TechSpot

Infection caused C drive to appear empty

By Evangelical
Jun 9, 2011
  1. Hard drive contents are invisible.
    Program list is empty.

    Have run TFC by OldTimer.
    Have run Malwarebytes.
    Log is attached.

    Have run GMER
    This is the log:
    GMER 1.0.15.15640 - http://www.gmer.net
    Rootkit quick scan 2011-06-09 13:54:27
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST3160815AS rev.4.ADA
    Running: pr504oqg.exe; Driver: C:\DOCUME~1\jmiller\LOCALS~1\Temp\agtyiaow.sys


    ---- System - GMER 1.0.15 ----

    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xB9DE80C0]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xB9DE80D4]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB9DE8100]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB9DE8156]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xB9DE80AC]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xB9DE8084]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xB9DE8098]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xB9DE80EA]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xB9DE812C]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xB9DE8116]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB9DE8180]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB9DE816C]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xB9DE8140]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

    ---- EOF - GMER 1.0.15 ----


    Thanks for your help
    Dave

  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Did you mark this thread Active?
     
  3. Evangelical

    Evangelical TS Rookie Topic Starter Posts: 16

    Active??

    Yes, I think I did mark it as Active.
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me.
    • Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    • Reminder to be patient

    If I have not replied for 2 days, you can send me a PM reminder. Include the URL of your thread. Please do not send me a PM to tell me your logs are up.
    If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
    =====================================
    Please follow the rest of the steps in the Preliminary Virus and Malware Removal thread HERE.

    NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

    When you have finished, leave the logs for review in your next reply.
    NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.

    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.

    You don't need to run GMER again, but please update and rescan with Malwarebytes. Include the new log with the 2 logs from DDS:
    ========================================
    You may get 'alerts' and 'error' messages with this malware. Do not act on any of them. They are rogue, just like the program.
    ========================================
    Please note: This will not remove the malware entries, just the attribute used to hide your files and programs. There is no log to leave.
    Download Unhide.exe and save to the desktop.
    • Double-click on Unhide.exe icon to run the program.
    • This program will remove the +H, or hidden, attribute from all the files on your hard drives.

    Please remove TFC from your system. We have pulled it temporarily as a glitch was found causing some processes to be removed that should not have been.
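
Added example, not part of the post above and not code from Unhide: a read-only Python check for the symptom this thread describes, which reports folders where nearly every entry carries the hidden attribute without the system attribute, so the state can be recorded before anything is changed. The function names, the 80% threshold, the minimum entry count and the sample paths are assumptions constructed for illustration.

```python
import ntpath
import os
import sys
from collections import defaultdict

# Windows file attribute bits (values from the Win32 API).
HIDDEN = 0x02
SYSTEM = 0x04


def classify(attrs):
    """Label one entry by its attribute bits."""
    if not attrs & HIDDEN:
        return "visible"
    # Hidden+system is how Windows marks its own protected files
    # (boot.ini, desktop.ini, pagefile.sys), so it is counted separately.
    return "hidden+system" if attrs & SYSTEM else "hidden-only"


def scan(root):
    """Yield (path, attribute bits) for everything under root. Read-only.

    st_file_attributes only exists on Windows; elsewhere every entry
    reports 0 and nothing will be flagged.
    """
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable entry: skip it, never modify
            yield path, getattr(st, "st_file_attributes", 0)


def mass_hidden_dirs(entries, min_entries=4, threshold=0.8):
    """Return {directory: counts} for folders that look bulk-hidden.

    A folder is flagged when, ignoring hidden+system entries, it has at
    least min_entries items and at least `threshold` of them are
    hidden-only. Both limits are assumptions, not a published rule.
    """
    per_dir = defaultdict(
        lambda: {"visible": 0, "hidden-only": 0, "hidden+system": 0})
    for path, attrs in entries:
        per_dir[ntpath.dirname(path)][classify(attrs)] += 1

    flagged = {}
    for directory, counts in per_dir.items():
        candidates = counts["visible"] + counts["hidden-only"]
        if candidates < min_entries:
            continue
        if counts["hidden-only"] / candidates >= threshold:
            flagged[directory] = counts
    return flagged


# Constructed sample (not taken from the logs in this thread):
# 0x20 archive, 0x10 directory, 0x22 archive+hidden, 0x12 directory+hidden,
# 0x26 archive+hidden+system, 0x27 the same plus read-only.
DOCS = "C:\\Documents and Settings\\user\\My Documents\\"
SAMPLE = [
    ("C:\\boot.ini", 0x26),
    ("C:\\ntldr", 0x27),
    ("C:\\pagefile.sys", 0x26),
    ("C:\\Documents and Settings", 0x12),
    ("C:\\Program Files", 0x12),
    ("C:\\WINDOWS", 0x12),
    ("C:\\report.txt", 0x22),
    ("C:\\WINDOWS\\explorer.exe", 0x20),
    ("C:\\WINDOWS\\notepad.exe", 0x20),
    ("C:\\WINDOWS\\win.ini", 0x20),
    ("C:\\WINDOWS\\system32", 0x10),
    ("C:\\WINDOWS\\$hf_mig$", 0x12),
    (DOCS + "budget.xls", 0x22),
    (DOCS + "letter.doc", 0x22),
    (DOCS + "notes.txt", 0x22),
    (DOCS + "photo.jpg", 0x22),
    (DOCS + "My Pictures", 0x12),
    (DOCS + "desktop.ini", 0x26),
]


if __name__ == "__main__":
    # With a path argument, scan that tree; otherwise use the sample.
    entries = scan(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    for directory, counts in sorted(mass_hidden_dirs(entries).items()):
        print(f"{directory}: {counts['hidden-only']} hidden-only, "
              f"{counts['visible']} visible, "
              f"{counts['hidden+system']} hidden+system")
```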
     
  5. Evangelical

    Evangelical TS Rookie Topic Starter Posts: 16

    Unhide worked

    dds log1:
    .
    DDS (Ver_2011-06-12.02) - NTFSx86
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
    Run by JMiller at 9:59:28 on 2011-06-13
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2037.1124 [GMT -4:00]
    .
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\mfevtps.exe
    C:\Program Files\The Library Corporation\Library.Solution\TLCService\TLCService.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\McAfee\Common Framework\udaterui.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\McAfee\Common Framework\McTray.exe
    C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\McAfee\VirusScan Enterprise\MCUPDATE.EXE
    C:\Program Files\McAfee\Common Framework\McScript_InUse.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=0080605
    uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us-smb
    uDefault_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=0080605
    uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us-smb
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us-smb
    BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110609124133.dll
    BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [Alcmtr] ALCMTR.EXE
    mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
    mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
    mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [BrStsWnd] c:\program files\brownie\BrstsWnd.exe Autorun
    mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
    mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
    dRunOnce: [RunNarrator] Narrator.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
    DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1214856050218
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
    DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    TCP: DhcpNameServer = 10.1.7.254
    TCP: Interfaces\{FAEAEE90-4D6D-4ED5-8257-848B44ABB6DC} : DhcpNameServer = 10.1.7.254
    Notify: igfxcui - igfxdev.dll
    AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\jmiller\application data\mozilla\firefox\profiles\j92djc0l.default\
    FF - prefs.js: browser.startup.homepage - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-US:official
    FF - component: c:\program files\mozilla firefox\distribution\bundles\{d19ca586-dd6c-4a0a-96f8-14644f340d60}\components\scriptff.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2011-6-9 436728]
    R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2011-6-9 88544]
    R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2011-1-12 120128]
    R2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2011-6-9 159320]
    R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2011-1-12 209760]
    R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-6-9 145936]
    R2 TLCService;TLC Automatic Client Update Service;c:\program files\the library corporation\library.solution\tlcservice\TLCService.exe [2008-9-4 69632]
    R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-6-9 171296]
    R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2011-6-9 58456]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-6-9 39984]
    S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-6-9 85152]
    .
    =============== Created Last 30 ================
    .
    2011-06-09 17:08:57 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-06-09 17:08:52 -------- d-----w- c:\program files\Anti-Malware
    2011-06-09 17:04:45 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-06-09 16:46:41 476904 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    2011-06-09 16:46:40 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-06-09 16:42:48 -------- d-----w- c:\documents and settings\jmiller\application data\McAfee
    2011-06-09 16:41:37 74848 ----a-w- c:\windows\system32\MfeOtlkAddin.dll
    2011-06-09 16:41:33 24376 ----a-w- c:\program files\mozilla firefox\distribution\bundles\{d19ca586-dd6c-4a0a-96f8-14644f340d60}\components\scriptff.dll
    2011-06-09 16:41:30 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
    2011-06-09 16:41:30 85152 ----a-w- c:\windows\system32\drivers\mferkdet.sys
    2011-06-09 16:41:30 58456 ----a-w- c:\windows\system32\drivers\mfebopk.sys
    2011-06-09 16:41:30 171296 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
    2011-06-09 16:41:30 116104 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
    2011-06-09 16:41:28 436728 ----a-w- c:\windows\system32\drivers\mfehidk.sys
    2011-06-09 16:41:17 88544 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
    2011-06-09 16:41:17 145936 ----a-w- c:\windows\system32\mfevtps.exe
    2011-05-27 16:16:41 -------- d-----w- c:\documents and settings\jmiller\application data\Malwarebytes
    .
    ==================== Find3M ====================
    .
    2011-06-09 16:39:39 22816 ----a-w- c:\windows\system32\MFEOtlk.dll
    2011-05-04 06:25:49 73728 ----a-w- c:\windows\system32\javacpl.cpl
    .
    ============= FINISH: 9:59:57.94 ===============


    dds log2:
    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-06-12.02)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume2
    Install Date: 6/30/2008 1:54:04 PM
    System Uptime: 6/13/2011 9:51:12 AM (0 hours ago)
    .
    Motherboard: Dell Inc. | | 0CU409
    Processor: Intel(R) Pentium(R) Dual CPU E2160 @ 1.80GHz | Socket 775 | 1795/200mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 149 GiB total, 129.452 GiB free.
    D: is CDROM ()
    M: is NetworkDisk (NTFS) - 847 GiB total, 729.385 GiB free.
    P: is NetworkDisk (NTFS) - 847 GiB total, 729.385 GiB free.
    S: is NetworkDisk (NTFS) - 847 GiB total, 729.385 GiB free.
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP531: 3/14/2011 11:52:32 AM - System Checkpoint
    RP532: 3/16/2011 9:29:28 AM - System Checkpoint
    RP533: 3/16/2011 12:25:25 PM - Software Distribution Service 3.0
    RP534: 3/18/2011 8:56:23 AM - System Checkpoint
    RP535: 3/22/2011 8:42:26 AM - System Checkpoint
    RP536: 3/24/2011 10:03:33 AM - System Checkpoint
    RP537: 3/24/2011 12:01:57 PM - Software Distribution Service 3.0
    RP538: 3/28/2011 10:08:31 AM - System Checkpoint
    RP539: 3/29/2011 11:34:00 AM - System Checkpoint
    RP540: 3/31/2011 10:05:23 AM - System Checkpoint
    RP541: 4/1/2011 10:47:59 AM - System Checkpoint
    RP542: 4/4/2011 10:14:06 AM - System Checkpoint
    RP543: 4/5/2011 10:16:25 AM - System Checkpoint
    RP544: 4/6/2011 11:06:30 AM - System Checkpoint
    RP545: 4/8/2011 9:00:17 AM - System Checkpoint
    RP546: 4/11/2011 9:01:43 AM - System Checkpoint
    RP547: 4/12/2011 11:26:59 AM - System Checkpoint
    RP548: 4/14/2011 8:35:53 AM - System Checkpoint
    RP549: 4/18/2011 11:55:14 AM - System Checkpoint
    RP550: 4/18/2011 12:04:33 PM - Software Distribution Service 3.0
    RP551: 4/20/2011 10:45:00 AM - System Checkpoint
    RP552: 4/21/2011 11:24:15 AM - System Checkpoint
    RP553: 4/26/2011 10:00:23 AM - System Checkpoint
    RP554: 4/27/2011 12:07:59 PM - Software Distribution Service 3.0
    RP555: 5/3/2011 8:49:32 AM - System Checkpoint
    RP556: 5/4/2011 9:00:24 AM - System Checkpoint
    RP557: 5/5/2011 12:06:14 PM - System Checkpoint
    RP558: 5/9/2011 9:15:00 AM - System Checkpoint
    RP559: 5/11/2011 9:00:17 AM - System Checkpoint
    RP560: 5/11/2011 12:12:48 PM - Software Distribution Service 3.0
    RP561: 5/13/2011 10:05:46 AM - System Checkpoint
    RP562: 5/16/2011 8:49:13 AM - System Checkpoint
    RP563: 5/17/2011 11:24:53 AM - System Checkpoint
    RP564: 5/19/2011 9:40:20 AM - System Checkpoint
    RP565: 5/20/2011 11:23:13 AM - System Checkpoint
    RP566: 5/23/2011 10:34:30 AM - System Checkpoint
    RP567: 5/24/2011 11:13:03 AM - System Checkpoint
    RP568: 5/26/2011 10:00:31 AM - System Checkpoint
    RP569: 5/27/2011 11:18:08 AM - System Checkpoint
    RP570: 5/27/2011 12:23:10 PM - Removed Ad-Aware
    RP571: 5/31/2011 12:00:58 PM - System Checkpoint
    RP572: 6/2/2011 9:22:54 AM - System Checkpoint
    RP573: 6/8/2011 11:36:18 AM - System Checkpoint
    RP574: 6/9/2011 12:40:22 PM - Removed McAfee VirusScan Enterprise
    RP575: 6/9/2011 12:40:51 PM - Installed McAfee VirusScan Enterprise.
    RP576: 6/9/2011 12:43:54 PM - Installed Java(TM) 6 Update 26
    .
    ==== Installed Programs ======================
    .
    Library.Solution Client
    Adobe Flash Player 10 Plugin
    Adobe Flash Player ActiveX
    Brother HL-5340D
    Browser Address Error Redirector
    CCleaner
    Compatibility Pack for the 2007 Office system
    CutePDF Writer 2.7
    Dell Driver Reset Tool
    Dell Support Center
    Foxit Reader
    Google Desktop
    Google Toolbar for Internet Explorer
    High Definition Audio Driver Package - KB835221
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    Intel(R) Graphics Media Accelerator Driver
    Intel(R) PRO Network Connections 12.1.8.0
    J2SE Runtime Environment 5.0 Update 6
    Java Auto Updater
    Java(TM) 6 Update 26
    Java(TM) 6 Update 5
    Java(TM) 6 Update 7
    Malwarebytes' Anti-Malware version 1.51.0.1200
    McAfee Agent
    McAfee VirusScan Enterprise
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2416447)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office Professional Edition 2003
    Mozilla Firefox (3.6.10)
    Mozilla Thunderbird (3.1.10)
    MSXML 6 Service Pack 2 (KB954459)
    NETGEAR Print Server Software
    NICI (Shared) U.S./Worldwide (128 bit) (2.7.4-1)
    OGA Notifier 2.0.0048.0
    PowerDVD
    Realtek High Definition Audio Driver
    Roxio Activation Module
    Roxio Creator Audio
    Roxio Creator BDAV Plugin
    Roxio Creator Copy
    Roxio Creator Data
    Roxio Creator DE
    Roxio Creator Tools
    Roxio Drag-to-Disc
    Roxio Express Labeler 3
    Roxio Update Manager
    SearchAssist
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 7 (KB969897)
    Security Update for Windows Internet Explorer 7 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB2183461)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB2416400)
    Security Update for Windows Internet Explorer 8 (KB2482017)
    Security Update for Windows Internet Explorer 8 (KB2497640)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB974455)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player (KB979402)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows Media Player 9 (KB936782)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2412687)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476687)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479628)
    Security Update for Windows XP (KB2479943)
    Security Update for Windows XP (KB2481109)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485376)
    Security Update for Windows XP (KB2485663)
    Security Update for Windows XP (KB2491683)
    Security Update for Windows XP (KB2503658)
    Security Update for Windows XP (KB2506212)
    Security Update for Windows XP (KB2506223)
    Security Update for Windows XP (KB2507618)
    Security Update for Windows XP (KB2508272)
    Security Update for Windows XP (KB2508429)
    Security Update for Windows XP (KB2509553)
    Security Update for Windows XP (KB2511455)
    Security Update for Windows XP (KB2524375)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950759)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165-v2)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    Sonic CinePlayer Decoder Pack
    UltimateDefrag V1 FREE Public Domain Version
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 8 (KB972636)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB976749)
    Update for Windows Internet Explorer 8 (KB980182)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971029)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    WebFldrs XP
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Installer 3.1 (KB893803)
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Live OneCare safety scanner
    Windows XP Service Pack 3
    .
    ==== Event Viewer Messages From Past Week ========
    .
    6/9/2011 12:51:29 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
    6/9/2011 12:51:27 PM, error: Service Control Manager [7034] - The TLC Automatic Client Update Service service terminated unexpectedly. It has done this 1 time(s).
    6/9/2011 12:41:30 PM, error: Service Control Manager [7000] - The McAfee McShield service failed to start due to the following error: The system cannot find the file specified.
    6/6/2011 8:27:45 AM, error: NETLOGON [5776] - Failed to create/open file \system32\config\netlogon.ftl with the following error: Access is denied.
    .
    ==== End Of File ===========================

    Malwarebytes log:

    Malwarebytes' Anti-Malware 1.51.0.1200
    www.malwarebytes.org

    Database version: 6850

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    6/13/2011 5:26:12 PM
    mbam-log-2011-06-13 (17-26-12).txt

    Scan type: Quick scan
    Objects scanned: 179508
    Time elapsed: 6 minute(s), 40 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    So far, I'm not seeing malware entries. But I will have you run 2 more scans that will help identify them.
    ====================================
    Some Housekeeping first:
    1. Outdated Java. Unfortunately, Java doesn't overwrite the previous versions and they are vulnerabilities on the system. You do have the current v6u26, but you also have v6u5, v6u6 and v6u7 on the operating system. The easiest way to remove all of them and any related files is to run the following: Do not leave this log!

    Please download JavaRa and unzip it to your desktop.

    Important!***Please close any instances of Internet Explorer before continuing!***
    • Double-click on JavaRa.exe to start the program.
    • From the drop-down menu, choose English and click on Select.
    • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
    • Click Yes when prompted. When JavaRa is done, a notice will appear that
      a logfile has been produced. Click OK.
    • A logfile will pop up. Please save it to a convenient location.
    I do not want this log!
    Then download and install the most current version and update of Java Runtime
    Environment (JRE)
    HERE.
    You will have to reinstall v6u26 using the link above.

    You have more versions of Java in Firefox: You do not need to add a separate extension for Java in Firefox. The update to the OS covers Firefox also:

    Remove outdated Java plugin files from the Firefox plugins folder:
    Note: It is recommended that you do not copy Java plugins from other locations to the Firefox plugins folder. Outdated Java plugins can cause Java not to work if you update Java and then uninstall the older Java version, if plugins from the old Java version are still in the Firefox plugins folder.
    1. Open Firefox> Tools> Add-ons. The Add-ons window will open.
    2. In the Add-ons window> select the Plugins panel, to display a list of installed plugins.
    3. Select each Java plugin listed to make sure that all are enabled.
    4. Check if the Java plugins are correctly detected. All Java plugins listed in the Add-ons window should match the version number of the currently installed JRE. There should be no plugins for earlier versions of Java.
    5. Java plugin files that do not match your current version means that the Firefox plugins folder contains outdated Java plugin files which should be removed. This folder is typically in the following location: Use Windows Explorer to access> My Computer> Local Drive> Programs>>>
    C:\Program Files\Mozilla Firefox\plugins
    Java files from older versions in the Firefox plugins folder can prevent Java from working correctly.
    The following Java versions are in Firefox: v6u7,u11,u13,u15,u17,u26 (u26 is the current version but it does not need to be in Firefox.) Usually, JavaRa does not remove the Java in Firefox.
    =================================
    When you have finished the removals and update, check Add/Remove Programs for Java- the only entry should be for Java v6u26
    ==================================
    I'd like you to do the following 2 scans. We need to see if malware has caused the 'disappearance' of the contents of the C Drive.

    Please note: If you have Combofix on the desktop already, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
      [​IMG]
    • Click on Yes, to continue scanning for malware.
    • If Combofix asks you to update the program, allow.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in next reply.
    Re-enable your Antivirus software.

    Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    =================================
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESETOnlineScan
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      [o] Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
      [o] Double click on the [IMG] on your desktop.
    • Check 'Yes I accept terms of use.'
    • Click Start button
    • Accept any security warnings from your browser.
      [​IMG]
    • Uncheck 'Remove found threats'
    • Check 'Scan archives'
    • Leave remaining settings as is.
    • Press the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    • When the scan completes, press List of found threats
    • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    • Push the Back button
    • Push Finish

    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
     
  7. Evangelical

    Evangelical TS Rookie Topic Starter Posts: 16

    One issue I became aware of: Entries in Programs that are nested within folders are "empty". Unhide did not make these visible. Note - I ran Unhide with the virus scanner disabled (McAfee). Example - Microsoft Office.

    I am out of the area until Monday. I will run your recommended processes on Monday.

    Thanks.
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I have been having members run unhide.exe early on because it is very upsetting to wonder where all these files and folders have gone.

    But until all of the malware has been found and removed, all of these issues may not have been resolved. We'll look into this if it is still an issue when the system is clean.

    Thank you for letting me know you will be gone for a bit. I will leave a note for myself here:

    Leave open- out of town. will continue next week.
     
  9. Evangelical

    Evangelical TS Rookie Topic Starter Posts: 16

    Ran ComboFix. Running ESETOnlineScan overnight.

    Here is ComboFix log:

    ComboFix 11-06-21.05 - JMiller 06/21/2011 16:23:49.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2037.1472 [GMT -4:00]
    Running from: C:\Documents and Settings\jmiller\Desktop\ComboFix.exe


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\Documents and Settings\jmiller\Start Menu\Programs\Windows XP Recovery
    C:\Documents and Settings\jmiller\Start Menu\Programs\Windows XP Recovery\Uninstall Windows XP Recovery.lnk
    C:\Documents and Settings\jmiller\Start Menu\Programs\Windows XP Recovery\Windows XP Recovery.lnk
    C:\WINDOWS\kill.exe


    ((((((((((((((((((((((((( Files Created from 2011-05-21 to 2011-06-21 )))))))))))))))))))))))))))))))


    2011-06-20 14:03:06 . 2011-06-20 14:02:49 73728 ----a-w- C:\WINDOWS\system32\javacpl.cpl
    2011-06-20 12:24:23 . 2011-04-21 13:37:43 105472 ------w- C:\WINDOWS\system32\dllcache\mup.sys
    2011-06-09 17:08:57 . 2011-05-29 13:11:30 39984 ----a-w- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2011-06-09 17:08:52 . 2011-06-09 17:08:37 -------- d-----w- C:\Program Files\Anti-Malware
    2011-06-09 17:04:45 . 2011-05-29 13:11:20 22712 ----a-w- C:\WINDOWS\system32\drivers\mbam.sys
    2011-06-09 16:46:41 . 2011-06-20 14:02:51 476904 ----a-w- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
    2011-06-09 16:46:40 . 2011-06-20 14:02:49 472808 ----a-w- C:\WINDOWS\system32\deployJava1.dll
    2011-06-09 16:42:48 . 2011-06-09 16:42:48 -------- d-----w- C:\Documents and Settings\jmiller\Application Data\McAfee
    2011-06-09 16:41:37 . 2011-06-09 16:39:40 74848 ----a-w- C:\WINDOWS\system32\MfeOtlkAddin.dll
    2011-06-09 16:41:33 . 2011-06-09 16:39:42 24376 ----a-w- C:\Program Files\Mozilla Firefox\distribution\bundles\{D19CA586-DD6C-4a0a-96F8-14644F340D60}\components\scriptff.dll
    2011-06-09 16:41:30 . 2011-06-09 16:39:40 85152 ----a-w- C:\WINDOWS\system32\drivers\mferkdet.sys
    2011-06-09 16:41:30 . 2011-06-09 16:39:38 9344 ----a-w- C:\WINDOWS\system32\drivers\mfeclnk.sys
    2011-06-09 16:41:30 . 2011-06-09 16:39:38 58456 ----a-w- C:\WINDOWS\system32\drivers\mfebopk.sys
    2011-06-09 16:41:30 . 2011-06-09 16:39:37 171296 ----a-w- C:\WINDOWS\system32\drivers\mfeavfk.sys
    2011-06-09 16:41:30 . 2011-06-09 16:39:37 116104 ----a-w- C:\WINDOWS\system32\drivers\mfeapfk.sys
    2011-06-09 16:41:28 . 2011-06-09 16:39:39 436728 ----a-w- C:\WINDOWS\system32\drivers\mfehidk.sys
    2011-06-09 16:41:17 . 2011-06-09 16:39:41 145936 ----a-w- C:\WINDOWS\system32\mfevtps.exe
    2011-06-09 16:41:17 . 2011-06-09 16:39:40 88544 ----a-w- C:\WINDOWS\system32\drivers\mfetdi2k.sys
    2011-05-27 16:16:41 . 2011-05-27 16:16:41 -------- d-----w- C:\Documents and Settings\jmiller\Application Data\Malwarebytes
    2011-05-27 16:02:35 . 2011-05-27 16:02:35 -------- d-----w- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
    2011-05-27 15:53:07 . 2011-05-27 15:53:07 -------- d-sh--w- C:\Documents and Settings\Administrator\IECompatCache
    2011-05-27 15:52:17 . 2011-05-27 15:52:17 -------- d-sh--w- C:\Documents and Settings\Administrator\PrivacIE
    2011-05-27 15:32:44 . 2011-05-27 15:32:44 -------- d-sh--w- C:\Documents and Settings\Administrator\IETldCache
    .


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2011-06-09 16:39:39 . 2008-09-29 13:07:00 22816 ----a-w- C:\WINDOWS\system32\MFEOtlk.dll
    2011-05-02 15:31:52 . 2004-08-11 22:12:51 692736 ----a-w- C:\WINDOWS\system32\inetcomm.dll
    2011-04-29 16:19:43 . 2004-08-11 22:00:20 456320 ----a-w- C:\WINDOWS\system32\drivers\mrxsmb.sys
    2011-04-25 16:11:12 . 2004-08-11 22:00:37 916480 ----a-w- C:\WINDOWS\system32\wininet.dll
    2011-04-25 16:11:11 . 2004-08-11 22:00:18 43520 ----a-w- C:\WINDOWS\system32\licmgr10.dll
    2011-04-25 16:11:11 . 2004-08-11 22:00:17 1469440 ------w- C:\WINDOWS\system32\inetcpl.cpl
    2011-04-25 12:01:22 . 2004-08-11 22:00:16 385024 ----a-w- C:\WINDOWS\system32\html.iec
    2011-04-21 13:37:43 . 2004-08-11 22:00:23 105472 ----a-w- C:\WINDOWS\system32\drivers\mup.sys


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 09:40:32 218032]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-06-14 00:21:12 142104]
    "HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-06-14 00:21:02 162584]
    "Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-06-14 00:21:04 138008]
    "RTHDCPL"="RTHDCPL.EXE" [2007-06-14 01:41:42 16132608]
    "Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-06-05 05:02:31 29744]
    "dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 17:44:42 16384]
    "PDVDDXSrv"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-02-26 15:57:28 128296]
    "BrStsWnd"="C:\Program Files\Brownie\BrstsWnd.exe" [2009-08-19 19:41:26 3618104]
    "McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\udaterui.exe" [2011-01-12 20:05:00 161088]
    "ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2011-01-13 00:52:12 215360]
    "SunJavaUpdateSched"="C:\Program Files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 16:59:52 254696]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" [2008-04-14 00:12:29 53760]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
    "C:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
    "C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
    "C:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

    R1 mfetdi2k;McAfee Inc. mfetdi2k;C:\WINDOWS\system32\drivers\mfetdi2k.sys [6/9/2011 12:41:17 PM 88544]
    R2 mfevtp;McAfee Validation Trust Protection Service;C:\WINDOWS\system32\mfevtps.exe [6/9/2011 12:41:17 PM 145936]
    R2 TLCService;TLC Automatic Client Update Service;C:\Program Files\The Library Corporation\Library.Solution\TLCService\TLCService.exe [9/4/2008 4:19:28 PM 69632]
    S3 mferkdet;McAfee Inc. mferkdet;C:\WINDOWS\system32\drivers\mferkdet.sys [6/9/2011 12:41:30 PM 85152]

    --- Other Services/Drivers In Memory ---

    *Deregistered* - mfeavfk01

    Contents of the 'Scheduled Tasks' folder

    2011-06-06 C:\WINDOWS\Tasks\CleanXP.job
    - C:\Utilities\CleanXP.bat [2008-06-30 19:07:46 . 2008-06-30 19:08:11]

    2011-06-21 C:\WINDOWS\Tasks\User_Feed_Synchronization-{AC1055A1-7369-44E5-AD00-B0D94A46520C}.job
    - C:\WINDOWS\system32\msfeedssync.exe [2007-08-13 22:36:40 . 2009-03-08 08:31:54]


    ------- Supplementary Scan -------

    uStart Page = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=0080605
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    TCP: DhcpNameServer = 10.1.7.254
    FF - ProfilePath - C:\Documents and Settings\jmiller\Application Data\Mozilla\Firefox\Profiles\j92djc0l.default\
    FF - prefs.js: browser.startup.homepage - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-US:official
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
    FF - Ext: Java Quick Starter: jqs@sun.com - C:\Program Files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
     
  10. Evangelical

    Evangelical TS Rookie Topic Starter Posts: 16

    Did not mention it but I did the Java removal and updates as you directed.
     
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome back! Please find the Combofix log and look for the following:

    In the header, there should be entries between these:
    Running from: C:\Documents and Settings\jmiller\Desktop\ComboFix.exe

    Information on status of the security programs is missing. Also possible section of 'Deletions' before 'Other Deletions'.
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

    At the end of Combofix there are several sections missing after this section> ------- Supplementary Scan ------- and the last line in it: FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}


    Please find this and re-post in its entirety: C:\ComboFix.txt in next reply.
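
The completeness check described in the post above (header status lines present, and the sections that should follow the Supplementary Scan) can be automated before a log is pasted. This is an added example, not part of the original thread or of ComboFix; the required-section list is an assumption taken from the complete logs posted in this thread, and both sample logs are constructed, abridged versions of them.

```python
import re

# Sections that the complete logs in this thread contain. Assumption: taken
# from those logs, not from ComboFix documentation. Deletion sections are left
# out because they only appear when something was removed.
REQUIRED = [
    "Files Created", "Find3M Report", "Reg Loading Points",
    "Supplementary Scan", "catchme", "DLLs Loaded Under Running Processes",
    "Completion time", "End Of File",
]

BANNER = re.compile(r"^\({5,}\s*(.+?)\s*\){5,}$")      # ((((( Title )))))
DASHED = re.compile(r"^-{3,}\s*([^-\s].*?)\s*-{3,}$")  # ----- Title -----

def _normalise(title):
    # "Files Created from 2011-05-21 to ..." -> "Files Created"
    # "SnapShot@2011-06-21_20.28.52"         -> "SnapShot"
    return re.split(r"\s+from\s+\d{4}-|@", title)[0].strip()

def parse_log(text):
    """Return the header status lines and the ordered section names of a log."""
    header_status, sections, in_header = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = BANNER.match(line) or DASHED.match(line)
        if m:
            in_header = False              # first banner ends the header
            sections.append(_normalise(m.group(1)))
        elif line.startswith("Running from:"):
            in_header = True               # status lines follow this line
        elif in_header and line.startswith("* "):
            header_status.append(line[2:])
        elif line.startswith("catchme "):
            sections.append("catchme")
        elif line.startswith("Completion time:"):
            sections.append("Completion time")
        elif line.startswith("- - End Of File - -"):
            sections.append("End Of File")
    return {"header_status": header_status, "sections": sections}

def review(text):
    """Report what a helper would ask for again: missing tail, missing header."""
    parsed = parse_log(text)
    missing = [s for s in REQUIRED if s not in parsed["sections"]]
    return {
        "header_status": parsed["header_status"],
        "missing_sections": missing,
        "complete": not missing and bool(parsed["header_status"]),
    }

# Constructed sample: shaped like the first, cut-off log in the thread.
TRUNCATED_LOG = r"""
ComboFix 11-06-21.05 - JMiller 06/21/2011 16:23:49.1.2 - x86
Running from: C:\Documents and Settings\jmiller\Desktop\ComboFix.exe

((((((((((((((( Other Deletions )))))))))))))))
C:\WINDOWS\kill.exe
((((((((( Files Created from 2011-05-21 to 2011-06-21 )))))))))
((((((((((((((( Find3M Report )))))))))))))))
((((((((((((((( Reg Loading Points )))))))))))))))
*Note* empty entries & legit default entries are not shown
--- Other Services/Drivers In Memory ---
*Deregistered* - mfeavfk01
------- Supplementary Scan -------
TCP: DhcpNameServer = 10.1.7.254
"""

# Constructed sample: shaped like a full log with header status lines.
COMPLETE_LOG = r"""
ComboFix 11-06-26.02 - jmiller 06/27/2011 9:47.3.2 - x86
Running from: c:\documents and settings\All Users\Desktop\Malware\ComboFix.exe
* Created a new restore point
* Resident AV is active
.
((((((((( Files Created from 2011-05-27 to 2011-06-27 )))))))))
((((((((((((((( Find3M Report )))))))))))))))
((((((((((((((( Reg Loading Points )))))))))))))))
------- Supplementary Scan -------
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer
scan completed successfully
**************************************************************************
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(708)
Completion time: 2011-06-22 09:01:03
- - End Of File - - (hash omitted)
"""

if __name__ == "__main__":
    for name, log in (("truncated", TRUNCATED_LOG), ("complete", COMPLETE_LOG)):
        print(name, review(log))
```
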
     
  12. Evangelical

    Evangelical TS Rookie Topic Starter Posts: 16

    Rescanned with Combofix. Entire log follows.

    ComboFix 11-06-21.08 - jmiller 06/22/2011 8:56.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2037.1426 [GMT -4:00]
    Running from: c:\documents and settings\jmiller\Desktop\ComboFix.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    ---- Previous Run -------
    .
    c:\documents and settings\jmiller\Start Menu\Programs\Windows XP Recovery\Uninstall Windows XP Recovery.lnk
    c:\documents and settings\jmiller\Start Menu\Programs\Windows XP Recovery\Windows XP Recovery.lnk
    c:\windows\kill.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-05-22 to 2011-06-22 )))))))))))))))))))))))))))))))
    .
    .
    2011-06-22 12:50 . 2011-06-22 12:50 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-06-22 12:49 . 2011-06-09 16:39 24376 ----a-w- c:\program files\Mozilla Firefox\distribution\bundles\{D19CA586-DD6C-4a0a-96F8-14644F340D60}\components\scriptff.dll
    2011-06-22 12:49 . 2011-06-16 04:17 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
    2011-06-22 12:49 . 2011-06-16 04:17 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
    2011-06-22 12:49 . 2011-06-16 04:17 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
    2011-06-22 12:49 . 2011-06-16 04:17 465880 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
    2011-06-22 12:49 . 2011-06-16 04:17 1850328 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
    2011-06-22 12:49 . 2011-06-16 04:17 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
    2011-06-22 12:49 . 2010-01-01 08:00 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
    2011-06-22 12:49 . 2010-01-01 08:00 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
    2011-06-21 20:38 . 2011-06-21 20:38 -------- d-----w- c:\program files\ESET
    2011-06-20 14:03 . 2011-06-20 14:02 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-06-20 12:24 . 2011-04-21 13:37 105472 ------w- c:\windows\system32\dllcache\mup.sys
    2011-06-09 17:08 . 2011-05-29 13:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-06-09 17:08 . 2011-06-09 17:08 -------- d-----w- c:\program files\Anti-Malware
    2011-06-09 17:04 . 2011-05-29 13:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-06-09 16:46 . 2011-06-20 14:02 476904 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    2011-06-09 16:46 . 2011-06-20 14:02 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-06-09 16:42 . 2011-06-09 16:42 -------- d-----w- c:\documents and settings\jmiller\Application Data\McAfee
    2011-06-09 16:41 . 2011-06-09 16:39 74848 ----a-w- c:\windows\system32\MfeOtlkAddin.dll
    2011-06-09 16:41 . 2011-06-09 16:39 85152 ----a-w- c:\windows\system32\drivers\mferkdet.sys
    2011-06-09 16:41 . 2011-06-09 16:39 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
    2011-06-09 16:41 . 2011-06-09 16:39 58456 ----a-w- c:\windows\system32\drivers\mfebopk.sys
    2011-06-09 16:41 . 2011-06-09 16:39 171296 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
    2011-06-09 16:41 . 2011-06-09 16:39 116104 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
    2011-06-09 16:41 . 2011-06-09 16:39 436728 ----a-w- c:\windows\system32\drivers\mfehidk.sys
    2011-06-09 16:41 . 2011-06-09 16:39 145936 ----a-w- c:\windows\system32\mfevtps.exe
    2011-06-09 16:41 . 2011-06-09 16:39 88544 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
    2011-05-27 16:16 . 2011-05-27 16:16 -------- d-----w- c:\documents and settings\jmiller\Application Data\Malwarebytes
    2011-05-27 16:02 . 2011-05-27 16:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2011-05-27 15:53 . 2011-05-27 15:53 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
    2011-05-27 15:52 . 2011-05-27 15:52 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
    2011-05-27 15:32 . 2011-05-27 15:32 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-06-09 16:39 . 2008-09-29 13:07 22816 ----a-w- c:\windows\system32\MFEOtlk.dll
    2011-05-02 15:31 . 2004-08-11 22:12 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-04-29 16:19 . 2004-08-11 22:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-04-25 16:11 . 2004-08-11 22:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-04-25 16:11 . 2004-08-11 22:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-04-25 16:11 . 2004-08-11 22:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2011-04-25 12:01 . 2004-08-11 22:00 385024 ----a-w- c:\windows\system32\html.iec
    2011-04-21 13:37 . 2004-08-11 22:00 105472 ----a-w- c:\windows\system32\drivers\mup.sys
    2011-06-16 04:17 . 2011-06-22 12:49 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-06-21_20.28.52 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-06-21 20:55 . 2011-06-21 20:55 16384 c:\windows\Temp\Perflib_Perfdata_6e8.dat
    + 2011-06-22 12:50 . 2011-06-22 12:50 240288 c:\windows\system32\Macromed\Flash\FlashUtil10t_Plugin.exe
    + 2008-10-05 03:24 . 2011-06-22 12:50 6271136 c:\windows\system32\Macromed\Flash\NPSWF32.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-14 142104]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-14 162584]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-14 138008]
    "RTHDCPL"="RTHDCPL.EXE" [2007-06-14 16132608]
    "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-06-05 29744]
    "dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
    "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-02-26 128296]
    "BrStsWnd"="c:\program files\Brownie\BrstsWnd.exe" [2009-08-19 3618104]
    "McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2011-01-12 161088]
    "ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2011-01-13 215360]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" [2008-04-14 53760]
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
    "c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
    "c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
    "c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    .
    R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [6/9/2011 12:41 PM 88544]
    R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [6/9/2011 12:41 PM 145936]
    S2 TLCService;TLC Automatic Client Update Service;c:\program files\The Library Corporation\Library.Solution\TLCService\TLCService.exe [9/4/2008 4:19 PM 69632]
    S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [6/9/2011 12:41 PM 85152]
    .
    --- Other Services/Drivers In Memory ---
    .
    *Deregistered* - mfeavfk01
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-06-06 c:\windows\Tasks\CleanXP.job
    - c:\utilities\CleanXP.bat [2008-06-30 19:08]
    .
    2011-06-22 c:\windows\Tasks\User_Feed_Synchronization-{AC1055A1-7369-44E5-AD00-B0D94A46520C}.job
    - c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=0080605
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    TCP: DhcpNameServer = 10.1.7.254
    FF - ProfilePath - c:\documents and settings\jmiller\Application Data\Mozilla\Firefox\Profiles\j92djc0l.default\
    FF - prefs.js: browser.startup.homepage - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-US:official
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-06-22 08:59
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(756)
    c:\windows\system32\igfxdev.dll
    .
    - - - - - - - > 'explorer.exe'(708)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\program files\McAfee\Common Framework\McTrayLegacySupportPlugin.dll
    c:\program files\McAfee\Common Framework\McTrayInterfaceLib.dll
    c:\program files\McAfee\Common Framework\McAfeeWin32GUISupportDLL.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
    c:\windows\system32\webcheck.dll
    .
    Completion time: 2011-06-22 09:01:03
    ComboFix-quarantined-files.txt 2011-06-22 13:01
    .
    Pre-Run: 138,530,906,112 bytes free
    Post-Run: 138,516,209,664 bytes free
    .
    - - End Of File - - 1A90FA842123E5B19CF23B8835CCE326
     
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please advise me of the lines in the Combofix header which tell me if the security was disabled,

     
  14. Evangelical

    Evangelical TS Rookie Topic Starter Posts: 16

    Entire ComboFix log follows:
    If sections are missing, I do not know what to do to get ComboFix log to display them.

    ComboFix 11-06-26.02 - jmiller 06/27/2011 9:47.3.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2037.1527 [GMT -4:00]
    Running from: c:\documents and settings\All Users\Desktop\Malware\ComboFix.exe
    * Created a new restore point
    * Resident AV is active
    .
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-05-27 to 2011-06-27 )))))))))))))))))))))))))))))))
    .
    .
    2011-06-22 12:50 . 2011-06-22 12:50 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-06-22 12:49 . 2011-06-09 16:39 24376 ----a-w- c:\program files\Mozilla Firefox\distribution\bundles\{D19CA586-DD6C-4a0a-96F8-14644F340D60}\components\scriptff.dll
    2011-06-22 12:49 . 2011-06-16 04:17 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
    2011-06-22 12:49 . 2011-06-16 04:17 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
    2011-06-22 12:49 . 2011-06-16 04:17 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
    2011-06-22 12:49 . 2011-06-16 04:17 465880 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
    2011-06-22 12:49 . 2011-06-16 04:17 1850328 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
    2011-06-22 12:49 . 2011-06-16 04:17 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
    2011-06-22 12:49 . 2010-01-01 08:00 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
    2011-06-22 12:49 . 2010-01-01 08:00 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
    2011-06-20 14:03 . 2011-06-20 14:02 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2011-06-20 12:24 . 2011-04-21 13:37 105472 ------w- c:\windows\system32\dllcache\mup.sys
    2011-06-09 17:08 . 2011-05-29 13:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-06-09 17:08 . 2011-06-09 17:08 -------- d-----w- c:\program files\Anti-Malware
    2011-06-09 17:04 . 2011-05-29 13:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-06-09 16:46 . 2011-06-20 14:02 476904 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    2011-06-09 16:46 . 2011-06-20 14:02 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-06-09 16:42 . 2011-06-09 16:42 -------- d-----w- c:\documents and settings\jmiller\Application Data\McAfee
    2011-06-09 16:41 . 2011-06-09 16:39 74848 ----a-w- c:\windows\system32\MfeOtlkAddin.dll
    2011-06-09 16:41 . 2011-06-09 16:39 85152 ----a-w- c:\windows\system32\drivers\mferkdet.sys
    2011-06-09 16:41 . 2011-06-09 16:39 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
    2011-06-09 16:41 . 2011-06-09 16:39 58456 ----a-w- c:\windows\system32\drivers\mfebopk.sys
    2011-06-09 16:41 . 2011-06-09 16:39 171296 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
    2011-06-09 16:41 . 2011-06-09 16:39 116104 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
    2011-06-09 16:41 . 2011-06-09 16:39 436728 ----a-w- c:\windows\system32\drivers\mfehidk.sys
    2011-06-09 16:41 . 2011-06-09 16:39 145936 ----a-w- c:\windows\system32\mfevtps.exe
    2011-06-09 16:41 . 2011-06-09 16:39 88544 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-06-09 16:39 . 2008-09-29 13:07 22816 ----a-w- c:\windows\system32\MFEOtlk.dll
    2011-05-02 15:31 . 2004-08-11 22:12 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-04-29 16:19 . 2004-08-11 22:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-04-25 16:11 . 2004-08-11 22:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-04-25 16:11 . 2004-08-11 22:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-04-25 16:11 . 2004-08-11 22:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2011-04-25 12:01 . 2004-08-11 22:00 385024 ----a-w- c:\windows\system32\html.iec
    2011-04-21 13:37 . 2004-08-11 22:00 105472 ----a-w- c:\windows\system32\drivers\mup.sys
    2011-06-16 04:17 . 2011-06-22 12:49 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-06-21_20.28.52 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-06-23 12:18 . 2011-06-23 12:18 1657856 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationUI\148505f5b0307230de5d355f10d30a20\PresentationUI.ni.dll
    + 2011-06-23 12:17 . 2011-06-23 12:17 1451008 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationBuildTa#\1fab86af683c04bdb0aaf65ce7fcd9e5\PresentationBuildTasks.ni.dll
    + 2011-06-23 13:17 . 2011-06-23 13:17 1712128 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\7292ca9d793cb71cf3d41ae663e7139b\Microsoft.VisualBasic.ni.dll
    + 2011-06-23 13:17 . 2011-06-23 13:17 1093120 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Transacti#\abaf7a180354ed5ec099fb69339b538a\Microsoft.Transactions.Bridge.ni.dll
    + 2011-06-23 13:18 . 2011-06-23 13:18 2332160 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.JScript\b41db9f2897f538203911026bb0abd5d\Microsoft.JScript.ni.dll
    + 2011-06-23 13:17 . 2011-06-23 13:17 1966080 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Tas#\a91940f9033c7910f3f64c061571cec9\Microsoft.Build.Tasks.v3.5.ni.dll
    + 2011-06-23 13:17 . 2011-06-23 13:17 1620992 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Tas#\5195a94327ccef45d202776e932e847b\Microsoft.Build.Tasks.ni.dll
    + 2011-06-23 13:17 . 2011-06-23 13:17 1888768 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Eng#\3efbca53acdd34586bd7f6f87e71ed62\Microsoft.Build.Engine.ni.dll
    + 2011-06-22 15:53 . 2011-06-22 15:53 3182592 c:\windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
    - 2011-04-18 16:10 . 2011-04-18 16:10 3182592 c:\windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
    + 2011-06-22 15:53 . 2011-06-22 15:53 2048000 c:\windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
    - 2011-04-18 16:10 . 2011-04-18 16:10 2048000 c:\windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
    - 2011-04-18 16:10 . 2011-04-18 16:10 5025792 c:\windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
    + 2011-06-22 15:52 . 2011-06-22 15:52 5025792 c:\windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
    - 2011-04-18 16:10 . 2011-04-18 16:10 5062656 c:\windows\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll
    + 2011-06-22 15:52 . 2011-06-22 15:52 5062656 c:\windows\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll
    + 2011-06-22 15:52 . 2011-06-22 15:52 5242880 c:\windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
    - 2011-04-18 16:10 . 2011-04-18 16:10 5242880 c:\windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
    + 2011-06-22 15:53 . 2011-06-22 15:53 2933248 c:\windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
    - 2011-04-18 16:10 . 2011-04-18 16:10 2933248 c:\windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
    - 2011-04-18 16:10 . 2011-04-18 16:10 4550656 c:\windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
    + 2011-06-22 15:53 . 2011-06-22 15:53 4550656 c:\windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
    + 2011-03-28 07:27 . 2011-03-28 07:27 15456256 c:\windows\Installer\40e18a1.msp
    + 2011-06-23 12:19 . 2011-06-23 12:19 12430848 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\29d16d2f164fe2263539789ecd0d9d4f\System.Windows.Forms.ni.dll
    + 2011-06-23 13:19 . 2011-06-23 13:19 11800576 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web\1fb5d8788c9a9a7f44e2d0fa19c62729\System.Web.ni.dll
    + 2011-06-23 13:17 . 2011-06-23 13:17 17403904 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceModel\23abc8e4b535b9cd9c5560266c655ac2\System.ServiceModel.ni.dll
    + 2011-06-23 12:19 . 2011-06-23 12:19 10683392 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Design\ee914f59ad8211e0b6734dccffd9986e\System.Design.ni.dll
    + 2011-06-23 12:18 . 2011-06-23 12:18 14328320 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\999df2b262da53356dda514512bb7bb8\PresentationFramework.ni.dll
    + 2011-06-23 12:17 . 2011-06-23 12:17 12215808 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationCore\caafa254739e326b0cf55eed815b4333\PresentationCore.ni.dll
    + 2011-06-23 12:16 . 2011-06-23 12:16 11490816 c:\windows\assembly\NativeImages_v2.0.50727_32\mscorlib\0309936a8e1672d39b9cf14463ce69f9\mscorlib.ni.dll
    .
    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-14 142104]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-14 162584]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-14 138008]
    "RTHDCPL"="RTHDCPL.EXE" [2007-06-14 16132608]
    "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-06-05 29744]
    "dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
    "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-02-26 128296]
    "BrStsWnd"="c:\program files\Brownie\BrstsWnd.exe" [2009-08-19 3618104]
    "McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2011-01-12 161088]
    "ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2011-01-13 215360]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" [2008-04-14 53760]
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
    "c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
    "c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
    "c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    .
    R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [6/9/2011 12:41 PM 88544]
    R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [6/9/2011 12:41 PM 145936]
    S2 TLCService;TLC Automatic Client Update Service;c:\program files\The Library Corporation\Library.Solution\TLCService\TLCService.exe [9/4/2008 4:19 PM 69632]
    S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [6/9/2011 12:41 PM 85152]
    .
    --- Other Services/Drivers In Memory ---
    .
    *Deregistered* - mfeavfk01
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-06-06 c:\windows\Tasks\CleanXP.job
    - c:\utilities\CleanXP.bat [2008-06-30 19:08]
    .
    2011-06-27 c:\windows\Tasks\User_Feed_Synchronization-{AC1055A1-7369-44E5-AD00-B0D94A46520C}.job
    - c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=0080605
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    TCP: DhcpNameServer = 10.1.7.254
    FF - ProfilePath - c:\documents and settings\jmiller\Application Data\Mozilla\Firefox\Profiles\j92djc0l.default\
    FF - prefs.js: browser.startup.homepage - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-US:official
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-06-27 09:55
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(3748)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\program files\McAfee\Common Framework\McTrayLegacySupportPlugin.dll
    c:\program files\McAfee\Common Framework\McTrayInterfaceLib.dll
    c:\program files\McAfee\Common Framework\McAfeeWin32GUISupportDLL.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
    c:\windows\system32\webcheck.dll
    .
    Completion time: 2011-06-27 09:56:29
    ComboFix-quarantined-files.txt 2011-06-27 13:56
    .
    Pre-Run: 138,016,137,216 bytes free
    Post-Run: 138,135,531,520 bytes free
    .
    - - End Of File - - BCE09EDD3F48F1DAD816020211C5FEBA
     
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    When you began the thread, you said: "Hard dive contents are invisible. Program list is empty."

    After I had you run unhide.exe you said "Unhide worked."

    You now tell me that the contents of Programs are "empty- unhide did not make them visable."
    1.) What did Unhide restore when you ran it previously?
    =============================================
    Windows XP Recovery shows removed from jmiller\Start Menu\Programs in Combofix 6/21, and it also removed kill.exe. The description of this file is: it shuts down all background processes that you can't normally close due to an error reading "access denied. the file is in use by another application."
    2.) Did you run one of the 'kill' programs? Which one? When? Are you jmiller?
    =============================================
    Scheduled tasks:
    2011-06-06 C:\WINDOWS\Tasks\CleanXP.job
    - C:\Utilities\CleanXP.bat [2008-06-30 19:07:46 . 2008-06-30 19:08:11]
    3.) What has been set up in this?
    ==================================
    The registry entry for authorized applications in the firewall is not showing correctly. The only apps listed are:
    4.) Please check the firewall settings exceptions setting and make sure you haven't blocked necessary processes.
    =====================================
    This scheduled task concerns me: 2011-06-06 c:\windows\Tasks\CleanXP.job
    - c:\utilities\CleanXP.bat [2008-06-30 19:08]
    5.) What has been set up in this?
    =============================================
    I just noticed this from 2008:
    R2 TLCService;TLC Automatic Client Update Service;c:\program files\the library corporation\library.solution\tlcservice\TLCService.exe [2008-9-4 69632]

    "The Lively Computer, a full service computer dealer for the animator and professional videographer."
    6.) Are you still using this?
    =============================================
    Regarding this entry:
    2011-06-09 16:41:33 24376 ----a-w- c:\program files\mozilla firefox\distribution\bundles\{d19ca586-dd6c-4a0a-96f8-14644f340d60}\components\scriptff.dll
    7.) Is this what it is?
    [​IMG]
    ============================================
    8.) I'd like you to do a search in the system for any one of the programs whose folder is 'empty.' When the program entries are found, look to the right for the location. If your program does not come up at all in the search:
    Control Panel> Folder Options> View tab> Check 'show hidden files and folders'> Uncheck 'hide system files (Recommended)'. Then search again.

    If you do have to view the hidden files and folders, be sure to go back and rehide them.

    Let me know.
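
An added example, not part of the original posts and not ComboFix's own code: a Python parser for the three autostart listings this reply asks about (Run values, service lines, scheduled tasks), attaching review hints to each entry. The flag names, the directory baseline and the reading of `S2` as a stopped auto-start service are assumptions of this example; the sample log is constructed from lines in the thread.

```python
import re

# Constructed sample, shaped like the ComboFix log lines quoted in this thread.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-14 142104]
"RTHDCPL"="RTHDCPL.EXE" [2007-06-14 16132608]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [6/9/2011 12:41 PM 145936]
S2 TLCService;TLC Automatic Client Update Service;c:\program files\The Library Corporation\Library.Solution\TLCService\TLCService.exe [9/4/2008 4:19 PM 69632]
Contents of the 'Scheduled Tasks' folder
2011-06-06 c:\windows\Tasks\CleanXP.job
- c:\utilities\CleanXP.bat [2008-06-30 19:08]
'''

RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)"')
SVC_RE = re.compile(r'^(?P<code>[RS][0-4]) (?P<name>[^;]+);[^;]*;(?P<target>.+?) \[')
JOB_RE = re.compile(r'^\d{4}-\d{2}-\d{2} (?P<job>.+\.job)$')
TASK_RE = re.compile(r'^- (?P<target>.+?) \[')
# Assumption: anything outside these directories deserves a second look.
STANDARD_DIRS = ("c:\\windows\\", "c:\\program files\\")

def flags_for(target, code=""):
    """Return review hints for one autostart target (hints, not verdicts)."""
    t, flags = target.lower(), []
    if "\\" not in t:
        flags.append("no-full-path")        # resolved via search path at launch
    elif not t.startswith(STANDARD_DIRS):
        flags.append("nonstandard-dir")
    if t.endswith((".bat", ".cmd", ".vbs", ".js")):
        flags.append("script")
    if code == "S2":                        # assumed notation: stopped + auto-start
        flags.append("auto-start-not-running")
    return flags

def parse_autostarts(log):
    """Return (kind, name, target, flags) for Run values, services and tasks."""
    entries, key, job = [], "", None
    for line in (raw.strip() for raw in log.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()        # remember the current registry key
        elif (m := RUN_RE.match(line)) and key.rsplit("\\", 1)[-1] in ("run", "runonce"):
            entries.append(("run", m["name"], m["target"], flags_for(m["target"])))
        elif m := SVC_RE.match(line):
            entries.append(("service", m["name"], m["target"],
                            flags_for(m["target"], m["code"])))
        elif m := JOB_RE.match(line):
            job = m["job"]                  # the next "- target [...]" line belongs to it
        elif (m := TASK_RE.match(line)) and job:
            entries.append(("task", job, m["target"], flags_for(m["target"])))
            job = None
    return entries

def needs_review(log):  # names of entries that carry at least one flag
    return [name for _, name, _, flags in parse_autostarts(log) if flags]
```
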
     
  16. Evangelical

    Evangelical TS Rookie Topic Starter Posts: 16

    I am not jmiller - but am working on her problem.
    I will not be able to get to the computer until early next week.

    Thanks for your help.
     
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Did you want to continue with this next week?
     
  18. Evangelical

    Evangelical TS Rookie Topic Starter Posts: 16

    The user is satisfied with the current condition of the computer. I will not be spending more time on it.
    Thank you for your assistance.
     
  19. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Thank you for the update.
     
Topic Status:
Not open for further replies.
