
Unknown Trojan/Virus (possibly Themida related)


#1
valeriano
Hi. Please forgive the broken English, it's not my primary language.

I just checked and followed all steps detailed on the Malware and Spyware Cleaning Guide. I also did a search on the forums for a related issue and found this but the thread was closed before a solution was found.

It all started when I ran a "trusted" anti-cheat patch for Alien Arena, named patch.exe. I scanned it with Avira Personal and it was clean. Once I executed it I realized it could have been a mistake. It hung for a second and then a weird-looking GUI appeared (not a standard Windows GUI) telling me that the game was patched correctly. It did not change the game in any way and it ran normally afterwards, so I was not too worried then.

After I played for a while, I noticed something really weird: the standby light on my webcam went red, as in "in use". I put up my best O___o face and tried to find the process or executable or whatever that was controlling my webcam! And I couldn't find it but... I saw two instances of firefox.exe and decided to kill both. The browser then closed, as expected, but something else happened:
  • webcam goes back to standby mode (green light)
  • suddenly the CPU usage went from 5% to about 60%
  • new processes appeared but I couldn't see which ones exactly
  • that deleted patch.exe program appeared again telling me that the game was, again, patched
  • firefox.exe is once again in the process list
  • CPU usage goes back to normal
I did a lot of research around the web (even thought of posting here before but wanted to try and figure it out myself) but could not find anything specific regarding this. Before I post my MBAM, RootRepeal, and OTL logs, I'll explain a bit of what I did.

First, I wanted to know where that firefox.exe was coming from, so I downloaded Sysinternals' Process Explorer. It says that both processes (the real Firefox and the darn Trojan/Virus/Malware thing) are the same. Or at least live in the same folder. :)

When killing the process using Process Explorer, I noticed this: the process wfxload.exe starts (from C:\Windows\Object Desktop\, a hidden folder), calls another instance of itself and then calls the patch.exe process (from C:\Documents and Settings\Mike\Local Settings\Temp\). Finally, firefox.exe is called. Then both instances of wfxload.exe are closed automatically, while patch.exe continues to execute, as if I had just "patched" the game again. :) If I close it, nothing happens. So there, I cannot kill firefox.exe.

I then found another Sysinternals tool, Process Monitor, to try and see how the processes were being created or something (I don't know a whole lot about this stuff, I'm only curious). So I added a filter in ProcMon to watch the firefox.exe process and... dear Lord...! It doesn't stop! If this is relevant, I'll attach/paste some of that info here, but it basically keeps creating an XxX.xXx file (that's the exact name) at C:\Documents and Settings\Mike\Local Settings\Temp\ and I cannot check its contents with Notepad because Windows tells me the file is in use by another process. Oh, by the way - I found my friend patch.exe in that folder too. :)

At some point when running both Process Explorer and Process Monitor, I tried to kill firefox.exe again and, right when it was about to be resurrected by its pals wfxload.exe and patch.exe, I got this error about Themida not being able to be started because of a process monitor running on the machine. I could not get the message to appear again after I restarted the computer (the error continued to appear every 5 seconds or so, even with both Sysinternals tools closed). I searched for Themida online and I did not like what I discovered!

I tried to delete these folders/files but, just as I feared, they appeared right back. And that concludes my very brave attempt at understanding what the heck is wrong with my computer now. :)

Edit - a bit more info: when I restart the computer, patch.exe executes itself again, calling firefox.exe. Suspending the processes with Process Explorer doesn't work, as they keep trying to call new instances of themselves and taking all the CPU usage. :)

MBAM LOG
Malwarebytes' Anti-Malware 1.41
Database version: 3137
Windows 5.1.2600 Service Pack 3

10/11/2009 20:47:03
mbam-log-2009-11-10 (20-47-03).txt

Scan type: Quick Scan
Objects scanned: 94849
Time elapsed: 3 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\RECYCLER\S-1-5-21-1993962763-1647877149-1547161642-1003\Dc40.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Local Settings\Temp\patch.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Application Data\logs.dat (Bifrose.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Local Settings\Temp\XxX.xXx (Malware.Trace) -> Delete on reboot.

RootRepeal LOG
ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/11/10 20:50
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB0EF5000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA5F2000 Size: 8192 File Visible: No Signed: -
Status: -

Name: PROCEXP113.SYS
Image Path: C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
Address: 0xBA5EE000 Size: 7872 File Visible: No Signed: -
Status: -

Name: PROCMON20.SYS
Image Path: C:\WINDOWS\system32\Drivers\PROCMON20.SYS
Address: 0xAE893000 Size: 47232 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xADB42000 Size: 49152 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\system32\Drivers\PROCMON20.SYS" at address 0xae8977ea

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\PROCMON20.SYS" at address 0xae8975e0

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xba7c51bc

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\PROCMON20.SYS" at address 0xae897488

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\PROCMON20.SYS" at address 0xae8974ce

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\PROCMON20.SYS" at address 0xae8973ce

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\PROCMON20.SYS" at address 0xae89732a

#: 079 Function Name: NtFlushKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\PROCMON20.SYS" at address 0xae897422

#: 098 Function Name: NtLoadKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\PROCMON20.SYS" at address 0xae89794e

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\PROCMON20.SYS" at address 0xae8977ac

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xba7c51a8

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0xba7c51ad

#: 160 Function Name: NtQueryKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\PROCMON20.SYS" at address 0xae89701a

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\PROCMON20.SYS" at address 0xae8970b2

#: 193 Function Name: NtReplaceKey
Status: Hooked by "<unknown>" at address 0xba7c51e4

#: 204 Function Name: NtRestoreKey
Status: Hooked by "<unknown>" at address 0xba7c51df

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\PROCMON20.SYS" at address 0xae8971d6

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0xba7c51b7

#: 263 Function Name: NtUnloadKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\PROCMON20.SYS" at address 0xae897a9e

==EOF==

OTL LOG (Only got OTL.txt, did not get Extras.txt)

OTL logfile created on: 10/11/2009 20:53:05 - Run 2
OTL by OldTimer - Version 3.1.4.0 Folder = C:\Documents and Settings\Mike\Desktop\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.40 Gb Available Physical Memory | 70.19% Memory free
3.85 Gb Paging File | 3.37 Gb Available in Paging File | 87.58% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 232.88 Gb Total Space | 165.24 Gb Free Space | 70.96% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: STATION
Current User Name: Mike
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2009/11/06 13:38:10 | 00,908,248 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/11/06 13:38:10 | 00,908,248 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/11/06 12:54:34 | 00,528,896 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Mike\Desktop\Downloads\OTL.exe
PRC - [2009/10/20 19:30:12 | 00,289,072 | ---- | M] (BitTorrent, Inc.) -- C:\Program Files\uTorrent\uTorrent.exe
PRC - [2009/07/27 00:37:50 | 00,180,224 | ---- | M] (PowerISO Computing, Inc.) -- C:\Program Files\PowerISO\PWRISOVM.EXE
PRC - [2009/07/26 16:44:34 | 03,883,856 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\msnmsgr.exe
PRC - [2009/07/21 14:34:33 | 00,185,089 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2009/05/22 01:03:58 | 17,881,088 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\RTHDCPL.EXE
PRC - [2009/05/21 23:42:33 | 00,630,784 | ---- | M] (Motorola Inc.) -- C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
PRC - [2009/05/21 21:56:27 | 00,487,424 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe
PRC - [2009/05/21 21:56:27 | 00,487,424 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe
PRC - [2009/05/13 16:48:22 | 00,108,289 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2009/03/02 13:08:47 | 00,209,153 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2009/02/06 17:07:48 | 00,027,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Contacts\wlcomm.exe
PRC - [2009/02/06 08:10:02 | 00,227,840 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\wmiprvse.exe
PRC - [2008/11/12 01:54:50 | 01,634,304 | ---- | M] (Ralink Technology, Corp.) -- C:\Program Files\Ralink\Common\RaUI.exe
PRC - [2008/09/05 15:23:20 | 00,075,040 | ---- | M] (Ralink Technology, Corp.) -- C:\Program Files\Ralink\Common\RalinkRegistryWriter.exe
PRC - [2008/04/14 02:42:20 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/08/31 17:01:21 | 01,037,736 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft IntelliPoint\ipoint.exe
PRC - [2007/08/31 16:58:50 | 00,357,800 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe


========== Modules (SafeList) ==========

MOD - [2009/11/06 12:54:34 | 00,528,896 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Mike\Desktop\Downloads\OTL.exe
MOD - [2008/04/14 02:42:52 | 01,054,208 | R--- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
MOD - [2008/04/14 02:41:54 | 00,185,344 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\framedyn.dll


========== Win32 Services (SafeList) ==========

SRV - [2009/07/21 14:34:33 | 00,185,089 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2009/05/21 21:56:27 | 00,487,424 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe -- (Ati HotKey Poller)
SRV - [2009/05/13 16:48:22 | 00,108,289 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2008/09/05 15:23:20 | 00,075,040 | ---- | M] (Ralink Technology, Corp.) -- C:\Program Files\Ralink\Common\RalinkRegistryWriter.exe -- (RalinkRegistryWriter)
SRV - [2008/07/29 21:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0)
SRV - [2008/07/29 19:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc)
SRV - [2008/07/29 19:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing)
SRV - [2008/07/25 11:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2008/07/25 11:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state)
SRV - [2008/04/14 02:42:04 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\pchealth\helpctr\binaries\pchsvc.dll -- (helpsvc)
SRV - [2003/07/28 14:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn...st/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: [email protected]:1.1
FF - prefs.js..extensions.enabledItems: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}:0.9.6.5
FF - prefs.js..extensions.enabledItems: {DDC359D1-844A-42a7-9AA1-88A850A938A8}:1.1.7
FF - prefs.js..extensions.enabledItems: {c0c9a2c7-2e5c-4447-bc53-97718bc91e1b}:1.8
FF - prefs.js..extensions.enabledItems: {a7c6cf7f-112c-4500-a7ea-39801a327e5f}:1.0.6
FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.1
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.5.5

FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/10/21 08:19:29 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/11/06 13:38:16 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/11/06 13:38:16 | 00,000,000 | ---D | M]

[2009/10/19 20:51:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Mike\Application Data\Mozilla\Extensions
[2009/10/19 20:51:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Mike\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/11/10 01:46:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\pktekupd.default\extensions
[2009/10/21 13:53:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\pktekupd.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/10/19 21:10:47 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\pktekupd.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}
[2009/10/19 21:10:47 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\pktekupd.default\extensions\{c0c9a2c7-2e5c-4447-bc53-97718bc91e1b}
[2009/10/29 07:09:41 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\pktekupd.default\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
[2009/10/28 06:11:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\pktekupd.default\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}
[2009/11/07 08:43:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\pktekupd.default\extensions\[email protected]
[2009/11/10 18:58:09 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/11/06 13:38:16 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/11/06 13:38:10 | 00,023,512 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browserdirprovider.dll
[2009/11/06 13:38:10 | 00,137,176 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\brwsrcmp.dll
[2009/10/21 08:38:59 | 00,075,208 | ---- | M] (Foxit Software Company) -- C:\Program Files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
[2009/11/06 13:38:12 | 00,064,984 | ---- | M] (mozilla.org) -- C:\Program Files\Mozilla Firefox\plugins\npnul32.dll
[2007/03/22 21:23:30 | 00,017,248 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\NPOFFICE.DLL
[2009/08/24 17:10:36 | 00,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
[2009/08/24 17:10:36 | 00,002,193 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\answers.xml
[2009/08/24 17:10:36 | 00,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml
[2009/08/24 17:10:36 | 00,001,534 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\creativecommons.xml
[2009/08/24 17:10:36 | 00,000,769 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml
[2009/08/24 17:10:36 | 00,002,371 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\google.xml
[2009/08/24 17:10:36 | 00,001,178 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia.xml
[2009/08/24 17:10:36 | 00,000,831 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: (792 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 mpa.one.microsoft.com
O1 - Hosts: 127.0.0.1 rad.msn.com
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Windows Live Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [BluetoothAuthenticationAgent] C:\WINDOWS\System32\bthprops.cpl (Microsoft Corporation)
O4 - HKLM..\Run: [IntelliPoint] C:\Program Files\Microsoft IntelliPoint\ipoint.exe (Microsoft Corporation)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE (PowerISO Computing, Inc.)
O4 - HKLM..\Run: [RTHDCPL] C:\WINDOWS\RTHDCPL.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe (Motorola Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Ralink Wireless Utility.lnk = C:\Program Files\Ralink\Common\RaUI.exe (Ralink Technology, Corp.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1255978564938 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.mi...b?1256120725406 (MUWebControl Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Filter\text/xml {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/10/19 21:38:22 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{257d4706-c335-11de-be04-001583c50677}\Shell\Autoplay\CoMMAnD - "" = cptooo.cmd
O33 - MountPoints2\{257d4706-c335-11de-be04-001583c50677}\Shell\AutoRun\command - "" = cptooo.cmd
O33 - MountPoints2\{257d4706-c335-11de-be04-001583c50677}\Shell\expLOre\CommAND - "" = cptooo.cmd
O33 - MountPoints2\{257d4706-c335-11de-be04-001583c50677}\Shell\open\cOmMAnD - "" = cptooo.cmd
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
O35 - comfile [open] -- "%1" %* File not found
O35 - exefile [open] -- "%1" %* File not found

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2009/10/19 21:37:55 | 00,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - C:\WINDOWS\system32\irmon.dll (Microsoft Corporation)
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found
NetSvcs: helpsvc - C:\WINDOWS\pchealth\helpctr\binaries\pchsvc.dll (Microsoft Corporation)

========== Files/Folders - Created Within 14 Days ==========

[2009/11/10 19:45:15 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009/11/10 19:20:17 | 02,989,416 | ---- | C] (Sysinternals - www.sysinternals.com) -- C:\Documents and Settings\Mike\Desktop\Procmon.exe
[2009/11/10 18:55:16 | 03,550,592 | ---- | C] (Sysinternals - www.sysinternals.com) -- C:\Documents and Settings\Mike\Desktop\procexp.exe
[2009/11/10 18:10:53 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/11/09 22:35:10 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Mike\Application Data\Malwarebytes
[2009/11/09 22:35:05 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/11/09 22:35:02 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/11/09 22:35:02 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/11/09 22:35:02 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/11/09 22:34:07 | 00,000,000 | -HSD | C] -- C:\Config.Msi
[2009/11/09 22:24:37 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Mike\Application Data\Screaming Bee
[2009/11/09 22:23:56 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Screaming Bee
[2009/11/09 22:23:55 | 00,000,000 | ---D | C] -- C:\Program Files\Screaming Bee
[2009/11/09 19:51:59 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Mike\Desktop\epsxe170
[2009/11/09 17:49:35 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Mike\Desktop\PSXeven
[2009/11/09 11:52:13 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Mike\Application Data\PrimoPDF
[2009/11/09 11:51:26 | 00,000,000 | ---D | C] -- C:\Program Files\Nitro PDF
[2009/11/08 20:15:26 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Mike\Desktop\Song 1
[2009/11/08 00:15:09 | 00,551,936 | ---- | C] (cmW@re) -- C:\WINDOWS\th_inst2.exe
[2009/11/05 15:01:25 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\OptiTex
[2009/11/05 14:58:08 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Mike\Application Data\DAZ 3D
[2009/11/05 14:58:03 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Mike\My Documents\DAZ 3D
[2009/11/05 14:57:48 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\DAZ
[2009/11/05 14:57:22 | 00,000,000 | ---D | C] -- C:\Program Files\DAZ 3D
[2009/11/05 11:43:19 | 00,000,000 | ---D | C] -- C:\Program Files\Serious Sam 2
[2009/11/04 21:43:08 | 04,411,392 | ---- | C] (Gabest) -- C:\Documents and Settings\Mike\Desktop\mplayerc.exe
[2009/11/04 21:07:56 | 00,000,000 | ---D | C] -- C:\Program Files\Fusion Media Player
[2009/11/04 17:32:56 | 00,000,000 | ---D | C] -- C:\Scenario
[2009/11/02 23:59:34 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Mike\Application Data\InfraRecorder
[2009/10/31 19:21:15 | 00,000,000 | ---D | C] -- C:\Program Files\Croteam
[2009/10/29 10:49:40 | 00,000,000 | ---D | C] -- C:\Program Files\PFPortChecker
[2009/10/29 09:26:22 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\LogFiles
[2009/10/28 14:50:24 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Mike\Application Data\skypePM
[2009/10/28 14:49:07 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Mike\Application Data\Skype
[2009/10/28 14:47:38 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Skype
[2009/10/28 14:47:36 | 00,000,000 | R--D | C] -- C:\Program Files\Skype
[2009/10/28 14:47:31 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Skype
[2009/10/27 22:07:57 | 00,023,480 | ---- | C] (Wippien Software) -- C:\WINDOWS\System32\drivers\wip0204.sys
[2009/10/27 22:07:57 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Mike\Application Data\Wippien

========== Files - Modified Within 14 Days ==========

[2009/11/10 20:52:42 | 00,001,910 | ---- | M] () -- C:\Documents and Settings\Mike\Application Data\logs.dat
[2009/11/10 19:28:46 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/11/10 19:28:43 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/11/10 19:28:42 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/11/10 19:27:56 | 03,670,016 | -H-- | M] () -- C:\Documents and Settings\Mike\NTUSER.DAT
[2009/11/10 19:27:56 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\Mike\ntuser.ini
[2009/11/10 18:12:04 | 00,432,924 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/11/10 18:12:04 | 00,067,714 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/11/10 18:12:03 | 00,508,956 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/11/10 16:43:54 | 02,635,902 | -H-- | M] () -- C:\Documents and Settings\Mike\Local Settings\Application Data\IconCache.db
[2009/11/09 17:40:46 | 00,003,639 | ---- | M] () -- C:\WINDOWS\VGSCDAPI.VXD
[2009/11/09 13:47:56 | 00,066,119 | ---- | M] () -- C:\Documents and Settings\Mike\My Documents\C1.pdf
[2009/11/09 13:47:27 | 00,040,448 | ---- | M] () -- C:\Documents and Settings\Mike\My Documents\C1.doc
[2009/11/09 11:51:36 | 00,000,798 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\PrimoPDF - Drop Files Here to Convert!.lnk
[2009/11/09 11:51:28 | 00,000,314 | ---- | M] () -- C:\WINDOWS\primopdf.ini
[2009/11/07 19:04:07 | 07,059,057 | ---- | M] () -- C:\Documents and Settings\Mike\Desktop\faceless.mp3
[2009/11/07 14:27:41 | 12,830,449 | ---- | M] () -- C:\Documents and Settings\Mike\My Documents\WGN Radio - Tommy Emmanuel's -The Welsh Tornado,- with Steve & Johnnie.MP4
[2009/11/05 14:50:08 | 00,006,906 | ---- | M] () -- C:\Documents and Settings\Mike\My Documents\Story.ddb
[2009/11/05 11:11:25 | 00,014,336 | ---- | M] () -- C:\Documents and Settings\Mike\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/11/03 09:08:16 | 02,989,416 | ---- | M] (Sysinternals - www.sysinternals.com) -- C:\Documents and Settings\Mike\Desktop\Procmon.exe
[2009/10/29 08:03:58 | 08,165,440 | ---- | M] () -- C:\Documents and Settings\Mike\My Documents\Tommy Emmanuel & Michael Johnson - Chet Atkins - Jerry Reed.MP4
[2009/10/29 07:58:18 | 11,667,627 | ---- | M] () -- C:\Documents and Settings\Mike\My Documents\Tommy Emmanuel - Classical Gas.MP4
[2009/10/29 07:52:13 | 13,233,472 | ---- | M] () -- C:\Documents and Settings\Mike\My Documents\Tommy Emmanuel @ CAAS 2009 - Sanitarium Shuffle.MP4
[2009/10/29 07:41:38 | 10,218,296 | ---- | M] () -- C:\Documents and Settings\Mike\My Documents\Tommy Emmanuel - J.Shimabukuro- While My Guitar Gently Weeps.MP4
[2009/10/29 07:40:11 | 11,804,443 | ---- | M] () -- C:\Documents and Settings\Mike\My Documents\Tommy Emmanuel - Guitar Boogie.MP4
[2009/10/29 07:22:33 | 24,429,871 | ---- | M] () -- C:\Documents and Settings\Mike\My Documents\WGN Radio - Tommy Emmanuel.MP4
[2009/10/28 14:50:24 | 00,000,056 | -H-- | M] () -- C:\WINDOWS\System32\ezsidmv.dat

========== Files Created - No Company Name ==========

[2009/11/10 19:20:17 | 00,060,652 | ---- | C] () -- C:\Documents and Settings\Mike\Desktop\procmon.chm
[2009/11/10 18:55:16 | 00,072,138 | ---- | C] () -- C:\Documents and Settings\Mike\Desktop\procexp.chm
[2009/11/10 11:49:27 | 00,000,090 | R--- | C] () -- C:\Documents and Settings\Mike\Desktop\Final Fantasy VIII - CD3.cue
[2009/11/10 11:48:31 | 72,135,6048 | R--- | C] () -- C:\Documents and Settings\Mike\Desktop\Final Fantasy VIII - CD3.bin
[2009/11/09 17:40:46 | 00,003,639 | ---- | C] () -- C:\WINDOWS\VGSCDAPI.VXD
[2009/11/09 13:47:56 | 00,066,119 | ---- | C] () -- C:\Documents and Settings\Mike\My Documents\C1.pdf
[2009/11/09 11:51:36 | 00,000,798 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\PrimoPDF - Drop Files Here to Convert!.lnk
[2009/11/09 11:51:28 | 00,176,235 | ---- | C] () -- C:\WINDOWS\System32\Primomonnt.dll
[2009/11/09 09:48:28 | 00,040,448 | ---- | C] () -- C:\Documents and Settings\Mike\My Documents\C1.doc
[2009/11/07 19:03:11 | 07,059,057 | ---- | C] () -- C:\Documents and Settings\Mike\Desktop\faceless.mp3
[2009/11/07 14:24:20 | 12,830,449 | ---- | C] () -- C:\Documents and Settings\Mike\My Documents\WGN Radio - Tommy Emmanuel's -The Welsh Tornado,- with Steve & Johnnie.MP4
[2009/10/29 08:00:00 | 08,165,440 | ---- | C] () -- C:\Documents and Settings\Mike\My Documents\Tommy Emmanuel & Michael Johnson - Chet Atkins - Jerry Reed.MP4
[2009/10/29 07:45:29 | 13,233,472 | ---- | C] () -- C:\Documents and Settings\Mike\My Documents\Tommy Emmanuel @ CAAS 2009 - Sanitarium Shuffle.MP4
[2009/10/29 07:30:38 | 11,667,627 | ---- | C] () -- C:\Documents and Settings\Mike\My Documents\Tommy Emmanuel - Classical Gas.MP4
[2009/10/29 07:30:03 | 10,218,296 | ---- | C] () -- C:\Documents and Settings\Mike\My Documents\Tommy Emmanuel - J.Shimabukuro- While My Guitar Gently Weeps.MP4
[2009/10/29 07:26:26 | 11,804,443 | ---- | C] () -- C:\Documents and Settings\Mike\My Documents\Tommy Emmanuel - Guitar Boogie.MP4
[2009/10/29 07:10:44 | 24,429,871 | ---- | C] () -- C:\Documents and Settings\Mike\My Documents\WGN Radio - Tommy Emmanuel.MP4
[2009/10/28 14:50:24 | 00,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2009/10/26 19:56:08 | 00,014,336 | ---- | C] () -- C:\Documents and Settings\Mike\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/10/22 09:06:56 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/10/20 21:42:57 | 00,178,176 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2009/10/20 21:42:57 | 00,000,038 | ---- | C] () -- C:\WINDOWS\avisplitter.ini
[2009/10/20 21:42:55 | 00,881,664 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2009/10/20 21:42:55 | 00,205,824 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2009/10/20 21:42:54 | 00,085,504 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2009/10/20 21:42:54 | 00,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2009/10/19 21:49:54 | 02,635,902 | -H-- | C] () -- C:\Documents and Settings\Mike\Local Settings\Application Data\IconCache.db
[2009/10/19 21:43:07 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\Mike\Application Data\desktop.ini
[2009/10/19 16:56:40 | 00,028,008 | ---- | C] () -- C:\Documents and Settings\Mike\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/10/19 14:27:54 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\desktop.ini
[2009/07/30 23:58:42 | 00,000,314 | ---- | C] () -- C:\WINDOWS\primopdf.ini
[2006/06/29 14:58:52 | 00,030,808 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont
[2006/06/29 14:53:56 | 00,026,489 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
[2006/04/18 15:39:28 | 00,029,779 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
[2006/04/18 15:39:28 | 00,026,040 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
[2005/06/06 15:27:26 | 00,001,910 | ---- | C] () -- C:\Documents and Settings\Mike\Application Data\logs.dat
[2001/08/23 09:00:00 | 00,000,477 | ---- | C] () -- C:\WINDOWS\win.ini
[2001/08/23 09:00:00 | 00,000,231 | ---- | C] () -- C:\WINDOWS\system.ini

========== LOP Check ==========

[2009/10/25 03:45:39 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Cakewalk
[2009/11/05 15:01:25 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\OptiTex
[2009/10/19 21:47:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ralink Driver
[2009/11/09 22:25:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Screaming Bee
[2009/11/05 14:58:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Mike\Application Data\DAZ 3D
[2009/10/21 08:39:13 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Mike\Application Data\Foxit
[2009/11/02 23:59:40 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Mike\Application Data\InfraRecorder
[2009/10/24 17:54:23 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Mike\Application Data\MtStudio
[2009/10/25 07:07:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Mike\Application Data\Music Recognition
[2009/11/09 13:47:57 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Mike\Application Data\PrimoPDF
[2009/11/09 22:25:06 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Mike\Application Data\Screaming Bee
[2009/10/25 11:05:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Mike\Application Data\Steinberg
[2009/11/10 20:54:03 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Mike\Application Data\uTorrent
[2009/10/29 11:11:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Mike\Application Data\Wippien
[2001/08/23 09:00:00 | 00,000,065 | RH-- | M] () -- C:\WINDOWS\Tasks\desktop.ini
[2009/11/10 19:28:43 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\Tasks\SA.DAT

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >

< %SYSTEMDRIVE%\eventlog.dll /s /md5 >
[2008/04/14 02:41:54 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2008/04/14 02:41:54 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\dllcache\eventlog.dll

< %SYSTEMDRIVE%\scecli.dll /s /md5 >
[2008/04/14 02:42:06 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll
[2008/04/14 02:42:06 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\dllcache\scecli.dll

< %SYSTEMDRIVE%\netlogon.dll /s /md5 >
[2008/04/14 02:42:02 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2008/04/14 02:42:02 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\dllcache\netlogon.dll

< %SYSTEMDRIVE%\cngaudit.dll /s /md5 >

< %SYSTEMDRIVE%\sceclt.dll /s /md5 >

< %SYSTEMDRIVE%\ntelogon.dll /s /md5 >

< %SYSTEMDRIVE%\logevent.dll /s /md5 >

< %SYSTEMDRIVE%\iaStor.sys /s /md5 >

< %SYSTEMDRIVE%\nvstor.sys /s /md5 >

< %SYSTEMDRIVE%\atapi.sys /s /md5 >
[2008/04/13 21:10:32 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys

< %SYSTEMDRIVE%\IdeChnDr.sys /s /md5 >

< %SYSTEMDRIVE%\viasraid.sys /s /md5 >

< %SYSTEMDRIVE%\AGP440.sys /s /md5 >

< %SYSTEMDRIVE%\vaxscsi.sys /s /md5 >
< End of report >


Thanks in advance for any help. :)

Edited by valeriano, 11 November 2009 - 04:53 AM.
