WORD macro virus - help & advice please [Solved]


  • This topic is locked

#1
trampas (Member, 99 posts)
Hi Folks

I've got suspicious behaviour on my desktop PC, strongly suggesting virus activity.

I originally had some of the same problems in January which is when I started this thread :
http://www.geekstogo...it/page__st__30

At the time I suspected that I had a trojan because my PC was being hacked - my files were uploaded for example, passwords captured. The hacker had also introduced a WORD macro virus onto the PC which had infected many of my DOCs. (I tried dealing with the macro virus by converting all the DOCs to RTFs - that seemed to work.) But having rebuilt the PC twice and *not* got rid of the trojan I decided to seek help here. After quite a few tests, no virus could be detected which suggests that a rootkit was also present. Eventually I was told that the best course of action would be to rebuild the PC from scratch.

As I'd done this before a couple of times I asked for further guidance and was advised to start a new thread in the PC Operating Systems forum. I rebuilt the PC again and with some extra steps I suspect this rebuild worked. During this process I created a UBCD4WIN CD which was helpful and I also discovered 2 copies of a trojan virus in the RECYCLER folder of my backup hard drive. I deleted that folder.

There was still a particular issue with restoring my personal files - the hacker had saved malware within some of my RTF files, so the malware needed to be removed somehow. Here's the thread :
http://www.geekstogo...15#entry2137871

It was suggested that if my RTF files were converted to DOCs this would remove the malware or anything else that was found to be redundant/not supposed to be there. This may have worked but I don't know - I used ConvertDOC. Having done that, I resumed normal work on my PC. Unfortunately some of the suspicious activities have returned. For example, I get asked if I want to save the changes to a DOC even when there have been no changes and it isn't consistent. This seems like a WORD macro virus, just like in the early days of the problem. It's also worth mentioning that as soon as I make a *very* simple edit to a file that had been freshly converted, it seems to grow by a large amount e.g. 900KB to 1000KB.

However there are other suspicious activities - please see my last post in the second thread for details. I'm not sure how much damage a macro virus could cause, so I'm not sure whether the original trojan virus has returned or whether it's just the macro virus. Either way, I've been advised to open a new thread in the malware forum.

I have a few hundred DOCs so, as things stand, I'd prefer to automate whatever process I use to clean those files. According to the MS web site here :
http://support.microsoft.com/kb/187243

there *are* WORD macro virus detection packages from A/V suppliers, though I'm not currently aware of any. If I used one of these maybe I would find that only a handful of my DOCs have been reinfected. That would be very helpful in the current situation.

Just to see what came of it, I ran the Avira scan from the UBCD4WIN CD on the PC and found no trojan. That suggests there's no trojan - at least not the one that was found previously. But I can't say I'm certain that the original trojan/rootkit hasn't returned. My doubts result from my lack of knowledge, specifically :
- could a macro virus cause all of the suspicious activity that I've seen recently (see post)
- or could a macro virus bypass my firewall and download the trojan/rootkit again

With the suspected macro virus I seem to have two options to try to clear it but I probably need advice. This is what I believe I could do:
1) download a WORD macro virus detector and detect all infections. Then manually clean all those files, as well as the template files. But does this detector exist? (I use the free Avira A/V software) OR
2) run a program that automatically cleans ALL macros out of my DOC files. Does that software exist?

Just a final point. I'm not sure how the macro virus has returned to my PC but I do see one possibility. When I converted my DOCs to RTFs I believed that macros would be removed (I used the automated conversion utility that's built into WORD to do this). But maybe a macro can still exist in an RTF file even though it will never be executed. And when converting the RTFs back to DOCs (to fix a different problem) maybe the ConvertDOC program would not remove any dormant macros that it found, as these are legitimate for a DOC file.

I don't use macros in my WORD documents so I'm happy to remove them all but I would like them removed rather than just be dormant. All help appreciated ....

trampas


#2
trampas (Topic Starter, Member, 99 posts)
I wouldn't normally Add a reply until there had been a response but in this case it might be helpful.

I haven't seen a guide on this site that gives general help on WORD macro viruses but I've found a few on the internet, though it took a while. This is one that I found to be of most relevance to my issues :
http://cquirke.mvps.org/9x/macrov.htm

This describes 'hardening' WORD by creating a fresh Normal.dot file, making a few changes then making it Read-Only.

Since doing this I've had significant relief from the symptoms that I was experiencing. In particular I haven't, so far, had a problem with ZoneAlarm not wanting to close down when I reboot the PC. I'll monitor the situation and post an update.

From the behaviour experienced it appears that my previous Normal.dot was infected. When I checked its size it was quite a bit smaller than the fresh copy that I created today. In the two weeks since I installed WORD I don't recall making big changes to the default WORD settings. I turned off grammar and spell check for example. So maybe one of the WORD commands such as SaveAs had been overwritten (fairly typical for a macro virus) in Normal.dot.

If my Normal.dot file had been infected, surely that means one of my DOC files is currently infected. So I really ought to try finding out which one or ones. Anyone got ideas ?

EDIT: It's probably relevant to mention that when I open any DOC I never get asked if I want to allow Macros to run, and never have done (it's WORD 2002). Just a thought - if I submit the 'bad' Normal.dot to Avira for analysis, shouldn't that show up as viral ?

Cheers

trampas

Edited by trampas, 27 March 2012 - 06:38 PM.


#3
trampas (Topic Starter, Member, 99 posts)
There's one file that I know has been tampered with, so I've done some tests on it. Almost always when I open it in WORD and close the file immediately, I get asked about saving changes. So I regard that file as infected somehow. If I convert that file to RTF and then convert the RTF to DOC I have a file that's free of the problem just described. And it's a bit smaller as well.

When I open the original file and try to find macros I see none. And if I view Visual Basic (ALT-F11) I see no code there either.

So these questions arise, remembering that Normal.dot is brand new and read-only:
1) If that original DOC file was infected with a macro why couldn't I see the macro?
2) If the file wasn't infected with a macro why did conversion to RTF (and back) clean it up?
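The two questions above (a .doc that misbehaves but shows no macro under ALT-F11, and an RTF round trip that appears to clean it) can be answered at the file-format level rather than through Word's UI. A .doc is an OLE2 Compound File; a VBA project lives in a "Macros" storage containing a "VBA" storage, so listing the container's directory entries shows whether any VBA project exists at all, whether or not Word's macro security is set to show it. RTF cannot hold a VBA project directly, but it can hold an entire embedded Word document as an OLE object (\object ... \objdata, hex-encoded), and that object keeps its own Macros storage, which is one way a DOC to RTF to DOC round trip can carry macros through. The following is an added example written for this page, not code from the thread or from any tool named in it (OfficeMalScanner, ConvertDoc, Avira). It is a minimal pure-Python CFB directory reader that only follows the FAT sectors listed in the header DIFAT (enough for files under roughly 7 MB with 512-byte sectors); the sample .doc and .rtf images are constructed in code and are not real documents. One benign cause of the "save changes?" prompt worth ruling out separately: a field that updates when the document opens, such as a DATE field, also makes Word ask to save on close.

```python
"""Find VBA projects in .doc (OLE2/CFB) files and in OLE objects embedded in RTF.

Added example, not from the original thread. Assumptions: FAT sectors come from
the header DIFAT only; fixtures are constructed, not real documents.
"""
import re
import struct

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ENDOFCHAIN = 0xFFFFFFFE
MAXREGSECT = 0xFFFFFFFA          # larger values are special sector markers
# Storage/stream names that exist only when a VBA project is present.
VBA_NAMES = {"macros", "vba", "_vba_project", "_vba_project_cur"}
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)\}")


def cfb_entry_names(data):
    """Names of all directory entries (any depth) in a CFB image."""
    if data[:8] != CFB_MAGIC:
        raise ValueError("not a CFB/OLE2 file")
    sec = 1 << struct.unpack_from("<H", data, 30)[0]      # sector size
    first_dir = struct.unpack_from("<I", data, 48)[0]     # directory chain start
    fat = []
    for s in struct.unpack_from("<109I", data, 76):       # header DIFAT
        if s > MAXREGSECT:
            break
        fat.extend(struct.unpack_from("<%dI" % (sec // 4), data, (s + 1) * sec))
    names, s, seen = [], first_dir, set()
    while s <= MAXREGSECT and s < len(fat) and s not in seen:
        seen.add(s)
        off = (s + 1) * sec
        for i in range(sec // 128):                      # 128-byte entries
            ent = data[off + i * 128: off + (i + 1) * 128]
            if len(ent) < 128:
                break
            name_len, etype = struct.unpack_from("<HB", ent, 64)
            if etype and 2 <= name_len <= 64:            # skip unused entries
                names.append(ent[:name_len - 2].decode("utf-16-le"))
        s = fat[s]
    return names


def vba_indicators(data):
    """Sorted VBA-only names in a CFB image; [] means no VBA project at all."""
    return sorted(n for n in cfb_entry_names(data) if n.lower() in VBA_NAMES)


def rtf_vba_indicators(rtf):
    """One vba_indicators() result per OLE object embedded via \\objdata."""
    results = []
    for m in OBJDATA_RE.finditer(rtf):
        try:
            raw = bytes.fromhex(re.sub(rb"\s+", b"", m.group(1)).decode("ascii"))
        except ValueError:
            continue
        idx = raw.find(CFB_MAGIC)        # skip the OLE1 wrapper in front of the CFB
        if idx >= 0:
            results.append(vba_indicators(raw[idx:]))
    return results


def scan_file(path):
    """Wrapper for real files: VBA-only names found in a .doc or an .rtf."""
    with open(path, "rb") as f:
        data = f.read()
    if data.startswith(CFB_MAGIC):
        return vba_indicators(data)
    if data.startswith(b"{\\rtf"):
        return sorted({n for obj in rtf_vba_indicators(data) for n in obj})
    raise ValueError("%s: neither OLE2 .doc nor RTF" % path)


def build_cfb(names):
    """Constructed fixture: minimal CFB (512-byte sectors, one FAT sector, one
    directory sector) holding up to four names; entry 0 is the root storage."""
    sec = 512
    hdr = bytearray(sec)
    hdr[:8] = CFB_MAGIC
    struct.pack_into("<HHHHH", hdr, 24, 0x3E, 3, 0xFFFE, 9, 6)  # v3, LE, 512/64
    struct.pack_into("<III", hdr, 44, 1, 1, 0)                 # 1 FAT sector, dir @1
    struct.pack_into("<IIIII", hdr, 56, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    hdr[76:76 + 109 * 4] = struct.pack("<I", 0) + b"\xff" * (108 * 4)  # FAT @0
    fat = struct.pack("<II", 0xFFFFFFFD, ENDOFCHAIN) + b"\xff" * (sec - 8)
    dirsec = bytearray(sec)
    for i, name in enumerate(names[:4]):
        enc = name.encode("utf-16-le") + b"\x00\x00"
        dirsec[i * 128: i * 128 + len(enc)] = enc
        struct.pack_into("<HB", dirsec, i * 128 + 64, len(enc), 5 if i == 0 else 1)
    return bytes(hdr) + fat + bytes(dirsec)


def build_rtf_with_object(cfb):
    """Constructed fixture: RTF embedding `cfb` as a Word.Document OLE object
    behind a made-up OLE1 header, hex-wrapped the way Word writes \\objdata."""
    ole1 = b"\x01\x05\x00\x00\x02\x00\x00\x00\x0e\x00\x00\x00Word.Document\x00"
    hexdata = (ole1 + cfb).hex().encode("ascii")
    wrapped = b"\n".join(hexdata[i:i + 64] for i in range(0, len(hexdata), 64))
    return (b"{\\rtf1\\ansi {\\object\\objemb{\\*\\objclass Word.Document.8}"
            b"{\\*\\objdata " + wrapped + b"}}\\par The text survives the round trip.}")


if __name__ == "__main__":
    clean = build_cfb(["Root Entry", "WordDocument", "1Table"])
    infected = build_cfb(["Root Entry", "WordDocument", "Macros", "VBA"])
    print("clean .doc   :", vba_indicators(clean))                          # []
    print("infected .doc:", vba_indicators(infected))                       # ['Macros', 'VBA']
    print("rtf w/ object:", rtf_vba_indicators(build_rtf_with_object(infected)))
```

Running `scan_file()` over a quarantine folder answers question 1 directly: a .doc whose directory has no Macros/VBA entries cannot carry a VBA macro, however it behaves in Word, and a file that does have them but shows nothing under ALT-F11 is worth submitting to a vendor. For question 2, an RTF that reports a non-empty list still contains a complete macro-capable document as an embedded object, so converting it back to .doc does not remove anything; only an RTF with no such objects is actually macro-free.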

#4
maliprog (Trusted Helper, Malware Removal, 6,172 posts)
Hello trampas and welcome to my office here at G2G! :)

My nick is maliprog and I'll be your technical support on this issue. Before we start please read my notes carefully:

NOTE:
  • Malware removal is NOT instantaneous, most infections require several courses of action to completely eradicate.
  • Absence of symptoms does not always mean the computer is clean
  • Kindly follow my instructions in the order posted. Order is crucial in cleaning process.
  • Please DO NOT run any scans or fix on your own without my direction.
  • Please read all of my response through at least once before attempting to follow the procedures described.
  • If there's anything you don't understand or isn't totally clear, please come back to me for clarification.
  • Please do not attach any log files to your replies unless I specifically ask you. Instead please copy and paste so as to include the log in your reply.
  • You must reply within 3 days or your topic will be closed

Step 1

Until we find out what is wrong, DON'T copy, paste or open Word documents unless I tell you to do so. If we clean your system and you open an infected doc then we must do it all over again.

Can you write me the full document name of one file you are having problems with?

Step 2

Download OTL to your Desktop

  • Double click on the icon to run it (If running Vista or Windows 7, right click on it and select "Run as an Administrator"). Make sure all other windows are closed and let it run uninterrupted.
  • Under the Custom Scan box paste this in

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
CREATERESTOREPOINT

  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them if you need to start a new topic.

Step 3

Download GMER from Here. Note the file's name and save it to your root folder, such as C:.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "No", save the log and post back the results.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.

Step 4

Please don't forget to include these items in your reply:

  • OTL log
  • OTL Extras log
  • GMER log
It would be helpful if you could post each log in a separate post

#5
trampas (Topic Starter, Member, 99 posts)
Hi maliprog !

Thanks for picking up this chalice - it's probably atypical.

Just a few words of background to this :
- a hacker who is current has placed the malware on my PC
- I still receive lure emails from this person, who seems very PC-educated
- most of the malware that I've got/had will be customised i.e. not detectable by signature

I would be happy if the hacker's malware was sent to A/V supplier(s) so that the signature could be added to their databases.

Since I last posted I've done a few things which may have improved the situation on my desktop PC. I probably ought to describe what I've done but I'll let you decide first.

More than happy to run those tests once you've had a read of the above. One thing I don't like to do at the moment is connect the desktop PC to the internet. I can give reasons.

This post is long enough already. Please let me know your thoughts and thanks again for picking this one up.

Regards

trampas

#6
maliprog (Trusted Helper, Malware Removal, 6,172 posts)
There is another way too. We will need a clean PC and a USB memory stick to download and transfer tools to the infected PC. First we need to disinfect your USB memory so you can transfer files and not get infected.

Do this on the clean computer just once:

  • 1 - Flash Drive Disinfector
    Download Flash_Disinfector.exe by sUBs from here and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.

    Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you run it. Don't delete this folder...it will help protect your drives from future infection.


#7
trampas (Topic Starter, Member, 99 posts)
Hi maliprog

I'll get on with that flash disinfector and post back the OTL and GMER logs. For info I couldn't download OTL.scr - I hope that doesn't mean my clean PC is infected .... :( I downloaded one of the others.

Some of what follows may be relevant to how you proceed. I'll try to be brief initially but there's a lot to tell you.

I suspect this is what has happened since the latest rebuild of my desktop PC :
- rebuilt the PC from trusted sources - no problems
- restored my personal files from backup drive, including RTF files, which were converted to DOCs during the restoration process (using ConvertDoc)
- using WORD I opened a particular file which was probably infected
- this infected Normal.dot
- and I suspect that it dropped another virus which was somehow executed
- the second virus then became responsible for corrupting certain files on the PC over a few weeks
- the corrupted files were causing the File System Check to be run about 60% of the time during boot-up (this is way higher than normal). On another occasion Windows reported that it had recovered the registry from copies of files (very odd)
- the final corruption was on the SYSTEM32\CONFIG\SYSTEM file, which prevented the PC from booting. It was this activity that convinced me there must have been a second virus, i.e. not just a WORD virus

As I was working alone at that time I took these actions to try to control the virus activities :
- hardened Normal.dot
- searched for and found all DOCs that had been infected via Normal.dot (see earlier post)
- moved all infected DOCs, including the DOC that was originally infected to a quarantine folder
- Performed a conversion of each infected DOC to RTF and then back to DOC
- Kept a copy of the converted, clean DOCs in their proper folders for my subsequent use

So I reached a point where any DOC that I needed to open didn't have the 'save changes' issue. Hence there ought to be no chance of that second virus being dropped again.

At this time I still had the file system being corrupted by the second virus and also the ZoneAlarm client not being fully initialised (which was causing it to not close down when I did a shutdown). I recovered from the corrupt SYSTEM file using the online MS article - essentially it's a manual System Restore. I had to do it that way because I couldn't do it from Safe Mode.

Having got the PC back up again, I did another manual System Restore (there was a reason for this being manual) to a RP which I'd created the day before I restored any of my personal files to the PC. So I was fairly sure that the registry from that time would not contain anything about the second virus.

The file system corruptions have now stopped and the ZoneAlarm client initialises properly. Though I'm not quite sure how ZoneAlarm came to be fixed.

The current position :
- I think I still have a file on my PC that contains the second virus but I don't know what it's called or which folder it's in. It's not an immediate problem as it never gets executed but it would be good to find it and share with AV vendors.

- I also have about a dozen files that display the 'save changes' issue. One of these is much larger and is most likely the source of the WORD virus this time round and presumably also the dropped second virus. For each one of the infected DOCs there's a version that doesn't have the 'save changes' issue and so *may* be clean. These can be used for comparison. In my investigations I haven't found evidence of a macro or any VB code in the infected DOCs. One application that I used was OfficeMalScanner.

EDIT: Although I *may* now have clean WORD DOCs I won't open any until you advise to do so.

trampas

Edited by trampas, 06 April 2012 - 09:58 PM.


#8
trampas (Topic Starter, Member, 99 posts)
OTL.LOG


OTL logfile created on: 7/04/2012 2:25:03 PM - Run 1
OTL by OldTimer - Version 3.2.39.2 Folder = C:\Documents and Settings\admin-su\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000C09 | Country: Australia | Language: ENA | Date Format: d/MM/yyyy

510.73 Mb Total Physical Memory | 298.19 Mb Available Physical Memory | 58.38% Memory free
1.22 Gb Paging File | 0.93 Gb Available in Paging File | 76.39% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 52.92 Gb Free Space | 71.02% Space Free | Partition Type: NTFS
Drive E: | 3.72 Gb Total Space | 2.80 Gb Free Space | 75.31% Space Free | Partition Type: FAT32

Computer Name: SERVER | User Name: admin-su | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/04/07 13:14:06 | 000,593,920 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\admin-su\Desktop\OTL.com
PRC - [2011/10/05 10:18:37 | 000,080,336 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
PRC - [2011/10/05 10:18:29 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2011/10/05 10:18:17 | 000,258,512 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2011/10/05 10:18:17 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2011/03/18 01:26:14 | 002,435,592 | ---- | M] (Check Point Software Technologies LTD) -- C:\WINDOWS\system32\ZoneLabs\vsmon.exe
PRC - [2011/03/18 01:24:50 | 001,043,968 | ---- | M] (Check Point Software Technologies LTD) -- C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
PRC - [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (No Company Name) ==========

MOD - [2011/10/05 10:18:31 | 000,398,288 | ---- | M] () -- C:\Program Files\Avira\AntiVir Desktop\sqlite3.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- %SystemRoot%\System32\hidserv.dll -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- %SystemRoot%\System32\appmgmts.dll -- (AppMgmt)
SRV - [2011/10/05 10:18:29 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2011/10/05 10:18:17 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2011/03/18 01:26:14 | 002,435,592 | ---- | M] (Check Point Software Technologies LTD) [Auto | Running] -- C:\WINDOWS\system32\ZoneLabs\vsmon.exe -- (vsmon)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - [2012/03/10 15:11:24 | 000,137,416 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2011/09/15 23:55:04 | 000,036,000 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avkmgr.sys -- (avkmgr)
DRV - [2011/09/15 23:55:03 | 000,074,640 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2010/06/17 15:14:27 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2010/05/13 10:02:32 | 000,532,224 | ---- | M] (Check Point Software Technologies LTD) [Kernel | System | Running] -- C:\WINDOWS\system32\vsdatant.sys -- (vsdatant)
DRV - [2008/03/17 11:03:46 | 000,101,376 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ewusbmdm.sys -- (hwdatacard)
DRV - [2002/12/20 21:50:54 | 000,061,408 | ---- | M] (VIA Technologies, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\viaraid.sys -- (viaraid)
DRV - [2001/08/17 23:28:12 | 000,488,383 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\HSF_V124.sys -- (V124)
DRV - [2001/08/17 23:28:12 | 000,050,751 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\HSF_TONE.sys -- (Tones)
DRV - [2001/08/17 23:28:10 | 000,542,879 | ---- | M] (Conexant) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_MSFT.sys -- (hsf_msft)
DRV - [2001/08/17 23:28:10 | 000,057,471 | ---- | M] (Conexant) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_SAMP.sys -- (Rksample)
DRV - [2001/08/17 23:28:08 | 000,391,199 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\HSF_K56K.sys -- (K56)
DRV - [2001/08/17 23:28:06 | 000,289,887 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\HSF_FALL.sys -- (Fallback)
DRV - [2001/08/17 23:28:06 | 000,199,711 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\HSF_FAXX.sys -- (SoftFax)
DRV - [2001/08/17 23:28:06 | 000,115,807 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\HSF_FSKS.sys -- (Fsks)
DRV - [2001/08/17 23:28:04 | 000,067,167 | ---- | M] (Conexant) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_BSC2.sys -- (basic2)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}

IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...Box&Form=IE8SRC
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


========== FireFox ==========

FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\admin-su\Local Settings\Application Data\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\admin-su\Local Settings\Application Data\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)



========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Documents and Settings\admin-su\Local Settings\Application Data\Google\Chrome\Application\17.0.963.79\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Documents and Settings\admin-su\Local Settings\Application Data\Google\Chrome\Application\17.0.963.79\pdf.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Documents and Settings\admin-su\Local Settings\Application Data\Google\Chrome\Application\17.0.963.79\gcswf32.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npdrmv2.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npwmsdrm.dll
CHR - plugin: Windows Media Player Plug-in Dynamic Link Library (Enabled) = C:\Program Files\Windows Media Player\npdsplay.dll
CHR - plugin: Google Update (Enabled) = C:\Documents and Settings\admin-su\Local Settings\Application Data\Google\Update\1.3.21.99\npGoogleUpdate3.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin
CHR - Extension: YouTube = C:\Documents and Settings\admin-su\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2_0\
CHR - Extension: Google Search = C:\Documents and Settings\admin-su\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.14_0\
CHR - Extension: Gmail = C:\Documents and Settings\admin-su\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\6.1.3_0\

O1 HOSTS File: ([2003/03/31 22:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)
O4 - HKLM..\Run: [ZoneAlarm Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe (Check Point Software Technologies LTD)
O4 - HKCU..\Run: [Mobile Partner] C:\Program Files\3 MobileBroadband\3 MobileBroadband.exe ()
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 36
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = FF FF FF FF [binary data]
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2012/03/10 12:13:23 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2012/04/07 14:17:09 | 000,000,000 | ---D | M] - C:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2012/04/07 14:17:10 | 000,000,000 | ---D | M] - E:\autorun.inf -- [ FAT32 ]
O33 - MountPoints2\{67022981-6a6d-11e1-85df-91647d583422}\Shell - "" = AutoRun
O33 - MountPoints2\{67022981-6a6d-11e1-85df-91647d583422}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{67022981-6a6d-11e1-85df-91647d583422}\Shell\AutoRun\command - "" = E:\AutoRun.exe
O33 - MountPoints2\{67022982-6a6d-11e1-85df-91647d583422}\Shell - "" = AutoRun
O33 - MountPoints2\{67022982-6a6d-11e1-85df-91647d583422}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{67022982-6a6d-11e1-85df-91647d583422}\Shell\AutoRun\command - "" = E:\AutoRun.exe
O33 - MountPoints2\{b84a80fe-6a5d-11e1-85dd-da0c9b9811f6}\Shell - "" = AutoRun
O33 - MountPoints2\{b84a80fe-6a5d-11e1-85dd-da0c9b9811f6}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{b84a80fe-6a5d-11e1-85dd-da0c9b9811f6}\Shell\AutoRun\command - "" = E:\AutoRun.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: AppMgmt - %SystemRoot%\System32\appmgmts.dll File not found
NetSvcs: HidServ - %SystemRoot%\System32\hidserv.dll File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2012/04/07 14:24:12 | 000,593,920 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\admin-su\Desktop\OTL.com
[2012/04/07 14:17:09 | 000,000,000 | ---D | C] -- C:\autorun.inf
[2012/04/07 14:16:35 | 000,593,920 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\admin-su\My Documents\OTL.com
[2012/04/06 14:27:28 | 000,000,000 | ---D | C] -- C:\WINDOWS\tmp2
[2012/04/06 13:37:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Windows Support Tools
[2012/04/06 13:37:19 | 000,000,000 | ---D | C] -- C:\Program Files\SumatraPDF
[2012/04/06 08:27:20 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\NtmsData
[2012/04/06 00:28:11 | 000,000,000 | ---D | C] -- C:\WINDOWS\tmp
[2012/03/29 06:38:20 | 000,000,000 | ---D | C] -- C:\Program Files\Support Tools
[2012/03/25 15:44:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\admin-su\Application Data\SumatraPDF
[2012/03/14 13:28:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\admin-su\My Documents\Pinnacle Studio
[2012/03/14 13:28:33 | 000,000,000 | R--D | C] -- C:\Documents and Settings\admin-su\My Documents\My Videos
[2012/03/14 13:21:17 | 000,000,000 | R--D | C] -- C:\Documents and Settings\admin-su\My Documents\Fin Plan_x
[2012/03/14 13:21:17 | 000,000,000 | R--D | C] -- C:\Documents and Settings\admin-su\My Documents\Dons Folder
[2012/03/14 13:21:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\admin-su\My Documents\Downloads
[2012/03/13 07:26:56 | 000,000,000 | ---D | C] -- C:\WINDOWS\ie8updates
[2012/03/11 19:08:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\admin-su\My Documents\asus
[2012/03/11 15:13:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Convert Doc
[2012/03/11 15:13:51 | 000,487,424 | ---- | C] (SoftInterface.COM) -- C:\WINDOWS\System32\PDFConverterX.ocx
[2012/03/11 15:13:51 | 000,208,896 | ---- | C] (BCL Technologies) -- C:\WINDOWS\System32\beconv.dll
[2012/03/11 15:13:51 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\Resource
[2012/03/11 15:13:50 | 001,047,552 | ---- | C] (The Imaging Source Europe GmbH) -- C:\WINDOWS\System32\tx16_dox.dll
[2012/03/11 15:13:50 | 000,706,048 | ---- | C] (The Imaging Source Europe GmbH) -- C:\WINDOWS\System32\tx16_doc.dll
[2012/03/11 15:13:50 | 000,687,104 | ---- | C] (The Imaging Source Europe GmbH) -- C:\WINDOWS\System32\tx16_pdf.dll
[2012/03/11 15:13:50 | 000,582,144 | ---- | C] (The Imaging Source Europe GmbH) -- C:\WINDOWS\System32\tx16_rtf.dll
[2012/03/11 15:13:50 | 000,573,440 | ---- | C] (The Imaging Source Europe GmbH) -- C:\WINDOWS\System32\tx16_htm.dll
[2012/03/11 15:13:50 | 000,435,200 | ---- | C] (The Imaging Source Europe GmbH) -- C:\WINDOWS\System32\tx16_css.dll
[2012/03/11 15:13:50 | 000,220,160 | ---- | C] (The Imaging Source Europe GmbH) -- C:\WINDOWS\System32\tx16_png.flt
[2012/03/11 15:13:50 | 000,187,904 | ---- | C] (The Imaging Source Europe GmbH) -- C:\WINDOWS\System32\tx16_jpg.flt
[2012/03/11 15:13:50 | 000,155,136 | ---- | C] (The Imaging Source Europe GmbH) -- C:\WINDOWS\System32\tx16_ic.dll
[2012/03/11 15:13:50 | 000,101,376 | ---- | C] (The Imaging Source Europe GmbH) -- C:\WINDOWS\System32\tx16_tif.flt
[2012/03/11 15:13:50 | 000,052,736 | ---- | C] (The Imaging Source Europe GmbH) -- C:\WINDOWS\System32\tx16_gif.flt
[2012/03/11 15:13:50 | 000,044,032 | ---- | C] (The Imaging Source Europe GmbH) -- C:\WINDOWS\System32\tx16_wmf.flt
[2012/03/11 15:13:49 | 001,119,232 | ---- | C] (The Imaging Source Europe GmbH) -- C:\WINDOWS\System32\tx16.dll
[2012/03/11 15:13:49 | 000,380,928 | ---- | C] (The Imaging Source Europe GmbH) -- C:\WINDOWS\System32\tx4ole16.ocx
[2012/03/11 15:13:49 | 000,327,680 | ---- | C] (The Imaging Source Europe GmbH) -- C:\WINDOWS\System32\tx16_obj.dll
[2012/03/11 15:13:49 | 000,241,664 | ---- | C] (The Imaging Source Europe GmbH) -- C:\WINDOWS\System32\tx16_tls.dll
[2012/03/11 15:13:49 | 000,106,496 | ---- | C] (Skogen) -- C:\WINDOWS\System32\SeeThroughPicture.ocx
[2012/03/11 15:13:49 | 000,074,752 | ---- | C] (The Imaging Source Europe GmbH) -- C:\WINDOWS\System32\tx16_bmp.flt
[2012/03/11 15:13:49 | 000,065,536 | ---- | C] (The Imaging Source Europe GmbH) -- C:\WINDOWS\System32\tx16_wnd.dll
[2012/03/11 15:13:46 | 000,000,000 | ---D | C] -- C:\Program Files\Softinterface, Inc
[2012/03/10 22:05:31 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\ODBC
[2012/03/10 22:05:29 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\SpeechEngines
[2012/03/10 22:05:28 | 000,000,000 | R--D | C] -- C:\Program Files
[2012/03/10 22:05:28 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Microsoft Shared
[2012/03/10 22:05:28 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files
[2012/03/10 22:05:12 | 000,000,000 | R--D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup
[2012/03/10 22:05:12 | 000,000,000 | R--D | C] -- C:\Documents and Settings\All Users\Start Menu
[2012/03/10 22:05:12 | 000,000,000 | R--D | C] -- C:\Documents and Settings\All Users\Documents
[2012/03/10 22:05:12 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Templates
[2012/03/10 22:05:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Favorites
[2012/03/10 22:05:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Desktop
[2012/03/10 22:05:02 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\CatRoot2
[2012/03/10 22:05:02 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\CatRoot
[2012/03/10 22:04:56 | 000,000,000 | --SD | C] -- C:\Documents and Settings\All Users\Application Data\Microsoft
[2012/03/10 22:04:56 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\All Users\Application Data
[2012/03/10 22:04:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings
[2012/03/10 22:01:27 | 000,000,000 | ---D | C] -- C:\WINDOWS\OemDir
[2012/03/10 22:01:23 | 000,000,000 | R-SD | C] -- C:\WINDOWS\Fonts
[2012/03/10 22:01:23 | 000,000,000 | RHSD | C] -- C:\WINDOWS\System32\dllcache
[2012/03/10 22:01:23 | 000,000,000 | R--D | C] -- C:\WINDOWS\Web
[2012/03/10 22:01:23 | 000,000,000 | -H-D | C] -- C:\WINDOWS\inf
[2012/03/10 22:01:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\WinSxS
[2012/03/10 22:01:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\wins
[2012/03/10 22:01:23 | 000,000,000 | ---D | C] -- C:\WINDOWS
[2012/03/10 22:01:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\wbem
[2012/03/10 22:01:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\usmt
[2012/03/10 22:01:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\twain_32
[2012/03/10 22:01:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\Temp
[2012/03/10 22:01:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\system32
[2012/03/10 22:01:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\system
[2012/03/10 22:01:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\spool
[2012/03/10 22:01:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\ShellExt
[2012/03/10 22:01:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\Setup
[2012/03/10 22:01:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\security
[2012/03/10 22:01:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\Resources
[2012/03/10 22:01:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\repair
[2012/03/10 22:01:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\ras
[2012/03/10 22:01:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\oobe
[2012/03/10 22:01:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\npp
[2012/03/10 22:01:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\mui
[2012/03/10 22:01:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\mui
[2012/03/10 22:01:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\msapps
[2012/03/10 22:01:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\msagent
[2012/03/10 22:01:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\Media
[2012/03/10 22:01:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\java
[2012/03/10 22:01:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\inetsrv
[2012/03/10 22:01:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\IME
[2012/03/10 22:01:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\ime
[2012/03/10 22:01:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\icsxml
[2012/03/10 22:01:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\ias
[2012/03/10 22:01:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\Help
[2012/03/10 22:01:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\export
[2012/03/10 22:01:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\etc
[2012/03/10 22:01:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers
[2012/03/10 22:01:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\Driver Cache
[2012/03/10 22:01:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\disdn
[2012/03/10 22:01:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\dhcp
[2012/03/10 22:01:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\Debug
[2012/03/10 22:01:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\Cursors
[2012/03/10 22:01:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\Connection Wizard
[2012/03/10 22:01:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\config
[2012/03/10 22:01:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\Config
[2012/03/10 22:01:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\AppPatch
[2012/03/10 22:01:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\addins
[2012/03/10 22:01:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\3com_dmi
[2012/03/10 22:01:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\3076
[2012/03/10 22:01:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\2052
[2012/03/10 22:01:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\1054
[2012/03/10 22:01:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\1042
[2012/03/10 22:01:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\1041
[2012/03/10 22:01:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\1037
[2012/03/10 22:01:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\1033
[2012/03/10 22:01:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\1031
[2012/03/10 22:01:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\1028
[2012/03/10 22:01:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\1025
[2012/03/10 19:41:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\admin-su\Start Menu\Programs\Google Chrome
[2012/03/10 19:30:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\admin-su\Local Settings\Application Data\Google
[2012/03/10 19:25:58 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\admin-su\PrivacIE
[2012/03/10 17:49:59 | 000,000,000 | ---D | C] -- C:\Program Files\MSECache
[2012/03/10 17:49:24 | 009,852,544 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\admin-su\My Documents\mbam-setup-1.51.2.1300.exe
[2012/03/10 17:49:24 | 006,055,875 | ---- | C] (LIGHTNING UK!) -- C:\Documents and Settings\admin-su\My Documents\SetupImgBurn_2.5.6.0.exe
[2012/03/10 17:49:24 | 004,763,136 | ---- | C] (Krzysztof Kowalczyk) -- C:\Documents and Settings\admin-su\My Documents\SumatraPDF-1.8-install.exe
[2012/03/10 17:42:22 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2012/03/10 17:37:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Office Tools
[2012/03/10 17:37:02 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft ActiveSync
[2012/03/10 17:36:51 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Designer
[2012/03/10 17:36:31 | 000,000,000 | ---D | C] -- C:\WINDOWS\ShellNew
[2012/03/10 17:36:26 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Office
[2012/03/10 16:29:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\admin-su\My Documents\Downloaded
[2012/03/10 14:56:22 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\admin-su\IETldCache
[2012/03/10 14:32:58 | 000,000,000 | ---D | C] -- C:\WINDOWS\WBEM
[2012/03/10 14:32:32 | 000,000,000 | -H-D | C] -- C:\WINDOWS\ie8
[2012/03/10 13:24:31 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\PreInstall
[2012/03/10 13:24:29 | 000,000,000 | -H-D | C] -- C:\WINDOWS\$hf_mig$
[2012/03/10 13:07:39 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\SoftwareDistribution
[2012/03/10 13:05:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\3 MobileBroadband
[2012/03/10 13:05:28 | 000,872,192 | ---- | C] (DiBcom SA) -- C:\WINDOWS\System32\drivers\mod7700.sys
[2012/03/10 13:05:28 | 000,103,168 | ---- | C] (Huawei Technologies Co., Ltd.) -- C:\WINDOWS\System32\drivers\ewusbfake.sys
[2012/03/10 13:05:28 | 000,101,376 | ---- | C] (Huawei Technologies Co., Ltd.) -- C:\WINDOWS\System32\drivers\ewusbmdm.sys
[2012/03/10 13:05:28 | 000,100,992 | ---- | C] (Huawei Technologies Co., Ltd.) -- C:\WINDOWS\System32\drivers\ewusbnet.sys
[2012/03/10 13:05:28 | 000,024,448 | ---- | C] (Huawei Tech. Co., Ltd.) -- C:\WINDOWS\System32\drivers\ewdcsc.sys
[2012/03/10 13:04:45 | 000,000,000 | ---D | C] -- C:\Program Files\3 MobileBroadband
[2012/03/10 12:58:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\ZoneAlarm
[2012/03/10 12:58:08 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\ZoneLabs
[2012/03/10 12:58:06 | 000,000,000 | ---D | C] -- C:\Program Files\Zone Labs
[2012/03/10 12:57:13 | 000,000,000 | ---D | C] -- C:\WINDOWS\Internet Logs
[2012/03/10 12:55:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\admin-su\Application Data\Avira
[2012/03/10 12:55:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Avira
[2012/03/10 12:55:20 | 000,028,520 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\ssmdrv.sys
[2012/03/10 12:55:18 | 000,137,416 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys
[2012/03/10 12:55:18 | 000,074,640 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys
[2012/03/10 12:55:18 | 000,036,000 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avkmgr.sys
[2012/03/10 12:55:18 | 000,000,000 | ---D | C] -- C:\Program Files\Avira
[2012/03/10 12:55:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Avira
[2012/03/10 12:52:09 | 000,000,000 | ---D | C] -- C:\WINDOWS\SoftwareDistribution
[2012/03/10 12:52:04 | 000,000,000 | ---D | C] -- C:\WINDOWS\Prefetch
[2012/03/10 12:45:47 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\en-us
[2012/03/10 12:45:46 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\scripting
[2012/03/10 12:45:46 | 000,000,000 | ---D | C] -- C:\WINDOWS\provisioning
[2012/03/10 12:45:44 | 000,000,000 | ---D | C] -- C:\WINDOWS\l2schemas
[2012/03/10 12:45:43 | 000,000,000 | ---D | C] -- C:\WINDOWS\peernet
[2012/03/10 12:45:43 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\en
[2012/03/10 12:45:43 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\bits
[2012/03/10 12:44:00 | 000,000,000 | ---D | C] -- C:\WINDOWS\ServicePackFiles
[2012/03/10 12:42:51 | 000,000,000 | ---D | C] -- C:\WINDOWS\network diagnostic
[2012/03/10 12:41:52 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\ReinstallBackups
[2012/03/10 12:40:15 | 000,000,000 | -H-D | C] -- C:\WINDOWS\$NtServicePackUninstall$
[2012/03/10 12:40:14 | 000,000,000 | ---D | C] -- C:\WINDOWS\EHome
[2012/03/10 12:36:39 | 009,287,264 | ---- | C] (Softinterface, Inc. ) -- C:\Documents and Settings\admin-su\My Documents\CD.EXE
[2012/03/10 12:23:44 | 000,000,000 | --SD | C] -- C:\WINDOWS\System32\Microsoft
[2012/03/10 12:18:14 | 000,000,000 | -HSD | C] -- C:\WINDOWS\Installer
[2012/03/10 12:18:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\admin-su\Application Data\Identities
[2012/03/10 12:18:07 | 000,000,000 | -H-D | C] -- C:\Program Files\Uninstall Information
[2012/03/10 12:18:06 | 000,000,000 | R--D | C] -- C:\Documents and Settings\admin-su\My Documents\My Pictures
[2012/03/10 12:18:06 | 000,000,000 | R--D | C] -- C:\Documents and Settings\admin-su\My Documents\My Music
[2012/03/10 12:18:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\admin-su\Local Settings\Application Data\Microsoft
[2012/03/10 12:18:03 | 000,000,000 | --SD | C] -- C:\Documents and Settings\admin-su\Application Data\Microsoft
[2012/03/10 12:18:03 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\admin-su\SendTo
[2012/03/10 12:18:03 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\admin-su\Recent
[2012/03/10 12:18:03 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\admin-su\Application Data
[2012/03/10 12:18:03 | 000,000,000 | R--D | C] -- C:\Documents and Settings\admin-su\Start Menu\Programs\Startup
[2012/03/10 12:18:03 | 000,000,000 | R--D | C] -- C:\Documents and Settings\admin-su\Start Menu
[2012/03/10 12:18:03 | 000,000,000 | R--D | C] -- C:\Documents and Settings\admin-su\My Documents
[2012/03/10 12:18:03 | 000,000,000 | R--D | C] -- C:\Documents and Settings\admin-su\Favorites
[2012/03/10 12:18:03 | 000,000,000 | R--D | C] -- C:\Documents and Settings\admin-su\Start Menu\Programs\Accessories
[2012/03/10 12:18:03 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\admin-su\Cookies
[2012/03/10 12:18:03 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\admin-su\Templates
[2012/03/10 12:18:03 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\admin-su\PrintHood
[2012/03/10 12:18:03 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\admin-su\NetHood
[2012/03/10 12:18:03 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\admin-su\Local Settings
[2012/03/10 12:18:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\admin-su\Desktop
[2012/03/10 12:16:16 | 000,000,000 | -HSD | C] -- C:\System Volume Information
[2012/03/10 12:16:15 | 000,000,000 | --SD | C] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2012/03/10 12:16:15 | 000,000,000 | --SD | C] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2012/03/10 12:16:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2012/03/10 12:16:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2012/03/10 12:14:37 | 000,079,872 | ---- | C] (Ricoh Co., Ltd.) -- C:\WINDOWS\System32\dllcache\rwia330.dll
[2012/03/10 12:14:37 | 000,079,872 | ---- | C] (Ricoh Co., Ltd.) -- C:\WINDOWS\System32\dllcache\rwia001.dll
[2012/03/10 12:13:46 | 000,054,528 | ---- | C] (Philips Semiconductors GmbH) -- C:\WINDOWS\System32\dllcache\cap7146.sys
[2012/03/10 12:13:29 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\xircom
[2012/03/10 12:13:29 | 000,000,000 | ---D | C] -- C:\Program Files\xerox
[2012/03/10 12:13:29 | 000,000,000 | ---D | C] -- C:\Program Files\microsoft frontpage
[2012/03/10 12:12:45 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\All Users\DRM
[2012/03/10 12:12:37 | 000,000,000 | --SD | C] -- C:\WINDOWS\Downloaded Program Files
[2012/03/10 12:12:37 | 000,000,000 | R--D | C] -- C:\WINDOWS\Offline Web Pages
[2012/03/10 12:12:17 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\DirectX
[2012/03/10 12:11:48 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Services
[2012/03/10 12:11:45 | 000,000,000 | --SD | C] -- C:\WINDOWS\Tasks
[2012/03/10 12:11:43 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\MSSoap
[2012/03/10 12:11:39 | 000,000,000 | ---D | C] -- C:\WINDOWS\srchasst
[2012/03/10 12:11:39 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\Macromed
[2012/03/10 12:11:38 | 000,000,000 | ---D | C] -- C:\Program Files\Movie Maker
[2012/03/10 12:11:35 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\Restore
[2012/03/10 12:11:35 | 000,000,000 | ---D | C] -- C:\WINDOWS\PCHealth
[2012/03/10 12:11:32 | 000,000,000 | ---D | C] -- C:\Program Files\NetMeeting
[2012/03/10 12:11:31 | 000,000,000 | ---D | C] -- C:\Program Files\Outlook Express
[2012/03/10 12:11:29 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\System
[2012/03/10 12:11:27 | 000,000,000 | ---D | C] -- C:\Program Files\Internet Explorer
[2012/03/10 12:11:25 | 000,000,000 | R--D | C] -- C:\Documents and Settings\All Users\Documents\My Pictures
[2012/03/10 12:11:25 | 000,000,000 | R--D | C] -- C:\Documents and Settings\All Users\Documents\My Music
[2012/03/10 12:11:22 | 000,000,000 | ---D | C] -- C:\Program Files\ComPlus Applications
[2012/03/10 12:11:19 | 000,000,000 | R--D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Administrative Tools
[2012/03/10 12:11:19 | 000,000,000 | ---D | C] -- C:\WINDOWS\Registration
[2012/03/10 12:11:02 | 000,000,000 | R--D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Games
[2012/03/10 12:11:01 | 000,000,000 | -H-D | C] -- C:\Program Files\WindowsUpdate
[2012/03/10 12:11:01 | 000,000,000 | ---D | C] -- C:\Program Files\Online Services
[2012/03/10 12:11:00 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Media Player
[2012/03/10 12:10:57 | 000,000,000 | ---D | C] -- C:\Program Files\Messenger
[2012/03/10 12:10:53 | 000,000,000 | ---D | C] -- C:\Program Files\MSN Gaming Zone
[2012/03/10 12:10:25 | 000,000,000 | ---D | C] -- C:\Program Files\Windows NT
[2012/03/10 12:10:25 | 000,000,000 | ---D | C] -- C:\Program Files\MSN
[2012/03/10 12:10:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\MsDtc
[2012/03/10 12:10:22 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\Com
[2012/03/10 12:10:04 | 000,000,000 | R--D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Accessories
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/04/07 14:13:49 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/04/07 14:11:00 | 000,000,974 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1957994488-1715567821-725345543-1005UA.job
[2012/04/07 13:35:00 | 000,000,990 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1957994488-1715567821-725345543-1004UA.job
[2012/04/07 13:20:08 | 000,302,592 | ---- | M] () -- C:\Documents and Settings\admin-su\My Documents\30kr1xnx.exe
[2012/04/07 13:14:06 | 000,593,920 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\admin-su\My Documents\OTL.com
[2012/04/07 13:14:06 | 000,593,920 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\admin-su\Desktop\OTL.com
[2012/04/07 12:56:30 | 000,132,597 | ---- | M] () -- C:\Documents and Settings\admin-su\My Documents\Flash_Disinfector.exe
[2012/04/06 19:35:00 | 000,000,938 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1957994488-1715567821-725345543-1004Core.job
[2012/04/06 17:11:00 | 000,000,922 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1957994488-1715567821-725345543-1005Core.job
[2012/04/06 14:42:51 | 000,312,220 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/04/06 14:42:51 | 000,040,224 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/04/06 14:41:04 | 000,161,936 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/04/05 15:09:46 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/03/16 16:47:22 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/03/15 07:26:44 | 000,000,376 | ---- | M] () -- C:\WINDOWS\ODBC.INI
[2012/03/14 15:06:59 | 000,006,656 | ---- | M] () -- C:\Documents and Settings\admin-su\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/03/14 12:07:41 | 000,000,052 | ---- | M] () -- C:\WINDOWS\SW_Win3112X32.DLL
[2012/03/13 17:13:40 | 000,000,828 | ---- | M] () -- C:\Documents and Settings\admin-su\Application Data\Microsoft\Internet Explorer\Quick Launch\EXCEL.lnk
[2012/03/13 07:38:57 | 000,002,287 | ---- | M] () -- C:\Documents and Settings\admin-su\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2012/03/13 07:38:56 | 000,002,309 | ---- | M] () -- C:\Documents and Settings\admin-su\Desktop\Google Chrome.lnk
[2012/03/12 08:46:30 | 000,000,804 | ---- | M] () -- C:\Documents and Settings\admin-su\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
[2012/03/11 15:13:55 | 000,000,826 | ---- | M] () -- C:\Documents and Settings\admin-su\Desktop\Convert Doc.lnk
[2012/03/10 17:43:12 | 000,000,828 | ---- | M] () -- C:\Documents and Settings\admin-su\Desktop\EXCEL.lnk
[2012/03/10 17:42:13 | 000,000,840 | ---- | M] () -- C:\Documents and Settings\admin-su\Desktop\WORD.lnk
[2012/03/10 17:37:03 | 000,001,730 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
[2012/03/10 15:11:24 | 000,137,416 | ---- | M] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys
[2012/03/10 14:56:32 | 000,000,815 | ---- | M] () -- C:\Documents and Settings\admin-su\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2012/03/10 13:09:38 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.bak
[2012/03/10 13:05:40 | 000,000,790 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\3 MobileBroadband.lnk
[2012/03/10 12:58:35 | 000,420,800 | ---- | M] () -- C:\WINDOWS\System32\vsconfig.xml
[2012/03/10 12:58:16 | 000,004,212 | -H-- | M] () -- C:\WINDOWS\System32\zllictbl.dat
[2012/03/10 12:58:16 | 000,000,731 | ---- | M] () -- C:\Documents and Settings\admin-su\Desktop\ZoneAlarm Security.lnk
[2012/03/10 12:55:35 | 000,001,707 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Avira Control Center.lnk
[2012/03/10 12:52:57 | 000,316,640 | ---- | M] () -- C:\WINDOWS\WMSysPr9.prx
[2012/03/10 12:46:53 | 000,000,211 | RHS- | M] () -- C:\boot.ini
[2012/03/10 12:42:39 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2012/03/10 12:42:39 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2012/03/10 12:35:39 | 000,000,104 | ---- | M] () -- C:\Documents and Settings\admin-su\Desktop\My Computer.lnk
[2012/03/10 12:18:16 | 000,000,079 | ---- | M] () -- C:\Documents and Settings\admin-su\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf
[2012/03/10 12:18:12 | 000,025,065 | ---- | M] () -- C:\WINDOWS\System32\wmpscheme.xml
[2012/03/10 12:15:47 | 000,008,192 | ---- | M] () -- C:\WINDOWS\REGLOCS.OLD
[2012/03/10 12:15:01 | 000,000,386 | ---- | M] () -- C:\WINDOWS\System32\$winnt$.inf
[2012/03/10 12:13:23 | 000,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2012/03/10 12:13:23 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2012/03/10 12:13:23 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2012/03/10 12:13:23 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2012/03/10 12:13:23 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2012/03/10 12:13:21 | 000,023,392 | ---- | M] () -- C:\WINDOWS\System32\nscompat.tlb
[2012/03/10 12:13:21 | 000,016,832 | ---- | M] () -- C:\WINDOWS\System32\amcompat.tlb
[2012/03/10 12:13:20 | 000,299,552 | ---- | M] () -- C:\WINDOWS\WMSysPrx.prx
[2012/03/10 12:13:16 | 000,004,161 | ---- | M] () -- C:\WINDOWS\ODBCINST.INI
[2012/03/10 12:11:23 | 000,021,640 | ---- | M] () -- C:\WINDOWS\System32\emptyregdb.dat
[2012/03/09 09:54:26 | 009,287,264 | ---- | M] (Softinterface, Inc. ) -- C:\Documents and Settings\admin-su\My Documents\CD.EXE
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/04/07 14:16:36 | 000,302,592 | ---- | C] () -- C:\Documents and Settings\admin-su\My Documents\30kr1xnx.exe
[2012/04/07 14:16:36 | 000,132,597 | ---- | C] () -- C:\Documents and Settings\admin-su\My Documents\Flash_Disinfector.exe
[2012/03/25 15:44:41 | 000,001,586 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\SumatraPDF.lnk
[2012/03/16 17:06:41 | 000,000,974 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1957994488-1715567821-725345543-1005UA.job
[2012/03/16 17:06:41 | 000,000,922 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1957994488-1715567821-725345543-1005Core.job
[2012/03/13 17:13:40 | 000,000,828 | ---- | C] () -- C:\Documents and Settings\admin-su\Application Data\Microsoft\Internet Explorer\Quick Launch\EXCEL.lnk
[2012/03/11 15:14:08 | 000,000,052 | ---- | C] () -- C:\WINDOWS\SW_Win3112X32.DLL
[2012/03/11 15:13:55 | 000,000,826 | ---- | C] () -- C:\Documents and Settings\admin-su\Desktop\Convert Doc.lnk
[2012/03/11 15:13:51 | 003,203,072 | ---- | C] () -- C:\WINDOWS\System32\beconvlib.dll
[2012/03/11 15:13:51 | 000,385,119 | ---- | C] () -- C:\WINDOWS\System32\english.dic
[2012/03/11 15:13:51 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\bprgcomm.dll
[2012/03/11 15:13:51 | 000,102,400 | ---- | C] ( ) -- C:\WINDOWS\System32\bclnap.dll
[2012/03/11 15:13:51 | 000,006,728 | ---- | C] () -- C:\WINDOWS\System32\easyconverter.rsc
[2012/03/11 15:13:50 | 000,131,072 | ---- | C] () -- C:\WINDOWS\System32\CSVSpecialProcessing.dll
[2012/03/11 15:13:50 | 000,000,530 | ---- | C] () -- C:\WINDOWS\System32\tx16_ic.ini
[2012/03/11 15:13:49 | 000,221,184 | ---- | C] () -- C:\WINDOWS\System32\SII_PDF.dll
[2012/03/11 15:13:49 | 000,102,400 | ---- | C] () -- C:\WINDOWS\System32\SARzilla.dll
[2012/03/11 15:13:49 | 000,098,304 | ---- | C] () -- C:\WINDOWS\System32\DVM.dll
[2012/03/11 15:13:49 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\RegisterExe.exe
[2012/03/10 22:05:34 | 000,001,374 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2012/03/10 22:05:31 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2012/03/10 22:05:30 | 001,685,606 | ---- | C] () -- C:\WINDOWS\System32\dllcache\sam.spd
[2012/03/10 22:05:30 | 000,000,888 | ---- | C] () -- C:\WINDOWS\System32\dllcache\sam.sdf
[2012/03/10 22:05:29 | 000,643,717 | ---- | C] () -- C:\WINDOWS\System32\dllcache\ltts1033.lxa
[2012/03/10 22:05:29 | 000,605,050 | ---- | C] () -- C:\WINDOWS\System32\dllcache\r1033tts.lxa
[2012/03/10 22:05:16 | 000,001,688 | ---- | C] () -- C:\WINDOWS\System32\AUTOEXEC.NT
[2012/03/10 22:05:10 | 000,797,189 | ---- | C] () -- C:\WINDOWS\System32\dllcache\NT5IIS.CAT
[2012/03/10 22:05:10 | 000,399,645 | ---- | C] () -- C:\WINDOWS\System32\dllcache\MAPIMIG.CAT
[2012/03/10 22:05:10 | 000,037,484 | ---- | C] () -- C:\WINDOWS\System32\dllcache\MW770.CAT
[2012/03/10 22:05:10 | 000,013,472 | ---- | C] () -- C:\WINDOWS\System32\dllcache\HPCRDP.CAT
[2012/03/10 22:05:10 | 000,008,574 | ---- | C] () -- C:\WINDOWS\System32\dllcache\IASNT4.CAT
[2012/03/10 22:05:10 | 000,007,382 | ---- | C] () -- C:\WINDOWS\System32\dllcache\OEMBIOS.CAT
[2012/03/10 22:04:42 | 000,161,936 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/03/10 22:03:53 | 000,000,211 | RHS- | C] () -- C:\boot.ini
[2012/03/10 22:03:51 | 000,000,386 | ---- | C] () -- C:\WINDOWS\System32\$winnt$.inf
[2012/03/10 19:41:25 | 000,002,309 | ---- | C] () -- C:\Documents and Settings\admin-su\Desktop\Google Chrome.lnk
[2012/03/10 19:41:25 | 000,002,287 | ---- | C] () -- C:\Documents and Settings\admin-su\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2012/03/10 19:30:29 | 000,000,990 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1957994488-1715567821-725345543-1004UA.job
[2012/03/10 19:30:29 | 000,000,938 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1957994488-1715567821-725345543-1004Core.job
[2012/03/10 17:50:15 | 000,001,924 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Office PowerPoint Viewer 2007.lnk
[2012/03/10 17:42:29 | 000,000,828 | ---- | C] () -- C:\Documents and Settings\admin-su\Desktop\EXCEL.lnk
[2012/03/10 17:42:13 | 000,000,840 | ---- | C] () -- C:\Documents and Settings\admin-su\Desktop\WORD.lnk
[2012/03/10 17:37:29 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2012/03/10 17:37:03 | 000,002,030 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Excel.lnk
[2012/03/10 17:37:03 | 000,002,022 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Word.lnk
[2012/03/10 17:37:03 | 000,001,730 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
[2012/03/10 16:26:25 | 000,006,656 | ---- | C] () -- C:\Documents and Settings\admin-su\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/03/10 13:26:55 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2012/03/10 13:26:55 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\dllcache\iacenc.dll
[2012/03/10 13:09:41 | 000,013,646 | ---- | C] () -- C:\WINDOWS\System32\wpa.bak
[2012/03/10 13:05:40 | 000,000,790 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\3 MobileBroadband.lnk
[2012/03/10 12:58:16 | 000,004,212 | -H-- | C] () -- C:\WINDOWS\System32\zllictbl.dat
[2012/03/10 12:58:16 | 000,000,731 | ---- | C] () -- C:\Documents and Settings\admin-su\Desktop\ZoneAlarm Security.lnk
[2012/03/10 12:58:06 | 000,420,800 | ---- | C] () -- C:\WINDOWS\System32\vsconfig.xml
[2012/03/10 12:55:35 | 000,001,707 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Avira Control Center.lnk
[2012/03/10 12:52:30 | 000,316,640 | ---- | C] () -- C:\WINDOWS\WMSysPr9.prx
[2012/03/10 12:46:02 | 000,010,457 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmptour.hta
[2012/03/10 12:46:02 | 000,001,771 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmptour.css
[2012/03/10 12:46:02 | 000,000,855 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpocm.inf
[2012/03/10 12:46:01 | 000,613,334 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmplayer.chm
[2012/03/10 12:46:01 | 000,354,468 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpaud1.wav
[2012/03/10 12:46:01 | 000,343,204 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpaud7.wav
[2012/03/10 12:46:01 | 000,343,204 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpaud6.wav
[2012/03/10 12:46:01 | 000,300,969 | ---- | C] () -- C:\WINDOWS\System32\dllcache\viz.wmv
[2012/03/10 12:46:01 | 000,172,196 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpaud9.wav
[2012/03/10 12:46:01 | 000,172,196 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpaud8.wav
[2012/03/10 12:46:01 | 000,172,196 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpaud3.wav
[2012/03/10 12:46:01 | 000,086,196 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpaud5.wav
[2012/03/10 12:46:01 | 000,086,180 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpaud4.wav
[2012/03/10 12:46:01 | 000,086,180 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpaud2.wav
[2012/03/10 12:46:01 | 000,067,374 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmplayer.adm
[2012/03/10 12:46:01 | 000,029,070 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmp.inf
[2012/03/10 12:46:01 | 000,023,195 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmplay.chm
[2012/03/10 12:46:01 | 000,017,489 | ---- | C] () -- C:\WINDOWS\System32\dllcache\videobg.gif
[2012/03/10 12:46:01 | 000,017,272 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmdm.inf
[2012/03/10 12:46:01 | 000,008,677 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wm7.gif
[2012/03/10 12:46:01 | 000,007,892 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wm9.gif
[2012/03/10 12:46:01 | 000,007,636 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wm2.gif
[2012/03/10 12:46:01 | 000,007,369 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wm4.gif
[2012/03/10 12:46:01 | 000,006,769 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmfsdk.inf
[2012/03/10 12:46:01 | 000,006,241 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wm3.gif
[2012/03/10 12:46:01 | 000,006,060 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wm6.gif
[2012/03/10 12:46:01 | 000,005,789 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wm1.gif
[2012/03/10 12:46:01 | 000,005,290 | ---- | C] () -- C:\WINDOWS\System32\dllcache\vidsamp.gif
[2012/03/10 12:46:01 | 000,004,193 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wm8.gif
[2012/03/10 12:46:01 | 000,002,477 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wm5.gif
[2012/03/10 12:46:01 | 000,002,469 | ---- | C] () -- C:\WINDOWS\System32\dllcache\tplay.gif
[2012/03/10 12:46:01 | 000,002,450 | ---- | C] () -- C:\WINDOWS\System32\dllcache\tpause.gif
[2012/03/10 12:46:01 | 000,002,375 | ---- | C] () -- C:\WINDOWS\System32\dllcache\tplayh.gif
[2012/03/10 12:46:01 | 000,002,371 | ---- | C] () -- C:\WINDOWS\System32\dllcache\tpauseh.gif
[2012/03/10 12:46:01 | 000,000,420 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmploc.js
[2012/03/10 12:46:00 | 000,572,557 | ---- | C] () -- C:\WINDOWS\System32\dllcache\rtuner.wmv
[2012/03/10 12:46:00 | 000,375,519 | ---- | C] () -- C:\WINDOWS\System32\dllcache\nuskin.wmv
[2012/03/10 12:46:00 | 000,077,307 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plyr_err.chm
[2012/03/10 12:46:00 | 000,066,725 | ---- | C] () -- C:\WINDOWS\System32\dllcache\revert.wmz
[2012/03/10 12:46:00 | 000,023,829 | ---- | C] () -- C:\WINDOWS\System32\dllcache\tourbg.gif
[2012/03/10 12:46:00 | 000,022,060 | ---- | C] () -- C:\WINDOWS\System32\dllcache\npds.zip
[2012/03/10 12:46:00 | 000,018,286 | ---- | C] () -- C:\WINDOWS\System32\dllcache\mplayer2.inf
[2012/03/10 12:46:00 | 000,003,187 | ---- | C] () -- C:\WINDOWS\System32\dllcache\tour.js
[2012/03/10 12:46:00 | 000,002,778 | ---- | C] () -- C:\WINDOWS\System32\dllcache\mplogoh.gif
[2012/03/10 12:46:00 | 000,002,545 | ---- | C] () -- C:\WINDOWS\System32\dllcache\mplogo.gif
[2012/03/10 12:46:00 | 000,001,477 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst6.wpl
[2012/03/10 12:46:00 | 000,001,477 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst5.wpl
[2012/03/10 12:46:00 | 000,001,474 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst3.wpl
[2012/03/10 12:46:00 | 000,001,451 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst12.wpl
[2012/03/10 12:46:00 | 000,001,448 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst4.wpl
[2012/03/10 12:46:00 | 000,001,398 | ---- | C] () -- C:\WINDOWS\System32\dllcache\taon.gif
[2012/03/10 12:46:00 | 000,001,380 | ---- | C] () -- C:\WINDOWS\System32\dllcache\taonh.gif
[2012/03/10 12:46:00 | 000,001,380 | ---- | C] () -- C:\WINDOWS\System32\dllcache\taoff.gif
[2012/03/10 12:46:00 | 000,001,367 | ---- | C] () -- C:\WINDOWS\System32\dllcache\taoffh.gif
[2012/03/10 12:46:00 | 000,001,250 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst1.wpl
[2012/03/10 12:46:00 | 000,001,148 | ---- | C] () -- C:\WINDOWS\System32\dllcache\snd.htm
[2012/03/10 12:46:00 | 000,001,049 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst2.wpl
[2012/03/10 12:46:00 | 000,001,046 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst7.wpl
[2012/03/10 12:46:00 | 000,001,036 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst8.wpl
[2012/03/10 12:46:00 | 000,000,908 | ---- | C] () -- C:\WINDOWS\System32\dllcache\skins.inf
[2012/03/10 12:46:00 | 000,000,789 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst11.wpl
[2012/03/10 12:46:00 | 000,000,787 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst10.wpl
[2012/03/10 12:46:00 | 000,000,784 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst9.wpl
[2012/03/10 12:46:00 | 000,000,783 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst13.wpl
[2012/03/10 12:46:00 | 000,000,775 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst14.wpl
[2012/03/10 12:46:00 | 000,000,733 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst15.wpl
[2012/03/10 12:46:00 | 000,000,403 | ---- | C] () -- C:\WINDOWS\System32\dllcache\npdrmv2.zip
[2012/03/10 12:45:59 | 000,457,607 | ---- | C] () -- C:\WINDOWS\System32\dllcache\mdlib.wmv
[2012/03/10 12:45:59 | 000,381,425 | ---- | C] () -- C:\WINDOWS\System32\dllcache\copycd.wmv
[2012/03/10 12:45:59 | 000,184,959 | ---- | C] () -- C:\WINDOWS\System32\dllcache\compact.wmz
[2012/03/10 12:45:59 | 000,009,585 | ---- | C] () -- C:\WINDOWS\System32\dllcache\controls.css
[2012/03/10 12:45:59 | 000,008,298 | ---- | C] () -- C:\WINDOWS\System32\dllcache\contents.htm
[2012/03/10 12:45:59 | 000,006,878 | ---- | C] () -- C:\WINDOWS\System32\dllcache\controls.js
[2012/03/10 12:45:59 | 000,005,971 | ---- | C] () -- C:\WINDOWS\System32\dllcache\events.js
[2012/03/10 12:45:59 | 000,000,999 | ---- | C] () -- C:\WINDOWS\System32\dllcache\bktrh.gif
[2012/03/10 12:45:59 | 000,000,773 | ---- | C] () -- C:\WINDOWS\System32\dllcache\cnth.gif
[2012/03/10 12:45:59 | 000,000,773 | ---- | C] () -- C:\WINDOWS\System32\dllcache\cnt.gif
[2012/03/10 12:45:59 | 000,000,772 | ---- | C] () -- C:\WINDOWS\System32\dllcache\cntd.gif
[2012/03/10 12:45:59 | 000,000,760 | ---- | C] () -- C:\WINDOWS\System32\dllcache\cloapph.gif
[2012/03/10 12:45:59 | 000,000,717 | ---- | C] () -- C:\WINDOWS\System32\dllcache\cloapp.gif
[2012/03/10 12:45:50 | 000,118,272 | ---- | C] () -- C:\WINDOWS\System32\mpeg2data.ax
[2012/03/10 12:42:49 | 000,129,045 | ---- | C] () -- C:\WINDOWS\System32\drivers\cxthsfs2.cty
[2012/03/10 12:42:49 | 000,064,352 | ---- | C] () -- C:\WINDOWS\System32\drivers\ativmc20.cod
[2012/03/10 12:42:48 | 000,067,866 | ---- | C] () -- C:\WINDOWS\System32\drivers\netwlan5.img
[2012/03/10 12:36:34 | 083,477,336 | ---- | C] () -- C:\Documents and Settings\admin-su\My Documents\avira_free_antivirus_en.exe
[2012/03/10 12:36:32 | 046,973,440 | ---- | C] () -- C:\Documents and Settings\admin-su\My Documents\zaSetup_92_106_000_en.exe
[2012/03/10 12:35:39 | 000,000,104 | ---- | C] () -- C:\Documents and Settings\admin-su\Desktop\My Computer.lnk
[2012/03/10 12:18:16 | 000,000,079 | ---- | C] () -- C:\Documents and Settings\admin-su\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf
[2012/03/10 12:18:12 | 000,000,738 | ---- | C] () -- C:\Documents and Settings\admin-su\Start Menu\Programs\Outlook Express.lnk
[2012/03/10 12:18:10 | 000,000,804 | ---- | C] () -- C:\Documents and Settings\admin-su\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
[2012/03/10 12:18:07 | 000,000,815 | ---- | C] () -- C:\Documents and Settings\admin-su\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2012/03/10 12:18:07 | 000,000,803 | ---- | C] () -- C:\Documents and Settings\admin-su\Start Menu\Programs\Internet Explorer.lnk
[2012/03/10 12:18:03 | 000,001,599 | ---- | C] () -- C:\Documents and Settings\admin-su\Start Menu\Programs\Remote Assistance.lnk
[2012/03/10 12:18:03 | 000,000,792 | ---- | C] () -- C:\Documents and Settings\admin-su\Start Menu\Programs\Windows Media Player.lnk
[2012/03/10 12:15:47 | 000,008,192 | ---- | C] () -- C:\WINDOWS\REGLOCS.OLD
[2012/03/10 12:15:01 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2012/03/10 12:14:33 | 000,175,104 | ---- | C] () -- C:\WINDOWS\System32\dllcache\pintlcsa.dll
[2012/03/10 12:14:18 | 001,158,818 | ---- | C] () -- C:\WINDOWS\System32\dllcache\korwbrkr.lex
[2012/03/10 12:14:12 | 000,059,392 | ---- | C] () -- C:\WINDOWS\System32\dllcache\imscinst.exe
[2012/03/10 12:14:11 | 000,196,665 | ---- | C] () -- C:\WINDOWS\System32\dllcache\imjpinst.exe
[2012/03/10 12:14:10 | 000,134,339 | ---- | C] () -- C:\WINDOWS\System32\dllcache\imekr.lex
[2012/03/10 12:14:03 | 013,463,552 | ---- | C] () -- C:\WINDOWS\System32\dllcache\hwxjpn.dll
[2012/03/10 12:13:59 | 000,108,827 | ---- | C] () -- C:\WINDOWS\System32\dllcache\hanja.lex
[2012/03/10 12:13:49 | 000,173,568 | ---- | C] () -- C:\WINDOWS\System32\dllcache\chtskf.dll
[2012/03/10 12:13:23 | 000,002,577 | ---- | C] () -- C:\WINDOWS\System32\CONFIG.NT
[2012/03/10 12:13:23 | 000,000,000 | RHS- | C] () -- C:\MSDOS.SYS
[2012/03/10 12:13:23 | 000,000,000 | RHS- | C] () -- C:\IO.SYS
[2012/03/10 12:13:23 | 000,000,000 | ---- | C] () -- C:\CONFIG.SYS
[2012/03/10 12:13:23 | 000,000,000 | ---- | C] () -- C:\AUTOEXEC.BAT
[2012/03/10 12:13:21 | 000,025,065 | ---- | C] () -- C:\WINDOWS\System32\wmpscheme.xml
[2012/03/10 12:13:21 | 000,023,392 | ---- | C] () -- C:\WINDOWS\System32\nscompat.tlb
[2012/03/10 12:13:21 | 000,016,832 | ---- | C] () -- C:\WINDOWS\System32\amcompat.tlb
[2012/03/10 12:13:20 | 000,299,552 | ---- | C] () -- C:\WINDOWS\WMSysPrx.prx
[2012/03/10 12:12:23 | 004,399,505 | ---- | C] () -- C:\WINDOWS\System32\dllcache\nls302en.lex
[2012/03/10 12:11:55 | 000,048,680 | -HS- | C] () -- C:\WINDOWS\winnt256.bmp
[2012/03/10 12:11:55 | 000,048,680 | -HS- | C] () -- C:\WINDOWS\winnt.bmp
[2012/03/10 12:11:50 | 000,000,984 | ---- | C] () -- C:\WINDOWS\System32\dllcache\srframe.mmf
[2012/03/10 12:11:23 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2012/03/10 12:11:02 | 000,000,829 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Windows Messenger.lnk
[2012/03/10 12:11:01 | 000,001,846 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\MSN Explorer.lnk
[2012/03/10 12:10:40 | 000,065,978 | ---- | C] () -- C:\WINDOWS\Soap Bubbles.bmp
[2012/03/10 12:10:40 | 000,065,954 | ---- | C] () -- C:\WINDOWS\Prairie Wind.bmp
[2012/03/10 12:10:40 | 000,065,832 | ---- | C] () -- C:\WINDOWS\Santa Fe Stucco.bmp
[2012/03/10 12:10:40 | 000,026,680 | ---- | C] () -- C:\WINDOWS\River Sumida.bmp
[2012/03/10 12:10:40 | 000,026,582 | ---- | C] () -- C:\WINDOWS\Greenstone.bmp
[2012/03/10 12:10:40 | 000,017,362 | ---- | C] () -- C:\WINDOWS\Rhododendron.bmp
[2012/03/10 12:10:40 | 000,017,336 | ---- | C] () -- C:\WINDOWS\Gone Fishing.bmp
[2012/03/10 12:10:40 | 000,017,062 | ---- | C] () -- C:\WINDOWS\Coffee Bean.bmp
[2012/03/10 12:10:40 | 000,016,730 | ---- | C] () -- C:\WINDOWS\FeatherTexture.bmp
[2012/03/10 12:10:40 | 000,009,522 | ---- | C] () -- C:\WINDOWS\Zapotec.bmp
[2012/03/10 12:10:40 | 000,001,272 | ---- | C] () -- C:\WINDOWS\Blue Lace 16.bmp
[2012/03/10 12:10:38 | 000,001,161 | ---- | C] () -- C:\WINDOWS\System32\usrlogon.cmd
[2012/03/10 12:10:37 | 000,003,286 | ---- | C] () -- C:\WINDOWS\System32\tslabels.h
[2012/03/10 12:10:36 | 000,000,768 | ---- | C] () -- C:\WINDOWS\System32\msdtcprf.h
[2012/03/10 12:10:29 | 000,063,488 | ---- | C] () -- C:\WINDOWS\System32\wmimgmt.msc

========== LOP Check ==========

[2012/03/25 15:44:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\admin-su\Application Data\SumatraPDF

========== Purity Check ==========



========== Custom Scans ==========

< %SYSTEMDRIVE%\*.exe >

< MD5 for: EXPLORER.EXE >
[2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\explorer.exe
[2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\ServicePackFiles\i386\explorer.exe
[2003/03/31 22:00:00 | 001,004,032 | ---- | M] (Microsoft Corporation) MD5=A82B28BFC2E4455FE43022A498C0EF0A -- C:\WINDOWS\$NtServicePackUninstall$\explorer.exe

< MD5 for: SVCHOST.EXE >
[2003/03/31 22:00:00 | 000,012,800 | ---- | M] (Microsoft Corporation) MD5=0F7D9C87B0CE1FA520473119752C6F79 -- C:\WINDOWS\$NtServicePackUninstall$\svchost.exe
[2008/04/14 05:42:38 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\ServicePackFiles\i386\svchost.exe
[2008/04/14 05:42:38 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\system32\svchost.exe

< MD5 for: USERINIT.EXE >
[2008/04/14 05:42:40 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\ServicePackFiles\i386\userinit.exe
[2008/04/14 05:42:40 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\system32\userinit.exe
[2003/03/31 22:00:00 | 000,022,016 | ---- | M] (Microsoft Corporation) MD5=E931E0A2B8BF0019DB902E98D03662CB -- C:\WINDOWS\$NtServicePackUninstall$\userinit.exe

< MD5 for: WINLOGON.EXE >
[2003/03/31 22:00:00 | 000,516,608 | ---- | M] (Microsoft Corporation) MD5=2246D8D8F4714A2CEDB21AB9B1849ABB -- C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
[2008/04/14 05:42:40 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
[2008/04/14 05:42:40 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\system32\winlogon.exe

< %systemroot%\*. /mp /s >

< hklm\software\clients\startmenuinternet|command /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\chrome.exe\shell\open\command\\: "C:\Documents and Settings\admin-su\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" [2012/03/10 19:21:44 | 001,049,072 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\WINDOWS\system32\ie4uinit.exe" -reinstall [2011/12/16 22:23:08 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -hide [2011/12/16 22:23:08 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -show [2011/12/16 22:23:08 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" -extoff [2009/03/08 14:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: C:\Program Files\Internet Explorer\iexplore.exe [2009/03/08 14:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\MSN Explorer\shell\open\command\\: "C:\Program Files\MSN\MSNCoreFiles\MSN6.EXE" [2003/03/31 22:00:00 | 000,094,208 | ---- | M] (Microsoft Corporation)

< hklm\software\clients\startmenuinternet|command /64 /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\chrome.exe\shell\open\command\\: "C:\Documents and Settings\admin-su\Local Settings\Application Data\Google\Chrome\Application\chrome.exe" [2012/03/10 19:21:44 | 001,049,072 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\WINDOWS\system32\ie4uinit.exe" -reinstall [2011/12/16 22:23:08 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -hide [2011/12/16 22:23:08 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -show [2011/12/16 22:23:08 | 000,174,080 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" -extoff [2009/03/08 14:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: C:\Program Files\Internet Explorer\iexplore.exe [2009/03/08 14:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\MSN Explorer\shell\open\command\\: "C:\Program Files\MSN\MSNCoreFiles\MSN6.EXE" [2003/03/31 22:00:00 | 000,094,208 | ---- | M] (Microsoft Corporation)

< End of report >
  • 0
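Added example, not code from the post above and not part of OTL: a short Python script that reads the `< MD5 for: ... >` blocks of an OTL custom scan and checks that the copy actually loaded from C:\WINDOWS or system32 agrees, in both size and MD5, with the ServicePackFiles\i386 copy that Service Pack 3 left behind. The $NtServicePackUninstall$ copies are the pre-SP3 originals and are expected to differ, so they are skipped rather than flagged. The first sample is the log's own explorer.exe and userinit.exe blocks; the second is constructed, with a made-up hash, size and timestamp for a replaced userinit.exe, so the check has something to report.

```python
"""Cross-check the '< MD5 for: ... >' blocks of an OTL custom scan.

Added example, not code from the forum post or from OTL. The copy under
ServicePackFiles\\i386 is taken as the reference for the live copy in
C:\\WINDOWS or system32; the $NtServicePackUninstall$ copies are the
pre-SP3 originals and are expected to differ, so they are skipped.
"""
import re
from dataclasses import dataclass

# One OTL MD5 line, e.g.
# [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=1289...923 -- C:\WINDOWS\explorer.exe
MD5_LINE = re.compile(
    r"^\[[^|]+\|\s*(?P<size>[\d,]+)\s*\|[^\]]*\]\s*"
    r"\((?P<company>[^)]*)\)\s*MD5=(?P<md5>[0-9A-Fa-f]{32})\s*--\s*(?P<path>.+)$"
)
HEADER = re.compile(r"^<\s*MD5 for:\s*(?P<name>\S+)\s*>$")


@dataclass
class FileCopy:
    path: str
    size: int
    md5: str
    company: str


def parse_md5_sections(text):
    """Return {FILENAME: [FileCopy, ...]} for every '< MD5 for: X >' block."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER.match(line)
        if header:
            current = header.group("name").upper()
            sections.setdefault(current, [])
            continue
        entry = MD5_LINE.match(line) if current else None
        if entry:
            sections[current].append(FileCopy(
                path=entry.group("path").strip(),
                size=int(entry.group("size").replace(",", "")),
                md5=entry.group("md5").upper(),
                company=entry.group("company").strip(),
            ))
    return sections


def classify(copy):
    """Role of a listed copy: 'reference' (SP cache), 'pre-sp' (SP uninstall) or 'live'."""
    p = copy.path.lower()
    if "\\servicepackfiles\\" in p:
        return "reference"
    if "$ntservicepackuninstall$" in p:
        return "pre-sp"
    return "live"


def audit(text):
    """Map each file name to 'ok', 'mismatch', 'no-reference' or 'no-live-copy'."""
    verdicts = {}
    for name, copies in parse_md5_sections(text).items():
        roles = {}
        for c in copies:
            roles.setdefault(classify(c), []).append(c)
        ref, live = roles.get("reference", []), roles.get("live", [])
        if not ref:
            verdicts[name] = "no-reference"
        elif not live:
            verdicts[name] = "no-live-copy"
        elif all(c.md5 == ref[0].md5 and c.size == ref[0].size for c in live):
            verdicts[name] = "ok"
        else:
            verdicts[name] = "mismatch"
    return verdicts


# Sample input: two MD5 blocks copied from the OTL log in the post.
OTL_SAMPLE = r"""
< MD5 for: EXPLORER.EXE >
[2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\explorer.exe
[2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\ServicePackFiles\i386\explorer.exe
[2003/03/31 22:00:00 | 001,004,032 | ---- | M] (Microsoft Corporation) MD5=A82B28BFC2E4455FE43022A498C0EF0A -- C:\WINDOWS\$NtServicePackUninstall$\explorer.exe

< MD5 for: USERINIT.EXE >
[2008/04/14 05:42:40 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\ServicePackFiles\i386\userinit.exe
[2008/04/14 05:42:40 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\system32\userinit.exe
[2003/03/31 22:00:00 | 000,022,016 | ---- | M] (Microsoft Corporation) MD5=E931E0A2B8BF0019DB902E98D03662CB -- C:\WINDOWS\$NtServicePackUninstall$\userinit.exe
"""

# Constructed sample (hypothetical, not from the log): the live userinit.exe has
# been swapped for something else, so size and hash differ from the SP3 reference.
TAMPERED_SAMPLE = r"""
< MD5 for: USERINIT.EXE >
[2008/04/14 05:42:40 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\ServicePackFiles\i386\userinit.exe
[2012/03/25 15:44:58 | 000,031,744 | ---- | M] () MD5=0123456789ABCDEF0123456789ABCDEF -- C:\WINDOWS\system32\userinit.exe
"""

if __name__ == "__main__":
    print("log:", audit(OTL_SAMPLE))
    print("constructed:", audit(TAMPERED_SAMPLE))
```

Two caveats a helper reading such a log keeps in mind. Agreement between the live file and the cached copy only shows the two were not changed independently; an attacker with write access to both, or a kernel-mode hook that lies about file contents, defeats the comparison, which is the reason the GMER file scan exists alongside it. And MD5 is adequate for matching a file against a catalogue of known hashes, not as a defence against a deliberately crafted collision. OTL picks explorer, svchost, userinit and winlogon because they start at boot or logon on every XP machine and are therefore a favourite place to hide a patched binary.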

#9
trampas (Topic Starter)
OTL Extras logfile created on: 7/04/2012 2:25:03 PM - Run 1
OTL by OldTimer - Version 3.2.39.2 Folder = C:\Documents and Settings\admin-su\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000C09 | Country: Australia | Language: ENA | Date Format: d/MM/yyyy

510.73 Mb Total Physical Memory | 298.19 Mb Available Physical Memory | 58.38% Memory free
1.22 Gb Paging File | 0.93 Gb Available in Paging File | 76.39% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 52.92 Gb Free Space | 71.02% Space Free | Partition Type: NTFS
Drive E: | 3.72 Gb Total Space | 2.80 Gb Free Space | 75.31% Space Free | Partition Type: FAT32

Computer Name: SERVER | User Name: admin-su | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = ChromeHTML] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring" = 1

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\WINDOWS\system32\ZoneLabs\vsmon.exe" = C:\WINDOWS\system32\ZoneLabs\vsmon.exe:*:Enabled:vsmon -- (Check Point Software Technologies LTD)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{02E89EFC-7B07-4D5A-AA03-9EC0902914EE}" = VC 9.0 Runtime
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{91130409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Small Business
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
"3 MobileBroadband" = 3 MobileBroadband
"Avira AntiVir Desktop" = Avira Free Antivirus
"ie8" = Windows Internet Explorer 8
"VIA_{BB7D68E9-93AE-4118-85FF-6DAF1FD1731D}" = VIA RAID Setup Program (Remove)
"Windows XP Service Pack" = Windows XP Service Pack 3
"ZoneAlarm" = ZoneAlarm

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 2/04/2012 2:28:33 AM | Computer Name = SERVER | Source = ESENT | ID = 490
Description = svchost (840) An attempt to open the file "C:\WINDOWS\system32\CatRoot2\tmp.edb"
for read / write access failed with system error 1392 (0x00000570): "The file or
directory is corrupted and unreadable. ". The open file operation will fail with
error -1022 (0xfffffc02).

Error - 2/04/2012 2:28:33 AM | Computer Name = SERVER | Source = ESENT | ID = 439
Description = Catalog Database (840) Unable to write a shadowed header for file
C:\WINDOWS\system32\CatRoot2\tmp.edb. Error -1022.

Error - 5/04/2012 12:47:15 AM | Computer Name = SERVER | Source = PerfNet | ID = 2004
Description = Unable to open the Server service. Server performance data will not
be returned. Error code returned is in data DWORD 0.

Error - 5/04/2012 12:47:15 AM | Computer Name = SERVER | Source = PerfNet | ID = 2002
Description = Unable to open the Redirector service. Redirector performance data
will not be returned. Error code returned is in data DWORD 0.

Error - 5/04/2012 12:47:47 AM | Computer Name = SERVER | Source = LoadPerf | ID = 3001
Description = The performance counter name string value in the registry is incorrectly
formatted.
The bogus string is 2278, the bogus index value is the first DWORD in Data section
while the last valid index values are the second and third DWORD in Data section.

Error - 5/04/2012 12:47:47 AM | Computer Name = SERVER | Source = LoadPerf | ID = 3011
Description = Unloading the performance counter strings for service WmiApRpl (WmiApRpl)
failed. The Error code is the first DWORD in Data section.

Error - 5/04/2012 12:47:50 AM | Computer Name = SERVER | Source = LoadPerf | ID = 3001
Description = The performance counter name string value in the registry is incorrectly
formatted.
The bogus string is 2278, the bogus index value is the first DWORD in Data section
while the last valid index values are the second and third DWORD in Data section.

Error - 6/04/2012 12:42:48 AM | Computer Name = SERVER | Source = LoadPerf | ID = 3001
Description = The performance counter name string value in the registry is incorrectly
formatted.
The bogus string is 2338, the bogus index value is the first DWORD in Data section
while the last valid index values are the second and third DWORD in Data section.

Error - 6/04/2012 12:42:48 AM | Computer Name = SERVER | Source = LoadPerf | ID = 3011
Description = Unloading the performance counter strings for service WmiApRpl (WmiApRpl)
failed. The Error code is the first DWORD in Data section.

Error - 6/04/2012 12:42:51 AM | Computer Name = SERVER | Source = LoadPerf | ID = 3001
Description = The performance counter name string value in the registry is incorrectly
formatted.
The bogus string is 2338, the bogus index value is the first DWORD in Data section
while the last valid index values are the second and third DWORD in Data section.

[ System Events ]
Error - 5/04/2012 12:41:41 AM | Computer Name = SERVER | Source = Service Control Manager | ID = 7001
Description = The DNS Client service depends on the TCP/IP Protocol Driver service
which failed to start because of the following error: %%31

Error - 5/04/2012 12:41:41 AM | Computer Name = SERVER | Source = Service Control Manager | ID = 7001
Description = The Messenger service depends on the NetBIOS Interface service which
failed to start because of the following error: %%31

Error - 5/04/2012 12:41:41 AM | Computer Name = SERVER | Source = Service Control Manager | ID = 7001
Description = The IPSEC Services service depends on the IPSEC driver service which
failed to start because of the following error: %%31

Error - 5/04/2012 12:41:41 AM | Computer Name = SERVER | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Fips IPSec MRxSmb NetBIOS NetBT Processor Rdbss Tcpip

Error - 5/04/2012 12:44:24 AM | Computer Name = SERVER | Source = Service Control Manager | ID = 7001
Description = The DHCP Client service depends on the NetBios over Tcpip service
which failed to start because of the following error: %%31

Error - 5/04/2012 12:44:24 AM | Computer Name = SERVER | Source = Service Control Manager | ID = 7001
Description = The DNS Client service depends on the TCP/IP Protocol Driver service
which failed to start because of the following error: %%31

Error - 5/04/2012 12:44:24 AM | Computer Name = SERVER | Source = Service Control Manager | ID = 7001
Description = The Messenger service depends on the NetBIOS Interface service which
failed to start because of the following error: %%31

Error - 5/04/2012 12:44:24 AM | Computer Name = SERVER | Source = Service Control Manager | ID = 7001
Description = The IPSEC Services service depends on the IPSEC driver service which
failed to start because of the following error: %%31

Error - 5/04/2012 12:44:24 AM | Computer Name = SERVER | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Fips IPSec MRxSmb NetBIOS NetBT Processor Rdbss Tcpip

Error - 5/04/2012 1:10:43 AM | Computer Name = SERVER | Source = Windows Update Agent | ID = 16
Description =


< End of report >
  • 0
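Added example, not part of the post above and not OTL's own code: the Shell Spawning block in the Extras log lists what the registry says should run when an .exe, .com, .bat, .cmd, .pif or .scr file is opened. The script below parses that block and compares each entry against the stock Windows XP defaults it embeds as a baseline (the baseline values are the assumption here); a command for exefile that points anywhere other than `"%1" %*` is how some malware arranges to be launched in front of every program the user starts. Entries the baseline does not cover, including the ones OTL reports as "Reg Error: Key error.", come back as unverified rather than being guessed. The second sample is constructed: a hypothetical hijacked exefile handler with a made-up file name, included so the check has something to flag.

```python
"""Flag shell\\open\\command defaults that differ from the Windows XP stock values
in an OTL Extras 'Shell Spawning' block.

Added example, not code from the forum post or from OTL. XP_BASELINE holds the
assumed stock values; anything not listed there is reported as 'unverified'.
"""
import re

# Stock Windows XP values for the launch verbs OTL lists (assumed baseline).
XP_BASELINE = {
    ("exefile", "open"): '"%1" %*',
    ("comfile", "open"): '"%1" %*',
    ("batfile", "open"): '"%1" %*',
    ("cmdfile", "open"): '"%1" %*',
    ("piffile", "open"): '"%1" %*',
    ("scrfile", "open"): '"%1" /S',
    ("scrfile", "config"): '"%1"',
    ("cplfile", "cplopen"): 'rundll32.exe shell32.dll,Control_RunDLL "%1",%*',
}

# One entry line, e.g.   exefile [open] -- "%1" %*
SPAWN_LINE = re.compile(r"^(?P<cls>\w+) \[(?P<verb>\w+)\] -- (?P<cmd>.+)$")


def parse_shell_spawning(text):
    """Return {(class, verb): command} for the lines inside the 'Shell Spawning' block."""
    entries, in_block = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("========== "):          # OTL section header
            in_block = line.startswith("========== Shell Spawning")
            continue
        m = SPAWN_LINE.match(line) if in_block else None
        if m:
            entries[(m.group("cls"), m.group("verb"))] = m.group("cmd").strip()
    return entries


def check_shell_spawning(text):
    """Map each (class, verb) to 'ok', 'deviates' or 'unverified'."""
    verdicts = {}
    for key, cmd in parse_shell_spawning(text).items():
        expected = XP_BASELINE.get(key)
        if expected is None:
            verdicts[key] = "unverified"
        elif cmd.lower() == expected.lower():
            verdicts[key] = "ok"
        else:
            verdicts[key] = "deviates"
    return verdicts


def deviations(text):
    """Only the entries that differ from the baseline, with the command actually seen."""
    seen = parse_shell_spawning(text)
    return {k: seen[k] for k, v in check_shell_spawning(text).items() if v == "deviates"}


# Sample input: the Shell Spawning block as it appears in the Extras log above.
LOG_SAMPLE = r"""
========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========
"""

# Constructed sample (hypothetical): exefile has been pointed at a made-up binary
# that runs first and then passes the real program on via "%1" %*.
HIJACKED_SAMPLE = r"""
========== Shell Spawning ==========

exefile [open] -- "C:\Documents and Settings\admin-su\Local Settings\Application Data\placeholder.exe" -a "%1" %*
comfile [open] -- "%1" %*
"""

if __name__ == "__main__":
    print("log:", deviations(LOG_SAMPLE))
    print("constructed:", deviations(HIJACKED_SAMPLE))
```

Compare unverified entries against a known-clean XP machine before touching them. HKEY_CLASSES_ROOT is a merge of HKLM\Software\Classes and HKCU\Software\Classes with the per-user hive taking precedence, so a clean HKLM listing like the one above does not by itself rule out a hijack planted under the current user.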

#10
trampas (Topic Starter)
I've only been able to run GMER.EXE to completion when I uncheck the Files box. The log for this is attached. If I try to include Files or if I just scan on Files alone I often get a BSOD. The information doesn't stay for very long before the PC reboots but on at least a few occasions I've noticed that the error is similar to what I got on 13 Feb (see first thread page 1/3). What I've confirmed on recent runs is the following :

"A problem has been detected and windows has been shut down to prevent damage to your computer.

DRIVER_IRQL_NOT_LESS_OR_EQUAL

*** STOP:

*** SCSIPORT.SYS"

When I don't get a BSOD the PC just hangs. On these occasions the last file scanned by GMER is not always the same.

Here is the partial gmer log :

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-04-07 16:54:58
Windows 5.1.2600 Service Pack 3
Running: 30kr1xnx.exe; Driver: C:\DOCUME~1\admin-su\LOCALS~1\Temp\uftdypob.sys


---- System - GMER 1.0.15 ----

SSDT F8BCA6BC ZwClose
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwConnectPort [0xF3252534]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateFile [0xF324C782]
SSDT F8BCA676 ZwCreateKey
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreatePort [0xF3252CC0]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateProcess [0xF3265EB4]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateProcessEx [0xF32662A2]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateSection [0xF326F916]
SSDT F8BCA66C ZwCreateThread
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0xF3252DF6]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteFile [0xF324D398]
SSDT F8BCA67B ZwDeleteKey
SSDT F8BCA685 ZwDeleteValueKey
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDuplicateObject [0xF3264DF0]
SSDT F8BCA68A ZwLoadKey
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0xF326DB44]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwOpenFile [0xF324CFAA]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwOpenProcess [0xF32681CE]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwOpenThread [0xF3267DF8]
SSDT F8BCA6DF ZwQueryValueKey
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRenameKey [0xF326E8D2]
SSDT F8BCA694 ZwReplaceKey
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0xF32520F4]
SSDT F8BCA68F ZwRestoreKey
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSecureConnectPort [0xF32527DC]
SSDT F8BCA6CB ZwSetContextThread
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0xF324D75C]
SSDT F8BCA6D5 ZwSetSecurityObject
SSDT F8BCA680 ZwSetValueKey
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSystemDebugControl [0xF3266F0A]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwTerminateProcess [0xF3266C86]

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution + 12E 804E4988 12 Bytes [C0, 2C, 25, F3, B4, 5E, 26, ...]
.text ntoskrnl.exe!ZwYieldExecution + 376 804E4BD0 8 Bytes [D2, E8, 26, F3, 94, A6, BC, ...]

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [F3257672] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [F32574C8] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [F3257CBA] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [F3255C2A] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [F3255C2A] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [F3257672] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [F32574C8] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [F3257CBA] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [F3257672] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [F3255C2A] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [F3257CBA] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [F32574C8] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F3257CBA] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F32574C8] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F3257672] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [F3255C2A] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F3257672] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F32574C8] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [F3257CBA] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\arp1394.sys[NDIS.SYS!NdisCloseAdapter] [F3257CBA] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\arp1394.sys[NDIS.SYS!NdisOpenAdapter] [F32574C8] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\arp1394.sys[NDIS.SYS!NdisDeregisterProtocol] [F3255C2A] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\arp1394.sys[NDIS.SYS!NdisRegisterProtocol] [F3257672] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\drivers\afd.sys[ntoskrnl.exe!IoCreateFile] [F32353C4] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [F3257672] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [F3255C2A] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [F3257CBA] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [F32574C8] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!NtSetInformationFile] [F324E2AA] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!IoCreateFile] [F324E60C] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!NtCreateFile] [F324DD40] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!NtOpenFile] [F324E41C] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)

---- Devices - GMER 1.0.15 ----

Device \Driver\Tcpip \Device\Ip vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\Udp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\RawIp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)

---- EOF - GMER 1.0.15 ----
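
A triage pass over the GMER log above, added here as an example and not part of the original thread or of GMER itself. It parses the SSDT, IAT and inline-patch lines, counts hooks per owning driver, and separates the entries GMER printed with a bare address and no owner so they can be checked against the loaded-driver list instead of being read one at a time. The regular expressions, the Hook record, the trusted-owner list and the 64 KiB clustering rule are this example's own assumptions about GMER's output, derived only from the lines on this page.

```python
"""Triage a GMER 1.0.15 log: group kernel hooks by the driver GMER attributes
them to and pull out whatever it could not attribute. Hooks owned by a known
security product (here ZoneAlarm's vsdatant.sys) are expected; bare addresses
with no owner are the lines a rootkit hunter reads first."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional

# The three line shapes that matter, as GMER prints them (hex addresses, optional owner).
_SSDT_OWNED = re.compile(
    r"^SSDT\s+(?P<module>\S+)\s+\((?P<desc>.*?)\)\s+(?P<target>\w+)\s+\[0x(?P<addr>[0-9A-Fa-f]+)\]$")
_SSDT_BARE = re.compile(r"^SSDT\s+(?P<addr>[0-9A-Fa-f]{8})\s+(?P<target>\w+)$")
_IAT = re.compile(
    r"^IAT\s+(?P<image>\S+?)\[(?P<target>[^\]]+)\]\s+\[(?P<addr>[0-9A-Fa-f]+)\]"
    r"(?:\s+(?P<module>\S+)\s+\((?P<desc>.*?)\))?$")
_INLINE = re.compile(
    r"^\.text\s+(?P<target>\S+)\s+\+\s+[0-9A-Fa-f]+\s+(?P<addr>[0-9A-Fa-f]{8})\s+\d+\s+Bytes\b")


@dataclass(frozen=True)
class Hook:
    kind: str               # "SSDT", "IAT" or "inline"
    target: str             # hooked syscall, patched import, or patched kernel function
    addr: int               # hook destination (SSDT/IAT) or patched code address (inline)
    module: Optional[str]   # owning driver per GMER; None when GMER printed no owner


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def parse_gmer(text: str) -> list:
    """Extract SSDT, IAT and inline-patch entries; section headers and other lines are skipped."""
    hooks = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := _SSDT_OWNED.match(line):
            hooks.append(Hook("SSDT", m["target"], int(m["addr"], 16), _basename(m["module"])))
        elif m := _SSDT_BARE.match(line):
            hooks.append(Hook("SSDT", m["target"], int(m["addr"], 16), None))
        elif m := _IAT.match(line):
            owner = _basename(m["module"]) if m["module"] else None
            hooks.append(Hook("IAT", f"{_basename(m['image'])}:{m['target']}", int(m["addr"], 16), owner))
        elif m := _INLINE.match(line):
            # GMER names the patched function but not who patched it, so treat it as unattributed.
            hooks.append(Hook("inline", m["target"], int(m["addr"], 16), None))
    return hooks


def triage(hooks, trusted=("vsdatant.sys",)):
    """Return (hook count per owner, hooks that need a human look).
    A hook needs a look if GMER found no owner or the owner is not in `trusted`."""
    by_owner = Counter(h.module or "<unattributed>" for h in hooks)
    review = [h for h in hooks if h.module is None or h.module not in trusted]
    return by_owner, review


def cluster_unattributed(hooks, shift=16):
    """Group unattributed hooks by the 64 KiB region their address falls in.
    Several bare SSDT entries in one region almost always belong to one driver,
    which you then look up in the loaded-driver list (TDSSKiller prints one)
    instead of judging each hook on its own."""
    clusters = defaultdict(list)
    for h in hooks:
        if h.module is None:
            clusters[h.addr >> shift].append(h.target)
    return dict(clusters)


# Lines copied from the GMER log above (a small subset is enough to exercise every shape).
SAMPLE_LOG = r"""
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateSection [0xF326F916]
SSDT F8BCA66C ZwCreateThread
SSDT F8BCA67B ZwDeleteKey

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution + 12E 804E4988 12 Bytes [C0, 2C, 25, F3, B4, 5E, 26, ...]

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F32574C8] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
"""

if __name__ == "__main__":
    hooks = parse_gmer(SAMPLE_LOG)
    by_owner, review = triage(hooks)
    print("hooks per owner:", dict(by_owner))
    for h in review:
        print(f"REVIEW {h.kind:6} {h.target:40} -> 0x{h.addr:08X} owner={h.module}")
    for region, targets in cluster_unattributed(hooks).items():
        print(f"unattributed region 0x{region:04X}xxxx: {targets}")
```

In the log above every SSDT and IAT hook that GMER could attribute belongs to vsdatant.sys (ZoneAlarm), while entries such as ZwCreateThread, ZwDeleteKey, ZwLoadKey and ZwQueryValueKey carry only an F8BCA6xx address. The script groups those into one region, which is the address range to look for in TDSSKiller's driver listing. It does not decide whether that region is another security product or something hostile; that is the comparison a helper makes against the driver list, not something the log alone settles.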

#11
trampas

    Member

  • Topic Starter
  • Member
  • 99 posts
Hi maliprog

Just a bit more background information. I had to reboot the PC quite a few times trying to capture the GMER log. At no stage did I have a File System Check happen, so I'm thinking that that problem is fixed. Whatever malware was causing that is probably not now being executed.

With the ZoneAlarm client I'm still getting it failing to initialise about 1 time in 10. If I hover the pointer over the icon in the system tray it says 'Protection is up, UI is initializing' and that lasts until I restart the PC. A normal response to the hover would be 'ZoneAlarm' and after receiving that message I can expect a clean shutdown.

trampas

Edited by trampas, 07 April 2012 - 01:36 AM.


#12
maliprog

    Trusted Helper

  • Malware Removal
  • 6,172 posts
Hi trampas,

Sorry for the delay. From the first two scans I don't see any malware on your system. We need to dig deeper and try to find it if there is any.

Step 1

NOTE: This fix is custom made for this system only and for current system state! Don't try to run it on another system!

Please close all running programs and Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    O33 - MountPoints2\{67022981-6a6d-11e1-85df-91647d583422}\Shell - "" = AutoRun
    O33 - MountPoints2\{67022981-6a6d-11e1-85df-91647d583422}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{67022981-6a6d-11e1-85df-91647d583422}\Shell\AutoRun\command - "" = E:\AutoRun.exe
    O33 - MountPoints2\{67022982-6a6d-11e1-85df-91647d583422}\Shell - "" = AutoRun
    O33 - MountPoints2\{67022982-6a6d-11e1-85df-91647d583422}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{67022982-6a6d-11e1-85df-91647d583422}\Shell\AutoRun\command - "" = E:\AutoRun.exe
    O33 - MountPoints2\{b84a80fe-6a5d-11e1-85dd-da0c9b9811f6}\Shell - "" = AutoRun
    O33 - MountPoints2\{b84a80fe-6a5d-11e1-85dd-da0c9b9811f6}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{b84a80fe-6a5d-11e1-85dd-da0c9b9811f6}\Shell\AutoRun\command - "" = E:\AutoRun.exe


    :Commands
    [purity]
    [emptytemp]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post the fix log it produces in your next reply or you can find it in C:\_OTL\MovedFiles
Step 2

Download the latest version of TDSSKiller from here and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Check the boxes beside:

    • Verify Driver Digital Signature
    • Detect TDLFS file system
  • then click OK.
  • Click the Start Scan button to start the scan.
  • If a suspicious object is detected, the default action will be Skip
  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure Cure is selected for malicious objects

  • Click Continue then Reboot now to finish the cleaning process.
  • Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
A report will be created in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents in your next reply.

Step 3

Download and Install Combofix

Download ComboFix from one of the following locations:

Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop *

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please make sure you include the ComboFix log in your next reply, and describe how your computer is running now.

Step 4

Please don't forget to include these items in your reply:

  • OTL fix log
  • TDSSKiller log
  • Combofix log
It would be helpful if you could post each log in a separate post.

#13
trampas

    Member

  • Topic Starter
  • Member
  • 99 posts
Hi maliprog

Thanks for those instructions. Here's the OTL fix log:

trampas


All processes killed
========== OTL ==========
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{67022981-6a6d-11e1-85df-91647d583422}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{67022981-6a6d-11e1-85df-91647d583422}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{67022981-6a6d-11e1-85df-91647d583422}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{67022981-6a6d-11e1-85df-91647d583422}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{67022981-6a6d-11e1-85df-91647d583422}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{67022981-6a6d-11e1-85df-91647d583422}\ not found.
File E:\AutoRun.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{67022982-6a6d-11e1-85df-91647d583422}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{67022982-6a6d-11e1-85df-91647d583422}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{67022982-6a6d-11e1-85df-91647d583422}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{67022982-6a6d-11e1-85df-91647d583422}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{67022982-6a6d-11e1-85df-91647d583422}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{67022982-6a6d-11e1-85df-91647d583422}\ not found.
File E:\AutoRun.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b84a80fe-6a5d-11e1-85dd-da0c9b9811f6}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b84a80fe-6a5d-11e1-85dd-da0c9b9811f6}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b84a80fe-6a5d-11e1-85dd-da0c9b9811f6}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b84a80fe-6a5d-11e1-85dd-da0c9b9811f6}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b84a80fe-6a5d-11e1-85dd-da0c9b9811f6}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b84a80fe-6a5d-11e1-85dd-da0c9b9811f6}\ not found.
File E:\AutoRun.exe not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: admin-su
->Temp folder emptied: 32568256 bytes
->Temporary Internet Files folder emptied: 76951495 bytes
->Google Chrome cache emptied: 6808151 bytes

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Administrator.SERVER
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 204952 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService
->Temp folder emptied: 65984 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: serf
->Temp folder emptied: 18789845 bytes
->Temporary Internet Files folder emptied: 6913588 bytes
->Google Chrome cache emptied: 41913971 bytes
->Flash cache emptied: 571 bytes

User: serf.SERVER
->Temp folder emptied: 99308 bytes
->Temporary Internet Files folder emptied: 33300 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 1119359 bytes
%systemroot%\System32 .tmp files removed: 4183 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 2304 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 29795899 bytes

Total Files Cleaned = 205.00 mb


OTL by OldTimer - Version 3.2.39.2 log created on 04102012_172327

Files\Folders moved on Reboot...
C:\Documents and Settings\admin-su\Local Settings\Temp\~DFBC29.tmp moved successfully.
File\Folder C:\WINDOWS\temp\ZLT02c7a.TMP not found!

Registry entries deleted on Reboot...
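
An audit of the O33 (MountPoints2) lines from the OTL fix script in post #12, added here as an example; it is not part of the original thread and not how OTL itself works internally. The script rebuilds the full per-volume key (the fix log above shows these keys under HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2), shows the command Explorer would run when that volume is double-clicked, flags commands that launch an executable sitting at a drive root, and writes a .reg file that deletes the affected keys. The O33 regular expression, the list of launchable extensions and the root-executable rule are this example's own assumptions.

```python
"""Audit the O33 (MountPoints2) lines from an OTL fix script: rebuild the full
per-volume key, show the command Explorer would run when that volume is
double-clicked, and emit a .reg file that deletes the affected keys."""
import re
from collections import defaultdict

# Where OTL's O33 entries live; the fix log in the thread shows keys under this path.
MOUNTPOINTS2 = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2"

_O33 = re.compile(
    r'^O33 - MountPoints2\\(?P<guid>\{[0-9A-Fa-f-]+\})'
    r'(?:\\(?P<subkey>\S+))?\s+-\s+"(?P<name>[^"]*)"\s+=\s+(?P<data>.*)$')

# Launchable file types a mount-point AutoRun command typically points at (example's own list).
_LAUNCHABLE = re.compile(r"^[A-Za-z]:\\[^\\]+\.(exe|com|bat|cmd|scr|pif|vbs|js)$", re.IGNORECASE)


def parse_o33(text):
    """Map each volume GUID to its {subkey: data} values, e.g. 'Shell\\AutoRun\\command' -> 'E:\\AutoRun.exe'."""
    volumes = defaultdict(dict)
    for raw in text.splitlines():
        m = _O33.match(raw.strip())
        if m:
            volumes[m["guid"]][m["subkey"] or ""] = m["data"].strip()
    return dict(volumes)


def autorun_commands(volumes):
    """Return {guid: command} for volumes whose AutoRun shell verb runs a command."""
    commands = {}
    for guid, values in volumes.items():
        for subkey, data in values.items():
            if subkey.lower() == r"shell\autorun\command":
                commands[guid] = data
    return commands


def launches_root_executable(command):
    """True when the command is a bare executable at a drive root, the shape an
    autorun.inf 'open=' line leaves behind. A match warrants a look, not a verdict:
    CD/DVD autorun installers produce the same entry."""
    return bool(_LAUNCHABLE.match(command))


def full_key(guid):
    return MOUNTPOINTS2 + "\\" + guid


def reg_delete_script(guids):
    """Build a .reg file that removes each volume key; a leading '-' inside the
    brackets tells regedit to delete the key rather than create it."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for guid in guids:
        lines += [f"[-{full_key(guid)}]", ""]
    return "\r\n".join(lines)


# The O33 lines from the OTL fix script in the thread.
SAMPLE_O33 = r"""
O33 - MountPoints2\{67022981-6a6d-11e1-85df-91647d583422}\Shell - "" = AutoRun
O33 - MountPoints2\{67022981-6a6d-11e1-85df-91647d583422}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{67022981-6a6d-11e1-85df-91647d583422}\Shell\AutoRun\command - "" = E:\AutoRun.exe
O33 - MountPoints2\{67022982-6a6d-11e1-85df-91647d583422}\Shell - "" = AutoRun
O33 - MountPoints2\{67022982-6a6d-11e1-85df-91647d583422}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{67022982-6a6d-11e1-85df-91647d583422}\Shell\AutoRun\command - "" = E:\AutoRun.exe
O33 - MountPoints2\{b84a80fe-6a5d-11e1-85dd-da0c9b9811f6}\Shell - "" = AutoRun
O33 - MountPoints2\{b84a80fe-6a5d-11e1-85dd-da0c9b9811f6}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{b84a80fe-6a5d-11e1-85dd-da0c9b9811f6}\Shell\AutoRun\command - "" = E:\AutoRun.exe
"""

if __name__ == "__main__":
    volumes = parse_o33(SAMPLE_O33)
    commands = autorun_commands(volumes)
    for guid, cmd in commands.items():
        flag = "ROOT-EXE" if launches_root_executable(cmd) else "other"
        print(f"{flag:8} {full_key(guid)}  ->  {cmd}")
    print(reg_delete_script(commands))
```

Two caveats follow from the fix log above. The three keys were deleted under HKEY_CURRENT_USER only, and MountPoints2 is a per-user key, so the .reg file this script writes deletes keys only in the profile it is imported into; each of the other profiles listed in the [emptytemp] output (serf, Administrator and so on) needs its own pass. And "File E:\AutoRun.exe not found" only says drive E: was not present when the fix ran; it does not tell you what that volume carried, so the flag from launches_root_executable is a reason to examine the removable media, not a verdict on it.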

#14
trampas

    Member

  • Topic Starter
  • Member
  • 99 posts
Here is the TDSSKiller log (my RAID driver mentioned again):


17:30:07.0421 2936 TDSS rootkit removing tool 2.7.27.0 Apr 9 2012 09:53:37
17:30:09.0437 2936 ============================================================
17:30:09.0437 2936 Current date / time: 2012/04/10 17:30:09.0437
17:30:09.0437 2936 SystemInfo:
17:30:09.0437 2936
17:30:09.0437 2936 OS Version: 5.1.2600 ServicePack: 3.0
17:30:09.0437 2936 Product type: Workstation
17:30:09.0437 2936 ComputerName: SERVER
17:30:09.0437 2936 UserName: admin-su
17:30:09.0437 2936 Windows directory: C:\WINDOWS
17:30:09.0437 2936 System windows directory: C:\WINDOWS
17:30:09.0437 2936 Processor architecture: Intel x86
17:30:09.0437 2936 Number of processors: 2
17:30:09.0437 2936 Page size: 0x1000
17:30:09.0437 2936 Boot type: Normal boot
17:30:09.0437 2936 ============================================================
17:30:10.0531 2936 Drive \Device\Harddisk0\DR0 - Size: 0x12A1F15E00 (74.53 Gb), SectorSize: 0x200, Cylinders: 0x2601, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000058
17:30:10.0531 2936 Drive \Device\Harddisk1\DR2 - Size: 0xEEB00000 (3.73 Gb), SectorSize: 0x200, Cylinders: 0x1E6, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
17:30:10.0531 2936 \Device\Harddisk0\DR0:
17:30:10.0531 2936 MBR used
17:30:10.0531 2936 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x950A5C1
17:30:10.0531 2936 \Device\Harddisk1\DR2:
17:30:10.0531 2936 MBR used
17:30:10.0531 2936 \Device\Harddisk1\DR2\Partition0: MBR, Type 0xB, StartLBA 0x20, BlocksNum 0x7757E0
17:30:10.0562 2936 Initialize success
17:30:10.0562 2936 ============================================================
17:31:13.0187 3112 ============================================================
17:31:13.0187 3112 Scan started
17:31:13.0187 3112 Mode: Manual; SigCheck; TDLFS;
17:31:13.0187 3112 ============================================================
17:31:13.0312 3112 Abiosdsk - ok
17:31:13.0343 3112 abp480n5 - ok
17:31:13.0437 3112 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
17:31:14.0062 3112 ACPI - ok
17:31:14.0125 3112 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
17:31:14.0281 3112 ACPIEC - ok
17:31:14.0312 3112 adpu160m - ok
17:31:14.0390 3112 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
17:31:14.0421 3112 AFD - ok
17:31:14.0515 3112 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
17:31:14.0671 3112 agp440 - ok
17:31:14.0687 3112 Aha154x - ok
17:31:14.0718 3112 aic78u2 - ok
17:31:14.0765 3112 aic78xx - ok
17:31:14.0796 3112 Alerter (a9a3daa780ca6c9671a19d52456705b4) C:\WINDOWS\system32\alrsvc.dll
17:31:14.0953 3112 Alerter - ok
17:31:15.0000 3112 ALG (8c515081584a38aa007909cd02020b3d) C:\WINDOWS\System32\alg.exe
17:31:15.0140 3112 ALG - ok
17:31:15.0171 3112 AliIde - ok
17:31:15.0203 3112 amsint - ok
17:31:15.0281 3112 AntiVirSchedulerService (72709089a54bdc1c5b16bc4a4b926567) C:\Program Files\Avira\AntiVir Desktop\sched.exe
17:31:15.0312 3112 AntiVirSchedulerService - ok
17:31:15.0328 3112 AntiVirService (42f88bfbb76f7a63e381829479b18518) C:\Program Files\Avira\AntiVir Desktop\avguard.exe
17:31:15.0343 3112 AntiVirService - ok
17:31:15.0359 3112 AppMgmt - ok
17:31:15.0421 3112 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
17:31:15.0593 3112 Arp1394 - ok
17:31:15.0640 3112 asc - ok
17:31:15.0671 3112 asc3350p - ok
17:31:15.0703 3112 asc3550 - ok
17:31:15.0734 3112 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
17:31:15.0890 3112 AsyncMac - ok
17:31:15.0968 3112 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
17:31:16.0171 3112 atapi - ok
17:31:16.0203 3112 Atdisk - ok
17:31:16.0250 3112 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
17:31:16.0390 3112 Atmarpc - ok
17:31:16.0437 3112 AudioSrv (def7a7882bec100fe0b2ce2549188f9d) C:\WINDOWS\System32\audiosrv.dll
17:31:16.0578 3112 AudioSrv - ok
17:31:16.0640 3112 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
17:31:16.0796 3112 audstub - ok
17:31:16.0859 3112 avgntflt (7713e4eb0276702faa08e52a6e23f2a6) C:\WINDOWS\system32\DRIVERS\avgntflt.sys
17:31:16.0906 3112 avgntflt - ok
17:31:16.0968 3112 avipbb (13b02b9b969dde270cd7c351203dad3c) C:\WINDOWS\system32\DRIVERS\avipbb.sys
17:31:17.0000 3112 avipbb - ok
17:31:17.0031 3112 avkmgr (271cfd1a989209b1964e24d969552bf7) C:\WINDOWS\system32\DRIVERS\avkmgr.sys
17:31:17.0046 3112 avkmgr - ok
17:31:17.0078 3112 basic2 (1b9c81ab9a456eabd9f8335f04b5f495) C:\WINDOWS\system32\DRIVERS\HSF_BSC2.sys
17:31:17.0250 3112 basic2 - ok
17:31:17.0328 3112 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
17:31:17.0484 3112 Beep - ok
17:31:17.0578 3112 BITS (574738f61fca2935f5265dc4e5691314) C:\WINDOWS\System32\qmgr.dll
17:31:17.0781 3112 BITS - ok
17:31:17.0828 3112 Browser (a06ce3399d16db864f55faeb1f1927a9) C:\WINDOWS\System32\browser.dll
17:31:17.0968 3112 Browser - ok
17:31:18.0031 3112 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
17:31:18.0187 3112 cbidf2k - ok
17:31:18.0218 3112 cd20xrnt - ok
17:31:18.0281 3112 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
17:31:18.0421 3112 Cdaudio - ok
17:31:18.0500 3112 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
17:31:18.0625 3112 Cdfs - ok
17:31:18.0671 3112 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
17:31:18.0812 3112 Cdrom - ok
17:31:18.0843 3112 Changer - ok
17:31:18.0875 3112 CiSvc (1cfe720eb8d93a7158a4ebc3ab178bde) C:\WINDOWS\system32\cisvc.exe
17:31:19.0031 3112 CiSvc - ok
17:31:19.0062 3112 ClipSrv (34cbe729f38138217f9c80212a2a0c82) C:\WINDOWS\system32\clipsrv.exe
17:31:19.0218 3112 ClipSrv - ok
17:31:19.0250 3112 CmdIde - ok
17:31:19.0265 3112 COMSysApp - ok
17:31:19.0312 3112 Cpqarray - ok
17:31:19.0375 3112 CryptSvc (3d4e199942e29207970e04315d02ad3b) C:\WINDOWS\System32\cryptsvc.dll
17:31:19.0515 3112 CryptSvc - ok
17:31:19.0546 3112 dac2w2k - ok
17:31:19.0578 3112 dac960nt - ok
17:31:19.0656 3112 DcomLaunch (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\system32\rpcss.dll
17:31:19.0718 3112 DcomLaunch - ok
17:31:19.0796 3112 Dhcp (5e38d7684a49cacfb752b046357e0589) C:\WINDOWS\System32\dhcpcsvc.dll
17:31:19.0937 3112 Dhcp - ok
17:31:19.0984 3112 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
17:31:20.0125 3112 Disk - ok
17:31:20.0156 3112 dmadmin - ok
17:31:20.0234 3112 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
17:31:20.0468 3112 dmboot - ok
17:31:20.0500 3112 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
17:31:20.0671 3112 dmio - ok
17:31:20.0718 3112 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
17:31:20.0890 3112 dmload - ok
17:31:20.0937 3112 dmserver (57edec2e5f59f0335e92f35184bc8631) C:\WINDOWS\System32\dmserver.dll
17:31:21.0093 3112 dmserver - ok
17:31:21.0171 3112 Dnscache (5f7e24fa9eab896051ffb87f840730d2) C:\WINDOWS\System32\dnsrslvr.dll
17:31:21.0218 3112 Dnscache - ok
17:31:21.0296 3112 Dot3svc (0f0f6e687e5e15579ef4da8dd6945814) C:\WINDOWS\System32\dot3svc.dll
17:31:21.0484 3112 Dot3svc - ok
17:31:21.0515 3112 dpti2o - ok
17:31:21.0546 3112 EapHost (2187855a7703adef0cef9ee4285182cc) C:\WINDOWS\System32\eapsvc.dll
17:31:21.0687 3112 EapHost - ok
17:31:21.0750 3112 ERSvc (bc93b4a066477954555966d77fec9ecb) C:\WINDOWS\System32\ersvc.dll
17:31:21.0890 3112 ERSvc - ok
17:31:21.0953 3112 Eventlog (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
17:31:22.0000 3112 Eventlog - ok
17:31:22.0078 3112 EventSystem (d4991d98f2db73c60d042f1aef79efae) C:\WINDOWS\System32\es.dll
17:31:22.0171 3112 EventSystem - ok
17:31:22.0218 3112 Fallback (c823debe2548656549f84a875d65237b) C:\WINDOWS\system32\DRIVERS\HSF_FALL.sys
17:31:22.0421 3112 Fallback - ok
17:31:22.0500 3112 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
17:31:22.0640 3112 Fastfat - ok
17:31:22.0703 3112 FastUserSwitchingCompatibility (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
17:31:22.0734 3112 FastUserSwitchingCompatibility - ok
17:31:22.0765 3112 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
17:31:22.0906 3112 Fdc - ok
17:31:22.0953 3112 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
17:31:23.0093 3112 Fips - ok
17:31:23.0125 3112 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
17:31:23.0265 3112 Flpydisk - ok
17:31:23.0312 3112 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
17:31:23.0453 3112 FltMgr - ok
17:31:23.0531 3112 Fsks (6483414841d4cab6c3b4db2ac6edd70b) C:\WINDOWS\system32\DRIVERS\HSF_FSKS.sys
17:31:23.0687 3112 Fsks - ok
17:31:23.0734 3112 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
17:31:23.0906 3112 Fs_Rec - ok
17:31:23.0937 3112 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
17:31:24.0109 3112 Ftdisk - ok
17:31:24.0140 3112 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
17:31:24.0281 3112 Gpc - ok
17:31:24.0375 3112 helpsvc (4fcca060dfe0c51a09dd5c3843888bcd) C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
17:31:24.0500 3112 helpsvc - ok
17:31:24.0515 3112 HidServ - ok
17:31:24.0609 3112 hkmsvc (8878bd685e490239777bfe51320b88e9) C:\WINDOWS\System32\kmsvc.dll
17:31:24.0765 3112 hkmsvc - ok
17:31:24.0796 3112 hpn - ok
17:31:24.0828 3112 HSFHWBS2 (970178e8e003eb1481293830069624b9) C:\WINDOWS\system32\DRIVERS\HSFBS2S2.sys
17:31:24.0984 3112 HSFHWBS2 - ok
17:31:25.0062 3112 HSF_DP (ebb354438a4c5a3327fb97306260714a) C:\WINDOWS\system32\DRIVERS\HSFDPSP2.sys
17:31:25.0281 3112 HSF_DP - ok
17:31:25.0375 3112 hsf_msft (74e379857d4c0dfb56de2d19b8f4c434) C:\WINDOWS\system32\DRIVERS\HSF_MSFT.sys
17:31:25.0593 3112 hsf_msft - ok
17:31:25.0671 3112 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
17:31:25.0718 3112 HTTP - ok
17:31:25.0781 3112 HTTPFilter (6100a808600f44d999cebdef8841c7a3) C:\WINDOWS\System32\w3ssl.dll
17:31:25.0937 3112 HTTPFilter - ok
17:31:26.0000 3112 hwdatacard (07853191b1bdee5b39be4cfcfe3b9ad4) C:\WINDOWS\system32\DRIVERS\ewusbmdm.sys
17:31:26.0046 3112 hwdatacard - ok
17:31:26.0093 3112 i2omgmt - ok
17:31:26.0125 3112 i2omp - ok
17:31:26.0187 3112 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
17:31:26.0328 3112 i8042prt - ok
17:31:26.0359 3112 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
17:31:26.0500 3112 Imapi - ok
17:31:26.0578 3112 ImapiService (30deaf54a9755bb8546168cfe8a6b5e1) C:\WINDOWS\System32\imapi.exe
17:31:26.0718 3112 ImapiService - ok
17:31:26.0750 3112 ini910u - ok
17:31:26.0796 3112 IntelIde - ok
17:31:26.0843 3112 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
17:31:26.0968 3112 intelppm - ok
17:31:27.0015 3112 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
17:31:27.0156 3112 ip6fw - ok
17:31:27.0203 3112 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
17:31:27.0375 3112 IpFilterDriver - ok
17:31:27.0406 3112 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
17:31:27.0546 3112 IpInIp - ok
17:31:27.0593 3112 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
17:31:27.0734 3112 IpNat - ok
17:31:27.0765 3112 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
17:31:27.0906 3112 IPSec - ok
17:31:27.0921 3112 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
17:31:28.0078 3112 IRENUM - ok
17:31:28.0125 3112 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
17:31:28.0265 3112 isapnp - ok
17:31:28.0359 3112 K56 (9c5e3fdbfcc30cf71a49ca178b9ad442) C:\WINDOWS\system32\DRIVERS\HSF_K56K.sys
17:31:28.0546 3112 K56 - ok
17:31:28.0578 3112 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
17:31:28.0718 3112 Kbdclass - ok
17:31:28.0765 3112 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
17:31:28.0828 3112 KSecDD - ok
17:31:28.0875 3112 lanmanserver (3a7c3cbe5d96b8ae96ce81f0b22fb527) C:\WINDOWS\System32\srvsvc.dll
17:31:28.0921 3112 lanmanserver - ok
17:31:28.0984 3112 lanmanworkstation (a8888a5327621856c0cec4e385f69309) C:\WINDOWS\System32\wkssvc.dll
17:31:29.0046 3112 lanmanworkstation - ok
17:31:29.0078 3112 lbrtfdc - ok
17:31:29.0140 3112 LmHosts (a7db739ae99a796d91580147e919cc59) C:\WINDOWS\System32\lmhsvc.dll
17:31:29.0296 3112 LmHosts - ok
17:31:29.0328 3112 mdmxsdk (195741aee20369980796b557358cd774) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
17:31:29.0484 3112 mdmxsdk - ok
17:31:29.0515 3112 Messenger (986b1ff5814366d71e0ac5755c88f2d3) C:\WINDOWS\System32\msgsvc.dll
17:31:29.0671 3112 Messenger - ok
17:31:29.0734 3112 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
17:31:29.0906 3112 mnmdd - ok
17:31:29.0968 3112 mnmsrvc (d18f1f0c101d06a1c1adf26eed16fcdd) C:\WINDOWS\System32\mnmsrvc.exe
17:31:30.0125 3112 mnmsrvc - ok
17:31:30.0171 3112 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
17:31:30.0312 3112 Modem - ok
17:31:30.0343 3112 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
17:31:30.0484 3112 Mouclass - ok
17:31:30.0531 3112 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
17:31:54.0109 3112 ============================================================
17:31:54.0109 3112 Scan finished
17:31:54.0109 3112 ============================================================
17:31:54.0218 3104 Detected object count: 1
17:31:54.0234 3104 Actual detected object count: 1
17:32:58.0953 3104 viaraid ( UnsignedFile.Multi.Generic ) - skipped by user
17:32:58.0953 3104 viaraid ( UnsignedFile.Multi.Generic ) - User select action: Skip
17:33:29.0859 2932 Deinitialize success

#15
trampas
  • Topic Starter
  • Member
  • 99 posts
Here is the output from ComboFix (run without any internet access):

ComboFix 12-04-09.07 - admin-su 10/04/2012 17:44:26.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.118 [GMT 10:00]
Running from: c:\documents and settings\admin-su\Desktop\ComboFix.exe
AV: Avira Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Firewall *Enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\SW_Win3112X32.DLL
c:\windows\WindowsUpdate.log
.
.
((((((((((((((((((((((((( Files Created from 2012-03-10 to 2012-04-10 )))))))))))))))))))))))))))))))
.
.
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-10 05:11 . 2012-03-10 02:55 137416 ----a-w- c:\windows\system32\drivers\avipbb.sys
2012-02-03 09:22 . 2003-03-31 12:00 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-01-11 19:06 . 2012-03-10 03:26 3072 ------w- c:\windows\system32\iacenc.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2008-04-13 . 9B9F1C38D559047B8AC0DBA2D5FEBDE9 . 4096 . . [5.3.2600.5512] . . c:\windows\ServicePackFiles\i386\ksuser.dll
.
c:\windows\System32\ksuser.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Mobile Partner"="c:\program files\3 MobileBroadband\3 MobileBroadband.exe" [2012-03-10 110592]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-10-05 258512]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2011-03-17 1043968]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-13 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
.
R0 viaraid;viaraid;c:\windows\system32\drivers\viaraid.sys [13/02/2003 1:10 AM 61408]
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [10/03/2012 12:55 PM 36000]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [10/03/2012 12:55 PM 86224]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1957994488-1715567821-725345543-1004Core.job
- c:\documents and settings\admin-su\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-03-10 09:30]
.
2012-04-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1957994488-1715567821-725345543-1004UA.job
- c:\documents and settings\admin-su\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-03-10 09:30]
.
2012-04-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1957994488-1715567821-725345543-1005Core.job
- c:\documents and settings\serf\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-03-16 07:06]
.
2012-04-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1957994488-1715567821-725345543-1005UA.job
- c:\documents and settings\serf\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-03-16 07:06]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-10 17:58
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3272)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\system32\wscntfy.exe
c:\program files\avira\antivir desktop\ipmGui.exe
.
**************************************************************************
.
Completion time: 2012-04-10 18:01:12 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-10 08:01
.
Pre-Run: 56,921,493,504 bytes free
Post-Run: 56,872,660,992 bytes free
.
- - End Of File - - 4822164B887DD0C735C9B4BE119BB108