00 mb

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.2.31.0 log created on 01012012_135905

Files\Folders moved on Reboot...
File\Folder C:\Documents and Settings\HP_Owner\Local Settings\Temp\Perflib_Perfdata_d64.dat not found!

Registry entries deleted on Reboot...

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=f73311e21d83444a8565bff3919d8f53
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-01-01 11:58:17
# local_time=2012-01-01 05:58:17 (-0600, Central Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1024 16777191 100 0 0 0 0 0
# compatibility_mode=2560 16777215 100 0 0 0 0 0
# compatibility_mode=3584 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=115734
# found=2
# cleaned=0
# scan_time=10932
C:\Documents and Settings\HP_Owner\Application Data\AVG\Rescue\PC Tuneup 2011\111229015510250.rsc Java/Exploit.Agent.NAA trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\HP_Owner\My Documents\Downloads\Unlocker1.9.1.exe a variant of Win32/Toolbar.Babylon application (unable to clean) 00000000000000000000000000000000 I



Junction v1.06 - Windows junction creator and reparse point viewer
Copyright (C) 2000-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

Failed to open \\?\c:\\hiberfil.sys: The process cannot access the file because it is being used by another process.
Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.
Failed to open \\?\c:\\Documents and Settings\HP_Owner\Application Data\Macromedia\Flash Player\localhost\DOCUME~1: Access is denied.
Failed to open \\?\c:\\Qoobox\BackEnv: Access is denied.

\\?\c:\\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790

\\?\c:\\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e
Substitute Name: C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e

Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\6.0: Access is denied.
Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Aladdin Systems\InternetCleanup: Access is denied.
Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Aladdin Systems\StuffIt: Access is denied.
Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\FaxCtr\FAXLOG32.CDX: Access is denied.
Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\FaxCtr\FAXLOG32.DBF: Access is denied.
Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\FaxCtr\FAXLOG32.FPT: Access is denied.
Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\ICAClient\APPSRV.INI: Access is denied.
Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\ICAClient\Cache: Access is denied.
Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\ICAClient\UISTATE.INI: Access is denied.
Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\ICAClient\wfcwin32.log: Access is denied.
Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\InterMute\SpySubtract: Access is denied.
Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Leadertech\PowerRegister: Access is denied.
Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Address Book\HP_Owner.wab: Access is denied.
Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CLR Security Config\v1.1.4322: Access is denied.
Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Crypto\RSA\S-1-5-21-4274570368-3287487078-2089279940-1009\6d9f885ff3fdfa045240d2f597187bce_b8ed6499-9c73-46fc-bae3-52f81158fb65: Access is denied.
Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\HTML Help\hh.dat: Access is denied.
Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Office\Recent\bc on us.f1f.yahoofs.com.url: Access is denied.
Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Office\Recent\index.dat: Access is denied.
Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Protect\S-1-5-21-4274570368-3287487078-2089279940-1009\b4fdeee7-149b-4777-966d-cce295ca906f: Access is denied.
Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Protect\S-1-5-21-4274570368-3287487078-2089279940-1009\Preferred: Access is denied.
Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Motive\Acme: Access is denied.
Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\MSNInstaller\cProductInfo.xml: Access is denied.
Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\MSNInstaller\msninstallerlog.xml: Access is denied.
Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging: Access is denied.
Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\IsolatedStorage\0hnh3l35.myv: Access is denied.
Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Movie Maker\MEDIATAB.DAT: Access is denied.
Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012005052520050526(2)\index.dat: Access is denied.
Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012005052520050526(4)\index.dat: Access is denied.
Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\My Documents\Jeff\Bike+Miles.xls: Access is denied.
Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\My Documents\Jeff\BMONEY.xls: Access is denied.
Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\My Documents\Jeff\BUDGET.xls: Access is denied.
Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\My Documents\Jeff\LPayroll.xls: Access is denied.
Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\My Documents\Jeff\RETIRE.xls: Access is denied.
Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\My Documents\Jeff\TAX2004.xls: Access is denied.
Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\UserData\4XEJGH2V: Access is denied.
Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\UserData\index.dat: Access is denied.

jja1313
Regular Member
 
Posts: 36
Joined: January 9th, 2010, 3:09 am

Re: Trojan Horse Back Door Generic

Post by diver79 » January 2nd, 2012, 9:49 am

Hi Jeff,

Good work, almost there. We need to delete some files and run Grantperms again, as there are still files that have been modified by the infection. I also want to see a log from GMER to make sure there are no more hidden infections.

Run OTL Script
We need to run an OTL Fix
  • Double-click OTL.exe to start the program.
  • Copy and Paste the following code into the Image textbox. Do not include the word Code
    Code:
    :files
    C:\Documents and Settings\HP_Owner\Application Data\AVG\Rescue\PC Tuneup 2011\111229015510250.rsc
    C:\Documents and Settings\HP_Owner\My Documents\Downloads\Unlocker1.9.1.exe
    :commands
    [EMPTYTEMP]
    [CREATERESTOREPOINT]
    
  • Then click the Run Fix button at the top.
  • Click Image.
  • OTL may ask to reboot the machine. Please do so if asked.
  • The report should appear in Notepad after the reboot. Copy and paste that report in your next reply.


Re-run Grantperms
  • Locate the Grantperms folder you extracted earlier (it should be on your desktop).
  • Enter the GrantPerms folder & double click GrantPerms.exe to run it.
  • Copy and paste the contents of the codebox below into the whitebox (Do Not include Code:)
Code:
c:\\Documents and Settings\HP_Owner\Application Data\Macromedia\Flash Player\localhost\DOCUME~1
c:\\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a
C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
c:\\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a
C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e
c:\\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\6.0
c:\\WINDOWS\system32\config\systemprofile\Application Data\Aladdin Systems\InternetCleanup
c:\\WINDOWS\system32\config\systemprofile\Application Data\Aladdin Systems\StuffIt
c:\\WINDOWS\system32\config\systemprofile\Application Data\FaxCtr\FAXLOG32.CDX
c:\\WINDOWS\system32\config\systemprofile\Application Data\FaxCtr\FAXLOG32.DBF
c:\\WINDOWS\system32\config\systemprofile\Application Data\FaxCtr\FAXLOG32.FPT
c:\\WINDOWS\system32\config\systemprofile\Application Data\ICAClient\APPSRV.INI
c:\\WINDOWS\system32\config\systemprofile\Application Data\ICAClient\Cache
c:\\WINDOWS\system32\config\systemprofile\Application Data\ICAClient\UISTATE.INI
c:\\WINDOWS\system32\config\systemprofile\Application Data\ICAClient\wfcwin32.log
c:\\WINDOWS\system32\config\systemprofile\Application Data\InterMute\SpySubtract
c:\\WINDOWS\system32\config\systemprofile\Application Data\Leadertech\PowerRegister
c:\\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Address Book\HP_Owner.wab
c:\\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CLR Security Config\v1.1.4322
c:\\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Crypto\RSA\S-1-5-21-4274570368-3287487078-2089279940-1009\6d9f885ff3fdfa045240d2f597187bce_b8ed6499-9c73-46fc-bae3-52f81158fb65
c:\\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\HTML Help\hh.dat
c:\\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Office\Recent\bc on us.f1f.yahoofs.com.url
c:\\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Office\Recent\index.dat
c:\\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Protect\S-1-5-21-4274570368-3287487078-2089279940-1009\b4fdeee7-149b-4777-966d-cce295ca906f
c:\\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Protect\S-1-5-21-4274570368-3287487078-2089279940-1009\Preferred
c:\\WINDOWS\system32\config\systemprofile\Application Data\Motive\Acme
c:\\WINDOWS\system32\config\systemprofile\Application Data\MSNInstaller\cProductInfo.xml
c:\\WINDOWS\system32\config\systemprofile\Application Data\MSNInstaller\msninstallerlog.xml
c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging
c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\IsolatedStorage\0hnh3l35.myv
c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Movie Maker\MEDIATAB.DAT
c:\\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012005052520050526(2)\index.dat
c:\\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012005052520050526(4)\index.dat
c:\\WINDOWS\system32\config\systemprofile\My Documents\Jeff\Bike+Miles.xls
c:\\WINDOWS\system32\config\systemprofile\My Documents\Jeff\BMONEY.xls
c:\\WINDOWS\system32\config\systemprofile\My Documents\Jeff\BUDGET.xls
c:\\WINDOWS\system32\config\systemprofile\My Documents\Jeff\LPayroll.xls
c:\\WINDOWS\system32\config\systemprofile\My Documents\Jeff\RETIRE.xls
c:\\WINDOWS\system32\config\systemprofile\My Documents\Jeff\TAX2004.xls
c:\\WINDOWS\system32\config\systemprofile\UserData\4XEJGH2V
c:\\WINDOWS\system32\config\systemprofile\UserData\index.dat

  • Now Click Unlock
  • When it's done, click "OK".
  • Now click List Permissions and post contents of the log file that opens (Perms.txt)
  • A copy of Perms.txt will be saved in the same directory the tool is run.


Re-run Junction
  • Click Start > Run. Copy and paste the contents of the codebox below into the run box.
    (Do Not include Code:) Then click OK:
Code:
cmd /c junction -s c:\ >log.txt&log.txt&del log.txt
  • A command window will open and the system will be scanned. (Click Agree to the prompt)
  • Please be patient & wait until a log file opens in Notepad.
  • Copy and paste the contents of that file in your next reply.


Please download GMER Rootkit Scanner from Here.
  • Double click the .exe file. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All << (don't miss this one)

  • Then click the Scan button & wait for it to finish
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
  • Save it where you can easily find it, such as your desktop, and post it in your next reply
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries

Note: Do not run any programs while Gmer is running.
diver79
Retired Graduate
 
Posts: 1004
Joined: January 3rd, 2010, 7:03 pm
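The GrantPerms list in the post above was assembled by hand from the Junction log: every path Junction reported as "Access is denied", and every JUNCTION entry together with its Print Name target. The following Python script, added here and not part of the thread or of the Junction/GrantPerms tools, automates that step over a constructed excerpt in the same log format; it deliberately skips the sharing violations on hiberfil.sys and pagefile.sys, which are normal for a running system and were correctly left out of the list.

```python
r"""Derive a GrantPerms input list from a Sysinternals "junction -s" log.

Added example (not from the thread, not part of Junction or GrantPerms).
Handles the three line shapes seen in the posted log:
  Failed to open \\?\<path>: <reason>
  <path>: JUNCTION            (may be prefixed by progress dots)
  Print Name : <target>
"""
import re

# Constructed excerpt modelled on the log in the thread: progress dots,
# a sharing violation that must be ignored, one access-denied path, one
# junction with its target, and a trailing access-denied path.
SAMPLE_LOG = r"""Junction v1.06 - Windows junction creator and reparse point viewer
Copyright (C) 2000-2010 Mark Russinovich
Sysinternals - www.sysinternals.com


Failed to open \\?\c:\\hiberfil.sys: The process cannot access the file because it is being used by another process.

...

Failed to open \\?\c:\\Documents and Settings\HP_Owner\Application Data\Macromedia\Flash Player\localhost\DOCUME~1: Access is denied.

...\\?\c:\\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790

.
Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\UserData\index.dat: Access is denied.
"""

# The leading "\.*" swallows progress dots Junction prints on the same line.
FAILED_RE = re.compile(r"^\.*Failed to open \\\\\?\\(?P<path>.+?): (?P<reason>.+)$")
JUNCTION_RE = re.compile(r"^\.*\\\\\?\\(?P<path>.+?): JUNCTION$")
PRINT_NAME_RE = re.compile(r"^Print Name\s*:\s*(?P<target>.+)$")


def parse_junction_log(text):
    """Return (kind, path, detail) records in log order.

    kind is "denied"   -> detail is the reason text ("Access is denied.")
            "junction" -> detail is the Print Name target
            "skipped"  -> any other failure, e.g. a sharing violation on
                          hiberfil.sys / pagefile.sys, which is normal
    """
    records = []
    pending = None  # junction path waiting for its Print Name line
    for raw in text.splitlines():
        line = raw.strip()
        if not line or not line.strip("."):
            continue  # blank line or a line made only of progress dots
        m = FAILED_RE.match(line)
        if m:
            kind = "denied" if m["reason"].startswith("Access is denied") else "skipped"
            records.append((kind, m["path"], m["reason"]))
            continue
        m = JUNCTION_RE.match(line)
        if m:
            pending = m["path"]
            continue
        m = PRINT_NAME_RE.match(line)
        if m and pending is not None:
            records.append(("junction", pending, m["target"]))
            pending = None
    return records


def grantperms_list(text):
    """Lines to paste into GrantPerms: each denied path on its own line,
    each junction as its path followed by its target on the next line."""
    lines = []
    for kind, path, detail in parse_junction_log(text):
        if kind == "denied":
            lines.append(path)
        elif kind == "junction":
            lines.extend([path, detail])
    return lines


if __name__ == "__main__":
    for kind, path, detail in parse_junction_log(SAMPLE_LOG):
        if kind == "skipped":
            print(f"ignored: {path} ({detail})")
    print("\n".join(grantperms_list(SAMPLE_LOG)))
```

Keeping the junction path and its target on separate lines matters: GrantPerms parses one path per line, so a path and target joined on one line produces a "filename, directory name, or volume label syntax is incorrect" error instead of a permissions reset.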

Re: Trojan Horse Back Door Generic

Post by jja1313 » January 2nd, 2012, 5:19 pm

Thanks for all your help.

All processes killed
========== FILES ==========
C:\Documents and Settings\HP_Owner\Application Data\AVG\Rescue\PC Tuneup 2011\111229015510250.rsc moved successfully.
C:\Documents and Settings\HP_Owner\My Documents\Downloads\Unlocker1.9.1.exe moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Guest
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: HP_Owner
->Temp folder emptied: 66538 bytes
->Temporary Internet Files folder emptied: 3108353 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 144414984 bytes
->Apple Safari cache emptied: 0 bytes
->Flash cache emptied: 4836 bytes

User: Jeff(2)

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Owner

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 89105 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 5444921 bytes

Total Files Cleaned = 146.00 mb

Restore point Set: OTL Restore Point (0)

OTL by OldTimer - Version 3.2.31.0 log created on 01022012_104058

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...


GrantPerms by Farbar
Ran by HP_Owner (administrator) at 2012-01-02 10:46:54

===============================================
\\?\c:\\Documents and Settings\HP_Owner\Application Data\Macromedia\Flash Player\localhost\DOCUME~1

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(IO)(I)
ARNDT\HP_Owner FULL ALLOW (I)
ARNDT\HP_Owner FULL ALLOW (CI)(OI)(IO)(I)


ERROR: Parsing the SD of <\\?\c:\\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790> failed with: The filename, directory name, or volume label syntax is incorrect.


Operating system error message: The filename, directory name, or volume label syntax is incorrect.
\\?\c:\\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a

Owner: BUILTIN\Administrators

DACL((NP)+(AI):
BUILTIN\Administrators FULL ALLOW (CI)(OI)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)
Everyone FULL ALLOW (CI)(OI)(I)


\\?\C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (CI)(OI)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)
Everyone FULL ALLOW (CI)(OI)(I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\6.0

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(IO)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(IO)(I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Aladdin Systems\InternetCleanup

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(IO)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(IO)(I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Aladdin Systems\StuffIt

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(IO)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(IO)(I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\FaxCtr\FAXLOG32.CDX

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\FaxCtr\FAXLOG32.DBF

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\FaxCtr\FAXLOG32.FPT

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\ICAClient\APPSRV.INI

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\ICAClient\Cache

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(IO)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(IO)(I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\ICAClient\UISTATE.INI

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\ICAClient\wfcwin32.log

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\InterMute\SpySubtract

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(IO)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(IO)(I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Leadertech\PowerRegister

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(IO)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(IO)(I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Address Book\HP_Owner.wab

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CLR Security Config\v1.1.4322

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(IO)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(IO)(I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Crypto\RSA\S-1-5-21-4274570368-3287487078-2089279940-1009\6d9f885ff3fdfa045240d2f597187bce_b8ed6499-9c73-46fc-bae3-52f81158fb65

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\HTML Help\hh.dat

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Office\Recent\bc on us.f1f.yahoofs.com.url

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Office\Recent\index.dat

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Protect\S-1-5-21-4274570368-3287487078-2089279940-1009\b4fdeee7-149b-4777-966d-cce295ca906f

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Protect\S-1-5-21-4274570368-3287487078-2089279940-1009\Preferred

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Motive\Acme

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(IO)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(IO)(I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\MSNInstaller\cProductInfo.xml

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\MSNInstaller\msninstallerlog.xml

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(IO)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(IO)(I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\IsolatedStorage\0hnh3l35.myv

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(IO)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(IO)(I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Movie Maker\MEDIATAB.DAT

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012005052520050526(2)\index.dat

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012005052520050526(4)\index.dat

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


\\?\c:\\WINDOWS\system32\config\systemprofile\My Documents\Jeff\Bike+Miles.xls

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


\\?\c:\\WINDOWS\system32\config\systemprofile\My Documents\Jeff\BMONEY.xls

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


\\?\c:\\WINDOWS\system32\config\systemprofile\My Documents\Jeff\BUDGET.xls

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


\\?\c:\\WINDOWS\system32\config\systemprofile\My Documents\Jeff\LPayroll.xls

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


\\?\c:\\WINDOWS\system32\config\systemprofile\My Documents\Jeff\RETIRE.xls

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


\\?\c:\\WINDOWS\system32\config\systemprofile\My Documents\Jeff\TAX2004.xls

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


\\?\c:\\WINDOWS\system32\config\systemprofile\UserData\4XEJGH2V

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(IO)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(IO)(I)


\\?\c:\\WINDOWS\system32\config\systemprofile\UserData\index.dat

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


Junction v1.06 - Windows junction creator and reparse point viewer
Copyright (C) 2000-2010 Mark Russinovich
Sysinternals - www.sysinternals.com


Failed to open \\?\c:\\hiberfil.sys: The process cannot access the file because it is being used by another process.



Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.


...

...

...

...


Failed to open \\?\c:\\Documents and Settings\HP_Owner\Application Data\Macromedia\Flash Player\localhost\DOCUME~1\HP_Owner: Access is denied.


...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...
Failed to open \\?\c:\\Qoobox\BackEnv: Access is denied.




...

...

...

...

...

...

...

...

...

...

...

...\\?\c:\\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790

\\?\c:\\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e
Substitute Name: C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e



...

...

...

...

...

...

...

...

...

...

...

.
Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\6.0\AcroForm: Access is denied.



Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\6.0\AdobeComFnt06.lst: Access is denied.



Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\6.0\Collab: Access is denied.



Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\6.0\eBooks: Access is denied.



Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\6.0\Preferences: Access is denied.



Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\6.0\TMGrpPrm.sav: Access is denied.



Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\6.0\Updater: Access is denied.



Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Aladdin Systems\InternetCleanup\InternetCleanup.stg: Access is denied.



Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Aladdin Systems\InternetCleanup\Popupblocker.blf: Access is denied.



Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Aladdin Systems\StuffIt\ArchiveSearch: Access is denied.



Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Aladdin Systems\StuffIt\Catalog: Access is denied.



Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\ICAClient\Cache\zlcache: Access is denied.



Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\InterMute\SpySubtract\tmp: Access is denied.



Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Leadertech\PowerRegister\PowerReg.dat: Access is denied.


.
Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CLR Security Config\v1.1.4322\security.config.cch: Access is denied.



Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Motive\Acme\plugin: Access is denied.


.
Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\cache: Access is denied.



Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\db: Access is denied.



Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\EditorShellPreferenceData.dat: Access is denied.



Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\hp1_skindefV2.dat: Access is denied.



Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\Vault: Access is denied.



Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\IsolatedStorage\0hnh3l35.myv\2sqf2il1.rl4: Access is denied.



Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\UserData\4XEJGH2V\sn[1].xml: Access is denied.




...

...


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-01-02 15:11:55
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-17 SAMSUNG_SP1614C rev.SW100-30
Running: 7uhjyje7.exe; Driver: C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\kxldrpog.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xA9B26F3C]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xA9B26FE4]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xA9B27080]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xA9B2711C]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

---- EOF - GMER 1.0.15 ----
jja1313
Regular Member
 
Posts: 36
Joined: January 9th, 2010, 3:09 am

Re: Trojan Horse Back Door Generic

Unread postby diver79 » January 3rd, 2012, 6:26 am

Hi Jeff,

Junction keeps finding modified file permission issues on your machine. Because of this I am not certain that the infection has been removed. Let me know how the PC is performing, any redirect issues or programs not working correctly. We will run some new scans and attempt to fix the latest files.

Step 1 - New DDS scan
Please re-run DDS. You should still have it saved on your desktop.
If it is not on your Desktop, you can get it here.


Step 2 - aswMBR Scan
Please download aswMBR and save it to your Desktop.
  • Double click aswMBR.exe to run it.
  • Click the Scan button.
  • After a short while when the scan reports "Scan finished successfully", click Save log & save the log to your desktop.
  • Click OK > Exit.
  • Note: Do not attempt to fix anything at this stage!
  • Two files will be created, aswMBR.txt & a file named MBR.dat.
  • MBR.dat is a backup of the MBR (master boot record); do not delete it.
  • I strongly suggest you keep a copy of this backup stored on an external device.
  • Copy & Paste the contents of aswMBR.txt into your next reply.


Step 3 - Re-run Grantperms
  • Locate the Grantperms folder you extracted earlier (it should be on your desktop).
  • Enter the GrantPerms folder & double click GrantPerms.exe to run it.
  • Copy and paste the contents of the codebox below into the white box (Do Not include Code:)
Code: Select all
c:\\Documents and Settings\HP_Owner\Application Data\Macromedia\Flash Player\localhost\DOCUME~1\HP_Owner
c:\\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\6.0\AcroForm
c:\\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\6.0\AdobeComFnt06.lst
c:\\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\6.0\Collab
c:\\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\6.0\eBooks
c:\\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\6.0\Preferences
c:\\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\6.0\TMGrpPrm.sav
c:\\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\6.0\Updater
c:\\WINDOWS\system32\config\systemprofile\Application Data\Aladdin Systems\InternetCleanup\InternetCleanup.stg
c:\\WINDOWS\system32\config\systemprofile\Application Data\Aladdin Systems\InternetCleanup\Popupblocker.blf
c:\\WINDOWS\system32\config\systemprofile\Application Data\Aladdin Systems\StuffIt\ArchiveSearch
c:\\WINDOWS\system32\config\systemprofile\Application Data\Aladdin Systems\StuffIt\Catalog
c:\\WINDOWS\system32\config\systemprofile\Application Data\ICAClient\Cache\zlcache
c:\\WINDOWS\system32\config\systemprofile\Application Data\InterMute\SpySubtract\tmp
c:\\WINDOWS\system32\config\systemprofile\Application Data\Leadertech\PowerRegister\PowerReg.dat
c:\\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CLR Security Config\v1.1.4322\security.config.cch
c:\\WINDOWS\system32\config\systemprofile\Application Data\Motive\Acme\plugin
c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\cache
c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\db
c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\EditorShellPreferenceData.dat
c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\hp1_skindefV2.dat
c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\Vault
c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\IsolatedStorage\0hnh3l35.myv\2sqf2il1.rl4
c:\\WINDOWS\system32\config\systemprofile\UserData\4XEJGH2V\sn[1].xml
  • Now Click Unlock
  • When it's done, click "OK".
  • Now click List Permissions and post contents of the log file that opens (Perms.txt)
  • A copy of Perms.txt will be saved in the same directory the tool is run.


Step 4 - Re-run Junction
  • Click Start > Run. Copy and paste the contents of the codebox below into the run box.
    (Do Not include Code:) Then click OK:
Code: Select all
cmd /c junction -s c:\ >log.txt&log.txt&del log.txt
  • A command window will open and the system will be scanned. (Click Agree to the prompt)
  • Please be patient & wait until a log file opens in Notepad.
  • Copy and paste the contents of that file in your next reply.


For your next reply
  • DDS Log
  • aswMBR Log
  • GrantPerms Log
  • Junction Log
diver79
Retired Graduate
 
Posts: 1004
Joined: January 3rd, 2010, 7:03 pm
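An added example, not from this thread and not part of GrantPerms or Junction, that scripts what the helper did by hand above: it pulls the "Access is denied" paths out of the Junction log to build the GrantPerms unlock list, checks each Perms.txt block for the DACL shape the clean objects show (Administrators and SYSTEM FULL, Users READ/EXECUTE, no DENY entries, owner Administrators or SYSTEM), and flags any junction whose target is outside C:\WINDOWS\WinSxS, where the GAC junctions in the log point. The log excerpts embedded in it are constructed in the formats shown on this page, with one made-up locked file and one made-up junction added so the checks have something to flag. The Qoobox exclusion mirrors the helper's list, which left c:\Qoobox\BackEnv out; that it is a cleanup tool's own quarantine folder is an assumption. Paths are kept exactly as the tools print them, doubled backslash after the drive letter included, which is also how the helper pasted them.

```python
"""Audit GrantPerms (Perms.txt) and Sysinternals Junction logs (added example)."""
import re

ACE_RE = re.compile(r"^(?P<who>.+?)\s+(?P<rights>[A-Z/]+)\s+(?P<kind>ALLOW|DENY)"
                    r"\s*(?P<flags>(?:\([A-Z]+\))*)$")
DENIED_RE = re.compile(r"^Failed to open (?P<path>.+?): Access is denied\.$")
JUNCTION_RE = re.compile(r"(?P<path>\\\\\?\\.+?): JUNCTION$")  # progress dots may precede the path
TARGET_RE = re.compile(r"^Substitute Name:\s*(?P<target>.+)$")

TRUSTED_OWNERS = {"builtin\\administrators", "nt authority\\system"}
LOW_PRIV = {"builtin\\users", "everyone", "nt authority\\authenticated users"}
WRITE_RIGHTS = {"FULL", "MODIFY", "WRITE"}
SKIP_PREFIXES = ("c:\\\\qoobox\\",)        # omitted from the helper's list (assumed: tool quarantine)
EXPECTED_TARGET = "c:\\windows\\winsxs\\"  # where the GAC junctions in the posted log point

# Constructed excerpts in the formats shown on the page; the second Perms block
# and the second junction are made up so the checks have something to flag.
PERMS_SAMPLE = r"""
\\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\ICAClient\Cache

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)

\\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Example\locked.dat

Owner: EXAMPLE\LocalUser

DACL(NP):
NT AUTHORITY\SYSTEM FULL DENY
BUILTIN\Users FULL ALLOW (I)
"""
JUNCTION_SAMPLE = r"""
Failed to open \\?\c:\\hiberfil.sys: The process cannot access the file because it is being used by another process.
Failed to open \\?\c:\\Qoobox\BackEnv: Access is denied.
...\\?\c:\\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\6.0\AcroForm: Access is denied.
\\?\c:\\Documents and Settings\All Users\Application Data\Example: JUNCTION
Print Name : C:\WINDOWS\system32
Substitute Name: C:\WINDOWS\system32
"""


def parse_perms(text):
    """Return one dict per object: its path, owner and list of ACEs."""
    entries = []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("\\\\?\\"):
            entries.append({"path": line, "owner": "", "aces": []})
        elif entries and line.startswith("Owner:"):
            entries[-1]["owner"] = line.split(":", 1)[1].strip()
        elif entries and (m := ACE_RE.match(line)):
            entries[-1]["aces"].append(m.groupdict())
    return entries


def audit_entry(entry):
    """Ways this object's ACL departs from the shape seen on the clean objects."""
    aces, issues = entry["aces"], []
    for who in ("nt authority\\system", "builtin\\administrators"):
        if not any(a["who"].lower() == who and a["rights"] == "FULL" and a["kind"] == "ALLOW" for a in aces):
            issues.append(f"{who} lacks FULL ALLOW")
    if entry["owner"].lower() not in TRUSTED_OWNERS:
        issues.append(f"unexpected owner: {entry['owner']}")
    for a in aces:
        if a["kind"] == "DENY":
            issues.append(f"DENY ace for {a['who']}")
        elif a["who"].lower() in LOW_PRIV and a["rights"] in WRITE_RIGHTS:
            issues.append(f"{a['who']} has {a['rights']}")
    return issues


def parse_junction_log(text):
    """Split a 'junction -s' log into denied paths and (junction, target) pairs."""
    denied, junctions, pending = [], [], None
    for line in (l.strip() for l in text.splitlines()):
        if m := DENIED_RE.match(line):
            denied.append(m.group("path"))
        elif m := JUNCTION_RE.search(line):   # search, not match: dots may be glued on
            pending = m.group("path")
        elif pending and (m := TARGET_RE.match(line)):
            junctions.append((pending, m.group("target")))
            pending = None
    return denied, junctions


def grantperms_list(denied):
    r"""Strip the \\?\ prefix so each path is a line GrantPerms accepts."""
    plain = [p[4:] if p.startswith("\\\\?\\") else p for p in denied]
    return [p for p in plain if not p.lower().startswith(SKIP_PREFIXES)]


def odd_junctions(junctions):
    """Junctions whose target lies outside the WinSxS store."""
    return [(p, t) for p, t in junctions if not t.lower().startswith(EXPECTED_TARGET)]


if __name__ == "__main__":
    for e in parse_perms(PERMS_SAMPLE):
        print(e["path"], audit_entry(e) or "ok")
    denied, junctions = parse_junction_log(JUNCTION_SAMPLE)
    print("\n".join(grantperms_list(denied)))
    print(odd_junctions(junctions))
```

To use it on the real logs, read Perms.txt and the Junction log.txt into the two parse functions in place of the samples. After GrantPerms has run Unlock, a second List Permissions pass over the same paths should give no audit findings, and a second Junction run should list none of them under "Access is denied"; if either still does, something is re-locking them and the machine is not clean.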

Re: Trojan Horse Back Door Generic

Unread postby jja1313 » January 3rd, 2012, 11:18 am

Hi Diver79,

The AVG software continues to identify threats; otherwise things appear to be working fine.


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by HP_Owner at 8:34:22 on 2012-01-03
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.325 [GMT -6:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton PC Checkup\Engine\2.0.2.544\SymcPCCULaunchSvc.exe
C:\Program Files\Norton Safe Web Lite\Engine\1.0.1.8\ccSvcHst.exe
C:\Program Files\AVG\AVG2012\avgnsx.exe
C:\Program Files\Norton PC Checkup\Engine\2.0.2.544\ccSvcHst.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\9.0.1\ToolbarUpdater.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Norton PC Checkup\Engine\2.0.2.544\ccSvcHst.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Lexmark 5200 series\lxbtbmon.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\MSN Toolbar\Platform\5.0.1423.0\mswinext.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\Program Files\AVG Secure Search\vprot.exe
C:\Program Files\Shutterfly\Studio\BIN\SFlyStudio.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgets.exe
C:\Program Files\Mozilla Firefox5\firefox.exe
C:\Program Files\Mozilla Firefox5\plugin-container.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://my.yahoo.com/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant =
uURLSearchHooks: H - No File
mURLSearchHooks: H - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
BHO: GoodSearch Toolbar: {4e7bd74f-2b8d-469e-95ba-ed6db186be32} - c:\progra~1\goodse~1\GOODSE~1.DLL
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\9.0.0.23\AVG Secure Search_toolbar.dll
BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\5.0.1423.0\npwinext.dll
BHO: Norton Safe Web Lite BHO: {f0da78e9-6b60-42fb-bc26-ef2cfb8c8ff3} - c:\program files\norton safe web lite\engine\1.0.1.8\coIEPlg.dll
TB: HP view: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hp\digital imaging\bin\HPDTLK02.dll
TB: GoodSearch Toolbar: {4e7bd74f-2b8d-469e-95ba-ed6db186be32} - c:\progra~1\goodse~1\GOODSE~1.DLL
TB: Norton Safe Web Lite: {30ceeea2-3742-40e4-85dd-812bf1cbb83d} - c:\program files\norton safe web lite\engine\1.0.1.8\coIEPlg.dll
TB: @c:\program files\msn toolbar\platform\5.0.1423.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\5.0.1423.0\npwinext.dll
TB: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\9.0.0.23\AVG Secure Search_toolbar.dll
{e7df6bff-55a5-4eb7-a673-4ed3e9456d39}
uRun: [ShutterflyStudio] c:\program files\shutterfly\studio\bin\SFlyStudio.exe /trayonly
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [HPHUPD06] c:\program files\hp\{aac4fc36-8f89-4587-8dd3-ebc57c83374d}\hphupd06.exe
mRun: [HPHmon06] c:\windows\system32\hphmon06.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [Lexmark 5200 series] "c:\program files\lexmark 5200 series\lxbtbmgr.exe"
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [LXBTCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXBTtime.dll,_RunDLLEntry@16
mRun: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [FaxCenterServer] "c:\program files\lexmark fax solutions\fm3032.exe" /s
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
mRun: [Bing Bar] "c:\program files\msn toolbar\platform\5.0.1423.0\mswinext.exe"
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
mRun: [vProt] "c:\program files\avg secure search\vprot.exe"
mRun: [PS2] c:\windows\system32\ps2.exe
StartupFolder: c:\docume~1\hp_owner\startm~1\programs\startup\yahoo!~1.lnk - c:\program files\yahoo!\yahoo! widget engine\YahooWidgets.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: Add to AMV Converter... - c:\program files\mp3 player utilities 4.15\amvconverter\grab.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office10\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
Trusted Zone: yahoo.com\geocities
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shoc ... tor/sw.cab
DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - hxxps://desktop.cunamutual.com/secure/c ... wficat.cab
DPF: {30439117-02CA-4FBA-ADAF-84C2D8E2004D} - hxxps://desktop.cunamutual.com/secure/c ... icachk.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper20073151.dll
DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} - hxxp://picasaweb.google.com/s/v/56.44/uploader2.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www.snapfish.com/SnapfishActivia.cab
DPF: {474F00F5-3853-492C-AC3A-476512BBC336} - hxxp://picasaweb.google.com/s/v/26.30/uploader2.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/v ... .2.4.1.cab
DPF: {49232000-16E4-426C-A231-62846947304B} - hxxp://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cab
DPF: {50647AB5-18FD-4142-82B0-5852478DD0D5} - hxxp://webeffective.keynote.com/applica ... uncher.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/Shar ... /cabsa.cab
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftup ... 0202248187
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/200 ... ader55.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/fl ... rashim.cab
DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shoc ... wflash.cab
DPF: {EB96A156-E8D0-4A7D-A7AC-B60DFE87A6C6} - hxxps://desktop.cunamutual.com/login/cmgvpn.cab
TCP: DhcpNameServer = 24.196.64.53 68.113.206.10 24.178.162.3
TCP: Interfaces\{E1A3075B-F1C7-41F9-B94E-047D6C9492BA} : DhcpNameServer = 24.196.64.53 68.113.206.10 24.178.162.3
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\common files\avg secure search\viprotocolinstaller\9.0.1\ViProtocol.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\hp_owner\application data\mozilla\firefox\profiles\1kx63l6h.default\
FF - prefs.js: browser.search.selectedEngine - GoodSearch
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4db193bb ... g=en-US&q=
FF - plugin: c:\documents and settings\hp_owner\application data\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\program files\canon\zoombrowser ex\program\NPCIG.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\nppdf32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin4.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin5.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin6.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin7.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\msn toolbar\platform\5.0.1423.0\npwinext.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-7-11 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-9-13 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-10-7 230608]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-8-8 40016]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-7-11 295248]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\AVGIDSAgent.exe [2011-10-12 4433248]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]
R2 BCMNTIO;BCMNTIO;c:\progra~1\checkit\diagno~1\BCMNTIO.sys [2006-3-1 3744]
R2 MAPMEM;MAPMEM;c:\progra~1\checkit\diagno~1\MAPMEM.sys [2006-3-1 3904]
R2 Norton PC Checkup Application Launcher;Norton PC Checkup Application Launcher;c:\program files\norton pc checkup\engine\2.0.2.544\SymcPCCULaunchSvc.exe [2010-2-5 123320]
R2 NSL;Norton Safe Web Lite;c:\program files\norton safe web lite\engine\1.0.1.8\ccSvcHst.exe [2010-6-25 126904]
R2 PCCUJobMgr;Common Client Job Manager Service;c:\program files\norton pc checkup\engine\2.0.2.544\ccSvcHst.exe [2010-2-5 126392]
R2 vToolbarUpdater;vToolbarUpdater;c:\program files\common files\avg secure search\vtoolbarupdater\9.0.1\ToolbarUpdater.exe [2011-12-23 869216]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-7-11 134608]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-7-11 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-10-4 16720]
S3 Dsyvcii;Dsyvcii; [x]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2010-12-12 19968]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2010-12-12 8320]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2010-12-12 23936]
.
=============== Created Last 30 ================
.
2012-01-01 20:10:15 -------- d-----w- c:\program files\ESET
2012-01-01 19:59:05 -------- d-----w- C:\_OTL
2012-01-01 19:56:59 -------- d-----w- c:\documents and settings\hp_owner\local settings\application data\temp
2011-12-29 07:54:28 -------- d-----w- c:\documents and settings\hp_owner\application data\AVG
2011-12-25 04:45:34 150392 ----a-w- c:\windows\junction.exe
2011-12-23 18:59:12 -------- d-----w- c:\documents and settings\hp_owner\application data\AVG2012
2011-12-23 18:55:40 -------- d-----w- c:\documents and settings\hp_owner\application data\AVG Secure Search
2011-12-23 18:55:39 -------- d-----w- c:\documents and settings\all users\application data\AVG Secure Search
2011-12-23 18:55:36 -------- d-----w- c:\program files\common files\AVG Secure Search
2011-12-23 18:55:35 -------- d-----w- c:\program files\AVG Secure Search
2011-12-23 18:50:23 -------- d-----w- c:\windows\system32\drivers\AVG
2011-12-23 18:50:23 -------- d-----w- c:\documents and settings\all users\application data\AVG2012
2011-12-23 17:48:24 98816 ----a-w- c:\windows\sed.exe
2011-12-23 17:48:24 518144 ----a-w- c:\windows\SWREG.exe
2011-12-23 17:48:24 256000 ----a-w- c:\windows\PEV.exe
2011-12-23 17:48:24 208896 ----a-w- c:\windows\MBR.exe
2011-12-23 17:02:47 -------- d-----w- C:\AVGTemp
2011-12-18 21:51:03 -------- d-----w- c:\documents and settings\hp_owner\application data\WinPatrol
2011-12-18 21:50:43 -------- d-----w- c:\program files\BillP Studios
2011-12-18 21:50:42 -------- d-----w- c:\documents and settings\all users\application data\InstallMate
2011-12-13 03:31:15 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-12-13 03:31:15 -------- d-----w- c:\windows\system32\wbem\Repository
2011-12-13 03:08:06 -------- d-----w- c:\documents and settings\hp_owner\application data\FixCleaner
2011-12-13 02:39:42 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2011-12-13 02:39:42 14592 ----a-w- c:\windows\system32\dllcache\kbdhid.sys
2011-12-12 14:40:28 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2011-12-12 14:40:28 52480 ----a-w- c:\windows\system32\dllcache\i8042prt.sys
2011-12-11 19:01:08 -------- d-----w- c:\documents and settings\hp_owner\local settings\application data\LogMeIn Rescue Applet
.
==================== Find3M ====================
.
2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-04 19:20:51 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23:59 385024 ----a-w- c:\windows\system32\html.iec
2011-11-01 16:07:10 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31:48 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:33:08 2192768 ------w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52:03 2069376 ------w- c:\windows\system32\ntkrnlpa.exe
2011-10-24 20:29:02 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 20:29:02 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-10-18 11:13:22 186880 ----a-w- c:\windows\system32\encdec.dll
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-07 12:23:48 230608 ----a-w- c:\windows\system32\drivers\avgldx86.sys
.
============= FINISH: 8:35:48.20 ===============


aswMBR version 0.9.9.1124 Copyright(c) 2011 AVAST Software
Run date: 2012-01-03 08:37:28
-----------------------------
08:37:28.953 OS Version: Windows 5.1.2600 Service Pack 3
08:37:28.953 Number of processors: 1 586 0x401
08:37:28.953 ComputerName: ARNDT UserName:
08:37:29.890 Initialize success
08:40:12.859 AVAST engine defs: 12010300
08:40:26.031 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-17
08:40:26.031 Disk 0 Vendor: SAMSUNG_SP1614C SW100-30 Size: 152627MB BusType: 3
08:40:26.046 Disk 0 MBR read successfully
08:40:26.046 Disk 0 MBR scan
08:40:26.125 Disk 0 unknown MBR code
08:40:26.125 Disk 0 Partition 1 00 0C FAT32 LBA RECOVERY 7139 MB offset 63
08:40:26.140 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 145478 MB offset 14621040
08:40:26.156 Disk 0 scanning sectors +312560640
08:40:26.234 Disk 0 scanning C:\WINDOWS\system32\drivers
08:40:56.859 Service scanning
08:40:58.093 Modules scanning
08:41:16.093 Disk 0 trace - called modules:
08:41:16.109 ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll intelide.sys PCIIDEX.SYS
08:41:16.468 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8711bab8]
08:41:16.484 3 CLASSPNP.SYS[f7588fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-17[0x8718db00]
08:41:18.578 AVAST engine scan C:\WINDOWS
08:41:38.875 AVAST engine scan C:\WINDOWS\system32
08:47:23.765 AVAST engine scan C:\WINDOWS\system32\drivers
08:47:44.171 AVAST engine scan C:\Documents and Settings\HP_Owner
09:02:28.828 AVAST engine scan C:\Documents and Settings\All Users
09:05:25.484 Scan finished successfully
09:06:23.109 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\HP_Owner\Desktop\MBR.dat"
09:06:23.109 The log file has been saved successfully to "C:\Documents and Settings\HP_Owner\Desktop\aswMBR.txt"


GrantPerms by Farbar
Ran by HP_Owner (administrator) at 2012-01-03 09:08:57

===============================================
\\?\c:\\Documents and Settings\HP_Owner\Application Data\Macromedia\Flash Player\localhost\DOCUME~1\HP_Owner

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(IO)(I)
ARNDT\HP_Owner FULL ALLOW (I)
ARNDT\HP_Owner FULL ALLOW (CI)(OI)(IO)(I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\6.0\AcroForm

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(IO)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(IO)(I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\6.0\AdobeComFnt06.lst

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\6.0\Collab

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(IO)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(IO)(I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\6.0\eBooks

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(IO)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(IO)(I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\6.0\Preferences

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(IO)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(IO)(I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\6.0\TMGrpPrm.sav

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\6.0\Updater

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(IO)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(IO)(I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Aladdin Systems\InternetCleanup\InternetCleanup.stg

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Aladdin Systems\InternetCleanup\Popupblocker.blf

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Aladdin Systems\StuffIt\ArchiveSearch

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(IO)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(IO)(I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Aladdin Systems\StuffIt\Catalog

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(IO)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(IO)(I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\ICAClient\Cache\zlcache

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(IO)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(IO)(I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\InterMute\SpySubtract\tmp

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(IO)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(IO)(I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Leadertech\PowerRegister\PowerReg.dat

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CLR Security Config\v1.1.4322\security.config.cch

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Motive\Acme\plugin

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(IO)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(IO)(I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\cache

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(IO)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(IO)(I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\db

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(IO)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(IO)(I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\EditorShellPreferenceData.dat

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\hp1_skindefV2.dat

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\Vault

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(IO)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(IO)(I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\IsolatedStorage\0hnh3l35.myv\2sqf2il1.rl4

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(IO)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(IO)(I)


\\?\c:\\WINDOWS\system32\config\systemprofile\UserData\4XEJGH2V\sn[1].xml

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


Junction v1.06 - Windows junction creator and reparse point viewer
Copyright (C) 2000-2010 Mark Russinovich
Sysinternals - www.sysinternals.com


Failed to open \\?\c:\\hiberfil.sys: The process cannot access the file because it is being used by another process.



Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.


...

...

...

...

.
Failed to open \\?\c:\\Documents and Settings\HP_Owner\Application Data\Macromedia\Flash Player\localhost\DOCUME~1\HP_Owner\LOCALS~1: Access is denied.


..

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

..
Failed to open \\?\c:\\Qoobox\BackEnv: Access is denied.


.

...

...

...

...

...

...

...

...

...

...

...

..\\?\c:\\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790

\\?\c:\\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e
Substitute Name: C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e

.

...

...

...

...

...

...

...

...

...

...

...


Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\6.0\AcroForm\MRUFormsList: Access is denied.



Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\6.0\Collab\OfflineDocs: Access is denied.



Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\6.0\Collab\Reviews: Access is denied.



Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\6.0\Preferences\AutoFillDefaults.dat: Access is denied.



Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\6.0\Preferences\defaultHeuristics.dat: Access is denied.



Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\6.0\Updater\udstore.js: Access is denied.



Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Aladdin Systems\StuffIt\ArchiveSearch\exclude.db: Access is denied.



Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Aladdin Systems\StuffIt\Catalog\exclude.db: Access is denied.



Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\InterMute\SpySubtract\tmp\3: Access is denied.



Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\InterMute\SpySubtract\tmp\3.ldb: Access is denied.


.
Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Motive\Acme\plugin\config: Access is denied.



Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Motive\Acme\plugin\log: Access is denied.



Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Motive\Acme\plugin\stats: Access is denied.


.
Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\cache\1.dat: Access is denied.



Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\cache\1.tif: Access is denied.



Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\cache\DirectoryMap.dat: Access is denied.



Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\cache\LastWrite.txt: Access is denied.



Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\db\administrativeInfo.dbf: Access is denied.



Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.cdx: Access is denied.



Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.dbf: Access is denied.



Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.cdx: Access is denied.



Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.dbf: Access is denied.



Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\db\CB_Server_Errors.txt: Access is denied.



Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.cdx: Access is denied.



Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.dbf: Access is denied.



Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.cdx: Access is denied.



Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.dbf: Access is denied.



Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.fpt: Access is denied.



Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.cdx: Access is denied.



Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.dbf: Access is denied.



Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.cdx: Access is denied.



Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.dbf: Access is denied.



Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\db\managedFolderTable.dbf: Access is denied.



Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.cdx: Access is denied.



Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.dbf: Access is denied.



Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.cdx: Access is denied.



Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.dbf: Access is denied.



Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.cdx: Access is denied.



Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.dbf: Access is denied.



Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\Vault\03dc31bd_651990.jpg: Access is denied.



Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\Vault\117eb7e0_353760.jpg: Access is denied.



Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\Vault\1195c1c7_712466.jpg: Access is denied.



Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\Vault\15e34ec7_490552.jpg: Access is denied.



Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\Vault\5da66c79_322997.jpg: Access is denied.



Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\Vault\7748f3ea_570314.jpg: Access is denied.



Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\Vault\79540301_392125.jpg: Access is denied.



Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\Vault\9399091f_384213.jpg: Access is denied.



Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\Vault\986a565d_117962.jpg: Access is denied.



Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\Vault\assetFiles.settings: Access is denied.



Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\Vault\e4b775cd_115834.jpg: Access is denied.



Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\Vault\vaultFiles.settings: Access is denied.



Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\IsolatedStorage\0hnh3l35.myv\2sqf2il1.rl4\StrongName.czm5tyszaplbnspbwrwr5sftif5gm0kk: Access is denied.



Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\IsolatedStorage\0hnh3l35.myv\2sqf2il1.rl4\StrongName.zm3mix00r4oodf2vo5zlyh1za3feugtg: Access is denied.


.

...

...
jja1313
Regular Member
 
Posts: 36
Joined: January 9th, 2010, 3:09 am

Re: Trojan Horse Back Door Generic

Unread postby diver79 » January 5th, 2012, 4:26 am

Hi Jeff,

Apologies for the delay. I would like to run Combofix again along with some other scans. I would also like to see AVG's log file to know what it is finding; I will post instructions for this below.


Step 1 - Re-Download ComboFix
  • Delete the Combofix icon from your desktop and download it again using the links below.
  • Please download ComboFix from one of the following links.
    Link 1.
    Link 2.

    **IMPORTANT !!! Save ComboFix.exe to your Desktop**

    ComboFix - CFScript
    This script is for this user and computer ONLY! Using this tool incorrectly could cause problems with your operating system... preventing it from ever starting again!
    You will not have Internet access when you execute ComboFix. All open windows will need to be closed!
    1. Please open Notepad and copy/paste all the text below... into the window:
      Code:
      dds::
      {e7df6bff-55a5-4eb7-a673-4ed3e9456d39}
      driver::
      Dsyvcii
      folder::
      c:\documents and settings\hp_owner\application data\FixCleaner
      
    2. Save it to your desktop as CFScript.txt
    3. Please close all open application windows.
    4. Disable AVG
      • Open the AVG User Interface.
      • Double-click on the Resident Shield.
      • Un-tick the option Resident Shield active.
      • Save the changes.
    5. Drag the CFScript.txt (icon) into the ComboFix.exe icon... as seen in the image below:
      Image
      This will cause ComboFix to run again.
      Do Not use your keyboard or mouse click anywhere in the ComboFix window, as this may cause the program to stall or crash.
      Do Not touch your computer when ComboFix is running!
    6. When finished ComboFix will create a log file... you can save this file to a convenient place.
    7. Please copy/paste the ComboFix log file in your next reply.


Step 2 - MBRCheck
    Please download MBRCheck.exe and save it to your desktop.
  • Double click on MBRCheck.exe to run it.
  • A window similar to this should open on your desktop:

Image

  • If you are prompted with options, enter N at the prompt and press Enter
  • Press Enter again.
  • A log will open on your Desktop ...... MBRCheck_mm.dd.yy_hh.mm.ss.txt (where mm.dd.yy_hh.mm.ss are the date and time the scan was run)
  • Please post the contents of the log in your next reply.


Step 3 - SystemLook
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :dir
    C:\Documents and Settings\HP_Owner\Application Data\AVG2012 /sub

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
diver79
Retired Graduate
 
Posts: 1004
Joined: January 3rd, 2010, 7:03 pm

Re: Trojan Horse Back Door Generic

Unread postby jja1313 » January 5th, 2012, 7:18 am

ComboFix 12-01-05.01 - HP_Owner 01/05/2012 4:40.5.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.526 [GMT -6:00]
Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Owner\Desktop\CFScript.txt
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Application Data\TEMP\0B4227B4.TMP
c:\documents and settings\hp_owner\application data\FixCleaner
c:\documents and settings\hp_owner\application data\FixCleaner\Logs\2011-12-12 21-08-060.log
c:\documents and settings\hp_owner\application data\FixCleaner\Logs\2011-12-12 21-21-510.log
c:\documents and settings\hp_owner\application data\FixCleaner\PCOBackups\2011-12-12 21-23-13.db
c:\documents and settings\hp_owner\application data\FixCleaner\Results\Evidence.db
c:\documents and settings\hp_owner\application data\FixCleaner\Results\Junk.db
c:\documents and settings\hp_owner\application data\FixCleaner\Results\MSUpdate.db
c:\documents and settings\hp_owner\application data\FixCleaner\Results\Registry.db
c:\documents and settings\hp_owner\application data\FixCleaner\Results\Update.db
c:\documents and settings\hp_owner\application data\FixCleaner\spy_ignore.db
c:\windows\system32\ps2.bat
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_Dsyvcii
.
.
((((((((((((((((((((((((( Files Created from 2011-12-05 to 2012-01-05 )))))))))))))))))))))))))))))))
.
.
2012-01-01 20:10 . 2012-01-01 20:10 -------- d-----w- c:\program files\ESET
2012-01-01 19:59 . 2012-01-01 19:59 -------- d-----w- C:\_OTL
2012-01-01 19:56 . 2012-01-01 19:56 -------- d-----w- c:\documents and settings\HP_Owner\Local Settings\Application Data\temp
2011-12-29 07:54 . 2011-12-29 07:54 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\AVG
2011-12-25 04:45 . 2010-09-07 21:39 150392 ----a-w- c:\windows\junction.exe
2011-12-23 18:55 . 2011-12-23 18:55 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\AVG Secure Search
2011-12-23 18:55 . 2011-12-23 18:55 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Secure Search
2011-12-23 18:55 . 2011-12-23 18:55 -------- d-----w- c:\program files\Common Files\AVG Secure Search
2011-12-23 18:55 . 2011-12-23 18:55 -------- d-----w- c:\program files\AVG Secure Search
2011-12-23 18:50 . 2012-01-05 03:43 -------- d-----w- c:\windows\system32\drivers\AVG
2011-12-23 18:50 . 2011-12-23 19:13 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG2012
2011-12-23 17:02 . 2011-12-23 17:02 -------- d-----w- C:\AVGTemp
2011-12-18 21:51 . 2011-12-18 21:51 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\WinPatrol
2011-12-18 21:50 . 2011-12-18 21:50 -------- d-----w- c:\program files\BillP Studios
2011-12-18 21:50 . 2011-12-18 21:50 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallMate
2011-12-16 16:46 . 2011-12-16 16:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2011-12-13 03:31 . 2011-12-13 03:31 -------- d-----w- c:\windows\system32\wbem\Repository
2011-12-13 02:39 . 2008-04-13 19:39 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2011-12-13 02:39 . 2008-04-13 19:39 14592 ----a-w- c:\windows\system32\dllcache\kbdhid.sys
2011-12-12 14:40 . 2008-04-13 20:18 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2011-12-12 14:40 . 2008-04-13 20:18 52480 ----a-w- c:\windows\system32\dllcache\i8042prt.sys
2011-12-12 02:17 . 2011-12-12 15:31 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-12-11 19:01 . 2011-12-11 19:22 -------- d-----w- c:\documents and settings\HP_Owner\Local Settings\Application Data\LogMeIn Rescue Applet
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-23 13:25 . 2004-08-04 11:00 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-04 19:20 . 2004-08-04 11:00 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2004-08-04 11:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2004-08-04 11:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2004-08-04 11:00 385024 ----a-w- c:\windows\system32\html.iec
2011-11-01 16:07 . 2004-08-04 11:00 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2004-08-04 11:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:33 . 2004-08-04 11:00 2192768 ------w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52 . 2004-08-04 18:00 2069376 ------w- c:\windows\system32\ntkrnlpa.exe
2011-10-24 20:29 . 2011-10-24 20:29 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 20:29 . 2011-10-24 20:29 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-10-18 11:13 . 2004-08-04 11:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-10-10 14:22 . 2004-08-04 11:00 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-07 12:23 . 2011-10-07 12:23 230608 ----a-w- c:\windows\system32\drivers\avgldx86.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2011-12-23_18.32.05 )))))))))))))))))))))))))))))))))))))))))
.
- 2004-10-15 10:43 . 2011-11-09 05:20 73254 c:\windows\system32\perfc009.dat
+ 2004-10-15 10:43 . 2012-01-04 06:03 73254 c:\windows\system32\perfc009.dat
+ 2011-09-13 12:30 . 2011-09-13 12:30 32592 c:\windows\system32\drivers\avgrkx86.sys
+ 2011-08-08 12:08 . 2011-08-08 12:08 40016 c:\windows\system32\drivers\avgmfx86.sys
+ 2011-10-04 12:21 . 2011-10-04 12:21 16720 c:\windows\system32\drivers\AVGIDSShim.sys
+ 2011-07-11 07:14 . 2011-07-11 07:14 24272 c:\windows\system32\drivers\AVGIDSFilter.sys
+ 2011-07-11 07:14 . 2011-07-11 07:14 23120 c:\windows\system32\drivers\AVGIDSEH.sys
+ 2005-05-24 05:38 . 2005-06-01 01:11 32768 c:\windows\system32\config\systemprofile\UserData\index.dat
+ 2005-05-25 05:43 . 2005-05-25 05:50 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012005052520050526(4)\index.dat
+ 2005-05-25 05:14 . 2005-05-25 05:16 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012005052520050526(2)\index.dat
+ 2005-05-24 05:20 . 2004-02-27 20:04 75102 c:\windows\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\hp1_skindefV2.dat
+ 2010-01-08 02:05 . 2010-01-14 18:27 66442 c:\windows\system32\config\systemprofile\Application Data\Adobe\Acrobat\7.0\UserCache.bin
+ 2011-12-25 09:49 . 2011-12-25 09:49 31504 c:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.exe
- 2011-07-08 19:00 . 2011-07-08 19:00 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Security.dll
+ 2011-12-25 17:07 . 2011-12-25 17:07 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Security.dll
- 2011-07-07 17:04 . 2011-07-07 17:04 77824 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsn.dll
+ 2011-12-25 04:55 . 2011-12-25 04:55 77824 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsn.dll
+ 2011-12-25 04:55 . 2011-12-25 04:55 86016 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorie.dll
- 2011-07-07 17:04 . 2011-07-07 17:04 86016 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorie.dll
+ 2011-12-25 04:55 . 2011-12-25 04:55 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\CORPerfMonExt.dll
- 2011-07-07 17:03 . 2011-07-07 17:03 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\CORPerfMonExt.dll
- 2011-07-07 18:09 . 2011-07-07 18:09 32768 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
+ 2011-12-25 05:49 . 2011-12-25 05:49 32768 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
- 2011-07-07 18:09 . 2011-07-07 18:09 24576 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_filter.dll
+ 2011-12-25 05:49 . 2011-12-25 05:49 24576 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_filter.dll
+ 2012-01-04 06:05 . 2012-01-04 06:05 10240 c:\windows\assembly\NativeImages1_v1.1.4322\VJSWfcBrowserStubLib\1.0.5000.0__b03f5f7f11d50a3a_b99976de\VJSWfcBrowserStubLib.dll
+ 2012-01-04 15:54 . 2012-01-04 15:54 16896 c:\windows\assembly\NativeImages1_v1.1.4322\VJSWfcBrowserStubLib\1.0.5000.0__b03f5f7f11d50a3a_b833cb70\VJSWfcBrowserStubLib.dll
+ 2012-01-04 06:05 . 2012-01-04 06:05 32768 c:\windows\assembly\NativeImages1_v1.1.4322\vjslibcw\1.0.5000.0__b03f5f7f11d50a3a_df25abbf\vjslibcw.dll
+ 2012-01-04 06:05 . 2012-01-04 06:05 69632 c:\windows\assembly\NativeImages1_v1.1.4322\VJSharpCodeProvider\7.0.5000.0__b03f5f7f11d50a3a_15f6ab52\VJSharpCodeProvider.dll
+ 2012-01-04 15:55 . 2012-01-04 15:55 18432 c:\windows\assembly\NativeImages1_v1.1.4322\vjscor\1.0.5000.0__b03f5f7f11d50a3a_ae659492\vjscor.dll
+ 2012-01-04 06:06 . 2012-01-04 06:06 20480 c:\windows\assembly\NativeImages1_v1.1.4322\vjscor\1.0.5000.0__b03f5f7f11d50a3a_a971a1d2\vjscor.dll
+ 2012-01-04 06:05 . 2012-01-04 06:05 90112 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing.Design\1.0.5000.0__b03f5f7f11d50a3a_17f7e38a\System.Drawing.Design.dll
+ 2012-01-04 06:04 . 2012-01-04 06:04 61440 c:\windows\assembly\NativeImages1_v1.1.4322\CustomMarshalers\1.0.5000.0__b03f5f7f11d50a3a_9bf229d1\CustomMarshalers.dll
+ 2012-01-04 16:01 . 2012-01-04 16:01 36864 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.DynamicD#\750de53f30e516eb2c62de9bab7954e9\System.Web.DynamicData.Design.ni.dll
+ 2012-01-04 06:02 . 2012-01-04 06:02 77824 c:\windows\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
- 2011-10-14 13:26 . 2011-10-14 13:26 77824 c:\windows\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
+ 2012-01-04 06:02 . 2012-01-04 06:02 81920 c:\windows\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
- 2011-10-14 13:26 . 2011-10-14 13:26 81920 c:\windows\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
+ 2012-01-04 06:02 . 2012-01-04 06:02 81920 c:\windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
- 2011-10-14 13:26 . 2011-10-14 13:26 81920 c:\windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
- 2011-10-14 13:26 . 2011-10-14 13:26 32768 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
+ 2012-01-04 06:02 . 2012-01-04 06:02 32768 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
- 2011-10-14 13:26 . 2011-10-14 13:26 12800 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
+ 2012-01-04 06:02 . 2012-01-04 06:02 12800 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
+ 2012-01-04 06:02 . 2012-01-04 06:02 28672 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
- 2011-10-14 13:26 . 2011-10-14 13:26 28672 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
- 2011-10-14 13:26 . 2011-10-14 13:26 77824 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
+ 2012-01-04 06:02 . 2012-01-04 06:02 77824 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
+ 2012-01-04 06:02 . 2012-01-04 06:02 36864 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
- 2011-10-14 13:26 . 2011-10-14 13:26 36864 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
- 2011-10-14 13:26 . 2011-10-14 13:26 77824 c:\windows\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
+ 2012-01-04 06:02 . 2012-01-04 06:02 77824 c:\windows\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
- 2011-10-14 13:26 . 2011-10-14 13:26 13312 c:\windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
+ 2012-01-04 06:02 . 2012-01-04 06:02 13312 c:\windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
- 2011-10-14 13:26 . 2011-10-14 13:26 10752 c:\windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
+ 2012-01-04 06:02 . 2012-01-04 06:02 10752 c:\windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
+ 2012-01-04 06:02 . 2012-01-04 06:02 72192 c:\windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
- 2011-10-14 13:26 . 2011-10-14 13:26 72192 c:\windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
- 2011-10-14 13:26 . 2011-10-14 13:26 69120 c:\windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
+ 2012-01-04 06:02 . 2012-01-04 06:02 69120 c:\windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
- 2011-10-14 12:56 . 2011-10-14 12:56 81920 c:\windows\assembly\GAC\System.Security\1.0.5000.0__b03f5f7f11d50a3a\System.Security.dll
+ 2012-01-04 06:04 . 2012-01-04 06:04 81920 c:\windows\assembly\GAC\System.Security\1.0.5000.0__b03f5f7f11d50a3a\System.Security.dll
- 2011-10-14 13:26 . 2011-10-14 13:26 8192 c:\windows\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e\IEExecRemote.dll
+ 2012-01-04 06:02 . 2012-01-04 06:02 8192 c:\windows\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e\IEExecRemote.dll
+ 2005-05-24 05:22 . 2005-05-24 05:22 4608 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Movie Maker\MEDIATAB.DAT
+ 2005-05-24 05:20 . 2005-05-24 05:20 5481 c:\windows\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\cache\1.dat
+ 2005-05-24 04:45 . 2005-05-31 01:46 8722 c:\windows\system32\config\systemprofile\Application Data\Microsoft\HTML Help\hh.dat
- 2011-10-14 13:26 . 2011-10-14 13:26 7168 c:\windows\assembly\GAC_MSIL\Microsoft_VsaVb\8.0.0.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll
+ 2012-01-04 06:02 . 2012-01-04 06:02 7168 c:\windows\assembly\GAC_MSIL\Microsoft_VsaVb\8.0.0.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll
- 2011-10-14 13:26 . 2011-10-14 13:26 5632 c:\windows\assembly\GAC_MSIL\Microsoft.VisualC\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll
+ 2012-01-04 06:02 . 2012-01-04 06:02 5632 c:\windows\assembly\GAC_MSIL\Microsoft.VisualC\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll
+ 2012-01-04 06:02 . 2012-01-04 06:02 6656 c:\windows\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll
- 2011-10-14 13:26 . 2011-10-14 13:26 6656 c:\windows\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll
+ 2012-01-04 06:02 . 2012-01-04 06:02 8192 c:\windows\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\IEExecRemote.dll
- 2011-10-14 13:26 . 2011-10-14 13:26 8192 c:\windows\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\IEExecRemote.dll
- 2011-10-14 13:26 . 2011-10-14 13:26 113664 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.Wrapper.dll
+ 2012-01-04 06:02 . 2012-01-04 06:02 113664 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.Wrapper.dll
+ 2012-01-04 06:02 . 2012-01-04 06:02 258048 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll
- 2011-10-14 13:26 . 2011-10-14 13:26 258048 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll
+ 2004-10-15 10:43 . 2012-01-04 06:03 446174 c:\windows\system32\perfh009.dat
- 2004-10-15 10:43 . 2011-11-09 05:20 446174 c:\windows\system32\perfh009.dat
+ 2011-07-11 07:14 . 2011-07-11 07:14 295248 c:\windows\system32\drivers\avgtdix.sys
+ 2011-07-11 07:14 . 2011-07-11 07:14 134608 c:\windows\system32\drivers\AVGIDSDriver.sys
+ 2011-12-25 09:49 . 2011-12-25 09:49 436496 c:\windows\Microsoft.NET\Framework\v2.0.50727\webengine.dll
+ 2011-12-25 04:55 . 2011-12-25 04:55 102400 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorld.dll
- 2011-07-07 17:04 . 2011-07-07 17:04 102400 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorld.dll
- 2011-07-07 17:01 . 2011-07-07 17:01 315392 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorjit.dll
+ 2011-12-25 04:53 . 2011-12-25 04:53 315392 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorjit.dll
+ 2011-12-25 05:49 . 2011-12-25 05:49 258048 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
- 2011-07-07 18:09 . 2011-07-07 18:09 258048 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
+ 2011-12-25 11:40 . 2011-12-25 11:40 819200 c:\windows\Installer\1be0560.msp
+ 2012-01-04 15:54 . 2012-01-04 15:54 155648 c:\windows\assembly\NativeImages1_v1.1.4322\VJSharpCodeProvider\7.0.5000.0__b03f5f7f11d50a3a_4e79c778\VJSharpCodeProvider.dll
+ 2012-01-04 06:05 . 2012-01-04 06:05 835584 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a_66b0f5d8\System.Drawing.dll
+ 2012-01-04 15:52 . 2012-01-04 15:52 192512 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing.Design\1.0.5000.0__b03f5f7f11d50a3a_cc143709\System.Drawing.Design.dll
+ 2012-01-04 15:52 . 2012-01-04 15:52 118784 c:\windows\assembly\NativeImages1_v1.1.4322\CustomMarshalers\1.0.5000.0__b03f5f7f11d50a3a_7dbd875c\CustomMarshalers.dll
+ 2012-01-04 16:01 . 2012-01-04 16:01 129536 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Routing\0bda7bdfaf440d5dd4bc6a1dea7ffa39\System.Web.Routing.ni.dll
+ 2012-01-04 16:02 . 2012-01-04 16:02 859648 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Extensio#\6e29f9faa74a48b83a13a3413b826295\System.Web.Extensions.Design.ni.dll
+ 2012-01-04 16:01 . 2012-01-04 16:01 328704 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Entity\be8965fe859bc53dff61579bf626858b\System.Web.Entity.ni.dll
+ 2012-01-04 16:01 . 2012-01-04 16:01 301056 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Entity.D#\8441b3eb247e0344fede848337ee911c\System.Web.Entity.Design.ni.dll
+ 2012-01-04 16:01 . 2012-01-04 16:01 547328 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.DynamicD#\09c6a41f187ba483486cdb92dad714a1\System.Web.DynamicData.ni.dll
+ 2012-01-04 16:01 . 2012-01-04 16:01 141312 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Abstract#\5efb726d424b9712632eff749411fa89\System.Web.Abstractions.ni.dll
+ 2012-01-04 16:00 . 2012-01-04 16:00 756736 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Entity.#\f374e8e7849a72d1470b4a6a0771a137\System.Data.Entity.Design.ni.dll
+ 2012-01-04 16:00 . 2012-01-04 16:00 320512 c:\windows\assembly\NativeImages_v2.0.50727_32\ServiceModelReg\439732479756e0f6df88d29e50a402bf\ServiceModelReg.ni.exe
+ 2012-01-04 16:00 . 2012-01-04 16:00 968192 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\3062d06077a424dff6997145cad8e9e1\Microsoft.PowerShell.Commands.Utility.ni.dll
+ 2012-01-04 15:58 . 2012-01-04 15:58 842240 c:\windows\assembly\NativeImages_v2.0.50727_32\AspNetMMCExt\bfcea15c95909860c4f4ac19bd7a2d6c\AspNetMMCExt.ni.dll
+ 2012-01-04 06:02 . 2012-01-04 06:02 839680 c:\windows\assembly\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\System.Web.Services.dll
- 2011-10-14 13:26 . 2011-10-14 13:26 839680 c:\windows\assembly\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\System.Web.Services.dll
+ 2012-01-04 06:02 . 2012-01-04 06:02 835584 c:\windows\assembly\GAC_MSIL\System.Web.Mobile\2.0.0.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
- 2011-10-14 13:26 . 2011-10-14 13:26 835584 c:\windows\assembly\GAC_MSIL\System.Web.Mobile\2.0.0.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
+ 2012-01-04 06:02 . 2012-01-04 06:02 114688 c:\windows\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
- 2011-10-14 13:26 . 2011-10-14 13:26 114688 c:\windows\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
- 2011-10-14 13:26 . 2011-10-14 13:26 258048 c:\windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll
+ 2012-01-04 06:02 . 2012-01-04 06:02 258048 c:\windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll
+ 2012-01-04 06:02 . 2012-01-04 06:02 131072 c:\windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
- 2011-10-14 13:26 . 2011-10-14 13:26 131072 c:\windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
- 2011-10-14 13:26 . 2011-10-14 13:26 303104 c:\windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
+ 2012-01-04 06:02 . 2012-01-04 06:02 303104 c:\windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
+ 2012-01-04 06:02 . 2012-01-04 06:02 258048 c:\windows\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll
- 2011-10-14 13:26 . 2011-10-14 13:26 258048 c:\windows\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll
+ 2012-01-04 06:02 . 2012-01-04 06:02 372736 c:\windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
- 2011-10-14 13:26 . 2011-10-14 13:26 372736 c:\windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
+ 2012-01-04 06:02 . 2012-01-04 06:02 626688 c:\windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
- 2011-10-14 13:26 . 2011-10-14 13:26 626688 c:\windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
- 2011-10-14 13:26 . 2011-10-14 13:26 401408 c:\windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
+ 2012-01-04 06:02 . 2012-01-04 06:02 401408 c:\windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
- 2011-10-14 13:26 . 2011-10-14 13:26 188416 c:\windows\assembly\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll
+ 2012-01-04 06:02 . 2012-01-04 06:02 188416 c:\windows\assembly\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll
- 2011-10-14 13:27 . 2011-10-14 13:27 970752 c:\windows\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
+ 2012-01-04 06:02 . 2012-01-04 06:02 970752 c:\windows\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
- 2011-10-14 13:27 . 2011-10-14 13:27 745472 c:\windows\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
+ 2012-01-04 06:02 . 2012-01-04 06:02 745472 c:\windows\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
+ 2012-01-04 06:02 . 2012-01-04 06:02 425984 c:\windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll
- 2011-10-14 13:26 . 2011-10-14 13:26 425984 c:\windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll
- 2011-10-14 13:26 . 2011-10-14 13:26 110592 c:\windows\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll
+ 2012-01-04 06:02 . 2012-01-04 06:02 110592 c:\windows\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll
- 2011-10-14 13:26 . 2011-10-14 13:26 659456 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
+ 2012-01-04 06:02 . 2012-01-04 06:02 659456 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
+ 2012-01-04 06:02 . 2012-01-04 06:02 372736 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll
- 2011-10-14 13:26 . 2011-10-14 13:26 372736 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll
+ 2012-01-04 06:02 . 2012-01-04 06:02 110592 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll
- 2011-10-14 13:26 . 2011-10-14 13:26 110592 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll
+ 2012-01-04 06:02 . 2012-01-04 06:02 749568 c:\windows\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
- 2011-10-14 13:26 . 2011-10-14 13:26 749568 c:\windows\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
- 2011-10-14 13:26 . 2011-10-14 13:26 655360 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll
+ 2012-01-04 06:02 . 2012-01-04 06:02 655360 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll
- 2011-10-14 13:26 . 2011-10-14 13:26 348160 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll
+ 2012-01-04 06:02 . 2012-01-04 06:02 348160 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll
+ 2012-01-04 06:02 . 2012-01-04 06:02 507904 c:\windows\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll
- 2011-10-14 13:26 . 2011-10-14 13:26 507904 c:\windows\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll
+ 2012-01-04 06:02 . 2012-01-04 06:02 261632 c:\windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
- 2011-10-14 13:26 . 2011-10-14 13:26 261632 c:\windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
- 2011-10-14 13:26 . 2011-10-14 13:26 113664 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll
+ 2012-01-04 06:02 . 2012-01-04 06:02 113664 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll
+ 2012-01-04 06:02 . 2012-01-04 06:02 258048 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
- 2011-10-14 13:26 . 2011-10-14 13:26 258048 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
+ 2012-01-04 06:02 . 2012-01-04 06:02 486400 c:\windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll
- 2011-10-14 13:26 . 2011-10-14 13:26 486400 c:\windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll
+ 2011-12-25 09:50 . 2011-12-25 09:50 5246976 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Web.dll
+ 2011-12-25 17:07 . 2011-12-25 17:07 2064384 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Windows.Forms.dll
+ 2011-12-25 17:06 . 2011-12-25 17:06 1269760 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Web.dll
- 2011-07-08 18:59 . 2011-07-08 18:59 1232896 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.dll
+ 2011-12-25 17:06 . 2011-12-25 17:06 1232896 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.dll
- 2011-07-07 17:02 . 2011-07-07 17:02 2514944 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
+ 2011-12-25 04:54 . 2011-12-25 04:54 2514944 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
- 2011-07-07 17:02 . 2011-07-07 17:02 2527232 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsvr.dll
+ 2011-12-25 04:53 . 2011-12-25 04:53 2527232 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsvr.dll
- 2011-07-08 18:59 . 2011-07-08 18:59 2142208 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorlib.dll
+ 2011-12-25 17:06 . 2011-12-25 17:06 2142208 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorlib.dll
+ 2011-12-23 18:55 . 2011-12-23 18:55 4683264 c:\windows\Installer\ff386.msi
+ 2011-12-23 18:49 . 2011-12-23 18:49 2186240 c:\windows\Installer\ff382.msi
+ 2011-12-26 15:59 . 2011-12-26 15:59 4368896 c:\windows\Installer\1be053f.msp
+ 2012-01-04 06:06 . 2012-01-04 06:06 4468736 c:\windows\assembly\NativeImages1_v1.1.4322\vjslib\1.0.5000.0__b03f5f7f11d50a3a_ee7c1a82\vjslib.dll
+ 2012-01-04 06:04 . 2012-01-04 06:04 1966080 c:\windows\assembly\NativeImages1_v1.1.4322\System\1.0.5000.0__b77a5c561934e089_39f8f067\System.dll
+ 2012-01-04 15:52 . 2012-01-04 15:52 4792320 c:\windows\assembly\NativeImages1_v1.1.4322\System\1.0.5000.0__b77a5c561934e089_19c4a9f6\System.dll
+ 2012-01-04 15:53 . 2012-01-04 15:53 5513216 c:\windows\assembly\NativeImages1_v1.1.4322\System.Xml\1.0.5000.0__b77a5c561934e089_9d72fc25\System.Xml.dll
+ 2012-01-04 06:05 . 2012-01-04 06:05 2088960 c:\windows\assembly\NativeImages1_v1.1.4322\System.Xml\1.0.5000.0__b77a5c561934e089_86250eb7\System.Xml.dll
+ 2012-01-04 06:05 . 2012-01-04 06:05 3035136 c:\windows\assembly\NativeImages1_v1.1.4322\System.Windows.Forms\1.0.5000.0__b77a5c561934e089_e8f76350\System.Windows.Forms.dll
+ 2012-01-04 15:53 . 2012-01-04 15:53 7917568 c:\windows\assembly\NativeImages1_v1.1.4322\System.Windows.Forms\1.0.5000.0__b77a5c561934e089_89fe1ac8\System.Windows.Forms.dll
+ 2012-01-04 15:53 . 2012-01-04 15:53 2244608 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a_5039a118\System.Drawing.dll
+ 2012-01-04 06:05 . 2012-01-04 06:05 1470464 c:\windows\assembly\NativeImages1_v1.1.4322\System.Design\1.0.5000.0__b03f5f7f11d50a3a_7a7ecd30\System.Design.dll
+ 2012-01-04 15:53 . 2012-01-04 15:53 3395584 c:\windows\assembly\NativeImages1_v1.1.4322\System.Design\1.0.5000.0__b03f5f7f11d50a3a_34795889\System.Design.dll
+ 2012-01-04 15:54 . 2012-01-04 15:54 8908800 c:\windows\assembly\NativeImages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_bb1b010a\mscorlib.dll
+ 2012-01-04 06:05 . 2012-01-04 06:05 3391488 c:\windows\assembly\NativeImages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_2e756a74\mscorlib.dll
+ 2012-01-04 18:46 . 2012-01-04 18:46 1356288 c:\windows\assembly\NativeImages_v2.0.50727_32\System.WorkflowServ#\05c29118462056cf810df0b6aa660d05\System.WorkflowServices.ni.dll
+ 2012-01-04 18:46 . 2012-01-04 18:46 1908224 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Run#\26b3258c559dc0ab6bdce481ffd458b3\System.Workflow.Runtime.ni.dll
+ 2012-01-04 18:45 . 2012-01-04 18:45 4514304 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Com#\1642d1b72cd84caf24cbe7c5e8fd8368\System.Workflow.ComponentModel.ni.dll
+ 2012-01-04 18:45 . 2012-01-04 18:45 2992640 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Act#\32ce12c3c2049f2df94c44c94b052e16\System.Workflow.Activities.ni.dll
+ 2012-01-04 16:02 . 2012-01-04 16:02 1840640 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Services\f63ae1310e004777e880f28377bcddd2\System.Web.Services.ni.dll
+ 2012-01-04 16:02 . 2012-01-04 16:02 2209280 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Mobile\c99b02434e71ca9898bebbc08d63e885\System.Web.Mobile.ni.dll
+ 2012-01-04 16:01 . 2012-01-04 16:01 2405888 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Extensio#\c8f78b9e94857fdf6c2a378dd1629ee0\System.Web.Extensions.ni.dll
+ 2012-01-04 16:01 . 2012-01-04 16:01 1706496 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceModel#\ae749b024162e9ac79110c633b5ce6be\System.ServiceModel.Web.ni.dll
+ 2012-01-04 15:58 . 2012-01-04 15:58 1070080 c:\windows\assembly\NativeImages_v2.0.50727_32\System.IdentityModel\23eb4618c9d171be9fb551a13a475a32\System.IdentityModel.ni.dll
+ 2012-01-04 16:01 . 2012-01-04 16:01 1328128 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Services\f35064c125799df650c1a959d8fa450b\System.Data.Services.ni.dll
+ 2012-01-04 16:00 . 2012-01-04 16:00 1712128 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\a86c12788293105a0d9fda1bc90c90bc\Microsoft.VisualBasic.ni.dll
+ 2012-01-04 06:02 . 2012-01-04 06:02 3182592 c:\windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
- 2011-10-14 13:27 . 2011-10-14 13:27 3182592 c:\windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
- 2011-10-14 13:27 . 2011-10-14 13:27 2048000 c:\windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
+ 2012-01-04 06:02 . 2012-01-04 06:02 2048000 c:\windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
- 2011-10-14 13:26 . 2011-10-14 13:26 5025792 c:\windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
+ 2012-01-04 06:02 . 2012-01-04 06:02 5025792 c:\windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
- 2010-10-08 08:01 . 2010-10-08 08:01 1277952 c:\windows\assembly\GAC_MSIL\System.Web.Extensions\3.5.0.0__31bf3856ad364e35\System.Web.Extensions.dll
+ 2012-01-04 06:05 . 2012-01-04 06:05 1277952 c:\windows\assembly\GAC_MSIL\System.Web.Extensions\3.5.0.0__31bf3856ad364e35\System.Web.Extensions.dll
+ 2012-01-04 06:02 . 2012-01-04 06:02 5062656 c:\windows\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll
- 2011-10-14 13:26 . 2011-10-14 13:26 5062656 c:\windows\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll
+ 2012-01-04 06:02 . 2012-01-04 06:02 5246976 c:\windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
- 2011-10-14 13:27 . 2011-10-14 13:27 2933248 c:\windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
+ 2012-01-04 06:02 . 2012-01-04 06:02 2933248 c:\windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
- 2011-08-11 08:14 . 2011-10-14 13:26 4550656 c:\windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
+ 2012-01-04 06:02 . 2012-01-04 06:02 4550656 c:\windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
- 2011-10-14 12:56 . 2011-10-14 12:56 1232896 c:\windows\assembly\GAC\System\1.0.5000.0__b77a5c561934e089\System.dll
+ 2012-01-04 06:04 . 2012-01-04 06:04 1232896 c:\windows\assembly\GAC\System\1.0.5000.0__b77a5c561934e089\System.dll
+ 2012-01-04 06:04 . 2012-01-04 06:04 2064384 c:\windows\assembly\GAC\System.Windows.Forms\1.0.5000.0__b77a5c561934e089\System.Windows.Forms.dll
+ 2012-01-04 06:04 . 2012-01-04 06:04 1269760 c:\windows\assembly\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
+ 2011-12-26 23:02 . 2011-12-26 23:02 12482048 c:\windows\Microsoft.NET\Framework\v1.1.4322\Updates\M2656353\M2656353Uninstall.msp
+ 2011-12-26 15:02 . 2011-12-26 15:02 19677184 c:\windows\Installer\1be0559.msp
+ 2012-01-04 15:54 . 2012-01-04 15:55 12165120 c:\windows\assembly\NativeImages1_v1.1.4322\vjslib\1.0.5000.0__b03f5f7f11d50a3a_b04a263c\vjslib.dll
+ 2012-01-04 16:01 . 2012-01-04 16:01 11817472 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web\62e34cfb5a8b233667c7c5a47a32ad93\System.Web.ni.dll
+ 2012-01-04 16:00 . 2012-01-04 16:00 17403904 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceModel\2dac4fc006596760cd4988d0bfd52ff0\System.ServiceModel.ni.dll
+ 2012-01-04 15:55 . 2012-01-04 15:55 10683392 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Design\9e15d80ffb037e9171fa4bd2e0233497\System.Design.ni.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
2011-12-23 18:55 1574240 ----a-w- c:\program files\AVG Secure Search\9.0.0.23\AVG Secure Search_toolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files\AVG Secure Search\9.0.0.23\AVG Secure Search_toolbar.dll" [2011-12-23 1574240]
.
[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShutterflyStudio"="c:\program files\Shutterfly\Studio\BIN\SFlyStudio.exe" [2008-05-07 2500096]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-18 61952]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 88209]
"HPHUPD06"="c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 49152]
"HPHmon06"="c:\windows\system32\hphmon06.exe" [2004-06-07 659456]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-11 61440]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2004-12-21 180269]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
"Lexmark 5200 series"="c:\program files\Lexmark 5200 series\lxbtbmgr.exe" [2004-06-04 57344]
"SoundMan"="SOUNDMAN.EXE" [2005-04-06 90112]
"AlcWzrd"="ALCWZRD.EXE" [2005-04-06 2805248]
"LXBTCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll" [2004-03-17 65536]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 81920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-04-18 196608]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2004-03-23 294912]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2010-07-04 17408]
"Bing Bar"="c:\program files\MSN Toolbar\Platform\5.0.1423.0\mswinext.exe" [2010-03-24 243544]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-11-11 288088]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-11-13 421736]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2011-05-15 325512]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2011-12-03 2415456]
"vProt"="c:\program files\AVG Secure Search\vprot.exe" [2011-12-23 892768]
"PS2"="c:\windows\system32\ps2.exe" [2002-10-16 81920]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
AutoTBar.exe [2003-10-1 57344]
.
c:\documents and settings\HP_Owner\Start Menu\Programs\Startup\
Yahoo! Widgets.lnk - c:\program files\Yahoo!\Yahoo! Widget Engine\YahooWidgets.exe [2008-3-18 4742184]
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Lexmark 5200 Series\\lxbtbmon.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [7/11/2011 1:14 AM 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [9/13/2011 6:30 AM 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [10/7/2011 6:23 AM 230608]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [7/11/2011 1:14 AM 295248]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [10/12/2011 6:25 AM 4433248]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [8/2/2011 6:09 AM 192776]
R2 BCMNTIO;BCMNTIO;c:\progra~1\CheckIt\DIAGNO~1\BCMNTIO.sys [3/1/2006 12:42 PM 3744]
R2 MAPMEM;MAPMEM;c:\progra~1\CheckIt\DIAGNO~1\MAPMEM.sys [3/1/2006 12:42 PM 3904]
R2 Norton PC Checkup Application Launcher;Norton PC Checkup Application Launcher;c:\program files\Norton PC Checkup\Engine\2.0.2.544\SymcPCCULaunchSvc.exe [2/5/2010 1:37 AM 123320]
R2 NSL;Norton Safe Web Lite;c:\program files\Norton Safe Web Lite\Engine\1.0.1.8\ccSvcHst.exe [6/25/2010 11:19 AM 126904]
R2 PCCUJobMgr;Common Client Job Manager Service;c:\program files\Norton PC Checkup\Engine\2.0.2.544\ccSvcHst.exe [2/5/2010 1:37 AM 126392]
R2 vToolbarUpdater;vToolbarUpdater;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\9.0.1\ToolbarUpdater.exe [12/23/2011 12:55 PM 869216]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [7/11/2011 1:14 AM 134608]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [7/11/2011 1:14 AM 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [10/4/2011 6:21 AM 16720]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [12/12/2010 1:16 PM 19968]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [12/12/2010 1:16 PM 8320]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [12/12/2010 1:16 PM 23936]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 09:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2011-12-30 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\system32\cleanmgr.exe [2004-08-04 00:12]
.
2011-12-10 c:\windows\Tasks\TuneUpMedic_scan_schedule_task_3adb4361-4b82-45ce-9cee-98b152f59b10.job
- c:\program files\TuneUpMedic\TuneUpMedic.exe [2011-03-19 04:05]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant =
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Add to AMV Converter... - c:\program files\MP3 Player Utilities 4.15\AMVConverter\grab.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
Trusted Zone: yahoo.com\geocities
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\9.0.1\ViProtocol.dll
FF - ProfilePath - c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\1kx63l6h.default\
FF - prefs.js: browser.search.selectedEngine - GoodSearch
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4db193bb ... g=en-US&q=
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
AddRemove-KeynoteConnector - c:\windows\DOWNLO~1\CONNEC~1.EXE
AddRemove-ESPN Java Check - c:\windows\system32\javaws.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-05 04:56
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXBTCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
ShutterflyStudio = c:\program files\Shutterfly\Studio\BIN\SFlyStudio.exe /trayonly?????????????????????????/keyword????????????MMURIConstraint?!????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????!??
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\NSL]
"ImagePath"="\"c:\program files\Norton Safe Web Lite\Engine\1.0.1.8\ccSvcHst.exe\" /s \"NSL\" /m \"c:\program files\Norton Safe Web Lite\Engine\1.0.1.8\diMaster.dll\" /prefetch:1"
--
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\PCCUJobMgr]
"ImagePath"="\"c:\program files\Norton PC Checkup\Engine\2.0.2.544\ccSvcHst.exe\" /s \"PCCUJobMgr\" /m \"c:\program files\Norton PC Checkup\Engine\2.0.2.544\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3588)
c:\windows\system32\WININET.dll
c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
c:\windows\system32\wpdshext.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\Audiodev.dll
c:\windows\system32\WMVCore.DLL
c:\windows\system32\WMASF.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\AVG\AVG2012\avgrsx.exe
c:\program files\AVG\AVG2012\avgcsrvx.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\AVG\AVG2012\avgnsx.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wscntfy.exe
c:\windows\AGRSMMSG.exe
c:\windows\SOUNDMAN.EXE
c:\windows\ALCWZRD.EXE
c:\program files\Lexmark 5200 series\lxbtbmon.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2012-01-05 05:05:41 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-05 11:05
ComboFix2.txt 2011-12-23 18:40
ComboFix3.txt 2010-01-15 23:27
.
Pre-Run: 81,120,415,744 bytes free
Post-Run: 81,147,797,504 bytes free
.
- - End Of File - - 5DAA1865EFC9384A2B87E161A8AD93E0


MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x000003fc

Kernel Drivers (total 133):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806D1000 \WINDOWS\system32\hal.dll
0xF7A75000 \WINDOWS\system32\KDCOM.DLL
0xF7985000 \WINDOWS\system32\BOOTVID.dll
0xF7446000 ACPI.sys
0xF7A77000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF7435000 pci.sys
0xF7575000 isapnp.sys
0xF7A79000 intelide.sys
0xF77F5000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF7585000 MountMgr.sys
0xF7416000 ftdisk.sys
0xF77FD000 PartMgr.sys
0xF7595000 VolSnap.sys
0xF73FE000 atapi.sys
0xF75A5000 disk.sys
0xF75B5000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF73DE000 fltmgr.sys
0xF73CC000 sr.sys
0xF7805000 PxHelp20.sys
0xF73B5000 KSecDD.sys
0xF73A2000 WudfPf.sys
0xF7315000 Ntfs.sys
0xF72E8000 NDIS.sys
0xF75C5000 Combo-Fix.sys
0xF75D5000 ohci1394.sys
0xF75E5000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xF72CE000 Mup.sys
0xF780D000 avgrkx86.sys
0xF7989000 AVGIDSEH.Sys
0xF7635000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xF7725000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF68A5000 \SystemRoot\system32\DRIVERS\ialmnt5.sys
0xF6891000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF6869000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xF7845000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF6845000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF784D000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF6740000 \SystemRoot\system32\DRIVERS\AGRSM.sys
0xF7855000 \SystemRoot\System32\Drivers\Modem.SYS
0xF672C000 \SystemRoot\system32\DRIVERS\parport.sys
0xF7735000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF72AA000 \SystemRoot\system32\DRIVERS\PS2.sys
0xF785D000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF7745000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF72A6000 \SystemRoot\system32\drivers\pfc.sys
0xF7865000 \SystemRoot\system32\drivers\iviaspi.sys
0xF7755000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF7765000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF6709000 \SystemRoot\system32\DRIVERS\ks.sys
0xF786D000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
0xF7B9C000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF7775000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF729A000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF66F2000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF7785000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF7795000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF7875000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF66E1000 \SystemRoot\system32\DRIVERS\psched.sys
0xF77A5000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF787D000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF7885000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF77B5000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF788D000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF7ABB000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF6683000 \SystemRoot\system32\DRIVERS\update.sys
0xF728A000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF77C5000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xAA54E000 \SystemRoot\system32\drivers\RtkHDAud.sys
0xAA52A000 \SystemRoot\system32\drivers\portcls.sys
0xF77E5000 \SystemRoot\system32\drivers\drmk.sys
0xF6A8C000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF7AC1000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF6A5C000 \SystemRoot\system32\DRIVERS\avgmfx86.sys
0xF7A25000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xF6A4C000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xF78B5000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xF7ACB000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7C55000 \SystemRoot\System32\Drivers\Null.SYS
0xF7ACD000 \SystemRoot\System32\Drivers\Beep.SYS
0xF78C5000 \SystemRoot\System32\drivers\vga.sys
0xF7ACF000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7AD1000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF78CD000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF78D5000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF7A2D000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xAA1BC000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xAA163000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xAA11C000 \SystemRoot\system32\DRIVERS\avgtdix.sys
0xAA0F6000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xF6A3C000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xF6A2C000 \SystemRoot\system32\DRIVERS\arp1394.sys
0xF78DD000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xF78E5000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xF7A49000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xF7A4D000 \SystemRoot\system32\DRIVERS\usbscan.sys
0xF78ED000 \SystemRoot\system32\DRIVERS\usbprint.sys
0xAA0CE000 \SystemRoot\system32\DRIVERS\netbt.sys
0xF7A51000 \SystemRoot\System32\drivers\ws2ifsl.sys
0xAA0AC000 \SystemRoot\System32\drivers\afd.sys
0xF6A1C000 \SystemRoot\system32\DRIVERS\netbios.sys
0xAA081000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xA9FE9000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF6A0C000 \SystemRoot\System32\Drivers\Fips.SYS
0xA9FB2000 \SystemRoot\system32\DRIVERS\avgldx86.sys
0xA9E1F000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xA9D67000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF7AEF000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xA9DE7000 \SystemRoot\System32\drivers\Dxapi.sys
0xF7955000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7C4D000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF020000 \SystemRoot\System32\ialmdnt5.dll
0xBF012000 \SystemRoot\System32\ialmrnt5.dll
0xBF03E000 \SystemRoot\System32\ialmdev5.DLL
0xBF064000 \SystemRoot\System32\ialmdd5.DLL
0xBF125000 \SystemRoot\System32\ATMFD.DLL
0xA9CC7000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xA9A42000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xA9B5F000 \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys
0xF7C07000 \??\C:\PROGRA~1\CheckIt\DIAGNO~1\BCMNTIO.sys
0xF7C7E000 \??\C:\PROGRA~1\CheckIt\DIAGNO~1\MAPMEM.sys
0xA98D2000 \SystemRoot\system32\DRIVERS\srv.sys
0xA97F5000 \SystemRoot\system32\drivers\wdmaud.sys
0xA99DA000 \SystemRoot\system32\drivers\sysaudio.sys
0xF7945000 \SystemRoot\system32\DRIVERS\AVGIDSFilter.Sys
0xA939F000 \SystemRoot\system32\DRIVERS\AVGIDSDriver.Sys
0xA9E43000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xA9F49000 \??\C:\ComboFix\catchme.sys
0xF7ADB000 \??\C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
0xA8C65000 \SystemRoot\system32\DRIVERS\R8139n51.SYS
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 60):
0 System Idle Process
4 System
456 C:\WINDOWS\system32\smss.exe
496 C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
532 C:\Program Files\AVG\AVG2012\avgcsrvx.exe
740 csrss.exe
764 C:\WINDOWS\system32\winlogon.exe
812 C:\WINDOWS\system32\services.exe
824 C:\WINDOWS\system32\lsass.exe
972 C:\WINDOWS\system32\svchost.exe
1040 svchost.exe
1080 C:\WINDOWS\system32\svchost.exe
1116 C:\WINDOWS\system32\svchost.exe
1328 svchost.exe
1424 svchost.exe
1524 C:\WINDOWS\system32\spoolsv.exe
1628 svchost.exe
1664 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
1680 C:\Program Files\AVG\AVG2012\avgwdsvc.exe
1712 C:\Program Files\Bonjour\mDNSResponder.exe
1760 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
1872 C:\Program Files\Norton PC Checkup\Engine\2.0.2.544\SymcPCCULaunchSvc.exe
2004 C:\Program Files\Norton Safe Web Lite\Engine\1.0.1.8\ccSvcHst.exe
140 C:\Program Files\Norton PC Checkup\Engine\2.0.2.544\ccSvcHst.exe
172 C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
388 C:\WINDOWS\system32\svchost.exe
464 C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\9.0.1\ToolbarUpdater.exe
720 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
1144 C:\Program Files\AVG\AVG2012\avgnsx.exe
1284 C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
2084 C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
2092 C:\Program Files\Norton PC Checkup\Engine\2.0.2.544\ccSvcHst.exe
2276 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
2508 C:\Program Files\Canon\CAL\CALMAIN.exe
2692 alg.exe
3488 C:\WINDOWS\system\hpsysdrv.exe
3528 C:\WINDOWS\system32\hkcmd.exe
3540 C:\WINDOWS\AGRSMMSG.exe
3600 C:\hp\KBD\kbd.exe
3644 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
3696 C:\Program Files\Lexmark 5200 Series\lxbtbmgr.exe
3728 C:\WINDOWS\SOUNDMAN.EXE
3772 C:\WINDOWS\ALCWZRD.EXE
3804 C:\Program Files\Lexmark 5200 Series\lxbtbmon.exe
3836 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
3980 C:\Program Files\MSN Toolbar\Platform\5.0.1423.0\mswinext.exe
4088 C:\Program Files\iTunes\iTunesHelper.exe
348 C:\Program Files\QuickTime\QTTask.exe
404 C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
712 C:\Program Files\AVG\AVG2012\avgtray.exe
2064 C:\Program Files\AVG Secure Search\vprot.exe
1392 C:\Program Files\Shutterfly\Studio\Bin\SFlyStudio.exe
1064 C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgets.exe
3300 C:\Program Files\iPod\bin\iPodService.exe
3588 C:\WINDOWS\explorer.exe
2516 C:\WINDOWS\system32\ctfmon.exe
3976 C:\Program Files\Mozilla Firefox5\firefox.exe
2312 C:\WINDOWS\system32\wuauclt.exe
1572 C:\Program Files\Mozilla Firefox5\plugin-container.exe
2928 C:\Documents and Settings\HP_Owner\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000001`be32e000 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (FAT32)

PhysicalDrive0 Model Number: SAMSUNGSP1614C, Rev: SW100-30

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 Legit MBR code detected
SHA1: F75A10171F7488C11BA9A98CEC3D186D7A8D3972


Done!


SystemLook 30.07.11 by jpshortstuff
Log created at 05:12 on 05/01/2012 by HP_Owner
Administrator - Elevation successful

========== dir ==========

C:\Documents and Settings\HP_Owner\Application Data\AVG2012 - Parameters: "/sub"

---Files---
None found.

C:\Documents and Settings\HP_Owner\Application Data\AVG2012\cfgall d------ [18:59 23/12/2011]
userawacs.cfg --a---- 6727 bytes [18:59 23/12/2011] [11:12 05/01/2012]
usergui.cfg --a---- 205 bytes [18:59 23/12/2011] [07:49 29/12/2011]

-= EOF =-
jja1313
Regular Member
 
Posts: 36
Joined: January 9th, 2010, 3:09 am
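What the "Legit MBR code detected" line in the MBRCheck log above rests on, as an added example that is not part of the thread and not MBRCheck's own code: read one 512-byte sector, confirm the 0x55AA signature, decode the partition table into the byte offsets the tool prints for C: and D:, and compare a hash of the boot code against known-good values. The sector below is constructed to reproduce the offsets 0x7e00 and 0x1be32e000 from the log; on a live machine you would read the first 512 bytes of \\.\PhysicalDrive0 as Administrator instead. The empty allowlist and the choice to hash only the 440-byte code area are assumptions of mine; MBRCheck's SHA1 may cover the whole sector.

```python
"""Decode a raw MBR the way a bootkit check such as MBRCheck does.
Added example, not MBRCheck's code; the allowlist and the hashed region
are assumptions (see comments)."""
import hashlib
import struct

SECTOR = 512
CODE_LEN = 440            # boot code; 4-byte disk signature + 2 pad bytes follow
TABLE_OFF = 446           # four 16-byte partition entries
BOOT_SIG = b"\x55\xaa"
PART_TYPES = {0x07: "NTFS", 0x0B: "FAT32", 0x0C: "FAT32"}
ENTRY = struct.Struct("<B3sB3sII")   # status, CHS start, type, CHS end, LBA, count

# Assumed allowlist of SHA1 digests of boot code you have verified yourself
# (for example a stock Windows XP MBR).  Deliberately empty: no real hashes.
KNOWN_GOOD_CODE_SHA1 = frozenset()

def build_sample_mbr():
    """Constructed sector: FAT32 recovery partition at LBA 63 and a bootable
    NTFS partition at LBA 14621040, i.e. byte offsets 0x7e00 and
    0x1be32e000, matching D: and C: in the MBRCheck log."""
    code = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]) + b"\x90" * (CODE_LEN - 7)
    disk_sig = struct.pack("<I", 0x12345678)
    def entry(status, ptype, lba, count):
        return ENTRY.pack(status, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", lba, count)
    table = (entry(0x00, 0x0B, 63, 14620977)
             + entry(0x80, 0x07, 14621040, 297787000)
             + bytes(32))                      # two empty slots
    return code + disk_sig + b"\x00\x00" + table + BOOT_SIG

def is_valid_mbr(sector):
    return len(sector) == SECTOR and sector[510:512] == BOOT_SIG

def parse_mbr(sector):
    if not is_valid_mbr(sector):
        raise ValueError("not a 512-byte sector with a 0x55AA signature")
    parts = []
    for i in range(4):
        off = TABLE_OFF + 16 * i
        status, _, ptype, _, lba, count = ENTRY.unpack(sector[off:off + 16])
        if ptype == 0:
            continue                           # empty slot
        parts.append({
            "slot": i,
            "bootable": status == 0x80,
            "type": PART_TYPES.get(ptype, "type 0x%02X" % ptype),
            "offset": lba * SECTOR,            # the "at offset" value MBRCheck prints
            "size": count * SECTOR,
        })
    return {
        # Assumption: hash the code area only, so a changed disk signature or
        # partition table does not change the verdict on the code itself.
        "code_sha1": hashlib.sha1(sector[:CODE_LEN]).hexdigest().upper(),
        "sector_sha1": hashlib.sha1(sector).hexdigest().upper(),
        "disk_signature": struct.unpack_from("<I", sector, CODE_LEN)[0],
        "partitions": parts,
    }

def verdict(info, known_good=KNOWN_GOOD_CODE_SHA1):
    """Assumed reading of MBRCheck's verdict: code whose hash is on the
    allowlist is reported as legitimate; anything else needs a manual look."""
    if info["code_sha1"] in known_good:
        return "Legit MBR code detected"
    return "Unknown MBR code - inspect by hand"

if __name__ == "__main__":
    info = parse_mbr(build_sample_mbr())
    for p in info["partitions"]:
        print("slot %d %-6s at offset 0x%016x%s"
              % (p["slot"], p["type"], p["offset"], " (boot)" if p["bootable"] else ""))
    print("code SHA1:", info["code_sha1"], "->", verdict(info))
```

A mismatch between the partition offsets decoded here and the volumes Windows reports, or a code hash that is not on your allowlist, is the signal MBRCheck is looking for; the hash alone says nothing until it is compared with a value you trust.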

Re: Trojan Horse Back Door Generic

Unread postby diver79 » January 5th, 2012, 6:06 pm

Hi Jeff,

The scans all went well; I can see no more indications of an infection.

How is the computer performing now? Is AVG still issuing alerts?
If so, can you take note of them and let me know exactly what the alert stated?

For now I would like to see another ESET scan to see if that picks up anything.

ESET Online Scanner:
Note: You can use either Internet Explorer or Mozilla Firefox for this scan. You will, however, need to disable your anti-virus.

Disable AVG
  • Open the AVG User Interface.
  • Double-click on the Resident Shield.
  • Un-tick the option Resident Shield active.
  • Save the changes.

  • Please go here to run the scan.
    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted, then double-click it to install.
    All of the instructions below are compatible with either Internet Explorer or Mozilla Firefox.
  • Select the option YES, I accept the Terms of Use then click on: Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Image
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the mouse or the keyboard during the scan, otherwise it may stall.
  • When completed, select Uninstall application on close if you so wish; make sure you copy the logfile first!
  • Now click on: Image
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!
diver79
Retired Graduate
 
Posts: 1004
Joined: January 3rd, 2010, 7:03 pm

Re: Trojan Horse Back Door Generic

Unread postby jja1313 » January 5th, 2012, 11:49 pm

Hi Diver79,

Everything has been running well. I haven't noticed a threat identified in the last few days. I will log and note any future threats.

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=f73311e21d83444a8565bff3919d8f53
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-01-01 11:58:17
# local_time=2012-01-01 05:58:17 (-0600, Central Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1024 16777191 100 0 0 0 0 0
# compatibility_mode=2560 16777215 100 0 0 0 0 0
# compatibility_mode=3584 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=115734
# found=2
# cleaned=0
# scan_time=10932
C:\Documents and Settings\HP_Owner\Application Data\AVG\Rescue\PC Tuneup 2011\111229015510250.rsc Java/Exploit.Agent.NAA trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\HP_Owner\My Documents\Downloads\Unlocker1.9.1.exe a variant of Win32/Toolbar.Babylon application (unable to clean) 00000000000000000000000000000000 I
esets_scanner_update returned -1 esets_gle=0
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=f73311e21d83444a8565bff3919d8f53
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-01-06 02:52:20
# local_time=2012-01-05 08:52:20 (-0600, Central Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1024 16777191 100 0 0 0 0 0
# compatibility_mode=2560 16777215 100 0 0 0 0 0
# compatibility_mode=3584 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 274835 274835 0 0
# scanned=124998
# found=2
# cleaned=0
# scan_time=12090
C:\_OTL\MovedFiles\01022012_104058\C_Documents and Settings\HP_Owner\Application Data\AVG\Rescue\PC Tuneup 2011\111229015510250.rsc Java/Exploit.Agent.NAA trojan (unable to clean) 00000000000000000000000000000000 I
C:\_OTL\MovedFiles\01022012_104058\C_Documents and Settings\HP_Owner\My Documents\Downloads\Unlocker1.9.1.exe a variant of Win32/Toolbar.Babylon application (unable to clean) 00000000000000000000000000000000 I
jja1313
Regular Member
 
Posts: 36
Joined: January 9th, 2010, 3:09 am

Re: Trojan Horse Back Door Generic

Unread postby diver79 » January 6th, 2012, 8:08 am

Hi Jeff,

That's good news.

The ESET log is from the original scan. Can you take a look in C:\Program Files\ESET\EsetOnlineScanner? There may be a file called log[1].txt.

If you cannot find this file then please delete C:\Program Files\ESET\EsetOnlineScanner\log.txt and run the ESET scan again.

Thanks,

diver79.
diver79
Retired Graduate
 
Posts: 1004
Joined: January 3rd, 2010, 7:03 pm

Re: Trojan Horse Back Door Generic

Unread postby jja1313 » January 6th, 2012, 12:09 pm

Sorry about that. However, it looks like the 1/5 data was just appended to the prior file. I will run another scan, if this isn't what you need. Thanks.

esets_scanner_update returned -1 esets_gle=0
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=f73311e21d83444a8565bff3919d8f53
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-01-06 02:52:20
# local_time=2012-01-05 08:52:20 (-0600, Central Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1024 16777191 100 0 0 0 0 0
# compatibility_mode=2560 16777215 100 0 0 0 0 0
# compatibility_mode=3584 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 274835 274835 0 0
# scanned=124998
# found=2
# cleaned=0
# scan_time=12090
C:\_OTL\MovedFiles\01022012_104058\C_Documents and Settings\HP_Owner\Application Data\AVG\Rescue\PC Tuneup 2011\111229015510250.rsc Java/Exploit.Agent.NAA trojan (unable to clean) 00000000000000000000000000000000 I
C:\_OTL\MovedFiles\01022012_104058\C_Documents and Settings\HP_Owner\My Documents\Downloads\Unlocker1.9.1.exe a variant of Win32/Toolbar.Babylon application (unable to clean) 00000000000000000000000000000000 I
jja1313
Regular Member
 
Posts: 36
Joined: January 9th, 2010, 3:09 am
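One way to make sense of a log.txt that several scans have been appended to, the situation in the two posts above, as an added example that is not from the thread and not ESET's code: split the file into runs at each "# version=" header, pick the run with the newest utc_time, and separate detections that sit inside a removal tool's quarantine folder from live ones. The sample log is constructed from the lines quoted above; tab-separated and space-separated detection lines both parse. The quarantine prefixes, C:\_OTL\MovedFiles for OTL and C:\Qoobox\Quarantine for ComboFix, are my assumption about why the second run still counts as clean; adjust them to the tools actually run on the machine.

```python
"""Parse an ESET Online Scanner log.txt with several appended runs.
Added example, not ESET's or the forum's code; sample log constructed from
the thread, quarantine folder list is an assumption."""
import re
from datetime import datetime

# Constructed sample: two runs appended to one file, as in the thread.
SAMPLE_LOG = r"""ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# end=finished
# remove_checked=false
# utc_time=2012-01-01 11:58:17
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=115734
# found=2
# cleaned=0
C:\Documents and Settings\HP_Owner\Application Data\AVG\Rescue\PC Tuneup 2011\111229015510250.rsc Java/Exploit.Agent.NAA trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\HP_Owner\My Documents\Downloads\Unlocker1.9.1.exe a variant of Win32/Toolbar.Babylon application (unable to clean) 00000000000000000000000000000000 I
esets_scanner_update returned -1 esets_gle=0
# version=7
# end=finished
# utc_time=2012-01-06 02:52:20
# scanned=124998
# found=2
# cleaned=0
C:\_OTL\MovedFiles\01022012_104058\C_Documents and Settings\HP_Owner\Application Data\AVG\Rescue\PC Tuneup 2011\111229015510250.rsc Java/Exploit.Agent.NAA trojan (unable to clean) 00000000000000000000000000000000 I
C:\_OTL\MovedFiles\01022012_104058\C_Documents and Settings\HP_Owner\My Documents\Downloads\Unlocker1.9.1.exe a variant of Win32/Toolbar.Babylon application (unable to clean) 00000000000000000000000000000000 I
"""

HEADER_RE = re.compile(r"^# (?P<key>[^=\s]+)=(?P<value>.*)$")
# path, threat name (ESET's "<platform>/<family>" form, optionally prefixed
# "a variant of"), action in parentheses, 32-hex hash, flag.
DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?P<threat>(?:(?:probably )?a variant of )?[A-Za-z0-9]+/\S+(?: \S+)?)\s+"
    r"\((?P<action>[^)]*)\)\s+"
    r"(?P<hash>[0-9A-Fa-f]{32})\s+"
    r"(?P<flag>\S+)$"
)

# Assumed quarantine folders of the removal tools used in this thread; a hit
# under one of these is an inert backup, not a running infection.
QUARANTINE_PREFIXES = ("c:\\_otl\\movedfiles\\", "c:\\qoobox\\quarantine\\")

def parse_eset_log(text):
    """Return runs in file order, each {'header': {...}, 'detections': [...]}.
    A new run starts at every '# version=' line."""
    runs, current = [], None
    for raw in text.splitlines():
        line = raw.replace("\t", " ").strip()
        m = HEADER_RE.match(line)
        if m:
            key, value = m.group("key"), m.group("value")
            if key == "version":
                current = {"header": {}, "detections": []}
                runs.append(current)
            if current is not None:
                # compatibility_mode repeats, so every key keeps a list
                current["header"].setdefault(key, []).append(value)
            continue
        m = DETECTION_RE.match(line)
        if m and current is not None:
            d = m.groupdict()
            d["quarantined"] = d["path"].lower().startswith(QUARANTINE_PREFIXES)
            current["detections"].append(d)
    return runs

def run_time(run):
    return datetime.strptime(run["header"]["utc_time"][0], "%Y-%m-%d %H:%M:%S")

def latest_run(runs):
    """The scan you asked for is the newest one, not the first in the file."""
    return max(runs, key=run_time)

def summarize(run):
    live = [d for d in run["detections"] if not d["quarantined"]]
    quarantined = [d for d in run["detections"] if d["quarantined"]]
    return {
        "utc_time": run["header"]["utc_time"][0],
        "scanned": int(run["header"]["scanned"][0]),
        "found": int(run["header"]["found"][0]),
        "live": live,
        "quarantined": quarantined,
        "clean": not live,          # "found" counts quarantined hits too
    }

if __name__ == "__main__":
    runs = parse_eset_log(SAMPLE_LOG)
    s = summarize(latest_run(runs))
    print("%d runs in file; latest %s: scanned=%d found=%d live=%d quarantined=%d -> %s"
          % (len(runs), s["utc_time"], s["scanned"], s["found"], len(s["live"]),
             len(s["quarantined"]), "clean" if s["clean"] else "NOT clean"))
    for d in s["live"] + s["quarantined"]:
        print(("  [quarantine] " if d["quarantined"] else "  [LIVE]       ") + d["threat"] + "  " + d["path"])
```

The header's found=2 is the same in both runs, which is exactly why reading the number alone misleads: only the paths show that the second run's hits are copies OTL had already moved out of the way.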

Re: Trojan Horse Back Door Generic

Unread postby diver79 » January 7th, 2012, 9:32 am

Hi Jeff,

That was the correct log, and it came back clean. We are still left with the modified files issue and there are some programs on your PC that need to be removed.

Remove Programs
  • The following programs installed on your PC need to be removed.
    Adobe Reader 9.4.6
    HijackThis 2.0.2
    Java(TM) 6 Update 24
    TuneUpMedic
    Zynga Toolbar
  • Click on start
  • Then Run
  • In the Open text entry box please copy/paste appwiz.cpl, then press Enter.
  • Press the "Remove" or "Change/Remove"...button to uninstall the programs listed above (in red).
  • Take care when answering any questions posed by an uninstaller. Some questions may be worded to deceive you into keeping the program.

Note: You can get the latest versions of Java and Adobe Reader at the locations below.
http://get.adobe.com/uk/reader/
http://www.java.com/en/download/index.jsp


Re-run Grantperms
  • Locate the Grantperms folder you extracted earlier (it should be on your desktop).
  • Enter the GrantPerms folder & double click GrantPerms.exe to run it.
  • Copy and paste the contents of the code box below into the white box (Do Not include Code:)
Code:
c:\\Documents and Settings\HP_Owner\Application Data\Macromedia\Flash Player\localhost\DOCUME~1\HP_Owner\LOCALS~1
c:\\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\6.0\AcroForm\MRUFormsList
c:\\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\6.0\Collab\OfflineDocs
c:\\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\6.0\Collab\Reviews
c:\\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\6.0\Preferences\AutoFillDefaults.dat
c:\\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\6.0\Preferences\defaultHeuristics.dat
c:\\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\6.0\Updater\udstore.js
c:\\WINDOWS\system32\config\systemprofile\Application Data\Aladdin Systems\StuffIt\ArchiveSearch\exclude.db
c:\\WINDOWS\system32\config\systemprofile\Application Data\Aladdin Systems\StuffIt\Catalog\exclude.db
c:\\WINDOWS\system32\config\systemprofile\Application Data\InterMute\SpySubtract\tmp\3
c:\\WINDOWS\system32\config\systemprofile\Application Data\InterMute\SpySubtract\tmp\3.ldb
c:\\WINDOWS\system32\config\systemprofile\Application Data\Motive\Acme\plugin\config
c:\\WINDOWS\system32\config\systemprofile\Application Data\Motive\Acme\plugin\log
c:\\WINDOWS\system32\config\systemprofile\Application Data\Motive\Acme\plugin\stats
c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\cache\1.dat
c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\cache\1.tif
c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\cache\DirectoryMap.dat
c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\cache\LastWrite.txt
c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\db\administrativeInfo.dbf
c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.cdx
c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.dbf
c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.cdx
c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.dbf
c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\db\CB_Server_Errors.txt
c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.cdx
c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.dbf
c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.cdx
c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.dbf
c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.fpt
c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.cdx
c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.dbf
c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.cdx
c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.dbf
c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\db\managedFolderTable.dbf
c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.cdx
c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.dbf
c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.cdx
c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.dbf
c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.cdx
c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.dbf
c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\Vault\03dc31bd_651990.jpg
c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\Vault\117eb7e0_353760.jpg
c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\Vault\1195c1c7_712466.jpg
c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\Vault\15e34ec7_490552.jpg
c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\Vault\5da66c79_322997.jpg
c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\Vault\7748f3ea_570314.jpg
c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\Vault\79540301_392125.jpg
c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\Vault\9399091f_384213.jpg
c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\Vault\986a565d_117962.jpg
c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\Vault\assetFiles.settings
c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\Vault\e4b775cd_115834.jpg
c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\Vault\vaultFiles.settings
c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\IsolatedStorage\0hnh3l35.myv\2sqf2il1.rl4\StrongName.czm5tyszaplbnspbwrwr5sftif5gm0kk
c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\IsolatedStorage\0hnh3l35.myv\2sqf2il1.rl4\StrongName.zm3mix00r4oodf2vo5zlyh1za3feugtg
  • Now Click Unlock
  • When it's done, click "OK".
  • Now click List Permissions and post contents of the log file that opens (Perms.txt)
  • A copy of Perms.txt will be saved in the same directory the tool is run.


Re-run Junction
  • Click Start > Run. Copy and paste the contents of the codebox below into the run box.
    (Do Not include Code:) Then click OK:
Code:
cmd /c junction -s c:\ >log.txt&log.txt&del log.txt
  • A command window will open and the system will be scanned. (Click Agree to the prompt)
  • Please be patient & wait until a log file opens in notepad.
  • Copy and paste the contents of that file in your next reply.
diver79
Retired Graduate
 
Posts: 1004
Joined: January 3rd, 2010, 7:03 pm

Re: Trojan Horse Back Door Generic

Unread postby jja1313 » January 7th, 2012, 10:26 am

I had earlier downloaded the newest version of Adobe Reader. I deleted TuneUpMedic, but could not find the other programs. I deleted a Hijack log.


GrantPerms by Farbar
Ran by HP_Owner (administrator) at 2012-01-07 08:05:18

===============================================
\\?\c:\\Documents and Settings\HP_Owner\Application Data\Macromedia\Flash Player\localhost\DOCUME~1\HP_Owner\LOCALS~1

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(IO)(I)
ARNDT\HP_Owner FULL ALLOW (I)
ARNDT\HP_Owner FULL ALLOW (CI)(OI)(IO)(I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\6.0\AcroForm\MRUFormsList

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\6.0\Collab\OfflineDocs

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\6.0\Collab\Reviews

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\6.0\Preferences\AutoFillDefaults.dat

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\6.0\Preferences\defaultHeuristics.dat

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\6.0\Updater\udstore.js

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Aladdin Systems\StuffIt\ArchiveSearch\exclude.db

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Aladdin Systems\StuffIt\Catalog\exclude.db

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\InterMute\SpySubtract\tmp\3

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\InterMute\SpySubtract\tmp\3.ldb

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Motive\Acme\plugin\config

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(IO)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(IO)(I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Motive\Acme\plugin\log

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(IO)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(IO)(I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Motive\Acme\plugin\stats

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(IO)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(IO)(I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\cache\1.dat

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\cache\1.tif

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\cache\DirectoryMap.dat

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\cache\LastWrite.txt

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\db\administrativeInfo.dbf

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.cdx

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.dbf

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.cdx

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.dbf

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\db\CB_Server_Errors.txt

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.cdx

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.dbf

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.cdx

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.dbf

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.fpt

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.cdx

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.dbf

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.cdx

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.dbf

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\db\managedFolderTable.dbf

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.cdx

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.dbf

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.cdx

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.dbf

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.cdx

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.dbf

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\Vault\03dc31bd_651990.jpg

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\Vault\117eb7e0_353760.jpg

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\Vault\1195c1c7_712466.jpg

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\Vault\15e34ec7_490552.jpg

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\Vault\5da66c79_322997.jpg

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\Vault\7748f3ea_570314.jpg

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\Vault\79540301_392125.jpg

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\Vault\9399091f_384213.jpg

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\Vault\986a565d_117962.jpg

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\Vault\assetFiles.settings

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\Vault\e4b775cd_115834.jpg

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\HP\Digital Imaging\Vault\vaultFiles.settings

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\IsolatedStorage\0hnh3l35.myv\2sqf2il1.rl4\StrongName.czm5tyszaplbnspbwrwr5sftif5gm0kk

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(IO)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(IO)(I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\IsolatedStorage\0hnh3l35.myv\2sqf2il1.rl4\StrongName.zm3mix00r4oodf2vo5zlyh1za3feugtg

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(IO)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(IO)(I)


Junction v1.06 - Windows junction creator and reparse point viewer
Copyright (C) 2000-2010 Mark Russinovich
Sysinternals - www.sysinternals.com


Failed to open \\?\c:\\hiberfil.sys: The process cannot access the file because it is being used by another process.



Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.


Failed to open \\?\c:\\Documents and Settings\HP_Owner\Application Data\Macromedia\Flash Player\localhost\DOCUME~1\HP_Owner\LOCALS~1\Temp: Access is denied.


Failed to open \\?\c:\\Qoobox\BackEnv: Access is denied.




\\?\c:\\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790

\\?\c:\\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e
Substitute Name: C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e

Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Motive\Acme\plugin\config\Contact.xml: Access is denied.



Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Motive\Acme\plugin\log\pchbtn.log: Access is denied.



Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Motive\Acme\plugin\log\pluginctrl.log: Access is denied.



Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Motive\Acme\plugin\log\pluginmsgs.log: Access is denied.



Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Motive\Acme\plugin\stats\outmsgs: Access is denied.



Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\IsolatedStorage\0hnh3l35.myv\2sqf2il1.rl4\StrongName.czm5tyszaplbnspbwrwr5sftif5gm0kk\AssemFiles: Access is denied.



Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\IsolatedStorage\0hnh3l35.myv\2sqf2il1.rl4\StrongName.czm5tyszaplbnspbwrwr5sftif5gm0kk\identity.dat: Access is denied.



Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\IsolatedStorage\0hnh3l35.myv\2sqf2il1.rl4\StrongName.czm5tyszaplbnspbwrwr5sftif5gm0kk\info.dat: Access is denied.



Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\IsolatedStorage\0hnh3l35.myv\2sqf2il1.rl4\StrongName.zm3mix00r4oodf2vo5zlyh1za3feugtg\AssemFiles: Access is denied.



Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\IsolatedStorage\0hnh3l35.myv\2sqf2il1.rl4\StrongName.zm3mix00r4oodf2vo5zlyh1za3feugtg\identity.dat: Access is denied.



Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\IsolatedStorage\0hnh3l35.myv\2sqf2il1.rl4\StrongName.zm3mix00r4oodf2vo5zlyh1za3feugtg\info.dat: Access is denied.




jja1313
Regular Member
 
Posts: 36
Joined: January 9th, 2010, 3:09 am

Re: Trojan Horse Back Door Generic

Unread postby diver79 » January 7th, 2012, 2:35 pm

Hi Jeff,

We are getting there :)

Re-run Grantperms
  • Locate the Grantperms folder you extracted earlier (it should be on your desktop).
  • Enter the GrantPerms folder & double click GrantPerms.exe to run it.
  • Copy and paste the contents of the codebox below into the whitebox (Do Not include Code:)
Code:
c:\\Documents and Settings\HP_Owner\Application Data\Macromedia\Flash Player\localhost\DOCUME~1\HP_Owner\LOCALS~1\Temp
c:\\WINDOWS\system32\config\systemprofile\Application Data\Motive\Acme\plugin\config\Contact.xml
c:\\WINDOWS\system32\config\systemprofile\Application Data\Motive\Acme\plugin\log\pchbtn.log
c:\\WINDOWS\system32\config\systemprofile\Application Data\Motive\Acme\plugin\log\pluginctrl.log
c:\\WINDOWS\system32\config\systemprofile\Application Data\Motive\Acme\plugin\log\pluginmsgs.log
c:\\WINDOWS\system32\config\systemprofile\Application Data\Motive\Acme\plugin\stats\outmsgs
c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\IsolatedStorage\0hnh3l35.myv\2sqf2il1.rl4\StrongName.czm5tyszaplbnspbwrwr5sftif5gm0kk\AssemFiles
c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\IsolatedStorage\0hnh3l35.myv\2sqf2il1.rl4\StrongName.czm5tyszaplbnspbwrwr5sftif5gm0kk\identity.dat
c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\IsolatedStorage\0hnh3l35.myv\2sqf2il1.rl4\StrongName.czm5tyszaplbnspbwrwr5sftif5gm0kk\info.dat
c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\IsolatedStorage\0hnh3l35.myv\2sqf2il1.rl4\StrongName.zm3mix00r4oodf2vo5zlyh1za3feugtg\AssemFiles
c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\IsolatedStorage\0hnh3l35.myv\2sqf2il1.rl4\StrongName.zm3mix00r4oodf2vo5zlyh1za3feugtg\identity.dat
c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\IsolatedStorage\0hnh3l35.myv\2sqf2il1.rl4\StrongName.zm3mix00r4oodf2vo5zlyh1za3feugtg\info.dat
  • Now Click Unlock
  • When it's done, click "OK".
  • Now click List Permissions and post contents of the log file that opens (Perms.txt)
  • A copy of Perms.txt will be saved in the same directory the tool is run.


Re-run Junction
  • Click Start > Run. Copy and paste the contents of the codebox below into the run box.
    (Do Not include Code:) Then click OK:
Code:
cmd /c junction -s c:\ >log.txt&log.txt&del log.txt
  • A command window will open and the system will be scanned. (Click Agree to the prompt)
  • Please be patient & wait until a log file opens in notepad.
  • Copy and paste the contents of that file in your next reply.
diver79
Retired Graduate
 
Posts: 1004
Joined: January 3rd, 2010, 7:03 pm
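The loop in the posts above (Junction reports "Access is denied" on paths, GrantPerms unlocks them, Junction is re-run) can be automated on the log side. This is an added example, not code from the thread or from the GrantPerms or Junction tools: it parses both log formats from constructed samples modelled on the posted output, produces the next GrantPerms path list, and flags DACL states a helper would look at twice (DENY entries, broad-group write rights, an unexpected owner). The sample paths, the EXAMPLE domain and the DENY entry are constructed for the example.

```python
"""Parse the two log formats posted in this thread (Farbar GrantPerms'
Perms.txt and Sysinternals Junction's recursive scan) and derive the next
step of the unlock loop. Constructed sample logs are embedded below."""
import re
from dataclasses import dataclass, field

LONG_PREFIX = "\\\\?\\"          # the \\?\ path form both tools print

# Constructed sample of a "junction -s c:\" log, modelled on the posted output
# (progress dots, "Failed to open" lines, JUNCTION reparse-point entries).
JUNCTION_LOG = r"""Junction v1.06 - Windows junction creator and reparse point viewer
Copyright (C) 2000-2010 Mark Russinovich

Failed to open \\?\c:\hiberfil.sys: The process cannot access the file because it is being used by another process.
...
Failed to open \\?\c:\Qoobox\BackEnv: Access is denied.
...
\\?\c:\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e
Substitute Name: C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e
..
Failed to open \\?\c:\WINDOWS\system32\config\systemprofile\Application Data\Motive\Acme\plugin\config\Contact.xml: Access is denied.
.
"""

# Constructed sample Perms.txt; the EXAMPLE\HP_Owner owner and the DENY entry
# are made up to exercise the checks, they are not from the thread.
PERMS_LOG = r"""GrantPerms by Farbar
Ran by HP_Owner (administrator) at 2012-01-07 14:16:51

===============================================
\\?\c:\Qoobox\BackEnv

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)


\\?\c:\WINDOWS\system32\config\systemprofile\Application Data\Motive\Acme\plugin\config\Contact.xml

Owner: EXAMPLE\HP_Owner

DACL(NP)(AI):
Everyone FULL DENY (I)
BUILTIN\Users FULL ALLOW (I)
"""

# trustee, rights, ALLOW/DENY, then zero or more (CI)(OI)(IO)(I) flags
ACE_RE = re.compile(r"^(?P<trustee>.+?) (?P<rights>[A-Z/]+) (?P<kind>ALLOW|DENY)\s*(?P<flags>(?:\([A-Z]+\)\s*)*)$")
BROAD = {"Everyone", "BUILTIN\\Users", "NT AUTHORITY\\Authenticated Users"}
TRUSTED_OWNERS = {"BUILTIN\\Administrators", "NT AUTHORITY\\SYSTEM"}


def strip_prefix(path):
    """Turn the \\?\ long-path form into the plain form GrantPerms accepts."""
    return path[len(LONG_PREFIX):] if path.startswith(LONG_PREFIX) else path


@dataclass
class Entry:
    path: str
    owner: str = ""
    aces: list = field(default_factory=list)   # (trustee, rights, kind, flags)


@dataclass
class JunctionReport:
    denied: list = field(default_factory=list)     # "Access is denied" paths
    in_use: list = field(default_factory=list)     # locked by another process
    junctions: list = field(default_factory=list)  # (path, print name, substitute name)


def parse_perms(text):
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(LONG_PREFIX):          # a path line opens a new entry
            cur = Entry(path=strip_prefix(line))
            entries.append(cur)
        elif cur is None or not line or line.startswith("DACL"):
            continue
        elif line.startswith("Owner:"):
            cur.owner = line.split(":", 1)[1].strip()
        else:
            m = ACE_RE.match(line)
            if m:
                flags = tuple(re.findall(r"\((\w+)\)", m["flags"]))
                cur.aces.append((m["trustee"], m["rights"], m["kind"], flags))
    return entries


def parse_junction_log(text):
    rep = JunctionReport()
    # lstrip(".") also repairs progress dots fused onto the next line ("..\\?\c:...")
    lines = [l.strip().lstrip(".") for l in text.splitlines()]
    for i, line in enumerate(lines):
        if line.startswith("Failed to open "):
            path, reason = line[len("Failed to open "):].rsplit(": ", 1)
            bucket = rep.denied if reason.startswith("Access is denied") else rep.in_use
            bucket.append(strip_prefix(path))
        elif line.endswith(": JUNCTION"):
            names = {}
            for nxt in lines[i + 1:i + 3]:            # the two name lines that follow
                key, _, val = nxt.partition(":")
                names[key.strip()] = val.strip()
            rep.junctions.append((strip_prefix(line[:-len(": JUNCTION")]),
                                  names.get("Print Name", ""), names.get("Substitute Name", "")))
    return rep


def next_unlock_list(report):
    """Paths to paste into GrantPerms next: denied ones only; files merely in
    use (hiberfil.sys, pagefile.sys) are expected and skipped."""
    return sorted(set(report.denied))


def review_perms(entries):
    """Flag DACL states worth a second look after an unlock run."""
    findings = []
    for e in entries:
        if e.owner not in TRUSTED_OWNERS:
            findings.append((e.path, f"owner is {e.owner}"))
        for trustee, rights, kind, _ in e.aces:
            if kind == "DENY":
                findings.append((e.path, f"DENY ACE for {trustee}"))
            elif trustee in BROAD and rights != "READ/EXECUTE":
                findings.append((e.path, f"{trustee} has {rights}"))
    return findings


if __name__ == "__main__":
    rep = parse_junction_log(JUNCTION_LOG)
    print("Unlock next:", *next_unlock_list(rep), sep="\n  ")
    for path, pn, sn in rep.junctions:
        print(f"junction {path} -> {sn}")
    for path, why in review_perms(parse_perms(PERMS_LOG)):
        print(f"check {path}: {why}")
```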

Re: Trojan Horse Back Door Generic

Unread postby jja1313 » January 7th, 2012, 4:26 pm

Hi Diver79,

Here you go. I can't thank you enough for all your help.


GrantPerms by Farbar
Ran by HP_Owner (administrator) at 2012-01-07 14:16:51

===============================================
\\?\c:\\Documents and Settings\HP_Owner\Application Data\Macromedia\Flash Player\localhost\DOCUME~1\HP_Owner\LOCALS~1\Temp

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(IO)(I)
ARNDT\HP_Owner FULL ALLOW (I)
ARNDT\HP_Owner FULL ALLOW (CI)(OI)(IO)(I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Motive\Acme\plugin\config\Contact.xml

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Motive\Acme\plugin\log\pchbtn.log

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Motive\Acme\plugin\log\pluginctrl.log

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Motive\Acme\plugin\log\pluginmsgs.log

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Motive\Acme\plugin\stats\outmsgs

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(IO)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(IO)(I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\IsolatedStorage\0hnh3l35.myv\2sqf2il1.rl4\StrongName.czm5tyszaplbnspbwrwr5sftif5gm0kk\AssemFiles

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(IO)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(IO)(I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\IsolatedStorage\0hnh3l35.myv\2sqf2il1.rl4\StrongName.czm5tyszaplbnspbwrwr5sftif5gm0kk\identity.dat

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\IsolatedStorage\0hnh3l35.myv\2sqf2il1.rl4\StrongName.czm5tyszaplbnspbwrwr5sftif5gm0kk\info.dat

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\IsolatedStorage\0hnh3l35.myv\2sqf2il1.rl4\StrongName.zm3mix00r4oodf2vo5zlyh1za3feugtg\AssemFiles

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(IO)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(IO)(I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\IsolatedStorage\0hnh3l35.myv\2sqf2il1.rl4\StrongName.zm3mix00r4oodf2vo5zlyh1za3feugtg\identity.dat

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)


\\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\IsolatedStorage\0hnh3l35.myv\2sqf2il1.rl4\StrongName.zm3mix00r4oodf2vo5zlyh1za3feugtg\info.dat

Owner: BUILTIN\Administrators

DACL(NP)(AI):
BUILTIN\Administrators FULL ALLOW (I)
NT AUTHORITY\SYSTEM FULL ALLOW (I)
BUILTIN\Users READ/EXECUTE ALLOW (I)



Junction v1.06 - Windows junction creator and reparse point viewer
Copyright (C) 2000-2010 Mark Russinovich
Sysinternals - www.sysinternals.com


Failed to open \\?\c:\\hiberfil.sys: The process cannot access the file because it is being used by another process.



Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.


Failed to open \\?\c:\\Documents and Settings\HP_Owner\Application Data\Macromedia\Flash Player\localhost\DOCUME~1\HP_Owner\LOCALS~1\Temp\rf.swf: Access is denied.




Failed to open \\?\c:\\Qoobox\BackEnv: Access is denied.


\\?\c:\\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790

\\?\c:\\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e
Substitute Name: C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e

Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Application Data\Motive\Acme\plugin\stats\outmsgs\1116987081937.xml: Access is denied.



Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\IsolatedStorage\0hnh3l35.myv\2sqf2il1.rl4\StrongName.czm5tyszaplbnspbwrwr5sftif5gm0kk\AssemFiles\framePref.dat: Access is denied.



Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\IsolatedStorage\0hnh3l35.myv\2sqf2il1.rl4\StrongName.zm3mix00r4oodf2vo5zlyh1za3feugtg\AssemFiles\MyImagesPrefs.dat: Access is denied.



Failed to open \\?\c:\\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\IsolatedStorage\0hnh3l35.myv\2sqf2il1.rl4\StrongName.zm3mix00r4oodf2vo5zlyh1za3feugtg\AssemFiles\MyImagesState.dat: Access is denied.


jja1313
Regular Member
 
Posts: 36
Joined: January 9th, 2010, 3:09 am