Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

TRO/ROOT KIT?


  • Please log in to reply

#31
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,598 posts
  • MVP
S0 mjvhhu;mjvhhu; C:\Windows\SysWOW64\drivers\mjvhhu.sys []
S0 tcoifh;tcoifh; C:\Windows\SysWOW64\drivers\tcoifh.sys []
S0 vqdtrh;vqdtrh; C:\Windows\SysWOW64\drivers\vqdtrh.sys []
S0 wayuia;wayuia; C:\Windows\SysWOW64\drivers\wayuia.sys []
S0 zedltn;zedltn; C:\Windows\SysWOW64\drivers\zedltn.sys []

Submit one or more of these files to http://virustotal.com and let's see what they think of them. Want to make sure we are not barking up the wrong tree. Can you see these files in Windows Explorer? If so right click on them and select Properties then look for a name of the maker if any. Note the date and look for other files with the same date.

It appears to me that part of your bug is hiding down in the MBR which is why something like Hiren's is handy. If you boot off Hiren's then you can use one of the MBR tools to look at the MBR and the partitions without the virus being active. It would be handy to get a dump of the MBR saved to a USB drive while in Hiren's. You can then submit it to virustotal and see if it looks good or zip it up and attach it and let me look at it.

Also do you have a Windows disk you can boot off of? Then run:

  • bootrec /FixMbr
  • bootrec /FixBoot
  • exit


I'm not sure what the problem is with the Avast update folders. Have never used the program. Can you not create a new folder before you start for it to use? Does the boot-time scan miss the infection?
  • 0

Advertisements


#32
DAV2

DAV2

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 140 posts
Ron, scans do not work at default on second computer. Boot cd downloaded on first computer, but only makes coasters. Boot cd will not download on second computer. Says zip is empty. I just love working with Win. I will keep trying.

This is from the second computer.


;******
;Scan header
;VPS file version: May 31, 2011 - [110531-0]
;Params: C:\ D:\ X:\ Scan: Full files, All files, Ignore targeting, Archive: All packers,
;Columns: File name TAB Status [OK,INFECTED,ERROR]
;******
D:\DOWNFROMC\Downloads\mbam-setup-1.51.1.1800.exe\{embedded}\setup.exe ERROR: Unknown packer version.
D:\DOWNFROMC\pagefileB.sys INFECTED: Win32:Small-HUF [Trj]
D:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe\{embedded}\setup.exe ERROR: Unknown packer version.
D:\Users\930\Downloads\mbam-setup-1.51.2.1300.exe\{embedded}\setup.exe ERROR: Unknown packer version.
;--------------------------
;Files: 210974
;Folders: 22158
;Files size: 42893127042
;Infected files: 1
;--------------------------
;******
;Scan footer
;Scan completed with return code: 0
;******


;******
;Command header
;Columns: File name TAB Command TAB Returned code TAB Custom parameter 1 TAB Custom parameter 2
;******
D:\DOWNFROMC\pagefileB.sys DELETE OK 1 0
D:\DOWNFROMC\Downloads\mbam-setup-1.51.1.1800.exe\{embedded}\setup.exe DELETE OK 1 0

;******
;Command footer
;******

Original Trojan has disappeared for now on second computer. On first computer it is gone and not returned yet.
  • 0

#33
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,598 posts
  • MVP

scans do not work at default on second computer.


Which scans are we talking about here? If ESET and BitDefender then there are a lot of possibilities like firewalls.

Were you able to submit any of the files from #2 to virustotal?

We can go ahead and remove them:



Copy the text between the lines of stars by highlighting and Ctrl + c.

******************************************

Killall::


File::
C:\Windows\SysWOW64\drivers\mjvhhu.sys
C:\Windows\SysWOW64\drivers\tcoifh.sys
C:\Windows\SysWOW64\drivers\vqdtrh.sys
C:\Windows\SysWOW64\drivers\wayuia.sys
C:\Windows\SysWOW64\drivers\zedltn.sys

Driver::
mjvhhu
tcoifh
vqdtrh
wayuia
zedltn

RootKit::
C:\Windows\SysWOW64\drivers\mjvhhu.sys
C:\Windows\SysWOW64\drivers\tcoifh.sys
C:\Windows\SysWOW64\drivers\vqdtrh.sys
C:\Windows\SysWOW64\drivers\wayuia.sys
C:\Windows\SysWOW64\drivers\zedltn.sys

******************************************

Now open notepad (Start, Run, notepad, OK) and Ctrl + V to paste the text into Notepad. Make sure you got it all then File, SAVE AS, (to your Desktop), CFScript , OK. Close notepad. (Overwrite the old one if it's still there.) You should see a file CFScript.txt on your desktop.

Pause your anti-virus. (AVAST:
Click on the Avast ball. Then click on Additional Protections then on AutoSandbox then on Settings then uncheck Enable AutoSandbox. OK

Right click on the Avast Ball and select Avast! Shields Control and Disable Until Computer is Restarted)


Drag CFScript.txt over to Combofix and let go Combofix should start on its own.

Post the new log.

Since we have scared it off of 1 and 2 let's run Combofix on a third one.

Ron
  • 0

#34
DAV2

DAV2

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 140 posts
Ron the " drivers\mjvhhu.sys []
S0 tcoifh;tcoifh; C:\Windows\SysWOW64\drivers\tcoifh.sys []
S0 vqdtrh;vqdtrh; C:\Windows\SysWOW64\drivers\vqdtrh.sys []
S0 wayuia;wayuia; C:\Windows\SysWOW64\drivers\wayuia.sys []
S0 zedltn;zedltn; C:\Windows\SysWOW64\drivers\zedltn.sys []"

do not exist on the second computer. Did I misunderstand?
  • 0

#35
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,598 posts
  • MVP
I expect they are there but you can't see them. (I assume you have changed windows so you can see hidden system files and are seeing other files in the same folder.) Stealth malware is common and this is a good sign that they are dirty. Sometimes you can see them in Command Prompt:

Start, All Programs, Accessories, right click on Command Prompt and Run as Administrator, Continue. Type with an Enter after each line:

cd \Windows\SysWOW64\drivers

dir /a /od *.sys > \junk.txt

notepad \junk.txt
  • 0

#36
DAV2

DAV2

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 140 posts
Ron, ok I disabled Avast and now I am able to do and am doing the scans on the first computer. Still making more coasters and no luck downloading yet on second computer. Yes, rebooting between, but no luck yet.
Had a differnt Trojan on 3rd computer (that verified by VirusTotal) that changed its name and than disapeared after reboot, but I was told by Avast that that was normal.
I have yet to run the Combofix log on second computer and it will take awhile to prepare the 3rd computer for a hunting expedition. I will try to run the files for the MBR on the first computer after the scans, that so far do not show anything, but still working.

Yes, I have folders set to see all and search returns nothing for any of them.

I will try your "" cd \Windows\SysWOW64\drivers

dir /a /od *.sys > \junk.txt

notepad \junk.txt"" next, but I need to eat first.
  • 0

#37
DAV2

DAV2

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 140 posts
BITDEFENDER LOG COMPUTER 1


QuickScan 32-bit v0.9.9.103
---------------------------
Scan date: Mon Jan 16 15:33:35 2012
Machine ID: 6A207BEB



No infection found.
-------------------



Processes
---------
avast! Antivirus 2740 C:\Program Files\AVAST Software\Avast\AvastUI.exe
QFanHelp.exe 2760 C:\Program Files (x86)\ASUS\AI Suite\QFan3\QFanHelp.exe
TurboV.exe 2156 C:\Program Files (x86)\ASUS\TurboV\TurboV.exe
USB 3.0 Monitor 1172 C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
Windows® Internet Explorer 3236 C:\Program Files (x86)\Internet Explorer\iexplore.exe
Windows® Internet Explorer 3392 C:\Program Files (x86)\Internet Explorer\iexplore.exe
Windows® Internet Explorer 4052 C:\Program Files (x86)\Internet Explorer\iexplore.exe


Network activity
----------------
Process iexplore.exe (3392) connected on port 443 (HTTP over SSL) --> 74.125.127.95
Process iexplore.exe (3392) connected on port 443 (HTTP over SSL) --> 74.125.127.95
Process iexplore.exe (4052) connected on port 443 (HTTP over SSL) --> 74.125.224.89
Process iexplore.exe (4052) connected on port 443 (HTTP over SSL) --> 74.125.224.133
Process iexplore.exe (4052) connected on port 443 (HTTP over SSL) --> 74.125.224.133
Process iexplore.exe (4052) connected on port 443 (HTTP over SSL) --> 74.125.224.75
Process iexplore.exe (4052) connected on port 443 (HTTP over SSL) --> 74.125.224.75
Process iexplore.exe (4052) connected on port 443 (HTTP over SSL) --> 96.17.237.177
Process iexplore.exe (4052) connected on port 443 (HTTP over SSL) --> 74.125.224.159
Process iexplore.exe (4052) connected on port 443 (HTTP over SSL) --> 74.125.224.159



Autoruns and critical files
---------------------------
avast! Antivirus C:\Program Files\AVAST Software\Avast\AvastUI.exe
Microsoft® Windows® Operating System c:\windows\system32\userinit.exe
QFanHelp.exe C:\Program Files (x86)\ASUS\AI Suite\QFan3\QFanHelp.exe
TurboV.exe C:\Program Files (x86)\ASUS\TurboV\TurboV.exe
USB 3.0 Monitor C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
Windows® Internet Explorer c:\windows\syswow64\webcheck.dll


Browser plugins
---------------
AcroIEHelperShim Library c:\program files (x86)\common files\adobe\acrobat\activex\acroiehelpershim.dll
Adobe Acrobat C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
avast! WebRep C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
BitDefender QuickScan C:\Windows\Downloaded Program Files\qsax.dll
Java™ Platform SE 6 U30 c:\program files (x86)\java\jre6\bin\jp2ssv.dll
Java™ Platform SE 6 U30 C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll
Java™ Platform SE 6 U30 c:\program files (x86)\java\jre6\bin\ssv.dll
Microsoft® Windows® Operating System C:\Windows\system32\mswsock.dll
Microsoft® Windows® Operating System C:\Windows\system32\NLAapi.dll
Windows® Internet Explorer c:\windows\syswow64\ieframe.dll
(verified) Microsoft® Windows® Operating System C:\Windows\system32\napinsp.dll
(verified) Microsoft® Windows® Operating System C:\Windows\system32\pnrpnsp.dll
(verified) Microsoft® Windows® Operating System C:\Windows\System32\winrnr.dll


Scan
----
MD5: 198bed114015c2671c88fdc32cdcb21d C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
MD5: 183112be4c21fd4773207f348924a080 C:\Program Files (x86)\ASUS\AI Suite\QFan3\ASACPI.DLL
MD5: 2f4dde8f9fefbabea7ec23120b376cdf C:\Program Files (x86)\ASUS\AI Suite\QFan3\QFan.dll
MD5: ef980778cfb8d135c4b08d8b5cfa3290 C:\Program Files (x86)\ASUS\AI Suite\QFan3\QFanHelp.exe
MD5: 798a87b2d7ad73b16b7cd968c5d1f18f C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe
MD5: 60c44e5b40f1845800494001464cd627 C:\Program Files (x86)\ASUS\TurboV\ASACPI.DLL
MD5: dc4da0251c46d416894ef4d4e5da2c34 C:\Program Files (x86)\ASUS\TurboV\OcProfile.dll
MD5: 5bbc951150e738f108c6d3d325bd4029 C:\Program Files (x86)\ASUS\TurboV\pngio.dll
MD5: 5f45fd5c7cea1c5030856bdf50386230 C:\Program Files (x86)\ASUS\TurboV\TurboV.exe
MD5: b82b0a2525ad0bfbfcb8ab23f286f944 C:\Program Files (x86)\ASUS\TurboV\TVOCLIB.DLL
MD5: 8c4ac22616e77925135c221c46dc6307 c:\program files (x86)\common files\adobe\acrobat\activex\acroiehelpershim.dll
MD5: 11a52cf7b265631deeb24c6149309eff C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
MD5: a1659e4d08fe8d0f0bc61960d8c0369e C:\Program Files (x86)\Internet Explorer\ieproxy.dll
MD5: 4d0bad6e0b9a5e650fe37a05f33bf288 C:\Program Files (x86)\Internet Explorer\IEShims.dll
MD5: 904e13ba41af2e353a32cf351ca53639 C:\Program Files (x86)\Internet Explorer\iexplore.exe
MD5: f2121482c2968cd3b53ed53acc9277a5 c:\program files (x86)\java\jre6\bin\jp2ssv.dll
MD5: ccc24faa47c47e66be61bf22603c5e3a C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll
MD5: e810acafa8e6d80117414b7ca036d626 c:\program files (x86)\java\jre6\bin\ssv.dll
MD5: 83ecb3325f8a7bf3e810d9e2156c2a8a C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.dll
MD5: 358c81ada09e0b6906db82ea75b836d5 C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
MD5: ffaa62e671f4604f729063640befd039 C:\Program Files\AVAST Software\Avast\1033\Base.dll
MD5: cd76996b881fb8e96b4ec2210e6934b8 C:\Program Files\AVAST Software\Avast\1033\UILangRes.dll
MD5: 9e9898d12608f8fbbd3ab3b9cde010c6 C:\Program Files\AVAST Software\Avast\Aavm4h.dll
MD5: b0e0b1b2f651e3c3917d4bec88be57f4 C:\Program Files\AVAST Software\Avast\AavmRpch.dll
MD5: 08087f2630cc8df07e336a5e55168fb1 C:\Program Files\AVAST Software\Avast\afwCore.dll
MD5: b3c297cb645b98f5837589008c5445ca C:\Program Files\AVAST Software\Avast\afwCoreClient.dll
MD5: 8114394497bc12b10f412a9b0a3ac01c C:\Program Files\AVAST Software\Avast\afwGeoIP.dll
MD5: f58be607310ea1b5db534e9cc227677e C:\Program Files\AVAST Software\Avast\afwRpc.dll
MD5: 63d43ba2ea495a9f1c1740a513c7e00b C:\Program Files\AVAST Software\Avast\afwServ.exe
MD5: ca4ddb5cb61b905a4407c5fb76527437 C:\Program Files\AVAST Software\Avast\ashBase.dll
MD5: b821ced9f11f12f5dff8e983fc32aea2 C:\Program Files\AVAST Software\Avast\ashTask.dll
MD5: bef4f20a11c0fe612d2d521a502cca52 C:\Program Files\AVAST Software\Avast\ashTaskEx.dll
MD5: 1d352baff5a4b2e5e163bb6e652daf49 C:\Program Files\AVAST Software\Avast\aswAux.dll
MD5: 5a996ce86bda5ff1b628b21b9871287a C:\Program Files\AVAST Software\Avast\aswCmnBS.dll
MD5: 85e7f7d95de30a2008c75726cfc3ad61 C:\Program Files\AVAST Software\Avast\aswCmnIS.dll
MD5: 928f0fc896d10b099588a1d5aa46b1bf C:\Program Files\AVAST Software\Avast\aswCmnOS.dll
MD5: bdf5080dc5de21a5f662e45d57926233 C:\Program Files\AVAST Software\Avast\aswData.dll
MD5: 09cb9ae8bbc2512d9818987e721abe32 C:\Program Files\AVAST Software\Avast\aswEngLdr.dll
MD5: 6e659799d1b14096c4da0717a9ab86a8 C:\Program Files\AVAST Software\Avast\aswJsFlt.dll
MD5: 4f91c0b574919537defdb406ffd94430 C:\Program Files\AVAST Software\Avast\aswLog.dll
MD5: aee62a34b70cbea34ebe384d529312cb C:\Program Files\AVAST Software\Avast\aswProperty.dll
MD5: 388d8dd599c04577edff52e79c451bd7 C:\Program Files\AVAST Software\Avast\aswSqLt.dll
MD5: 99d5d540f154f29896c2f570938c6ceb C:\Program Files\AVAST Software\Avast\aswUtil.dll
MD5: 328bc79bc53ba7a284c818dde88945d7 C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
MD5: 996e6d052438e8d8dfd501f31560b2e0 C:\Program Files\AVAST Software\Avast\AvastSvc.exe
MD5: f7226aa410954185160067d5fa82f3f2 C:\Program Files\AVAST Software\Avast\AvastUI.exe
MD5: c4b742a1bac5f35d9223619f94acb45f C:\Program Files\AVAST Software\Avast\CommonRes.dll
MD5: 164f617ab6e48c89bfdea974e73d83b4 C:\Program Files\AVAST Software\Avast\defs\12011600\uiExt.dll
MD5: ea5abee342925aa2c959e07fe6a95d5c C:\Program Files\AVAST Software\Avast\snxhk.dll
MD5: a9f3bfc9345f49614d5859ec95b9e994 C:\Program Files\Windows Media Player\wmpnetwk.exe
MD5: b8f613ac24cc3c706029e602e2d5ddbf C:\Windows\Downloaded Program Files\qsax.dll
MD5: c4002b6b41975f057d98c439030cea07 C:\Windows\ehome\ehRecvr.exe
MD5: 332feab1435662fc6c672e25beb37be3 C:\Windows\Explorer.exe
MD5: 5988fc40f8db5b0739cd1e3a5d0d78bd C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe
MD5: a8b7f3818ab65695e3a0bb3279f6dce6 C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
MD5: 773212b2aaa24c1e31f10246b15b276c C:\Windows\servicing\TrustedInstaller.exe
MD5: 37ce7a79d901235504f9add99a7ac177 C:\Windows\system32\api-ms-win-core-console-l1-1-0.dll
MD5: 7a044b0746d957bfd7aae18cfd8422c5 C:\Windows\system32\api-ms-win-core-datetime-l1-1-0.dll
MD5: 0a12d948b2cc7fbb01e28daa5e7c01ea C:\Windows\system32\api-ms-win-core-debug-l1-1-0.dll
MD5: cb4863f2bd46aa02d954b86b56a149da C:\Windows\system32\api-ms-win-core-delayload-l1-1-0.dll
MD5: 2cae4ed96aa903578452b85e5383940c C:\Windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll
MD5: e96170a923a69711b4d08e885f05d889 C:\Windows\system32\api-ms-win-core-fibers-l1-1-0.dll
MD5: 44ca750001f0db8c308d1ca4abd0f8e5 C:\Windows\system32\api-ms-win-core-file-l1-1-0.dll
MD5: 15df9eb8daba744e4d0e9b117f760f49 C:\Windows\system32\api-ms-win-core-handle-l1-1-0.dll
MD5: a2385b02cb492131af6f79959a42a93f C:\Windows\system32\api-ms-win-core-heap-l1-1-0.dll
MD5: 3ad0832e8e29fbe9bd722e3354dd4f57 C:\Windows\system32\api-ms-win-core-interlocked-l1-1-0.dll
MD5: 88dc1714e38d4eb41a4378aab98e753b C:\Windows\system32\api-ms-win-core-io-l1-1-0.dll
MD5: a1d4deb5176c96b1a80715f6a1fdfb4f C:\Windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll
MD5: b302a1630e5aea2d830b76bbcd761d72 C:\Windows\system32\api-ms-win-core-localization-l1-1-0.dll
MD5: 22f767bb3b704f79363999bd4a49e68e C:\Windows\system32\api-ms-win-core-localregistry-l1-1-0.dll
MD5: 00b83152f99e846fefb139c574cd4a96 C:\Windows\system32\api-ms-win-core-memory-l1-1-0.dll
MD5: 50035c36acee069d0c209288208626d9 C:\Windows\system32\api-ms-win-core-misc-l1-1-0.dll
MD5: cdf677ad479fa99f2e4d9766b83ef53c C:\Windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll
MD5: 12c34c7325b74e8347e8db75279a8f3f C:\Windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll
MD5: 96324ed3218133a13fff82055afac733 C:\Windows\system32\api-ms-win-core-processthreads-l1-1-0.dll
MD5: a7bdf88a46bcc218b73e383e6547ba5f C:\Windows\system32\api-ms-win-core-profile-l1-1-0.dll
MD5: 573c70d7076f2f101752a727db7c2280 C:\Windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
MD5: 29b01d02e9ff3d8a63f8747b50a5a1a3 C:\Windows\system32\api-ms-win-core-string-l1-1-0.dll
MD5: 0cc90316b34118e3b8af760d92c262a4 C:\Windows\system32\api-ms-win-core-synch-l1-1-0.dll
MD5: 6f399c3e562c4e69df96039743a7aa26 C:\Windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll
MD5: f3b94e04053c2483a6fecf953d6661d6 C:\Windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
MD5: c6942a18444bfffc3cceca69a7e1879c C:\Windows\system32\api-ms-win-core-util-l1-1-0.dll
MD5: f47e08b025ae376ef1342fc9ecfecdf1 C:\Windows\system32\api-ms-win-core-xstate-l1-1-0.dll
MD5: 8a13e14b68e00ac2cb67420396d8a1c5 C:\Windows\system32\api-ms-win-security-base-l1-1-0.dll
MD5: 863f793d15b4026b1a5fdeca873d4d84 C:\Windows\system32\apphelp.dll
MD5: b6296a1e765612688e7e9800cebf2ac8 C:\Windows\system32\AsIo.dll
MD5: c940f2f5c60b3727c5f18840735b229c C:\Windows\system32\AUDIOSES.DLL
MD5: 7a6986dd659b96398a11af5173892715 C:\Windows\system32\Cabinet.dll
MD5: ad7b9c14083b52bc532fba5948342b98 C:\Windows\system32\cmd.exe
MD5: 4e5fe39c1076d115ec8bfcfe14d75b80 C:\Windows\system32\credssp.dll
MD5: a585bebf7d054bd9618eda0922d5484a C:\Windows\system32\cryptsvc.dll
MD5: 465bea35f7ed4a4a57686dea7ea10f47 C:\Windows\system32\cscapi.dll
MD5: 35cede6439ff0d8903223a0817ffe46c C:\Windows\system32\d2d1.dll
MD5: 2de90400a63818fa38c4c5c9adb166bf C:\Windows\system32\d3d10_1.dll
MD5: 9c36a3ca80f9b204c670336d344f5df8 C:\Windows\system32\d3d10_1core.dll
MD5: 6ef5f3f18413c367195f06e503ab86a6 C:\Windows\system32\d3d9.dll
MD5: 53223b673a3fa2f9a4d1c31c8d3f6cd8 C:\Windows\system32\dbghelp.dll
MD5: 162d247e995eaebf3ef4289069e1111c C:\Windows\system32\DEVRTL.dll
MD5: e9e01eb683c132f7fa27cd607b8a2b63 C:\Windows\system32\dhcpcore.dll
MD5: b40420876b9288e0a1c8cca8a84e5dc9 C:\Windows\system32\DNSAPI.dll
MD5: 0a5c7253183a6f956d10a3a4bbc96288 C:\Windows\system32\DWrite.dll
MD5: 0411b7958c524bb2e91ee1b3035fe321 C:\Windows\system32\dxgi.dll
MD5: 8b88ebbb05a0e56b7dcc708498c02b3e C:\Windows\system32\Explorer.exe
MD5: e2a17bcc08d92f42e08af6ba2f93aba7 C:\Windows\system32\explorerframe.dll
MD5: 03a03a453f1aaae0c73aaaf895321c7a C:\Windows\System32\fwpuclnt.dll
MD5: 691e93028b8723e05b4a637be77380dd C:\Windows\system32\ieframe.dll
MD5: 274e38af453fa9e079b1d5a85f5f0921 C:\Windows\system32\IEUI.dll
MD5: 68563ac389f92ee79f1c714288ba1dce C:\Windows\system32\ImgUtil.dll
MD5: a6f09e5669d9a19035f6d942caa15882 C:\Windows\system32\IMM32.DLL
MD5: a90dc9abd65db1a8902f361103029952 C:\Windows\system32\iphlpapi.DLL
MD5: dc6612a9ee015a36ba2a27bc9cc12537 C:\Windows\system32\MFC42.DLL
MD5: 243974ec02f7ae49e4179c54624143ab C:\Windows\System32\MMDevApi.dll
MD5: 7f8678c59f188528d60104e697c2361e C:\Windows\system32\mscms.dll
MD5: 66c0aee61d1c5c35bf1b4642a153b114 C:\Windows\system32\MSHTML.dll
MD5: eee470f2a771fc0b543bdeef74fceca0 C:\Windows\system32\msiexec.exe
MD5: 35aae2e841aa1a949775168e119482c9 C:\Windows\system32\msls31.dll
MD5: 8999b8631c7fd9f7f9ec3cafd953ba24 C:\Windows\system32\mswsock.dll
MD5: 4205ca4cd43e725db9ff02b0a588a8c6 C:\Windows\System32\msxml3.dll
MD5: 269d867585cda04d3972a39f3694e7df C:\Windows\System32\msxml6.dll
MD5: 104a1070e90f1c530328e69b49718841 C:\Windows\system32\NLAapi.dll
MD5: eb77db354791a5932ca559b6f6374e95 C:\Windows\system32\ntshrui.dll
MD5: 7dbb5fcbadf03aeae39031ac365089cf C:\Windows\system32\nvd3dum.dll
MD5: fec52d8341982a01f43f0abf25bc5a5a C:\Windows\system32\nvwgf2um.dll
MD5: 7d34af98a706230cc2dedfe0cabf87ab C:\Windows\system32\ODBC32.dll
MD5: 8e01332cc4b68bc6b5b7effe374442aa C:\Windows\system32\OLEACC.dll
MD5: 414bba67a3ded1d28437eb66aeb8a720 C:\Windows\system32\pla.dll
MD5: 12c45e3cb6d65f73209549e2d02eca7a C:\Windows\System32\PROPSYS.dll
MD5: dbc02d918fff1cad628acbe0c0eaa8e8 C:\Windows\system32\provsvc.dll
MD5: 5997d769cdb108390dcfaebf442bf816 C:\Windows\system32\RpcRtRemote.dll
MD5: 0915c4db6dbc3bb9e11b7ecbbe4b7159 C:\Windows\system32\rtutils.dll
MD5: 236f286e103fd44bd85fdd93097fd5dd C:\Windows\system32\SearchIndexer.exe
MD5: 69678722290c78d5d7198c60b5a4e3e8 C:\Windows\system32\Secur32.dll
MD5: 4ae380f39a0032eab7dd953030b26d28 C:\Windows\system32\sessenv.dll
MD5: 414da952a35bf5d50192e28263b40577 C:\Windows\System32\shsvcs.dll
MD5: 5ccdcd40e732d54e0f7451ac66ac1c87 C:\Windows\system32\srvcli.dll
MD5: 919001d2bb17df06ca3f8ac16ad039f6 C:\Windows\system32\SXS.DLL
MD5: 613bf4820361543956909043a265c6ac C:\Windows\System32\tapisrv.dll
MD5: d15618a0ff8dbc2c5bf3726bacc75a0b C:\Windows\system32\USERENV.dll
MD5: 61ac3efdfacfdd3f0f11dd4fd4044223 c:\windows\system32\userinit.exe
MD5: cfc7d8289d2b5f3cf8d16e2db7f93d4a C:\Windows\system32\wbem\fastprox.dll
MD5: 704314fd398c81d5f342caa5df7b7f21 C:\Windows\system32\wbemcomn.dll
MD5: 34eee0dfaadb4f691d6d5308a51315dc C:\Windows\System32\wcncsvc.dll
MD5: d205c24a9d069049fe2df2a1b38726a7 C:\Windows\system32\wdmaud.drv
MD5: a9d880f97530d5b8fee278923349929d C:\Windows\System32\webclnt.dll
MD5: 1db71a41daee6b3f8cd0dda8209fa2d5 C:\Windows\system32\WindowsCodecs.dll
MD5: ca9f7888b524d8100b977c81f44c3234 C:\Windows\System32\winhttp.dll
MD5: d5aefad57c08349a4393d987df7c715d C:\Windows\system32\WINMM.dll
MD5: 9e4b0e7472b4ceba9e17f440b8cb0ab8 C:\Windows\system32\WINSPOOL.DRV
MD5: e5a4a1326a02f8e7b59e6c3270ce7202 C:\Windows\system32\wkscli.dll
MD5: 1b91cd34ea3a90ab6a4ef0550174f4cc C:\Windows\system32\WsmSvc.dll
MD5: edf2a5e96bec469da3f64e9bdd386111 C:\Windows\system32\xmllite.dll
MD5: 95e2376b3323f062eb562b8586d0f14a C:\Windows\syswow64\ADVAPI32.dll
MD5: f436e847fa799ecd75ad8c313673f450 C:\Windows\syswow64\CFGMGR32.dll
MD5: d1de1eafde97be41cf6585027ff3e732 C:\Windows\syswow64\COMDLG32.dll
MD5: 454e292861a4ef1d72f43f42bbaf6917 C:\Windows\syswow64\CRYPT32.dll
MD5: 2eeff4502f5e13b1bed4a04ccad64c08 C:\Windows\syswow64\DEVOBJ.dll
MD5: 4312debdacbe338f0b90e7f08e7672be C:\Windows\SysWOW64\Dxtmsft.dll
MD5: ca493a92da9880b6f1a89c3dbd54ba5b C:\Windows\SysWOW64\Dxtrans.dll
MD5: d6d3ad7bf1d6f6ce9547613ed5e170a2 C:\Windows\syswow64\GDI32.dll
MD5: ee9d715af1b928982f417238b9914484 C:\Windows\SysWOW64\ieapfltr.dll
MD5: 691e93028b8723e05b4a637be77380dd c:\windows\syswow64\ieframe.dll
MD5: 1416ab557be700fa117323b6b8f32882 C:\Windows\syswow64\iertutil.dll
MD5: 82586704868e3abb382cae303b41e8b7 C:\Windows\SysWOW64\jscript9.dll
MD5: 99c3f8e9cc59d95666eb8d8a8b4c2beb C:\Windows\syswow64\kernel32.dll
MD5: 5c2d21c9b6b6175b89bc5d7e3cb979e1 C:\Windows\syswow64\KERNELBASE.dll
MD5: e9f427ef46965d33e878a507a2f5ccb6 C:\Windows\SysWOW64\Macromed\Flash\Flash11e.ocx
MD5: 938f39b50bafe13d6f58c7790682c010 C:\Windows\syswow64\MSASN1.dll
MD5: e73b0f1819602cb6ef176fb78d76a47b C:\Windows\SysWOW64\ntdll.dll
MD5: 928cf7268086631f54c3d8e17238c6dd C:\Windows\syswow64\ole32.dll
MD5: 6c765e82b57f2e66ce9c54ac238471d9 C:\Windows\syswow64\OLEAUT32.dll
MD5: c5ad8083cf94201f1f8084ecc696a8b7 C:\Windows\syswow64\RPCRT4.dll
MD5: 1affb765af1fdcc0c185c38e9ddddaee C:\Windows\SysWOW64\schannel.dll
MD5: 10fb16b50affda6d44588f3c445dc273 C:\Windows\syswow64\SETUPAPI.dll
MD5: 16ab4bd2acc52109f43739bf0e89e18f C:\Windows\syswow64\SHELL32.dll
MD5: 8cc3c111d653e96f3ea1590891491d71 C:\Windows\syswow64\SHLWAPI.dll
MD5: 44b2693080979a0e05085b3faaa43a09 C:\Windows\syswow64\SspiCli.dll
MD5: 814638f572f497d96b17bf254113d9a4 C:\Windows\syswow64\urlmon.dll
MD5: 5e0db2d8b2750543cd2ebb9ea8e6cdd3 C:\Windows\syswow64\USER32.dll
MD5: 804aaafebb3ad5f49334dd906bcb1de5 C:\Windows\syswow64\USP10.dll
MD5: 5e7a2cf7719161c5e6c0e47d67ad45ae C:\Windows\SysWOW64\vbscript.dll
MD5: 5193de33f3284c447e0d31dafbf92570 c:\windows\syswow64\webcheck.dll
MD5: 02f98b5c0e397ad06124d84428cf8f1a C:\Windows\syswow64\WININET.dll
MD5: 2d0d2da87bea7144f2a17f19d0d17e4c C:\Windows\syswow64\WINTRUST.dll
MD5: a8bb45f9ecad993461e0fef8e2a99152 C:\Windows\syswow64\WLDAP32.dll
MD5: 7ff15a4f092cd4a96055ba69f903e3e9 C:\Windows\syswow64\WS2_32.dll
MD5: 4c39358ebdd2ffcd9132a30e1ec31e16 C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\MSVCP90.dll
MD5: cdbe9690cf2b8409facad94fac9479c9 C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\MSVCR90.dll
MD5: ca6ade4f7761bb15b3325356dc3b82bb C:\Windows\WinSxS\x86_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.6161_none_4bf7e3e2bf9ada4c\mfc90u.dll
MD5: fbfca1a574d47ee575448b719cbbf2e4 C:\Windows\WinSxS\x86_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.6161_none_49768ef57548175e\MFC90ENU.DLL
MD5: bdac1aa64495d0f7e1ff810ebbf1f018 C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\COMCTL32.DLL
MD5: 352b3dc62a0d259a82a052238425c872 C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\COMCTL32.dll


No file uploaded.

Scan finished - communication took 2 sec
Total traffic - 0.01 MB sent, 0.67 KB recvd
Scanned 286 files and modules - 7 seconds

==============================================================================
  • 0

#38
DAV2

DAV2

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 140 posts
Ron, ok I did the bootrec on computer 1.
I did the "\Windows\SysWOW64\drivers" on computer 2 and got

" Volume in drive C has no label.
Volume Serial Number is D667-F146

Directory of C:\Windows\SysWOW64\drivers

01/04/2008 01:34 PM 10,216 AsInsHelp32.sys
01/04/2008 01:34 PM 11,832 AsInsHelp64.sys
07/13/2009 07:19 PM 19,008 wimmount.sys
08/04/2009 10:28 AM 13,440 AsIO.sys
4 File(s) 54,496 bytes
0 Dir(s) 125,673,472,000 bytes free
  • 0

#39
DAV2

DAV2

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 140 posts
COMBOFIX ON 2ND COMPUTER

ComboFix 12-01-16.02 - 930 01/16/2012 17:05:31.2.8 - x64
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.6135.4669 [GMT -6:00]
Running from: c:\users\930\Downloads\ComboFix.exe
Command switches used :: c:\users\930\Documents\CFScript.txt
AV: avast! Internet Security *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
FW: avast! Internet Security *Enabled* {131692B0-0864-D491-4E21-3A3A1D8BBB47}
SP: avast! Internet Security *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\windows\SysWOW64\drivers\mjvhhu.sys"
"c:\windows\SysWOW64\drivers\tcoifh.sys"
"c:\windows\SysWOW64\drivers\vqdtrh.sys"
"c:\windows\SysWOW64\drivers\wayuia.sys"
"c:\windows\SysWOW64\drivers\zedltn.sys"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_MJVHHU
-------\Legacy_TCOIFH
-------\Legacy_VQDTRH
-------\Legacy_WAYUIA
-------\Legacy_ZEDLTN
-------\Service_mjvhhu
-------\Service_tcoifh
-------\Service_vqdtrh
-------\Service_wayuia
-------\Service_zedltn
.
.
((((((((((((((((((((((((( Files Created from 2011-12-16 to 2012-01-16 )))))))))))))))))))))))))))))))
.
.
2012-01-16 23:11 . 2012-01-16 23:11 69000 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{8E68F4B4-E6CA-4904-BAAD-A1ED7D52EEA4}\offreg.dll
2012-01-16 23:07 . 2012-01-16 23:07 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-01-16 17:45 . 2012-01-16 17:45 -------- d-----w- C:\rsit
2012-01-16 17:45 . 2012-01-16 17:45 -------- d-----w- c:\program files (x86)\trend micro
2012-01-16 13:37 . 2012-01-16 13:37 -------- d-----w- c:\program files (x86)\Microsoft ActiveSync
2012-01-16 03:42 . 2012-01-16 03:42 -------- d-----w- c:\windows\Microsoft Antimalware
2012-01-16 03:42 . 2012-01-16 03:42 -------- d-----w- c:\windows\Windows Defender Offline
2012-01-16 01:36 . 2011-11-19 14:58 77312 ----a-w- c:\windows\system32\packager.dll
2012-01-16 01:36 . 2011-11-19 14:01 67072 ----a-w- c:\windows\SysWow64\packager.dll
2012-01-16 01:36 . 2011-11-30 08:21 8822856 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{8E68F4B4-E6CA-4904-BAAD-A1ED7D52EEA4}\mpengine.dll
2012-01-16 01:35 . 2011-10-26 05:25 1572864 ----a-w- c:\windows\system32\quartz.dll
2012-01-16 01:35 . 2011-10-26 05:25 366592 ----a-w- c:\windows\system32\qdvd.dll
2012-01-16 01:35 . 2011-10-26 04:32 514560 ----a-w- c:\windows\SysWow64\qdvd.dll
2012-01-16 01:35 . 2011-10-26 04:32 1328128 ----a-w- c:\windows\SysWow64\quartz.dll
2012-01-16 01:35 . 2011-11-17 06:41 1731920 ----a-w- c:\windows\system32\ntdll.dll
2012-01-16 01:35 . 2011-11-17 05:38 1292080 ----a-w- c:\windows\SysWow64\ntdll.dll
2012-01-15 20:29 . 2012-01-15 20:29 -------- d-----w- C:\DOWN
2012-01-15 19:08 . 2012-01-15 19:08 -------- d-----w- c:\programdata\Malwarebytes
2012-01-15 19:08 . 2012-01-16 02:53 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-01-15 19:08 . 2011-12-10 21:24 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-15 18:53 . 2012-01-15 18:58 -------- d-----w- C:\Quarantine
2012-01-08 11:42 . 2011-11-28 17:51 24408 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-01-08 11:42 . 2011-11-28 17:53 304472 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-01-08 11:42 . 2011-11-28 17:54 140120 ----a-w- c:\windows\system32\drivers\aswFW.sys
2012-01-08 11:42 . 2011-11-28 17:53 258392 ----a-w- c:\windows\system32\drivers\aswNdis2.sys
2012-01-08 11:42 . 2011-11-28 17:52 42328 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2012-01-08 11:42 . 2011-11-28 17:52 58712 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-01-08 11:42 . 2011-11-28 17:54 591192 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-01-08 11:42 . 2011-11-28 17:52 66904 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2012-01-08 11:42 . 2011-11-28 17:26 12368 ----a-w- c:\windows\system32\drivers\aswNdis.sys
2012-01-08 11:41 . 2011-11-28 18:01 41184 ----a-w- c:\windows\avastSS.scr
2012-01-08 11:41 . 2011-11-28 18:01 199816 ----a-w- c:\windows\SysWow64\aswBoot.exe
2012-01-07 01:23 . 2012-01-07 01:23 -------- d-----w- c:\program files (x86)\Microsoft Silverlight
2012-01-07 01:14 . 2012-01-07 01:14 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-01-07 01:14 . 2012-01-07 01:14 -------- d-----w- c:\windows\SysWow64\Macromed
2012-01-07 01:14 . 2012-01-07 01:14 -------- d-----w- c:\windows\system32\Macromed
2012-01-07 00:50 . 2012-01-07 00:50 -------- d-----w- c:\program files\Microsoft IntelliPoint
2012-01-07 00:49 . 2012-01-07 00:49 -------- d-----w- c:\windows\PCHEALTH
2012-01-07 00:48 . 2012-01-07 00:48 -------- d-----w- c:\users\UpdatusUser
2012-01-07 00:48 . 2012-01-07 00:48 -------- d-----w- c:\program files (x86)\NVIDIA Corporation
2012-01-07 00:48 . 2012-01-07 00:48 -------- d-----w- c:\programdata\NVIDIA
2012-01-07 00:48 . 2011-05-21 12:01 739432 ----a-w- c:\windows\system32\easyupdatusapiu64.dll
2012-01-07 00:48 . 2011-05-21 12:01 6300776 ----a-w- c:\windows\system32\nvcpl.dll
2012-01-07 00:48 . 2011-05-21 12:01 61544 ----a-w- c:\windows\system32\nvshext.dll
2012-01-07 00:48 . 2011-05-21 12:01 3040872 ----a-w- c:\windows\system32\nvsvc64.dll
2012-01-07 00:48 . 2011-05-21 12:01 2560616 ----a-w- c:\windows\system32\nvsvcr.dll
2012-01-07 00:48 . 2011-05-21 12:01 117864 ----a-w- c:\windows\system32\nvmctray.dll
2012-01-07 00:48 . 2011-05-21 12:01 1016936 ----a-w- c:\windows\system32\nvvsvc.exe
2012-01-07 00:47 . 2012-01-07 00:47 -------- d-----w- c:\programdata\NVIDIA Corporation
2012-01-07 00:47 . 2012-01-07 00:48 -------- d-----w- c:\program files\NVIDIA Corporation
2012-01-07 00:40 . 2011-02-19 12:05 1139200 ----a-w- c:\windows\system32\FntCache.dll
2012-01-07 00:40 . 2011-02-19 12:04 1544192 ----a-w- c:\windows\system32\DWrite.dll
2012-01-07 00:40 . 2011-02-19 12:04 902656 ----a-w- c:\windows\system32\d2d1.dll
2012-01-07 00:40 . 2011-02-19 06:30 1076736 ----a-w- c:\windows\SysWow64\DWrite.dll
2012-01-07 00:40 . 2011-02-19 06:30 739840 ----a-w- c:\windows\SysWow64\d2d1.dll
2012-01-07 00:13 . 2012-01-07 00:13 -------- d-----w- c:\program files (x86)\Microsoft.NET
2012-01-06 23:58 . 2012-01-06 23:58 995328 ----a-w- c:\program files\Common Files\Microsoft Shared\VGX\VGX.dll
2012-01-06 23:51 . 2011-11-15 20:29 270720 ------w- c:\windows\system32\MpSigStub.exe
2012-01-06 23:49 . 2011-04-09 06:58 142336 ----a-w- c:\windows\system32\poqexec.exe
2012-01-06 23:48 . 2011-11-05 05:32 2048 ----a-w- c:\windows\system32\tzres.dll
2012-01-06 23:48 . 2011-11-05 04:26 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2012-01-06 23:48 . 2011-08-17 05:26 613888 ----a-w- c:\windows\system32\psisdecd.dll
2012-01-06 23:48 . 2011-08-17 04:24 465408 ----a-w- c:\windows\SysWow64\psisdecd.dll
2012-01-06 23:48 . 2011-08-17 04:19 75776 ----a-w- c:\windows\SysWow64\psisrndr.ax
2012-01-06 23:48 . 2011-08-17 05:25 108032 ----a-w- c:\windows\system32\psisrndr.ax
2012-01-06 23:46 . 2011-05-24 11:42 404480 ----a-w- c:\windows\system32\umpnpmgr.dll
2012-01-06 23:46 . 2011-05-24 10:40 64512 ----a-w- c:\windows\SysWow64\devobj.dll
2012-01-06 23:46 . 2011-05-24 10:40 44544 ----a-w- c:\windows\SysWow64\devrtl.dll
2012-01-06 23:46 . 2011-05-24 10:39 145920 ----a-w- c:\windows\SysWow64\cfgmgr32.dll
2012-01-06 23:46 . 2011-05-24 10:37 252928 ----a-w- c:\windows\SysWow64\drvinst.exe
2012-01-06 23:46 . 2011-02-12 11:34 267776 ----a-w- c:\windows\system32\FXSCOVER.exe
2012-01-05 16:03 . 2012-01-05 16:03 -------- d-----w- c:\programdata\McAfee
2012-01-04 22:42 . 2009-09-30 17:33 24576 ----a-w- c:\windows\SysWow64\AsIO.dll
2012-01-04 22:42 . 2009-08-04 16:28 13440 ----a-w- c:\windows\SysWow64\drivers\AsIO.sys
2012-01-04 22:41 . 2012-01-04 22:42 -------- d-----w- c:\program files (x86)\ASUS
2012-01-04 22:41 . 2008-01-04 19:34 11832 ----a-w- c:\windows\SysWow64\drivers\AsInsHelp64.sys
2012-01-04 19:42 . 2009-04-22 15:53 62464 ----a-w- c:\windows\SysWow64\SFFXComm.dll
2012-01-04 19:40 . 2012-01-04 19:40 -------- d-----w- c:\program files (x86)\Marvell
2012-01-04 19:40 . 2012-01-04 19:40 -------- d-----w- c:\program files (x86)\Intel
2012-01-04 19:40 . 2009-12-04 23:30 53248 ----a-r- c:\windows\SysWow64\CSVer.dll
2012-01-04 02:54 . 2012-01-04 01:28 -------- d-----w- c:\windows\Panther
2012-01-04 01:58 . 2012-01-04 01:58 -------- d-----w- c:\windows\system32\SPReview
2012-01-04 01:45 . 2010-11-20 11:01 2560 ----a-w- c:\windows\system32\drivers\en-US\rdpwd.sys.mui
2012-01-04 01:45 . 2010-11-20 10:57 3072 ----a-w- c:\windows\system32\drivers\en-US\tsusbflt.sys.mui
2012-01-04 01:45 . 2010-11-20 11:11 6144 ----a-w- c:\windows\system32\drivers\en-US\IPMIDrv.sys.mui
2012-01-04 01:45 . 2010-11-20 11:10 4608 ----a-w- c:\windows\system32\drivers\en-US\kbdclass.sys.mui
2012-01-04 01:38 . 2010-11-20 11:33 299392 ----a-w- c:\windows\system32\mcupdate_GenuineIntel.dll
2012-01-04 01:36 . 2012-01-04 01:36 -------- d-----w- c:\windows\system32\EventProviders
2012-01-04 01:28 . 2012-01-04 01:28 -------- d-----w- c:\users\930
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-04 01:56 . 2009-07-14 02:36 175616 ----a-w- c:\windows\system32\msclmd.dll
2012-01-04 01:56 . 2009-07-14 02:36 152576 ----a-w- c:\windows\SysWow64\msclmd.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-01-16_12.30.00 )))))))))))))))))))))))))))))))))))))))))
.
+ 1999-11-24 23:40 . 1999-11-24 23:40 40960 c:\windows\SysWOW64\VBAME.DLL
- 2012-01-04 01:39 . 2010-11-20 10:08 96768 c:\windows\SysWOW64\sspicli.dll
+ 2012-01-16 13:40 . 2011-11-17 05:28 96768 c:\windows\SysWOW64\sspicli.dll
- 2012-01-04 01:39 . 2010-11-20 10:21 22016 c:\windows\SysWOW64\secur32.dll
+ 2012-01-16 13:40 . 2011-11-17 05:34 22016 c:\windows\SysWOW64\secur32.dll
+ 1998-03-25 02:54 . 1998-03-25 02:54 15872 c:\windows\SysWOW64\SCP32.DLL
+ 1998-08-09 16:07 . 1998-08-09 16:07 94208 c:\windows\SysWOW64\MSSTKPRP.DLL
+ 1998-06-18 00:08 . 1998-06-18 00:08 53248 c:\windows\SysWOW64\MFC42ENU.DLL
+ 2003-08-18 20:26 . 2003-08-18 20:26 25872 c:\windows\SysWOW64\FM20ENU.DLL
- 2009-07-14 04:54 . 2012-01-16 12:29 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2012-01-16 23:09 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 04:54 . 2012-01-16 12:29 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-01-16 23:09 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-01-16 12:29 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-01-16 23:09 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2001-01-22 09:25 . 2001-01-22 09:25 32768 c:\windows\SysWOW64\ATHPRXY.DLL
+ 2012-01-04 17:08 . 2012-01-16 19:53 31804 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-01-16 19:53 32534 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2012-01-16 13:40 . 2011-11-17 06:35 29184 c:\windows\system32\sspisrv.dll
- 2012-01-04 01:39 . 2010-11-20 11:27 29184 c:\windows\system32\sspisrv.dll
- 2012-01-04 01:39 . 2010-11-20 11:27 28160 c:\windows\system32\secur32.dll
+ 2012-01-16 13:40 . 2011-11-17 06:35 28160 c:\windows\system32\secur32.dll
+ 2012-01-16 13:40 . 2011-11-17 06:33 31232 c:\windows\system32\lsass.exe
- 2009-07-13 23:20 . 2009-07-14 01:39 31232 c:\windows\system32\lsass.exe
+ 2012-01-16 13:40 . 2011-11-17 06:49 95600 c:\windows\system32\drivers\ksecdd.sys
+ 2012-01-04 03:08 . 2012-01-16 22:52 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2012-01-04 03:08 . 2012-01-16 12:19 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2012-01-04 03:08 . 2012-01-16 12:19 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2012-01-04 03:08 . 2012-01-16 22:52 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-01-16 22:52 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:54 . 2012-01-16 12:19 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2012-01-16 13:37 . 2012-01-16 13:40 90112 c:\windows\Installer\{91130409-6000-11D3-8CFE-0050048383C9}\xlicons.exe
+ 2012-01-16 13:37 . 2012-01-16 13:40 45056 c:\windows\Installer\{91130409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
+ 2012-01-16 13:37 . 2012-01-16 13:40 22528 c:\windows\Installer\{91130409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
+ 2012-01-16 13:37 . 2012-01-16 13:40 12800 c:\windows\Installer\{91130409-6000-11D3-8CFE-0050048383C9}\pubs.exe
+ 2012-01-16 13:37 . 2012-01-16 13:40 16384 c:\windows\Installer\{91130409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
+ 2012-01-16 13:37 . 2012-01-16 13:40 34304 c:\windows\Installer\{91130409-6000-11D3-8CFE-0050048383C9}\misc.exe
+ 2012-01-04 02:00 . 2012-01-16 12:37 1604 c:\windows\system32\wdi\ERCQueuedResolutions.dat
+ 2012-01-04 03:04 . 2012-01-16 19:53 7316 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2861902998-1298274927-726295685-1000_UserData.bin
- 2012-01-16 12:29 . 2012-01-16 12:29 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-01-16 23:09 . 2012-01-16 23:09 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-01-16 12:29 . 2012-01-16 12:29 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-01-16 23:09 . 2012-01-16 23:09 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-01-16 13:37 . 2012-01-16 13:40 3584 c:\windows\Installer\{91130409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
+ 2012-01-16 13:37 . 2012-01-16 13:40 8192 c:\windows\Installer\{91130409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
+ 2012-01-16 13:37 . 2012-01-16 13:40 2560 c:\windows\Installer\{91130409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
- 2012-01-04 01:39 . 2010-11-20 10:21 314880 c:\windows\SysWOW64\webio.dll
+ 2012-01-16 13:40 . 2011-11-17 05:35 314880 c:\windows\SysWOW64\webio.dll
+ 2012-01-16 13:40 . 2011-11-17 05:34 224768 c:\windows\SysWOW64\schannel.dll
+ 2000-04-03 23:52 . 2000-04-03 23:52 151552 c:\windows\SysWOW64\RDOCURS.DLL
+ 2000-05-24 03:45 . 2000-05-24 03:45 118784 c:\windows\SysWOW64\MSSTDFMT.DLL
+ 2000-05-11 19:06 . 2000-05-11 19:06 397312 c:\windows\SysWOW64\MSRDO20.DLL
- 2012-01-04 01:39 . 2010-11-20 11:27 395776 c:\windows\system32\webio.dll
+ 2012-01-16 13:40 . 2011-11-17 06:35 395776 c:\windows\system32\webio.dll
- 2012-01-04 01:39 . 2010-11-20 11:27 136192 c:\windows\system32\sspicli.dll
+ 2012-01-16 13:40 . 2011-11-17 06:35 136192 c:\windows\system32\sspicli.dll
- 2012-01-04 01:39 . 2010-11-20 11:27 340992 c:\windows\system32\schannel.dll
+ 2012-01-16 13:40 . 2011-11-17 06:35 340992 c:\windows\system32\schannel.dll
+ 2009-07-14 02:36 . 2012-01-16 23:13 623940 c:\windows\system32\perfh009.dat
- 2009-07-14 02:36 . 2012-01-16 12:21 623940 c:\windows\system32\perfh009.dat
- 2009-07-14 02:36 . 2012-01-16 12:21 106316 c:\windows\system32\perfc009.dat
+ 2009-07-14 02:36 . 2012-01-16 23:13 106316 c:\windows\system32\perfc009.dat
+ 2009-07-14 04:45 . 2012-01-16 14:06 338496 c:\windows\system32\FNTCACHE.DAT
+ 2012-01-16 13:40 . 2011-11-17 06:49 152432 c:\windows\system32\drivers\ksecpkg.sys
+ 2012-01-16 13:40 . 2011-11-17 06:44 459232 c:\windows\system32\drivers\cng.sys
+ 2009-07-14 04:46 . 2012-01-16 14:24 116248 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
+ 2009-07-14 05:01 . 2012-01-16 23:08 307216 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2012-01-16 13:37 . 2012-01-16 13:40 114688 c:\windows\Installer\{91130409-6000-11D3-8CFE-0050048383C9}\outicon.exe
+ 2012-01-16 13:37 . 2012-01-16 13:40 155702 c:\windows\Installer\{91130409-6000-11D3-8CFE-0050048383C9}\bcicon.exe
+ 1998-06-17 16:52 . 1998-06-17 16:52 401462 c:\windows\Installer\$PatchCache$\Managed\9040311900063D11C8EF00054038389C\10.0.2627\MSVCP60.DLL
+ 2003-09-25 18:07 . 2003-09-25 18:07 1139472 c:\windows\SysWOW64\FM20.DLL
+ 2012-01-16 13:40 . 2011-11-17 06:35 1447936 c:\windows\system32\lsasrv.dll
- 2012-01-04 01:39 . 2010-11-20 11:26 1447936 c:\windows\system32\lsasrv.dll
+ 2009-07-14 04:45 . 2012-01-16 14:09 7361430 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
- 2009-07-14 04:45 . 2012-01-16 12:19 7361430 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
+ 2012-01-07 21:05 . 2012-01-16 23:08 2020776 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2861902998-1298274927-726295685-1000-8192.dat
+ 2012-01-07 00:41 . 2012-01-16 23:08 2391436 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2861902998-1298274927-726295685-1000-4096.dat
+ 2001-03-07 20:38 . 2001-03-07 20:38 3034112 c:\windows\Installer\358cb9.msi
- 2009-07-14 02:34 . 2012-01-07 00:31 10485760 c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
+ 2009-07-14 02:34 . 2012-01-16 14:05 10485760 c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
+ 2004-01-30 09:19 . 2004-01-30 09:19 56269996 c:\windows\Installer\358d0d.msp
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files (x86)\Analog Devices\Core\smax4pnp.exe" [2009-12-04 1310720]
"Ai Nap"="c:\program files (x86)\ASUS\AI Suite\AiNap\AiNap.exe" [2010-03-10 1439360]
"QFan Help"="c:\program files (x86)\ASUS\AI Suite\QFan3\QFanHelp.exe" [2010-01-14 611968]
"Cpu Level Up help"="c:\program files (x86)\ASUS\AI Suite\CpuLevelUpHelp.exe" [2009-12-29 887936]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-11-28 3744552]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files (x86)\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
S0 aswNdis;avast! Firewall NDIS Filter Service;c:\windows\system32\DRIVERS\aswNdis.sys [x]
S0 aswNdis2;avast! Firewall Core Firewall Service; [x]
S1 aswFW;avast! TDI Firewall driver; [x]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [x]
S2 avast! Firewall;avast! Firewall;c:\program files\AVAST Software\Avast\afwServ.exe [2011-11-28 127192]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-05-21 2214504]
S3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [x]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [x]
.
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-11-28 18:01 134384 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-08-01 2417032]
"combofix"="c:\combofix\CF6157.3XE" [2010-11-20 345088]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office10\EXCEL.EXE/3000
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVAST Software\Avast\AvastSvc.exe
.
**************************************************************************
.
Completion time: 2012-01-16 17:59:24 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-16 23:59
ComboFix2.txt 2012-01-16 12:33
.
Pre-Run: 125,689,942,016 bytes free
Post-Run: 125,614,723,072 bytes free
.
- - End Of File - - 6B9974051322FAAE043A91CEEC0D176D
  • 0

#40
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,598 posts
  • MVP
On the two that we have run the cfscript on I would clear the temp files and the System Restore Points:

Copy the following:


:Commands
[EMPTYTEMP]
[CLEARALLRESTOREPOINTS]
[Reboot]

Right click on OTL and Run As Administrator. In the Custom Scans/Fixes box at the bottom, paste in the copied text (Ctrl + v) and then hit Run Fix.

How do you tell when the trojan is active? Is there some other symptom other than the Avast scan?
  • 0

Advertisements


#41
DAV2

DAV2

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 140 posts
Ron, I have worked much to my dismay with Win for many years. I thought XP was bad, because I had to reformat it so often, maybe a handful of times. But Win 7 has been done every couple of weeks for more than 1 yr. The SFC /scannow usually does not complete or it can not be repaired. The Sigverif usually has non signed drivers and Win simply crashes so often that it needs to be reformatted. Trojans are routinely found on scans and removed and the settings on firewalls and security programs are always changed all by themselves, Security scans of hash marks change and then with no restore, they change back. I do not know if this is normal for Win or not, but it is definitely the most unstable and worst waste of my time by heads and shoulders of any previous release of Win.
See Trojan gone then see Trojan back. From where? These are the latest Avast scans from today on first computer.

;******
;Scan header
;VPS file version: January 16, 2012 - [120116-0]
;Params: C:\ D:\ X:\ Scan: Full files, All files, Ignore targeting, Archive: All packers,
;Columns: File name TAB Status [OK,INFECTED,ERROR]
;******
;--------------------------
;Files: 238617
;Folders: 21840
;Files size: 30520762031
;Infected files: 0
;--------------------------
;******
;Scan footer
;Scan completed with return code: 0
;******

;******
;Scan header
;VPS file version: May 31, 2011 - [110531-0]
;Params: C:\ D:\ X:\ Scan: Full files, All files, Ignore targeting, Archive: All packers,
;Columns: File name TAB Status [OK,INFECTED,ERROR]
;******
;--------------------------
;Files: 238597
;Folders: 21840
;Files size: 30507285777
;Infected files: 0
;--------------------------
;******
;Scan footer
;Scan completed with return code: 0
;******

;******
;Scan header
;VPS file version: May 31, 2011 - [110531-0]
;Params: C:\ D:\ X:\ Scan: Full files, All files, Ignore targeting, Archive: All packers,
;Columns: File name TAB Status [OK,INFECTED,ERROR]
;******
D:\pagefile.sys INFECTED: Win32:Small-HUF [Trj]
D:\Users\975\Downloads\Hirens.BootCD.15.1.zip\Hiren's.BootCD.15.1.iso ERROR: The file is a decompression bomb.
;--------------------------
;Files: 243990
;Folders: 21854
;Files size: 33107373815
;Infected files: 1
;--------------------------
;******
;Scan footer
;Scan completed with return code: 0
;******


;******
;Command header
;Columns: File name TAB Command TAB Returned code TAB Custom parameter 1 TAB Custom parameter 2
;******

;******
;Command footer
;******

;******
;Scan header
;VPS file version: January 16, 2012 - [120116-1]
;Params: C:\ D:\ X:\ Scan: Full files, All files, Ignore targeting, Archive: All packers,
;Columns: File name TAB Status [OK,INFECTED,ERROR]
;******
D:\pagefile.sys INFECTED: Win32:Small-HUF [Trj]
D:\Users\975\Downloads\Hirens.BootCD.15.1.zip\Hiren's.BootCD.15.1.iso ERROR: The file is a decompression bomb.
;--------------------------
;Files: 175866
;Folders: 7518
;Files size: 23481325993
;Infected files: 1
;--------------------------
;USER CANCEL SCAN
;******
;Scan footer
;Scan completed with return code: 0
;******


;******
;Command header
;Columns: File name TAB Command TAB Returned code TAB Custom parameter 1 TAB Custom parameter 2
;******
D:\pagefile.sys DELETE OK 1 0

;******
;Command footer
;******

Are we there yet?
  • 0

#42
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,598 posts
  • MVP
Looks like Avast doesn't like Hiren's which may be why it is not working. You might try downloading and burning the cd with Avast turned off.

Appears that the bug is back since you can see it in pagefile.sys again. Can you run Combofix again (just the standard scan) and let's see if it has new strange drivers for us. This is probably spreading through a network worm. You need to tell the Avast firewall that you are in a hostile environment and not to trust any of the other 17 PCs or just disconnect it from the network after cleaning until we have them all clean.


My experience with Win 7 has been better. The only time SFC hasn't work for me is when it hits active malware and sigverif seldom finds any odd drivers especially on 64 bit systems. I have seen a lot of problems with applications that don't play well with 64 bits - some of them from Microsoft (Windows Live is a prime example).


I usually do this if SFC is having problems:

Start, All Programs, Accessories, right click on Command Prompt and Run as Administrator, Continue. Type with an Enter after each line:


cd  \windows\logs\cbs

copy  cbs.log  cbs.old

del  cbs.log

sfc  /scannow

findstr  /c:"[SR]"  cbs.log  >  junk.txt 




attach the file \windows\logs\cbs\junk.txt to your next reply.
  • 0

#43
DAV2

DAV2

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 140 posts
Another thing I noticed with Win 7 is that it will not open png files. It will make them and transfer them and they can be opened in xp but not win 7. MS rep said that is normal for Win and no bug report is necessary. Now after 1 yr and hundreds of re loads and updates it will finally open png files, but with seconds delay. Why did they work in XP and then stop working in Win? Normal for Win? ? I simply do not know what is normal for Win.
I always configure Win not to share anything with any other computer on net and I always tell the firewall to act in public network and never local. These settings do revert and I find myself constantly resetting them. I was told that Win was designed to be open and will do that by itself. I just waste my time having to constantly change them back. The router is configured not to let computers talk to each other wirelessly.

Edited by DAV2, 16 January 2012 - 08:22 PM.

  • 0

#44
DAV2

DAV2

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 140 posts
2012-01-16 20:26:16, Info CSI 00000009 [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:26:16, Info CSI 0000000a [SR] Beginning Verify and Repair transaction
2012-01-16 20:26:16, Info CSI 0000000c [SR] Verify complete
2012-01-16 20:26:16, Info CSI 0000000d [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:26:16, Info CSI 0000000e [SR] Beginning Verify and Repair transaction
2012-01-16 20:26:17, Info CSI 00000010 [SR] Verify complete
2012-01-16 20:26:17, Info CSI 00000011 [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:26:17, Info CSI 00000012 [SR] Beginning Verify and Repair transaction
2012-01-16 20:26:17, Info CSI 00000014 [SR] Verify complete
2012-01-16 20:26:17, Info CSI 00000015 [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:26:17, Info CSI 00000016 [SR] Beginning Verify and Repair transaction
2012-01-16 20:26:18, Info CSI 00000018 [SR] Verify complete
2012-01-16 20:26:18, Info CSI 00000019 [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:26:18, Info CSI 0000001a [SR] Beginning Verify and Repair transaction
2012-01-16 20:26:18, Info CSI 0000001c [SR] Verify complete
2012-01-16 20:26:19, Info CSI 0000001d [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:26:19, Info CSI 0000001e [SR] Beginning Verify and Repair transaction
2012-01-16 20:26:19, Info CSI 00000020 [SR] Verify complete
2012-01-16 20:26:19, Info CSI 00000021 [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:26:19, Info CSI 00000022 [SR] Beginning Verify and Repair transaction
2012-01-16 20:26:19, Info CSI 00000024 [SR] Verify complete
2012-01-16 20:26:19, Info CSI 00000025 [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:26:19, Info CSI 00000026 [SR] Beginning Verify and Repair transaction
2012-01-16 20:26:20, Info CSI 00000029 [SR] Verify complete
2012-01-16 20:26:21, Info CSI 0000002a [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:26:21, Info CSI 0000002b [SR] Beginning Verify and Repair transaction
2012-01-16 20:26:23, Info CSI 00000030 [SR] Verify complete
2012-01-16 20:26:23, Info CSI 00000031 [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:26:23, Info CSI 00000032 [SR] Beginning Verify and Repair transaction
2012-01-16 20:26:24, Info CSI 00000034 [SR] Verify complete
2012-01-16 20:26:25, Info CSI 00000035 [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:26:25, Info CSI 00000036 [SR] Beginning Verify and Repair transaction
2012-01-16 20:26:26, Info CSI 00000039 [SR] Verify complete
2012-01-16 20:26:26, Info CSI 0000003a [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:26:26, Info CSI 0000003b [SR] Beginning Verify and Repair transaction
2012-01-16 20:26:27, Info CSI 0000003d [SR] Verify complete
2012-01-16 20:26:27, Info CSI 0000003e [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:26:27, Info CSI 0000003f [SR] Beginning Verify and Repair transaction
2012-01-16 20:26:30, Info CSI 00000061 [SR] Verify complete
2012-01-16 20:26:30, Info CSI 00000062 [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:26:30, Info CSI 00000063 [SR] Beginning Verify and Repair transaction
2012-01-16 20:26:31, Info CSI 00000068 [SR] Verify complete
2012-01-16 20:26:31, Info CSI 00000069 [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:26:31, Info CSI 0000006a [SR] Beginning Verify and Repair transaction
2012-01-16 20:26:32, Info CSI 0000006c [SR] Verify complete
2012-01-16 20:26:32, Info CSI 0000006d [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:26:32, Info CSI 0000006e [SR] Beginning Verify and Repair transaction
2012-01-16 20:26:36, Info CSI 00000070 [SR] Verify complete
2012-01-16 20:26:36, Info CSI 00000071 [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:26:36, Info CSI 00000072 [SR] Beginning Verify and Repair transaction
2012-01-16 20:26:37, Info CSI 00000074 [SR] Verify complete
2012-01-16 20:26:37, Info CSI 00000075 [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:26:37, Info CSI 00000076 [SR] Beginning Verify and Repair transaction
2012-01-16 20:26:39, Info CSI 00000078 [SR] Verify complete
2012-01-16 20:26:40, Info CSI 00000079 [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:26:40, Info CSI 0000007a [SR] Beginning Verify and Repair transaction
2012-01-16 20:26:43, Info CSI 0000009d [SR] Verify complete
2012-01-16 20:26:43, Info CSI 0000009e [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:26:43, Info CSI 0000009f [SR] Beginning Verify and Repair transaction
2012-01-16 20:26:45, Info CSI 000000a1 [SR] Verify complete
2012-01-16 20:26:45, Info CSI 000000a2 [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:26:45, Info CSI 000000a3 [SR] Beginning Verify and Repair transaction
2012-01-16 20:26:50, Info CSI 000000a5 [SR] Verify complete
2012-01-16 20:26:50, Info CSI 000000a6 [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:26:50, Info CSI 000000a7 [SR] Beginning Verify and Repair transaction
2012-01-16 20:26:52, Info CSI 000000ab [SR] Verify complete
2012-01-16 20:26:52, Info CSI 000000ac [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:26:52, Info CSI 000000ad [SR] Beginning Verify and Repair transaction
2012-01-16 20:26:53, Info CSI 000000af [SR] Verify complete
2012-01-16 20:26:53, Info CSI 000000b0 [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:26:53, Info CSI 000000b1 [SR] Beginning Verify and Repair transaction
2012-01-16 20:26:53, Info CSI 000000b3 [SR] Verify complete
2012-01-16 20:26:53, Info CSI 000000b4 [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:26:53, Info CSI 000000b5 [SR] Beginning Verify and Repair transaction
2012-01-16 20:26:54, Info CSI 000000b7 [SR] Verify complete
2012-01-16 20:26:54, Info CSI 000000b8 [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:26:54, Info CSI 000000b9 [SR] Beginning Verify and Repair transaction
2012-01-16 20:26:58, Info CSI 000000cc [SR] Verify complete
2012-01-16 20:26:58, Info CSI 000000cd [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:26:58, Info CSI 000000ce [SR] Beginning Verify and Repair transaction
2012-01-16 20:26:59, Info CSI 000000d0 [SR] Verify complete
2012-01-16 20:26:59, Info CSI 000000d1 [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:26:59, Info CSI 000000d2 [SR] Beginning Verify and Repair transaction
2012-01-16 20:26:59, Info CSI 000000d4 [SR] Verify complete
2012-01-16 20:26:59, Info CSI 000000d5 [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:26:59, Info CSI 000000d6 [SR] Beginning Verify and Repair transaction
2012-01-16 20:27:00, Info CSI 000000d8 [SR] Verify complete
2012-01-16 20:27:00, Info CSI 000000d9 [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:27:00, Info CSI 000000da [SR] Beginning Verify and Repair transaction
2012-01-16 20:27:02, Info CSI 000000dc [SR] Verify complete
2012-01-16 20:27:02, Info CSI 000000dd [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:27:02, Info CSI 000000de [SR] Beginning Verify and Repair transaction
2012-01-16 20:27:04, Info CSI 000000e2 [SR] Verify complete
2012-01-16 20:27:04, Info CSI 000000e3 [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:27:04, Info CSI 000000e4 [SR] Beginning Verify and Repair transaction
2012-01-16 20:27:06, Info CSI 000000e6 [SR] Verify complete
2012-01-16 20:27:06, Info CSI 000000e7 [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:27:06, Info CSI 000000e8 [SR] Beginning Verify and Repair transaction
2012-01-16 20:27:06, Info CSI 000000ea [SR] Verify complete
2012-01-16 20:27:06, Info CSI 000000eb [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:27:06, Info CSI 000000ec [SR] Beginning Verify and Repair transaction
2012-01-16 20:27:07, Info CSI 000000ee [SR] Verify complete
2012-01-16 20:27:07, Info CSI 000000ef [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:27:07, Info CSI 000000f0 [SR] Beginning Verify and Repair transaction
2012-01-16 20:27:08, Info CSI 000000f2 [SR] Verify complete
2012-01-16 20:27:09, Info CSI 000000f3 [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:27:09, Info CSI 000000f4 [SR] Beginning Verify and Repair transaction
2012-01-16 20:27:10, Info CSI 000000f6 [SR] Verify complete
2012-01-16 20:27:10, Info CSI 000000f7 [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:27:10, Info CSI 000000f8 [SR] Beginning Verify and Repair transaction
2012-01-16 20:27:13, Info CSI 000000fa [SR] Verify complete
2012-01-16 20:27:13, Info CSI 000000fb [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:27:13, Info CSI 000000fc [SR] Beginning Verify and Repair transaction
2012-01-16 20:27:16, Info CSI 00000114 [SR] Verify complete
2012-01-16 20:27:16, Info CSI 00000115 [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:27:16, Info CSI 00000116 [SR] Beginning Verify and Repair transaction
2012-01-16 20:27:17, Info CSI 00000118 [SR] Verify complete
2012-01-16 20:27:17, Info CSI 00000119 [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:27:17, Info CSI 0000011a [SR] Beginning Verify and Repair transaction
2012-01-16 20:27:25, Info CSI 0000011c [SR] Verify complete
2012-01-16 20:27:25, Info CSI 0000011d [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:27:25, Info CSI 0000011e [SR] Beginning Verify and Repair transaction
2012-01-16 20:27:28, Info CSI 00000121 [SR] Verify complete
2012-01-16 20:27:28, Info CSI 00000122 [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:27:28, Info CSI 00000123 [SR] Beginning Verify and Repair transaction
2012-01-16 20:27:30, Info CSI 00000125 [SR] Verify complete
2012-01-16 20:27:30, Info CSI 00000126 [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:27:30, Info CSI 00000127 [SR] Beginning Verify and Repair transaction
2012-01-16 20:27:31, Info CSI 00000129 [SR] Verify complete
2012-01-16 20:27:31, Info CSI 0000012a [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:27:31, Info CSI 0000012b [SR] Beginning Verify and Repair transaction
2012-01-16 20:27:33, Info CSI 0000012d [SR] Verify complete
2012-01-16 20:27:33, Info CSI 0000012e [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:27:33, Info CSI 0000012f [SR] Beginning Verify and Repair transaction
2012-01-16 20:27:33, Info CSI 00000131 [SR] Verify complete
2012-01-16 20:27:34, Info CSI 00000132 [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:27:34, Info CSI 00000133 [SR] Beginning Verify and Repair transaction
2012-01-16 20:27:34, Info CSI 00000137 [SR] Verify complete
2012-01-16 20:27:34, Info CSI 00000138 [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:27:34, Info CSI 00000139 [SR] Beginning Verify and Repair transaction
2012-01-16 20:27:41, Info CSI 0000013b [SR] Verify complete
2012-01-16 20:27:41, Info CSI 0000013c [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:27:41, Info CSI 0000013d [SR] Beginning Verify and Repair transaction
2012-01-16 20:27:42, Info CSI 00000140 [SR] Verify complete
2012-01-16 20:27:42, Info CSI 00000141 [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:27:42, Info CSI 00000142 [SR] Beginning Verify and Repair transaction
2012-01-16 20:27:44, Info CSI 00000145 [SR] Verify complete
2012-01-16 20:27:44, Info CSI 00000146 [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:27:44, Info CSI 00000147 [SR] Beginning Verify and Repair transaction
2012-01-16 20:27:46, Info CSI 00000149 [SR] Verify complete
2012-01-16 20:27:46, Info CSI 0000014a [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:27:46, Info CSI 0000014b [SR] Beginning Verify and Repair transaction
2012-01-16 20:27:51, Info CSI 0000014e [SR] Verify complete
2012-01-16 20:27:51, Info CSI 0000014f [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:27:51, Info CSI 00000150 [SR] Beginning Verify and Repair transaction
2012-01-16 20:27:52, Info CSI 00000152 [SR] Verify complete
2012-01-16 20:27:52, Info CSI 00000153 [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:27:52, Info CSI 00000154 [SR] Beginning Verify and Repair transaction
2012-01-16 20:27:54, Info CSI 00000156 [SR] Verify complete
2012-01-16 20:27:54, Info CSI 00000157 [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:27:54, Info CSI 00000158 [SR] Beginning Verify and Repair transaction
2012-01-16 20:27:55, Info CSI 0000015a [SR] Verify complete
2012-01-16 20:27:55, Info CSI 0000015b [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:27:55, Info CSI 0000015c [SR] Beginning Verify and Repair transaction
2012-01-16 20:27:57, Info CSI 0000015f [SR] Verify complete
2012-01-16 20:27:57, Info CSI 00000160 [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:27:57, Info CSI 00000161 [SR] Beginning Verify and Repair transaction
2012-01-16 20:27:58, Info CSI 00000163 [SR] Verify complete
2012-01-16 20:27:58, Info CSI 00000164 [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:27:58, Info CSI 00000165 [SR] Beginning Verify and Repair transaction
2012-01-16 20:28:00, Info CSI 00000168 [SR] Verify complete
2012-01-16 20:28:00, Info CSI 00000169 [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:28:00, Info CSI 0000016a [SR] Beginning Verify and Repair transaction
2012-01-16 20:28:02, Info CSI 0000016c [SR] Verify complete
2012-01-16 20:28:02, Info CSI 0000016d [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:28:02, Info CSI 0000016e [SR] Beginning Verify and Repair transaction
2012-01-16 20:28:04, Info CSI 00000172 [SR] Verify complete
2012-01-16 20:28:04, Info CSI 00000173 [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:28:04, Info CSI 00000174 [SR] Beginning Verify and Repair transaction
2012-01-16 20:28:06, Info CSI 00000176 [SR] Verify complete
2012-01-16 20:28:06, Info CSI 00000177 [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:28:06, Info CSI 00000178 [SR] Beginning Verify and Repair transaction
2012-01-16 20:28:08, Info CSI 0000017b [SR] Verify complete
2012-01-16 20:28:08, Info CSI 0000017c [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:28:08, Info CSI 0000017d [SR] Beginning Verify and Repair transaction
2012-01-16 20:28:09, Info CSI 0000017f [SR] Verify complete
2012-01-16 20:28:09, Info CSI 00000180 [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:28:09, Info CSI 00000181 [SR] Beginning Verify and Repair transaction
2012-01-16 20:28:09, Info CSI 00000183 [SR] Verify complete
2012-01-16 20:28:09, Info CSI 00000184 [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:28:09, Info CSI 00000185 [SR] Beginning Verify and Repair transaction
2012-01-16 20:28:11, Info CSI 00000187 [SR] Verify complete
2012-01-16 20:28:11, Info CSI 00000188 [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:28:11, Info CSI 00000189 [SR] Beginning Verify and Repair transaction
2012-01-16 20:28:15, Info CSI 0000018b [SR] Verify complete
2012-01-16 20:28:15, Info CSI 0000018c [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:28:15, Info CSI 0000018d [SR] Beginning Verify and Repair transaction
2012-01-16 20:28:16, Info CSI 0000018f [SR] Verify complete
2012-01-16 20:28:16, Info CSI 00000190 [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:28:16, Info CSI 00000191 [SR] Beginning Verify and Repair transaction
2012-01-16 20:28:17, Info CSI 00000193 [SR] Verify complete
2012-01-16 20:28:17, Info CSI 00000194 [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:28:17, Info CSI 00000195 [SR] Beginning Verify and Repair transaction
2012-01-16 20:28:18, Info CSI 00000197 [SR] Verify complete
2012-01-16 20:28:18, Info CSI 00000198 [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:28:18, Info CSI 00000199 [SR] Beginning Verify and Repair transaction
2012-01-16 20:28:22, Info CSI 0000019b [SR] Verify complete
2012-01-16 20:28:22, Info CSI 0000019c [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:28:22, Info CSI 0000019d [SR] Beginning Verify and Repair transaction
2012-01-16 20:28:26, Info CSI 0000019f [SR] Verify complete
2012-01-16 20:28:26, Info CSI 000001a0 [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:28:26, Info CSI 000001a1 [SR] Beginning Verify and Repair transaction
2012-01-16 20:28:27, Info CSI 000001a3 [SR] Verify complete
2012-01-16 20:28:27, Info CSI 000001a4 [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:28:27, Info CSI 000001a5 [SR] Beginning Verify and Repair transaction
2012-01-16 20:28:28, Info CSI 000001a7 [SR] Verify complete
2012-01-16 20:28:28, Info CSI 000001a8 [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:28:28, Info CSI 000001a9 [SR] Beginning Verify and Repair transaction
2012-01-16 20:28:29, Info CSI 000001ab [SR] Verify complete
2012-01-16 20:28:29, Info CSI 000001ac [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:28:29, Info CSI 000001ad [SR] Beginning Verify and Repair transaction
2012-01-16 20:28:29, Info CSI 000001af [SR] Verify complete
2012-01-16 20:28:29, Info CSI 000001b0 [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:28:29, Info CSI 000001b1 [SR] Beginning Verify and Repair transaction
2012-01-16 20:28:30, Info CSI 000001b3 [SR] Verify complete
2012-01-16 20:28:30, Info CSI 000001b4 [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:28:30, Info CSI 000001b5 [SR] Beginning Verify and Repair transaction
2012-01-16 20:28:32, Info CSI 000001bd [SR] Verify complete
2012-01-16 20:28:33, Info CSI 000001be [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:28:33, Info CSI 000001bf [SR] Beginning Verify and Repair transaction
2012-01-16 20:28:33, Info CSI 000001c1 [SR] Verify complete
2012-01-16 20:28:33, Info CSI 000001c2 [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:28:33, Info CSI 000001c3 [SR] Beginning Verify and Repair transaction
2012-01-16 20:28:34, Info CSI 000001c5 [SR] Verify complete
2012-01-16 20:28:34, Info CSI 000001c6 [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:28:34, Info CSI 000001c7 [SR] Beginning Verify and Repair transaction
2012-01-16 20:28:35, Info CSI 000001c9 [SR] Verify complete
2012-01-16 20:28:35, Info CSI 000001ca [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:28:35, Info CSI 000001cb [SR] Beginning Verify and Repair transaction
2012-01-16 20:28:36, Info CSI 000001cd [SR] Verify complete
2012-01-16 20:28:36, Info CSI 000001ce [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:28:36, Info CSI 000001cf [SR] Beginning Verify and Repair transaction
2012-01-16 20:28:38, Info CSI 000001d2 [SR] Verify complete
2012-01-16 20:28:38, Info CSI 000001d3 [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:28:38, Info CSI 000001d4 [SR] Beginning Verify and Repair transaction
2012-01-16 20:28:40, Info CSI 000001d6 [SR] Verify complete
2012-01-16 20:28:40, Info CSI 000001d7 [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:28:40, Info CSI 000001d8 [SR] Beginning Verify and Repair transaction
2012-01-16 20:28:40, Info CSI 000001da [SR] Verify complete
2012-01-16 20:28:40, Info CSI 000001db [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:28:40, Info CSI 000001dc [SR] Beginning Verify and Repair transaction
2012-01-16 20:28:43, Info CSI 000001df [SR] Verify complete
2012-01-16 20:28:43, Info CSI 000001e0 [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:28:43, Info CSI 000001e1 [SR] Beginning Verify and Repair transaction
2012-01-16 20:28:46, Info CSI 000001e6 [SR] Verify complete
2012-01-16 20:28:46, Info CSI 000001e7 [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:28:46, Info CSI 000001e8 [SR] Beginning Verify and Repair transaction
2012-01-16 20:28:48, Info CSI 000001ec [SR] Verify complete
2012-01-16 20:28:48, Info CSI 000001ed [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:28:48, Info CSI 000001ee [SR] Beginning Verify and Repair transaction
2012-01-16 20:28:50, Info CSI 000001f6 [SR] Verify complete
2012-01-16 20:28:50, Info CSI 000001f7 [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:28:50, Info CSI 000001f8 [SR] Beginning Verify and Repair transaction
2012-01-16 20:28:54, Info CSI 000001ff [SR] Verify complete
2012-01-16 20:28:54, Info CSI 00000200 [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:28:54, Info CSI 00000201 [SR] Beginning Verify and Repair transaction
2012-01-16 20:28:55, Info CSI 00000206 [SR] Verify complete
2012-01-16 20:28:55, Info CSI 00000207 [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:28:55, Info CSI 00000208 [SR] Beginning Verify and Repair transaction
2012-01-16 20:28:56, Info CSI 0000020c [SR] Verify complete
2012-01-16 20:28:56, Info CSI 0000020d [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:28:56, Info CSI 0000020e [SR] Beginning Verify and Repair transaction
2012-01-16 20:28:57, Info CSI 00000210 [SR] Verify complete
2012-01-16 20:28:57, Info CSI 00000211 [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:28:57, Info CSI 00000212 [SR] Beginning Verify and Repair transaction
2012-01-16 20:29:00, Info CSI 00000237 [SR] Verify complete
2012-01-16 20:29:00, Info CSI 00000238 [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:29:00, Info CSI 00000239 [SR] Beginning Verify and Repair transaction
2012-01-16 20:29:01, Info CSI 0000023b [SR] Verify complete
2012-01-16 20:29:01, Info CSI 0000023c [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:29:01, Info CSI 0000023d [SR] Beginning Verify and Repair transaction
2012-01-16 20:29:04, Info CSI 0000023f [SR] Verify complete
2012-01-16 20:29:04, Info CSI 00000240 [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:29:04, Info CSI 00000241 [SR] Beginning Verify and Repair transaction
2012-01-16 20:29:04, Info CSI 00000243 [SR] Verify complete
2012-01-16 20:29:05, Info CSI 00000244 [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:29:05, Info CSI 00000245 [SR] Beginning Verify and Repair transaction
2012-01-16 20:29:05, Info CSI 00000253 [SR] Verify complete
2012-01-16 20:29:05, Info CSI 00000254 [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:29:05, Info CSI 00000255 [SR] Beginning Verify and Repair transaction
2012-01-16 20:29:07, Info CSI 00000257 [SR] Verify complete
2012-01-16 20:29:07, Info CSI 00000258 [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:29:07, Info CSI 00000259 [SR] Beginning Verify and Repair transaction
2012-01-16 20:29:10, Info CSI 00000267 [SR] Verify complete
2012-01-16 20:29:10, Info CSI 00000268 [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:29:10, Info CSI 00000269 [SR] Beginning Verify and Repair transaction
2012-01-16 20:29:10, Info CSI 0000026b [SR] Verify complete
2012-01-16 20:29:10, Info CSI 0000026c [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:29:10, Info CSI 0000026d [SR] Beginning Verify and Repair transaction
2012-01-16 20:29:12, Info CSI 0000026f [SR] Verify complete
2012-01-16 20:29:12, Info CSI 00000270 [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:29:12, Info CSI 00000271 [SR] Beginning Verify and Repair transaction
2012-01-16 20:29:15, Info CSI 00000274 [SR] Verify complete
2012-01-16 20:29:15, Info CSI 00000275 [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:29:15, Info CSI 00000276 [SR] Beginning Verify and Repair transaction
2012-01-16 20:29:15, Info CSI 00000278 [SR] Verify complete
2012-01-16 20:29:15, Info CSI 00000279 [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:29:15, Info CSI 0000027a [SR] Beginning Verify and Repair transaction
2012-01-16 20:29:16, Info CSI 0000027c [SR] Verify complete
2012-01-16 20:29:16, Info CSI 0000027d [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:29:16, Info CSI 0000027e [SR] Beginning Verify and Repair transaction
2012-01-16 20:29:19, Info CSI 00000280 [SR] Verify complete
2012-01-16 20:29:19, Info CSI 00000281 [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:29:19, Info CSI 00000282 [SR] Beginning Verify and Repair transaction
2012-01-16 20:29:21, Info CSI 0000028d [SR] Verify complete
2012-01-16 20:29:21, Info CSI 0000028e [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:29:21, Info CSI 0000028f [SR] Beginning Verify and Repair transaction
2012-01-16 20:29:23, Info CSI 000002a0 [SR] Verify complete
2012-01-16 20:29:23, Info CSI 000002a1 [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:29:23, Info CSI 000002a2 [SR] Beginning Verify and Repair transaction
2012-01-16 20:29:30, Info CSI 000002a4 [SR] Verify complete
2012-01-16 20:29:30, Info CSI 000002a5 [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:29:30, Info CSI 000002a6 [SR] Beginning Verify and Repair transaction
2012-01-16 20:29:31, Info CSI 000002a8 [SR] Verify complete
2012-01-16 20:29:31, Info CSI 000002a9 [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:29:31, Info CSI 000002aa [SR] Beginning Verify and Repair transaction
2012-01-16 20:29:32, Info CSI 000002ad [SR] Verify complete
2012-01-16 20:29:32, Info CSI 000002ae [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:29:32, Info CSI 000002af [SR] Beginning Verify and Repair transaction
2012-01-16 20:29:32, Info CSI 000002b2 [SR] Verify complete
2012-01-16 20:29:33, Info CSI 000002b3 [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:29:33, Info CSI 000002b4 [SR] Beginning Verify and Repair transaction
2012-01-16 20:29:33, Info CSI 000002b6 [SR] Verify complete
2012-01-16 20:29:34, Info CSI 000002b7 [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:29:34, Info CSI 000002b8 [SR] Beginning Verify and Repair transaction
2012-01-16 20:29:35, Info CSI 000002ba [SR] Verify complete
2012-01-16 20:29:35, Info CSI 000002bb [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:29:35, Info CSI 000002bc [SR] Beginning Verify and Repair transaction
2012-01-16 20:29:36, Info CSI 000002bf [SR] Verify complete
2012-01-16 20:29:36, Info CSI 000002c0 [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:29:36, Info CSI 000002c1 [SR] Beginning Verify and Repair transaction
2012-01-16 20:29:37, Info CSI 000002c3 [SR] Verify complete
2012-01-16 20:29:37, Info CSI 000002c4 [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:29:37, Info CSI 000002c5 [SR] Beginning Verify and Repair transaction
2012-01-16 20:29:38, Info CSI 000002c7 [SR] Verify complete
2012-01-16 20:29:38, Info CSI 000002c8 [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:29:38, Info CSI 000002c9 [SR] Beginning Verify and Repair transaction
2012-01-16 20:29:39, Info CSI 000002cb [SR] Verify complete
2012-01-16 20:29:39, Info CSI 000002cc [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:29:39, Info CSI 000002cd [SR] Beginning Verify and Repair transaction
2012-01-16 20:29:40, Info CSI 000002d0 [SR] Verify complete
2012-01-16 20:29:40, Info CSI 000002d1 [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:29:40, Info CSI 000002d2 [SR] Beginning Verify and Repair transaction
2012-01-16 20:29:41, Info CSI 000002d4 [SR] Verify complete
2012-01-16 20:29:41, Info CSI 000002d5 [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:29:41, Info CSI 000002d6 [SR] Beginning Verify and Repair transaction
2012-01-16 20:29:43, Info CSI 000002d8 [SR] Verify complete
2012-01-16 20:29:43, Info CSI 000002d9 [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:29:43, Info CSI 000002da [SR] Beginning Verify and Repair transaction
2012-01-16 20:29:44, Info CSI 000002dc [SR] Verify complete
2012-01-16 20:29:44, Info CSI 000002dd [SR] Verifying 100 (0x0000000000000064) components
2012-01-16 20:29:44, Info CSI 000002de [SR] Beginning Verify and Repair transaction
2012-01-16 20:29:46, Info CSI 000002e0 [SR] Verify complete
2012-01-16 20:29:46, Info CSI 000002e1 [SR] Verifying 41 (0x0000000000000029) components
2012-01-16 20:29:46, Info CSI 000002e2 [SR] Beginning Verify and Repair transaction
2012-01-16 20:29:46, Info CSI 000002e4 [SR] Verify complete
2012-01-16 20:29:46, Info CSI 000002e5 [SR] Repairing 0 components
2012-01-16 20:29:46, Info CSI 000002e6 [SR] Beginning Verify and Repair transaction
2012-01-16 20:29:46, Info CSI 000002e8 [SR] Repair complete
  • 0

#45
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,598 posts
  • MVP
This SFC seems to have worked OK.

Are your 17 PCs part of a domain?
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP