
Infection: "system-check.com" [Solved]


  • This topic is locked
133 replies to this topic

#46 Dean N
Authentic Member
  • 152 posts

Posted 02 January 2012 - 08:33 PM

Newest installment:


2012-01-02-21:09:56

using tdl_delete_sda.bin

Model: ATA HTS721010G9SA00 (scsi)
Disk /dev/sda: 100GB
Sector size (logical/physical): 512B/512B
Partition Table: msdos

Number Start End Size Type File system Flags
1 1049kB 95.6GB 95.6GB primary ntfs boot
2 95.6GB 100GB 4443MB primary ntfs
3 100GB 100GB 1327kB primary ntfs hidden

Hidden partition found on sda
sda3 is hidden
Deleting partition 3 on drive sda

Model: ATA HTS721010G9SA00 (scsi)
Disk /dev/sda: 100GB
Sector size (logical/physical): 512B/512B
Partition Table: msdos

Number Start End Size Type File system Flags
1 1049kB 95.6GB 95.6GB primary ntfs boot
2 95.6GB 100GB 4443MB primary ntfs

No hidden partition on sdb





aswMBR version 0.9.9.1124 Copyright© 2011 AVAST Software
Run date: 2012-01-02 21:20:46
-----------------------------
21:20:46.421 OS Version: Windows 5.1.2600 Service Pack 3
21:20:46.421 Number of processors: 2 586 0xF06
21:20:46.421 ComputerName: D2 UserName:
21:20:56.421 Initialize success
21:24:09.671 AVAST engine defs: 12010201
21:24:34.921 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
21:24:34.921 Disk 0 Vendor: HTS72101 MCZI Size: 95396MB BusType: 3
21:24:34.937 Disk 0 MBR read successfully
21:24:34.953 Disk 0 MBR scan
21:24:34.968 Disk 0 Windows VISTA default MBR code
21:24:34.984 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 91157 MB offset 2048
21:24:35.015 Disk 0 Partition 2 00 13 NTFS 4237 MB offset 186691584
21:24:35.031 Disk 0 scanning sectors +195368960
21:24:35.078 Disk 0 scanning C:\WINDOWS\system32\drivers
21:24:42.625 Service scanning
21:24:43.890 Modules scanning
21:24:51.359 Disk 0 trace - called modules:
21:24:51.390 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll iaStor.sys
21:24:51.390 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8af30ab8]
21:24:51.406 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\00000087[0x8af3b910]
21:24:51.406 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x8af1e030]
21:24:51.906 AVAST engine scan C:\WINDOWS
21:24:54.453 AVAST engine scan C:\WINDOWS\system32
21:26:01.671 AVAST engine scan C:\WINDOWS\system32\drivers
21:26:08.562 AVAST engine scan C:\Documents and Settings\Dean Nicholson
21:27:05.609 AVAST engine scan C:\Documents and Settings\All Users
21:27:07.890 File: C:\Documents and Settings\All Users\Documents\19792079 **INFECTED** Win32:Kryptik-GHE [Trj]
21:27:08.531 Scan finished successfully
21:30:32.984 Disk 0 MBR has been saved successfully to "E:\MBR.dat"
21:30:33.000 The log file has been saved successfully to "E:\aswMBR4.txt"
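The tdl_delete run above found the bootkit's private volume the same way aswMBR's "scanning sectors +195368960" line points at it: a tiny third primary partition, flagged hidden, packed against the end of the disk. The following is an added example, not code from the thread or from the tdl_delete/aswMBR tools, of parsing a raw 512-byte MBR and applying those two heuristics (hidden partition-type ID, and a small entry ending in the last megabyte of the disk). The sample MBR is constructed from the LBA figures in the parted and aswMBR logs; the type byte 0x17 for the hidden partition and the total disk size of 195371568 sectors are assumptions made for the example.

```python
"""Parse an MBR partition table and flag hidden or suspicious trailing partitions.

Added example (not code from the thread or from the tdl_delete/aswMBR tools).
The sample MBR below is constructed to mirror the parted layout posted above:
three primary partitions, the third a tiny hidden NTFS volume at the end of
the disk. Partition type 0x17 for it and the total disk size are assumptions.
"""
import struct

SECTOR = 512
MBR_SIZE = 512
PT_OFFSET = 446           # partition table starts at byte 446 of the MBR
ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIG = b"\x55\xAA"

# Partition type IDs that mark a volume "hidden" (Windows does not mount them).
HIDDEN_TYPES = {
    0x11: "hidden FAT12", 0x14: "hidden FAT16 <32M", 0x16: "hidden FAT16",
    0x17: "hidden HPFS/NTFS", 0x1B: "hidden FAT32", 0x1C: "hidden FAT32 (LBA)",
    0x1E: "hidden FAT16 (LBA)",
}
# A bootkit's private filesystem is small; anything under this is worth a look.
SMALL_PARTITION_BYTES = 16 * 1024 * 1024
# How close to the end of the disk an entry must end to count as "trailing".
TAIL_SLACK_SECTORS = 2048   # 1 MiB


def parse_mbr(mbr: bytes):
    """Return the non-empty partition entries of a 512-byte MBR."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if mbr[510:512] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        status, _chs0, ptype, _chs1, lba_start, sectors = struct.unpack_from(
            ENTRY_FMT, mbr, PT_OFFSET + 16 * i)
        if ptype == 0 and sectors == 0:
            continue                      # empty slot
        entries.append({
            "index": i + 1,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
            "size_bytes": sectors * SECTOR,
        })
    return entries


def find_suspicious(entries, disk_sectors):
    """Map partition index -> list of reasons for entries that deserve a look."""
    findings = {}
    for e in entries:
        reasons = []
        end = e["lba_start"] + e["sectors"]
        if e["type"] in HIDDEN_TYPES:
            reasons.append(f"hidden type 0x{e['type']:02X} ({HIDDEN_TYPES[e['type']]})")
        if e["size_bytes"] < SMALL_PARTITION_BYTES and disk_sectors - end < TAIL_SLACK_SECTORS:
            reasons.append(f"tiny ({e['size_bytes']} bytes) and packed against the end of the disk")
        if end > disk_sectors:
            reasons.append("extends past the end of the disk")
        if reasons:
            findings[e["index"]] = reasons
    return findings


def _entry(status, ptype, lba_start, sectors):
    return struct.pack(ENTRY_FMT, status, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)


# Constructed sample: boot code zeroed; geometry taken from the parted/aswMBR
# output in the thread (2048 + 186689536 = 186691584, 186691584 + 8677376 =
# 195368960). Type 0x17 for the hidden partition and a disk of 195371568
# sectors are assumptions for the example.
SAMPLE_DISK_SECTORS = 195371568
SAMPLE_MBR = (
    b"\0" * PT_OFFSET
    + _entry(0x80, 0x07, 2048, 186689536)       # 1: NTFS, boot flag, 95.6 GB
    + _entry(0x00, 0x07, 186691584, 8677376)    # 2: NTFS, 4.4 GB
    + _entry(0x00, 0x17, 195368960, 2592)       # 3: hidden NTFS, 1.3 MB
    + b"\0" * 16                                 # 4: empty slot
    + BOOT_SIG
)

if __name__ == "__main__":
    parts = parse_mbr(SAMPLE_MBR)
    for p in parts:
        print(f"{p['index']}: type 0x{p['type']:02X} start {p['lba_start']} "
              f"sectors {p['sectors']} boot={p['bootable']}")
    for idx, why in find_suspicious(parts, SAMPLE_DISK_SECTORS).items():
        print(f"partition {idx}: " + "; ".join(why))
```

On a real disk you would read the first 512 bytes of the physical device (not a volume) into `parse_mbr`. Note the caveat the thread itself illustrates: the heuristics only look at the partition table, so a bootkit that keeps its payload in unpartitioned slack rather than a table entry, or one that hooks the disk driver to hide the entry from the running OS, has to be caught from an offline boot, which is why the tdl_delete pass was run outside Windows.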



#47 ken545
Forum God
  • Retired Classroom Teacher
  • 23,225 posts
  • Interests: Fighting Malware and cooking some great Italian and TexMex food
  • MVP
  • MVP

Posted 02 January 2012 - 08:37 PM

We're getting there, slowly but surely.

Plug this into System Look

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    winlogon.exe
    svchost.exe
    explorer.exe
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

 
 
The forum is staffed by volunteers who donate their time and expertise.
If you feel you have been helped, please consider a donation.
donate.gif
 
Find us on Facebook
Please LIKE and SHARE
 
 
Just a reminder that threads will be closed if no reply in 3 days.

#48 Dean N
Authentic Member
  • 152 posts

Posted 02 January 2012 - 08:45 PM

SystemLook 30.07.11 by jpshortstuff
Log created at 21:43 on 02/01/2012 by Dean Nicholson
Administrator - Elevation successful

========== filefind ==========

Searching for "winlogon.exe"
C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe --a---- 182856 bytes [03:32 28/12/2011] [22:50 24/12/2011] B382935AB01B27D0E14F267DBF288896
C:\WINDOWS\ERDNT\cache\winlogon.exe --a---- 507904 bytes [17:03 30/12/2011] [17:00 21/08/2008] ED0EF0A136DEC83DF69F04118870003E
C:\WINDOWS\system32\winlogon.exe --a---- 545280 bytes [18:15 30/08/2010] [17:00 21/08/2008] 1300F6682BEA386767AE2A7C6C2DDCA7

Searching for "svchost.exe"
C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\svchost.exe --a---- 182856 bytes [03:32 28/12/2011] [22:50 24/12/2011] B382935AB01B27D0E14F267DBF288896
C:\WINDOWS\ERDNT\cache\svchost.exe --a---- 14336 bytes [17:03 30/12/2011] [17:00 21/08/2008] 27C6D03BCDB8CFEB96B716F3D8BE3E18
C:\WINDOWS\system32\svchost.exe --a---- 39936 bytes [18:15 30/08/2010] [17:00 21/08/2008] ECD453C1AD7D2FF9448C24A65642FE17

Searching for "explorer.exe"
C:\WINDOWS\explorer.exe --a---- 1058816 bytes [18:15 30/08/2010] [00:42 03/01/2012] F92D05B1C0DE946CF66B11479247FBDE
C:\WINDOWS\ERDNT\cache\explorer.exe --a---- 1033728 bytes [17:03 30/12/2011] [17:00 21/08/2008] 12896823FB95BFB3DC9B46BCAEDC9923

-= EOF =-
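The point of the :filefind above is a comparison: for each system binary, the live copy in \WINDOWS or \WINDOWS\system32 is set beside the copy ERUNT saved in \WINDOWS\ERDNT\cache, and a differing size or MD5 with no version change is how the patched winlogon.exe, svchost.exe and explorer.exe were spotted (ComboFix's Sigcheck section later in the thread reaches the same verdict and restores from the same cache). The following is an added example, not code from the thread or from SystemLook or ComboFix, that automates that comparison over SystemLook output. It uses the log posted above as its sample input and makes two assumptions that the code comments repeat: the ERDNT\cache copies are the trusted reference, and Malwarebytes' Chameleon folder is skipped because its same-named files are legitimate decoy copies of another program, not Windows binaries.

```python
"""Cross-check same-named Windows binaries against a trusted backup copy.

Added example, not code from the thread or from SystemLook/ComboFix. It parses
SystemLook ":filefind" output, treats the ERDNT\cache copies (ERUNT's backup
folder, which ComboFix also restored from) as the reference, and reports live
copies in \windows and \windows\system32 whose size or MD5 differs.
Assumptions: the ERDNT\cache copies are clean, and Malwarebytes' Chameleon
decoys are skipped because they are unrelated files that merely share the name.
"""
import re
from collections import defaultdict

# One SystemLook result line: path, attribute flags, size, two timestamps, MD5.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<attrs>[-a-zA-Z]{7})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<ts1>[^\]]+)\]\s+\[(?P<ts2>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)

REFERENCE_DIR = r"\windows\erdnt\cache"            # assumed-clean backup copies
LIVE_DIRS = (r"\windows\system32", r"\windows")    # where the running OS loads from
IGNORE_DIRS = (r"\program files\malwarebytes' anti-malware\chameleon",)

# Sample input: the SystemLook log posted in the thread, reflowed one entry per line.
SYSTEMLOOK_LOG = r"""
SystemLook 30.07.11 by jpshortstuff
========== filefind ==========
Searching for "winlogon.exe"
C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe --a---- 182856 bytes [03:32 28/12/2011] [22:50 24/12/2011] B382935AB01B27D0E14F267DBF288896
C:\WINDOWS\ERDNT\cache\winlogon.exe --a---- 507904 bytes [17:03 30/12/2011] [17:00 21/08/2008] ED0EF0A136DEC83DF69F04118870003E
C:\WINDOWS\system32\winlogon.exe --a---- 545280 bytes [18:15 30/08/2010] [17:00 21/08/2008] 1300F6682BEA386767AE2A7C6C2DDCA7
Searching for "svchost.exe"
C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\svchost.exe --a---- 182856 bytes [03:32 28/12/2011] [22:50 24/12/2011] B382935AB01B27D0E14F267DBF288896
C:\WINDOWS\ERDNT\cache\svchost.exe --a---- 14336 bytes [17:03 30/12/2011] [17:00 21/08/2008] 27C6D03BCDB8CFEB96B716F3D8BE3E18
C:\WINDOWS\system32\svchost.exe --a---- 39936 bytes [18:15 30/08/2010] [17:00 21/08/2008] ECD453C1AD7D2FF9448C24A65642FE17
Searching for "explorer.exe"
C:\WINDOWS\explorer.exe --a---- 1058816 bytes [18:15 30/08/2010] [00:42 03/01/2012] F92D05B1C0DE946CF66B11479247FBDE
C:\WINDOWS\ERDNT\cache\explorer.exe --a---- 1033728 bytes [17:03 30/12/2011] [17:00 21/08/2008] 12896823FB95BFB3DC9B46BCAEDC9923
-= EOF =-
"""


def parse_systemlook(text):
    """Return one record per file line; header, 'Searching for' and EOF lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        path = m.group("path")
        folder, name = path.rsplit("\\", 1)
        records.append({
            "path": path, "dir": folder.lower(), "name": name.lower(),
            "size": int(m.group("size")), "md5": m.group("md5").upper(),
            "timestamps": (m.group("ts1"), m.group("ts2")),
        })
    return records


def audit(text):
    """Compare each live copy with the reference copy of the same name."""
    by_name = defaultdict(list)
    for rec in parse_systemlook(text):
        by_name[rec["name"]].append(rec)
    findings = []
    for name in sorted(by_name):
        recs = by_name[name]
        ref = next((r for r in recs if r["dir"].endswith(REFERENCE_DIR)), None)
        for r in recs:
            if r["dir"].endswith(IGNORE_DIRS) or not r["dir"].endswith(LIVE_DIRS):
                continue
            if ref is None:
                status, detail = "NO REFERENCE", "no backup copy to compare against"
            elif r["md5"] == ref["md5"] and r["size"] == ref["size"]:
                status, detail = "match", "identical to backup copy"
            else:
                status = "MISMATCH"
                detail = (f"size {r['size']} vs backup {ref['size']}, "
                          f"md5 {r['md5']} vs {ref['md5']}")
            findings.append({"name": name, "path": r["path"], "status": status, "detail": detail})
    return findings


def mismatched_names(findings):
    return sorted({f["name"] for f in findings if f["status"] == "MISMATCH"})


if __name__ == "__main__":
    for f in audit(SYSTEMLOOK_LOG):
        print(f"{f['status']:12} {f['path']}  ({f['detail']})")
```

A mismatch against a backup only proves the two copies differ; a hotfix would do the same. What makes these three conclusive is the detail ComboFix's Sigcheck adds later in the thread: the live and cached copies carry the same file version (5.1.2600.5512 / 6.00.2900.5512) yet differ in size, which a legitimate update does not produce. The reference is also only as trustworthy as its provenance, which is why the helper next asks for the wildcard search (`winlogon.*` etc.) to turn up further copies to corroborate against.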

#49 ken545
Forum God
  • Retired Classroom Teacher
  • 23,225 posts
  • Interests: Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 03 January 2012 - 03:14 AM

Do you have your Windows XP disk?

Make sure you're running ComboFix from your desktop.



Backup Your Registry with ERUNT:
  • Download erunt.zip to your Desktop from here:
    http://aumha.org/downloads/erunt.zip
  • Right-click erunt.zip, select Extract All... and follow the prompts to extract ERUNT to a new folder on your Desktop
  • Inside the new folder, double-click ERUNT.exe to start the program
  • OK all the prompts to back up your registry to the default location.
Note: to restore your registry, go to the backup folder and start ERDNT.exe





Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad). Copy all the text inside the codebox by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before and above Services::


Services::
B

NetSvc::
B

File::
C:\Documents and Settings\All Users\Documents\19792079
globalroot\Device\HarddiskVolume1\DOCUME~1\DEANNI~1\LOCALS~1\Temp\B.tmp

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\B]
[-HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\B]
[-HKEY_LOCAL_MACHINE\System\ControlSet002\Services\B]

Save this as CFScript to your desktop.

Then drag the CFScript onto ComboFix.exe as you see in the screenshot below.

[screenshot]


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.



Then plug these into System Look
:filefind
winlogon.*
svchost.*
explorer.*


 
 

#50 Dean N
Authentic Member
  • 152 posts

Posted 03 January 2012 - 10:56 AM

I've been running some of the downloads from My Documents because the desktop has been hijacked and hidden, and I haven't been able to find and fix the setting for it. (I did manage to find the setting and unhide My Documents.) I'm going to run ERUNT from the desktop in safe mode. Hopefully my non-use of the Desktop hasn't been confusing you... :smack: ERUNT ran just fine. ComboFix is currently running from the desktop and taking quite a while... is it OK to run all programs from here on out from the desktop (if needed) in safe mode if I cannot access the desktop in regular mode?

Edited by Dean N, 03 January 2012 - 11:00 AM.


#51 ken545
Forum God
  • Retired Classroom Teacher
  • 23,225 posts
  • Interests: Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 03 January 2012 - 11:48 AM

You can try running this Unhide program and see if things show up.

UNHIDE

My Documents is fine if that's all you can do at this point.

The files I want you to check with SystemLook: they're infected, and the folder they're being backed up from is infected as well. Running them with the wildcard switch may show other locations that we can possibly replace them from.


Some of the files that ESET found are a replicating virus; let's run ESET again and make sure they're gone.


ESET Online Scanner
I'd like us to scan your machine with ESET OnlineScan

*Note
It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.



  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [image] icon on your desktop.
  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Check [image]
  • Make sure that the option "Remove found threats" is Unchecked
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [image] button.
  • Push [image]
Please make sure you include the following items in your next post:
The log that was produced after running ESET Online Scanner.

 
 

#52 Dean N
Authentic Member
  • 152 posts

Posted 03 January 2012 - 12:11 PM

ComboFix is.... still going.... Do you still want the report? Or should I just go ahead with the post #51 instructions (when ComboFix has finished)? (Or both?)

Edited by Dean N, 03 January 2012 - 12:12 PM.


#53 Dean N
Authentic Member
  • 152 posts

Posted 03 January 2012 - 12:21 PM

ComboFix just finished up:

ComboFix 12-01-03.04 - Administrator 01/03/2012 11:41:39.6.2 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2791 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
.
FILE ::
"c:\documents and settings\All Users\Documents\19792079"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\~Igkq6wYuojMmGl
c:\documents and settings\All Users\Application Data\~Igkq6wYuojMmGlr
c:\documents and settings\All Users\Application Data\ewsvtVHncw.exe
c:\documents and settings\All Users\Application Data\f56f1hy858p5rr11174acxm00vdv766cc8x6
c:\documents and settings\All Users\Application Data\griuaaa.tmp
c:\documents and settings\All Users\Application Data\icbuaaa.tmp
c:\documents and settings\All Users\Application Data\Igkq6wYuojMmGl
c:\documents and settings\All Users\Application Data\Igkq6wYuojMmGl.exe
c:\documents and settings\All Users\Application Data\jcbuaaa.tmp
c:\documents and settings\All Users\Application Data\jriuaaa.tmp
c:\documents and settings\All Users\Application Data\kriuaaa.tmp
c:\documents and settings\All Users\Application Data\mcbuaaa.tmp
c:\documents and settings\All Users\Application Data\qekuaaa.tmp
c:\documents and settings\All Users\Application Data\rekuaaa.tmp
c:\documents and settings\All Users\Application Data\sekuaaa.tmp
c:\documents and settings\All Users\Application Data\uekuaaa.tmp
c:\windows\system32\config\systemprofile\Local Settings\Application Data\7272e1c7366f4418.exe
c:\windows\system32\config\systemprofile\Local Settings\Application Data\atm.exe
c:\windows\system32\config\systemprofile\Templates\f56f1hy858p5rr11174acxm00vdv766cc8x6
c:\windows\system32\drivers\e59bfa443ffcd009.sys
.
Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\winlogon.exe
.
Infected copy of c:\windows\system32\svchost.exe was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\svchost.exe
.
c:\windows\explorer.exe . . . is infected!!
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_e59bfa443ffcd009
-------\Service_e59bfa443ffcd009
.
.
((((((((((((((((((((((((( Files Created from 2011-12-03 to 2012-01-03 )))))))))))))))))))))))))))))))
.
.
2012-01-02 22:55 . 2012-01-01 17:17 4702720 ---ha-w- C:\aswMBR.exe
2012-01-01 03:06 . 2012-01-01 03:06 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2012-01-01 03:06 . 2012-01-01 03:06 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2012-01-01 00:31 . 2012-01-01 00:31 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2012-01-01 00:29 . 2012-01-01 00:29 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2011-12-30 19:28 . 2011-12-30 19:28 -------- d--h--w- c:\program files\ESET
2011-12-30 12:21 . 2012-01-01 06:39 -------- d--h--w- c:\windows\system32\LogFiles
2011-12-30 01:16 . 2011-12-30 01:16 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-12-21 00:36 . 2011-12-29 01:52 -------- d--h--w- c:\documents and settings\Dean Nicholson\Application Data\Skype
2011-12-21 00:36 . 2011-12-29 01:52 -------- d--h--w- c:\documents and settings\All Users\Application Data\Skype
2011-12-18 21:32 . 2011-12-18 21:32 -------- d--h--w- c:\documents and settings\Dean Nicholson\Application Data\Yahoo!
2011-12-18 21:29 . 2011-12-23 05:00 -------- d--h--w- c:\program files\Yahoo!
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-03 00:42 . 2010-08-30 18:15 1058816 ---ha-w- c:\windows\explorer.exe
2011-12-28 00:19 . 2011-07-01 01:56 414368 ---ha-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-10 20:24 . 2011-07-01 02:22 20464 ---ha-w- c:\windows\system32\drivers\mbam.sys
2011-11-23 13:25 . 2010-08-30 18:15 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-04 19:20 . 2010-08-30 18:15 916992 ---ha-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2010-08-30 18:15 43520 ---h--w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2010-08-30 18:15 1469440 ---h--w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2010-08-30 18:15 385024 ---h--w- c:\windows\system32\html.iec
2011-11-01 16:07 . 2010-08-30 18:15 1288704 ---ha-w- c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2010-08-30 18:15 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37 . 2008-04-14 00:54 2148864 ---ha-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52 . 2008-04-14 00:01 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-18 11:13 . 2010-08-30 18:15 186880 ---ha-w- c:\windows\system32\encdec.dll
2011-10-10 14:22 . 2010-08-30 18:26 692736 ---ha-w- c:\windows\system32\inetcomm.dll
2011-10-10 12:31 . 2011-07-02 02:13 17712 ---ha-w- c:\windows\system32\nitrolocalui2.dll
2011-10-10 12:31 . 2011-07-02 02:13 26416 ---ha-w- c:\windows\system32\nitrolocalmon2.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2008-08-21 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\winlogon.exe
[-] 2008-08-21 . 1300F6682BEA386767AE2A7C6C2DDCA7 . 545280 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
.
[7] 2008-08-21 . 27C6D03BCDB8CFEB96B716F3D8BE3E18 . 14336 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\svchost.exe
[-] 2008-08-21 . ECD453C1AD7D2FF9448C24A65642FE17 . 39936 . . [5.1.2600.5512] . . c:\windows\system32\svchost.exe
.
[-] 2012-01-03 . F92D05B1C0DE946CF66B11479247FBDE . 1058816 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[7] 2008-08-21 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\ERDNT\cache\explorer.exe
.
((((((((((((((((((((((((((((( SnapShot@2012-01-02_23.12.52 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-01-03 00:42 . 2012-01-03 00:42 14336 c:\windows\system32\svch.dat
+ 2012-01-03 12:38 . 2012-01-03 12:38 27648 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Last Active\{D344D4C7-3607-11E1-84C5-00197E0B8494}.dat
+ 2012-01-03 12:18 . 2012-01-03 12:18 45568 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{FD3F3E58-3604-11E1-84C4-00197E0B8494}.dat
+ 2012-01-03 11:34 . 2012-01-03 11:38 10752 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{F7570F4E-35FE-11E1-84C4-00197E0B8494}.dat
+ 2012-01-03 11:42 . 2012-01-03 11:45 12288 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{F7126ADC-35FF-11E1-84C4-00197E0B8494}.dat
+ 2012-01-03 11:27 . 2012-01-03 11:27 22016 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{F2F139A2-35FD-11E1-84C4-00197E0B8494}.dat
+ 2012-01-03 11:48 . 2012-01-03 11:55 34816 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{E88DF88A-3600-11E1-84C4-00197E0B8494}.dat
+ 2012-01-03 11:33 . 2012-01-03 11:38 15872 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{D17DBA92-35FE-11E1-84C4-00197E0B8494}.dat
+ 2012-01-03 11:40 . 2012-01-03 11:45 29184 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{B0B1201E-35FF-11E1-84C4-00197E0B8494}.dat
+ 2012-01-03 12:15 . 2012-01-03 12:21 12800 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{9F8BF34A-3604-11E1-84C4-00197E0B8494}.dat
+ 2012-01-03 12:15 . 2012-01-03 12:21 34816 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{962189DC-3604-11E1-84C4-00197E0B8494}.dat
+ 2012-01-03 12:15 . 2012-01-03 12:18 46080 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{937A0BAA-3604-11E1-84C4-00197E0B8494}.dat
+ 2012-01-03 10:34 . 2012-01-03 10:41 12800 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{7D228CD2-35F6-11E1-84C2-00197E0B8494}.dat
+ 2012-01-03 10:41 . 2012-01-03 10:47 12288 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{78F48CB8-35F7-11E1-84C2-00197E0B8494}.dat
+ 2012-01-03 11:38 . 2012-01-03 11:44 11776 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{6556ADA0-35FF-11E1-84C4-00197E0B8494}.dat
+ 2012-01-03 10:33 . 2012-01-03 10:33 18432 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{5A8E1178-35F6-11E1-84C2-00197E0B8494}.dat
+ 2012-01-03 10:33 . 2012-01-03 10:33 20480 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{5968D03A-35F6-11E1-84C2-00197E0B8494}.dat
+ 2012-01-03 10:47 . 2012-01-03 10:54 12800 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{55093E7E-35F8-11E1-84C2-00197E0B8494}.dat
+ 2012-01-03 11:37 . 2012-01-03 11:42 16384 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{4ABB0F36-35FF-11E1-84C4-00197E0B8494}.dat
+ 2012-01-03 12:27 . 2012-01-03 12:34 11776 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{452F3194-3606-11E1-84C5-00197E0B8494}.dat
+ 2012-01-03 12:34 . 2012-01-03 12:34 35840 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{41CE3BB6-3607-11E1-84C5-00197E0B8494}.dat
+ 2012-01-03 11:44 . 2012-01-03 11:45 12288 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{3AA3AF72-3600-11E1-84C4-00197E0B8494}.dat
+ 2012-01-03 11:36 . 2012-01-03 11:38 10752 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{3A24D310-35FF-11E1-84C4-00197E0B8494}.dat
+ 2012-01-03 10:46 . 2012-01-03 10:53 12800 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{3884DE02-35F8-11E1-84C2-00197E0B8494}.dat
+ 2012-01-03 12:33 . 2012-01-03 12:38 11776 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{2523B59A-3607-11E1-84C5-00197E0B8494}.dat
+ 2012-01-03 11:43 . 2012-01-03 11:45 12288 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{241EB95E-3600-11E1-84C4-00197E0B8494}.dat
+ 2012-01-03 11:35 . 2012-01-03 11:38 11776 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{1A37D5E8-35FF-11E1-84C4-00197E0B8494}.dat
+ 2012-01-03 11:35 . 2012-01-03 11:36 58368 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{0F597DA6-35FF-11E1-84C4-00197E0B8494}.dat
+ 2012-01-03 11:42 . 2012-01-03 11:45 12288 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{0D4650FC-3600-11E1-84C4-00197E0B8494}.dat
+ 2012-01-01 03:17 . 2012-01-03 12:47 32768 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\index.dat
- 2012-01-01 03:17 . 2012-01-01 22:41 32768 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\index.dat
+ 2012-01-01 03:07 . 2012-01-03 13:02 32768 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
- 2012-01-01 03:07 . 2012-01-01 22:42 32768 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat
+ 2011-07-01 01:39 . 2012-01-03 10:33 26400 c:\windows\system32\config\systemprofile\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
+ 2012-01-01 03:06 . 2012-01-03 12:44 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2012-01-01 03:06 . 2012-01-01 20:38 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2012-01-03 10:32 . 2012-01-03 13:02 98304 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2012-01-01 03:06 . 2012-01-01 22:41 98304 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2012-01-01 03:07 . 2012-01-01 20:23 32768 c:\windows\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\UserData\index.dat
+ 2012-01-01 03:07 . 2012-01-03 12:36 32768 c:\windows\system32\config\systemprofile\Application Data\Microsoft\Internet Explorer\UserData\index.dat
+ 2010-08-31 18:54 . 2012-01-03 16:11 8572 c:\windows\system32\d3d9caps.dat
- 2010-08-31 18:54 . 2012-01-01 20:27 8572 c:\windows\system32\d3d9caps.dat
+ 2012-01-03 12:38 . 2012-01-03 12:38 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Last Active\RecoveryStore.{D344D4C4-3607-11E1-84C5-00197E0B8494}.dat
+ 2012-01-03 12:38 . 2012-01-03 12:38 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Last Active\RecoveryStore.{D344D4C3-3607-11E1-84C5-00197E0B8494}.dat
+ 2012-01-03 12:38 . 2012-01-03 12:38 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Last Active\RecoveryStore.{D344D4C2-3607-11E1-84C5-00197E0B8494}.dat
+ 2012-01-03 12:18 . 2012-01-03 12:52 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Last Active\RecoveryStore.{0472381B-3605-11E1-84C4-00197E0B8494}.dat
+ 2012-01-03 12:38 . 2012-01-03 12:38 5120 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Last Active\{D344D4C5-3607-11E1-84C5-00197E0B8494}.dat
+ 2012-01-03 12:52 . 2012-01-03 12:52 5632 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Last Active\{C12D5B2A-3609-11E1-84C5-00197E0B8494}.dat
+ 2012-01-03 11:27 . 2012-01-03 11:27 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{F2F139A1-35FD-11E1-84C4-00197E0B8494}.dat
+ 2012-01-03 11:13 . 2012-01-03 11:13 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{EE0EE9E9-35FB-11E1-84C3-00197E0B8494}.dat
+ 2012-01-03 12:10 . 2012-01-03 12:10 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{EBB2F043-3603-11E1-84C4-00197E0B8494}.dat
+ 2012-01-03 11:48 . 2012-01-03 11:48 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{E88DF889-3600-11E1-84C4-00197E0B8494}.dat
+ 2012-01-03 11:19 . 2012-01-03 11:19 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{DAA6C501-35FC-11E1-84C3-00197E0B8494}.dat
+ 2012-01-03 11:26 . 2012-01-03 11:26 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{D510C1D1-35FD-11E1-84C4-00197E0B8494}.dat
+ 2012-01-03 11:19 . 2012-01-03 11:19 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{CB8B9EC5-35FC-11E1-84C3-00197E0B8494}.dat
+ 2012-01-03 12:15 . 2012-01-03 12:15 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{9F8BF349-3604-11E1-84C4-00197E0B8494}.dat
+ 2012-01-03 12:15 . 2012-01-03 12:15 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{962189DB-3604-11E1-84C4-00197E0B8494}.dat
+ 2012-01-03 12:15 . 2012-01-03 12:15 1536 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{8EB557A9-3604-11E1-84C4-00197E0B8494}.dat
+ 2012-01-03 10:34 . 2012-01-03 10:34 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{7D228CD1-35F6-11E1-84C2-00197E0B8494}.dat
+ 2012-01-03 10:41 . 2012-01-03 10:41 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{78F48CB7-35F7-11E1-84C2-00197E0B8494}.dat
+ 2012-01-03 11:38 . 2012-01-03 11:38 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{6556AD9F-35FF-11E1-84C4-00197E0B8494}.dat
+ 2012-01-03 10:33 . 2012-01-03 10:33 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{5A8E1177-35F6-11E1-84C2-00197E0B8494}.dat
+ 2012-01-03 10:33 . 2012-01-03 10:33 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{5968D039-35F6-11E1-84C2-00197E0B8494}.dat
+ 2012-01-03 10:33 . 2012-01-03 10:33 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{58A2ED0B-35F6-11E1-84C2-00197E0B8494}.dat
+ 2012-01-03 10:47 . 2012-01-03 10:47 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{55093E7D-35F8-11E1-84C2-00197E0B8494}.dat
+ 2012-01-03 12:13 . 2012-01-03 12:13 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{4ADA2A2D-3604-11E1-84C4-00197E0B8494}.dat
+ 2012-01-03 11:37 . 2012-01-03 11:43 5120 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{4ABB0F35-35FF-11E1-84C4-00197E0B8494}.dat
+ 2012-01-03 12:27 . 2012-01-03 12:27 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{452F3193-3606-11E1-84C5-00197E0B8494}.dat
+ 2012-01-03 12:34 . 2012-01-03 12:34 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{41CE3BB5-3607-11E1-84C5-00197E0B8494}.dat
+ 2012-01-03 11:01 . 2012-01-03 11:01 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{3CA60F3F-35FA-11E1-84C2-00197E0B8494}.dat
+ 2012-01-03 10:32 . 2012-01-03 10:33 5120 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{3AD0C357-35F6-11E1-84C2-00197E0B8494}.dat
+ 2012-01-03 11:15 . 2012-01-03 11:15 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{395184E3-35FC-11E1-84C3-00197E0B8494}.dat
+ 2012-01-03 10:46 . 2012-01-03 10:46 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{3884DE01-35F8-11E1-84C2-00197E0B8494}.dat
+ 2012-01-03 11:00 . 2012-01-03 11:00 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{32A7D405-35FA-11E1-84C2-00197E0B8494}.dat
+ 2012-01-03 10:39 . 2012-01-03 10:39 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{2DC766E7-35F7-11E1-84C2-00197E0B8494}.dat
+ 2012-01-03 12:33 . 2012-01-03 12:33 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{2523B599-3607-11E1-84C5-00197E0B8494}.dat
+ 2012-01-03 13:02 . 2012-01-03 13:02 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{21A54069-360B-11E1-84C5-00197E0B8494}.dat
+ 2012-01-03 13:02 . 2012-01-03 13:02 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{21A07BB5-360B-11E1-84C5-00197E0B8494}.dat
+ 2012-01-03 11:00 . 2012-01-03 11:00 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{2133DD31-35FA-11E1-84C2-00197E0B8494}.dat
+ 2012-01-03 11:50 . 2012-01-03 11:50 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{12C0B777-3601-11E1-84C4-00197E0B8494}.dat
+ 2012-01-03 11:35 . 2012-01-03 11:35 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{0F597DA5-35FF-11E1-84C4-00197E0B8494}.dat
+ 2012-01-03 12:18 . 2012-01-03 12:18 3584 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{058DEFF3-3605-11E1-84C4-00197E0B8494}.dat
+ 2012-01-03 10:59 . 2012-01-03 11:03 9216 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{FF739322-35F9-11E1-84C2-00197E0B8494}.dat
+ 2012-01-03 11:13 . 2012-01-03 11:15 5120 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{EE0EE9EA-35FB-11E1-84C3-00197E0B8494}.dat
+ 2012-01-03 11:49 . 2012-01-03 11:50 8192 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{EC833FF0-3600-11E1-84C4-00197E0B8494}.dat
+ 2012-01-03 12:10 . 2012-01-03 12:10 6144 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{EBB2F044-3603-11E1-84C4-00197E0B8494}.dat
+ 2012-01-03 11:19 . 2012-01-03 11:21 6144 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{DAA6C502-35FC-11E1-84C3-00197E0B8494}.dat
+ 2012-01-03 12:09 . 2012-01-03 12:13 6656 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{CE4024A0-3603-11E1-84C4-00197E0B8494}.dat
+ 2012-01-03 11:19 . 2012-01-03 11:19 6144 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{CB8B9EC6-35FC-11E1-84C3-00197E0B8494}.dat
+ 2012-01-03 12:45 . 2012-01-03 12:49 7168 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{C9CC9CFA-3608-11E1-84C5-00197E0B8494}.dat
+ 2012-01-03 11:48 . 2012-01-03 11:50 7680 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{C8E61F90-3600-11E1-84C4-00197E0B8494}.dat
+ 2012-01-03 12:09 . 2012-01-03 12:14 6656 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{C5F637BC-3603-11E1-84C4-00197E0B8494}.dat
+ 2012-01-03 11:47 . 2012-01-03 11:50 8192 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{A6FAEB2C-3600-11E1-84C4-00197E0B8494}.dat
+ 2012-01-03 12:08 . 2012-01-03 12:15 6656 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{A50EE3AA-3603-11E1-84C4-00197E0B8494}.dat
+ 2012-01-03 11:46 . 2012-01-03 11:50 7680 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{91ABE6CC-3600-11E1-84C4-00197E0B8494}.dat
+ 2012-01-03 12:00 . 2012-01-03 12:06 7168 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{8459213A-3602-11E1-84C4-00197E0B8494}.dat
+ 2012-01-03 11:45 . 2012-01-03 11:50 9216 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{63BF7B42-3600-11E1-84C4-00197E0B8494}.dat
+ 2012-01-03 10:33 . 2012-01-03 10:33 4096 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{620891C2-35F6-11E1-84C2-00197E0B8494}.dat
+ 2012-01-03 10:33 . 2012-01-03 10:33 9216 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{58A2ED0C-35F6-11E1-84C2-00197E0B8494}.dat
+ 2012-01-03 12:13 . 2012-01-03 12:14 7680 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{4ADA2A2E-3604-11E1-84C4-00197E0B8494}.dat
+ 2012-01-03 11:01 . 2012-01-03 11:03 8192 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{3CA60F40-35FA-11E1-84C2-00197E0B8494}.dat
+ 2012-01-03 10:32 . 2012-01-03 10:33 8192 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{3AD0C358-35F6-11E1-84C2-00197E0B8494}.dat
+ 2012-01-03 11:15 . 2012-01-03 11:15 6144 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{395184E4-35FC-11E1-84C3-00197E0B8494}.dat
+ 2012-01-03 11:00 . 2012-01-03 11:04 9216 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{32A7D406-35FA-11E1-84C2-00197E0B8494}.dat
+ 2012-01-03 11:43 . 2012-01-03 11:43 9728 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{2DFB93AC-3600-11E1-84C4-00197E0B8494}.dat
+ 2012-01-03 10:39 . 2012-01-03 10:39 5120 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{2DC766E8-35F7-11E1-84C2-00197E0B8494}.dat
+ 2012-01-03 13:02 . 2012-01-03 13:02 4096 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{29AC6B72-360B-11E1-84C5-00197E0B8494}.dat
+ 2012-01-03 13:02 . 2012-01-03 13:02 4096 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{291D5E5A-360B-11E1-84C5-00197E0B8494}.dat
+ 2012-01-03 11:00 . 2012-01-03 11:02 8192 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{2133DD32-35FA-11E1-84C2-00197E0B8494}.dat
+ 2012-01-03 12:47 . 2012-01-03 12:52 5120 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{1B4C9F80-3609-11E1-84C5-00197E0B8494}.dat
+ 2012-01-03 11:50 . 2012-01-03 11:56 5120 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{12C0B778-3601-11E1-84C4-00197E0B8494}.dat
+ 2012-01-03 11:49 . 2012-01-03 11:50 8192 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{085BF71C-3601-11E1-84C4-00197E0B8494}.dat
+ 2012-01-03 16:21 . 2012-01-03 16:21 8192 c:\windows\ERDNT\1-3-2012\Users\00000002\UsrClass.dat
+ 2010-08-30 18:15 . 2008-08-21 17:00 507904 c:\windows\system32\winl.dat
+ 2012-01-03 10:32 . 2012-01-03 12:47 163840 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012012010320120104\index.dat
+ 2012-01-03 10:32 . 2012-01-03 10:32 114688 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012011122620120102\index.dat
+ 2010-08-30 18:30 . 2012-01-03 13:02 458752 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2012-01-03 12:38 . 2012-01-03 12:38 145408 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Last Active\{D344D4C6-3607-11E1-84C5-00197E0B8494}.dat
+ 2012-01-03 11:26 . 2012-01-03 11:33 306688 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{D510C1D2-35FD-11E1-84C4-00197E0B8494}.dat
+ 2012-01-03 12:18 . 2012-01-03 12:22 172032 c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Internet Explorer\Recovery\Active\{058DEFF4-3605-11E1-84C4-00197E0B8494}.dat
+ 2012-01-03 13:14 . 2012-01-03 16:14 163328 c:\windows\ERDNT\1-3-2012\ERDNT.EXE
+ 2012-01-01 03:06 . 2012-01-03 12:47 1015808 c:\windows\system32\config\systemprofile\PrivacIE\index.dat
+ 2012-01-01 03:06 . 2012-01-03 13:02 5177344 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2012-01-03 16:21 . 2012-01-03 16:21 1196032 c:\windows\ERDNT\1-3-2012\Users\00000001\NTUSER.DAT
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-03-05 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-03-05 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-03-05 137752]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-06-03 1791272]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2010-05-12 517480]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"cssauth"="c:\program files\Lenovo\Client Security Solution\cssauth.exe" [2009-03-05 3093816]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2009-12-21 69568]
"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2010-04-22 431464]
"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2010-04-22 181608]
"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2009-07-23 185688]
"LPMailChecker"="c:\progra~1\THINKV~1\PrdCtr\LPMLCHK.exe" [2009-07-23 124248]
"EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2009-12-01 256576]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-07 421160]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"dplaysvr"="c:\documents and settings\Administrator\Application Data\dplaysvr.exe" [BU]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"dplaysvr"="c:\documents and settings\Administrator\Application Data\dplaysvr.exe" [BU]
.
c:\documents and settings\Dean Nicholson\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\IBM\\Lotus\\Symphony\\framework\\rcp\\eclipse\\plugins\\com.ibm.rcp.base_6.2.0.20090505-1200\\win32\\x86\\symphony.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
.
R0 DozeHDD;DozeHDD;c:\windows\system32\drivers\DOZEHDD.SYS [8/31/2010 12:26 PM 24304]
S1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [9/1/2010 11:16 AM 13480]
S2 DozeSvc;Lenovo Doze Mode Service;c:\program files\ThinkPad\Utilities\DOZESVC.EXE [8/31/2010 12:26 PM 132456]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [8/30/2011 7:28 PM 136176]
S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\Lenovo\HOTKEY\micmute.exe [9/1/2010 11:16 AM 45496]
S2 NitroReaderDriverReadSpool2;NitroPDFReaderDriverCreatorReadSpool2;c:\program files\Nitro PDF\Reader 2\NitroPDFReaderDriverService2.exe [10/10/2011 7:32 AM 196912]
S2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.exe [8/31/2010 12:26 PM 53248]
S2 TPHKSVC;On Screen Display;c:\program files\Lenovo\HOTKEY\TPHKSVC.exe [9/1/2010 11:16 AM 63928]
S3 CFcatchme;CFcatchme;\??\c:\docume~1\ADMINI~1\LOCALS~1\Temp\CFcatchme.sys --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\CFcatchme.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [8/30/2011 7:28 PM 136176]
S3 swmx01;Sierra Wireless USB MUX Driver (#01);c:\windows\system32\drivers\swmx01.sys [11/18/2005 3:21 PM 58624]
S3 SWNC5E01;Sierra Wireless MUX NDIS Driver (#01);c:\windows\system32\drivers\SWNC5E01.sys [8/5/2005 2:42 PM 73600]
S3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [2/22/2008 2:54 PM 37312]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WUAUSERV
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2012-01-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-08-31 00:28]
.
2012-01-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-08-31 00:28]
.
2011-12-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1741676890-1038465670-3455570982-1004Core.job
- c:\documents and settings\Dean Nicholson\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-09-27 00:38]
.
2012-01-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1741676890-1038465670-3455570982-1004UA.job
- c:\documents and settings\Dean Nicholson\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-09-27 00:38]
.
2012-01-03 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2010-08-31 05:25]
.
.
------- Supplementary Scan -------
.
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-ewsvtVHncw.exe - c:\documents and settings\All Users\Application Data\ewsvtVHncw.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-03 13:02
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,6d,50,6e,4d,4a,8d,41,45,b1,36,70,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,6d,50,6e,4d,4a,8d,41,45,b1,36,70,\
.
[HKEY_USERS\S-1-5-21-1741676890-1038465670-3455570982-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,36,d1,36,27,dc,79,2b,4a,8f,08,48,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,36,d1,36,27,dc,79,2b,4a,8f,08,48,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1052)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(1412)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2012-01-03 13:17:37 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-03 18:17
ComboFix2.txt 2012-01-02 23:16
.
.
Post-Run: 81,653,444,608 bytes free
.
- - End Of File - - 7B5CD931A3A958BC3BD89914BF554299
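The "Reg Loading Points" block of the ComboFix log above is the part that carries the machine's persistence and host-protection state: Run values that point into a user profile rather than Program Files or system32 (the two dplaysvr entries under Application Data, each printed with a [BU] marker instead of a date and size), the Security Center override flags, and the standard-profile firewall policy with EnableFirewall set to 0 and notifications disabled. The Python below is an added example for this thread, not code from the forum or from ComboFix: it parses that section and flags exactly those conditions so the log can be triaged mechanically. The sample input is constructed by abridging the log above; the list of path fragments treated as user-writable, and the decision to report a missing date/size stamp as something to verify by hand, are the example's own assumptions.

```python
"""Triage the "Reg Loading Points" section of a ComboFix log.

Added example for this thread; not part of ComboFix and not code from the
forum. It flags autorun values that launch from user-writable profile
locations, autorun values printed with a marker instead of a date/size
stamp, Security Center override flags, and a weakened standard-profile
firewall policy.
"""
import re

# Constructed sample, abridged from the ComboFix log posted in the thread.
SAMPLE = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-03-05 141848]
"dplaysvr"="c:\documents and settings\Administrator\Application Data\dplaysvr.exe" [BU]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"dplaysvr"="c:\documents and settings\Administrator\Application Data\dplaysvr.exe" [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
"""

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)"\s*\[(?P<stamp>[^\]]*)\]$')
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<val>[0-9a-fA-F]{8})$')
FLAG_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<val>\d+)\s*\(0x[0-9a-fA-F]+\)$')
STAMP_RE = re.compile(r'^\d{4}-\d{2}-\d{2} \d+$')   # the normal "[YYYY-MM-DD size]" stamp

# Assumed fragments that mark a user-writable location on Windows XP; any
# Run value launching from one of these deserves a closer look.
USER_WRITABLE = (
    'c:\\documents and settings\\',
    '\\application data\\',
    '\\local settings\\',
    '\\temp\\',
    'c:\\recycler\\',
)


def triage(text):
    """Return a list of (kind, registry_key, value_name, detail) findings."""
    findings = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group('key')
            continue
        if key is None:
            continue
        m = RUN_RE.match(line)
        if m and key.lower().endswith('\\run'):
            target = m.group('target')
            if any(frag in target.lower() for frag in USER_WRITABLE):
                findings.append(('autorun-user-path', key, m.group('name'), target))
            if not STAMP_RE.match(m.group('stamp')):
                # ComboFix printed a marker (e.g. "[BU]") instead of the target's
                # date and size; the entry cannot be judged from the log alone.
                findings.append(('autorun-no-file-stamp', key, m.group('name'), m.group('stamp')))
            continue
        m = DWORD_RE.match(line)
        if m and 'security center' in key.lower():
            if m.group('name').endswith('Override') and int(m.group('val'), 16) == 1:
                findings.append(('security-center-override', key, m.group('name'), m.group('val')))
            continue
        m = FLAG_RE.match(line)
        if m and 'firewallpolicy' in key.lower():
            name, val = m.group('name'), int(m.group('val'))
            if (name == 'EnableFirewall' and val == 0) or \
               (name == 'DisableNotifications' and val == 1):
                findings.append(('firewall-weakened', key, name, str(val)))
    return findings


def format_findings(findings):
    """Render findings one per line, grouped by kind, for pasting into a reply."""
    return '\n'.join(f'{kind:26} {name} = {detail}  ({key})'
                     for kind, key, name, detail in sorted(findings))


if __name__ == '__main__':
    print(format_findings(triage(SAMPLE)))
```

The legitimate vendor entries under Program Files and system32 produce no findings; every finding the sample yields comes from the dplaysvr values, the two Override flags and the firewall policy, which is the same short list a reader of the raw log would have to extract by eye.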

#54 ken545

ken545

    Forum God

  • Retired Classroom Teacher
  • 23,225 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 03 January 2012 - 12:43 PM

Go ahead and run SystemLook and post the log, and while I am looking them over go ahead and run ESET.

 
 
The forum is staffed by volunteers who donate their time and expertise.
If you feel you have been helped, please consider a donation.
donate.gif
 
Find us on Facebook
Please LIKE and SHARE
 
 
Just a reminder that threads will be closed if no reply in 3 days.

#55 Dean N

Dean N

    Authentic Member

  • Authentic Member
  • PipPip
  • 152 posts

Posted 03 January 2012 - 01:46 PM

Can you advise on what to enter into SystemLook? I have to go back and forth (again) on machines, and ESET Online crashed in safe mode! It's getting challenging to run stuff again...



#56 ken545

Posted 03 January 2012 - 03:21 PM

:filefind
winlogon.*
svchost.*
explorer.*

If we could get these resolved I think it would make a difference


#57 Dean N

Posted 03 January 2012 - 03:34 PM

Wow, I thought I had posted that. Sorry!

SystemLook 30.07.11 by jpshortstuff
Log created at 16:31 on 03/01/2012 by Dean Nicholson
Administrator - Elevation successful

========== filefind ==========

Searching for "winlogon.exe"
C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe --a---- 182856 bytes [03:32 28/12/2011] [22:50 24/12/2011] B382935AB01B27D0E14F267DBF288896
C:\WINDOWS\ERDNT\cache\winlogon.exe --a---- 507904 bytes [17:03 30/12/2011] [17:00 21/08/2008] ED0EF0A136DEC83DF69F04118870003E
C:\WINDOWS\system32\winlogon.exe --a---- 545280 bytes [18:15 30/08/2010] [17:00 21/08/2008] 1300F6682BEA386767AE2A7C6C2DDCA7

Searching for "svchost.exe"
C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\svchost.exe --a---- 182856 bytes [03:32 28/12/2011] [22:50 24/12/2011] B382935AB01B27D0E14F267DBF288896
C:\WINDOWS\ERDNT\cache\svchost.exe --a---- 14336 bytes [17:03 30/12/2011] [17:00 21/08/2008] 27C6D03BCDB8CFEB96B716F3D8BE3E18
C:\WINDOWS\system32\svchost.exe --a---- 39936 bytes [18:15 30/08/2010] [17:00 21/08/2008] ECD453C1AD7D2FF9448C24A65642FE17

Searching for "explorer.exe"
C:\WINDOWS\explorer.exe --a---- 1058816 bytes [18:15 30/08/2010] [00:42 03/01/2012] F92D05B1C0DE946CF66B11479247FBDE
C:\WINDOWS\ERDNT\cache\explorer.exe --a---- 1033728 bytes [17:03 30/12/2011] [17:00 21/08/2008] 12896823FB95BFB3DC9B46BCAEDC9923

-= EOF =-

Edited by Dean N, 03 January 2012 - 03:34 PM.


#58 ken545

Posted 03 January 2012 - 04:09 PM

Different script

Notice the .* at the end of each file


:filefind
winlogon.*
svchost.*
explorer.*



#59 Dean N

Posted 03 January 2012 - 04:13 PM

Oops again! I missed that.

SystemLook 30.07.11 by jpshortstuff
Log created at 17:11 on 03/01/2012 by Dean Nicholson
Administrator - Elevation successful

========== filefind ==========

Searching for "winlogon.*"
C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe --a---- 182856 bytes [03:32 28/12/2011] [22:50 24/12/2011] B382935AB01B27D0E14F267DBF288896
C:\Qoobox\Quarantine\C\WINDOWS\system32\winlogon.exe.vir --a---- 545280 bytes [18:15 30/08/2010] [17:00 21/08/2008] 1300F6682BEA386767AE2A7C6C2DDCA7
C:\WINDOWS\ERDNT\cache\winlogon.exe --a---- 507904 bytes [17:03 30/12/2011] [17:00 21/08/2008] ED0EF0A136DEC83DF69F04118870003E
C:\WINDOWS\I386\WINLOGON.EX_ --a---- 265069 bytes [18:15 30/08/2010] [17:00 21/08/2008] 063EF1A46C58A731F78AE5AF47070D65
C:\WINDOWS\system32\winlogon.exe --a---- 545280 bytes [18:15 30/08/2010] [17:00 21/08/2008] 1300F6682BEA386767AE2A7C6C2DDCA7

Searching for "svchost.*"
C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\svchost.exe --a---- 182856 bytes [03:32 28/12/2011] [22:50 24/12/2011] B382935AB01B27D0E14F267DBF288896
C:\Qoobox\Quarantine\C\WINDOWS\system32\svchost.exe.vir --a---- 39936 bytes [18:15 30/08/2010] [17:00 21/08/2008] ECD453C1AD7D2FF9448C24A65642FE17
C:\WINDOWS\ERDNT\cache\svchost.exe --a---- 14336 bytes [17:03 30/12/2011] [17:00 21/08/2008] 27C6D03BCDB8CFEB96B716F3D8BE3E18
C:\WINDOWS\I386\SVCHOST.EX_ --a---- 7276 bytes [18:14 30/08/2010] [17:00 21/08/2008] D54450099E0666AAE89D76BD248AF6CC
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20111230-143249-00.hdmp --ah--- 1705315246 bytes [14:32 30/12/2011] [14:34 30/12/2011] 29E9EB1DF0DB9856C86895B3315A3A03
C:\WINDOWS\pchealth\ERRORREP\UserDumps\svchost.exe.20111230-143249-00.mdmp --a--c- 0 bytes [14:32 30/12/2011] [14:32 30/12/2011] D41D8CD98F00B204E9800998ECF8427E
C:\WINDOWS\Prefetch\SVCHOST.EXE-3530F672.pf --ah--- 62226 bytes [00:34 01/01/2012] [10:23 03/01/2012] B57DABEE3FABE7102640710DE0344404
C:\WINDOWS\system32\svchost.exe --a---- 39936 bytes [18:15 30/08/2010] [17:00 21/08/2008] ECD453C1AD7D2FF9448C24A65642FE17

Searching for "explorer.* "
C:\Qoobox\Quarantine\C\WINDOWS\explorer.exe.vir --a---- 1058816 bytes [18:15 30/08/2010] [17:00 21/08/2008] F92D05B1C0DE946CF66B11479247FBDE
C:\WINDOWS\explorer.exe --a---- 1058816 bytes [18:15 30/08/2010] [00:42 03/01/2012] F92D05B1C0DE946CF66B11479247FBDE
C:\WINDOWS\explorer.scf --a---- 80 bytes [18:15 30/08/2010] [17:00 21/08/2008] A3975A7D2C98B30A2AE010754FFB9392
C:\WINDOWS\ERDNT\cache\explorer.exe --a---- 1033728 bytes [17:03 30/12/2011] [17:00 21/08/2008] 12896823FB95BFB3DC9B46BCAEDC9923
C:\WINDOWS\I386\EXPLORER.EX_ --a--c- 356615 bytes [18:12 30/08/2010] [17:00 21/08/2008] D7B59A7EC9CB1429FDCEC84A22228555
C:\WINDOWS\I386\EXPLORER.SC_ --a---- 181 bytes [18:12 30/08/2010] [17:00 21/08/2008] BC5B38879C56DFBC05C8B5C43AC4D739
C:\WINDOWS\Prefetch\EXPLORER.EXE-082F38A9.pf --a---- 27378 bytes [13:11 03/01/2012] [13:11 03/01/2012] 64512AF93A9E0D0FD5EA86297BA5F65C

-= EOF =-

#60 ken545

Posted 03 January 2012 - 05:29 PM

That's what I was looking for, let's hope this works.

Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad. Make sure there is no space before and above FCopy::


Fcopy::
C:\WINDOWS\I386\winlogon.exe | c:\windows\system32\winlogon.exe
C:\WINDOWS\I386\svchost.exe | c:\windows\system32\svchost.exe
C:\WINDOWS\I386\explorer.exe | c:\windows\explorer.exe

Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.

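The two SystemLook logs in #57 and #59 list every copy of winlogon, svchost and explorer on the disk with size, timestamps and MD5. Read side by side, the live copies under system32 (and C:\WINDOWS\explorer.exe) differ in both size and hash from the copies in C:\WINDOWS\ERDNT\cache, which carry the original 2008-08-21 build timestamp, and the FCopy:: script in #60 is the helper's way of replacing them from the I386 folder. The Python below is an added example for this thread, not code from the forum, from SystemLook or from ComboFix: it parses a filefind log, compares each live copy with the ERDNT cache copy, and emits the FCopy:: lines for the binaries that differ. The sample log is constructed by abridging the values posted in #59; treating the ERDNT cache copy as the reference, the live-path table and the I386 source directory are assumptions of the example. Compressed I386 copies (.EX_) are listed but skipped, since their size and hash describe the compressed file rather than the expanded binary.

```python
"""Compare the copies of critical Windows binaries listed by SystemLook.

Added example for this thread; not code from the forum, from SystemLook or
from ComboFix. It parses a SystemLook ":filefind" log, compares the live
copy of each target binary with the copy in the ERDNT cache directory, and
emits the FCopy:: lines for the binaries whose size or MD5 differ.
"""
import re
from collections import defaultdict

# Constructed sample in SystemLook 30.07.11 filefind format, abridged from
# the values posted in the thread.
SAMPLE_LOG = r"""
Searching for "winlogon.*"
C:\Qoobox\Quarantine\C\WINDOWS\system32\winlogon.exe.vir --a---- 545280 bytes [18:15 30/08/2010] [17:00 21/08/2008] 1300F6682BEA386767AE2A7C6C2DDCA7
C:\WINDOWS\ERDNT\cache\winlogon.exe --a---- 507904 bytes [17:03 30/12/2011] [17:00 21/08/2008] ED0EF0A136DEC83DF69F04118870003E
C:\WINDOWS\I386\WINLOGON.EX_ --a---- 265069 bytes [18:15 30/08/2010] [17:00 21/08/2008] 063EF1A46C58A731F78AE5AF47070D65
C:\WINDOWS\system32\winlogon.exe --a---- 545280 bytes [18:15 30/08/2010] [17:00 21/08/2008] 1300F6682BEA386767AE2A7C6C2DDCA7
Searching for "svchost.*"
C:\WINDOWS\ERDNT\cache\svchost.exe --a---- 14336 bytes [17:03 30/12/2011] [17:00 21/08/2008] 27C6D03BCDB8CFEB96B716F3D8BE3E18
C:\WINDOWS\Prefetch\SVCHOST.EXE-3530F672.pf --ah--- 62226 bytes [00:34 01/01/2012] [10:23 03/01/2012] B57DABEE3FABE7102640710DE0344404
C:\WINDOWS\system32\svchost.exe --a---- 39936 bytes [18:15 30/08/2010] [17:00 21/08/2008] ECD453C1AD7D2FF9448C24A65642FE17
Searching for "explorer.*"
C:\WINDOWS\explorer.exe --a---- 1058816 bytes [18:15 30/08/2010] [00:42 03/01/2012] F92D05B1C0DE946CF66B11479247FBDE
C:\WINDOWS\ERDNT\cache\explorer.exe --a---- 1033728 bytes [17:03 30/12/2011] [17:00 21/08/2008] 12896823FB95BFB3DC9B46BCAEDC9923
-= EOF =-
"""

# One filefind entry: path, attribute flags, size, [created] [modified], MD5.
ENTRY_RE = re.compile(
    r'^(?P<path>[A-Za-z]:\\.+?)\s+'
    r'(?P<attrs>[-a-z]{7})\s+'
    r'(?P<size>\d+) bytes\s+'
    r'\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+'
    r'(?P<md5>[0-9A-Fa-f]{32})$'
)

# Assumed: the live path each binary is loaded from (and that FCopy:: will
# overwrite), the reference directory, and the source of clean copies.
LIVE_PATHS = {
    'winlogon.exe': 'C:\\WINDOWS\\system32\\winlogon.exe',
    'svchost.exe': 'C:\\WINDOWS\\system32\\svchost.exe',
    'explorer.exe': 'C:\\WINDOWS\\explorer.exe',
}
CACHE_DIR = 'C:\\WINDOWS\\ERDNT\\cache'
I386_DIR = 'C:\\WINDOWS\\I386'


def parse_filefind(text):
    """Group the entries of a filefind log by lower-cased base name."""
    groups = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:          # "Searching for" headers, blank lines, "-= EOF =-"
            continue
        entry = m.groupdict()
        entry['size'] = int(entry['size'])
        entry['md5'] = entry['md5'].upper()
        groups[entry['path'].rsplit('\\', 1)[-1].lower()].append(entry)
    return groups


def compare_copies(groups):
    """Compare each live binary with its ERDNT cache copy.

    Returns {name: (status, live_entry, ref_entry)}; status is 'match',
    'differs' (size or MD5 differ) or 'missing' (one copy not listed).
    Compressed I386 copies (.EX_) have a different base name and are never
    matched here: their size and hash describe the compressed file.
    """
    results = {}
    for name, live_path in LIVE_PATHS.items():
        by_path = {e['path'].lower(): e for e in groups.get(name, [])}
        live = by_path.get(live_path.lower())
        ref = by_path.get((CACHE_DIR + '\\' + name).lower())
        if live is None or ref is None:
            results[name] = ('missing', live, ref)
        elif live['size'] == ref['size'] and live['md5'] == ref['md5']:
            results[name] = ('match', live, ref)
        else:
            results[name] = ('differs', live, ref)
    return results


def fcopy_script(results, source_dir=I386_DIR):
    """Build a ComboFix FCopy:: block ("source | destination", one per line)
    for every binary whose live copy differs from the reference copy."""
    lines = ['FCopy::']
    for name, (status, live, _ref) in sorted(results.items()):
        if status == 'differs':
            lines.append(source_dir + '\\' + name + ' | ' + live['path'])
    return '\n'.join(lines) + '\n'


def report(results):
    """One line per binary, for pasting into a reply."""
    out = []
    for name, (status, live, ref) in sorted(results.items()):
        if status == 'missing':
            out.append(f'{name}: one of the copies is not listed; cannot compare')
            continue
        out.append(f"{name}: {status}  live {live['size']} B {live['md5']}  "
                   f"cache {ref['size']} B {ref['md5']} (built {ref['modified']})")
    return '\n'.join(out)


if __name__ == '__main__':
    res = compare_copies(parse_filefind(SAMPLE_LOG))
    print(report(res))
    print(fcopy_script(res))
```

Run against the sample, all three binaries come back as 'differs' and the generated block is the same three source | destination pairs the helper posted by hand. The comparison only says that the live file is not the cached one; confirming what changed still needs the replaced binaries hashed again after the FCopy:: run and compared with the cache values.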
