
Solved Cannot access Windows update - malware involved?

Discussion in 'Malware and Virus Removal Archive' started by dmonfette, 2010/12/23.

    dmonfette (Thread Starter), 2010/12/23:

    Two days ago a popup asked me to buy defrag software. I forced a power off on the computer and afterwards got messages saying the disk was full, the memory was full, etc. Booting Ubuntu from a USB key, I deleted all exe files in the Windows folder (they all had a date and time stamp close enough to the popup and had names beginning with the letter Q).

    I then rebooted and ran Autoruns from Microsoft. I unchecked everything I thought was suspicious. Some of the unchecked items would reappear, copied and checked, after a reboot... I tried to update Windows but could not reach the web page! I downloaded SP3 from another computer and installed it. Unlucky... The web page is still not available.

    Then I got to a web page from you guys. I understood I had maybe gone too far on my own.

    Here are the log files from Malwarebytes, GMER, MBRCheck, and DDS:

    MALWAREBYTES:

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Version de la base de données: 5384

    Windows 5.1.2600 Service Pack 3 (Safe Mode)
    Internet Explorer 6.0.2900.5512

    2010-12-23 10:45:07
    mbam-log-2010-12-23 (10-45-07).txt

    Type d'examen: Examen rapide
    Elément(s) analysé(s): 159055
    Temps écoulé: 1 minute(s), 42 seconde(s)

    Processus mémoire infecté(s): 0
    Module(s) mémoire infecté(s): 0
    Clé(s) du Registre infectée(s): 1
    Valeur(s) du Registre infectée(s): 0
    Elément(s) de données du Registre infecté(s): 0
    Dossier(s) infecté(s): 0
    Fichier(s) infecté(s): 3

    Processus mémoire infecté(s):
    (Aucun élément nuisible détecté)

    Module(s) mémoire infecté(s):
    (Aucun élément nuisible détecté)

    Clé(s) du Registre infectée(s):
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SSHNAS (Trojan.Renos) -> Quarantined and deleted successfully.

    Valeur(s) du Registre infectée(s):
    (Aucun élément nuisible détecté)

    Elément(s) de données du Registre infecté(s):
    (Aucun élément nuisible détecté)

    Dossier(s) infecté(s):
    (Aucun élément nuisible détecté)

    Fichier(s) infecté(s):
    c:\WINDOWS\msh4cota.oka.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
    c:\WINDOWS\Tasks\{22116563-108c-42c0-a7ce-60161b75e508}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
    c:\WINDOWS\Tasks\{62c40aa6-4406-467a-a5a5-dfdf1b559b7a}.job (Trojan.FakeAlert) -> Quarantined and deleted successfully.


    GMER:

    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit scan 2010-12-23 10:57:08
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 ST3750330AS rev.SD15
    Running: jbi0n2wm.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pxtdapow.sys


    ---- System - GMER 1.0.15 ----

    SSDT 9A0B8C76 ZwCreateKey
    SSDT 9A0B8C6C ZwCreateThread
    SSDT 9A0B8C7B ZwDeleteKey
    SSDT 9A0B8C85 ZwDeleteValueKey
    SSDT 9A0B8C8A ZwLoadKey
    SSDT 9A0B8C58 ZwOpenProcess
    SSDT 9A0B8C5D ZwOpenThread
    SSDT 9A0B8C94 ZwReplaceKey
    SSDT 9A0B8C8F ZwRestoreKey
    SSDT 9A0B8C80 ZwSetValueKey

    ---- Kernel code sections - GMER 1.0.15 ----

    ? ocfdwlrg.sys The system cannot find the file specified. !

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\Explorer.EXE[220] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00AA000A
    .text C:\WINDOWS\Explorer.EXE[220] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00AB000A
    .text C:\WINDOWS\Explorer.EXE[220] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A2000C
    .text C:\WINDOWS\SMINST\Scheduler.exe[1412] USER32.dll!GetSysColor 7E418E78 5 Bytes JMP 00419330 C:\WINDOWS\SMINST\Scheduler.exe
    .text C:\WINDOWS\SMINST\Scheduler.exe[1412] USER32.dll!GetSysColorBrush 7E418EAB 5 Bytes JMP 004193A0 C:\WINDOWS\SMINST\Scheduler.exe
    .text C:\WINDOWS\SMINST\Scheduler.exe[1412] USER32.dll!SetScrollInfo 7E419056 7 Bytes JMP 00419220 C:\WINDOWS\SMINST\Scheduler.exe
    .text C:\WINDOWS\SMINST\Scheduler.exe[1412] USER32.dll!GetScrollInfo 7E42DFE2 7 Bytes JMP 00419170 C:\WINDOWS\SMINST\Scheduler.exe
    .text C:\WINDOWS\SMINST\Scheduler.exe[1412] USER32.dll!ShowScrollBar 7E42F2F2 5 Bytes JMP 004192F0 C:\WINDOWS\SMINST\Scheduler.exe
    .text C:\WINDOWS\SMINST\Scheduler.exe[1412] USER32.dll!GetScrollPos 7E42F704 5 Bytes JMP 004191B0 C:\WINDOWS\SMINST\Scheduler.exe
    .text C:\WINDOWS\SMINST\Scheduler.exe[1412] USER32.dll!SetScrollPos 7E42F750 5 Bytes JMP 00419260 C:\WINDOWS\SMINST\Scheduler.exe
    .text C:\WINDOWS\SMINST\Scheduler.exe[1412] USER32.dll!GetScrollRange 7E42F787 5 Bytes JMP 004191E0 C:\WINDOWS\SMINST\Scheduler.exe
    .text C:\WINDOWS\SMINST\Scheduler.exe[1412] USER32.dll!SetScrollRange 7E42F99B 5 Bytes JMP 004192A0 C:\WINDOWS\SMINST\Scheduler.exe
    .text C:\WINDOWS\SMINST\Scheduler.exe[1412] USER32.dll!EnableScrollBar 7E468005 7 Bytes JMP 00419130 C:\WINDOWS\SMINST\Scheduler.exe
    .text C:\WINDOWS\System32\svchost.exe[1788] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00D2000A
    .text C:\WINDOWS\System32\svchost.exe[1788] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D3000A
    .text C:\WINDOWS\System32\svchost.exe[1788] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00D1000C
    .text C:\WINDOWS\System32\svchost.exe[1788] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00F4000A

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\WINDOWS\Explorer.EXE[220] @ C:\WINDOWS\Explorer.EXE [USER32.dll!ExitWindowsEx] [01CF1940] C:\Program Files\NewTech Infosystems\Backup Now EZ\Pehook.dll (Backup Now EZ Module/NewTech Infosystems, Inc.)
    IAT C:\WINDOWS\Explorer.EXE[220] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!ExitWindowsEx] [01CF1940] C:\Program Files\NewTech Infosystems\Backup Now EZ\Pehook.dll (Backup Now EZ Module/NewTech Infosystems, Inc.)
    IAT C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE[1236] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!ExitWindowsEx] [022D1940] C:\Program Files\NewTech Infosystems\Backup Now EZ\Pehook.dll (Backup Now EZ Module/NewTech Infosystems, Inc.)
    IAT C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[1348] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!ExitWindowsEx] [10001940] C:\Program Files\NewTech Infosystems\Backup Now EZ\Pehook.dll (Backup Now EZ Module/NewTech Infosystems, Inc.)
    IAT C:\Program Files\RemoteAgent64\Bin\EventServer.exe[1364] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!ExitWindowsEx] [10001940] C:\Program Files\NewTech Infosystems\Backup Now EZ\Pehook.dll (Backup Now EZ Module/NewTech Infosystems, Inc.)
    IAT C:\WINDOWS\RTHDCPL.EXE[1372] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!ExitWindowsEx] [10001940] C:\Program Files\NewTech Infosystems\Backup Now EZ\Pehook.dll (Backup Now EZ Module/NewTech Infosystems, Inc.)
    IAT C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[1380] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!ExitWindowsEx] [01791940] C:\Program Files\NewTech Infosystems\Backup Now EZ\Pehook.dll (Backup Now EZ Module/NewTech Infosystems, Inc.)
    IAT C:\Program Files\NewTech Infosystems\Backup Now EZ\BackupNowEZtray.exe[1388] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!ExitWindowsEx] [00C61940] C:\Program Files\NewTech Infosystems\Backup Now EZ\Pehook.dll (Backup Now EZ Module/NewTech Infosystems, Inc.)
    IAT C:\WINDOWS\SMINST\Scheduler.exe[1412] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!ExitWindowsEx] [10001940] C:\Program Files\NewTech Infosystems\Backup Now EZ\Pehook.dll (Backup Now EZ Module/NewTech Infosystems, Inc.)
    IAT C:\WINDOWS\system32\ctfmon.exe[1428] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!ExitWindowsEx] [10001940] C:\Program Files\NewTech Infosystems\Backup Now EZ\Pehook.dll (Backup Now EZ Module/NewTech Infosystems, Inc.)
    IAT C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe[1440] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!ExitWindowsEx] [00DA1940] C:\Program Files\NewTech Infosystems\Backup Now EZ\Pehook.dll (Backup Now EZ Module/NewTech Infosystems, Inc.)
    IAT C:\Program Files\Panasonic\MotionSD STUDIO\SD_Browser\AutoLauncher.exe[1468] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!ExitWindowsEx] [02AF1940] C:\Program Files\NewTech Infosystems\Backup Now EZ\Pehook.dll (Backup Now EZ Module/NewTech Infosystems, Inc.)
    IAT C:\Program Files\HPQ\IAM\bin\asghost.exe[1948] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!ExitWindowsEx] [01DB1940] C:\Program Files\NewTech Infosystems\Backup Now EZ\Pehook.dll (Backup Now EZ Module/NewTech Infosystems, Inc.)
    IAT C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[2008] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!ExitWindowsEx] [10001940] C:\Program Files\NewTech Infosystems\Backup Now EZ\Pehook.dll (Backup Now EZ Module/NewTech Infosystems, Inc.)
    IAT C:\Program Files\ProtectTools\Embedded Security Software\PSDrt.exe[2112] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!ExitWindowsEx] [00F31940] C:\Program Files\NewTech Infosystems\Backup Now EZ\Pehook.dll (Backup Now EZ Module/NewTech Infosystems, Inc.)

    ---- Devices - GMER 1.0.15 ----

    Device pci.sys (NT Plug and Play PCI Enumerator/Microsoft Corporation)
    Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Roxio)
    Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskST3750330AS_____________________________SD15____#5&288f8644&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 sector 01: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 02: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 04: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 05: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 06: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 07: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 37: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 53: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 61: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;

    ---- EOF - GMER 1.0.15 ----

    MBRCHECK:

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Professional
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x0006001c

    Kernel Drivers (total 156):
    0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
    0x806E4000 \WINDOWS\system32\hal.dll
    0x8B2EB000 \WINDOWS\system32\KDCOM.DLL
    0xBA4BC000 \WINDOWS\system32\BOOTVID.dll
    0xBA0A8000 ocfdwlrg.sys
    0xB9F79000 ACPI.sys
    0xBA5A8000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
    0xB9F68000 pci.sys
    0xBA0B8000 isapnp.sys
    0xBA670000 pciide.sys
    0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    0xBA0C8000 MountMgr.sys
    0xB9F49000 ftdisk.sys
    0xBA5AA000 dmload.sys
    0xB9F23000 dmio.sys
    0xBA330000 PartMgr.sys
    0xBA0D8000 VolSnap.sys
    0xB9F0B000 atapi.sys
    0xBA0E8000 disk.sys
    0xBA0F8000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    0xB9EEB000 fltmgr.sys
    0xB9ED9000 sr.sys
    0xB9EC3000 DRVMCDB.SYS
    0xBA108000 PxHelp20.sys
    0xB9EAC000 KSecDD.sys
    0xB9E1F000 Ntfs.sys
    0xB9DF2000 NDIS.sys
    0xBA4C0000 Gernuwa.sys
    0xB9DD8000 Mup.sys
    0xB8539000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
    0xB8525000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    0xB90B3000 \SystemRoot\system32\drivers\aw_host5.sys
    0xBA2A8000 \SystemRoot\system32\DRIVERS\HECI.sys
    0xB84EC000 \SystemRoot\system32\DRIVERS\e1e5132.sys
    0xB8863000 \SystemRoot\system32\DRIVERS\usbuhci.sys
    0xB84C8000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0xB885B000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0xB84A0000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0xB8853000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0xB884B000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0xB848C000 \SystemRoot\system32\DRIVERS\parport.sys
    0xBA2C8000 \SystemRoot\system32\DRIVERS\serial.sys
    0xB90AF000 \SystemRoot\system32\DRIVERS\serenum.sys
    0xB8843000 \SystemRoot\system32\DRIVERS\fdc.sys
    0xBA2D8000 \SystemRoot\system32\DRIVERS\IFXTPM.SYS
    0xBA2E8000 \SystemRoot\system32\DRIVERS\imapi.sys
    0xBA5D6000 \??\C:\WINDOWS\system32\drivers\UBHelper.sys
    0xBA2F8000 \SystemRoot\System32\Drivers\cdrbsdrv.SYS
    0xBA5D8000 \SystemRoot\System32\Drivers\DLACDBHM.SYS
    0xBA308000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0xBA318000 \SystemRoot\system32\DRIVERS\redbook.sys
    0xB8469000 \SystemRoot\system32\DRIVERS\ks.sys
    0xBA5DA000 \??\C:\WINDOWS\system32\drivers\NTIDrvr.sys
    0xBA128000 \SystemRoot\system32\DRIVERS\intelppm.sys
    0xB909B000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
    0xBA708000 \SystemRoot\system32\DRIVERS\rminiv3.sys
    0xB844E000 \SystemRoot\system32\DRIVERS\dne2000.sys
    0xBA709000 \SystemRoot\system32\DRIVERS\audstub.sys
    0xBA138000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0xB9093000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0xB8437000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0xBA148000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0xBA158000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0xB883B000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0xB8426000 \SystemRoot\system32\DRIVERS\psched.sys
    0xBA168000 \SystemRoot\system32\DRIVERS\msgpc.sys
    0xB8833000 \SystemRoot\system32\DRIVERS\ptilink.sys
    0xB882B000 \SystemRoot\system32\DRIVERS\raspti.sys
    0xBA178000 \SystemRoot\system32\DRIVERS\tap0801.sys
    0xB8823000 \SystemRoot\system32\DRIVERS\pppop.sys
    0xB840F000 \SystemRoot\system32\DRIVERS\VBoxNetAdp.sys
    0xB83DF000 \SystemRoot\system32\DRIVERS\rdpdr.sys
    0xBA188000 \SystemRoot\system32\DRIVERS\termdd.sys
    0xB83C5000 \SystemRoot\system32\DRIVERS\VBoxNetFlt.sys
    0xBA5DC000 \SystemRoot\system32\DRIVERS\swenum.sys
    0xB881B000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0xB9063000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xB9023000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0xBA5F0000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0xA0FCD000 \SystemRoot\system32\drivers\RtkHDAud.sys
    0xA0FA9000 \SystemRoot\system32\drivers\portcls.sys
    0xA5B65000 \SystemRoot\system32\drivers\drmk.sys
    0x9A2DE000 \SystemRoot\System32\drivers\psd.sys
    0xBA628000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0x9A1CF000 \SystemRoot\System32\Drivers\Null.SYS
    0xBA62A000 \SystemRoot\System32\Drivers\Beep.SYS
    0x9A2CE000 \SystemRoot\System32\Drivers\DLARTL_M.SYS
    0x9A43E000 \??\C:\WINDOWS\system32\rserver30\raddrvv3.sys
    0x9A2C6000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    0x9A2BE000 \SystemRoot\System32\drivers\vga.sys
    0xBA62C000 \SystemRoot\system32\drivers\awechomd.sys
    0x9A161000 \SystemRoot\System32\Drivers\awlegacy.sys
    0xBA62E000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xBA632000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0x9A2B6000 \SystemRoot\System32\Drivers\Msfs.SYS
    0x9A2AE000 \SystemRoot\System32\Drivers\Npfs.SYS
    0x9A15D000 \SystemRoot\system32\DRIVERS\rasacd.sys
    0x99D36000 \SystemRoot\system32\DRIVERS\ipsec.sys
    0x99CDD000 \SystemRoot\system32\DRIVERS\tcpip.sys
    0x99CB5000 \SystemRoot\system32\DRIVERS\netbt.sys
    0x99C8F000 \SystemRoot\system32\DRIVERS\ipnat.sys
    0x99C6D000 \SystemRoot\System32\drivers\afd.sys
    0x9A42E000 \SystemRoot\system32\DRIVERS\netbios.sys
    0x9A40E000 \SystemRoot\system32\DRIVERS\VBoxUSBMon.sys
    0x99C50000 \SystemRoot\system32\DRIVERS\VBoxDrv.sys
    0x9A2A6000 \SystemRoot\system32\DRIVERS\ssmdrv.sys
    0x99C25000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0x9A3FE000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0x99BB5000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0x9A3EE000 \SystemRoot\System32\Drivers\Fips.SYS
    0x99B92000 \SystemRoot\system32\DRIVERS\avipbb.sys
    0xBA636000 \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys
    0x99E85000 \SystemRoot\System32\Drivers\ASPI32.SYS
    0x9A05D000 \SystemRoot\system32\DRIVERS\usbccgp.sys
    0x99E71000 \SystemRoot\system32\DRIVERS\hidusb.sys
    0x9A267000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    0xA65ED000 \SystemRoot\system32\DRIVERS\kbdhid.sys
    0xA6FAA000 \SystemRoot\system32\DRIVERS\mouhid.sys
    0x9A257000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0xB9CF1000 \SystemRoot\system32\DRIVERS\usbscan.sys
    0x9A247000 \SystemRoot\System32\Drivers\nx6000.sys
    0x99B74000 \SystemRoot\System32\Drivers\usbvideo.sys
    0x9A237000 \SystemRoot\system32\drivers\usbaudio.sys
    0x99B5C000 \SystemRoot\System32\Drivers\dump_atapi.sys
    0xBA646000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xA6FB6000 \SystemRoot\System32\drivers\Dxapi.sys
    0x9A04D000 \SystemRoot\System32\watchdog.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xBA6D9000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBF012000 \SystemRoot\System32\ati2dvag.dll
    0xBF055000 \SystemRoot\System32\ati2cqag.dll
    0xBF09A000 \SystemRoot\System32\atikvmag.dll
    0xBF0DC000 \SystemRoot\System32\ati3duag.dll
    0xBF37D000 \SystemRoot\System32\ativvaxx.dll
    0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
    0x97B47000 \SystemRoot\system32\DRIVERS\avgntflt.sys
    0x9E312000 \SystemRoot\System32\Drivers\DRVNDDM.SYS
    0xBA77F000 \SystemRoot\System32\DLA\DLADResM.SYS
    0x97B2F000 \SystemRoot\System32\DLA\DLAIFS_M.SYS
    0x99DA9000 \SystemRoot\System32\DLA\DLAOPIOM.SYS
    0x9BE6D000 \SystemRoot\System32\DLA\DLAPoolM.SYS
    0x99DA1000 \SystemRoot\System32\DLA\DLABMFSM.SYS
    0x99D99000 \SystemRoot\System32\DLA\DLABOIOM.SYS
    0x97B19000 \SystemRoot\System32\DLA\DLAUDFAM.SYS
    0x97B02000 \SystemRoot\System32\DLA\DLAUDF_M.SYS
    0x9C403000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0x979E5000 \SystemRoot\system32\DRIVERS\mrxdav.sys
    0x97980000 \SystemRoot\system32\drivers\wdmaud.sys
    0x9F040000 \SystemRoot\system32\drivers\sysaudio.sys
    0x96BFF000 \??\C:\WINDOWS\system32\Drivers\CVPNDRVA.sys
    0x968ED000 \SystemRoot\system32\DRIVERS\srv.sys
    0x968AD000 \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pxtdapow.sys
    0x95F70000 \SystemRoot\System32\Drivers\HTTP.sys
    0x95D18000 \SystemRoot\system32\drivers\kmixer.sys
    0x7C900000 \WINDOWS\system32\ntdll.dll

    Processes (total 56):
    0 System Idle Process
    4 System
    1992 C:\WINDOWS\system32\smss.exe
    316 csrss.exe
    344 C:\WINDOWS\system32\winlogon.exe
    388 C:\WINDOWS\system32\services.exe
    400 C:\WINDOWS\system32\lsass.exe
    656 C:\WINDOWS\system32\ati2evxx.exe
    672 C:\WINDOWS\system32\svchost.exe
    752 svchost.exe
    1788 C:\WINDOWS\system32\svchost.exe
    1972 svchost.exe
    852 svchost.exe
    1084 C:\WINDOWS\system32\spoolsv.exe
    1216 C:\Program Files\Avira\AntiVir Desktop\sched.exe
    1256 C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    1328 svchost.exe
    1704 C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    1924 C:\WINDOWS\system32\ati2evxx.exe
    1948 C:\Program Files\HPQ\IAM\Bin\asghost.exe
    220 C:\WINDOWS\explorer.exe
    1236 C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\pthosttr.exe
    1348 C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
    1364 C:\Program Files\RemoteAgent64\Bin\EventServer.exe
    1372 C:\WINDOWS\RTHDCPL.exe
    1380 C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    1388 C:\Program Files\NewTech Infosystems\Backup Now EZ\BackupNowEZtray.exe
    1404 C:\Program Files\Common Files\Java\Java Update\jusched.exe
    1412 C:\WINDOWS\SMINST\Scheduler.exe
    1428 C:\WINDOWS\system32\ctfmon.exe
    1440 C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
    1468 C:\Program Files\Panasonic\MotionSD STUDIO\SD_Browser\AutoLauncher.exe
    1636 C:\WINDOWS\system32\svchost.exe
    1780 C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    2080 E:\cygwin\bin\cygrunsrv.exe
    2360 C:\WINDOWS\system32\FortiSSLVPNdaemon.exe
    2756 E:\cygwin\bin\exim-4.69-1.exe
    2812 C:\WINDOWS\system32\IFXSPMGT.exe
    3460 C:\WINDOWS\system32\IFXTCS.exe
    3956 C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    3992 C:\Program Files\Java\jre6\bin\jqs.exe
    4016 C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    276 C:\Program Files\Microsoft LifeCam\MSCamS32.exe
    476 C:\Program Files\Palm\SDK\bin\novacom\x86\novacomd.exe
    1184 C:\Program Files\NewTech Infosystems\Backup Now EZ\BackupNowEZSvr.exe
    1228 C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
    1568 C:\WINDOWS\system32\svchost.exe
    2732 C:\Program Files\TightVNC\WinVNC.exe
    3024 C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    3052 C:\WINDOWS\system32\wuauclt.exe
    2488 C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
    2008 C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
    3384 wmiprvse.exe
    2112 C:\Program Files\ProtectTools\Embedded Security Software\PSDrt.exe
    2612 alg.exe
    3192 C:\Documents and Settings\Administrator\Desktop\malware\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
    \\.\D: --> \\.\PhysicalDrive0 at offset 0x00000010`a0f85600 (NTFS)
    \\.\E: --> \\.\PhysicalDrive0 at offset 0x00000012`a14c0000 (NTFS)

    PhysicalDrive0 Model Number: ST3750330AS, Rev: SD15

    Size Device Name MBR Status
    --------------------------------------------
    698 GB \\.\PhysicalDrive0 Unknown MBR code
    SHA1: 0C62942DB383379A3F323ED173858423662B0152


    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    Options:
    [1] Dump the MBR of a physical disk to file.
    [2] Restore the MBR of a physical disk with a standard boot code.
    [3] Exit.

    Enter your choice:

    Done!

    DDS:


    DDS (Ver_10-12-12.02) - NTFSx86
    Run by Administrator at 10:59:36,32 on 2010-12-23
    Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_18
    Microsoft Windows XP Professionnel 5.1.2600.3.1252.2.1033.18.3583.2983 [GMT -5:00]

    AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

    ============== Running Processes ===============

    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    svchost.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\HPQ\IAM\bin\asghost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\RemoteAgent64\Bin\EventServer.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\NewTech Infosystems\Backup Now EZ\BackupNowEZtray.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\WINDOWS\SMINST\Scheduler.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
    C:\Program Files\Panasonic\MotionSD STUDIO\SD_Browser\AutoLauncher.exe
    C:\WINDOWS\System32\svchost.exe -k Cognizance
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    e:\cygwin\bin\cygrunsrv.exe
    C:\WINDOWS\system32\FortiSSLVPNdaemon.exe
    e:\cygwin\bin\exim-4.69-1.exe
    C:\WINDOWS\system32\IFXSPMGT.exe
    C:\WINDOWS\system32\IFXTCS.exe
    C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Microsoft LifeCam\MSCamS32.exe
    C:\Program Files\Palm\SDK\bin\novacom\x86\novacomd.exe
    C:\Program Files\NewTech Infosystems\Backup Now EZ\BackupNowEZSvr.exe
    C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\TightVNC\WinVNC.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\ProtectTools\Embedded Security Software\PSDrt.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Administrator\Desktop\malware\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.hp.com
    mDefault_Search_URL = hxxp://www.google.com/ie
    uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/
    mSearchAssistant = hxxp://www.google.com/ie
    BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: HP Credential Manager for ProtectTools: {df21f1db-80c6-11d3-9483-b03d0ec10000} - c:\program files\hpq\iam\bin\ItIeAddIN.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
    mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe "
    mRun: [PTHOSTTR] c:\program files\hewlett-packard\hp protecttools security manager\PTHOSTTR.EXE /Start
    mRun: [SetRefresh] c:\program files\compaq\setrefresh\SetRefresh.exe
    mRun: [CognizanceTS] rundll32.exe c:\progra~1\hpq\iam\bin\AsTsVcc.dll,RegisterModule
    mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [EventServer] c:\program files\remoteagent64\bin\EventServer.exe /h
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    mRun: [BackupNowEZtray] "c:\program files\newtech infosystems\backup now ez\BackupNowEZtray.exe" -k
    mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe "
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe "
    mRun: [Scheduler] c:\windows\sminst\Scheduler.exe
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\motion~1.lnk - c:\program files\panasonic\motionsd studio\sd_browser\AutoLauncher.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{d25122bc-a60e-4663-b602-b01718f12044}\Icon3E5562ED7.ico
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\eventl~1.lnk - c:\program files\jm integrated remote station\cms\EventLogger.exe
    mPolicies-system: DisableCAD = 1 (0x1)
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {FB858B22-55E2-413f-87F5-30ADC5552151} - c:\program files\plotsoft\pdfill\DownloadPDF.exe
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    DPF: {32C11E38-E587-4BE9-9ABB-D69158C21CE5} - hxxp://216.30.165.22:8080/activex/decoder/mpeg4_dec.cab
    DPF: {46D8BEE7-0B27-4466-ABA2-A5F1E157971C} - hxxp://65.254.18.46:100/RemoteWeb.cab
    DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.2.cab
    DPF: {5B8DED15-6FC1-4044-A923-F8CE2EAB40B7} - hxxp://216.215.157.230/SpecoRemote.cab
    DPF: {5FFDFC21-AE40-4C7C-955C-415A1ACE01C8} - hxxp://65.254.18.46:100/VideoViewer.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1200348910062
    DPF: {721700FE-7F0E-49C5-BDED-CA92B7CB1245} - hxxp://192.168.200.100/dcsclictrl.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {A2DA760C-D2DF-4FED-92B4-593E3F148692} - hxxp://demopc8p24.dss.com.tw:1700/WebCamX.cab
    DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {CF1C4A31-BD38-4DCB-BFDB-9E1854B6AAF1} - hxxp://www.dvrhost.com/control/viewer.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://216.30.165.22:8080/activex/AMC.cab
    DPF: {F3CAAA40-344A-412E-84E3-D176D64EE54F} - hxxp://www.bms2000.org/BMS2000_Access_Control.ocx
    Handler: intu-ir2008 - {729D3592-92E7-4cbc-8E44-3C22B3F457B3} - c:\program files\impotrapide 2008\ic2008pp.dll
    Handler: intu-ir2009 - {E4616804-F2F8-4839-B728-5305004DA6A7} - c:\program files\impotrapide 2009\ic2009pp.dll
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: AtiExtEvent - Ati2evxx.dll
    Notify: IfxWlxEN - IfxWlxEN.dll
    Notify: OneCard - c:\program files\hpq\iam\bin\AsWlnPkg.dll
    Notify: PCANotify - PCANotify.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    LSA: Notification Packages = scecli AsWlnPkg
    mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe "

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\xcprpuph.default\
    FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
    FF - plugin: c:\program files\fortinet\sslvpnclient\npccplugin.dll
    FF - plugin: c:\program files\fortinet\sslvpnclient\nptcplugin.dll
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\mozilla firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
    FF - Ext: XULRunner: {89489159-3FA0-49AC-968A-7C3E455F74FB} - c:\documents and settings\danny\local settings\application data\{89489159-3FA0-49AC-968A-7C3E455F74FB}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

    ============= SERVICES / DRIVERS ===============

    R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-5-6 11608]
    R1 AW_HOST;AW_HOST;c:\windows\system32\drivers\AW_HOST5.sys [2003-10-23 16984]
    R1 awlegacy;awlegacy;c:\windows\system32\drivers\AWLEGACY.sys [2003-11-17 11165]
    R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [2006-4-6 31104]
    R1 raddrvv3;raddrvv3;c:\windows\system32\rserver30\raddrvv3.sys [2007-2-2 41176]
    R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [2009-9-15 123280]
    R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [2009-9-15 41680]
    R2 AntiVirSchedulerService;Avira AntiVir Planificateur;c:\program files\avira\antivir desktop\sched.exe [2009-5-6 135336]
    R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-5-6 267944]
    R2 ASChannel;Local Communication Channel;c:\windows\system32\svchost.exe -k Cognizance [2006-2-27 14336]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-5-6 60936]
    R2 exim;Exim;e:\cygwin\bin\cygrunsrv.exe [2008-12-19 68096]
    R2 FortiSslvpnDaemon;FortiClient SSL VPN;c:\windows\system32\FortiSSLVPNdaemon.exe [2009-2-6 518688]
    R2 NovacomD;Palm Novacom;c:\program files\palm\sdk\bin\novacom\x86\novacomd.exe [2009-8-3 31232]
    R2 NTI BackupNowEZSvr;NTI BackupNowEZSvr;c:\program files\newtech infosystems\backup now ez\BackupNowEZSvr.exe [2009-5-8 45312]
    R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2007-5-11 36608]
    R3 mirrorv3;mirrorv3;c:\windows\system32\drivers\rminiv3.sys [2006-11-1 3328]
    R3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\drivers\nx6000.sys [2010-3-19 30576]
    R3 pppop;PPPoP WAN Adapter;c:\windows\system32\drivers\pppop.sys [2009-2-3 36384]
    R3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\drivers\tap0801.sys [2004-7-31 23552]
    R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [2009-9-15 99152]
    R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\drivers\VBoxNetFlt.sys [2010-2-12 110096]
    S2 gupdate;Service Google Update (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-10-7 133104]
    S3 awhost32;Service Elève pcAnywhere;c:\program files\symantec\pcanywhere\awhost32.exe [2004-11-5 106496]
    S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
    S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]
    S4 RServer3;Radmin Server V3; "c:\windows\system32\rserver30\rserver3.exe" /service --> c:\windows\system32\rserver30\RServer3.exe [?]

    =============== Created Last 30 ================

    2010-12-23 15:41:41 -------- d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
    2010-12-23 15:41:37 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-23 15:41:37 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2010-12-23 15:41:34 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-12-23 15:41:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-12-23 05:28:21 -------- d-----w- c:\docume~1\admini~1\applic~1\Avira
    2010-12-23 03:45:48 33792 ------w- c:\windows\system32\dllcache\custsat.dll
    2010-12-23 03:44:26 -------- d-----w- c:\windows\network diagnostic
    2010-12-23 03:26:37 -------- d-----w- c:\program files\autorun
    2010-12-23 03:13:52 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\Mozilla
    2010-12-20 12:30:03 0 ----a-w- c:\windows\Ibilodobuvog.bin

    ==================== Find3M ====================

    2010-12-10 13:28:01 1080 ----a-w- c:\windows\AUTOLNCH.REG
    2009-03-05 22:49:01 224256 ----a-w- c:\program files\fentun.exe
    2008-08-06 21:27:08 3520552 ----a-w- c:\program files\procexp.exe
    2007-05-17 14:56:26 172032 ----a-w- c:\program files\puttygen.exe
    2007-05-17 14:56:21 135168 ----a-w- c:\program files\pageant.exe
    2007-05-17 14:56:16 282624 ----a-w- c:\program files\plink.exe
    2007-05-17 14:56:11 307200 ----a-w- c:\program files\psftp.exe
    2007-05-17 14:56:06 294912 ----a-w- c:\program files\pscp.exe
    2007-05-17 14:56:01 294912 ----a-w- c:\program files\puttytel.exe
    2007-05-17 14:55:26 454656 ----a-w- c:\program files\putty.exe

    =================== ROOTKIT ====================

    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: ST3750330AS rev.SD15 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

    device: opened successfully
    user: MBR read successfully

    Disk trace:
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8B349555]<<
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8b34f7b0]; MOV EAX, [0x8b34f82c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
    1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8B3B1AB8]
    3 CLASSPNP[0xBA0F8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000081[0x8B3BBF18]
    5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8B366D98]
    \Driver\atapi[0x8B362610] -> IRP_MJ_CREATE -> 0x8B349555
    kernel: MBR read successfully
    _asm { XOR DI, DI; MOV SS, DI; MOV SP, 0x7a00; MOV BX, 0x7a0; MOV DS, BX; MOV ES, BX; MOV SI, 0x200; MOV CX, SI; CLD ; REP MOVSB ; JMP FAR 0x7a0:0xa3; }
    detected disk devices:
    \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskST3750330AS_____________________________SD15____#5&288f8644&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x8B34939B
    user & kernel MBR OK
    Warning: possible TDL3 rootkit infection !

    ============= FINISH: 11:00:17,65 ===============



    Thanks for your help!
     
  2. 2010/12/23
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Welcome aboard :)

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer's behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ==============================================================

    I still need the Attach.txt part of DDS.

    For starters, you're infected with a rootkit.

    Download TDSSKiller and save it to your desktop.
    • Extract (unzip) its contents to your desktop.
    • Open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
     

  4. 2010/12/23
    dmonfette

    dmonfette Inactive Thread Starter

    Joined:
    2010/12/23
    Messages:
    19
    Likes Received:
    0
    Thanks Broni!

    Here is the attach.txt file from DDS:


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-12-12.02)

    Microsoft Windows XP Professionnel
    Boot Device: \Device\HarddiskVolume1
    Install Date: 1/14/2008 4:48:13 PM
    System Uptime: 12/23/2010 10:46:25 AM (1 hours ago)

    Motherboard: Hewlett-Packard | | 0A58h
    Processor: Intel(R) Core(TM)2 CPU 6700 @ 2.66GHz | XU1 PROCESSOR | 2659/1066mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 67 GiB total, 26.218 GiB free.
    D: is FIXED (NTFS) - 8 GiB total, 6.228 GiB free.
    E: is FIXED (NTFS) - 331 GiB total, 147.444 GiB free.
    R: is CDROM ()
    S: is CDROM ()

    ==== Disabled Device Manager Items =============

    Class GUID: {4D36E96F-E325-11CE-BFC1-08002BE10318}
    Description: PS/2 Compatible Mouse
    Device ID: ACPI\PNP0F13\4&696F438&0
    Manufacturer: Microsoft
    Name: PS/2 Compatible Mouse
    PNP Device ID: ACPI\PNP0F13\4&696F438&0
    Service: i8042prt

    Class GUID: {4D36E96B-E325-11CE-BFC1-08002BE10318}
    Description: Standard 101/102-Key or Microsoft Natural PS/2 Keyboard
    Device ID: ACPI\PNP0303\4&696F438&0
    Manufacturer: (Standard keyboards)
    Name: Standard 101/102-Key or Microsoft Natural PS/2 Keyboard
    PNP Device ID: ACPI\PNP0303\4&696F438&0
    Service: i8042prt

    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Cisco Systems VPN Adapter
    Device ID: ROOT\NET\0001
    Manufacturer: Cisco Systems
    Name: Cisco Systems VPN Adapter
    PNP Device ID: ROOT\NET\0001
    Service: CVirtA

    ==== System Restore Points ===================

    RP407: 12/22/2010 11:18:56 PM - Installed Windows XP KB968537.
    RP408: 12/22/2010 11:19:32 PM - Installed Windows XP KB969059.
    RP409: 12/22/2010 11:20:09 PM - Installed Windows XP KB969897.
    RP410: 12/22/2010 11:20:47 PM - Installed Windows XP KB969947.
    RP411: 12/22/2010 11:21:22 PM - Installed Windows XP KB970238.
    RP412: 12/22/2010 11:22:01 PM - Installed Windows XP KB970430.
    RP413: 12/22/2010 11:22:38 PM - Installed Windows XP KB971468.
    RP414: 12/22/2010 11:23:16 PM - Installed Windows XP KB971486.
    RP415: 12/22/2010 11:23:52 PM - Installed Windows XP KB971557.
    RP416: 12/22/2010 11:24:29 PM - Installed Windows XP KB971633.
    RP417: 12/22/2010 11:25:04 PM - Installed Windows XP KB971657.
    RP418: 12/22/2010 11:26:35 PM - Installed Windows XP KB971737.
    RP419: 12/22/2010 11:27:11 PM - Installed Windows XP KB972260.
    RP420: 12/22/2010 11:27:55 PM - Installed Windows XP KB972270.
    RP421: 12/22/2010 11:28:33 PM - Installed Windows XP KB973354.
    RP422: 12/22/2010 11:29:10 PM - Installed Windows XP KB973507.
    RP423: 12/22/2010 11:29:47 PM - Installed Windows XP KB973687.
    RP424: 12/22/2010 11:30:23 PM - Installed Windows XP KB973815.
    RP425: 12/22/2010 11:31:01 PM - Installed Windows XP KB973869.
    RP426: 12/22/2010 11:31:38 PM - Installed Windows XP KB974112.
    RP427: 12/22/2010 11:32:14 PM - Installed Windows XP KB974318.
    RP428: 12/22/2010 11:33:00 PM - Installed Windows XP KB974392.
    RP429: 12/22/2010 11:33:38 PM - Installed Windows XP KB974455.
    RP430: 12/22/2010 11:34:16 PM - Installed Windows XP KB974571.
    RP431: 12/22/2010 11:34:52 PM - Installed Windows XP KB975025.
    RP432: 12/22/2010 11:35:29 PM - Installed Windows XP KB975467.
    RP433: 12/22/2010 11:36:10 PM - Installed Windows XP KB975560.
    RP434: 12/22/2010 11:36:47 PM - Installed Windows XP KB975561.
    RP435: 12/22/2010 11:37:27 PM - Installed Windows XP KB975562.
    RP436: 12/22/2010 11:38:05 PM - Installed Windows XP KB976325.
    RP437: 12/22/2010 11:38:43 PM - Installed Windows XP KB976749.
    RP438: 12/22/2010 11:39:22 PM - Installed Windows XP KB977165.
    RP439: 12/22/2010 11:40:03 PM - Installed Windows XP KB977914.
    RP440: 12/22/2010 11:40:41 PM - Installed Windows XP KB978037.
    RP441: 12/22/2010 11:41:19 PM - Installed Windows XP KB978207.
    RP442: 12/22/2010 11:41:57 PM - Installed Windows XP KB978251.
    RP443: 12/22/2010 11:42:35 PM - Installed Windows XP KB978338.
    RP444: 12/22/2010 11:43:12 PM - Installed Windows XP KB978542.
    RP445: 12/22/2010 11:43:50 PM - Installed Windows XP KB978601.
    RP446: 12/22/2010 11:44:28 PM - Installed Windows XP KB978706.
    RP447: 12/22/2010 11:45:04 PM - Installed Windows XP KB979309.
    RP448: 12/22/2010 11:45:42 PM - Installed Windows XP KB979482.
    RP449: 12/22/2010 11:46:18 PM - Installed Windows XP KB979559.
    RP450: 12/22/2010 11:46:56 PM - Installed Windows XP KB979683.
    RP451: 12/22/2010 11:47:35 PM - Installed Windows XP KB980182.
    RP452: 12/22/2010 11:48:13 PM - Installed Windows XP KB980218.
    RP453: 12/22/2010 11:48:50 PM - Installed Windows XP KB980232.
    RP454: 12/22/2010 11:49:25 PM - Installed Windows XP KB982381.

    ==== Installed Programs ======================


    7-Zip 4.65
    Adobe Flash Player 10 Plugin
    Adobe Flash Player ActiveX
    Adobe Reader 7.0
    Adobe Shockwave Player
    Advanced IP Address Calculator v1.1
    Advanced IP Scanner v1.5
    Advanced LAN Scanner v1.0 BETA 1
    Advanced Port Scanner v1.3
    Apple Software Update
    ATI - Software Uninstall Utility
    ATI Catalyst Control Center
    ATI Control Panel
    ATI Display Driver
    ATI Problem Report Wizard
    Audacity 1.2.6
    Avira AntiVir Personal - Free Antivirus
    AXIS Media Control Embedded
    Brother's Keeper 6.2
    Camera Support Core Library
    Camera Window DS
    Camera Window DVC
    Camera Window MC
    Camtasia Studio 3
    Canon Camera Support Core Library
    Canon Camera Window DS for ZoomBrowser EX
    Canon Camera Window DVC for ZoomBrowser EX
    Canon Camera Window for ZoomBrowser EX
    Canon MovieEdit Task for ZoomBrowser EX
    Canon PhotoRecord
    Canon RAW Image Task for ZoomBrowser EX
    Canon RemoteCapture Task for ZoomBrowser EX
    Canon Utilities PhotoStitch 3.1
    Canon ZoomBrowser EX
    Cisco Network Assistant
    Cisco Systems VPN Client 4.8.01.0300
    ClearType Tuning Control Panel Applet
    Corel Applications
    CutePDF Writer 2.2
    DicomWorks 1.3.5b
    DVD Shrink 3.2
    DVR Web Viewer for IE (remove only)
    Family Tree SuperTools
    FortiClient SSL VPN v4.0.2010
    Garmin Trip and Waypoint Manager v5
    Google Toolbar for Internet Explorer
    Google Update Helper
    Google Earth
    GPSU version 4.15
    Hawke BRC 1.0.5
    High Definition Audio Driver Package - KB888111
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    HP Backup and Recovery Manager
    HP BIOS Configuration for ProtectTools 2.00 J2
    HP Credential Manager for ProtectTools
    HP Embedded Security for ProtectTools
    HP Help and Support
    HP PrecisionScan LTX
    HP ProtectTools Security Manager 2.00 D3
    HP USB Disk Storage Format Tool
    HpSdpAppCoreApp
    ImpôtRapide 2008
    ImpôtRapide 2009
    Index Dat Spy 2.1.0
    Intel(R) Management Engine Interface
    Intel(R) PRO Network Connections
    InterVideo FilterSDK for Panasonic
    InterVideo Register Manager
    InterVideo WinDVD
    iReport nb-3.5.1
    J2SE Runtime Environment 5.0 Update 6
    Java Auto Updater
    Java(TM) 6 Update 18
    Java(TM) 6 Update 7
    JM Integrated Remote Station
    KeePass Password Safe 1.15
    LightScribe Applications
    LightScribe System Software 1.14.25.1
    LightScribe Template Designs - Art Pack 1
    LightScribe Template Designs - Business Pack 1
    LightScribe Template Designs - Fantasy Pack 1
    LightScribe Template Designs - Holiday Pack 1
    LightScribe Template Designs - Special Occasion Pack 1
    LightScribe Template Designs - Sports Pack 1
    LightScribe Template Designs - Tattoo Pack 1
    LightScribe Template Designs - Urban Pack 1
    LightScribe Template Designs - Wedding Pack 1
    LightScribeTemplateLabeler
    LiveReg (Symantec Corporation)
    LiveUpdate 2.5 (Symantec Corporation)
    Look@LAN 2.50 Build 35
    Malwarebytes' Anti-Malware
    MapSource
    MapSource - Topo Canada v2
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Corporation
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
    Microsoft LifeCam
    Microsoft Silverlight
    Microsoft User-Mode Driver Framework Feature Pack 1.7
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft WinUsb 1.0
    MotionSD STUDIO 1.3E
    MovieEdit Task
    Mozilla Firefox (3.6.13)
    Mozilla Thunderbird (2.0.0.6)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 6 Service Pack 2 (KB973686)
    Netscape Communicator 4.78
    NTI Backup Now EZ
    OpenOffice.org 3.2
    OpenVPN 2.0
    Palm SDK
    PDFill PDF Editor with FREE Writer and FREE Tools
    PhotoStitch
    QuickTime
    Radmin Server 3.0
    Radmin Viewer 3.0
    RAW Image Task 1.2
    Realtek High Definition Audio Driver
    RemoteAgent64 v7.2
    RemoteCapture Task 1.1
    Roxio Audio Module
    Roxio Copy Module
    Roxio Creator Audio
    Roxio Creator Basic v9
    Roxio Creator Copy
    Roxio Creator Data
    Roxio Creator Tools
    Roxio Data Module
    Roxio Drag-to-Disc
    Roxio Express Labeler 3
    Roxio MyDVD Basic v9
    Roxio MyDVD Plus
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB979402)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows Media Player 9 (KB936782)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953838)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956390)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958215)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960714)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB963027)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969897)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB972260)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974455)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB976325)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB982381)
    Skype Toolbars
    Skype™ 5.0
    Sonic Activation Module
    Sun VirtualBox
    Symantec pcAnywhere
    TightVNC 1.3.9
    Toktumi client
    Trailgauge
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Update for Windows XP (KB976749)
    Update for Windows XP (KB978207)
    Update for Windows XP (KB980182)
    VBrick StreamPlayerPlus
    Virtual Desktop Manager Powertoy for Windows XP
    VLC media player 1.1.2
    VRWriter4
    WebFldrs XP
    Windows Driver Package - Palm (WinUSB) Palm Devices (11/30/2008 1.0.0)
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Imaging Component
    Windows Media Format 11 runtime
    Windows XP Service Pack 3
    WinPcap 4.0.2
    WinSCP 3.7.4
    WinZip
    Wireshark 1.0.6
    Xming 6.9.0.31

    ==== Event Viewer Messages From Past Week ========

    12/23/2010 12:28:38 AM, error: Service Control Manager [7022] - The Mises à jour automatiques service hung on starting.
    12/23/2010 10:49:34 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: i8042prt iaStor
    12/23/2010 10:49:34 AM, error: Service Control Manager [7022] - The Mises à jour automatiques service hung on starting.
    12/23/2010 10:46:57 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
    12/23/2010 10:35:39 AM, error: Service Control Manager [7034] - The VNC Server service terminated unexpectedly. It has done this 1 time(s).
    12/23/2010 10:35:39 AM, error: Service Control Manager [7034] - The Trusted Platform Core Service service terminated unexpectedly. It has done this 1 time(s).
    12/23/2010 10:35:39 AM, error: Service Control Manager [7034] - The Security Platform Management Service service terminated unexpectedly. It has done this 1 time(s).
    12/23/2010 10:35:39 AM, error: Service Control Manager [7034] - The Personal Secure Drive Service service terminated unexpectedly. It has done this 1 time(s).
    12/23/2010 10:35:39 AM, error: Service Control Manager [7034] - The Palm Novacom service terminated unexpectedly. It has done this 1 time(s).
    12/23/2010 10:35:39 AM, error: Service Control Manager [7034] - The MSCamSvc service terminated unexpectedly. It has done this 1 time(s).
    12/23/2010 10:35:39 AM, error: Service Control Manager [7034] - The LightScribeService Direct Disc Labeling Service service terminated unexpectedly. It has done this 1 time(s).
    12/23/2010 10:35:39 AM, error: Service Control Manager [7034] - The hpqwmiex service terminated unexpectedly. It has done this 1 time(s).
    12/23/2010 10:35:39 AM, error: Service Control Manager [7034] - The FortiClient SSL VPN service terminated unexpectedly. It has done this 1 time(s).
    12/23/2010 10:35:39 AM, error: Service Control Manager [7034] - The exim service terminated unexpectedly. It has done this 1 time(s).
    12/23/2010 10:35:39 AM, error: Service Control Manager [7034] - The Cisco Systems, Inc. VPN Service service terminated unexpectedly. It has done this 1 time(s).
    12/23/2010 10:35:39 AM, error: Service Control Manager [7034] - The Ati HotKey Poller service terminated unexpectedly. It has done this 1 time(s).
    12/22/2010 5:54:43 PM, error: Service Control Manager [7022] - The Mises à jour automatiques service hung on starting.
    12/22/2010 2:42:50 AM, error: Service Control Manager [7023] - The SSHNAS service terminated with the following error: The specified module could not be found.
    12/22/2010 10:36:44 PM, error: Service Control Manager [7022] - The Mises à jour automatiques service hung on starting.
    12/22/2010 10:34:35 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000043' while processing the file 'exim-daemon.pid' on the volume 'HarddiskVolume3'. It has stopped monitoring the volume.
    12/22/2010 10:20:49 PM, error: Service Control Manager [7022] - The Mises à jour automatiques service hung on starting.
    12/22/2010 10:16:44 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
    12/22/2010 10:16:37 PM, error: Service Control Manager [7034] - The IviRegMgr service terminated unexpectedly. It has done this 1 time(s).
    12/21/2010 9:24:25 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments " " in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
    12/21/2010 9:24:12 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: ASPI32 avgio avipbb awlegacy AW_HOST Fips i8042prt intelppm ssmdrv VBoxDrv VBoxUSBMon
    12/20/2010 7:43:03 AM, error: Service Control Manager [7022] - The Mises à jour automatiques service hung on starting.
    12/20/2010 5:11:11 AM, error: DCOM [10005] - DCOM a reçu l'erreur "%1053" lors de la mise en route du service winmgmt avec les arguments " " pour démarrer le serveur*: {8BC3F05E-D86B-11D0-A075-00C04FB68820}
    12/20/2010 5:01:10 AM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service winmgmt with arguments " " in order to run the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}
    12/20/2010 12:49:35 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: i8042prt
    12/20/2010 12:49:35 AM, error: Service Control Manager [7022] - The MSCamSvc service hung on starting.
    12/20/2010 12:48:13 AM, error: Service Control Manager [7000] - The Radmin Server V3 service failed to start due to the following error: The system cannot find the file specified.
    12/19/2010 8:08:07 PM, error: Service Control Manager [7034] - The NTI BackupNowEZSvr service terminated unexpectedly. It has done this 1 time(s).
    12/19/2010 5:23:14 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: Une opération a été tentée sur un hôte impossible à atteindre. (0x80072751)
    12/19/2010 5:23:14 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: Une opération a été tentée sur un hôte impossible à atteindre. (0x80072751)
    12/19/2010 5:16:49 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments " " in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    12/19/2010 5:16:48 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service IFXSpMgtSrv with arguments "-Service" in order to run the server: {FBCD9C6A-72CB-47BB-99DD-2317551491DE}
    12/19/2010 3:01:15 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service IFXSpMgtSrv with arguments "-Service" in order to run the server: {FBCD9C66-72CB-47BB-99DD-2317551491DE}
    12/19/2010 2:52:25 PM, error: Service Control Manager [7000] - The Radmin Server V3 service failed to start due to the following error: Access is denied.

    ==== End Of File ===========================


    I will post the results from TDSSKiller later;

    Thanks;
    Danny
     
  5. 2010/12/23
    dmonfette

    dmonfette Inactive Thread Starter

    Joined:
    2010/12/23
    Messages:
    19
    Likes Received:
    0
    ... and the results from TDSSKiller:

    2010/12/23 18:16:13.0421 TDSS rootkit removing tool 2.4.12.0 Dec 16 2010 09:46:46
    2010/12/23 18:16:13.0421 ================================================================================
    2010/12/23 18:16:13.0421 SystemInfo:
    2010/12/23 18:16:13.0421
    2010/12/23 18:16:13.0421 OS Version: 5.1.2600 ServicePack: 3.0
    2010/12/23 18:16:13.0421 Product type: Workstation
    2010/12/23 18:16:13.0421 ComputerName: DAN
    2010/12/23 18:16:13.0421 UserName: Administrator
    2010/12/23 18:16:13.0421 Windows directory: C:\WINDOWS
    2010/12/23 18:16:13.0421 System windows directory: C:\WINDOWS
    2010/12/23 18:16:13.0421 Processor architecture: Intel x86
    2010/12/23 18:16:13.0421 Number of processors: 2
    2010/12/23 18:16:13.0421 Page size: 0x1000
    2010/12/23 18:16:13.0421 Boot type: Normal boot
    2010/12/23 18:16:13.0421 ================================================================================
    2010/12/23 18:16:13.0859 Initialize success
    2010/12/23 18:16:28.0312 ================================================================================
    2010/12/23 18:16:28.0312 Scan started
    2010/12/23 18:16:28.0312 Mode: Manual;
    2010/12/23 18:16:28.0312 ================================================================================
    2010/12/23 18:16:30.0125 ac97intc (0f2d66d5f08ebe2f77bb904288dcf6f0) C:\WINDOWS\system32\drivers\ac97intc.sys
    2010/12/23 18:16:30.0187 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
    2010/12/23 18:16:30.0375 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
    2010/12/23 18:16:30.0468 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
    2010/12/23 18:16:30.0578 adpu320 (0ea9b1f0c6c90a509c8603775366adb7) C:\WINDOWS\system32\DRIVERS\adpu320.sys
    2010/12/23 18:16:30.0781 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
    2010/12/23 18:16:30.0906 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
    2010/12/23 18:16:31.0015 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
    2010/12/23 18:16:31.0062 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
    2010/12/23 18:16:31.0265 ASPI32 (b979979ab8027f7f53fb16ec4229b7db) C:\WINDOWS\system32\drivers\ASPI32.sys
    2010/12/23 18:16:31.0312 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
    2010/12/23 18:16:31.0359 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
    2010/12/23 18:16:31.0468 ati2mtag (92e6e84d152d2acc44936c1c89ff26c4) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
    2010/12/23 18:16:31.0515 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
    2010/12/23 18:16:31.0562 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
    2010/12/23 18:16:31.0656 avgio (0b497c79824f8e1bf22fa6aacd3de3a0) C:\Program Files\Avira\AntiVir Desktop\avgio.sys
    2010/12/23 18:16:31.0703 avgntflt (1eb7d72a82f94f7e9496d363fce00b68) C:\WINDOWS\system32\DRIVERS\avgntflt.sys
    2010/12/23 18:16:31.0781 avipbb (f8c56231ed5ecf7d1b46b0330880ccef) C:\WINDOWS\system32\DRIVERS\avipbb.sys
    2010/12/23 18:16:31.0828 awecho (7305e36433ae7ce4a878ccc900bcf2a8) C:\WINDOWS\system32\drivers\awechomd.sys
    2010/12/23 18:16:31.0875 awlegacy (1464f3daf223e7a204baf1b556ee7769) C:\WINDOWS\System32\Drivers\awlegacy.sys
    2010/12/23 18:16:31.0921 AW_HOST (71c32536b50136e9e439306a2e9296e2) C:\WINDOWS\system32\drivers\aw_host5.sys
    2010/12/23 18:16:31.0968 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
    2010/12/23 18:16:32.0015 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
    2010/12/23 18:16:32.0062 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
    2010/12/23 18:16:32.0125 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
    2010/12/23 18:16:32.0187 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
    2010/12/23 18:16:32.0234 cdrbsdrv (e0042bd5bef17a6a3ef1df576bde24d1) C:\WINDOWS\system32\drivers\cdrbsdrv.sys
    2010/12/23 18:16:32.0281 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
    2010/12/23 18:16:32.0484 CVirtA (5c706c06c1279952d2cc1a609ca948bf) C:\WINDOWS\system32\DRIVERS\CVirtA.sys
    2010/12/23 18:16:32.0515 CVPNDRVA (5ba042bcab6246c6bba51606afd7b488) C:\WINDOWS\system32\Drivers\CVPNDRVA.sys
    2010/12/23 18:16:32.0671 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
    2010/12/23 18:16:32.0734 DLABMFSM (a53723176d0002feb486eff8e17812f2) C:\WINDOWS\system32\DLA\DLABMFSM.SYS
    2010/12/23 18:16:32.0812 DLABOIOM (d4587063acea776699251e177d719586) C:\WINDOWS\system32\DLA\DLABOIOM.SYS
    2010/12/23 18:16:32.0875 DLACDBHM (76167b5eb2dffc729edc36386876b40b) C:\WINDOWS\system32\Drivers\DLACDBHM.SYS
    2010/12/23 18:16:32.0906 DLADResM (4d1b9bdaab7a4e3643b79d805b79d33e) C:\WINDOWS\system32\DLA\DLADResM.SYS
    2010/12/23 18:16:32.0953 DLAIFS_M (24400137e387a24410c52a591f3cfb4d) C:\WINDOWS\system32\DLA\DLAIFS_M.SYS
    2010/12/23 18:16:33.0000 DLAOPIOM (29a303feceb28641ecebdae89eb71c63) C:\WINDOWS\system32\DLA\DLAOPIOM.SYS
    2010/12/23 18:16:33.0031 DLAPoolM (c93e33a22a1ae0c5508f3fb1f6d0a50c) C:\WINDOWS\system32\DLA\DLAPoolM.SYS
    2010/12/23 18:16:33.0062 DLARTL_M (91886fed52a3f9966207bce46cfd794f) C:\WINDOWS\system32\Drivers\DLARTL_M.SYS
    2010/12/23 18:16:33.0093 DLAUDFAM (b953498c35a31e5ac98f49adbcf3e627) C:\WINDOWS\system32\DLA\DLAUDFAM.SYS
    2010/12/23 18:16:33.0125 DLAUDF_M (4897704c093c1f59ce58fc65e1e1ef1e) C:\WINDOWS\system32\DLA\DLAUDF_M.SYS
    2010/12/23 18:16:33.0203 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
    2010/12/23 18:16:33.0281 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
    2010/12/23 18:16:33.0359 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
    2010/12/23 18:16:33.0406 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
    2010/12/23 18:16:33.0437 DNE (2eddbb3ef1dd5a28cb07c149d36e7286) C:\WINDOWS\system32\DRIVERS\dne2000.sys
    2010/12/23 18:16:33.0484 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
    2010/12/23 18:16:33.0515 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
    2010/12/23 18:16:33.0546 DRVMCDB (c00440385cf9f3d142917c63f989e244) C:\WINDOWS\system32\Drivers\DRVMCDB.SYS
    2010/12/23 18:16:33.0625 DRVNDDM (6e6ab29d3c06e64ce81feacda85394b5) C:\WINDOWS\system32\Drivers\DRVNDDM.SYS
    2010/12/23 18:16:33.0656 E100B (3fca03cbca11269f973b70fa483c88ef) C:\WINDOWS\system32\DRIVERS\e100b325.sys
    2010/12/23 18:16:33.0734 e1express (00192f0c612591d585594e9467e6ca8b) C:\WINDOWS\system32\DRIVERS\e1e5132.sys
    2010/12/23 18:16:33.0906 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
    2010/12/23 18:16:33.0953 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
    2010/12/23 18:16:34.0000 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
    2010/12/23 18:16:34.0031 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
    2010/12/23 18:16:34.0109 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
    2010/12/23 18:16:34.0171 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
    2010/12/23 18:16:34.0203 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
    2010/12/23 18:16:34.0328 Gernuwa (fd25177ced6751c14de170d8282ced90) C:\WINDOWS\system32\drivers\Gernuwa.sys
    2010/12/23 18:16:34.0375 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
    2010/12/23 18:16:34.0437 grmnusb (d956358054e99e6ffac69cd87e893a89) C:\WINDOWS\system32\drivers\grmnusb.sys
    2010/12/23 18:16:34.0484 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
    2010/12/23 18:16:34.0546 HECI (d0fc694df051bc65946db616f20d1168) C:\WINDOWS\system32\DRIVERS\HECI.sys
    2010/12/23 18:16:34.0640 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
    2010/12/23 18:16:34.0734 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
    2010/12/23 18:16:34.0906 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
    2010/12/23 18:16:34.0968 i81x (06b7ef73ba5f302eecc294cdf7e19702) C:\WINDOWS\system32\DRIVERS\i81xnt5.sys
    2010/12/23 18:16:35.0046 iAimFP0 (7b5b44efe5eb9dadfb8ee29700885d23) C:\WINDOWS\system32\DRIVERS\wADV01nt.sys
    2010/12/23 18:16:35.0109 iAimFP1 (eb1f6bab6c22ede0ba551b527475f7e9) C:\WINDOWS\system32\DRIVERS\wADV02NT.sys
    2010/12/23 18:16:35.0140 iAimFP2 (03ce989d846c1aa81145cb22fcb86d06) C:\WINDOWS\system32\DRIVERS\wADV05NT.sys
    2010/12/23 18:16:35.0171 iAimFP3 (525849b4469de021d5d61b4db9be3a9d) C:\WINDOWS\system32\DRIVERS\wSiINTxx.sys
    2010/12/23 18:16:35.0218 iAimFP4 (589c2bcdb5bd602bf7b63d210407ef8c) C:\WINDOWS\system32\DRIVERS\wVchNTxx.sys
    2010/12/23 18:16:35.0250 iAimFP5 (0308aef61941e4af478fa1a0f83812f5) C:\WINDOWS\system32\DRIVERS\wADV07nt.sys
    2010/12/23 18:16:35.0312 iAimFP6 (714038a8aa5de08e12062202cd7eaeb5) C:\WINDOWS\system32\DRIVERS\wADV08nt.sys
    2010/12/23 18:16:35.0375 iAimFP7 (7bb3aa595e4507a788de1cdc63f4c8c4) C:\WINDOWS\system32\DRIVERS\wADV09nt.sys
    2010/12/23 18:16:35.0421 iAimTV0 (d83bdd5c059667a2f647a6be5703a4d2) C:\WINDOWS\system32\DRIVERS\wATV01nt.sys
    2010/12/23 18:16:35.0453 iAimTV1 (ed968d23354daa0d7c621580c012a1f6) C:\WINDOWS\system32\DRIVERS\wATV02NT.sys
    2010/12/23 18:16:35.0500 iAimTV3 (d738273f218a224c1ddac04203f27a84) C:\WINDOWS\system32\DRIVERS\wATV04nt.sys
    2010/12/23 18:16:35.0578 iAimTV4 (0052d118995cbab152daabe6106d1442) C:\WINDOWS\system32\DRIVERS\wCh7xxNT.sys
    2010/12/23 18:16:35.0640 iAimTV5 (791cc45de6e50445be72e8ad6401ff45) C:\WINDOWS\system32\DRIVERS\wATV10nt.sys
    2010/12/23 18:16:35.0687 iAimTV6 (352fa0e98bc461ce1ce5d41f64db558d) C:\WINDOWS\system32\DRIVERS\wATV06nt.sys
    2010/12/23 18:16:35.0734 iaStor (019cf5f31c67030841233c545a0e217a) C:\WINDOWS\system32\DRIVERS\iaStor.sys
    2010/12/23 18:16:35.0812 IFXTPM (f67554da27d5b55efcb6c7cb4818fbfd) C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS
    2010/12/23 18:16:35.0875 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
    2010/12/23 18:16:36.0109 IntcAzAudAddService (06b0e8d608ab69643b14a1f95f7feab3) C:\WINDOWS\system32\drivers\RtkHDAud.sys
    2010/12/23 18:16:36.0156 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
    2010/12/23 18:16:36.0203 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
    2010/12/23 18:16:36.0234 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
    2010/12/23 18:16:36.0281 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
    2010/12/23 18:16:36.0312 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
    2010/12/23 18:16:36.0375 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
    2010/12/23 18:16:36.0406 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
    2010/12/23 18:16:36.0453 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
    2010/12/23 18:16:36.0484 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
    2010/12/23 18:16:36.0531 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
    2010/12/23 18:16:36.0562 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
    2010/12/23 18:16:36.0687 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
    2010/12/23 18:16:36.0781 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
    2010/12/23 18:16:36.0984 mirrorv3 (d96ea49ab9a9174331bc023fd0cadc18) C:\WINDOWS\system32\DRIVERS\rminiv3.sys
    2010/12/23 18:16:37.0046 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
    2010/12/23 18:16:37.0093 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
    2010/12/23 18:16:37.0140 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
    2010/12/23 18:16:37.0203 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
    2010/12/23 18:16:37.0234 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
    2010/12/23 18:16:37.0359 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
    2010/12/23 18:16:37.0406 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
    2010/12/23 18:16:37.0468 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
    2010/12/23 18:16:37.0500 MSHUSBVideo (5119ffc2a6b51089cdb0efdc75808c97) C:\WINDOWS\system32\Drivers\nx6000.sys
    2010/12/23 18:16:37.0531 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
    2010/12/23 18:16:37.0578 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
    2010/12/23 18:16:37.0593 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
    2010/12/23 18:16:37.0640 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
    2010/12/23 18:16:37.0671 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
    2010/12/23 18:16:37.0718 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
    2010/12/23 18:16:37.0781 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
    2010/12/23 18:16:37.0843 NAL (1e59aaed42a5e3a5ed86ec403f9c0776) C:\WINDOWS\system32\Drivers\iqvw32.sys
    2010/12/23 18:16:37.0906 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
    2010/12/23 18:16:37.0953 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
    2010/12/23 18:16:38.0000 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
    2010/12/23 18:16:38.0109 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
    2010/12/23 18:16:38.0156 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
    2010/12/23 18:16:38.0187 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
    2010/12/23 18:16:38.0234 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
    2010/12/23 18:16:38.0281 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
    2010/12/23 18:16:38.0343 nm (1e421a6bcf2203cc61b821ada9de878b) C:\WINDOWS\system32\DRIVERS\NMnt.sys
    2010/12/23 18:16:38.0406 NPF (6623e51595c0076755c29c00846c4eb2) C:\WINDOWS\system32\drivers\npf.sys
    2010/12/23 18:16:38.0453 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
    2010/12/23 18:16:38.0500 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
    2010/12/23 18:16:38.0593 NTIDrvr (8055859b87ac3e504ece0c1e9353cc4e) C:\WINDOWS\system32\drivers\NTIDrvr.sys
    2010/12/23 18:16:38.0640 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
    2010/12/23 18:16:38.0671 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
    2010/12/23 18:16:38.0703 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
    2010/12/23 18:16:38.0734 P3 (c90018bafdc7098619a4a95b046b30f3) C:\WINDOWS\system32\DRIVERS\p3.sys
    2010/12/23 18:16:38.0843 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
    2010/12/23 18:16:38.0890 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
    2010/12/23 18:16:38.0937 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
    2010/12/23 18:16:38.0984 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
    2010/12/23 18:16:39.0109 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
    2010/12/23 18:16:39.0234 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
    2010/12/23 18:16:39.0531 PersonalSecureDrive (9abf51856b69b6a343988bc7d74840c4) C:\WINDOWS\System32\drivers\psd.sys
    2010/12/23 18:16:39.0609 pppop (80ae9714ff0c140d6471911fe334198a) C:\WINDOWS\system32\DRIVERS\pppop.sys
    2010/12/23 18:16:39.0703 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
    2010/12/23 18:16:39.0828 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
    2010/12/23 18:16:39.0953 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
    2010/12/23 18:16:40.0046 PxHelp20 (feffcfdc528764a04c8ed63d5fa6e711) C:\WINDOWS\system32\Drivers\PxHelp20.sys
    2010/12/23 18:16:40.0296 raddrvv3 (bfadb3f81e4e8ab07bca46f2882989da) C:\WINDOWS\system32\rserver30\raddrvv3.sys
    2010/12/23 18:16:40.0359 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
    2010/12/23 18:16:40.0421 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
    2010/12/23 18:16:40.0484 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
    2010/12/23 18:16:40.0531 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
    2010/12/23 18:16:40.0625 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
    2010/12/23 18:16:40.0671 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
    2010/12/23 18:16:40.0734 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
    2010/12/23 18:16:40.0890 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
    2010/12/23 18:16:40.0937 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
    2010/12/23 18:16:41.0000 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
    2010/12/23 18:16:41.0031 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
    2010/12/23 18:16:41.0078 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
    2010/12/23 18:16:41.0109 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
    2010/12/23 18:16:41.0171 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
    2010/12/23 18:16:41.0234 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
    2010/12/23 18:16:41.0281 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
    2010/12/23 18:16:41.0328 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys
    2010/12/23 18:16:41.0390 ssmdrv (a36ee93698802cd899f98bfd553d8185) C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
    2010/12/23 18:16:41.0421 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
    2010/12/23 18:16:41.0453 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
    2010/12/23 18:16:41.0484 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
    2010/12/23 18:16:41.0515 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
    2010/12/23 18:16:41.0562 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
    2010/12/23 18:16:41.0703 SymEvent (7e3a39f208d93f7d443794db9aefbe44) C:\Program Files\Symantec\SYMEVENT.SYS
    2010/12/23 18:16:41.0765 Symmpi (f2b7e8416f508368ac6730e2ae1c614f) C:\WINDOWS\system32\DRIVERS\symmpi.sys
    2010/12/23 18:16:41.0812 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
    2010/12/23 18:16:41.0843 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
    2010/12/23 18:16:41.0890 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
    2010/12/23 18:16:41.0937 tap0801 (846b7c0e3f6370cdcce157a5b36e70cd) C:\WINDOWS\system32\DRIVERS\tap0801.sys
    2010/12/23 18:16:41.0984 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
    2010/12/23 18:16:42.0031 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
    2010/12/23 18:16:42.0062 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
    2010/12/23 18:16:42.0093 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
    2010/12/23 18:16:42.0171 UBHelper (9e39dc3022e6d84bf974678011a1ea4c) C:\WINDOWS\system32\drivers\UBHelper.sys
    2010/12/23 18:16:42.0218 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
    2010/12/23 18:16:42.0296 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
    2010/12/23 18:16:42.0328 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
    2010/12/23 18:16:42.0390 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
    2010/12/23 18:16:42.0421 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
    2010/12/23 18:16:42.0453 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
    2010/12/23 18:16:42.0484 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
    2010/12/23 18:16:42.0515 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    2010/12/23 18:16:42.0546 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
    2010/12/23 18:16:42.0625 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
    2010/12/23 18:16:42.0671 VBoxDrv (60741ad74d5d599dc1ba7a00265a3606) C:\WINDOWS\system32\DRIVERS\VBoxDrv.sys
    2010/12/23 18:16:42.0703 VBoxNetAdp (3f753d64b3a3aba0690aeeb8e4f12460) C:\WINDOWS\system32\DRIVERS\VBoxNetAdp.sys
    2010/12/23 18:16:42.0828 VBoxNetFlt (32207ed4e4b335e5ec774d37127e837e) C:\WINDOWS\system32\DRIVERS\VBoxNetFlt.sys
    2010/12/23 18:16:42.0906 VBoxUSBMon (7d0c8fc5a5917af4f091d0f4e83a7cec) C:\WINDOWS\system32\DRIVERS\VBoxUSBMon.sys
    2010/12/23 18:16:42.0953 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
    2010/12/23 18:16:42.0984 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
    2010/12/23 18:16:43.0031 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
    2010/12/23 18:16:43.0078 vsdatant (27b3dd12a19eec50220df15b64913dda) C:\WINDOWS\system32\vsdatant.sys
    2010/12/23 18:16:43.0187 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
    2010/12/23 18:16:43.0234 Wdf01000 (bbcfeab7e871cddac2d397ee7fa91fdc) C:\WINDOWS\system32\Drivers\wdf01000.sys
    2010/12/23 18:16:43.0328 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
    2010/12/23 18:16:43.0390 WinUSB (fd600b032e741eb6aab509fc630f7c42) C:\WINDOWS\system32\DRIVERS\WinUSB.sys
    2010/12/23 18:16:43.0421 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
    2010/12/23 18:16:43.0468 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
    2010/12/23 18:16:43.0515 WudfPf (6ff66513d372d479ef1810223c8d20ce) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
    2010/12/23 18:16:43.0546 WudfRd (ac13cb789d93412106b0fb6c7eb2bcb6) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
    2010/12/23 18:16:43.0593 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
    2010/12/23 18:16:43.0593 ================================================================================
    2010/12/23 18:16:43.0593 Scan finished
    2010/12/23 18:16:43.0593 ================================================================================
    2010/12/23 18:16:43.0609 Detected object count: 1
    2010/12/23 18:16:56.0421 \HardDisk0 - will be cured after reboot
    2010/12/23 18:16:56.0421 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
    2010/12/23 18:17:10.0734 Deinitialize success
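The TDSSKiller log above has a fixed line format: one timestamped line per loaded driver with its MD5 and path, then a detection line per object found, and an action line once the user chooses what to do. As an added example (not code from the thread or from TDSSKiller), here is a small Python parser that pulls the driver inventory and the detection records out of such a log, so the hashes and paths can be reviewed or checked against a hash list of your own. The embedded excerpt is constructed from the line formats shown in the post (it is not the full log), the `drivers_outside_windows` heuristic is this example's own triage aid, and the hash set passed to `match_md5` is whatever list you supply.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed excerpt (not the full log) using the line formats that
# TDSSKiller 2.4.x writes, as seen in the post above.
SAMPLE_LOG = r"""
2010/12/23 18:16:28.0312 Scan started
2010/12/23 18:16:28.0312 Mode: Manual;
2010/12/23 18:16:30.0187 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/12/23 18:16:31.0656 avgio (0b497c79824f8e1bf22fa6aacd3de3a0) C:\Program Files\Avira\AntiVir Desktop\avgio.sys
2010/12/23 18:16:31.0359 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/12/23 18:16:43.0593 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2010/12/23 18:16:43.0593 Scan finished
2010/12/23 18:16:43.0609 Detected object count: 1
2010/12/23 18:16:56.0421 \HardDisk0 - will be cured after reboot
2010/12/23 18:16:56.0421 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
"""

TS = r"(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4})"
DRIVER_RE = re.compile(TS + r" (\S+) \(([0-9a-f]{32})\) (.+)$")          # name (md5) path
DETECT_RE = re.compile(TS + r" (\S+) - detected (\S+) \(\d+\)$")         # target - detected verdict (n)
ACTION_RE = re.compile(TS + r" (\S+)\((\S+)\) - User select action: (\S+)$")
COUNT_RE = re.compile(TS + r" Detected object count: (\d+)$")


@dataclass
class Driver:
    timestamp: str
    name: str
    md5: str
    path: str


@dataclass
class Detection:
    timestamp: str
    target: str       # e.g. \HardDisk0 or a driver name
    verdict: str      # e.g. Rootkit.Win32.TDSS.tdl4
    action: Optional[str] = None


@dataclass
class ScanResult:
    drivers: List[Driver] = field(default_factory=list)
    detections: List[Detection] = field(default_factory=list)
    detected_count: Optional[int] = None  # the tool's own count, for cross-checking


def parse_tdsskiller_log(text: str) -> ScanResult:
    result = ScanResult()
    for raw in text.splitlines():
        line = raw.strip()
        m = DRIVER_RE.match(line)
        if m:
            result.drivers.append(Driver(*m.groups()))
            continue
        m = DETECT_RE.match(line)
        if m:
            result.detections.append(Detection(*m.groups()))
            continue
        m = ACTION_RE.match(line)
        if m:
            _, verdict, target, action = m.groups()
            # Attach the chosen action to the matching detection record.
            for d in result.detections:
                if d.target == target and d.verdict == verdict:
                    d.action = action
            continue
        m = COUNT_RE.match(line)
        if m:
            result.detected_count = int(m.group(2))
    return result


def drivers_outside_windows(drivers: List[Driver], windows_dir: str = r"C:\WINDOWS") -> List[Driver]:
    """Triage aid (this example's own heuristic): drivers loaded from outside the
    Windows directory. Third-party products legitimately do this (the Avira
    driver here), so this is a review list, not a verdict."""
    prefix = windows_dir.lower().rstrip("\\") + "\\"
    return [d for d in drivers if not d.path.lower().startswith(prefix)]


def match_md5(drivers: List[Driver], hashes: Set[str]) -> List[Driver]:
    """Drivers whose MD5 appears in a caller-supplied hash list (case-insensitive)."""
    wanted = {h.lower() for h in hashes}
    return [d for d in drivers if d.md5.lower() in wanted]


if __name__ == "__main__":
    r = parse_tdsskiller_log(SAMPLE_LOG)
    print(f"{len(r.drivers)} drivers, {len(r.detections)} detections (tool says {r.detected_count})")
    for d in r.detections:
        print(f"  {d.target}: {d.verdict} -> action {d.action}")
    for d in drivers_outside_windows(r.drivers):
        print(f"  review: {d.name} loaded from {d.path}")
```

Cross-checking `detected_count` against the number of parsed detection lines is a cheap way to notice when the log format has changed and a line was silently skipped.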
     
  6. 2010/12/23
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Good job :)

    Download Bootkit Remover to your Desktop.

    • You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip: http://www.7-zip.org/
    • After extracting remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users, right click on remover.exe and click Run As Administrator).
    • It will show a Black screen with some data on it.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.
     
  7. 2010/12/23
    dmonfette

    dmonfette Inactive Thread Starter

    Joined:
    2010/12/23
    Messages:
    19
    Likes Received:
    0
    Here is the result:
    Bootkit Remover
    (c) 2009 eSage Lab
    www.esagelab.com

    Program version: 1.2.0.0
    OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
    Boot sector MD5 is: a47b8690aaee9b3d17289c10971c153a

    Size Device Name MBR Status
    --------------------------------------------
    698 GB \\.\PhysicalDrive0 Unknown boot code

    Unknown boot code has been found on some of your physical disks.
    To inspect the boot code manually, dump the master boot sector:
    remover.exe dump <device_name> [output_file]
    To disinfect the master boot sector, use the following command:
    remover.exe fix <device_name>


    Done;
    Press any key to quit...
     
  8. 2010/12/23
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    We need to fix your MBR...

    Please download NTBR by noahdfear and save it to your Desktop.
    File size: 2.44 MB (2,565,432 bytes)

    • Place a blank CD in your CD drive.
    • Double click on NTBR_CD.exe file and a folder of the same name will appear.
    • Open the folder and double click on BurnItCD.cmd file. If your CD drive will open, simply close it back.
    • Follow the prompts to burn the CD.
    • Now you will need to set the CD-Rom as first boot device if it isn't already (if you don't know how to do it, see HERE)
    • If you have any questions about this step, ask before you proceed. If you enter the BIOS and are unsure if you have carried out the step correctly, there should be an option to exit without keeping changes, so you won't do any harm.
    • Insert the newly created CD into your infected PC and reboot your computer.
    • Once you have rebooted please press Enter when prompted to continue booting from CD - you have a whole 15 seconds to do this!
    • Read the warning and then continue as prompted.
    • You first need to select your keyboard layout - press Enter for English.
    • Next you want to select the appropriate tool. Enter 1 to choose 1. MBRWORK
    • On the following screen enter 5 to select Install Standard MBR code.
    • Enter 1 to overwrite the infected MBR Code with the Standard MBR code.
    • When asked to confirm please do so.
    • Afterwards, please enter E to leave MBRWORK, then 6 to leave the bootable CD.
    • Eject the disc and then press ctrl+alt+del to reboot the PC.
    Once rebooted, run MBRCheck again and post its log.
     
  9. 2010/12/23
    dmonfette

    dmonfette Inactive Thread Starter

    Joined:
    2010/12/23
    Messages:
    19
    Likes Received:
    0
    Here is the result: (Looks good to me!)

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Professional
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x0006001c

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
    \\.\D: --> \\.\PhysicalDrive0 at offset 0x00000010`a0f85600 (NTFS)
    \\.\E: --> \\.\PhysicalDrive0 at offset 0x00000012`a14c0000 (NTFS)

    Size Device Name MBR Status
    --------------------------------------------
    698 GB \\.\PhysicalDrive0 Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


    Done!
    Press ENTER to exit...
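The Bootkit Remover output in post 7 and the MBRCheck output above both report a hash of the boot sector, a status for the boot code ("Unknown boot code" before the fix, "Windows XP MBR code detected" after), and each volume's byte offset on PhysicalDrive0. As an added example (not code from either tool or from the thread), the following Python reads a 512-byte MBR image the same way: it checks the 0x55AA signature, decodes the four partition entries, and classifies the boot code by comparing a hash of its code region against a table of known-good hashes. The MBR image, the boot code bytes and the known-good table are constructed here; only the partition offsets 0x7e00 and 0x10a0f85600 are taken from the MBRCheck output in the post. Which byte range the real tools hash is not stated in the thread, so the hashes this code prints will not match the ones printed above.

```python
import hashlib
import struct
from typing import Dict, List, NamedTuple

SECTOR = 512
BOOT_CODE_LEN = 440        # bytes 0x000-0x1B7: executable boot code
PART_TABLE_OFF = 0x1BE     # four 16-byte partition entries
SIG_OFF = 0x1FE            # 0x55 0xAA boot signature


class Partition(NamedTuple):
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int

    def byte_offset(self) -> int:
        # This is the value the tools print, e.g. 0x7e00 == LBA 63 * 512.
        return self.lba_start * SECTOR


def parse_partition_table(sector: bytes) -> List[Partition]:
    if len(sector) != SECTOR:
        raise ValueError("expected one 512-byte sector")
    if sector[SIG_OFF:SIG_OFF + 2] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, type_id = sector[off], sector[off + 4]
        lba_start, count = struct.unpack_from("<II", sector, off + 8)
        if type_id == 0:
            continue  # empty slot
        parts.append(Partition(i, status == 0x80, type_id, lba_start, count))
    return parts


def boot_code_sha1(sector: bytes) -> str:
    # Hash only the code region so the per-machine partition table does not
    # change the value. The byte range the real tools hash is an assumption.
    return hashlib.sha1(sector[:BOOT_CODE_LEN]).hexdigest().upper()


def classify_boot_code(sector: bytes, known_good: Dict[str, str]) -> str:
    """Return the label of a known-good boot code, else 'Unknown boot code'."""
    return known_good.get(boot_code_sha1(sector), "Unknown boot code")


def build_sample_mbr(boot_code: bytes, partitions: List[Partition]) -> bytes:
    """Constructed MBR image for offline use; CHS fields are left zero."""
    sector = bytearray(SECTOR)
    sector[:len(boot_code)] = boot_code
    for p in partitions:
        off = PART_TABLE_OFF + 16 * p.index
        sector[off] = 0x80 if p.bootable else 0x00
        sector[off + 4] = p.type_id
        struct.pack_into("<II", sector, off + 8, p.lba_start, p.sector_count)
    sector[SIG_OFF:SIG_OFF + 2] = b"\x55\xaa"
    return bytes(sector)


# Constructed stand-in for boot code (not real x86 code), padded to 440 bytes.
SAMPLE_BOOT_CODE = b"\xfa\x33\xc0" + b"constructed placeholder boot code".ljust(BOOT_CODE_LEN - 3, b"\x00")

# Sector counts are constructed; start offsets come from the MBRCheck output.
SAMPLE_PARTS = [
    Partition(0, True, 0x07, 0x7E00 // SECTOR, 2_000_000),          # C: at LBA 63
    Partition(1, False, 0x07, 0x10A0F85600 // SECTOR, 2_000_000),   # D:
]

# Constructed known-good table: in practice this holds the hashes of the
# standard boot code for each Windows version you expect to see.
KNOWN_GOOD = {boot_code_sha1(build_sample_mbr(SAMPLE_BOOT_CODE, [])): "Constructed reference MBR code"}


def mbr_report(sector: bytes, known_good: Dict[str, str] = KNOWN_GOOD) -> dict:
    return {
        "status": classify_boot_code(sector, known_good),
        "sha1": boot_code_sha1(sector),
        "partitions": parse_partition_table(sector),
    }


if __name__ == "__main__":
    image = build_sample_mbr(SAMPLE_BOOT_CODE, SAMPLE_PARTS)
    report = mbr_report(image)
    print(f"MBR status: {report['status']}  SHA1: {report['sha1']}")
    for p in report["partitions"]:
        print(f"  entry {p.index}: type 0x{p.type_id:02x} bootable={p.bootable} "
              f"offset 0x{p.byte_offset():x}")
```

On a live system the 512 bytes would come from the raw physical drive rather than `build_sample_mbr`; the classification logic is unchanged. Any byte of the code region that differs from the reference (which is what a bootkit that replaces the MBR loader does) turns the status into "Unknown boot code", while partition-table edits alone do not.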
     
  10. 2010/12/23
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Yes :)

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion ", restart computer to fix the issue.



    Make sure you re-enable your security programs when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete the Combofix file, download a fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.pif
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  11. 2010/12/24
    dmonfette (Inactive Thread Starter)
    Thanks again broni!

    Here is the ComboFix result:

    ComboFix 10-12-24.01 - Administrator 2010-12-24 13:42:57.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.2.1033.18.3583.2840 [GMT -5:00]
    Lancé depuis: c:\documents and settings\Administrator\Desktop\malware\ComboFix.exe
    AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
    .

    (((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\danny\Local Settings\Application Data\{89489159-3FA0-49AC-968A-7C3E455F74FB}
    c:\documents and settings\danny\Local Settings\Application Data\{89489159-3FA0-49AC-968A-7C3E455F74FB}\chrome.manifest
    c:\documents and settings\danny\Local Settings\Application Data\{89489159-3FA0-49AC-968A-7C3E455F74FB}\chrome\content\_cfg.js
    c:\documents and settings\danny\Local Settings\Application Data\{89489159-3FA0-49AC-968A-7C3E455F74FB}\chrome\content\overlay.xul
    c:\documents and settings\danny\Local Settings\Application Data\{89489159-3FA0-49AC-968A-7C3E455F74FB}\install.rdf
    c:\windows\AUTOLNCH.REG
    c:\windows\system32\Oeminfo.ini
    c:\windows\winhelp.ini
    D:\Autorun.inf

    .
    ((((((((((((((((((((((((((((((((((((((( Pilotes/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_SSHNAS


    ((((((((((((((((((((((((((((( Fichiers créés du 2010-11-24 au 2010-12-24 ))))))))))))))))))))))))))))))))))))
    .

    2010-12-23 03:45 . 2008-04-14 10:41 33792 ------w- c:\windows\system32\dllcache\custsat.dll
    2010-12-23 03:26 . 2010-12-23 03:34 -------- d-----w- c:\documents and settings\Administrator\Application Data\Roxio
    2010-12-23 03:26 . 2010-12-23 03:26 -------- d-----w- c:\program files\autorun
    2010-12-23 03:13 . 2010-12-23 03:13 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
    2010-12-20 12:30 . 2010-12-23 03:21 0 ----a-w- c:\windows\Ibilodobuvog.bin
    2010-12-20 08:57 . 2010-12-20 08:57 -------- d-----w- c:\documents and settings\LocalService\Application Data\AdobeUM
    2010-12-20 05:30 . 2010-12-20 08:56 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
    2010-12-20 05:06 . 2010-12-20 05:06 -------- d-s---w- c:\documents and settings\LocalService\UserData
    2010-12-20 01:06 . 2010-12-20 01:06 -------- d-s---w- c:\documents and settings\NetworkService\UserData

    .
    (((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-03-05 22:49 . 2009-03-05 22:48 224256 ----a-w- c:\program files\fentun.exe
    2008-08-06 21:27 . 2008-09-22 01:23 3520552 ----a-w- c:\program files\procexp.exe
    2007-05-17 14:56 . 2008-02-01 22:42 172032 ----a-w- c:\program files\puttygen.exe
    2007-05-17 14:56 . 2008-02-01 22:42 135168 ----a-w- c:\program files\pageant.exe
    2007-05-17 14:56 . 2008-02-01 22:42 282624 ----a-w- c:\program files\plink.exe
    2007-05-17 14:56 . 2008-02-01 22:42 307200 ----a-w- c:\program files\psftp.exe
    2007-05-17 14:56 . 2008-02-01 22:42 294912 ----a-w- c:\program files\pscp.exe
    2007-05-17 14:56 . 2008-02-01 22:42 294912 ----a-w- c:\program files\puttytel.exe
    2007-05-17 14:55 . 2008-02-01 22:42 454656 ----a-w- c:\program files\putty.exe
    .

    ((((((((((((((((((((((((((((((((( Points de chargement Reg ))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* les éléments vides & les éléments initiaux légitimes ne sont pas listés
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-08-22 2363392]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-05-24 344064]
    "PTHOSTTR"="c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2006-06-08 131072]
    "SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 525824]
    "CognizanceTS"="c:\progra~1\HPQ\IAM\Bin\AsTsVcc.dll" [2003-12-22 17920]
    "ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-01-10 385024]
    "EventServer"="c:\program files\RemoteAgent64\Bin\EventServer.exe" [2006-11-14 151552]
    "RTHDCPL"="RTHDCPL.EXE" [2008-06-13 16871936]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-08-17 281768]
    "BackupNowEZtray"="c:\program files\NewTech Infosystems\Backup Now EZ\BackupNowEZtray.exe" [2009-05-08 552192]
    "LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2010-03-12 119152]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
    "Scheduler"="c:\windows\SMINST\Scheduler.exe" [2006-04-24 888832]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    MotionSD STUDIO - Auto-activation Navigateur SD -.lnk - c:\program files\Panasonic\MotionSD STUDIO\SD_Browser\AutoLauncher.exe [2008-9-21 66952]
    VPN Client.lnk - c:\windows\Installer\{D25122BC-A60E-4663-B602-B01718F12044}\Icon3E5562ED7.ico [2008-1-20 6144]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
    EventLogger.lnk - c:\program files\JM Integrated Remote Station\cms\EventLogger.exe [2010-8-17 540672]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "DisableCAD"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IfxWlxEN]
    2006-04-07 04:00 434176 ----a-w- c:\windows\system32\IfxWlxEN.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
    2006-06-07 19:26 40448 ----a-w- c:\program files\HPQ\IAM\Bin\AsWlnPkg.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
    2004-11-05 15:50 8704 ----a-w- c:\windows\system32\PCANotify.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\WINDOWS\\SMINST\\Scheduler.exe"=
    "c:\\Program Files\\TightVNC\\WinVNC.exe"=
    "c:\\WINDOWS\\system32\\mstsc.exe"=
    "c:\\Program Files\\Look@LAN\\LookAtLan.exe"=
    "c:\\Program Files\\RemoteAgent64\\Bin\\EventServer.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
    "c:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"=
    "c:\\Program Files\\Xming\\Xming.exe"=
    "e:\\Program Files\\Sun\\VirtualBox\\VirtualBox.exe"=
    "c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
    "c:\\Program Files\\Microsoft LifeCam\\LifeEnC2.exe"=
    "c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
    "c:\\Program Files\\Microsoft LifeCam\\LifeTray.exe"=
    "c:\\Program Files\\Toktumi\\Toktumi.exe"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "c:\\Program Files\\JM Integrated Remote Station\\cms\\EventLogger.exe"=
    "c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
    "c:\\Program Files\\BitTorrent\\bittorrent.exe"=
    "c:\\Program Files\\DNA\\btdna.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "4899:TCP"= 4899:TCP:Remote_Admin

    R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [4/6/2006 11:46 PM 31104]
    R1 raddrvv3;raddrvv3;c:\windows\system32\rserver30\raddrvv3.sys [2/2/2007 2:54 PM 41176]
    R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [9/15/2009 5:46 PM 123280]
    R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [9/15/2009 5:46 PM 41680]
    R2 AntiVirSchedulerService;Avira AntiVir Planificateur;c:\program files\Avira\AntiVir Desktop\sched.exe [5/6/2009 6:48 PM 135336]
    R2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [2/27/2006 9:00 PM 14336]
    R2 exim;Exim;e:\cygwin\bin\cygrunsrv.exe [12/19/2008 8:17 PM 68096]
    R2 FortiSslvpnDaemon;FortiClient SSL VPN;c:\windows\system32\FortiSSLVPNdaemon.exe [2/6/2009 9:39 AM 518688]
    R2 NovacomD;Palm Novacom;c:\program files\Palm\SDK\bin\novacom\x86\novacomd.exe [8/3/2009 9:13 PM 31232]
    R2 NTI BackupNowEZSvr;NTI BackupNowEZSvr;c:\program files\NewTech Infosystems\Backup Now EZ\BackupNowEZSvr.exe [5/8/2009 5:20 PM 45312]
    R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [5/11/2007 8:26 PM 36608]
    R3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\drivers\nx6000.sys [3/19/2010 3:26 PM 30576]
    R3 pppop;PPPoP WAN Adapter;c:\windows\system32\drivers\pppop.sys [2/3/2009 10:43 AM 36384]
    R3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\drivers\tap0801.sys [7/31/2004 4:50 PM 23552]
    R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [9/15/2009 5:46 PM 99152]
    R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\drivers\VBoxNetFlt.sys [2/12/2010 8:34 PM 110096]
    S2 gupdate;Service Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/7/2009 6:32 PM 133104]
    S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [11/6/2007 3:22 PM 34064]
    S4 RServer3;Radmin Server V3;"c:\windows\system32\rserver30\RServer3.exe" /service --> c:\windows\system32\rserver30\RServer3.exe [?]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    Cognizance REG_MULTI_SZ ASChannel

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2008-08-22 18:11 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
    .
    Contenu du dossier 'Tâches planifiées'

    2010-03-25 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:57]

    2010-12-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-10-07 23:32]

    2010-12-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-10-07 23:32]
    .
    .
    ------- Examen supplémentaire -------
    .
    uStart Page = hxxp://www.hp.com
    uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
    Handler: intu-ir2008 - {729D3592-92E7-4cbc-8E44-3C22B3F457B3} - c:\program files\ImpotRapide 2008\ic2008pp.dll
    Handler: intu-ir2009 - {E4616804-F2F8-4839-B728-5305004DA6A7} - c:\program files\ImpotRapide 2009\ic2009pp.dll
    DPF: {32C11E38-E587-4BE9-9ABB-D69158C21CE5} - hxxp://216.30.165.22:8080/activex/decoder/mpeg4_dec.cab
    DPF: {46D8BEE7-0B27-4466-ABA2-A5F1E157971C} - hxxp://65.254.18.46:100/RemoteWeb.cab
    DPF: {5B8DED15-6FC1-4044-A923-F8CE2EAB40B7} - hxxp://216.215.157.230/SpecoRemote.cab
    DPF: {5FFDFC21-AE40-4C7C-955C-415A1ACE01C8} - hxxp://65.254.18.46:100/VideoViewer.cab
    DPF: {721700FE-7F0E-49C5-BDED-CA92B7CB1245} - hxxp://192.168.200.100/dcsclictrl.cab
    DPF: {A2DA760C-D2DF-4FED-92B4-593E3F148692} - hxxp://demopc8p24.dss.com.tw:1700/WebCamX.cab
    DPF: {CF1C4A31-BD38-4DCB-BFDB-9E1854B6AAF1} - hxxp://www.dvrhost.com/control/viewer.cab
    DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://216.30.165.22:8080/activex/AMC.cab
    DPF: {F3CAAA40-344A-412E-84E3-D176D64EE54F} - hxxp://www.bms2000.org/BMS2000_Access_Control.ocx
    FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\xcprpuph.default\
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-12-24 13:47
    Windows 5.1.2600 Service Pack 3 NTFS

    Recherche de processus cachés ...

    Recherche d'éléments en démarrage automatique cachés ...

    Recherche de fichiers cachés ...

    Scan terminé avec succès
    Fichiers cachés: 0

    **************************************************************************
    .
    --------------------- CLES DE REGISTRE BLOQUEES ---------------------

    [HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
    00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
    .
    --------------------- DLLs chargées dans les processus actifs ---------------------

    - - - - - - - > 'winlogon.exe'(336)
    c:\windows\system32\Ati2evxx.dll
    c:\program files\HPQ\IAM\Bin\AsWlnPkg.dll
    c:\windows\system32\IfxWlxEN.dll

    - - - - - - - > 'explorer.exe'(3368)
    c:\program files\HPQ\IAM\Bin\SFSShell.dll
    c:\program files\HPQ\IAM\bin\ItMsg.dll
    c:\program files\NewTech Infosystems\Backup Now EZ\Pehook.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\program files\Roxio\Drag-to-Disc\Shellex.dll
    c:\windows\system32\DLAAPI_W.DLL
    c:\windows\system32\CDRTC.DLL
    c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
    c:\program files\WinSCP3\DragExt.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Autres processus actifs ------------------------
    .
    c:\windows\system32\Ati2evxx.exe
    c:\program files\Avira\AntiVir Desktop\avguard.exe
    c:\program files\Avira\AntiVir Desktop\avshadow.exe
    c:\windows\system32\Ati2evxx.exe
    c:\program files\HPQ\IAM\bin\asghost.exe
    c:\program files\Cisco Systems\VPN Client\cvpnd.exe
    c:\windows\system32\IFXSPMGT.exe
    e:\cygwin\bin\exim-4.69-1.exe
    c:\windows\system32\IFXTCS.exe
    c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\LightScribe\LSSrvc.exe
    c:\program files\Microsoft LifeCam\MSCamS32.exe
    c:\program files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
    c:\program files\TightVNC\WinVNC.exe
    c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
    c:\windows\RTHDCPL.EXE
    c:\windows\system32\wscntfy.exe
    c:\program files\ProtectTools\Embedded Security Software\PSDrt.exe
    c:\windows\system32\wbem\wmiapsrv.exe
    .
    **************************************************************************
    .
    Heure de fin: 2010-12-24 13:49:12 - La machine a redémarré
    ComboFix-quarantined-files.txt 2010-12-24 18:49

    Avant-CF: 27*672*326*144 bytes free
    Après-CF: 27*589*345*280 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-FRA.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    - - End Of File - - F4783E8C1DE724E8F6A7495CE84C4357
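A triage helper for the ComboFix report above, added here as an example; it is not a ComboFix feature and not one of the tools used in this thread. It parses the REGEDIT4-style "Points de chargement Reg" part of the log and lists what a reviewer checks first: the Run-key entries, whether the Windows Firewall standard profile is enabled, which ports are globally opened and how many applications are exempted. The sample text is constructed from registry lines quoted in the post above, and every finding is a review pointer, not a malware verdict.

```python
"""Added example: triage the registry part of a ComboFix report.
Not a ComboFix or WindowsBBS tool; the sample text below is constructed
from lines quoted in the forum post above."""
import re
from dataclasses import dataclass

# Constructed sample, modelled on the "Points de chargement Reg" section
# of the ComboFix.txt quoted above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-05-24 344064]
"RTHDCPL"="RTHDCPL.EXE" [2008-06-13 16871936]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-08-17 281768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\TightVNC\\WinVNC.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4899:TCP"= 4899:TCP:Remote_Admin
"""

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')                      # [HKLM\...]
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=\s*(?P<value>.*)$')     # "Name"= value
RUN_VALUE_RE = re.compile(r'^"(?P<path>[^"]*)"\s*\[(?P<date>\S+)\s+(?P<size>\d+)\]')


@dataclass
class RunEntry:
    key: str
    name: str
    path: str
    date: str
    size: int


def parse_registry_block(text):
    """Return {key: [(name, raw_value), ...]}; keys are stored lower-cased
    because ComboFix prints them with mixed case."""
    entries = {}
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group('key').lower()
            entries.setdefault(key, [])
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            entries[key].append((m.group('name'), m.group('value').strip()))
    return entries


def run_entries(entries):
    """Collect every value under a ...\\CurrentVersion\\Run key."""
    out = []
    for key, values in entries.items():
        if not key.endswith(r'\currentversion\run'):
            continue
        for name, raw in values:
            m = RUN_VALUE_RE.match(raw)
            if m:
                out.append(RunEntry(key, name, m.group('path'),
                                    m.group('date'), int(m.group('size'))))
    return out


def run_findings(run):
    """A Run value that is not an absolute path is resolved through the
    search path, so the reviewer must confirm which file actually runs."""
    return [f'{e.name}: "{e.path}" is not an absolute path; confirm which '
            f'file on the search path actually runs'
            for e in run if not re.match(r'^[a-z]:\\', e.path, re.IGNORECASE)]


def firewall_findings(entries):
    findings = []
    for key, values in entries.items():
        if 'firewallpolicy' not in key:
            continue
        if key.endswith('standardprofile'):
            for name, raw in values:
                if name.lower() == 'enablefirewall' and raw.split()[:1] == ['0']:
                    findings.append('Windows Firewall is disabled in the standard profile')
        elif key.endswith(r'globallyopenports\list'):
            findings.extend(f'globally open port {raw}' for _, raw in values)
        elif key.endswith(r'authorizedapplications\list'):
            findings.append(f'{len(values)} application(s) exempted from the firewall')
    return findings


def triage(text):
    entries = parse_registry_block(text)
    run = run_entries(entries)
    return {'run_entries': run,
            'findings': run_findings(run) + firewall_findings(entries)}


if __name__ == '__main__':
    result = triage(SAMPLE_LOG)
    for e in result['run_entries']:
        print(f'RUN {e.name:<20} {e.path} ({e.date}, {e.size} bytes)')
    for f in result['findings']:
        print('CHECK', f)
```

Run it on a saved ComboFix.txt by replacing SAMPLE_LOG with the file contents; the Run-key list gives the reviewer the same name/path/date/size tuple ComboFix prints, and the findings point at the three things in this log worth a second look (the disabled firewall, the 4899/TCP exception and a Run value given as a bare file name).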
     
  12. 2010/12/24
    broni (Moderator, Malware Analyst)
    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\Ibilodobuvog.bin
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
     
  13. 2010/12/25
    dmonfette (Inactive Thread Starter)
    Broni;

    I disabled my Avira antivir guard, created the txt file, dragged it to the combofix.exe icon. Combofix started, updated itself and ran.

    I was asked to reboot the computer, but no report... Should I run it again?
    Thanks;
    --
    Danny
     
  14. 2010/12/25
    broni (Moderator, Malware Analyst)
    Yes, please.
     
  15. 2010/12/25
    dmonfette (Inactive Thread Starter)
    This time it ran:

    ComboFix 10-12-25.02 - Administrator 2010-12-25 22:58:55.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.2.1033.18.3583.3021 [GMT -5:00]
    Lancé depuis: c:\documents and settings\Administrator\Desktop\malware\ComboFix.exe
    Commutateurs utilisés :: c:\documents and settings\Administrator\Desktop\malware\CFScript.txt
    AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

    FILE ::
    "c:\windows\Ibilodobuvog.bin"
    .

    (((((((((((((((((((((((((((((((((((( Autres suppressions ))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\Ibilodobuvog.bin

    .
    ((((((((((((((((((((((((((((( Fichiers créés du 2010-11-26 au 2010-12-26 ))))))))))))))))))))))))))))))))))))
    .

    2010-12-26 03:57 . 2010-12-26 03:57 -------- d-----w- c:\windows\LastGood
    2010-12-23 03:45 . 2008-04-14 10:41 33792 ------w- c:\windows\system32\dllcache\custsat.dll
    2010-12-23 03:26 . 2010-12-23 03:34 -------- d-----w- c:\documents and settings\Administrator\Application Data\Roxio
    2010-12-23 03:26 . 2010-12-23 03:26 -------- d-----w- c:\program files\autorun
    2010-12-23 03:13 . 2010-12-23 03:13 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
    2010-12-20 08:57 . 2010-12-20 08:57 -------- d-----w- c:\documents and settings\LocalService\Application Data\AdobeUM
    2010-12-20 05:30 . 2010-12-20 08:56 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
    2010-12-20 05:06 . 2010-12-20 05:06 -------- d-s---w- c:\documents and settings\LocalService\UserData
    2010-12-20 01:06 . 2010-12-20 01:06 -------- d-s---w- c:\documents and settings\NetworkService\UserData

    .
    (((((((((((((((((((((((((((((((((( Compte-rendu de Find3M ))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-12-25 21:20 . 2009-05-06 23:48 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2010-12-25 21:20 . 2009-05-06 23:48 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2010-11-05 05:05 . 2006-02-28 02:00 667136 ----a-w- c:\windows\system32\wininet.dll
    2010-11-05 05:05 . 2006-02-28 02:00 61952 ----a-w- c:\windows\system32\tdc.ocx
    2010-11-05 05:05 . 2006-02-28 02:00 81920 ----a-w- c:\windows\system32\ieencode.dll
    2010-11-03 12:59 . 2006-02-28 02:00 369664 ----a-w- c:\windows\system32\html.iec
    2010-10-26 13:25 . 2006-02-28 02:00 1853312 ----a-w- c:\windows\system32\win32k.sys
    2009-03-05 22:49 . 2009-03-05 22:48 224256 ----a-w- c:\program files\fentun.exe
    2008-08-06 21:27 . 2008-09-22 01:23 3520552 ----a-w- c:\program files\procexp.exe
    2007-05-17 14:56 . 2008-02-01 22:42 172032 ----a-w- c:\program files\puttygen.exe
    2007-05-17 14:56 . 2008-02-01 22:42 135168 ----a-w- c:\program files\pageant.exe
    2007-05-17 14:56 . 2008-02-01 22:42 282624 ----a-w- c:\program files\plink.exe
    2007-05-17 14:56 . 2008-02-01 22:42 307200 ----a-w- c:\program files\psftp.exe
    2007-05-17 14:56 . 2008-02-01 22:42 294912 ----a-w- c:\program files\pscp.exe
    2007-05-17 14:56 . 2008-02-01 22:42 294912 ----a-w- c:\program files\puttytel.exe
    2007-05-17 14:55 . 2008-02-01 22:42 454656 ----a-w- c:\program files\putty.exe
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-12-24_18.47.08 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-12-26 03:55 . 2010-12-26 03:55 16384 c:\windows\Temp\Perflib_Perfdata_fcc.dat
    + 2010-12-26 03:53 . 2010-12-26 03:53 16384 c:\windows\Temp\Perflib_Perfdata_d74.dat
    + 2010-12-26 03:58 . 2010-12-26 03:58 16384 c:\windows\Temp\Perflib_Perfdata_9f8.dat
    + 2007-05-12 01:34 . 2007-07-27 15:41 26488 c:\windows\system32\spupdsvc.exe
    - 2007-05-12 01:34 . 2007-08-11 01:46 26488 c:\windows\system32\spupdsvc.exe
    + 2006-04-25 17:43 . 2010-12-26 03:57 71196 c:\windows\system32\perfc009.dat
    - 2006-04-25 17:43 . 2010-12-24 14:54 71196 c:\windows\system32\perfc009.dat
    + 2006-02-28 02:00 . 2010-06-17 14:03 80384 c:\windows\system32\iccvid.dll
    - 2006-02-28 02:00 . 2008-04-14 10:41 80384 c:\windows\system32\iccvid.dll
    + 2010-12-24 04:16 . 2010-10-11 14:59 45568 c:\windows\system32\dllcache\wab.exe
    - 2009-02-20 08:14 . 2010-04-16 16:09 81920 c:\windows\system32\dllcache\ieencode.dll
    + 2009-02-20 08:14 . 2010-11-05 05:05 81920 c:\windows\system32\dllcache\ieencode.dll
    - 2010-03-23 09:31 . 2010-03-23 09:31 30544 c:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.exe
    + 2010-09-22 14:43 . 2010-09-22 14:43 30544 c:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.exe
    - 2010-04-01 15:42 . 2010-04-01 15:42 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Security.dll
    + 2010-09-23 20:55 . 2010-09-23 20:55 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Security.dll
    - 2010-03-31 18:51 . 2010-03-31 18:51 77824 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsn.dll
    + 2010-09-23 07:26 . 2010-09-23 07:26 77824 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsn.dll
    + 2010-09-23 07:26 . 2010-09-23 07:26 86016 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorie.dll
    - 2010-03-31 18:51 . 2010-03-31 18:51 86016 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorie.dll
    - 2010-03-31 18:51 . 2010-03-31 18:51 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\CORPerfMonExt.dll
    + 2010-09-23 07:26 . 2010-09-23 07:26 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\CORPerfMonExt.dll
    - 2010-03-31 19:32 . 2010-03-31 19:32 32768 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
    + 2010-09-23 08:17 . 2010-09-23 08:17 32768 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
    + 2010-09-23 08:17 . 2010-09-23 08:17 24576 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_filter.dll
    - 2010-03-31 19:32 . 2010-03-31 19:32 24576 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_filter.dll
    + 2010-12-25 21:21 . 2010-12-25 21:21 90112 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing.Design\1.0.5000.0__b03f5f7f11d50a3a_cbe58f0d\System.Drawing.Design.dll
    + 2010-12-25 21:21 . 2010-12-25 21:21 61440 c:\windows\assembly\NativeImages1_v1.1.4322\CustomMarshalers\1.0.5000.0__b03f5f7f11d50a3a_1ca6bbf3\CustomMarshalers.dll
    - 2010-06-24 21:02 . 2010-06-24 21:02 77824 c:\windows\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
    + 2010-12-26 03:56 . 2010-12-26 03:56 77824 c:\windows\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
    + 2010-12-26 03:56 . 2010-12-26 03:56 81920 c:\windows\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
    - 2010-06-24 21:02 . 2010-06-24 21:02 81920 c:\windows\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
    + 2010-12-26 03:57 . 2010-12-26 03:57 81920 c:\windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
    - 2010-06-24 21:02 . 2010-06-24 21:02 81920 c:\windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
    + 2010-12-26 03:56 . 2010-12-26 03:56 32768 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
    - 2010-06-24 21:02 . 2010-06-24 21:02 32768 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
    + 2010-12-26 03:56 . 2010-12-26 03:56 12800 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
    - 2010-06-24 21:02 . 2010-06-24 21:02 12800 c:\windows\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
    + 2010-12-26 03:56 . 2010-12-26 03:56 28672 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
    - 2010-06-24 21:02 . 2010-06-24 21:02 28672 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
    + 2010-12-26 03:56 . 2010-12-26 03:56 77824 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
    - 2010-06-24 21:02 . 2010-06-24 21:02 77824 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
    - 2010-06-24 21:02 . 2010-06-24 21:02 36864 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
    + 2010-12-26 03:56 . 2010-12-26 03:56 36864 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
    + 2010-12-26 03:56 . 2010-12-26 03:56 77824 c:\windows\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
    - 2010-06-24 21:02 . 2010-06-24 21:02 77824 c:\windows\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
    - 2010-06-24 21:02 . 2010-06-24 21:02 13312 c:\windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
    + 2010-12-26 03:56 . 2010-12-26 03:56 13312 c:\windows\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
    - 2010-06-24 21:02 . 2010-06-24 21:02 10752 c:\windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
    + 2010-12-26 03:56 . 2010-12-26 03:56 10752 c:\windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
    + 2010-12-26 03:56 . 2010-12-26 03:56 72192 c:\windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
    - 2010-06-24 21:02 . 2010-06-24 21:02 72192 c:\windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
    - 2010-06-24 21:02 . 2010-06-24 21:02 69120 c:\windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
    + 2010-12-26 03:56 . 2010-12-26 03:56 69120 c:\windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
    + 2010-12-25 21:21 . 2010-12-25 21:21 81920 c:\windows\assembly\GAC\System.Security\1.0.5000.0__b03f5f7f11d50a3a\System.Security.dll
    - 2010-06-10 12:32 . 2010-06-10 12:32 81920 c:\windows\assembly\GAC\System.Security\1.0.5000.0__b03f5f7f11d50a3a\System.Security.dll
    + 2010-12-25 21:20 . 2007-03-06 01:22 14048 c:\windows\$NtUninstallKB971961$\spmsg.dll
    + 2010-12-25 21:20 . 2007-03-06 01:22 22752 c:\windows\$NtUninstallKB971961$\spcustom.dll
    + 2009-09-14 23:30 . 2009-05-26 11:40 26488 c:\windows\$hf_mig$\KB971961\update\spcustom.dll
    + 2009-09-14 23:30 . 2009-05-26 11:40 17272 c:\windows\$hf_mig$\KB971961\spmsg.dll
    - 2010-06-24 21:02 . 2010-06-24 21:02 8192 c:\windows\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e\IEExecRemote.dll
    + 2010-12-26 03:56 . 2010-12-26 03:56 8192 c:\windows\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e\IEExecRemote.dll
    + 2009-04-17 21:21 . 2010-08-13 12:53 5120 c:\windows\system32\xpsp4res.dll
    - 2010-06-24 21:02 . 2010-06-24 21:02 7168 c:\windows\assembly\GAC_MSIL\Microsoft_VsaVb\8.0.0.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll
    + 2010-12-26 03:56 . 2010-12-26 03:56 7168 c:\windows\assembly\GAC_MSIL\Microsoft_VsaVb\8.0.0.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll
    - 2010-06-24 21:02 . 2010-06-24 21:02 5632 c:\windows\assembly\GAC_MSIL\Microsoft.VisualC\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll
    + 2010-12-26 03:57 . 2010-12-26 03:57 5632 c:\windows\assembly\GAC_MSIL\Microsoft.VisualC\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll
    - 2010-06-24 21:02 . 2010-06-24 21:02 6656 c:\windows\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll
    + 2010-12-26 03:56 . 2010-12-26 03:56 6656 c:\windows\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll
    + 2010-12-26 03:56 . 2010-12-26 03:56 8192 c:\windows\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\IEExecRemote.dll
    - 2010-06-24 21:02 . 2010-06-24 21:02 8192 c:\windows\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\IEExecRemote.dll
    - 2010-06-24 21:02 . 2010-06-24 21:02 113664 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.Wrapper.dll
    + 2010-12-26 03:56 . 2010-12-26 03:56 113664 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.Wrapper.dll
    + 2010-12-26 03:56 . 2010-12-26 03:56 258048 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll
    - 2010-06-24 21:02 . 2010-06-24 21:02 258048 c:\windows\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790\System.EnterpriseServices.dll
    - 2006-02-28 02:00 . 2008-04-14 10:42 233472 c:\windows\system32\wmpdxm.dll
    + 2006-02-28 02:00 . 2009-07-12 17:21 233472 c:\windows\system32\wmpdxm.dll
    - 2006-02-28 02:00 . 2008-04-14 10:42 406016 c:\windows\system32\usp10.dll
    + 2006-02-28 02:00 . 2010-04-16 15:36 406016 c:\windows\system32\usp10.dll
    + 2006-02-28 02:00 . 2010-11-05 05:05 629760 c:\windows\system32\urlmon.dll
    + 2006-02-28 02:00 . 2010-06-30 12:31 149504 c:\windows\system32\schannel.dll
    + 2006-02-28 02:00 . 2010-08-16 08:45 590848 c:\windows\system32\rpcrt4.dll
    + 2006-04-25 17:43 . 2010-12-26 03:57 441260 c:\windows\system32\perfh009.dat
    - 2006-04-25 17:43 . 2010-12-24 14:54 441260 c:\windows\system32\perfh009.dat
    - 2006-02-28 02:00 . 2008-04-14 10:42 532480 c:\windows\system32\mstime.dll
    + 2006-02-28 02:00 . 2010-11-05 05:05 532480 c:\windows\system32\mstime.dll
    + 2006-02-28 02:00 . 2010-11-05 05:05 449024 c:\windows\system32\mshtmled.dll
    - 2006-02-28 02:00 . 2008-04-14 10:42 449024 c:\windows\system32\mshtmled.dll
    + 2006-02-28 02:00 . 2009-08-13 15:16 512000 c:\windows\system32\jscript.dll
    - 2006-02-28 02:00 . 2008-04-14 10:41 512000 c:\windows\system32\jscript.dll
    + 2006-02-28 02:00 . 2010-06-09 07:43 692736 c:\windows\system32\inetcomm.dll
    + 2006-02-28 02:00 . 2010-11-05 05:05 251904 c:\windows\system32\iepeers.dll
    - 2006-02-28 02:00 . 2010-04-16 16:09 251904 c:\windows\system32\iepeers.dll
    - 2006-04-25 17:39 . 2010-12-23 05:17 254272 c:\windows\system32\FNTCACHE.DAT
    + 2006-04-25 17:39 . 2010-12-25 21:24 254272 c:\windows\system32\FNTCACHE.DAT
    + 2009-07-13 06:18 . 2009-07-12 17:21 233472 c:\windows\system32\dllcache\wmpdxm.dll
    - 2009-07-13 06:18 . 2008-04-14 10:42 233472 c:\windows\system32\dllcache\wmpdxm.dll
    + 2008-06-23 15:09 . 2010-11-05 05:05 667136 c:\windows\system32\dllcache\wininet.dll
    - 2008-06-23 15:09 . 2010-04-16 16:09 667136 c:\windows\system32\dllcache\wininet.dll
    + 2010-04-16 15:36 . 2010-04-16 15:36 406016 c:\windows\system32\dllcache\usp10.dll
    + 2008-06-26 08:15 . 2010-11-05 05:05 629760 c:\windows\system32\dllcache\urlmon.dll
    + 2008-12-05 06:54 . 2010-06-30 12:31 149504 c:\windows\system32\dllcache\schannel.dll
    + 2009-04-15 14:51 . 2010-08-16 08:45 590848 c:\windows\system32\dllcache\rpcrt4.dll
    + 2010-11-05 05:05 . 2010-11-05 05:05 532480 c:\windows\system32\dllcache\mstime.dll
    + 2010-11-05 05:05 . 2010-11-05 05:05 449024 c:\windows\system32\dllcache\mshtmled.dll
    + 2010-12-24 04:16 . 2009-08-13 15:16 512000 c:\windows\system32\dllcache\jscript.dll
    + 2008-08-20 15:47 . 2010-06-09 07:43 692736 c:\windows\system32\dllcache\inetcomm.dll
    - 2010-04-16 16:09 . 2010-04-16 16:09 251904 c:\windows\system32\dllcache\iepeers.dll
    + 2010-04-16 16:09 . 2010-11-05 05:05 251904 c:\windows\system32\dllcache\iepeers.dll
    + 2010-09-22 14:43 . 2010-09-22 14:43 435024 c:\windows\Microsoft.NET\Framework\v2.0.50727\webengine.dll
    - 2010-03-23 09:31 . 2010-03-23 09:31 435024 c:\windows\Microsoft.NET\Framework\v2.0.50727\webengine.dll
    + 2010-09-23 07:26 . 2010-09-23 07:26 102400 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorld.dll
    - 2010-03-31 18:51 . 2010-03-31 18:51 102400 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorld.dll
    - 2010-03-31 18:49 . 2010-03-31 18:49 315392 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorjit.dll
    + 2010-09-23 07:25 . 2010-09-23 07:25 315392 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorjit.dll
    + 2010-09-23 08:17 . 2010-09-23 08:17 258048 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
    - 2010-03-31 19:32 . 2010-03-31 19:32 258048 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
    + 2010-12-25 21:21 . 2010-12-25 21:21 835584 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a_98deb076\System.Drawing.dll
    + 2010-12-25 21:21 . 2010-12-25 21:21 192512 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing.Design\1.0.5000.0__b03f5f7f11d50a3a_b8b9aa85\System.Drawing.Design.dll
    + 2010-12-25 21:21 . 2010-12-25 21:21 118784 c:\windows\assembly\NativeImages1_v1.1.4322\CustomMarshalers\1.0.5000.0__b03f5f7f11d50a3a_6b93433d\CustomMarshalers.dll
    + 2010-12-26 03:56 . 2010-12-26 03:56 839680 c:\windows\assembly\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\System.Web.Services.dll
    - 2010-06-24 21:02 . 2010-06-24 21:02 839680 c:\windows\assembly\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\System.Web.Services.dll
    - 2010-06-24 21:02 . 2010-06-24 21:02 835584 c:\windows\assembly\GAC_MSIL\System.Web.Mobile\2.0.0.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
    + 2010-12-26 03:56 . 2010-12-26 03:56 835584 c:\windows\assembly\GAC_MSIL\System.Web.Mobile\2.0.0.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
    - 2010-06-24 21:02 . 2010-06-24 21:02 114688 c:\windows\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
    + 2010-12-26 03:56 . 2010-12-26 03:56 114688 c:\windows\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
    - 2010-06-24 21:02 . 2010-06-24 21:02 258048 c:\windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll
    + 2010-12-26 03:56 . 2010-12-26 03:56 258048 c:\windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll
    - 2010-06-24 21:02 . 2010-06-24 21:02 131072 c:\windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
    + 2010-12-26 03:56 . 2010-12-26 03:56 131072 c:\windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
    + 2010-12-26 03:56 . 2010-12-26 03:56 303104 c:\windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
    - 2010-06-24 21:02 . 2010-06-24 21:02 303104 c:\windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
    - 2010-06-24 21:02 . 2010-06-24 21:02 258048 c:\windows\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll
    + 2010-12-26 03:56 . 2010-12-26 03:56 258048 c:\windows\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll
    + 2010-12-26 03:56 . 2010-12-26 03:56 372736 c:\windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
    - 2010-06-24 21:02 . 2010-06-24 21:02 372736 c:\windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
    + 2010-12-26 03:56 . 2010-12-26 03:56 626688 c:\windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
    - 2010-06-24 21:02 . 2010-06-24 21:02 626688 c:\windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
    + 2010-12-26 03:56 . 2010-12-26 03:56 401408 c:\windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
    - 2010-06-24 21:02 . 2010-06-24 21:02 401408 c:\windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
    + 2010-12-26 03:56 . 2010-12-26 03:56 188416 c:\windows\assembly\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll
    - 2010-06-24 21:02 . 2010-06-24 21:02 188416 c:\windows\assembly\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll
    + 2010-12-26 03:57 . 2010-12-26 03:57 970752 c:\windows\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
    - 2010-06-24 21:02 . 2010-06-24 21:02 970752 c:\windows\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
    - 2010-06-24 21:02 . 2010-06-24 21:02 745472 c:\windows\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
    + 2010-12-26 03:57 . 2010-12-26 03:57 745472 c:\windows\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
    - 2010-06-24 21:02 . 2010-06-24 21:02 425984 c:\windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll
    + 2010-12-26 03:57 . 2010-12-26 03:57 425984 c:\windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll
    - 2010-06-24 21:02 . 2010-06-24 21:02 110592 c:\windows\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll
    + 2010-12-26 03:57 . 2010-12-26 03:57 110592 c:\windows\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll
    + 2010-12-26 03:56 . 2010-12-26 03:56 659456 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
    - 2010-06-24 21:02 . 2010-06-24 21:02 659456 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
    - 2010-06-24 21:02 . 2010-06-24 21:02 372736 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll
    + 2010-12-26 03:56 . 2010-12-26 03:56 372736 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll
    + 2010-12-26 03:56 . 2010-12-26 03:56 110592 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll
    - 2010-06-24 21:02 . 2010-06-24 21:02 110592 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll
    + 2010-12-26 03:56 . 2010-12-26 03:56 749568 c:\windows\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
    - 2010-06-24 21:02 . 2010-06-24 21:02 749568 c:\windows\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
    - 2010-06-24 21:02 . 2010-06-24 21:02 655360 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll
    + 2010-12-26 03:56 . 2010-12-26 03:56 655360 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll
    - 2010-06-24 21:02 . 2010-06-24 21:02 348160 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll
    + 2010-12-26 03:56 . 2010-12-26 03:56 348160 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll
    - 2010-06-24 21:02 . 2010-06-24 21:02 507904 c:\windows\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll
    + 2010-12-26 03:56 . 2010-12-26 03:56 507904 c:\windows\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll
    - 2010-06-24 21:02 . 2010-06-24 21:02 261632 c:\windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
    + 2010-12-26 03:56 . 2010-12-26 03:56 261632 c:\windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
    - 2010-06-24 21:02 . 2010-06-24 21:02 113664 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll
    + 2010-12-26 03:56 . 2010-12-26 03:56 113664 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll
    - 2010-06-24 21:02 . 2010-06-24 21:02 258048 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
    + 2010-12-26 03:56 . 2010-12-26 03:56 258048 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
    - 2010-06-24 21:02 . 2010-06-24 21:02 486400 c:\windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll
    + 2010-12-26 03:57 . 2010-12-26 03:57 486400 c:\windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll
    + 2010-12-25 21:20 . 2007-03-06 01:23 371424 c:\windows\$NtUninstallKB971961$\updspapi.dll
    + 2010-12-25 21:20 . 2007-03-06 01:22 716000 c:\windows\$NtUninstallKB971961$\update.exe
    + 2009-09-14 23:30 . 2009-05-26 11:40 382840 c:\windows\$NtUninstallKB971961$\spuninst\updspapi.dll
    + 2009-09-14 23:30 . 2009-05-26 11:40 231288 c:\windows\$NtUninstallKB971961$\spuninst\spuninst.exe
    + 2010-12-25 21:20 . 2007-03-06 01:22 213216 c:\windows\$NtUninstallKB971961$\spuninst.exe
    + 2009-09-14 23:30 . 2008-04-14 10:41 512000 c:\windows\$NtUninstallKB971961$\jscript.dll
    + 2009-09-14 23:30 . 2009-05-26 11:40 382840 c:\windows\$hf_mig$\KB971961\update\updspapi.dll
    + 2009-09-14 23:30 . 2009-05-26 11:40 755576 c:\windows\$hf_mig$\KB971961\update\update.exe
    + 2009-09-14 23:30 . 2009-05-26 11:40 231288 c:\windows\$hf_mig$\KB971961\spuninst.exe
    + 2010-12-24 04:16 . 2009-08-13 15:02 512000 c:\windows\$hf_mig$\KB971961\SP3QFE\jscript.dll
    + 2006-02-28 02:00 . 2009-07-12 17:21 4874240 c:\windows\system32\wmp.dll
    - 2006-02-28 02:00 . 2008-04-14 10:42 4874240 c:\windows\system32\wmp.dll
    + 2006-02-28 02:00 . 2010-07-27 06:30 8462336 c:\windows\system32\shell32.dll
    + 2006-02-28 02:00 . 2010-11-05 05:05 1510400 c:\windows\system32\shdocvw.dll
    + 2006-02-28 02:00 . 2010-11-05 05:05 3076096 c:\windows\system32\mshtml.dll
    + 2009-07-13 06:18 . 2009-07-12 17:21 4874240 c:\windows\system32\dllcache\wmp.dll
    - 2009-07-13 06:18 . 2008-04-14 10:42 4874240 c:\windows\system32\dllcache\wmp.dll
    + 2008-10-15 23:23 . 2010-10-26 13:25 1853312 c:\windows\system32\dllcache\win32k.sys
    + 2008-06-17 19:02 . 2010-07-27 06:30 8462336 c:\windows\system32\dllcache\shell32.dll
    + 2008-06-26 08:15 . 2010-11-05 05:05 1510400 c:\windows\system32\dllcache\shdocvw.dll
    + 2008-06-23 15:09 . 2010-11-05 05:05 3076096 c:\windows\system32\dllcache\mshtml.dll
    + 2010-03-11 20:42 . 2010-06-18 13:36 3558912 c:\windows\system32\dllcache\moviemk.exe
    - 2010-03-11 20:42 . 2009-10-23 15:28 3558912 c:\windows\system32\dllcache\moviemk.exe
    + 2010-04-16 16:09 . 2010-11-05 05:05 1025024 c:\windows\system32\dllcache\browseui.dll
    - 2010-04-16 16:09 . 2010-04-16 16:09 1025024 c:\windows\system32\dllcache\browseui.dll
    - 2006-02-28 02:00 . 2010-04-16 16:09 1025024 c:\windows\system32\browseui.dll
    + 2006-02-28 02:00 . 2010-11-05 05:05 1025024 c:\windows\system32\browseui.dll
    - 2010-03-23 09:32 . 2010-03-23 09:32 5242880 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Web.dll
    + 2010-09-22 14:44 . 2010-09-22 14:44 5242880 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Web.dll
    - 2010-04-01 15:42 . 2010-04-01 15:42 1265664 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Web.dll
    + 2010-09-23 20:55 . 2010-09-23 20:55 1265664 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Web.dll
    - 2010-04-01 15:42 . 2010-04-01 15:42 1232896 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.dll
    + 2010-09-23 20:55 . 2010-09-23 20:55 1232896 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.dll
    + 2010-09-23 07:26 . 2010-09-23 07:26 2514944 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
    - 2010-03-31 18:50 . 2010-03-31 18:50 2514944 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
    + 2010-09-23 07:25 . 2010-09-23 07:25 2523136 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsvr.dll
    + 2010-09-23 20:55 . 2010-09-23 20:55 2142208 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorlib.dll
    - 2010-04-01 15:42 . 2010-04-01 15:42 2142208 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorlib.dll
    + 2010-09-23 12:40 . 2010-09-23 12:40 2607104 c:\windows\Installer\4de7f.msp
    + 2010-09-23 12:39 . 2010-09-23 12:39 4265472 c:\windows\Installer\4de7e.msp
    + 2010-09-23 12:39 . 2010-09-23 12:39 4265472 c:\windows\Installer\35b08.msp
    + 2010-12-25 21:21 . 2010-12-25 21:21 4792320 c:\windows\assembly\NativeImages1_v1.1.4322\System\1.0.5000.0__b77a5c561934e089_f97b166c\System.dll
    + 2010-12-25 21:21 . 2010-12-25 21:21 1966080 c:\windows\assembly\NativeImages1_v1.1.4322\System\1.0.5000.0__b77a5c561934e089_1058d0c9\System.dll
    + 2010-12-25 21:21 . 2010-12-25 21:21 2088960 c:\windows\assembly\NativeImages1_v1.1.4322\System.Xml\1.0.5000.0__b77a5c561934e089_8ef93dbb\System.Xml.dll
    + 2010-12-25 21:21 . 2010-12-25 21:21 5513216 c:\windows\assembly\NativeImages1_v1.1.4322\System.Xml\1.0.5000.0__b77a5c561934e089_366e4a1e\System.Xml.dll
    + 2010-12-25 21:21 . 2010-12-25 21:21 7884800 c:\windows\assembly\NativeImages1_v1.1.4322\System.Windows.Forms\1.0.5000.0__b77a5c561934e089_e7e68329\System.Windows.Forms.dll
    + 2010-12-25 21:21 . 2010-12-25 21:21 3018752 c:\windows\assembly\NativeImages1_v1.1.4322\System.Windows.Forms\1.0.5000.0__b77a5c561934e089_062bc2d3\System.Windows.Forms.dll
    + 2010-12-25 21:21 . 2010-12-25 21:21 2244608 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a_be742de6\System.Drawing.dll
    + 2010-12-25 21:21 . 2010-12-25 21:21 1470464 c:\windows\assembly\NativeImages1_v1.1.4322\System.Design\1.0.5000.0__b03f5f7f11d50a3a_c9c0c50f\System.Design.dll
    + 2010-12-25 21:21 . 2010-12-25 21:21 3395584 c:\windows\assembly\NativeImages1_v1.1.4322\System.Design\1.0.5000.0__b03f5f7f11d50a3a_9c35d7c8\System.Design.dll
    + 2010-12-25 21:21 . 2010-12-25 21:21 8908800 c:\windows\assembly\NativeImages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_e033505b\mscorlib.dll
    + 2010-12-25 21:21 . 2010-12-25 21:21 3391488 c:\windows\assembly\NativeImages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_32279eec\mscorlib.dll
    + 2010-12-26 03:57 . 2010-12-26 03:57 3182592 c:\windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
    - 2010-06-24 21:02 . 2010-06-24 21:02 3182592 c:\windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
    - 2010-06-24 21:02 . 2010-06-24 21:02 2048000 c:\windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
    + 2010-12-26 03:57 . 2010-12-26 03:57 2048000 c:\windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
    - 2010-06-24 21:02 . 2010-06-24 21:02 5025792 c:\windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
    + 2010-12-26 03:56 . 2010-12-26 03:56 5025792 c:\windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
    + 2010-12-26 03:56 . 2010-12-26 03:56 5062656 c:\windows\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll
    - 2010-06-24 21:02 . 2010-06-24 21:02 5062656 c:\windows\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll
    + 2010-12-26 03:56 . 2010-12-26 03:56 5242880 c:\windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
    - 2010-06-24 21:02 . 2010-06-24 21:02 5242880 c:\windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
    - 2010-06-24 21:02 . 2010-06-24 21:02 2933248 c:\windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
    + 2010-12-26 03:57 . 2010-12-26 03:57 2933248 c:\windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
    + 2010-12-26 03:57 . 2010-12-26 03:57 4546560 c:\windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
    - 2010-06-24 21:02 . 2010-06-24 21:02 4546560 c:\windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
    + 2010-12-25 21:21 . 2010-12-25 21:21 1232896 c:\windows\assembly\GAC\System\1.0.5000.0__b77a5c561934e089\System.dll
    - 2010-06-10 12:32 . 2010-06-10 12:32 1232896 c:\windows\assembly\GAC\System\1.0.5000.0__b77a5c561934e089\System.dll
    - 2010-06-10 12:32 . 2010-06-10 12:32 1265664 c:\windows\assembly\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
    + 2010-12-25 21:21 . 2010-12-25 21:21 1265664 c:\windows\assembly\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
    + 2010-09-24 19:08 . 2010-09-24 19:08 11430400 c:\windows\Microsoft.NET\Framework\v1.1.4322\Updates\M2416447\M2416447Uninstall.msp
    + 2010-09-24 12:08 . 2010-09-24 12:08 17518080 c:\windows\Installer\4de7d.msp
    + 2010-12-26 03:58 . 2010-12-26 03:58 10683392 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Design\28d23e870e26d7284dbf506a5a19402a\System.Design.ni.dll
    .
    -- Snapshot reset --
    .
    ((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-08-22 2363392]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-05-24 344064]
    "PTHOSTTR"="c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2006-06-08 131072]
    "SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 525824]
    "CognizanceTS"="c:\progra~1\HPQ\IAM\Bin\AsTsVcc.dll" [2003-12-22 17920]
    "ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-01-10 385024]
    "EventServer"="c:\program files\RemoteAgent64\Bin\EventServer.exe" [2006-11-14 151552]
    "RTHDCPL"="RTHDCPL.EXE" [2008-06-13 16871936]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-08-17 281768]
    "BackupNowEZtray"="c:\program files\NewTech Infosystems\Backup Now EZ\BackupNowEZtray.exe" [2009-05-08 552192]
    "LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2010-03-12 119152]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
    "Scheduler"="c:\windows\SMINST\Scheduler.exe" [2006-04-24 888832]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    MotionSD STUDIO - Auto-activation Navigateur SD -.lnk - c:\program files\Panasonic\MotionSD STUDIO\SD_Browser\AutoLauncher.exe [2008-9-21 66952]
    VPN Client.lnk - c:\windows\Installer\{D25122BC-A60E-4663-B602-B01718F12044}\Icon3E5562ED7.ico [2008-1-20 6144]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
    EventLogger.lnk - c:\program files\JM Integrated Remote Station\cms\EventLogger.exe [2010-8-17 540672]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "DisableCAD"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IfxWlxEN]
    2006-04-07 04:00 434176 ----a-w- c:\windows\system32\IfxWlxEN.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
    2006-06-07 19:26 40448 ----a-w- c:\program files\HPQ\IAM\Bin\AsWlnPkg.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
    2004-11-05 15:50 8704 ----a-w- c:\windows\system32\PCANotify.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\WINDOWS\\SMINST\\Scheduler.exe"=
    "c:\\Program Files\\TightVNC\\WinVNC.exe"=
    "c:\\WINDOWS\\system32\\mstsc.exe"=
    "c:\\Program Files\\Look@LAN\\LookAtLan.exe"=
    "c:\\Program Files\\RemoteAgent64\\Bin\\EventServer.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
    "c:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"=
    "c:\\Program Files\\Xming\\Xming.exe"=
    "e:\\Program Files\\Sun\\VirtualBox\\VirtualBox.exe"=
    "c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
    "c:\\Program Files\\Microsoft LifeCam\\LifeEnC2.exe"=
    "c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
    "c:\\Program Files\\Microsoft LifeCam\\LifeTray.exe"=
    "c:\\Program Files\\Toktumi\\Toktumi.exe"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "c:\\Program Files\\JM Integrated Remote Station\\cms\\EventLogger.exe"=
    "c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
    "c:\\Program Files\\BitTorrent\\bittorrent.exe"=
    "c:\\Program Files\\DNA\\btdna.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "4899:TCP"= 4899:TCP:Remote_Admin

    R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [4/6/2006 11:46 PM 31104]
    R1 raddrvv3;raddrvv3;c:\windows\system32\rserver30\raddrvv3.sys [2/2/2007 2:54 PM 41176]
    R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [9/15/2009 5:46 PM 123280]
    R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [9/15/2009 5:46 PM 41680]
    R2 AntiVirSchedulerService;Avira AntiVir Planificateur;c:\program files\Avira\AntiVir Desktop\sched.exe [5/6/2009 6:48 PM 135336]
    R2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [2/27/2006 9:00 PM 14336]
    R2 FortiSslvpnDaemon;FortiClient SSL VPN;c:\windows\system32\FortiSSLVPNdaemon.exe [2/6/2009 9:39 AM 518688]
    R2 NTI BackupNowEZSvr;NTI BackupNowEZSvr;c:\program files\NewTech Infosystems\Backup Now EZ\BackupNowEZSvr.exe [5/8/2009 5:20 PM 45312]
    R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [5/11/2007 8:26 PM 36608]
    R3 MSHUSBVideo;NX6000/NX3000/VX2000/VX5000/VX5500/VX7000/Cinema Filter Driver;c:\windows\system32\drivers\nx6000.sys [3/19/2010 3:26 PM 30576]
    R3 pppop;PPPoP WAN Adapter;c:\windows\system32\drivers\pppop.sys [2/3/2009 10:43 AM 36384]
    R3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\drivers\tap0801.sys [7/31/2004 4:50 PM 23552]
    R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [9/15/2009 5:46 PM 99152]
    R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\drivers\VBoxNetFlt.sys [2/12/2010 8:34 PM 110096]
    S2 exim;Exim;e:\cygwin\bin\cygrunsrv.exe [12/19/2008 8:17 PM 68096]
    S2 gupdate;Service Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/7/2009 6:32 PM 133104]
    S2 NovacomD;Palm Novacom;c:\program files\Palm\SDK\bin\novacom\x86\novacomd.exe [8/3/2009 9:13 PM 31232]
    S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [11/6/2007 3:22 PM 34064]
    S4 RServer3;Radmin Server V3;"c:\windows\system32\rserver30\RServer3.exe" /service --> c:\windows\system32\rserver30\RServer3.exe [?]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    Cognizance REG_MULTI_SZ ASChannel

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2008-08-22 18:11 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2010-03-25 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:57]

    2010-12-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-10-07 23:32]

    2010-12-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-10-07 23:32]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.hp.com
    uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
    Handler: intu-ir2008 - {729D3592-92E7-4cbc-8E44-3C22B3F457B3} - c:\program files\ImpotRapide 2008\ic2008pp.dll
    Handler: intu-ir2009 - {E4616804-F2F8-4839-B728-5305004DA6A7} - c:\program files\ImpotRapide 2009\ic2009pp.dll
    DPF: {32C11E38-E587-4BE9-9ABB-D69158C21CE5} - hxxp://216.30.165.22:8080/activex/decoder/mpeg4_dec.cab
    DPF: {46D8BEE7-0B27-4466-ABA2-A5F1E157971C} - hxxp://65.254.18.46:100/RemoteWeb.cab
    DPF: {5B8DED15-6FC1-4044-A923-F8CE2EAB40B7} - hxxp://216.215.157.230/SpecoRemote.cab
    DPF: {5FFDFC21-AE40-4C7C-955C-415A1ACE01C8} - hxxp://65.254.18.46:100/VideoViewer.cab
    DPF: {721700FE-7F0E-49C5-BDED-CA92B7CB1245} - hxxp://192.168.200.100/dcsclictrl.cab
    DPF: {A2DA760C-D2DF-4FED-92B4-593E3F148692} - hxxp://demopc8p24.dss.com.tw:1700/WebCamX.cab
    DPF: {CF1C4A31-BD38-4DCB-BFDB-9E1854B6AAF1} - hxxp://www.dvrhost.com/control/viewer.cab
    DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://216.30.165.22:8080/activex/AMC.cab
    DPF: {F3CAAA40-344A-412E-84E3-D176D64EE54F} - hxxp://www.bms2000.org/BMS2000_Access_Control.ocx
    FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\xcprpuph.default\
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Skype extension: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-12-25 23:01
    Windows 5.1.2600 Service Pack 3 NTFS

    Recherche de processus cachés ...

    Recherche d'éléments en démarrage automatique cachés ...

    Recherche de fichiers cachés ...

    Scan terminé avec succès
    Fichiers cachés: 0

    **************************************************************************
    .
    --------------------- CLES DE REGISTRE BLOQUEES ---------------------

    [HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
    "SymbolicLinkValue "=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
    00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
    .
    --------------------- DLLs chargées dans les processus actifs ---------------------

    - - - - - - - > 'winlogon.exe'(332)
    c:\windows\system32\Ati2evxx.dll
    c:\program files\HPQ\IAM\Bin\AsWlnPkg.dll
    c:\windows\system32\IfxWlxEN.dll
    .
    Heure de fin: 2010-12-25 23:02:35
    ComboFix-quarantined-files.txt 2010-12-26 04:02
    ComboFix2.txt 2010-12-24 18:49

    Avant-CF: 27*678*220*288 bytes free
    Après-CF: 27*695*640*576 bytes free

    - - End Of File - - EE42EE9DDF6E5C1A33A97319CF8750D0
     
  16. 2010/12/25
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Good :)

    How is computer doing?

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  17. 2010/12/25
    dmonfette

    dmonfette Inactive Thread Starter

    Joined:
    2010/12/23
    Messages:
    19
    Likes Received:
    0
    Broni,

    The computer looks good. Waiting for your reply, I went back to look at the other posts. Some of us are keeping you quite busy!

    The time you give me is greatly appreciated. I just cannot believe all the troubleshooting needed to remove a rootkit.

    Here is the otl.txt:

    OTL logfile created on: 2010-12-25 23:19:05 - Run 1
    OTL by OldTimer - Version 3.2.18.0 Folder = C:\Documents and Settings\Administrator\Desktop\malware\otl
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 6.0.2900.5512)
    Locale: 00000C0C | Country: Canada | Language: FRC | Date Format: yyyy-MM-dd

    3,00 Gb Total Physical Memory | 3,00 Gb Available Physical Memory | 84,00% Memory free
    5,00 Gb Paging File | 5,00 Gb Available in Paging File | 91,00% Paging File free
    Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 66,51 Gb Total Space | 25,81 Gb Free Space | 38,81% Space Free | Partition Type: NTFS
    Drive D: | 8,01 Gb Total Space | 6,23 Gb Free Space | 77,80% Space Free | Partition Type: NTFS
    Drive E: | 331,05 Gb Total Space | 147,48 Gb Free Space | 44,55% Space Free | Partition Type: NTFS

    Computer Name: DAN | User Name: Administrator | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: Current user | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2010-12-25 23:16:14 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\malware\otl\OTL.exe
    PRC - [2010-12-25 16:19:55 | 000,267,944 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    PRC - [2010-08-17 13:39:03 | 000,135,336 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
    PRC - [2010-08-17 13:38:55 | 000,281,768 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    PRC - [2010-03-12 17:41:16 | 000,139,632 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft LifeCam\MSCamS32.exe
    PRC - [2010-01-14 22:11:14 | 000,076,968 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    PRC - [2009-05-08 17:20:38 | 000,552,192 | ---- | M] (NewTech Infosystems, Inc.) -- C:\Program Files\NewTech Infosystems\Backup Now EZ\BackupNowEZtray.exe
    PRC - [2009-05-08 17:20:34 | 000,045,312 | ---- | M] (NewTech Infosystems, Inc.) -- C:\Program Files\NewTech Infosystems\Backup Now EZ\BackupNowEZSvr.exe
    PRC - [2009-02-06 09:39:26 | 000,518,688 | ---- | M] (Fortinet Inc.) -- C:\WINDOWS\system32\FortiSSLVPNdaemon.exe
    PRC - [2008-04-14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
    PRC - [2008-01-28 21:59:43 | 000,793,088 | ---- | M] () -- e:\cygwin\bin\exim-4.69-1.exe
    PRC - [2007-08-31 09:48:50 | 000,066,952 | ---- | M] (Matsushita Electric Industrial Co., Ltd.) -- C:\Program Files\Panasonic\MotionSD STUDIO\SD_Browser\AutoLauncher.exe
    PRC - [2007-05-07 19:28:58 | 000,589,824 | ---- | M] (TightVNC Group) -- C:\Program Files\TightVNC\WinVNC.exe
    PRC - [2007-01-04 21:48:52 | 000,112,152 | R--- | M] (InterVideo) -- C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    PRC - [2006-11-14 00:00:00 | 000,151,552 | ---- | M] (OEM) -- C:\Program Files\RemoteAgent64\Bin\EventServer.exe
    PRC - [2006-06-08 16:02:06 | 000,131,072 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\pthosttr.exe
    PRC - [2006-04-25 12:46:54 | 000,131,072 | ---- | M] (Infineon Technologies AG) -- C:\Program Files\ProtectTools\Embedded Security Software\PSDrt.exe
    PRC - [2006-04-24 12:42:06 | 000,888,832 | ---- | M] () -- C:\WINDOWS\SMINST\Scheduler.exe
    PRC - [2006-04-20 08:34:26 | 001,520,688 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    PRC - [2006-01-02 17:41:22 | 000,045,056 | ---- | M] (ATI Technologies Inc.) -- C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
    PRC - [2005-06-29 15:06:54 | 000,043,008 | ---- | M] (Cognizance Corporation) -- C:\Program Files\HPQ\IAM\Bin\asghost.exe


    ========== Modules (SafeList) ==========

    MOD - [2010-12-25 23:16:14 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\malware\otl\OTL.exe
    MOD - [2009-05-08 10:05:24 | 000,073,728 | ---- | M] (NewTech Infosystems, Inc.) -- C:\Program Files\NewTech Infosystems\Backup Now EZ\Pehook.dll


    ========== Win32 Services (SafeList) ==========

    SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\rserver30\RServer3.exe -- (RServer3)
    SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
    SRV - [2010-12-25 16:19:55 | 000,267,944 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
    SRV - [2010-08-17 13:39:03 | 000,135,336 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
    SRV - [2010-03-12 17:41:16 | 000,139,632 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft LifeCam\MSCamS32.exe -- (MSCamSvc)
    SRV - [2009-08-03 21:13:28 | 000,031,232 | ---- | M] () [Auto | Stopped] -- C:\Program Files\Palm\SDK\bin\novacom\x86\novacomd.exe -- (NovacomD)
    SRV - [2009-05-08 17:20:34 | 000,045,312 | ---- | M] (NewTech Infosystems, Inc.) [Auto | Running] -- C:\Program Files\NewTech Infosystems\Backup Now EZ\BackupNowEZSvr.exe -- (NTI BackupNowEZSvr)
    SRV - [2009-02-06 09:39:26 | 000,518,688 | ---- | M] (Fortinet Inc.) [Auto | Running] -- C:\WINDOWS\system32\FortiSSLVPNdaemon.exe -- (FortiSslvpnDaemon)
    SRV - [2008-03-18 05:28:46 | 000,068,096 | ---- | M] () [Auto | Stopped] -- e:\cygwin\bin\cygrunsrv.exe -- (exim)
    SRV - [2007-11-06 15:22:26 | 000,092,792 | ---- | M] (CACE Technologies) [On_Demand | Stopped] -- C:\Program Files\WinPcap\rpcapd.exe -- (rpcapd) Remote Packet Capture Protocol v.0 (experimental)
    SRV - [2007-05-07 19:28:58 | 000,589,824 | ---- | M] (TightVNC Group) [Auto | Running] -- C:\Program Files\TightVNC\WinVNC.exe -- (winvnc)
    SRV - [2007-01-04 21:48:52 | 000,112,152 | R--- | M] (InterVideo) [Auto | Running] -- C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe -- (IviRegMgr)
    SRV - [2006-12-28 20:18:00 | 000,122,512 | ---- | M] (B.H.A Corporation) [Disabled | Stopped] -- C:\WINDOWS\System32\bgsvcgen.exe -- (bgsvcgen)
    SRV - [2006-04-20 08:34:26 | 001,520,688 | ---- | M] (Cisco Systems, Inc.) [Auto | Running] -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe -- (CVPND)
    SRV - [2005-04-17 21:27:15 | 000,014,336 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\OpenVPN\bin\openvpnserv.exe -- (OpenVPNService)
    SRV - [2004-11-05 10:50:00 | 000,106,496 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\pcAnywhere\awhost32.exe -- (awhost32)
    SRV - [2004-10-22 02:24:18 | 000,073,728 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand | Running] -- C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys -- (catchme)
    DRV - [2010-12-25 16:20:03 | 000,135,096 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
    DRV - [2010-12-25 16:20:03 | 000,061,960 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
    DRV - [2010-06-17 15:28:02 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
    DRV - [2010-06-17 15:27:52 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
    DRV - [2010-03-12 17:41:16 | 000,030,576 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nx6000.sys -- (MSHUSBVideo)
    DRV - [2010-02-12 20:34:58 | 000,123,280 | ---- | M] (Sun Microsystems, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\VBoxDrv.sys -- (VBoxDrv)
    DRV - [2010-02-12 20:34:58 | 000,110,096 | ---- | M] (Sun Microsystems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\VBoxNetFlt.sys -- (VBoxNetFlt)
    DRV - [2010-02-12 20:34:58 | 000,099,152 | ---- | M] (Sun Microsystems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\VBoxNetAdp.sys -- (VBoxNetAdp)
    DRV - [2010-02-12 20:34:58 | 000,041,680 | ---- | M] (Sun Microsystems, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\VBoxUSBMon.sys -- (VBoxUSBMon)
    DRV - [2009-05-05 15:46:08 | 000,014,464 | ---- | M] (NewTech Infosystems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NTIDrvr.sys -- (NTIDrvr)
    DRV - [2009-05-05 15:46:08 | 000,013,440 | ---- | M] (NewTech Infosystems Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\UBHelper.sys -- (UBHelper)
    DRV - [2009-02-03 10:43:38 | 000,036,384 | ---- | M] (Fortinet Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pppop.sys -- (pppop)
    DRV - [2008-09-21 21:39:28 | 000,104,144 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files\Symantec\SYMEVENT.SYS -- (SymEvent)
    DRV - [2008-06-17 16:49:22 | 004,756,992 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
    DRV - [2008-04-14 00:23:10 | 000,040,320 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nmnt.sys -- (nm)
    DRV - [2008-04-14 00:15:14 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio) USB Audio Driver (WDM)
    DRV - [2008-04-13 22:06:06 | 000,144,384 | ---- | M] (Windows (R) Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
    DRV - [2007-11-06 15:22:06 | 000,034,064 | ---- | M] (CACE Technologies) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\npf.sys -- (NPF)
    DRV - [2007-02-02 14:54:26 | 000,041,176 | ---- | M] (Famatech International Corp.) [Kernel | System | Running] -- C:\WINDOWS\system32\rserver30\raddrvv3.sys -- (raddrvv3)
    DRV - [2006-12-06 07:12:56 | 000,044,416 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HECI.sys -- (HECI) Intel(R)
    DRV - [2006-11-02 06:00:08 | 000,039,368 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\winusb.sys -- (WinUSB)
    DRV - [2006-11-01 05:01:56 | 000,003,328 | ---- | M] (Famatech International Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rminiv3.sys -- (mirrorv3)
    DRV - [2006-10-26 15:22:08 | 000,009,432 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLADResM.SYS -- (DLADResM)
    DRV - [2006-10-26 15:21:34 | 000,094,648 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS -- (DLAUDFAM)
    DRV - [2006-10-26 15:21:34 | 000,035,096 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABMFSM.SYS -- (DLABMFSM)
    DRV - [2006-10-26 15:21:32 | 000,097,848 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS -- (DLAUDF_M)
    DRV - [2006-10-26 15:21:30 | 000,026,296 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS -- (DLAOPIOM)
    DRV - [2006-10-26 15:21:28 | 000,032,472 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS -- (DLABOIOM)
    DRV - [2006-10-26 15:21:26 | 000,014,520 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS -- (DLAPoolM)
    DRV - [2006-10-26 15:21:24 | 000,104,536 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS -- (DLAIFS_M)
    DRV - [2006-08-11 10:05:58 | 000,051,768 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DRVNDDM.SYS -- (DRVNDDM)
    DRV - [2006-08-11 09:35:18 | 000,012,920 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS -- (DLACDBHM)
    DRV - [2006-08-11 09:35:16 | 000,028,184 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLARTL_M.SYS -- (DLARTL_M)
    DRV - [2006-07-22 16:13:48 | 001,579,008 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
    DRV - [2006-07-21 10:21:26 | 000,099,176 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\DRVMCDB.SYS -- (DRVMCDB)
    DRV - [2006-07-19 10:42:16 | 000,230,400 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\e1e5132.sys -- (e1express) Intel(R)
    DRV - [2006-07-06 01:59:42 | 000,246,784 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\iaStor.sys -- (iaStor)
    DRV - [2006-06-05 05:39:56 | 000,024,064 | ---- | M] (Intel Corporation ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\iqvw32.sys -- (NAL)
    DRV - [2006-04-25 11:26:08 | 000,036,608 | ---- | M] (Infineon Technologies AG) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ifxtpm.sys -- (IFXTPM)
    DRV - [2006-04-20 08:33:40 | 000,303,740 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\CVPNDRVA.sys -- (CVPNDRVA)
    DRV - [2006-04-06 23:46:48 | 000,031,104 | ---- | M] (Infineon Technologies AG) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\psd.sys -- (PersonalSecureDrive)
    DRV - [2006-02-20 18:17:00 | 000,033,408 | ---- | M] (B.H.A Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\cdrbsdrv.sys -- (cdrbsdrv)
    DRV - [2005-08-18 19:22:30 | 000,110,080 | ---- | M] (Deterministic Networks, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dne2000.sys -- (DNE)
    DRV - [2005-05-17 04:51:34 | 000,005,315 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CVirtA.sys -- (CVirtA)
    DRV - [2005-01-26 06:22:20 | 000,280,344 | ---- | M] (Zone Labs LLC) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\vsdatant.sys -- (vsdatant)
    DRV - [2004-08-03 12:29:50 | 000,019,455 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wVchNTxx.sys -- (iAimFP4)
    DRV - [2004-08-03 12:29:48 | 000,012,063 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wSiINTxx.sys -- (iAimFP3)
    DRV - [2004-08-03 12:29:46 | 000,025,471 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wATV10nt.sys -- (iAimTV5)
    DRV - [2004-08-03 12:29:46 | 000,023,615 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wCh7xxNT.sys -- (iAimTV4)
    DRV - [2004-08-03 12:29:46 | 000,022,271 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wATV06nt.sys -- (iAimTV6)
    DRV - [2004-08-03 12:29:44 | 000,033,599 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wATV04nt.sys -- (iAimTV3)
    DRV - [2004-08-03 12:29:44 | 000,019,551 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wATV02NT.sys -- (iAimTV1)
    DRV - [2004-08-03 12:29:42 | 000,029,311 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wATV01nt.sys -- (iAimTV0)
    DRV - [2004-08-03 12:29:42 | 000,011,871 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wADV09NT.sys -- (iAimFP7)
    DRV - [2004-08-03 12:29:40 | 000,011,807 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wADV07nt.sys -- (iAimFP5)
    DRV - [2004-08-03 12:29:40 | 000,011,295 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wADV08NT.sys -- (iAimFP6)
    DRV - [2004-08-03 12:29:38 | 000,161,020 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\i81xnt5.sys -- (i81x)
    DRV - [2004-08-03 12:29:38 | 000,012,415 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wADV01nt.sys -- (iAimFP0)
    DRV - [2004-08-03 12:29:38 | 000,012,127 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wADV02NT.sys -- (iAimFP1)
    DRV - [2004-08-03 12:29:38 | 000,011,775 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wADV05NT.sys -- (iAimFP2)
    DRV - [2004-07-31 16:50:12 | 000,023,552 | ---- | M] (The OpenVPN Project) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tap0801.sys -- (tap0801)
    DRV - [2004-03-05 11:52:22 | 000,008,368 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\awechomd.sys -- (awecho)
    DRV - [2003-11-17 17:06:48 | 000,011,165 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\awlegacy.sys -- (awlegacy)
    DRV - [2003-10-23 09:32:20 | 000,016,984 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AW_HOST5.sys -- (AW_HOST)
    DRV - [2003-04-21 12:00:32 | 000,013,898 | ---- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\GERNUWA.sys -- (Gernuwa)
    DRV - [2002-05-08 12:44:42 | 000,105,472 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\adpu320.sys -- (adpu320)
    DRV - [2002-04-04 00:32:06 | 000,028,416 | R--- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symmpi.sys -- (Symmpi)
    DRV - [2001-08-17 11:07:42 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
    DRV - [2001-08-17 11:07:40 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
    DRV - [2001-08-17 11:07:36 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
    DRV - [2001-08-17 11:07:34 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
    DRV - [2001-08-17 02:20:04 | 000,096,256 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ac97intc.sys -- (ac97intc) Intel(r) 82801 Audio Driver Install Service (WDM)
    DRV - [1999-09-10 11:06:00 | 000,025,244 | ---- | M] (Adaptec) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\ASPI32.SYS -- (ASPI32)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie

    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.hp.com
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    ========== FireFox ==========

    FF - prefs.js..extensions.enabledItems: {AB2CE124-6272-4b12-94A9-7303C7397BD1}:5.0.0.6778
    FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010-12-22 22:13:53 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010-12-12 14:24:27 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.6\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2008-12-11 20:08:20 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.6\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins [2008-11-05 20:33:09 | 000,000,000 | ---D | M]

    [2010-12-22 22:13:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions
    [2010-12-25 23:04:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\xcprpuph.default\extensions
    [2010-12-22 22:22:14 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\xcprpuph.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    [2010-12-25 16:50:49 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
    [2010-10-22 15:47:15 | 000,000,000 | ---D | M] (Skype extension) -- C:\Program Files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
    [2008-09-03 19:11:24 | 000,054,600 | ---- | M] (BitTorrent, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npbittorrent.dll
    [2010-08-12 17:35:55 | 000,001,516 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-france.xml
    [2010-08-12 17:35:55 | 000,001,822 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\cnrtl-tlfi-fr.xml
    [2010-08-12 17:35:55 | 000,000,757 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-france.xml
    [2010-08-12 17:35:55 | 000,001,426 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia-fr.xml
    [2010-08-12 17:35:55 | 000,000,956 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-france.xml

    O1 HOSTS File: ([2010-12-25 23:01:40 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
    O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
    O2 - BHO: (Skype Plug-In) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
    O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll (Google Inc.)
    O2 - BHO: (HP Credential Manager for ProtectTools) - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - C:\Program Files\HPQ\IAM\Bin\ItIeAddIN.dll (Infineon Technologies AG)
    O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
    O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
    O4 - HKLM..\Run: [ATICCC] C:\Program Files\ATI Technologies\ATI.ACE\cli.exe (ATI Technologies Inc.)
    O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
    O4 - HKLM..\Run: [BackupNowEZtray] C:\Program Files\NewTech Infosystems\Backup Now EZ\BackupNowEZtray.exe (NewTech Infosystems, Inc.)
    O4 - HKLM..\Run: [CognizanceTS] C:\Program Files\HPQ\IAM\Bin\AsTsVcc.dll (Cognizance Corporation)
    O4 - HKLM..\Run: [EventServer] C:\Program Files\RemoteAgent64\Bin\EventServer.exe (OEM)
    O4 - HKLM..\Run: [LifeCam] C:\Program Files\Microsoft LifeCam\LifeExp.exe (Microsoft Corporation)
    O4 - HKLM..\Run: [PTHOSTTR] C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE (Hewlett-Packard Development Company, L.P.)
    O4 - HKLM..\Run: [Scheduler] C:\WINDOWS\SMINST\Scheduler.exe ()
    O4 - HKLM..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe (Hewlett-Packard Company)
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled [2010-12-22 22:38:41 | 000,000,000 | -H-D | M]
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MotionSD STUDIO - Auto-activation Navigateur SD -.lnk = C:\Program Files\Panasonic\MotionSD STUDIO\SD_Browser\AutoLauncher.exe (Matsushita Electric Industrial Co., Ltd.)
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk = C:\WINDOWS\Installer\{D25122BC-A60E-4663-B602-B01718F12044}\Icon3E5562ED7.ico ()
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableCAD = 1
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll (Google Inc.)
    O9 - Extra Button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
    O9 - Extra 'Tools' menuitem : Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
    O9 - Extra Button: PDFill PDF Editor - {FB858B22-55E2-413f-87F5-30ADC5552151} - C:\Program Files\PlotSoft\PDFill\DownloadPDF.exe (PlotSoft LLC)
    O16 - DPF: {32C11E38-E587-4BE9-9ABB-D69158C21CE5} http://216.30.165.22:8080/activex/decoder/mpeg4_dec.cab (Moonlight MPEG-4 Video Decoder)
    O16 - DPF: {46D8BEE7-0B27-4466-ABA2-A5F1E157971C} http://65.254.18.46:100/RemoteWeb.cab (Remote200 Control)
    O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.2.cab (DLM Control)
    O16 - DPF: {5B8DED15-6FC1-4044-A923-F8CE2EAB40B7} http://216.215.157.230/SpecoRemote.cab (SpecoRemote Control)
    O16 - DPF: {5FFDFC21-AE40-4C7C-955C-415A1ACE01C8} http://65.254.18.46:100/VideoViewer.cab (CViewerControl Object)
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1200348910062 (WUWebControl Class)
    O16 - DPF: {721700FE-7F0E-49C5-BDED-CA92B7CB1245} http://192.168.200.100/dcsclictrl.cab (Camera Stream Client Control Object)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
    O16 - DPF: {A2DA760C-D2DF-4FED-92B4-593E3F148692} http://demopc8p24.dss.com.tw:1700/WebCamX.cab (WebCamX Control)
    O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07)
    O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
    O16 - DPF: {CF1C4A31-BD38-4DCB-BFDB-9E1854B6AAF1} http://www.dvrhost.com/control/viewer.cab (DVR Web Viewer)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
    O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} http://216.30.165.22:8080/activex/AMC.cab (AxisMediaControlEmb Class)
    O16 - DPF: {F3CAAA40-344A-412E-84E3-D176D64EE54F} http://www.bms2000.org/BMS2000_Access_Control.ocx (Groupe BMS2000 Security Access Control 1.0.0)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.200.1
    O18 - Protocol\Handler\intu-ir2008 {729D3592-92E7-4cbc-8E44-3C22B3F457B3} - C:\Program Files\ImpotRapide 2008\ic2008pp.dll (Intuit Canada, a general partnership/une société en nom collectif.)
    O18 - Protocol\Handler\intu-ir2009 {E4616804-F2F8-4839-B728-5305004DA6A7} - C:\Program Files\ImpotRapide 2009\ic2009pp.dll (Intuit Canada, a general partnership/une société en nom collectif.)
    O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
    O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
    O20 - Winlogon\Notify\IfxWlxEN: DllName - IfxWlxEN.dll - C:\WINDOWS\System32\IfxWlxEN.dll (Infineon Technologies AG)
    O20 - Winlogon\Notify\OneCard: DllName - C:\Program Files\HPQ\IAM\Bin\AsWlnPkg.dll - C:\Program Files\HPQ\IAM\Bin\AsWlnPkg.dll (Cognizance Corporation)
    O20 - Winlogon\Notify\PCANotify: DllName - PCANotify.dll - C:\WINDOWS\System32\PCANotify.dll (Symantec Corporation)
    O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
    O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
    O32 - HKLM CDRom: AutoRun - 1
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    NetSvcs: 6to4 - File not found
    NetSvcs: HidServ - C:\WINDOWS\System32\hidserv.dll File not found
    NetSvcs: Ias - File not found
    NetSvcs: Iprip - File not found
    NetSvcs: Irmon - File not found
    NetSvcs: NWCWorkstation - File not found
    NetSvcs: Nwsapagent - File not found
    NetSvcs: WmdmPmSp - File not found

    Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
    Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
    Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
    Drivers32: MSVideo8 - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
    Drivers32: vidc.adv1 - C:\WINDOWS\System32\ADV601.dll (Analog Devices)
    Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
    Drivers32: VIDC.DVSD - C:\WINDOWS\System32\pdvcodec.dll (Matsushita Electric Industrial Co., Ltd.)
    Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
    Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
    Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
    Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
    Drivers32: vidc.tscc - C:\WINDOWS\System32\tsccvid.dll (TechSmith Corporation)
    Drivers32: vidc.XVID - C:\WINDOWS\System32\xvidvfw.dll ()

    CREATERESTOREPOINT
    Restore point Set: OTL Restore Point (16902109354000384)

    ========== Files/Folders - Created Within 30 Days ==========

    [2010-12-25 22:57:56 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood
    [2010-12-24 13:42:02 | 000,000,000 | RHSD | C] -- C:\cmdcons
    [2010-12-24 13:40:32 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
    [2010-12-24 13:40:32 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
    [2010-12-24 13:40:32 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
    [2010-12-24 13:40:32 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
    [2010-12-24 13:40:28 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
    [2010-12-24 13:40:05 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2010-12-23 10:41:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
    [2010-12-23 10:41:37 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
    [2010-12-23 10:41:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    [2010-12-23 10:41:34 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
    [2010-12-23 10:41:34 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
    [2010-12-23 10:35:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\malware
    [2010-12-23 00:28:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Avira
    [2010-12-23 00:17:46 | 000,000,000 | ---D | C] -- C:\WINDOWS\Prefetch
    [2010-12-22 23:32:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Sun
    [2010-12-22 22:47:15 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\scripting
    [2010-12-22 22:47:15 | 000,000,000 | ---D | C] -- C:\WINDOWS\l2schemas
    [2010-12-22 22:47:14 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\en
    [2010-12-22 22:47:14 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\bits
    [2010-12-22 22:44:26 | 000,000,000 | ---D | C] -- C:\WINDOWS\network diagnostic
    [2010-12-22 22:41:56 | 000,000,000 | -H-D | C] -- C:\WINDOWS\$NtServicePackUninstall$
    [2010-12-22 22:28:17 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
    [2010-12-22 22:26:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Roxio
    [2010-12-22 22:26:37 | 000,000,000 | ---D | C] -- C:\Program Files\autorun
    [2010-12-22 22:23:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\Téléchargements
    [2010-12-22 22:14:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Macromedia
    [2010-12-22 22:13:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla
    [2010-12-22 22:13:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Mozilla
    [2010-12-22 22:13:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Adobe
    [2010-12-22 22:12:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Google
    [2010-12-20 03:57:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\AdobeUM
    [2010-12-20 00:30:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe
    [2010-12-19 23:11:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
    [2010-12-19 17:41:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
    [2010-12-19 17:41:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
    [2008-09-21 20:23:41 | 003,520,552 | ---- | C] (Sysinternals - www.sysinternals.com) -- C:\Program Files\procexp.exe
    [2008-02-01 17:42:10 | 000,172,032 | ---- | C] (Simon Tatham) -- C:\Program Files\puttygen.exe
    [2008-02-01 17:42:09 | 000,454,656 | ---- | C] (Simon Tatham) -- C:\Program Files\putty.exe
    [2008-02-01 17:42:09 | 000,307,200 | ---- | C] (Simon Tatham) -- C:\Program Files\psftp.exe
    [2008-02-01 17:42:09 | 000,294,912 | ---- | C] (Simon Tatham) -- C:\Program Files\puttytel.exe
    [2008-02-01 17:42:09 | 000,294,912 | ---- | C] (Simon Tatham) -- C:\Program Files\pscp.exe
    [2008-02-01 17:42:09 | 000,282,624 | ---- | C] (Simon Tatham) -- C:\Program Files\plink.exe
    [2008-02-01 17:42:09 | 000,135,168 | ---- | C] (Simon Tatham) -- C:\Program Files\pageant.exe

    ========== Files - Modified Within 30 Days ==========

    [2010-12-25 23:01:40 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
    [2010-12-25 22:57:25 | 000,441,260 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
    [2010-12-25 22:57:25 | 000,071,196 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
    [2010-12-25 22:57:00 | 000,001,052 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
    [2010-12-25 22:55:24 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2010-12-25 22:52:46 | 000,002,447 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
    [2010-12-25 22:52:30 | 000,001,048 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
    [2010-12-25 22:52:18 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2010-12-25 22:52:15 | 3757,367,296 | -HS- | M] () -- C:\hiberfil.sys
    [2010-12-25 16:24:18 | 000,254,272 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2010-12-25 16:22:24 | 000,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
    [2010-12-25 16:20:03 | 000,135,096 | ---- | M] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys
    [2010-12-25 16:20:03 | 000,061,960 | ---- | M] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys
    [2010-12-24 13:42:05 | 000,000,327 | RHS- | M] () -- C:\boot.ini
    [2010-12-23 10:41:37 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
    [2010-12-23 00:18:50 | 000,000,779 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
    [2010-12-23 00:12:44 | 002,239,685 | ---- | M] () -- C:\WINDOWS\iis6.BAK
    [2010-12-22 22:44:10 | 000,250,048 | RHS- | M] () -- C:\ntldr
    [2010-12-22 20:35:52 | 000,001,536 | ---- | M] () -- C:\WINDOWS\MKDEWE.TRN
    [2010-12-22 18:18:53 | 000,000,673 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\autoruns.lnk
    [2010-12-21 09:03:50 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Cgoyulasejad.dat
    [2010-12-20 18:09:00 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
    [2010-12-20 18:08:40 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

    ========== Files Created - No Company Name ==========

    [2010-12-24 13:42:05 | 000,000,211 | ---- | C] () -- C:\Boot.bak
    [2010-12-24 13:42:03 | 000,263,488 | RHS- | C] () -- C:\cmldr
    [2010-12-24 13:40:32 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
    [2010-12-24 13:40:32 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
    [2010-12-24 13:40:32 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
    [2010-12-24 13:40:32 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
    [2010-12-24 13:40:32 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
    [2010-12-23 10:46:46 | 3757,367,296 | -HS- | C] () -- C:\hiberfil.sys
    [2010-12-23 10:41:37 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
    [2010-12-22 22:47:34 | 000,613,334 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmplayer.chm
    [2010-12-22 22:47:34 | 000,354,468 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpaud1.wav
    [2010-12-22 22:47:34 | 000,343,204 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpaud7.wav
    [2010-12-22 22:47:34 | 000,343,204 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpaud6.wav
    [2010-12-22 22:47:34 | 000,172,196 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpaud9.wav
    [2010-12-22 22:47:34 | 000,172,196 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpaud8.wav
    [2010-12-22 22:47:34 | 000,172,196 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpaud3.wav
    [2010-12-22 22:47:34 | 000,086,196 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpaud5.wav
    [2010-12-22 22:47:34 | 000,086,180 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpaud4.wav
    [2010-12-22 22:47:34 | 000,086,180 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpaud2.wav
    [2010-12-22 22:47:34 | 000,067,374 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmplayer.adm
    [2010-12-22 22:47:34 | 000,023,195 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmplay.chm
    [2010-12-22 22:47:34 | 000,010,457 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmptour.hta
    [2010-12-22 22:47:34 | 000,001,771 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmptour.css
    [2010-12-22 22:47:34 | 000,000,855 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpocm.inf
    [2010-12-22 22:47:34 | 000,000,420 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmploc.js
    [2010-12-22 22:47:33 | 000,300,969 | ---- | C] () -- C:\WINDOWS\System32\dllcache\viz.wmv
    [2010-12-22 22:47:33 | 000,029,070 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmp.inf
    [2010-12-22 22:47:33 | 000,017,272 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmdm.inf
    [2010-12-22 22:47:33 | 000,008,677 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wm7.gif
    [2010-12-22 22:47:33 | 000,007,892 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wm9.gif
    [2010-12-22 22:47:33 | 000,007,636 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wm2.gif
    [2010-12-22 22:47:33 | 000,007,369 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wm4.gif
    [2010-12-22 22:47:33 | 000,006,769 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmfsdk.inf
    [2010-12-22 22:47:33 | 000,006,241 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wm3.gif
    [2010-12-22 22:47:33 | 000,006,060 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wm6.gif
    [2010-12-22 22:47:33 | 000,005,789 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wm1.gif
    [2010-12-22 22:47:33 | 000,005,290 | ---- | C] () -- C:\WINDOWS\System32\dllcache\vidsamp.gif
    [2010-12-22 22:47:33 | 000,004,193 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wm8.gif
    [2010-12-22 22:47:33 | 000,002,477 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wm5.gif
    [2010-12-22 22:47:32 | 000,572,557 | ---- | C] () -- C:\WINDOWS\System32\dllcache\rtuner.wmv
    [2010-12-22 22:47:32 | 000,375,519 | ---- | C] () -- C:\WINDOWS\System32\dllcache\nuskin.wmv
    [2010-12-22 22:47:32 | 000,077,307 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plyr_err.chm
    [2010-12-22 22:47:32 | 000,066,725 | ---- | C] () -- C:\WINDOWS\System32\dllcache\revert.wmz
    [2010-12-22 22:47:32 | 000,023,829 | ---- | C] () -- C:\WINDOWS\System32\dllcache\tourbg.gif
    [2010-12-22 22:47:32 | 000,022,060 | ---- | C] () -- C:\WINDOWS\System32\dllcache\npds.zip
    [2010-12-22 22:47:32 | 000,018,286 | ---- | C] () -- C:\WINDOWS\System32\dllcache\mplayer2.inf
    [2010-12-22 22:47:32 | 000,017,489 | ---- | C] () -- C:\WINDOWS\System32\dllcache\videobg.gif
    [2010-12-22 22:47:32 | 000,003,187 | ---- | C] () -- C:\WINDOWS\System32\dllcache\tour.js
    [2010-12-22 22:47:32 | 000,002,778 | ---- | C] () -- C:\WINDOWS\System32\dllcache\mplogoh.gif
    [2010-12-22 22:47:32 | 000,002,545 | ---- | C] () -- C:\WINDOWS\System32\dllcache\mplogo.gif
    [2010-12-22 22:47:32 | 000,002,469 | ---- | C] () -- C:\WINDOWS\System32\dllcache\tplay.gif
    [2010-12-22 22:47:32 | 000,002,450 | ---- | C] () -- C:\WINDOWS\System32\dllcache\tpause.gif
    [2010-12-22 22:47:32 | 000,002,375 | ---- | C] () -- C:\WINDOWS\System32\dllcache\tplayh.gif
    [2010-12-22 22:47:32 | 000,002,371 | ---- | C] () -- C:\WINDOWS\System32\dllcache\tpauseh.gif
    [2010-12-22 22:47:32 | 000,001,477 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst6.wpl
    [2010-12-22 22:47:32 | 000,001,477 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst5.wpl
    [2010-12-22 22:47:32 | 000,001,474 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst3.wpl
    [2010-12-22 22:47:32 | 000,001,451 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst12.wpl
    [2010-12-22 22:47:32 | 000,001,448 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst4.wpl
    [2010-12-22 22:47:32 | 000,001,398 | ---- | C] () -- C:\WINDOWS\System32\dllcache\taon.gif
    [2010-12-22 22:47:32 | 000,001,380 | ---- | C] () -- C:\WINDOWS\System32\dllcache\taonh.gif
    [2010-12-22 22:47:32 | 000,001,380 | ---- | C] () -- C:\WINDOWS\System32\dllcache\taoff.gif
    [2010-12-22 22:47:32 | 000,001,367 | ---- | C] () -- C:\WINDOWS\System32\dllcache\taoffh.gif
    [2010-12-22 22:47:32 | 000,001,250 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst1.wpl
    [2010-12-22 22:47:32 | 000,001,148 | ---- | C] () -- C:\WINDOWS\System32\dllcache\snd.htm
    [2010-12-22 22:47:32 | 000,001,049 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst2.wpl
    [2010-12-22 22:47:32 | 000,001,046 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst7.wpl
    [2010-12-22 22:47:32 | 000,001,036 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst8.wpl
    [2010-12-22 22:47:32 | 000,000,908 | ---- | C] () -- C:\WINDOWS\System32\dllcache\skins.inf
    [2010-12-22 22:47:32 | 000,000,789 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst11.wpl
    [2010-12-22 22:47:32 | 000,000,787 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst10.wpl
    [2010-12-22 22:47:32 | 000,000,784 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst9.wpl
    [2010-12-22 22:47:32 | 000,000,783 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst13.wpl
    [2010-12-22 22:47:32 | 000,000,775 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst14.wpl
    [2010-12-22 22:47:32 | 000,000,733 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst15.wpl
    [2010-12-22 22:47:32 | 000,000,403 | ---- | C] () -- C:\WINDOWS\System32\dllcache\npdrmv2.zip
    [2010-12-22 22:47:31 | 000,457,607 | ---- | C] () -- C:\WINDOWS\System32\dllcache\mdlib.wmv
    [2010-12-22 22:47:31 | 000,381,425 | ---- | C] () -- C:\WINDOWS\System32\dllcache\copycd.wmv
    [2010-12-22 22:47:31 | 000,184,959 | ---- | C] () -- C:\WINDOWS\System32\dllcache\compact.wmz
    [2010-12-22 22:47:31 | 000,009,585 | ---- | C] () -- C:\WINDOWS\System32\dllcache\controls.css
    [2010-12-22 22:47:31 | 000,008,298 | ---- | C] () -- C:\WINDOWS\System32\dllcache\contents.htm
    [2010-12-22 22:47:31 | 000,006,878 | ---- | C] () -- C:\WINDOWS\System32\dllcache\controls.js
    [2010-12-22 22:47:31 | 000,005,971 | ---- | C] () -- C:\WINDOWS\System32\dllcache\events.js
    [2010-12-22 22:47:31 | 000,000,999 | ---- | C] () -- C:\WINDOWS\System32\dllcache\bktrh.gif
    [2010-12-22 22:47:31 | 000,000,773 | ---- | C] () -- C:\WINDOWS\System32\dllcache\cnth.gif
    [2010-12-22 22:47:31 | 000,000,773 | ---- | C] () -- C:\WINDOWS\System32\dllcache\cnt.gif
    [2010-12-22 22:47:31 | 000,000,772 | ---- | C] () -- C:\WINDOWS\System32\dllcache\cntd.gif
    [2010-12-22 22:47:31 | 000,000,760 | ---- | C] () -- C:\WINDOWS\System32\dllcache\cloapph.gif
    [2010-12-22 22:47:31 | 000,000,717 | ---- | C] () -- C:\WINDOWS\System32\dllcache\cloapp.gif
    [2010-12-22 22:45:38 | 000,844,314 | ---- | C] () -- C:\WINDOWS\System32\dllcache\msdxm.ocx
    [2010-12-22 22:45:38 | 000,004,126 | ---- | C] () -- C:\WINDOWS\System32\dllcache\msdxmlc.dll
    [2010-12-22 22:44:25 | 000,064,352 | ---- | C] () -- C:\WINDOWS\System32\drivers\ativmc20.cod
    [2010-12-22 22:44:24 | 000,129,045 | ---- | C] () -- C:\WINDOWS\System32\drivers\cxthsfs2.cty
    [2010-12-22 22:44:23 | 000,067,866 | ---- | C] () -- C:\WINDOWS\System32\drivers\netwlan5.img
    [2010-12-22 18:18:34 | 000,000,673 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\autoruns.lnk
    [2010-12-22 02:41:36 | 000,002,206 | ---- | C] () -- C:\WINDOWS\System32\wpa.dbl
    [2010-12-19 14:55:01 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Cgoyulasejad.dat
    [2010-08-19 22:56:37 | 000,137,248 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
    [2009-05-12 15:37:32 | 000,000,062 | ---- | C] () -- C:\WINDOWS\dcmvwr.INI
    [2009-03-07 12:12:28 | 000,906,784 | ---- | C] () -- C:\WINDOWS\System32\owl52f.dll
    [2009-03-05 17:48:59 | 000,224,256 | ---- | C] () -- C:\Program Files\fentun.exe
    [2009-02-20 14:33:27 | 000,112,688 | ---- | C] () -- C:\WINDOWS\System32\shw32.dll
    [2008-12-14 13:21:42 | 000,110,080 | ---- | C] () -- C:\WINDOWS\System32\w32mkrc.dll
    [2008-12-10 22:00:38 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Title.INI
    [2008-11-05 21:53:50 | 000,761,856 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
    [2008-11-05 21:53:50 | 000,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
    [2008-10-31 14:47:46 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\cpwmon2k.dll
    [2008-09-27 21:26:28 | 000,000,121 | ---- | C] () -- C:\WINDOWS\Winamp.ini
    [2008-09-27 21:25:47 | 000,032,770 | ---- | C] () -- C:\WINDOWS\System32\ltinp32.dll
    [2008-09-27 21:25:47 | 000,028,674 | ---- | C] () -- C:\WINDOWS\System32\cpnoged.dll
    [2008-09-21 22:04:32 | 000,000,028 | ---- | C] () -- C:\WINDOWS\MotionSDSTUDIO.INI
    [2008-09-21 21:50:40 | 000,056,056 | ---- | C] () -- C:\WINDOWS\System32\DLAAPI_W.DLL
    [2008-09-21 21:42:49 | 000,000,280 | ---- | C] () -- C:\WINDOWS\wininit.ini
    [2008-09-21 21:26:52 | 000,000,000 | ---- | C] () -- C:\WINDOWS\OpPrintServer.INI
    [2008-09-21 20:23:42 | 000,072,138 | ---- | C] () -- C:\Program Files\procexp.chm
    [2008-02-01 17:42:10 | 001,518,921 | ---- | C] () -- C:\Program Files\putty.zip
    [2008-02-01 17:42:10 | 000,368,336 | ---- | C] () -- C:\Program Files\puttydoc.txt
    [2008-02-01 17:42:10 | 000,041,438 | -H-- | C] () -- C:\Program Files\putty.GID
    [2008-02-01 17:42:10 | 000,026,269 | ---- | C] () -- C:\Program Files\putty.log
    [2008-02-01 17:42:10 | 000,000,427 | ---- | C] () -- C:\Program Files\putty readme.txt
    [2008-01-16 20:25:15 | 000,000,063 | ---- | C] () -- C:\WINDOWS\mdm.ini
    [2008-01-16 20:25:10 | 000,000,000 | ---- | C] () -- C:\WINDOWS\NSREX.INI
    [2008-01-16 19:02:54 | 000,000,589 | ---- | C] () -- C:\WINDOWS\lotus.ini
    [2008-01-16 19:02:40 | 000,013,049 | ---- | C] () -- C:\WINDOWS\123R5.INI
    [2008-01-16 19:02:40 | 000,000,478 | ---- | C] () -- C:\WINDOWS\LODBF04.INI
    [2008-01-16 19:02:40 | 000,000,397 | ---- | C] () -- C:\WINDOWS\ODBC.INI
    [2008-01-14 16:58:37 | 000,000,136 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\fusioncache.dat
    [2008-01-02 13:37:08 | 000,413,696 | ---- | C] () -- C:\WINDOWS\System32\RTClientSDK71.dll
    [2008-01-02 13:37:08 | 000,001,147 | ---- | C] () -- C:\WINDOWS\System32\IPCamera.ini
    [2007-11-06 15:19:28 | 000,053,299 | ---- | C] () -- C:\WINDOWS\System32\pthreadVC.dll
    [2007-05-11 20:45:38 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
    [2007-05-11 20:37:38 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
    [2007-05-11 20:37:38 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
    [2007-05-11 20:37:38 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
    [2007-05-11 20:37:38 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
    [2007-05-11 20:37:38 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
    [2007-05-11 20:37:38 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
    [2006-11-28 19:03:16 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
    [2006-09-18 22:02:40 | 000,520,192 | ---- | C] () -- C:\WINDOWS\System32\CddbPlaylist2Roxio.dll
    [2006-09-18 22:02:40 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\CddbFileTaggerRoxio.dll
    [2006-04-25 12:31:56 | 000,004,298 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
    [2006-04-20 08:34:38 | 000,197,680 | ---- | C] () -- C:\WINDOWS\System32\vpnapi.dll
    [2006-04-20 08:34:24 | 000,193,584 | ---- | C] () -- C:\WINDOWS\System32\CSGina.dll
    [2005-05-03 00:45:58 | 000,038,912 | ---- | C] () -- C:\WINDOWS\System32\ClientTool.dll
    [2005-05-03 00:45:56 | 000,315,392 | ---- | C] () -- C:\WINDOWS\System32\ClientRes.dll
    [2005-05-02 23:13:30 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\Viewing.dll
    [2005-05-02 23:13:30 | 000,017,408 | ---- | C] () -- C:\WINDOWS\System32\Network.dll
    [2004-07-19 21:52:22 | 000,270,336 | ---- | C] () -- C:\WINDOWS\System32\cximage.dll
    [2002-03-19 16:30:00 | 000,141,824 | ---- | C] () -- C:\WINDOWS\System32\msvdm.dll
    [2000-04-12 15:28:12 | 000,118,784 | ---- | C] () -- C:\WINDOWS\System32\lfkodak.dll
    [2000-04-12 15:24:10 | 000,338,944 | ---- | C] () -- C:\WINDOWS\System32\LFFPX7.dll
    [1999-01-22 13:46:58 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL
    [1998-08-23 18:36:00 | 000,063,488 | ---- | C] () -- C:\WINDOWS\System32\Eztw32.dll
    [1998-05-06 22:10:00 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\ODMA32.dll

    THE REST OF IT ON THE NEXT POST!
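
The log above is raw OTL output, so a reader has to eyeball hundreds of lines for the handful worth checking. The script below is an added example, not part of dmonfette's post and not a tool shipped with OTL: it parses the two line shapes shown in this log (the `O16 - DPF:` downloaded-ActiveX entries and the bracketed `[date | size | attrs | C/M] (Company) -- path` file entries) and applies two plain triage heuristics. ActiveX controls pulled from a raw IP address or a non-standard port get flagged, and files under the system root that were created or modified inside an assumed incident window with no company name get flagged. A flag is a prompt to review the item, not a verdict that it is malicious. The sample lines are copied from the log above and embedded inline; the incident window (2010-12-19 through 2010-12-25) and the `C:\WINDOWS` system root are assumptions.

```python
"""Triage helper for OTL-style log lines (added example, not OTL's own code)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed sample: a few lines copied verbatim from the OTL output above.
SAMPLE_OTL = r"""
O16 - DPF: {46D8BEE7-0B27-4466-ABA2-A5F1E157971C} http://65.254.18.46:100/RemoteWeb.cab (Remote200 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {A2DA760C-D2DF-4FED-92B4-593E3F148692} http://demopc8p24.dss.com.tw:1700/WebCamX.cab (WebCamX Control)
[2010-12-24 13:40:32 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010-12-21 09:03:50 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Cgoyulasejad.dat
[2010-12-25 23:01:40 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2008-11-05 21:53:50 | 000,761,856 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
"""

# Assumed incident window: from the day the fake-defrag popup appeared through
# the day this log was taken. Entries outside it are background for this pass.
WINDOW_START = datetime(2010, 12, 19)
WINDOW_END = datetime(2010, 12, 26)

DPF_RE = re.compile(r"^O16 - DPF: \{([0-9A-Fa-f-]+)\} (\S+) \((.*)\)$")
FILE_RE = re.compile(
    r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \| ([\d,]+) \| (\S{4}) \| ([CM])\] "
    r"\((.*?)\) -- (.*)$"
)


@dataclass
class Finding:
    line: str      # the original log line
    subject: str   # URL or file path the finding is about
    reason: str    # why it deserves a look (a review prompt, not a verdict)


def dpf_reasons(url: str) -> list[str]:
    """Heuristics for O16 DPF (downloaded ActiveX) entries."""
    parts = urlsplit(url)
    reasons: list[str] = []
    if parts.hostname is None:
        return reasons
    try:
        ip_address(parts.hostname)  # raises ValueError for a DNS name
        reasons.append("ActiveX control fetched from a raw IP address")
    except ValueError:
        pass
    if parts.port not in (None, 80, 443):
        reasons.append(f"non-standard port {parts.port}")
    return reasons


def file_reasons(stamp: str, company: str, path: str,
                 start: datetime, end: datetime, system_root: str) -> list[str]:
    """Heuristics for the bracketed file-list entries."""
    when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
    if not (start <= when < end):
        return []
    in_system = path.lower().startswith(system_root.lower() + "\\")
    if in_system and company == "":
        return ["touched inside incident window under system root, no company name"]
    return []


def triage(text: str, start: datetime = WINDOW_START, end: datetime = WINDOW_END,
           system_root: str = r"C:\WINDOWS") -> list[Finding]:
    """Walk OTL text line by line and collect review prompts in log order."""
    findings: list[Finding] = []
    for raw in text.strip().splitlines():
        line = raw.strip()  # the forum rendering indents every log line
        if m := DPF_RE.match(line):
            _guid, url, _name = m.groups()
            for reason in dpf_reasons(url):
                findings.append(Finding(line, url, reason))
        elif m := FILE_RE.match(line):
            stamp, _size, _attrs, _flag, company, path = m.groups()
            for reason in file_reasons(stamp, company, path, start, end, system_root):
                findings.append(Finding(line, path, reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_OTL):
        print(f"{f.subject}\n    {f.reason}")
```

Run it as-is to see the five prompts the sample produces: the two remote-viewer cabs served from an IP and from a high port, the `Cgoyulasejad.dat` file and the `hosts` file, both written inside the window with no publisher. The ComboFix helper `SWREG.exe` is skipped because it carries a company name, and `xvidcore.dll` is skipped because its timestamp predates the window. Feed the whole OTL.txt in and widen or narrow the window to match your own incident timeline; the point of the window is that an XP box accumulates years of unsigned third-party DLLs in System32, and only the ones touched around the incident deserve a first look.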
     
  18. 2010/12/25
    dmonfette
    ... and the end of OTL.txt:

    ========== LOP Check ==========

    [2007-05-11 20:40:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Infineon
    [2007-05-11 20:42:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\SampleView
    [2007-05-11 20:40:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Infineon
    [2008-10-13 19:45:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\LightScribe
    [2008-09-21 22:04:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Panasonic
    [2010-07-19 17:57:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PlotSoft
    [2008-10-09 20:13:42 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\All Users\Application Data\System Restore
    [2009-02-05 18:37:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TDK
    [2008-09-21 22:29:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
    [2009-01-28 17:43:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinAgents

    ========== Purity Check ==========



    ========== Custom Scans ==========


    < %SYSTEMDRIVE%\*.* >
    [2010-09-30 17:45:31 | 000,000,000 | ---- | M] () -- C:\adv1.err
    [2008-01-14 16:48:02 | 000,000,211 | ---- | M] () -- C:\Boot.bak
    [2010-12-24 13:42:05 | 000,000,327 | RHS- | M] () -- C:\boot.ini
    [2004-08-03 23:00:08 | 000,263,488 | RHS- | M] () -- C:\cmldr
    [2010-12-25 23:02:35 | 000,047,153 | ---- | M] () -- C:\ComboFix.txt
    [2010-12-25 22:52:15 | 3757,367,296 | -HS- | M] () -- C:\hiberfil.sys
    [2008-01-16 19:02:14 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
    [2010-12-25 22:53:26 | 000,000,000 | ---- | M] () -- C:\Log.txt
    [2008-01-16 19:02:14 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
    [2006-02-27 21:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
    [2010-12-22 22:44:10 | 000,250,048 | RHS- | M] () -- C:\ntldr
    [2010-12-25 22:52:14 | 2145,386,496 | -HS- | M] () -- C:\pagefile.sys
    [2010-12-23 18:17:10 | 000,051,818 | ---- | M] () -- C:\TDSSKiller.2.4.12.0_23.12.2010_18.16.13_log.txt

    < %systemroot%\Fonts\*.com >
    [2006-04-18 14:39:28 | 000,026,040 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
    [2006-06-29 13:53:56 | 000,026,489 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
    [2006-04-18 14:39:28 | 000,029,779 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
    [2006-06-29 13:58:52 | 000,030,808 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont

    < %systemroot%\Fonts\*.dll >

    < %systemroot%\Fonts\*.ini >
    [2006-04-25 12:31:24 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini

    < %systemroot%\Fonts\*.ini2 >

    < %systemroot%\Fonts\*.exe >

    < %systemroot%\system32\spool\prtprocs\w32x86\*.* >
    [2008-07-06 07:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
    [2008-07-06 05:50:03 | 000,597,504 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe

    < %systemroot%\REPAIR\*.bak1 >

    < %systemroot%\REPAIR\*.ini >

    < %systemroot%\system32\*.jpg >

    < %systemroot%\*.jpg >

    < %systemroot%\*.png >

    < %systemroot%\*.scr >

    < %systemroot%\*._sy >

    < %APPDATA%\Adobe\Update\*.* >

    < %ALLUSERSPROFILE%\Favorites\*.* >

    < %APPDATA%\Microsoft\*.* >

    < %PROGRAMFILES%\*.* >
    [2009-03-05 17:49:01 | 000,224,256 | ---- | M] () -- C:\Program Files\fentun.exe
    [2007-05-17 09:56:21 | 000,135,168 | ---- | M] (Simon Tatham) -- C:\Program Files\pageant.exe
    [2007-05-17 09:56:16 | 000,282,624 | ---- | M] (Simon Tatham) -- C:\Program Files\plink.exe
    [2007-08-31 05:36:16 | 000,072,138 | ---- | M] () -- C:\Program Files\procexp.chm
    [2008-08-06 16:27:08 | 003,520,552 | ---- | M] (Sysinternals - www.sysinternals.com) -- C:\Program Files\procexp.exe
    [2007-05-17 09:56:06 | 000,294,912 | ---- | M] (Simon Tatham) -- C:\Program Files\pscp.exe
    [2007-05-17 09:56:11 | 000,307,200 | ---- | M] (Simon Tatham) -- C:\Program Files\psftp.exe
    [2005-10-16 17:50:31 | 000,000,427 | ---- | M] () -- C:\Program Files\putty readme.txt
    [2007-05-17 09:55:26 | 000,454,656 | ---- | M] (Simon Tatham) -- C:\Program Files\putty.exe
    [2007-05-17 09:52:15 | 000,041,438 | -H-- | M] () -- C:\Program Files\putty.GID
    [2005-12-13 16:14:23 | 000,587,549 | ---- | M] () -- C:\Program Files\putty.hlp
    [2006-02-01 10:35:46 | 000,026,269 | ---- | M] () -- C:\Program Files\putty.log
    [2007-05-17 09:56:40 | 001,518,921 | ---- | M] () -- C:\Program Files\putty.zip
    [2005-12-13 16:13:27 | 000,368,336 | ---- | M] () -- C:\Program Files\puttydoc.txt
    [2007-05-17 09:56:26 | 000,172,032 | ---- | M] (Simon Tatham) -- C:\Program Files\puttygen.exe
    [2007-05-17 09:56:01 | 000,294,912 | ---- | M] (Simon Tatham) -- C:\Program Files\puttytel.exe

    < %APPDATA%\Update\*.* >

    < %systemroot%\*. /mp /s >

    < %systemroot%\System32\config\*.sav >
    [2006-04-25 05:17:50 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
    [2006-04-25 05:17:50 | 000,659,456 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
    [2006-04-25 05:17:50 | 000,864,256 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

    < %PROGRAMFILES%\bak. /s >

    < %systemroot%\system32\bak. /s >

    < %ALLUSERSPROFILE%\Start Menu\*.lnk /x >
    [2010-12-22 22:47:53 | 000,000,272 | -HS- | M] () -- C:\Documents and Settings\All Users\Start Menu\desktop.ini

    < %systemroot%\system32\config\systemprofile\*.dat /x >

    < %systemroot%\*.config >

    < %systemroot%\system32\*.db >

    < %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
    [2010-12-23 00:20:03 | 000,000,119 | -HS- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini
    [2006-04-25 12:41:10 | 000,000,079 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf

    < %USERPROFILE%\Desktop\*.exe >

    < %PROGRAMFILES%\Common Files\*.* >

    < %systemroot%\*.src >

    < %systemroot%\install\*.* >

    < %systemroot%\system32\DLL\*.* >

    < %systemroot%\system32\HelpFiles\*.* >

    < %systemroot%\system32\rundll\*.* >

    < %systemroot%\winn32\*.* >

    < %systemroot%\Java\*.* >

    < %systemroot%\system32\test\*.* >

    < %systemroot%\system32\Rundll32\*.* >

    < %systemroot%\AppPatch\Custom\*.* >

    < %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

    < %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

    < %PROGRAMFILES%\Internet Explorer\*.tmp >

    < %PROGRAMFILES%\Internet Explorer\*.dat >

    < %USERPROFILE%\My Documents\*.exe >

    < %USERPROFILE%\*.exe >

    < %systemroot%\ADDINS\*.* >

    < %systemroot%\assembly\*.bak2 >

    < %systemroot%\Config\*.* >

    < %systemroot%\REPAIR\*.bak2 >

    < %systemroot%\SECURITY\Database\*.sdb /x >

    < %systemroot%\SYSTEM\*.bak2 >

    < %systemroot%\Web\*.bak2 >

    < %systemroot%\Driver Cache\*.* >

    < %PROGRAMFILES%\Mozilla Firefox\0*.exe >

    < %ProgramFiles%\Microsoft Common\*.* >

    < %ProgramFiles%\TinyProxy. >

    < %USERPROFILE%\Favorites\*.url /x >
    [2010-12-23 00:20:03 | 000,000,122 | -HS- | M] () -- C:\Documents and Settings\Administrator\Favorites\Desktop.ini

    < %systemroot%\system32\*.bk >

    < %systemroot%\*.te >

    < %systemroot%\system32\system32\*.* >

    < %ALLUSERSPROFILE%\*.dat /x >

    < %systemroot%\system32\drivers\*.rmv >

    < dir /b "%systemroot%\system32\*.exe" | find /i " " /c >
    No captured output from command...

    < dir /b "%systemroot%\*.exe" | find /i " " /c >
    No captured output from command...

    < %PROGRAMFILES%\Microsoft\*.* >

    < %systemroot%\System32\Wbem\proquota.exe >

    < %PROGRAMFILES%\Mozilla Firefox\*.dat >

    < %USERPROFILE%\Cookies\*.txt /x >
    [2010-12-25 23:04:02 | 000,032,768 | ---- | M] () -- C:\Documents and Settings\Administrator\Cookies\index.dat

    < %SystemRoot%\system32\fonts\*.* >

    < %systemroot%\system32\winlog\*.* >

    < %systemroot%\system32\Language\*.* >

    < %systemroot%\system32\Settings\*.* >

    < %systemroot%\system32\*.quo >

    < %SYSTEMROOT%\AppPatch\*.exe >

    < %SYSTEMROOT%\inf\*.exe >
    [2008-04-14 05:42:40 | 000,208,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\inf\unregmp2.exe

    < %SYSTEMROOT%\Installer\*.exe >

    < %systemroot%\system32\config\*.bak2 >

    < %systemroot%\system32\Computers\*.* >

    < %SystemRoot%\system32\Sound\*.* >

    < %SystemRoot%\system32\SpecialImg\*.* >

    < %SystemRoot%\system32\code\*.* >

    < %SystemRoot%\system32\draft\*.* >

    < %SystemRoot%\system32\MSSSys\*.* >

    < %ProgramFiles%\Javascript\*.* >

    < %systemroot%\pchealth\helpctr\System\*.exe /s >

    < %systemroot%\Web\*.exe >

    < %systemroot%\system32\msn\*.* >

    < %systemroot%\system32\*.tro >

    < %AppData%\Microsoft\Installer\msupdates\*.* >

    < %ProgramFiles%\Messenger\*.* >
    [2008-04-14 05:41:52 | 000,033,792 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\custsat.dll
    [2004-08-03 22:06:34 | 000,004,821 | ---- | M] () -- C:\Program Files\Messenger\logowin.gif
    [2004-08-03 22:06:34 | 000,007,047 | ---- | M] () -- C:\Program Files\Messenger\lvback.gif
    [2008-05-02 09:01:49 | 000,083,968 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msgsc.dll
    [2008-04-13 23:00:30 | 000,180,224 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msgslang.dll
    [2008-04-14 05:42:30 | 001,695,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe
    [2004-08-03 22:06:36 | 000,002,882 | ---- | M] () -- C:\Program Files\Messenger\newalert.wav
    [2004-08-03 22:06:36 | 000,006,156 | ---- | M] () -- C:\Program Files\Messenger\newemail.wav
    [2004-08-03 22:06:36 | 000,006,160 | ---- | M] () -- C:\Program Files\Messenger\online.wav
    [2004-08-03 22:06:36 | 000,004,454 | ---- | M] () -- C:\Program Files\Messenger\type.wav
    [2004-08-03 22:06:36 | 000,115,981 | ---- | M] () -- C:\Program Files\Messenger\xpmsgr.chm

    < %systemroot%\system32\systhem32\*.* >

    < %systemroot%\system\*.exe >
    [1999-09-10 11:06:00 | 000,004,672 | ---- | M] (Adaptec) -- C:\WINDOWS\system\WOWPOST.EXE

    < HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ Auto Update\Results\Install|LastSuccessTime /rs >


    < End of report >
     
  19. 2010/12/25
    dmonfette

    dmonfette Inactive Thread Starter

    ... and extra.txt:

    OTL Extras logfile created on: 2010-12-25 23:19:05 - Run 1
    OTL by OldTimer - Version 3.2.18.0 Folder = C:\Documents and Settings\Administrator\Desktop\malware\otl
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 6.0.2900.5512)
    Locale: 00000C0C | Country: Canada | Language: FRC | Date Format: yyyy-MM-dd

    3,00 Gb Total Physical Memory | 3,00 Gb Available Physical Memory | 84,00% Memory free
    5,00 Gb Paging File | 5,00 Gb Available in Paging File | 91,00% Paging File free
    Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 66,51 Gb Total Space | 25,81 Gb Free Space | 38,81% Space Free | Partition Type: NTFS
    Drive D: | 8,01 Gb Total Space | 6,23 Gb Free Space | 77,80% Space Free | Partition Type: NTFS
    Drive E: | 331,05 Gb Total Space | 147,48 Gb Free Space | 44,55% Space Free | Partition Type: NTFS

    Computer Name: DAN | User Name: Administrator | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: Current user | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    exefile [open] -- "%1" %*
    htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office\WINWORD.EXE" /n File not found
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1 "
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
    Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirstRunDisabled" = 1
    "AntiVirusDisableNotify" = 0
    "FirewallDisableNotify" = 0
    "UpdatesDisableNotify" = 0
    "AntiVirusOverride" = 0
    "FirewallOverride" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

    ========== System Restore Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
    "Start" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
    "Start" = 2

    ========== Firewall Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
    "139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
    "445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
    "137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
    "138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
    "1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
    "2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall" = 1
    "DoNotAllowExceptions" = 0
    "DisableNotifications" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
    "4899:TCP" = 4899:TCP:*:Enabled:Remote_Admin
    "1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
    "2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
    "139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
    "445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
    "137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
    "138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "C:\WINDOWS\SMINST\Scheduler.exe" = C:\WINDOWS\SMINST\Scheduler.exe:*:Enabled:Scheduler -- ()
    "C:\Program Files\TightVNC\WinVNC.exe" = C:\Program Files\TightVNC\WinVNC.exe:*:Enabled:Launch TightVNC Server -- (TightVNC Group)
    "C:\Program Files\Look@LAN\LookAtLan.exe" = C:\Program Files\Look@LAN\LookAtLan.exe:*:Enabled:Look@LAN -- (Carlo Medas)
    "C:\Program Files\RemoteAgent64\Bin\EventServer.exe" = C:\Program Files\RemoteAgent64\Bin\EventServer.exe:*:Enabled:Event Server -- (OEM)
    "C:\Program Files\Java\jre6\bin\java.exe" = C:\Program Files\Java\jre6\bin\java.exe:*:Enabled:Java(TM) Platform SE binary -- (Sun Microsystems, Inc.)
    "C:\Program Files\Symantec\pcAnywhere\awrem32.exe" = C:\Program Files\Symantec\pcAnywhere\awrem32.exe:*:Disabled:Remote Control Module -- (Symantec Corporation)
    "C:\Program Files\Xming\Xming.exe" = C:\Program Files\Xming\Xming.exe:*:Enabled:Xming X Server -- ()
    "E:\Program Files\Sun\VirtualBox\VirtualBox.exe" = E:\Program Files\Sun\VirtualBox\VirtualBox.exe:*:Enabled:VirtualBox GUI -- (Sun Microsystems, Inc.)
    "C:\Program Files\Microsoft LifeCam\LifeCam.exe" = C:\Program Files\Microsoft LifeCam\LifeCam.exe:*:Enabled:LifeCam.exe -- (Microsoft Corporation)
    "C:\Program Files\Microsoft LifeCam\LifeEnC2.exe" = C:\Program Files\Microsoft LifeCam\LifeEnC2.exe:*:Enabled:LifeEnC2.exe -- (Microsoft Corporation)
    "C:\Program Files\Microsoft LifeCam\LifeExp.exe" = C:\Program Files\Microsoft LifeCam\LifeExp.exe:*:Enabled:LifeExp.exe -- (Microsoft Corporation)
    "C:\Program Files\Microsoft LifeCam\LifeTray.exe" = C:\Program Files\Microsoft LifeCam\LifeTray.exe:*:Enabled:LifeTray.exe -- (Microsoft Corporation)
    "C:\Program Files\Toktumi\Toktumi.exe" = C:\Program Files\Toktumi\Toktumi.exe:*:Enabled:Toktumi client application -- (Toktumi)
    "C:\WINDOWS\system32\dpvsetup.exe" = C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test -- (Microsoft Corporation)
    "C:\Program Files\JM Integrated Remote Station\cms\EventLogger.exe" = C:\Program Files\JM Integrated Remote Station\cms\EventLogger.exe:*:Disabled:EventLogger -- ()
    "C:\Program Files\Google\Google Earth\client\googleearth.exe" = C:\Program Files\Google\Google Earth\client\googleearth.exe:*:Enabled:Google Earth -- (Google)
    "C:\Program Files\BitTorrent\bittorrent.exe" = C:\Program Files\BitTorrent\bittorrent.exe:*:Disabled:BitTorrent -- (BitTorrent, Inc.)
    "C:\Program Files\DNA\btdna.exe" = C:\Program Files\DNA\btdna.exe:*:Disabled:DNA -- (BitTorrent, Inc.)


    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{0345CF70-FA00-4F4E-A218-0FA494F465A4}" = LightScribe Template Designs - Business Pack 1
    "{0394CDC8-FABD-4ed8-B104-03393876DFDF}" = Roxio Creator Tools
    "{075473F5-846A-448B-BCB3-104AA1760205}" = Roxio Data Module
    "{07D00E73-7F67-4008-A33C-80C7D53F1857}" = Radmin Viewer 3.0
    "{0878E100-C0BB-41E8-B4C6-C486B61FDA7B}" = Canon PhotoRecord
    "{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel
    "{0D397393-9B50-4c52-84D5-77E344289F87}" = Roxio Creator Data
    "{0E0DF90C-D0BA-4C89-9262-AD78D1A3DE51}" = HP USB Disk Storage Format Tool
    "{0F8C8B5A-B076-4400-8262-41D6131099ED}" = ImpôtRapide 2009
    "{111A3D14-7596-43B0-92BA-418435C90672}" = Intel(R) PRO Network Connections
    "{115E8183-866A-11D3-97DF-0000F8D8F2E9}" = Symantec pcAnywhere
    "{15B6EAD9-E83D-458F-AF6F-B8F865FA4F28}" = LightScribe Template Designs - Wedding Pack 1
    "{167ABF69-A947-4839-856D-3BA2274FCBE9}" = ImpôtRapide 2008
    "{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
    "{21657574-BD54-48A2-9450-EB03B2C7FC29}" = Roxio MyDVD Plus
    "{218BBBE3-FE63-4BB2-81A8-7435575A84FA}" = PhotoStitch
    "{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
    "{26A24AE4-039D-4CA4-87B4-2F83216018FF}" = Java(TM) 6 Update 18
    "{28291BD5-92D2-4685-82DC-CCA925C53CCA}" = RemoteCapture Task 1.1
    "{2BB2B8D4-5753-45C8-8073-765AFAF053BC}" = HP Embedded Security for ProtectTools
    "{2CDB2DCD-1153-4ED4-9D0A-606231CEFE9A}" = LightScribe Template Designs - Art Pack 1
    "{2F4C24E6-CBD4-4AAC-B56F-C9FD44DE5668}" = Roxio Drag-to-Disc
    "{2F5AEC7C-8B46-4807-8DC1-0BFA072C151C}" = VBrick StreamPlayerPlus
    "{305D4B08-5807-4475-B1C8-D54685534864}" = LightScribeTemplateLabeler
    "{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
    "{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java(TM) 6 Update 7
    "{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
    "{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}" = Sonic Activation Module
    "{3912A629-0020-0005-3131-2FBA74D4DF0A}" = InterVideo WinDVD
    "{397FF711-8BD9-4388-ADFC-2A878B83F018}" = Cisco Network Assistant
    "{3F9F7336-6DF8-476F-ABF6-C70A17FAF619}" = HP Backup and Recovery Manager
    "{414A373B-59DF-4102-94CA-9FE9A74CBDDA}" = Garmin Trip and Waypoint Manager v5
    "{4286E640-B5FB-11DF-AC4B-005056C00008}" = Google*Earth
    "{45EF4EE3-F591-4B74-A477-0CAE12934CE7}" = RAW Image Task 1.2
    "{47A3FE80-528F-482B-8143-B3A4645557FC}" = Microsoft LifeCam
    "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
    "{4C96958A-6562-4143-B820-FF4890D3B734}" = Camera Window DVC
    "{4EE2EF4B-25D3-4D44-8384-A2B96F811F55}" = OpenOffice.org 3.2
    "{4EEB184A-2429-4ACB-8538-5CB8D70547CB}_is1" = Hawke BRC 1.0.5
    "{5254D71A-2EB7-4EE1-9AFD-DCF82DDEE009}" = Palm SDK
    "{570ADBDA-6161-42D7-8B31-CF511B964257}" = Toktumi client
    "{5DA6F06A-B389-407B-BF8C-1548767914D8}" = ATI Problem Report Wizard
    "{5E3CFCA6-C95A-47CB-A822-7FA80D423AF2}" = MapSource
    "{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}" = Roxio Creator Copy
    "{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler 3
    "{6813B620-4109-4E66-9A28-4F32789851D2}" = JM Integrated Remote Station
    "{69333A04-5134-40A5-A055-9166A7AA1EC8}" =
    "{6EC874C2-F950-4B7E-A5B7-B1066D6B74AA}" = QuickTime
    "{725F0ABA-808A-4256-885C-1E60245521D0}" = LightScribe Template Designs - Sports Pack 1
    "{7373184D-8E8F-4308-912A-3901071FA1AD}" = LightScribe Applications
    "{8174AEA7-A8D5-450D-8340-51D409CA4D76}" = Sun VirtualBox
    "{83FFCFC7-88C6-41c6-8752-958A45325C82}" = Roxio Creator Audio
    "{85548764-32DC-43ED-BAA5-5386FDB2500A}" = LightScribe Template Designs - Urban Pack 1
    "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
    "{8AF1E098-1A5C-4336-BBE2-D047ABB401ED}" = MovieEdit Task
    "{91203BD3-6C3E-472F-ADBD-F60FDC7C4010}" = Camera Window DS
    "{914E1AB1-DCA0-4A7D-935F-B58C4B887A2B}" = HP ProtectTools Security Manager 2.00 D3
    "{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}" = InterVideo WinDVD
    "{91F1A0D6-23AD-49FE-8D4E-379485652214}" = Camera Support Core Library
    "{938B1CD7-7C60-491E-AA90-1F1888168240}" = Roxio MyDVD Basic v9
    "{99867949-A794-11D5-8228-005004A6E645}" = Family Tree SuperTools
    "{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    "{9F308117-9B2F-45EB-9FAF-B59CD8339673}" = MapSource - Topo Canada v2
    "{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
    "{A34DCE59-0004-0000-2010-3F8A9926B752}" = FortiClient SSL VPN v4.0.2010
    "{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
    "{A93C4E94-1005-489D-BEAA-B873C1AA6CFC}" = HP Help and Support
    "{AA47D951-588B-48A5-8183-21C44B1EA6EA}" = VRWriter4
    "{AAD51583-6D43-4444-A1FF-0C8345345526}" = Radmin Server 3.0
    "{AB708C9B-97C8-4AC9-899B-DBF226AC9382}" = Roxio Audio Module
    "{AC76BA86-7AD7-1033-7B44-A70000000000}" = Adobe Reader 7.0
    "{AE052EF7-2640-48D7-8915-69B810D975CB}" = HP BIOS Configuration for ProtectTools 2.00 J2
    "{B12665F4-4E93-4AB4-B7FC-37053B524629}" = Roxio Copy Module
    "{B3BC9DB1-0B0A-48B0-B86B-EA77CAA7F800}" = Microsoft Corporation
    "{B6C766E9-B26D-4D54-A22B-A52B069C6C14}" = LightScribe Template Designs - Special Occasion Pack 1
    "{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}" = Apple Software Update
    "{B9ECA41B-55CC-4654-B6B5-6731D009EC69}" = NTI Backup Now EZ
    "{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
    "{C1D76D7A-F3BB-47EA-A746-5B1E2FFC1DF2}" = Canon ZoomBrowser EX
    "{C7281207-4AA4-425E-B57A-0E9EF8445635}" = Camera Window MC
    "{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}" = Roxio Creator Basic v9
    "{C9E4932C-8417-4E4C-A0E3-EE534810AB4D}" = ClearType Tuning Control Panel Applet
    "{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
    "{CD95D125-2992-4858-B3EF-5F6FB52FBAD6}" = Skype Toolbars
    "{CDCBF62D-8E74-44A5-91AD-44AB4C2EFD89}" = InterVideo FilterSDK for Panasonic
    "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
    "{CEF736FF-8133-42F3-8E18-BDFE293B87FF}" = LightScribe Template Designs - Holiday Pack 1
    "{D1399216-81B2-457C-A0F7-73B9A2EF6902}" = PDFill PDF Editor with FREE Writer and FREE Tools
    "{D173E50C-D87F-40A1-BFB2-FFEA51F92CB1}" = HP Credential Manager for ProtectTools
    "{D25122BC-A60E-4663-B602-B01718F12044}" = Cisco Systems VPN Client 4.8.01.0300
    "{DA9DAC64-C947-47BA-B411-8A1959B177CF}" = LightScribe System Software 1.14.25.1
    "{DB518BA6-CB74-4EB6-9ABD-880B6D6E1F38}" = HpSdpAppCoreApp
    "{DE72186D-A4A5-4504-839C-B14FC3432DA1}" = LightScribe Template Designs - Fantasy Pack 1
    "{E045A5E3-0FC6-4AC2-BBE3-C49D68BA54DA}" = MotionSD STUDIO 1.3E
    "{E35A1183-F6D8-4DCA-A111-296AFFA00A5C}" = LightScribe Template Designs - Tattoo Pack 1
    "{E633D396-5188-4E9D-8F6B-BFB8BF3467E8}" = Skype™ 5.0
    "{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
    "{F18DB86D-BC16-4E01-BCCE-63F62B931D82}" = InterVideo Register Manager
    "{F251B999-08A9-4704-999C-9962F0DFD88E}" = Virtual Desktop Manager Powertoy for Windows XP
    "{F3CF601C-C7F0-401F-B593-6F0B8FF8D2F9}" = ATI Catalyst Control Center
    "{F4EF72B5-72D8-4416-BC9D-8AD2A2DB1FFB}" = RemoteAgent64 v7.2
    "7-Zip" = 7-Zip 9.20
    "84713BEB4A2EB4B0E2F1346FDEBFFE94DAB5225D" = Windows Driver Package - Palm (WinUSB) Palm Devices (11/30/2008 1.0.0)
    "Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
    "Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
    "Adobe Shockwave Player" = Adobe Shockwave Player
    "Advanced IP Address Calculator v1.1" = Advanced IP Address Calculator v1.1
    "Advanced IP Scanner v1.5" = Advanced IP Scanner v1.5
    "Advanced LAN Scanner v1.0 BETA 1" = Advanced LAN Scanner v1.0 BETA 1
    "Advanced Port Scanner v1.3" = Advanced Port Scanner v1.3
    "All ATI Software" = ATI - Software Uninstall Utility
    "ATI Display Driver" = ATI Display Driver
    "Audacity_is1" = Audacity 1.2.6
    "Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
    "AXIS Media Control Embedded" = AXIS Media Control Embedded
    "Brother's Keeper 6.2" = Brother's Keeper 6.2
    "Camtasia Studio 3" = Camtasia Studio 3
    "Corel Applications" = Corel Applications
    "CutePDF Writer Installation" = CutePDF Writer 2.2
    "DicomWorks 1.3.5b_is1" = DicomWorks 1.3.5b
    "DVD Shrink_is1" = DVD Shrink 3.2
    "DVR Web Viewer" = DVR Web Viewer for IE (remove only)
    "GPS Utility_is1" = GPSU version 4.15
    "HECI" = Intel(R) Management Engine Interface
    "HP PrecisionScan LTX" = HP PrecisionScan LTX
    "Index Dat Spy_is1" = Index Dat Spy 2.1.0
    "InstallShield_{218BBBE3-FE63-4BB2-81A8-7435575A84FA}" = Canon Utilities PhotoStitch 3.1
    "InstallShield_{28291BD5-92D2-4685-82DC-CCA925C53CCA}" = Canon RemoteCapture Task for ZoomBrowser EX
    "InstallShield_{45EF4EE3-F591-4B74-A477-0CAE12934CE7}" = Canon RAW Image Task for ZoomBrowser EX
    "InstallShield_{4C96958A-6562-4143-B820-FF4890D3B734}" = Canon Camera Window DVC for ZoomBrowser EX
    "InstallShield_{8AF1E098-1A5C-4336-BBE2-D047ABB401ED}" = Canon MovieEdit Task for ZoomBrowser EX
    "InstallShield_{91203BD3-6C3E-472F-ADBD-F60FDC7C4010}" = Canon Camera Window DS for ZoomBrowser EX
    "InstallShield_{91F1A0D6-23AD-49FE-8D4E-379485652214}" = Canon Camera Support Core Library
    "InstallShield_{9F308117-9B2F-45EB-9FAF-B59CD8339673}" = MapSource - Topo Canada v2
    "InstallShield_{B9ECA41B-55CC-4654-B6B5-6731D009EC69}" = NTI Backup Now EZ
    "InstallShield_{C7281207-4AA4-425E-B57A-0E9EF8445635}" = Canon Camera Window for ZoomBrowser EX
    "iReport-nb-3.5.1.exe" = iReport nb-3.5.1
    "KeePass Password Safe_is1" = KeePass Password Safe 1.15
    "LiveReg" = LiveReg (Symantec Corporation)
    "LiveUpdate" = LiveUpdate 2.5 (Symantec Corporation)
    "Look@LAN_1.0" = Look@LAN 2.50 Build 35
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
    "Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
    "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
    "Mozilla Firefox (3.6.13)" = Mozilla Firefox (3.6.13)
    "Mozilla Thunderbird (2.0.0.6)" = Mozilla Thunderbird (2.0.0.6)
    "Netscape Communicator 4.78" = Netscape Communicator 4.78
    "OpenVPN" = OpenVPN 2.0
    "TightVNC_is1" = TightVNC 1.3.9
    "Trailgauge" = Trailgauge
    "VLC media player" = VLC media player 1.1.2
    "Wdf01007" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
    "WIC" = Windows Imaging Component
    "Windows Media Format Runtime" = Windows Media Format 11 runtime
    "Windows XP Service Pack" = Windows XP Service Pack 3
    "WinPcapInst" = WinPcap 4.0.2
    "winscp3_is1" = WinSCP 3.7.4
    "winusb0100" = Microsoft WinUsb 1.0
    "WinZip" = WinZip
    "Wireshark" = Wireshark 1.0.6
    "WMFDist11" = Windows Media Format 11 runtime
    "Wudf01007" = Microsoft User-Mode Driver Framework Feature Pack 1.7
    "Xming_is1" = Xming 6.9.0.31

    ========== Last 10 Event Log Errors ==========

    [ Application Events ]
    Error - 2010-12-23 00:20:25 | Computer Name = DAN | Source = EventSystem | ID = 4609
    Description = The COM+ Event System detected a bad return code during its internal
    processing. HRESULT was 80070057 from line 62 of d:\comxp_sp2\com\com1x\src\events\tier1\eventsystemobj.cpp.
    Please contact Microsoft Product Support Services to report this erro

    Error - 2010-12-23 01:37:17 | Computer Name = DAN | Source = Application Error | ID = 1000
    Description = Faulting application svchost.exe, version 5.1.2600.5512, faulting
    module mshtml.dll, version 6.0.2900.5969, fault address 0x000bf297.

    Error - 2010-12-23 11:41:00 | Computer Name = DAN | Source = IFXWlxEN | ID = 2687344
    Description = Failed to create instance of IWlxEvent interface.

    Error - 2010-12-23 12:14:14 | Computer Name = DAN | Source = Application Error | ID = 1000
    Description = Faulting application svchost.exe, version 5.1.2600.5512, faulting
    module ntdll.dll, version 5.1.2600.5755, fault address 0x00023845.

    Error - 2010-12-23 12:40:15 | Computer Name = DAN | Source = PerfNet | ID = 2004
    Description = Unable to open the Server service. Server performance data will not
    be returned. Error code returned is in data DWORD 0.

    Error - 2010-12-23 19:24:35 | Computer Name = DAN | Source = Application Error | ID = 1000
    Description = Faulting application eventserver.exe, version 1.0.0.1, faulting module
    unknown, version 0.0.0.0, fault address 0x00000000.

    Error - 2010-12-23 20:18:37 | Computer Name = DAN | Source = Application Error | ID = 1000
    Description = Faulting application eventserver.exe, version 1.0.0.1, faulting module
    unknown, version 0.0.0.0, fault address 0x00000000.

    Error - 2010-12-23 23:53:44 | Computer Name = DAN | Source = Application Error | ID = 1000
    Description = Faulting application eventserver.exe, version 1.0.0.1, faulting module
    unknown, version 0.0.0.0, fault address 0x00000000.

    Error - 2010-12-24 00:07:44 | Computer Name = DAN | Source = Application Error | ID = 1000
    Description = Faulting application eventserver.exe, version 1.0.0.1, faulting module
    unknown, version 0.0.0.0, fault address 0x00000000.

    Error - 2010-12-24 11:31:27 | Computer Name = DAN | Source = Application Hang | ID = 1002
    Description = Hanging application coreldrw.exe, version 9.337.0.0, hang module hungapp,
    version 0.0.0.0, hang address 0x00000000.

    [ System Events ]
    Error - 2010-12-25 23:57:30 | Computer Name = DAN | Source = Windows Update Agent | ID = 20
    Description = Installation Failure: Windows failed to install the following update
    with error 0x800706ba: Security Update for Windows XP (KB2296199).

    Error - 2010-12-25 23:57:30 | Computer Name = DAN | Source = Windows Update Agent | ID = 20
    Description = Installation Failure: Windows failed to install the following update
    with error 0x800706ba: Security Update for Windows XP (KB975558).

    Error - 2010-12-25 23:57:30 | Computer Name = DAN | Source = Windows Update Agent | ID = 20
    Description = Installation Failure: Windows failed to install the following update
    with error 0x800706ba: Security Update for Windows XP (KB2115168).

    Error - 2010-12-25 23:57:30 | Computer Name = DAN | Source = Windows Update Agent | ID = 20
    Description = Installation Failure: Windows failed to install the following update
    with error 0x800706ba: Security Update for Windows XP (KB2296011).

    Error - 2010-12-25 23:57:30 | Computer Name = DAN | Source = Windows Update Agent | ID = 20
    Description = Installation Failure: Windows failed to install the following update
    with error 0x800706ba: Security Update for Windows XP (KB2259922).

    Error - 2010-12-25 23:57:42 | Computer Name = DAN | Source = Windows Update Agent | ID = 20
    Description = Installation Failure: Windows failed to install the following update
    with error 0x800706ba: Update for Windows XP (KB2345886).

    Error - 2010-12-25 23:57:42 | Computer Name = DAN | Source = Windows Update Agent | ID = 20
    Description = Installation Failure: Windows failed to install the following update
    with error 0x800706ba: Security Update for Windows XP (KB982214).

    Error - 2010-12-25 23:57:42 | Computer Name = DAN | Source = Windows Update Agent | ID = 20
    Description = Installation Failure: Windows failed to install the following update
    with error 0x800706ba: Security Update for Windows XP (KB2387149).

    Error - 2010-12-25 23:58:44 | Computer Name = DAN | Source = Service Control Manager | ID = 7034
    Description = The exim service terminated unexpectedly. It has done this 1 time(s).

    Error - 2010-12-25 23:58:45 | Computer Name = DAN | Source = Service Control Manager | ID = 7034
    Description = The Palm Novacom service terminated unexpectedly. It has done this
    1 time(s).


    < End of report >
     
  20. 2010/12/26
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    We're just checking if nothing else is hiding...

    Update your Java version here: http://www.java.com/en/download/installed.jsp

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    Now, we need to remove the old Java version and its remnants...

    Download JavaRa to your desktop and unzip it to its own folder
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.

    =============================================================

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      SRV - [2004-11-05 10:50:00 | 000,106,496 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\pcAnywhere\awhost32.exe -- (awhost32)
      DRV - [2008-09-21 21:39:28 | 000,104,144 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files\Symantec\SYMEVENT.SYS -- (SymEvent)
      DRV - [2004-03-05 11:52:22 | 000,008,368 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\awechomd.sys -- (awecho)
      DRV - [2003-11-17 17:06:48 | 000,011,165 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\awlegacy.sys -- (awlegacy)
      DRV - [2003-10-23 09:32:20 | 000,016,984 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AW_HOST5.sys -- (AW_HOST)
      DRV - [2003-04-21 12:00:32 | 000,013,898 | ---- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\GERNUWA.sys -- (Gernuwa)
      O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jin...ndows-i586.cab (Reg Error: Key error.)
      O20 - Winlogon\Notify\PCANotify: DllName - PCANotify.dll - C:\WINDOWS\System32\PCANotify.dll (Symantec Corporation)
      [2010-12-21 09:03:50 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Cgoyulasejad.dat
      
      
      :Services
      
      :Reg
      
      :Files
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.

    ==============================================================

    Last scans....

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

      NOTE SecurityCheck may produce some false warning(s), so leave the results reading to me.


    2. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on the Start button to begin the cleaning process.
    • TFC will close all running programs, and it may ask you to restart the computer.


    3. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • IMPORTANT! UN-check Remove found threats
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push List of found threats
    • Click on Export to text file, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE. If ESET doesn't find any threats, it won't produce a log.
     
  21. 2010/12/26
    dmonfette

    dmonfette Inactive Thread Starter

    Joined:
    2010/12/23
    Messages:
    19
    Likes Received:
    0
    Here is the OTL log:

    All processes killed
    ========== OTL ==========
    Service awhost32 stopped successfully!
    Service awhost32 deleted successfully!
    C:\Program Files\Symantec\pcAnywhere\awhost32.exe moved successfully.
    Service SymEvent stopped successfully!
    Service SymEvent deleted successfully!
    C:\Program Files\Symantec\SYMEVENT.SYS moved successfully.
    Error: Unable to stop service awecho!
    Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\awecho deleted successfully.
    C:\WINDOWS\system32\drivers\awechomd.sys moved successfully.
    Service awlegacy stopped successfully!
    Service awlegacy deleted successfully!
    C:\WINDOWS\system32\drivers\AWLEGACY.sys moved successfully.
    Error: Unable to stop service AW_HOST!
    Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AW_HOST deleted successfully.
    C:\WINDOWS\system32\drivers\AW_HOST5.sys moved successfully.
    Service Gernuwa stopped successfully!
    Service Gernuwa deleted successfully!
    C:\WINDOWS\system32\drivers\GERNUWA.sys moved successfully.
    Starting removal of ActiveX control {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\PCANotify\ deleted successfully.
    C:\WINDOWS\system32\PCANotify.dll moved successfully.
    C:\WINDOWS\Cgoyulasejad.dat moved successfully.
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 9918821 bytes
    ->Temporary Internet Files folder emptied: 113235 bytes
    ->Java cache emptied: 2027 bytes
    ->FireFox cache emptied: 46403198 bytes
    ->Flash cache emptied: 673 bytes

    User: All Users

    User: danny
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 94541245 bytes
    ->Flash cache emptied: 15076 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes
    ->Flash cache emptied: 0 bytes

    User: martine
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->FireFox cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->Flash cache emptied: 2398 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 33251 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 144,00 mb


    [EMPTYFLASH]

    User: Administrator
    ->Flash cache emptied: 0 bytes

    User: All Users

    User: danny
    ->Flash cache emptied: 0 bytes

    User: Default User

    User: LocalService
    ->Flash cache emptied: 0 bytes

    User: martine
    ->Flash cache emptied: 0 bytes

    User: NetworkService
    ->Flash cache emptied: 0 bytes

    Total Flash Files Cleaned = 0,00 mb


    OTL by OldTimer - Version 3.2.18.0 log created on 12262010_163952

    Files\Folders moved on Reboot...

    Registry entries deleted on Reboot...
     
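As an added example (not part of the thread and not OTL's own code): a small Python script that parses an OTL fix log like the one posted above and cross-checks it against the fix script that produced it, so a helper can confirm that every file named in the fix was actually moved and see which services refused to stop before deletion. The sample strings are constructed from the two posts; one "moved successfully" line (PCANotify.dll) is deliberately left out of the sample log so the cross-check has something to report. The regular expressions match the wording of this particular log and are an assumption about OTL's output format in general.

```python
"""Summarise an OTL fix log and cross-check it against the fix script that produced it."""
import re
from typing import Dict, List

# Constructed sample: the fix script posted above, trimmed to lines that name a file on disk.
FIX_SCRIPT = r"""
:OTL
SRV - [2004-11-05 10:50:00 | 000,106,496 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\pcAnywhere\awhost32.exe -- (awhost32)
DRV - [2008-09-21 21:39:28 | 000,104,144 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files\Symantec\SYMEVENT.SYS -- (SymEvent)
DRV - [2004-03-05 11:52:22 | 000,008,368 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\awechomd.sys -- (awecho)
DRV - [2003-11-17 17:06:48 | 000,011,165 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\awlegacy.sys -- (awlegacy)
O20 - Winlogon\Notify\PCANotify: DllName - PCANotify.dll - C:\WINDOWS\System32\PCANotify.dll (Symantec Corporation)
[2010-12-21 09:03:50 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Cgoyulasejad.dat
"""

# Constructed sample: the matching part of the result log posted in reply, with the
# PCANotify.dll "moved successfully" line deliberately omitted for the cross-check demo.
FIX_LOG = r"""
All processes killed
========== OTL ==========
Service awhost32 stopped successfully!
Service awhost32 deleted successfully!
C:\Program Files\Symantec\pcAnywhere\awhost32.exe moved successfully.
Service SymEvent stopped successfully!
Service SymEvent deleted successfully!
C:\Program Files\Symantec\SYMEVENT.SYS moved successfully.
Error: Unable to stop service awecho!
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\awecho deleted successfully.
C:\WINDOWS\system32\drivers\awechomd.sys moved successfully.
Service awlegacy stopped successfully!
Service awlegacy deleted successfully!
C:\WINDOWS\system32\drivers\AWLEGACY.sys moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\PCANotify\ deleted successfully.
C:\WINDOWS\Cgoyulasejad.dat moved successfully.
========== SERVICES/DRIVERS ==========
"""

# Assumed line formats, derived from the log above; each group(1) is the item acted on.
_PATTERNS = {
    "service_stopped": re.compile(r"^Service (\S+) stopped successfully!$"),
    "service_deleted": re.compile(r"^Service (\S+) deleted successfully!$"),
    "service_stop_error": re.compile(r"^Error: Unable to stop service (\S+)!$"),
    "file_moved": re.compile(r"^([A-Za-z]:\\.+) moved successfully\.$"),
    "registry_deleted": re.compile(r"^Registry key (.+) deleted successfully\.$"),
    "registry_not_found": re.compile(r"^Registry key (.+) not found\.$"),
}

# A drive-letter path ending in one of the extensions seen in the fix script.
_SCRIPT_PATH = re.compile(r"([A-Za-z]:\\.*?\.(?:exe|sys|dll|dat))\b", re.IGNORECASE)


def parse_fix_log(text: str) -> Dict[str, List[str]]:
    """Group every result line of an OTL fix log by outcome; unknown lines go to 'unparsed'."""
    result: Dict[str, List[str]] = {name: [] for name in _PATTERNS}
    result["unparsed"] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("=========="):
            continue  # blank lines and section separators carry no result
        for name, pattern in _PATTERNS.items():
            match = pattern.match(line)
            if match:
                result[name].append(match.group(1))
                break
        else:
            result["unparsed"].append(line)
    return result


def paths_in_fix_script(script: str) -> List[str]:
    """Return the on-disk paths the fix script asked OTL to remove, one per line at most."""
    paths = []
    for line in script.splitlines():
        match = _SCRIPT_PATH.search(line)
        if match:
            paths.append(match.group(1))
    return paths


def unconfirmed_paths(script: str, log: str) -> List[str]:
    """Paths named in the fix script that the log never reports as moved (case-insensitive)."""
    moved = {p.lower() for p in parse_fix_log(log)["file_moved"]}
    return [p for p in paths_in_fix_script(script) if p.lower() not in moved]


if __name__ == "__main__":
    parsed = parse_fix_log(FIX_LOG)
    for outcome, items in parsed.items():
        print(f"{outcome}: {len(items)}")
    print("services that refused to stop:", parsed["service_stop_error"])
    print("fix-script paths not confirmed moved:", unconfirmed_paths(FIX_SCRIPT, FIX_LOG))
```

Run against the real pair of posts, the only item it would flag is the "Unable to stop service" error for awecho and AW_HOST, which OTL handled by deleting the service key anyway; a path in the "not confirmed moved" list is what should prompt a second look at the log before calling the fix complete.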
